Thread: need help w/ hard to kill trojan

  1. #11
    Member
    Join Date
    Feb 2008
    Posts
    47

    Part 3

    --- Browser helper object list ---
    {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
    location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
    BHO name:
    CLSID name: AcroIEHlprObj Class
    description: Adobe Acrobat reader
    classification: Legitimate
    known filename: AcroIEhelper.ocx<br>AcroIEhelper.dll
    info link: http://www.adobe.com/products/acrobat/readstep2.html
    info source: TonyKlein
    Path: C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\
    Long name: AcroIEHelper.dll
    Short name: ACROIE~1.DLL
    Date (created): 2003-11-03 23:17:44
    Date (last access): 2008-02-23 19:37:42
    Date (last write): 2003-11-03 23:17:44
    Filesize: 54248
    Attributes: archive
    MD5: FC7850324464E4D19A24A03D882B5CC4
    CRC32: 452E8571
    Version: 6.0.1.1091

    {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
    location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
    BHO name:
    CLSID name: Spybot-S&D IE Protection
    description: Spybot-S&D IE Browser plugin
    classification: Legitimate
    known filename: SDhelper.dll
    info link: http://spybot.eon.net.au/
    info source: Patrick M. Kolla
    Path: C:\PROGRA~1\SPYBOT~1\
    Long name: SDHelper.dll
    Short name:
    Date (created): 2008-02-17 21:53:36
    Date (last access): 2008-02-23 20:42:38
    Date (last write): 2008-01-28 11:43:28
    Filesize: 1554256
    Attributes: archive
    MD5: 5248E02EFBCB64D328647CD00E384B85
    CRC32: C1B426A9
    Version: 1.5.0.11

    {72853161-30C5-4D22-B7F9-0BBC1D38A37E} (Groove GFS Browser Helper)
    location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
    BHO name:
    CLSID name: Groove GFS Browser Helper
    Path: C:\Program Files\Microsoft Office\Office12\
    Long name: GrooveShellExtensions.dll
    Short name: GRA8E1~1.DLL
    Date (created): 2007-08-24 07:01:22
    Date (last access): 2008-02-23 19:09:12
    Date (last write): 2007-08-24 07:01:22
    Filesize: 2212224
    Attributes: archive
    MD5: 32C4927E013C018A13D8DFBDA4148812
    CRC32: 9A9F3D8B
    Version: 12.0.6211.1000

    {9030D464-4C02-4ABF-8ECC-5164760863C6} (Windows Live Sign-in Helper)
    location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
    BHO name:
    CLSID name: Windows Live Sign-in Helper
    Path: C:\Program Files\Common Files\Microsoft Shared\Windows Live\
    Long name: WindowsLiveLogin.dll
    Short name: WINDOW~1.DLL
    Date (created): 2007-09-20 10:30:18
    Date (last access): 2008-02-23 20:09:18
    Date (last write): 2007-09-20 10:30:18
    Filesize: 328752
    Attributes: archive
    MD5: 59CF5BF6684AFCF906CADAD39B4214DE
    CRC32: C363813C
    Version: 4.200.520.1

    {AE7CD045-E861-484f-8273-0445EE161910} (AcroIEToolbarHelper Class)
    location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
    BHO name:
    CLSID name: AcroIEToolbarHelper Class
    description: Adobe Acrobat
    classification: Legitimate
    known filename: AcroIEFavClient.dll
    info link: http://www.adobe.com/products/acrobatpro/main.html
    info source: TonyKlein
    Path: C:\Program Files\Adobe\Acrobat 6.0\Acrobat\
    Long name: AcroIEFavClient.dll
    Short name: ACROIE~1.DLL
    Date (created): 2003-05-15 01:03:46
    Date (last access): 2008-02-23 20:07:14
    Date (last write): 2003-05-15 01:03:46
    Filesize: 147456
    Attributes: archive
    MD5: 44BCFF08947790E74BD7CC7532D2B793
    CRC32: 0C91890B

    {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} (Windows Live Toolbar Helper)
    location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
    BHO name:
    CLSID name: Windows Live Toolbar Helper
    Path: C:\Program Files\Windows Live Toolbar\
    Long name: msntb.dll
    Short name:
    Date (created): 2007-10-19 11:20:48
    Date (last access): 2008-02-23 19:05:24
    Date (last write): 2007-10-19 11:20:48
    Filesize: 546320
    Attributes: archive
    MD5: CEE1BE1DA21300208D07FBEAE9EA2B51
    CRC32: 12446524
    Version: 3.1.0.146

    {E31CE47F-C268-41ba-897B-B415E613947D} (Microsoft Web Test Recorder 9.0 Helper)
    location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
    BHO name:
    CLSID name: Microsoft Web Test Recorder 9.0 Helper
    Path: C:\Program Files\Microsoft Visual Studio 9.0\Common7\IDE\PrivateAssemblies\
    Long name: Microsoft.VisualStudio.QualityTools.RecorderBarBHO90.dll
    Short name: MID57A~1.DLL
    Date (created): 2007-11-08 08:19:22
    Date (last access): 2008-02-23 19:40:40
    Date (last write): 2007-11-08 08:19:22
    Filesize: 64088
    Attributes: archive
    MD5: 351A23DAC4ABC59854E718EDF19ECF4F
    CRC32: 94EE98C7
    Version: 9.0.21022.8

    {E5A1691B-D188-4419-AD02-90002030B8EE} (FlashFXP Helper for Internet Explorer)
    location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
    BHO name:
    CLSID name: FlashFXP Helper for Internet Explorer
    Path: C:\PROGRA~1\FlashFXP\
    Long name: IEFlash.dll
    Short name:
    Date (created): 2006-03-31 21:27:14
    Date (last access): 2008-02-23 20:07:14
    Date (last write): 2006-03-31 21:27:14
    Filesize: 191096
    Attributes: archive
    MD5: 3507AEE207E68553606F17DB01574E60
    CRC32: 7906032A
    Version: 3.0.0.1015
    Life on Earth is expensive but it includes a free trip around the Sun every year.

  2. #12
    Member
    Join Date
    Feb 2008
    Posts
    47

    Part 4

    --- ActiveX list ---
    Microsoft XML Parser for Java (Microsoft XML Parser for Java)
    DPF name: Microsoft XML Parser for Java
    CLSID name:
    Installer:
    Codebase:
    description:
    classification: Legitimate
    known filename: %WINDIR%\Java\classes\xmldso.cab
    info link:
    info source: Patrick M. Kolla

    {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool)
    DPF name:
    CLSID name: Office Genuine Advantage Validation Tool
    Installer: C:\WINDOWS\Downloaded Program Files\OGAControl.inf
    Codebase: http://download.microsoft.com/downlo...OGAControl.cab
    Path: C:\WINDOWS\system32\
    Long name: OGACheckControl.DLL
    Short name: OGACHE~1.DLL
    Date (created): 2007-03-05 13:34:28
    Date (last access): 2008-02-23 19:40:42
    Date (last write): 2007-06-19 12:11:08
    Filesize: 676224
    Attributes: archive
    MD5: 7F0A75930BFD106D349EF925A080AF03
    CRC32: 46CC7779
    Version: 1.6.21.0

    {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1)
    DPF name:
    CLSID name: F-Secure Online Scanner 3.1
    Installer: C:\WINDOWS\Downloaded Program Files\fscax.inf
    Codebase: http://support.f-secure.com/ols/fscax.cab
    description:
    classification: Legitimate
    known filename: fscax.dll
    info link:
    info source: Safer Networking Ltd.
    Path: C:\WINDOWS\Downloaded Program Files\
    Long name: fscax.dll
    Short name:
    Date (created): 2007-05-07 16:39:24
    Date (last access): 2008-02-23 19:40:42
    Date (last write): 2007-05-07 16:39:24
    Filesize: 254360
    Attributes: archive
    MD5: D5199825510E4C4F97DC93B7BC3B1A8A
    CRC32: 9FA45099
    Version: 3.1.0.5

    {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object)
    DPF name:
    CLSID name: CKAVWebScan Object
    Installer: C:\WINDOWS\Downloaded Program Files\kavwebscan.inf
    Codebase: http://www.kaspersky.com/kos/english...an_unicode.cab
    description:
    classification: Legitimate
    known filename:
    info link:
    info source: Safer Networking Ltd.
    Path: C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\
    Long name: kavwebscan.dll
    Short name: KAVWEB~1.DLL
    Date (created): 2007-08-29 15:49:54
    Date (last access): 2008-02-23 12:54:30
    Date (last write): 2007-08-29 15:49:54
    Filesize: 950272
    Attributes: archive
    MD5: BC915C49931CE46222F9B0A7EFB56CEE
    CRC32: 11048171
    Version: 5.0.98.0

    {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control)
    DPF name:
    CLSID name: ewidoOnlineScan Control
    Installer:
    Codebase: http://downloads.ewido.net/ewidoOnlineScan.cab
    description:
    classification: Legitimate
    known filename: EWIDOO~1.DLL
    info link:
    info source: Safer Networking Ltd.
    Path: C:\WINDOWS\DOWNLO~1\
    Long name: ewidoOnlineScan.dll
    Short name: EWIDOO~1.DLL
    Date (created): 2006-07-11 09:41:36
    Date (last access): 2008-02-23 19:40:42
    Date (last write): 2006-07-11 09:41:36
    Filesize: 345656
    Attributes: archive
    MD5: B284992540E0FA2B76DEA56F93D49A16
    CRC32: FD2E709C
    Version: 1.0.0.4

    {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control)
    DPF name:
    CLSID name: OnlineScanner Control
    Installer: C:\WINDOWS\Downloaded Program Files\OnlineScanner.inf
    Codebase: http://www.eset.eu/buxus/docs/OnlineScanner.cab
    Path: C:\WINDOWS\system32\
    Long name: OnlineScanner.ocx
    Short name: ONLINE~1.OCX
    Date (created): 2008-02-11 09:40:08
    Date (last access): 2008-02-23 19:40:42
    Date (last write): 2008-02-11 09:40:08
    Filesize: 2715648
    Attributes: archive
    MD5: 8A41731096C2ECD10568DDB8F0F90498
    CRC32: 5CE9D28A
    Version: 1.0.0.635

    {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module)
    DPF name:
    CLSID name: Windows Live Safety Center Base Module
    Installer: C:\WINDOWS\Downloaded Program Files\wlscBase.inf
    Codebase: http://cdn.scan.onecare.live.com/res...lscbase370.cab
    description:
    classification: Legitimate
    known filename: wlscBase.dll
    info link:
    info source: Safer Networking Ltd.
    Path: C:\WINDOWS\Downloaded Program Files\
    Long name: wlscBase.dll
    Short name:
    Date (created): 2008-01-21 21:34:22
    Date (last access): 2008-02-23 19:40:42
    Date (last write): 2008-01-21 21:34:22
    Filesize: 465472
    Attributes: archive
    MD5: 66D7300A615CA949EF495270D2DA15E2
    CRC32: B3EEF44F
    Version: 1.7.370.1

    {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class)
    DPF name:
    CLSID name: MUWebControl Class
    Installer: C:\WINDOWS\Downloaded Program Files\muweb.inf
    Codebase: http://www.update.microsoft.com/micr...?1189011463281
    description:
    classification: Legitimate
    known filename: muweb.dll
    info link:
    info source: Safer Networking Ltd.
    Path: C:\WINDOWS\system32\
    Long name: muweb.dll
    Short name:
    Date (created): 2007-07-30 18:18:34
    Date (last access): 2008-02-23 19:45:32
    Date (last write): 2007-07-30 18:18:34
    Filesize: 207736
    Attributes: archive
    MD5: 8038B166CE79E58E193566150CE26465
    CRC32: 9137D395
    Version: 7.0.6000.381

    {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} (Office Update Installation Engine)
    DPF name:
    CLSID name: Office Update Installation Engine
    Installer: C:\WINDOWS\Downloaded Program Files\opuc.inf
    Codebase: http://office.microsoft.com/officeup...tent/opuc4.cab
    description:
    classification: Legitimate
    known filename: opuc.dll
    info link:
    info source: Safer Networking Ltd.
    Path: C:\WINDOWS\
    Long name: opuc.dll
    Short name:
    Date (created): 2007-10-22 10:57:52
    Date (last access): 2008-02-23 19:40:42
    Date (last write): 2007-10-22 10:57:52
    Filesize: 524288
    Attributes: archive
    MD5: F1ED50F66FEF8F56E06F087AA1CE3629
    CRC32: CD8AE024
    Version: 12.0.5543.1000



    --- Process list ---
    PID: 0 ( 0) [System]
    PID: 144 ( 4) \SystemRoot\System32\smss.exe
    size: 50688
    PID: 212 ( 144) \??\C:\WINDOWS\system32\csrss.exe
    size: 6144
    PID: 236 ( 144) \??\C:\WINDOWS\system32\winlogon.exe
    size: 502272
    PID: 280 ( 236) C:\WINDOWS\system32\services.exe
    size: 108032
    MD5: C6CE6EEC82F187615D1002BB3BB50ED4
    PID: 292 ( 236) C:\WINDOWS\system32\lsass.exe
    size: 13312
    MD5: 84885F9B82F4D55C6146EBF6065D75D2
    PID: 448 ( 280) C:\WINDOWS\system32\svchost.exe
    size: 14336
    MD5: 8F078AE4ED187AAABC0A305146DE6716
    PID: 512 ( 280) C:\WINDOWS\system32\svchost.exe
    size: 14336
    MD5: 8F078AE4ED187AAABC0A305146DE6716
    PID: 580 ( 280) C:\WINDOWS\system32\svchost.exe
    size: 14336
    MD5: 8F078AE4ED187AAABC0A305146DE6716
    PID: 824 ( 796) C:\WINDOWS\Explorer.EXE
    size: 1033216
    MD5: 97BD6515465659FF8F3B7BE375B2EA87
    PID: 1048 ( 824) C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
    size: 405504
    MD5: A7E1BDD605277ABAD6603E6854270042
    PID: 1176 (1160) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    size: 5146448
    MD5: 2ECA8CDEED7C82F879E766DA92A3561A
    PID: 4 ( 0) System


    --- Browser start & search pages list ---
    Spybot - Search & Destroy browser pages report, 2008-02-23 20:44:58

    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
    C:\WINDOWS\system32\blank.htm
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
    http://www.microsoft.com/isapi/redir...ie&ar=iesearch
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
    about:blank
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
    %SystemRoot%\system32\blank.htm
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
    http://go.microsoft.com/fwlink/?LinkId=54896
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
    http://go.microsoft.com/fwlink/?LinkId=69157
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
    http://go.microsoft.com/fwlink/?LinkId=69157
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
    http://go.microsoft.com/fwlink/?LinkId=54896
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
    http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
    http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm


    --- Winsock Layered Service Provider list ---
    Protocol 0: MSAFD Tcpip [TCP/IP]
    GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
    Description: Microsoft Windows NT/2k/XP IP protocol
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: MSAFD Tcpip[*]

    Protocol 1: MSAFD Tcpip [UDP/IP]
    GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
    Description: Microsoft Windows NT/2k/XP IP protocol
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: MSAFD Tcpip[*]

    Protocol 2: MSAFD Tcpip [RAW/IP]
    GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
    Description: Microsoft Windows NT/2k/XP IP protocol
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: MSAFD Tcpip[*]

    Protocol 3: RSVP UDP Service Provider
    GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
    Filename: %SystemRoot%\system32\rsvpsp.dll
    Description: Microsoft Windows NT/2k/XP RVSP
    DB filename: %SystemRoot%\system32\rsvpsp.dll
    DB protocol: RSVP * Service Provider

    Protocol 4: RSVP TCP Service Provider
    GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
    Filename: %SystemRoot%\system32\rsvpsp.dll
    Description: Microsoft Windows NT/2k/XP RVSP
    DB filename: %SystemRoot%\system32\rsvpsp.dll
    DB protocol: RSVP * Service Provider

    Protocol 5: MSAFD RfComm [Bluetooth]
    GUID: {9FC48064-7298-43E4-B7BD-181F2089792A}
    Filename: %SystemRoot%\system32\mswsock.dll
    Description: Bluetooth
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: MSAFD RfComm [Bluetooth]

    Protocol 6: MSAFD NetBIOS [\Device\NetBT_Tcpip_{AC9ACD80-8B62-44CA-9C9F-180588B8ACDD}] SEQPACKET 6
    GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
    Description: Microsoft Windows NT/2k/XP NetBios protocol
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: MSAFD NetBIOS *

    Protocol 7: MSAFD NetBIOS [\Device\NetBT_Tcpip_{AC9ACD80-8B62-44CA-9C9F-180588B8ACDD}] DATAGRAM 6
    GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
    Description: Microsoft Windows NT/2k/XP NetBios protocol
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: MSAFD NetBIOS *

    Protocol 8: MSAFD NetBIOS [\Device\NetBT_Tcpip_{7EB7E0A6-747D-41E5-B3E9-51B238242A17}] SEQPACKET 5
    GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
    Description: Microsoft Windows NT/2k/XP NetBios protocol
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: MSAFD NetBIOS *

    Protocol 9: MSAFD NetBIOS [\Device\NetBT_Tcpip_{7EB7E0A6-747D-41E5-B3E9-51B238242A17}] DATAGRAM 5
    GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
    Description: Microsoft Windows NT/2k/XP NetBios protocol
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: MSAFD NetBIOS *

    Protocol 10: MSAFD NetBIOS [\Device\NetBT_Tcpip_{AB6B7C91-5A89-46B0-83B7-4A6328408ED3}] SEQPACKET 0
    GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
    Description: Microsoft Windows NT/2k/XP NetBios protocol
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: MSAFD NetBIOS *

    Protocol 11: MSAFD NetBIOS [\Device\NetBT_Tcpip_{AB6B7C91-5A89-46B0-83B7-4A6328408ED3}] DATAGRAM 0
    GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
    Description: Microsoft Windows NT/2k/XP NetBios protocol
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: MSAFD NetBIOS *

    Protocol 12: MSAFD NetBIOS [\Device\NetBT_Tcpip_{BE5D971E-ABC2-4BEE-9C80-BAE2A10D8C86}] SEQPACKET 1
    GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
    Description: Microsoft Windows NT/2k/XP NetBios protocol
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: MSAFD NetBIOS *

    Protocol 13: MSAFD NetBIOS [\Device\NetBT_Tcpip_{BE5D971E-ABC2-4BEE-9C80-BAE2A10D8C86}] DATAGRAM 1
    GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
    Description: Microsoft Windows NT/2k/XP NetBios protocol
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: MSAFD NetBIOS *

    Protocol 14: MSAFD NetBIOS [\Device\NetBT_Tcpip_{4B98A9D0-0CE3-45B2-9972-AFF344D2021A}] SEQPACKET 2
    GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
    Description: Microsoft Windows NT/2k/XP NetBios protocol
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: MSAFD NetBIOS *

    Protocol 15: MSAFD NetBIOS [\Device\NetBT_Tcpip_{4B98A9D0-0CE3-45B2-9972-AFF344D2021A}] DATAGRAM 2
    GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
    Description: Microsoft Windows NT/2k/XP NetBios protocol
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: MSAFD NetBIOS *

    Protocol 16: MSAFD NetBIOS [\Device\NetBT_Tcpip_{CBD9838C-BC86-4C69-A2EC-E0194C37955F}] SEQPACKET 3
    GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
    Description: Microsoft Windows NT/2k/XP NetBios protocol
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: MSAFD NetBIOS *

    Protocol 17: MSAFD NetBIOS [\Device\NetBT_Tcpip_{CBD9838C-BC86-4C69-A2EC-E0194C37955F}] DATAGRAM 3
    GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
    Description: Microsoft Windows NT/2k/XP NetBios protocol
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: MSAFD NetBIOS *

    Protocol 18: MSAFD NetBIOS [\Device\NetBT_Tcpip_{A315DF94-269F-4F6F-B4FD-1903A31FA824}] SEQPACKET 4
    GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
    Description: Microsoft Windows NT/2k/XP NetBios protocol
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: MSAFD NetBIOS *

    Protocol 19: MSAFD NetBIOS [\Device\NetBT_Tcpip_{A315DF94-269F-4F6F-B4FD-1903A31FA824}] DATAGRAM 4
    GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
    Description: Microsoft Windows NT/2k/XP NetBios protocol
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: MSAFD NetBIOS *

    Namespace Provider 0: Tcpip
    GUID: {22059D40-7E9E-11CF-AE5A-00AA00A7112B}
    Filename: %SystemRoot%\System32\mswsock.dll
    Description: Microsoft Windows NT/2k/XP TCP/IP name space provider
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: TCP/IP

    Namespace Provider 1: NTDS
    GUID: {3B2637EE-E580-11CF-A555-00C04FD8D4AC}
    Filename: %SystemRoot%\System32\winrnr.dll
    Description: Microsoft Windows NT/2k/XP name space provider
    DB filename: %SystemRoot%\system32\winrnr.dll
    DB protocol: NTDS

    Namespace Provider 2: Network Location Awareness (NLA) Namespace
    GUID: {6642243A-3BA8-4AA6-BAA5-2E0BD71FDD83}
    Filename: %SystemRoot%\System32\mswsock.dll
    Description: Microsoft Windows NT/2k/XP name space provider
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: NLA-Namespace

    Namespace Provider 3: Bluetooth Namespace
    GUID: {06AA63E0-7D60-41FF-AFB2-3EE6D2D9392D}
    Filename: %SystemRoot%\system32\wshbth.dll
    Description: Bluetooth
    DB filename: %SystemRoot%\system32\wshbth.dll
    DB protocol: Bluetooth-Namespace

    Done with Spybot
    Life on Earth is expensive but it includes a free trip around the Sun every year.

  3. #13
    Member
    Join Date
    Feb 2008
    Posts
    47


    Windows Registry Editor Version 5.00

    [HKEY_USERS\S-1-5-21-1482476501-507921405-725345543-1003\Software\FirstRRRun]
    "First12Ru123n"=dword:00000001

    That's all in that key; I will post some of my backed-up ComboFix logs next.
    Life on Earth is expensive but it includes a free trip around the Sun every year.

  4. #14
    Member
    Join Date
    Feb 2008
    Posts
    47


    There are more registry values I have found, though, that get recreated, basically variants of some from that other case (which I have been too busy with logs to look fully at yet). Do you want me to export these as well?
    Life on Earth is expensive but it includes a free trip around the Sun every year.

  5. #15
    Member
    Join Date
    Feb 2008
    Posts
    47

    My oldest CF log - Part 1

    ComboFix 08-02-20.2 - Joakim 2008-02-20 1:53:02.5 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1518 [GMT 1:00]
    Running from: C:\Documents and Settings\Joakim\Desktop\ComboFix.exe
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\system32\drivers\down

    .
    ((((((((((((((((((((((((( Files Created from 2008-01-20 to 2008-02-20 )))))))))))))))))))))))))))))))
    .

    2008-02-19 23:37 . 2008-02-19 23:37 250 --a------ C:\WINDOWS\gmer.ini
    2008-02-18 14:02 . 2008-02-18 14:02 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
    2008-02-18 14:02 . 2008-02-18 14:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2008-02-18 10:44 . 2008-02-18 10:44 <DIR> d-------- C:\Program Files\Trend Micro
    2008-02-18 10:39 . 2008-02-18 10:39 812,344 --a------ C:\temp\HJTInstall.exe
    2008-02-18 00:53 . 2008-02-18 00:53 2,062,665 --a------ C:\temp\spywareguardsetup.exe
    2008-02-18 00:42 . 2008-02-18 00:43 2,566,736 --a------ C:\temp\spywareblastersetup351.exe
    2008-02-17 23:14 . 2008-02-17 23:13 15,852,952 --a------ C:\temp\jre-6u4-windows-i586-p.exe.exe
    2008-02-17 21:53 . 2008-02-17 21:53 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
    2008-02-17 21:53 . 2008-02-17 21:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-02-17 21:02 . 2002-09-20 10:53 235,100 --a------ C:\WINDOWS\system32\drivers\MidiSyn.sys
    2008-02-17 21:01 . 2008-02-17 21:01 <DIR> d-------- C:\WINDOWS\VirtualEar
    2008-02-17 21:01 . 2008-02-17 21:01 <DIR> d-------- C:\Program Files\Analog Devices
    2008-02-17 21:01 . 2001-09-11 15:20 1,285,632 --a------ C:\WINDOWS\system32\SMMedia.dll
    2008-02-17 21:01 . 2001-09-19 13:47 765,952 --a------ C:\WINDOWS\system\crlds3d.dll
    2008-02-17 21:01 . 2001-09-19 13:47 720,896 --a------ C:\WINDOWS\system32\Audio3d.dll
    2008-02-17 21:01 . 2003-06-02 13:42 578,304 --a------ C:\WINDOWS\system32\drivers\smwdm.sys
    2008-02-17 21:01 . 2003-03-13 18:34 100,224 --a------ C:\WINDOWS\system32\drivers\aeaudio.sys
    2008-02-17 21:01 . 2003-01-08 11:23 49,152 --a------ C:\WINDOWS\system32\DSndUp.exe
    2008-02-17 21:01 . 2002-04-17 15:05 45,056 --a------ C:\WINDOWS\system32\CleanUp.exe
    2008-02-17 21:01 . 2001-09-11 15:20 30,208 --a------ C:\WINDOWS\system32\wdmioctl.dll
    2008-02-17 21:01 . 2003-03-13 15:40 3,744 --a------ C:\WINDOWS\system32\drivers\smsens.sys
    2008-02-17 20:34 . 2008-02-18 23:21 <DIR> d-------- C:\temp\WinLicenseDemo
    2008-02-17 18:53 . 2008-02-17 18:53 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2008-02-17 16:44 . 2007-12-04 14:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
    2008-02-17 16:44 . 2007-12-04 13:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
    2008-02-17 16:44 . 2007-12-04 15:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
    2008-02-17 16:44 . 2007-12-04 15:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
    2008-02-17 16:44 . 2007-12-04 15:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
    2008-02-17 16:44 . 2007-12-04 15:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
    2008-02-17 16:44 . 2007-12-04 15:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
    2008-02-17 13:35 . 2008-02-17 13:35 55 --a------ C:\WINDOWS\regrunfix.rnr
    2008-02-17 03:58 . C:\WINDOWS\(2) C:\ComboFix\winstart.bat
    2008-02-16 23:10 . 2008-02-16 23:12 <DIR> d-------- C:\Documents and Settings\Joakim\Application Data\PrevxCSI
    2008-02-16 09:09 . 2008-02-16 21:37 <DIR> d-------- C:\WINDOWS\BDOSCAN8
    2008-02-15 16:31 . 2008-02-17 14:18 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
    2008-02-15 16:30 . 2008-02-15 22:55 <DIR> d-------- C:\Documents and Settings\Joakim\.housecall6.6
    2008-02-15 15:20 . 2008-02-17 22:57 <DIR> d-------- C:\Program Files\Trojan Remover
    2008-02-15 15:20 . 2008-02-15 15:20 <DIR> d-------- C:\Documents and Settings\Joakim\Application Data\Simply Super Software
    2008-02-15 15:20 . 2008-02-15 15:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Simply Super Software
    2008-02-15 15:20 . 2006-05-25 14:52 162,304 --a------ C:\WINDOWS\system32\ztvunrar36.dll
    2008-02-15 15:20 . 2003-02-02 19:06 153,088 --a------ C:\WINDOWS\system32\UNRAR3.dll
    2008-02-15 15:20 . 2005-08-26 00:50 77,312 --a------ C:\WINDOWS\system32\ztvunace26.dll
    2008-02-15 15:20 . 2002-03-06 00:00 75,264 --a------ C:\WINDOWS\system32\unacev2.dll
    2008-02-15 15:20 . 2006-06-19 12:01 69,632 --a------ C:\WINDOWS\system32\ztvcabinet.dll
    2008-02-15 00:12 . 2008-02-15 00:11 407,680 --a------ C:\temp\aswclnr.exe
    2008-02-14 22:43 . 2008-02-17 15:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-02-14 22:27 . 2008-02-14 22:38 21,364,592 --a------ C:\temp\aaw2007.exe
    2008-02-14 22:22 . 2008-02-14 22:22 17,255,626 --a------ C:\temp\WinLicenseDemo.zip
    2008-02-14 12:41 . 2008-02-14 12:41 499,712 --a------ C:\WINDOWS\system32\ExSlider.dll
    2008-02-14 12:41 . 2008-02-14 12:41 203,488 --a------ C:\WINDOWS\system32\ExSlider.chm
    2008-02-14 12:40 . 2008-02-14 12:40 573,440 --a------ C:\WINDOWS\system32\ExStatusBar.dll
    2008-02-14 12:40 . 2008-02-14 12:40 436,674 --a------ C:\WINDOWS\system32\ExStatusBar.chm
    2008-02-14 12:39 . 2008-02-14 12:39 434,176 --a------ C:\WINDOWS\system32\ExThumbnail.dll
    2008-02-14 12:34 . 2008-02-14 12:34 331,776 --a------ C:\WINDOWS\system32\ExTexture.dll
    2008-02-14 12:34 . 2008-02-14 12:34 102,224 --a------ C:\WINDOWS\system32\ExTexture.chm
    2008-02-14 12:31 . 2008-02-14 12:31 172,032 --a------ C:\WINDOWS\system32\MaskEdit.dll
    2008-02-14 12:31 . 2008-02-14 12:31 53,672 --a------ C:\WINDOWS\system32\MaskEdit.chm
    2008-02-14 12:28 . 2008-02-14 12:28 <DIR> d-------- C:\Program Files\Copy of EXECryptor
    2008-02-13 14:50 . 2008-02-13 14:50 389,120 --a------ C:\WINDOWS\system32\ExCalc.dll
    2008-02-13 14:50 . 2008-02-13 14:50 84,478 --a------ C:\WINDOWS\system32\ExCalc.chm
    2008-02-13 14:42 . 2008-02-13 14:42 479,232 --a------ C:\WINDOWS\system32\ExRolList.dll
    2008-02-13 14:42 . 2008-02-13 14:42 210,902 --a------ C:\WINDOWS\system32\ExRolList.CHM
    2008-02-13 14:03 . 2008-02-13 14:03 225,280 --a------ C:\WINDOWS\system32\ExShellView.dll
    2008-02-13 14:03 . 2008-02-13 14:03 83,770 --a------ C:\WINDOWS\system32\ExShellView.chm
    2008-02-13 13:58 . 2008-02-13 13:58 397,312 --a------ C:\WINDOWS\system32\ExFolderView.dll
    2008-02-13 13:58 . 2008-02-13 13:58 117,644 --a------ C:\WINDOWS\system32\ExFolderView.chm
    2008-02-13 13:52 . 2008-02-13 14:09 286,720 --a------ C:\WINDOWS\system32\ExToolTip.dll
    2008-02-13 13:52 . 2008-02-13 14:09 119,264 --a------ C:\WINDOWS\system32\ExToolTip.chm
    2008-02-13 13:34 . 2008-02-13 13:34 438,272 --a------ C:\WINDOWS\system32\ExLabel.dll
    2008-02-13 13:34 . 2008-02-13 13:34 152,774 --a------ C:\WINDOWS\system32\ExLabel.chm
    2008-02-12 20:09 . 2008-02-12 20:09 1,995,825 --a------ C:\WINDOWS\system32\ExGantt.chm
    2008-02-12 20:09 . 2008-02-12 20:09 1,486,848 --a------ C:\WINDOWS\system32\ExGantt.dll
    2008-02-12 20:05 . 2008-02-12 20:05 634,880 --a------ C:\WINDOWS\system32\ExCalendar.dll
    2008-02-12 20:05 . 2008-02-12 20:05 460,734 --a------ C:\WINDOWS\system32\ExCalendar.chm
    2008-02-12 19:56 . 2008-02-12 19:56 2,680,120 --a------ C:\WINDOWS\system32\ExG2antt.chm
    2008-02-12 19:56 . 2008-02-12 19:56 1,933,312 --a------ C:\WINDOWS\system32\ExG2antt.dll
    2008-02-12 10:16 . 2008-02-12 10:16 <DIR> d-------- C:\Program Files\QuickTime
    2008-02-11 18:26 . 2008-02-11 18:26 <DIR> d-------- C:\WINDOWS\system32\js
    2008-02-11 18:26 . 2008-02-11 18:26 <DIR> d-------- C:\WINDOWS\system32\images
    2008-02-11 18:26 . 2008-02-11 18:26 <DIR> d-------- C:\WINDOWS\system32\html
    2008-02-11 18:26 . 2008-02-11 18:26 <DIR> d-------- C:\WINDOWS\system32\css
    2008-02-11 18:26 . 2008-02-11 18:26 <DIR> d-------- C:\Program Files\Business Objects
    2008-02-11 18:10 . 2008-02-11 18:10 <DIR> d-------- C:\Program Files\Microsoft Device Emulator
    2008-02-11 18:09 . 2008-02-11 18:09 <DIR> d-------- C:\Program Files\Windows Mobile 5.0 SDK R2
    2008-02-11 18:08 . 2008-02-11 18:08 <DIR> d-------- C:\Program Files\Microsoft Synchronization Services
    2008-02-11 18:08 . 2008-02-11 18:08 <DIR> d-------- C:\Program Files\Microsoft SQL Server Compact Edition
    2008-02-11 17:51 . 2008-02-11 18:26 <DIR> d-------- C:\Program Files\Microsoft Visual Studio 9.0
    2008-02-11 17:51 . 2008-02-11 17:51 <DIR> d-------- C:\Program Files\Microsoft SDKs
    2008-02-11 17:50 . 2008-02-11 17:50 <DIR> d-------- C:\Program Files\Microsoft Web Designer Tools
    2008-02-11 17:47 . 2008-02-11 17:47 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
    2008-02-11 17:47 . 2008-02-11 17:47 <DIR> d-------- C:\Program Files\Reference Assemblies
    2008-02-11 17:47 . 2006-06-29 13:07 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
    2008-02-11 17:46 . 2008-02-11 17:46 <DIR> d-------- C:\Program Files\MSXML 6.0
    2008-02-07 23:56 . 2008-02-07 23:57 <DIR> d-------- C:\xampp
    2008-02-07 23:42 . 2008-02-07 23:43 30,565,644 --a------ C:\xampp-win32-1.6.6-RC2.7z
    2008-02-06 11:10 . 2008-02-11 02:19 <DIR> d-------- C:\temp\htdocs
    2008-02-06 10:35 . 2008-02-10 19:06 228,285 --a------ C:\temp\mxEAL.zip
    2008-02-02 19:19 . 2008-02-02 19:19 896,535 --a------ C:\temp\e107bb_v3.0.0.zip
    2008-02-02 09:08 . 2008-02-02 09:08 <DIR> d-------- C:\Documents and Settings\Joakim\Contacts
    Life on Earth is expensive but it includes a free trip around the Sun every year.

  6. #16
    Member
    Join Date
    Feb 2008
    Posts
    47

    Default Part 2

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-02-20 01:00 --------- d-----w C:\Documents and Settings\NetworkService\Application Data\VMware
    2008-02-20 01:00 --------- d-----w C:\Documents and Settings\Joakim\Application Data\VMware
    2008-02-20 01:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\VMware
    2008-02-19 23:57 --------- d-----w C:\Program Files\SpywareGuard
    2008-02-18 14:03 --------- d-----w C:\Documents and Settings\Joakim\Application Data\Skype
    2008-02-17 23:50 --------- d-----w C:\Program Files\SpywareBlaster
    2008-02-17 23:36 --------- d-----w C:\Program Files\SpeedFan
    2008-02-17 22:27 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
    2008-02-17 22:19 --------- d-----w C:\Program Files\Java
    2008-02-17 20:01 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-02-17 17:54 --------- d-----w C:\Program Files\Lavasoft
    2008-02-16 23:46 --------- d-----w C:\Documents and Settings\LocalService\Application Data\VMware
    2008-02-16 21:49 --------- d-----w C:\Documents and Settings\Joakim\Application Data\uTorrent
    2008-02-16 20:50 --------- d-----w C:\Program Files\Windows Desktop Search
    2008-02-14 23:04 --------- d-----w C:\Program Files\WYSIWYG Web Builder 4.0
    2008-02-14 21:29 --------- d-----w C:\Documents and Settings\Joakim\Application Data\Lavasoft
    2008-02-14 11:41 --------- d-----w C:\Program Files\Exontrol
    2008-02-14 11:29 --------- d-----w C:\Program Files\EXECryptor
    2008-02-12 23:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
    2008-02-12 09:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
    2008-02-11 17:37 --------- d-----w C:\Program Files\MSDN
    2008-02-11 17:24 --------- d-----w C:\Program Files\Microsoft SQL Server
    2008-02-11 17:21 --------- d-----w C:\Program Files\Microsoft.NET
    2008-02-11 16:58 --------- d-----w C:\Program Files\Common Files\Merge Modules
    2008-02-11 16:53 --------- d-----w C:\Program Files\MSBuild
    2008-02-10 23:43 --------- d-----w C:\Program Files\FlashFXP
    2008-02-01 20:16 --------- d-----w C:\Program Files\TortoiseCVS
    2008-01-23 15:27 737,280 ----a-w C:\WINDOWS\iun6002.exe
    2008-01-10 19:29 --------- d-----w C:\Documents and Settings\Joakim\Application Data\vlc
    2008-01-04 22:28 --------- d-----w C:\Documents and Settings\Joakim\Application Data\VanDyke
    2008-01-03 22:10 --------- d-----w C:\Program Files\Skype
    2008-01-01 22:02 --------- d-----w C:\Program Files\TortoiseSVN
    2007-12-24 01:22 --------- d-----w C:\Documents and Settings\Joakim\Application Data\phpDesigner 2008
    2007-12-24 01:15 --------- d-----w C:\Program Files\phpDesigner 2008
    2007-05-01 15:12 79,245 ----a-w C:\Documents and Settings\Joakim\Application Data\unins000.dat
    2007-05-01 15:11 683,801 ----a-w C:\Documents and Settings\Joakim\Application Data\unins000.exe
    2007-08-26 00:41 23 --sha-w C:\WINDOWS\system32\abbdadee_r.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseSVN]
    @={30351346-7B7D-4FCC-81B4-1E394CA267EB}

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseSVN]
    @={30351347-7B7D-4FCC-81B4-1E394CA267EB}

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseSVN]
    @={30351348-7B7D-4FCC-81B4-1E394CA267EB}

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseSVN]
    @={3035134B-7B7D-4FCC-81B4-1E394CA267EB}

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseSVN]
    @={3035134C-7B7D-4FCC-81B4-1E394CA267EB}

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseSVN]
    @={3035134D-7B7D-4FCC-81B4-1E394CA267EB}

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseSVN]
    @={3035134E-7B7D-4FCC-81B4-1E394CA267EB}

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS0]
    @={5d1cb710-1c4b-11d4-bed5-005004b1f42f}

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS1]
    @={5d1cb711-1c4b-11d4-bed5-005004b1f42f}

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS2]
    @={5d1cb712-1c4b-11d4-bed5-005004b1f42f}

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS3]
    @={5d1cb713-1c4b-11d4-bed5-005004b1f42f}

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS4]
    @={5d1cb714-1c4b-11d4-bed5-005004b1f42f}

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS5]
    @={5d1cb715-1c4b-11d4-bed5-005004b1f42f}

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS6]
    @={5d1cb716-1c4b-11d4-bed5-005004b1f42f}

    [HKEY_CLASSES_ROOT\CLSID\{30351346-7B7D-4FCC-81B4-1E394CA267EB}]
    2007-12-21 21:53 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

    [HKEY_CLASSES_ROOT\CLSID\{30351347-7B7D-4FCC-81B4-1E394CA267EB}]
    2007-12-21 21:53 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

    [HKEY_CLASSES_ROOT\CLSID\{30351348-7B7D-4FCC-81B4-1E394CA267EB}]
    2007-12-21 21:53 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

    [HKEY_CLASSES_ROOT\CLSID\{3035134B-7B7D-4FCC-81B4-1E394CA267EB}]
    2007-12-21 21:53 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

    [HKEY_CLASSES_ROOT\CLSID\{3035134C-7B7D-4FCC-81B4-1E394CA267EB}]
    2007-12-21 21:53 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

    [HKEY_CLASSES_ROOT\CLSID\{3035134D-7B7D-4FCC-81B4-1E394CA267EB}]
    2007-12-21 21:53 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

    [HKEY_CLASSES_ROOT\CLSID\{3035134E-7B7D-4FCC-81B4-1E394CA267EB}]
    2007-12-21 21:53 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

    [HKEY_CLASSES_ROOT\CLSID\{5d1cb710-1c4b-11d4-bed5-005004b1f42f}]
    2007-12-02 22:00 1421312 --a------ C:\Program Files\TortoiseCVS\TortoiseShell.dll

    [HKEY_CLASSES_ROOT\CLSID\{5d1cb711-1c4b-11d4-bed5-005004b1f42f}]
    2007-12-02 22:00 1421312 --a------ C:\Program Files\TortoiseCVS\TortoiseShell.dll

    [HKEY_CLASSES_ROOT\CLSID\{5d1cb712-1c4b-11d4-bed5-005004b1f42f}]
    2007-12-02 22:00 1421312 --a------ C:\Program Files\TortoiseCVS\TortoiseShell.dll

    [HKEY_CLASSES_ROOT\CLSID\{5d1cb713-1c4b-11d4-bed5-005004b1f42f}]
    2007-12-02 22:00 1421312 --a------ C:\Program Files\TortoiseCVS\TortoiseShell.dll

    [HKEY_CLASSES_ROOT\CLSID\{5d1cb714-1c4b-11d4-bed5-005004b1f42f}]
    2007-12-02 22:00 1421312 --a------ C:\Program Files\TortoiseCVS\TortoiseShell.dll

    [HKEY_CLASSES_ROOT\CLSID\{5d1cb715-1c4b-11d4-bed5-005004b1f42f}]
    2007-12-02 22:00 1421312 --a------ C:\Program Files\TortoiseCVS\TortoiseShell.dll

    [HKEY_CLASSES_ROOT\CLSID\{5d1cb716-1c4b-11d4-bed5-005004b1f42f}]
    2007-12-02 22:00 1421312 --a------ C:\Program Files\TortoiseCVS\TortoiseShell.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2008-02-12 11:18 1679729]
    "NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
    "avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 14:00 79224]
    "SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2003-05-29 16:28 790528]
    "vmware-tray"="C:\Program Files\VMware\VMware Workstation\vmware-tray.exe" [2007-05-01 21:52 68400]
    "VMware hqtray"="C:\Program Files\VMware\VMware Workstation\hqtray.exe" [2007-05-01 21:52 56112]

    C:\Documents and Settings\Joakim\Start Menu\Programs\Startup\
    SpeedFan.lnk.disabled [2006-03-04 16:49:13 682]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Acrobat Assistant.lnk.disabled [2006-02-03 00:05:49 1824]
    Dispatcher.lnk.disabled [2006-04-05 16:01:09 856]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Authentication Packages REG_MULTI_SZ msv1_0 setuid

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
    "VMware hqtray"="C:\Program Files\VMware\VMware Workstation\hqtray.exe"
    "vmware-tray"=C:\Program Files\VMware\VMware Workstation\vmware-tray.exe

    R0 hotcore3;hotcore3;C:\WINDOWS\system32\drivers\hotcore3.sys [2007-03-07 12:27]
    R2 SQLWriter;SQL Server VSS Writer;"c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2007-02-10 05:29]
    R2 tcaicchg;tcaicchg;C:\WINDOWS\System32\tcaicchg.sys [2000-06-06 11:08]
    R2 TCAITDI;TCAITDI Protocol;C:\WINDOWS\system32\DRIVERS\TCAITDI.sys [2001-09-04 04:22]
    R2 vstor2-ws60;Vstor2 WS60 Virtual Storage Driver;C:\Program Files\VMware\VMware Workstation\vstor2-ws60.sys [2007-04-09 12:55]
    R3 vmkbd;VMware kbd;C:\WINDOWS\system32\drivers\VMkbd.sys [2007-05-01 21:52]
    S3 GTwinUSB;GTwinUSB;C:\WINDOWS\system32\Drivers\GTwinUSB.sys [2002-10-04 11:21]
    S3 LCcfltr;Logitech USB Filter Driver;C:\WINDOWS\system32\Drivers\LCcFltr.Sys [2004-03-03 08:50]
    S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2005-08-02 22:10]
    S3 ufad-ws60;VMware Agent Service;"C:\Program Files\VMware\VMware Workstation\vmware-ufad.exe" -d "C:\Program Files\VMware\VMware Workstation\\" []
    S3 VSPerfDrv90;Performance Tools Driver 9.0;C:\Program Files\Microsoft Visual Studio 9.0\Team Tools\Performance Tools\VSPerfDrv90.sys [2007-09-04 16:53]
    S4 msvsmon80;Visual Studio 2005 Remote Debugger;"C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" [2006-12-02 05:17]
    S4 msvsmon90;Visual Studio 2008 Remote Debugger;"C:\Program Files\Microsoft Visual Studio 9.0\Common7\IDE\Remote Debugger\x86\msvsmon.exe" [2007-11-07 08:58]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
    \Shell\AutoRun\command - D:\autorun.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
    \Shell\AutoRun\command - E:\Launcher.exe

    .
    Contents of the 'Scheduled Tasks' folder
    "2008-02-17 15:06:35 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    "2008-02-17 15:06:24 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
    - C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-02-20 02:00:12
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\System32\SCardSvr.exe
    C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
    C:\Program Files\Paradigma Software\Bonjour\mDNSResponder.exe
    C:\Program Files\CVSNT\cvslock.exe
    C:\Program Files\CVSNT\cvsservice.exe
    c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
    C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
    C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
    C:\WINDOWS\system32\vmnat.exe
    C:\WINDOWS\system32\vmnetdhcp.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
    .
    **************************************************************************
    .
    Completion time: 2008-02-20 2:08:06 - machine was rebooted
    ComboFix2.txt 2008-02-18 02:21:47
    .
    2008-02-12 23:25:53 --- E O F ---

  7. #17
    Member
    Join Date
    Feb 2008
    Posts
    47

    Default My latest (old) CF log Part 1

    ComboFix 08-02-20.2 - Joakim 2008-02-22 4:11:00.8 - NTFSx86 NETWORK
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1593 [GMT 1:00]
    Running from: C:\Documents and Settings\Joakim\Desktop\ComboFix.exe

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\system32\drivers\down

    .
    ((((((((((((((((((((((((( Files Created from 2008-01-22 to 2008-02-22 )))))))))))))))))))))))))))))))
    .

    2008-02-22 03:53 . 2008-02-22 03:53 <DIR> d-------- C:\WINDOWS\LastGood
    2008-02-22 03:40 . 2008-02-22 03:40 <DIR> d-------- C:\Program Files\ATI Technologies
    2008-02-22 03:21 . 2006-02-28 13:00 18,944 --a------ C:\WINDOWS\system32\simptcp.dll
    2008-02-22 03:18 . 2008-02-22 03:18 <DIR> d-------- C:\WINDOWS\LastGood.Tmp
    2008-02-22 00:32 . 2008-02-22 00:32 <DIR> d-------- C:\Documents and Settings\Joakim\DoctorWeb
    2008-02-21 20:40 . 2008-02-21 20:41 <DIR> d-------- C:\getservice
    2008-02-21 19:38 . 2008-02-21 19:38 <DIR> d-------- C:\ATI
    2008-02-21 01:03 . 2008-02-21 01:03 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-02-21 01:03 . 2008-02-21 01:03 <DIR> d-------- C:\Documents and Settings\Joakim\Application Data\Malwarebytes
    2008-02-21 01:03 . 2008-02-21 01:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-02-20 14:32 . 2008-02-20 14:32 <DIR> d-------- C:\VundoFix Backups
    2008-02-19 23:37 . 2008-02-21 08:19 250 --a------ C:\WINDOWS\gmer.ini
    2008-02-18 14:02 . 2008-02-18 14:02 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
    2008-02-18 14:02 . 2008-02-18 14:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2008-02-18 10:44 . 2008-02-18 10:44 <DIR> d-------- C:\Program Files\Trend Micro
    2008-02-18 10:39 . 2008-02-18 10:39 812,344 --a------ C:\temp\HJTInstall.exe
    2008-02-18 00:53 . 2008-02-18 00:53 2,062,665 --a------ C:\temp\spywareguardsetup.exe
    2008-02-18 00:42 . 2008-02-18 00:43 2,566,736 --a------ C:\temp\spywareblastersetup351.exe
    2008-02-17 23:14 . 2008-02-17 23:13 15,852,952 --a------ C:\temp\jre-6u4-windows-i586-p.exe.exe
    2008-02-17 21:53 . 2008-02-17 21:53 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
    2008-02-17 21:53 . 2008-02-17 21:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-02-17 21:02 . 2002-09-20 10:53 235,100 --a------ C:\WINDOWS\system32\drivers\MidiSyn.sys
    2008-02-17 21:01 . 2008-02-17 21:01 <DIR> d-------- C:\WINDOWS\VirtualEar
    2008-02-17 21:01 . 2008-02-17 21:01 <DIR> d-------- C:\Program Files\Analog Devices
    2008-02-17 21:01 . 2001-09-11 15:20 1,285,632 --a------ C:\WINDOWS\system32\SMMedia.dll
    2008-02-17 21:01 . 2001-09-19 13:47 765,952 --a------ C:\WINDOWS\system\crlds3d.dll
    2008-02-17 21:01 . 2001-09-19 13:47 720,896 --a------ C:\WINDOWS\system32\Audio3d.dll
    2008-02-17 21:01 . 2003-06-02 13:42 578,304 --a------ C:\WINDOWS\system32\drivers\smwdm.sys
    2008-02-17 21:01 . 2003-03-13 18:34 100,224 --a------ C:\WINDOWS\system32\drivers\aeaudio.sys
    2008-02-17 21:01 . 2003-01-08 11:23 49,152 --a------ C:\WINDOWS\system32\DSndUp.exe
    2008-02-17 21:01 . 2002-04-17 15:05 45,056 --a------ C:\WINDOWS\system32\CleanUp.exe
    2008-02-17 21:01 . 2001-09-11 15:20 30,208 --a------ C:\WINDOWS\system32\wdmioctl.dll
    2008-02-17 21:01 . 2003-03-13 15:40 3,744 --a------ C:\WINDOWS\system32\drivers\smsens.sys
    2008-02-17 20:34 . 2008-02-18 23:21 <DIR> d-------- C:\temp\WinLicenseDemo
    2008-02-17 18:53 . 2008-02-17 18:53 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2008-02-17 16:44 . 2007-12-04 14:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
    2008-02-17 16:44 . 2007-12-04 13:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
    2008-02-17 16:44 . 2007-12-04 15:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
    2008-02-17 16:44 . 2007-12-04 15:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
    2008-02-17 16:44 . 2007-12-04 15:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
    2008-02-17 16:44 . 2007-12-04 15:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
    2008-02-17 16:44 . 2007-12-04 15:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
    2008-02-17 13:35 . 2008-02-17 13:35 55 --a------ C:\WINDOWS\regrunfix.rnr
    2008-02-17 03:58 . C:\WINDOWS\(2) C:\ComboFix\winstart.bat
    2008-02-16 23:10 . 2008-02-16 23:12 <DIR> d-------- C:\Documents and Settings\Joakim\Application Data\PrevxCSI
    2008-02-16 09:09 . 2008-02-16 21:37 <DIR> d-------- C:\WINDOWS\BDOSCAN8
    2008-02-15 16:31 . 2008-02-17 14:18 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
    2008-02-15 16:30 . 2008-02-15 22:55 <DIR> d-------- C:\Documents and Settings\Joakim\.housecall6.6
    2008-02-15 15:20 . 2008-02-17 22:57 <DIR> d-------- C:\Program Files\Trojan Remover
    2008-02-15 15:20 . 2008-02-15 15:20 <DIR> d-------- C:\Documents and Settings\Joakim\Application Data\Simply Super Software
    2008-02-15 15:20 . 2008-02-15 15:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Simply Super Software
    2008-02-15 15:20 . 2006-05-25 14:52 162,304 --a------ C:\WINDOWS\system32\ztvunrar36.dll
    2008-02-15 15:20 . 2003-02-02 19:06 153,088 --a------ C:\WINDOWS\system32\UNRAR3.dll
    2008-02-15 15:20 . 2005-08-26 00:50 77,312 --a------ C:\WINDOWS\system32\ztvunace26.dll
    2008-02-15 15:20 . 2002-03-06 00:00 75,264 --a------ C:\WINDOWS\system32\unacev2.dll
    2008-02-15 15:20 . 2006-06-19 12:01 69,632 --a------ C:\WINDOWS\system32\ztvcabinet.dll
    2008-02-15 00:12 . 2008-02-15 00:11 407,680 --a------ C:\temp\aswclnr.exe
    2008-02-14 22:43 . 2008-02-17 15:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-02-14 22:27 . 2008-02-14 22:38 21,364,592 --a------ C:\temp\aaw2007.exe
    2008-02-14 22:22 . 2008-02-14 22:22 17,255,626 --a------ C:\temp\WinLicenseDemo.zip
    2008-02-14 12:41 . 2008-02-14 12:41 499,712 --a------ C:\WINDOWS\system32\ExSlider.dll
    2008-02-14 12:41 . 2008-02-14 12:41 203,488 --a------ C:\WINDOWS\system32\ExSlider.chm
    2008-02-14 12:40 . 2008-02-14 12:40 573,440 --a------ C:\WINDOWS\system32\ExStatusBar.dll
    2008-02-14 12:40 . 2008-02-14 12:40 436,674 --a------ C:\WINDOWS\system32\ExStatusBar.chm
    2008-02-14 12:39 . 2008-02-14 12:39 434,176 --a------ C:\WINDOWS\system32\ExThumbnail.dll
    2008-02-14 12:34 . 2008-02-14 12:34 331,776 --a------ C:\WINDOWS\system32\ExTexture.dll
    2008-02-14 12:34 . 2008-02-14 12:34 102,224 --a------ C:\WINDOWS\system32\ExTexture.chm
    2008-02-14 12:31 . 2008-02-14 12:31 172,032 --a------ C:\WINDOWS\system32\MaskEdit.dll
    2008-02-14 12:31 . 2008-02-14 12:31 53,672 --a------ C:\WINDOWS\system32\MaskEdit.chm
    2008-02-14 12:28 . 2008-02-14 12:28 <DIR> d-------- C:\Program Files\Copy of EXECryptor
    2008-02-13 14:50 . 2008-02-13 14:50 389,120 --a------ C:\WINDOWS\system32\ExCalc.dll
    2008-02-13 14:50 . 2008-02-13 14:50 84,478 --a------ C:\WINDOWS\system32\ExCalc.chm
    2008-02-13 14:42 . 2008-02-13 14:42 479,232 --a------ C:\WINDOWS\system32\ExRolList.dll
    2008-02-13 14:42 . 2008-02-13 14:42 210,902 --a------ C:\WINDOWS\system32\ExRolList.CHM
    2008-02-13 14:03 . 2008-02-13 14:03 225,280 --a------ C:\WINDOWS\system32\ExShellView.dll
    2008-02-13 14:03 . 2008-02-13 14:03 83,770 --a------ C:\WINDOWS\system32\ExShellView.chm
    2008-02-13 13:58 . 2008-02-13 13:58 397,312 --a------ C:\WINDOWS\system32\ExFolderView.dll
    2008-02-13 13:58 . 2008-02-13 13:58 117,644 --a------ C:\WINDOWS\system32\ExFolderView.chm
    2008-02-13 13:52 . 2008-02-13 14:09 286,720 --a------ C:\WINDOWS\system32\ExToolTip.dll
    2008-02-13 13:52 . 2008-02-13 14:09 119,264 --a------ C:\WINDOWS\system32\ExToolTip.chm
    2008-02-13 13:34 . 2008-02-13 13:34 438,272 --a------ C:\WINDOWS\system32\ExLabel.dll
    2008-02-13 13:34 . 2008-02-13 13:34 152,774 --a------ C:\WINDOWS\system32\ExLabel.chm
    2008-02-12 20:09 . 2008-02-12 20:09 1,995,825 --a------ C:\WINDOWS\system32\ExGantt.chm
    2008-02-12 20:09 . 2008-02-12 20:09 1,486,848 --a------ C:\WINDOWS\system32\ExGantt.dll
    2008-02-12 20:05 . 2008-02-12 20:05 634,880 --a------ C:\WINDOWS\system32\ExCalendar.dll
    2008-02-12 20:05 . 2008-02-12 20:05 460,734 --a------ C:\WINDOWS\system32\ExCalendar.chm
    2008-02-12 19:56 . 2008-02-12 19:56 2,680,120 --a------ C:\WINDOWS\system32\ExG2antt.chm
    2008-02-12 19:56 . 2008-02-12 19:56 1,933,312 --a------ C:\WINDOWS\system32\ExG2antt.dll
    2008-02-12 10:16 . 2008-02-12 10:16 <DIR> d-------- C:\Program Files\QuickTime
    2008-02-11 18:26 . 2008-02-11 18:26 <DIR> d-------- C:\WINDOWS\system32\js
    2008-02-11 18:26 . 2008-02-11 18:26 <DIR> d-------- C:\WINDOWS\system32\images
    2008-02-11 18:26 . 2008-02-11 18:26 <DIR> d-------- C:\WINDOWS\system32\html
    2008-02-11 18:26 . 2008-02-11 18:26 <DIR> d-------- C:\WINDOWS\system32\css
    2008-02-11 18:26 . 2008-02-11 18:26 <DIR> d-------- C:\Program Files\Business Objects
    2008-02-11 18:10 . 2008-02-11 18:10 <DIR> d-------- C:\Program Files\Microsoft Device Emulator
    2008-02-11 18:09 . 2008-02-11 18:09 <DIR> d-------- C:\Program Files\Windows Mobile 5.0 SDK R2
    2008-02-11 18:08 . 2008-02-11 18:08 <DIR> d-------- C:\Program Files\Microsoft Synchronization Services
    2008-02-11 18:08 . 2008-02-11 18:08 <DIR> d-------- C:\Program Files\Microsoft SQL Server Compact Edition
    2008-02-11 17:51 . 2008-02-11 18:26 <DIR> d-------- C:\Program Files\Microsoft Visual Studio 9.0
    2008-02-11 17:51 . 2008-02-11 17:51 <DIR> d-------- C:\Program Files\Microsoft SDKs

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-02-22 03:09 --------- d-----w C:\Documents and Settings\Joakim\Application Data\VMware
    2008-02-20 01:00 --------- d-----w C:\Documents and Settings\NetworkService\Application Data\VMware
    2008-02-20 01:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\VMware
    2008-02-19 23:57 --------- d-----w C:\Program Files\SpywareGuard
    2008-02-18 14:03 --------- d-----w C:\Documents and Settings\Joakim\Application Data\Skype
    2008-02-17 23:50 --------- d-----w C:\Program Files\SpywareBlaster
    2008-02-17 23:36 --------- d-----w C:\Program Files\SpeedFan
    2008-02-17 22:27 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
    2008-02-17 22:19 --------- d-----w C:\Program Files\Java
    2008-02-17 20:01 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-02-17 17:54 --------- d-----w C:\Program Files\Lavasoft
    2008-02-16 23:46 --------- d-----w C:\Documents and Settings\LocalService\Application Data\VMware
    2008-02-16 21:49 --------- d-----w C:\Documents and Settings\Joakim\Application Data\uTorrent
    2008-02-16 20:50 --------- d-----w C:\Program Files\Windows Desktop Search
    2008-02-14 23:04 --------- d-----w C:\Program Files\WYSIWYG Web Builder 4.0
    2008-02-14 21:29 --------- d-----w C:\Documents and Settings\Joakim\Application Data\Lavasoft
    2008-02-14 11:41 --------- d-----w C:\Program Files\Exontrol
    2008-02-14 11:29 --------- d-----w C:\Program Files\EXECryptor
    2008-02-12 23:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
    2008-02-12 09:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
    2008-02-11 17:37 --------- d-----w C:\Program Files\MSDN
    2008-02-11 17:24 --------- d-----w C:\Program Files\Microsoft SQL Server
    2008-02-11 17:21 --------- d-----w C:\Program Files\Microsoft.NET
    2008-02-11 16:58 --------- d-----w C:\Program Files\Common Files\Merge Modules
    2008-02-11 16:53 --------- d-----w C:\Program Files\MSBuild
    2008-02-10 23:43 --------- d-----w C:\Program Files\FlashFXP
    2008-02-01 20:16 --------- d-----w C:\Program Files\TortoiseCVS
    2008-01-23 15:27 737,280 ----a-w C:\WINDOWS\iun6002.exe
    2008-01-10 19:29 --------- d-----w C:\Documents and Settings\Joakim\Application Data\vlc
    2008-01-04 22:28 --------- d-----w C:\Documents and Settings\Joakim\Application Data\VanDyke
    2008-01-03 22:10 --------- d-----w C:\Program Files\Skype
    2008-01-01 22:02 --------- d-----w C:\Program Files\TortoiseSVN
    2007-12-24 01:22 --------- d-----w C:\Documents and Settings\Joakim\Application Data\phpDesigner 2008
    2007-12-24 01:15 --------- d-----w C:\Program Files\phpDesigner 2008
    2007-05-01 15:12 79,245 ----a-w C:\Documents and Settings\Joakim\Application Data\unins000.dat
    2007-05-01 15:11 683,801 ----a-w C:\Documents and Settings\Joakim\Application Data\unins000.exe
    2007-08-26 00:41 23 --sha-w C:\WINDOWS\system32\abbdadee_r.dll
    .

  8. #18
    Member
    Join Date
    Feb 2008
    Posts
    47

    Default Part 2

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseSVN]
    @={30351346-7B7D-4FCC-81B4-1E394CA267EB}

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseSVN]
    @={30351347-7B7D-4FCC-81B4-1E394CA267EB}

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseSVN]
    @={30351348-7B7D-4FCC-81B4-1E394CA267EB}

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseSVN]
    @={3035134B-7B7D-4FCC-81B4-1E394CA267EB}

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseSVN]
    @={3035134C-7B7D-4FCC-81B4-1E394CA267EB}

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseSVN]
    @={3035134D-7B7D-4FCC-81B4-1E394CA267EB}

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseSVN]
    @={3035134E-7B7D-4FCC-81B4-1E394CA267EB}

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS0]
    @={5d1cb710-1c4b-11d4-bed5-005004b1f42f}

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS1]
    @={5d1cb711-1c4b-11d4-bed5-005004b1f42f}

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS2]
    @={5d1cb712-1c4b-11d4-bed5-005004b1f42f}

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS3]
    @={5d1cb713-1c4b-11d4-bed5-005004b1f42f}

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS4]
    @={5d1cb714-1c4b-11d4-bed5-005004b1f42f}

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS5]
    @={5d1cb715-1c4b-11d4-bed5-005004b1f42f}

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS6]
    @={5d1cb716-1c4b-11d4-bed5-005004b1f42f}

    [HKEY_CLASSES_ROOT\CLSID\{30351346-7B7D-4FCC-81B4-1E394CA267EB}]
    2007-12-21 21:53 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

    [HKEY_CLASSES_ROOT\CLSID\{30351347-7B7D-4FCC-81B4-1E394CA267EB}]
    2007-12-21 21:53 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

    [HKEY_CLASSES_ROOT\CLSID\{30351348-7B7D-4FCC-81B4-1E394CA267EB}]
    2007-12-21 21:53 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

    [HKEY_CLASSES_ROOT\CLSID\{3035134B-7B7D-4FCC-81B4-1E394CA267EB}]
    2007-12-21 21:53 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

    [HKEY_CLASSES_ROOT\CLSID\{3035134C-7B7D-4FCC-81B4-1E394CA267EB}]
    2007-12-21 21:53 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

    [HKEY_CLASSES_ROOT\CLSID\{3035134D-7B7D-4FCC-81B4-1E394CA267EB}]
    2007-12-21 21:53 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

    [HKEY_CLASSES_ROOT\CLSID\{3035134E-7B7D-4FCC-81B4-1E394CA267EB}]
    2007-12-21 21:53 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

    [HKEY_CLASSES_ROOT\CLSID\{5d1cb710-1c4b-11d4-bed5-005004b1f42f}]
    2007-12-02 22:00 1421312 --a------ C:\Program Files\TortoiseCVS\TortoiseShell.dll

    [HKEY_CLASSES_ROOT\CLSID\{5d1cb711-1c4b-11d4-bed5-005004b1f42f}]
    2007-12-02 22:00 1421312 --a------ C:\Program Files\TortoiseCVS\TortoiseShell.dll

    [HKEY_CLASSES_ROOT\CLSID\{5d1cb712-1c4b-11d4-bed5-005004b1f42f}]
    2007-12-02 22:00 1421312 --a------ C:\Program Files\TortoiseCVS\TortoiseShell.dll

    [HKEY_CLASSES_ROOT\CLSID\{5d1cb713-1c4b-11d4-bed5-005004b1f42f}]
    2007-12-02 22:00 1421312 --a------ C:\Program Files\TortoiseCVS\TortoiseShell.dll

    [HKEY_CLASSES_ROOT\CLSID\{5d1cb714-1c4b-11d4-bed5-005004b1f42f}]
    2007-12-02 22:00 1421312 --a------ C:\Program Files\TortoiseCVS\TortoiseShell.dll

    [HKEY_CLASSES_ROOT\CLSID\{5d1cb715-1c4b-11d4-bed5-005004b1f42f}]
    2007-12-02 22:00 1421312 --a------ C:\Program Files\TortoiseCVS\TortoiseShell.dll

    [HKEY_CLASSES_ROOT\CLSID\{5d1cb716-1c4b-11d4-bed5-005004b1f42f}]
    2007-12-02 22:00 1421312 --a------ C:\Program Files\TortoiseCVS\TortoiseShell.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:56 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-02-12 11:18 1679729]
    "SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2003-05-29 16:28 790528]
    "vmware-tray"="C:\Program Files\VMware\VMware Workstation\vmware-tray.exe" [2007-05-01 21:52 68400]
    "VMware hqtray"="C:\Program Files\VMware\VMware Workstation\hqtray.exe" [2007-05-01 21:52 56112]
    "NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]

    C:\Documents and Settings\Joakim\Start Menu\Programs\Startup\
    SpeedFan.lnk.disabled [2006-03-04 16:49:13 682]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Acrobat Assistant.lnk.disabled [2006-02-03 00:05:49 1824]
    Dispatcher.lnk.disabled [2006-04-05 16:01:09 856]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Authentication Packages REG_MULTI_SZ msv1_0 setuid

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "ATI Smart"=2 (0x2)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
    "VMware hqtray"="C:\Program Files\VMware\VMware Workstation\hqtray.exe"
    "vmware-tray"=C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
    "ATIPTA"=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

    R0 hotcore3;hotcore3;C:\WINDOWS\system32\drivers\hotcore3.sys [2007-03-07 12:27]
    R3 vmkbd;VMware kbd;C:\WINDOWS\system32\drivers\VMkbd.sys [2007-05-01 21:52]
    S2 SQLWriter;SQL Server VSS Writer;"c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2007-02-10 05:29]
    S2 tcaicchg;tcaicchg;C:\WINDOWS\System32\tcaicchg.sys [2000-06-06 11:08]
    S2 TCAITDI;TCAITDI Protocol;C:\WINDOWS\system32\DRIVERS\TCAITDI.sys [2001-09-04 04:22]
    S2 vstor2-ws60;Vstor2 WS60 Virtual Storage Driver;C:\Program Files\VMware\VMware Workstation\vstor2-ws60.sys [2007-04-09 12:55]
    S3 ATICDSDr;ATICDSDr;C:\DOCUME~1\Joakim\LOCALS~1\Temp\ATICDSDr.sys []
    S3 GTwinUSB;GTwinUSB;C:\WINDOWS\system32\Drivers\GTwinUSB.sys [2002-10-04 11:21]
    S3 LCcfltr;Logitech USB Filter Driver;C:\WINDOWS\system32\Drivers\LCcFltr.Sys [2004-03-03 08:50]
    S3 MBAMCatchMe;MBAMCatchMe;C:\Program Files\Malwarebytes' Anti-Malware\catchme.sys [2008-02-18 19:42]
    S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2005-08-02 22:10]
    S3 VSPerfDrv90;Performance Tools Driver 9.0;C:\Program Files\Microsoft Visual Studio 9.0\Team Tools\Performance Tools\VSPerfDrv90.sys [2007-09-04 16:53]
    S4 msvsmon80;Visual Studio 2005 Remote Debugger;"C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" [2006-12-02 05:17]
    S4 msvsmon90;Visual Studio 2008 Remote Debugger;"C:\Program Files\Microsoft Visual Studio 9.0\Common7\IDE\Remote Debugger\x86\msvsmon.exe" [2007-11-07 08:58]
    S4 ufad-ws60;VMware Agent Service;"C:\Program Files\VMware\VMware Workstation\vmware-ufad.exe" -d "C:\Program Files\VMware\VMware Workstation\\" []

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
    \Shell\AutoRun\command - D:\autorun.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
    \Shell\AutoRun\command - E:\Launcher.exe

    .
    Contents of the 'Scheduled Tasks' folder
    "2008-02-17 15:06:35 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    "2008-02-17 15:06:24 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
    - C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-02-22 04:19:21
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
    .
    **************************************************************************
    .
    Completion time: 2008-02-22 4:26:54 - machine was rebooted
    ComboFix2.txt 2008-02-21 21:57:46
    ComboFix3.txt 2008-02-21 21:10:53
    ComboFix4.txt 2008-02-20 01:08:07
    ComboFix5.txt 2008-02-18 02:21:47
    .
    2008-02-12 23:25:53 --- E O F ---

    I will now download a new copy of CF and try to run a scan with the current situation. I have not noticed any renaming but it's possibly because of my very first actions. The files in down dir have been there but as I also said before, I tried to fix this myself before I turned here for help but was only half successful. I also think 1 CF log was lost as the program seems to recycle them, pushing the stack after 5 runs/backup. But I think I got rid of these files without seeing them coming back, before I turned here.
    Life on Earth is expensive but it includes a free trip around the Sun every year.

  9. #19
    Security Expert-Emeritus steamwiz's Avatar
    Join Date
    Dec 2005
    Location
    Yorkshire. U.K.
    Posts
    1,313

    Default

    Hi

    This infection hides its reinfector in what appears to be a legitimate file with a legit run key, so that when you reboot it can reinfect ...

    the first Combofix log shows this run key & the infected file is atiptaxx.exe

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2008-02-12 11:18 1679729]

    The second Combofix log shows the atiptaxx.exe run key has been moved to the run- & now the ashDisp.exe is the infecter ... note the date & size on both files ...


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-02-12 11:18 1679729]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "ATIPTA"=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

    -
    ComboFix 08-02-20.2 - Joakim 2008-02-20 1:53:02.5 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1518 [GMT 1:00]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2008-02-12 11:18 1679729]
    "NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
    "avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 14:00 79224]
    "SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2003-05-29 16:28 790528]
    "vmware-tray"="C:\Program Files\VMware\VMware Workstation\vmware-tray.exe" [2007-05-01 21:52 68400]
    "VMware hqtray"="C:\Program Files\VMware\VMware Workstation\hqtray.exe" [2007-05-01 21:52 56112]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
    "VMware hqtray"="C:\Program Files\VMware\VMware Workstation\hqtray.exe"
    "vmware-tray"=C:\Program Files\VMware\VMware Workstation\vmware-tray.exe


    -
    ComboFix 08-02-20.2 - Joakim 2008-02-22 4:11:00.8 - NTFSx86 NETWORK
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1593 [GMT 1:00]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-02-12 11:18 1679729]
    "SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2003-05-29 16:28 790528]
    "vmware-tray"="C:\Program Files\VMware\VMware Workstation\vmware-tray.exe" [2007-05-01 21:52 68400]
    "VMware hqtray"="C:\Program Files\VMware\VMware Workstation\hqtray.exe" [2007-05-01 21:52 56112]
    "NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
    "VMware hqtray"="C:\Program Files\VMware\VMware Workstation\hqtray.exe"
    "vmware-tray"=C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
    "ATIPTA"=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

    --------------

    Another interesting thing is XP doesn't by default have a :-

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-] key

    It uses different keys ...

    --
    I'm sending you another PM

    steam
    MICROSOFT MVP - Security 2004/9 .member of ASAP since 2004 - member of U.N.I.T.E
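
The comparison made by eye in the post above, written out as an added example (it is not part of the original posts and is not ComboFix code): it parses the Run-key lines of two logs and reports autostart files whose date/size changed, or whose date/size previously belonged to a different file. The function names are hypothetical; the sample input is a subset of the Run-key lines quoted in this thread.

```python
import re

# Run-key lines copied from the two ComboFix logs quoted in the post above.
LOG_2008_02_20 = r'''
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2008-02-12 11:18 1679729]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 14:00 79224]
"vmware-tray"="C:\Program Files\VMware\VMware Workstation\vmware-tray.exe" [2007-05-01 21:52 68400]
'''
LOG_2008_02_22 = r'''
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-02-12 11:18 1679729]
"vmware-tray"="C:\Program Files\VMware\VMware Workstation\vmware-tray.exe" [2007-05-01 21:52 68400]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
'''

# "name"="path" [YYYY-MM-DD HH:MM size]
ENTRY = re.compile(r'^\s*"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s+'
                   r'\[(?P<stamp>\d{4}-\d\d-\d\d \d\d:\d\d) (?P<size>\d+)\]', re.M)

def parse_run_entries(log_text):
    """Map each autostart file path to its (timestamp, size) fingerprint."""
    return {m['path'].lower(): (m['stamp'], int(m['size']))
            for m in ENTRY.finditer(log_text)}

def diff_run_entries(old_log, new_log):
    """Return findings as (kind, path, detail) tuples."""
    old, new = parse_run_entries(old_log), parse_run_entries(new_log)
    findings = []
    for path, fp in new.items():
        if path in old and old[path] != fp:
            # Same autostart path, different date/size: the file was replaced.
            findings.append(('changed', path, (old[path], fp)))
        # Fingerprint seen earlier on a different path: the same binary
        # has probably been copied over this file.
        for other, other_fp in old.items():
            if other != path and other_fp == fp:
                findings.append(('fingerprint_moved', path, other))
    for path in old.keys() - new.keys():
        findings.append(('removed_from_run', path, old[path]))
    return findings

if __name__ == '__main__':
    for finding in diff_run_entries(LOG_2008_02_20, LOG_2008_02_22):
        print(finding)
```

A shared date and size is only a lead; comparing file hashes against a known-good copy is what confirms the replacement.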

  10. #20
    Member
    Join Date
    Feb 2008
    Posts
    47

    Default

    Then I was right in my suspicion of the ati driver, although it was more intuition than technical analysis and now it hits me I haven't seen the avast popper about updated definitions for a while but I have plugged the speakers into my notebook for some entertainment while waiting for scans

    so it should basically be just to reinstall Avast to replace the file, unless it has moved to another hideout.
    Life on Earth is expensive but it includes a free trip around the Sun every year.
