
Thread: need help w/ hard to kill trojan

  1. #21
    steamwiz (Security Expert-Emeritus; joined Dec 2005; Yorkshire, U.K.; 1,313 posts)

    Quote Originally Posted by yettyn:
    Then I was right in my suspicion of the ati driver, although it was more intuition than technical analysis, and now it hits me I haven't seen the avast popup about updated definitions for a while, but I have plugged the speakers into my notebook for some entertainment while waiting for scans

    So it should basically be just to reinstall Avast to replace the file, unless it has moved to another hideout.
    Well seeing as you stopped it pretty quickly in its tracks, it probably never got to be a full blown infection, so it won't hurt to try that. Remember it's when you reboot that it will jump to another file/runkey, so try to do as much as possible without rebooting, then when you run another Combofix scan we can see what it says ...

    My bedtime now ... don't forget the PM I just sent you, I'll catch up with you again tomorrow

    steam
    MICROSOFT MVP - Security 2004/9. Member of ASAP since 2004 - member of U.N.I.T.E

  2. #22
    Member (joined Feb 2008; 47 posts)

    We did it!

    The is dead and I am out of the web, I will post back later today with details and CF logs etc. as there still is some clean up and system repair to do. Just thought to let you know, and I think I deserve some sleep now.

    So I am fine at the moment, pick someone at the end of the queue instead meanwhile, if you have time to spare.
    Life on Earth is expensive but it includes a free trip around the Sun every year.

  3. #23
    Member (joined Feb 2008; 47 posts)

    Fresh logs coming

    Ok here are fresh CF and HJT logs, CF first and then HJT. Regrun also produced some interesting logs as well which you might be interested in looking at, including a boot log and others I think - but it's quite a lot of data so maybe you don't want me to post it here?

  4. #24
    Member (joined Feb 2008; 47 posts)

    ComboFix.log Part 1

    ComboFix 08-02-24.4 - Joakim 2008-02-24 10:33:16.10 - NTFSx86 MINIMAL
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1592 [GMT 1:00]
    Running from: C:\Documents and Settings\Joakim\Desktop\ComboFix.exe
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((( Files Created from 2008-01-24 to 2008-02-24 )))))))))))))))))))))))))))))))
    .

    2008-02-24 04:34 . 2008-02-24 10:21 1,783,562,240 --a------ C:\LogFile.Etl
    2008-02-23 15:40 . 2008-02-24 04:43 78 --a------ C:\WINDOWS\lsoon.ini
    2008-02-23 15:22 . 2008-02-24 10:58 25,773 --a------ C:\WINDOWS\system32\drivers\regguard.sys
    2008-02-23 15:18 . 2005-04-03 14:02 8,944 --a------ C:\WINDOWS\system32\drivers\UnHackMeDrv.sys
    2008-02-23 15:08 . 2008-02-23 15:09 <DIR> d-------- C:\Documents and Settings\Joakim\Application Data\Regrun
    2008-02-23 15:04 . 2008-02-23 15:04 30,946 --a------ C:\WINDOWS\system32\drivers\Partizan.sys
    2008-02-23 15:04 . 2008-02-23 15:04 25,088 --a------ C:\WINDOWS\system32\Partizan.exe
    2008-02-23 14:53 . 2008-02-24 03:36 <DIR> d-------- C:\regrunplat570
    2008-02-23 14:53 . 2008-02-23 14:53 <DIR> d-------- C:\Program Files\Greatis
    2008-02-23 14:53 . 2008-02-13 11:41 441,856 --a------ C:\WINDOWS\RunGuard.exe
    2008-02-23 14:53 . 2003-09-06 15:55 57,556 --a------ C:\WINDOWS\guard.bmp
    2008-02-23 14:53 . 2000-12-12 19:56 16,384 --a------ C:\WINDOWS\WinBait.org
    2008-02-23 14:53 . 2000-12-12 19:56 16,384 --a------ C:\WINDOWS\WinBait.exe
    2008-02-23 14:52 . 2008-02-23 14:52 11,266,935 --a------ C:\regrunplat570.zip
    2008-02-23 12:46 . 2008-02-23 12:50 <DIR> d-------- C:\Program Files\Windows Live Safety Center
    2008-02-23 03:22 . 2008-02-23 03:21 1,238,736 --a------ C:\MGtools.exe
    2008-02-23 03:08 . 2008-02-23 03:08 <DIR> d-------- C:\Program Files\CCleaner
    2008-02-23 02:57 . 2008-02-23 02:57 <DIR> d-------- C:\Program Files\ERUNT
    2008-02-22 15:36 . 2008-02-22 15:36 791,393 --a------ C:\temp\erunt-setup.exe
    2008-02-22 14:31 . 2008-02-22 17:28 <DIR> d-------- C:\Program Files\EsetOnlineScanner
    2008-02-22 11:51 . 2008-02-22 11:55 <DIR> d-------- C:\WinLicense
    2008-02-22 04:53 . 2008-02-22 04:53 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Simply Super Software
    2008-02-22 04:48 . 2008-02-22 04:52 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\VMware
    2008-02-22 04:42 . 2008-02-22 04:42 6,300,696 --a------ C:\temp\SUPERAntiSpywarePro.exe
    2008-02-22 03:53 . 2008-02-23 12:46 <DIR> d-------- C:\WINDOWS\LastGood
    2008-02-22 03:40 . 2008-02-22 03:40 <DIR> d-------- C:\Program Files\ATI Technologies
    2008-02-22 03:21 . 2006-02-28 13:00 18,944 --a------ C:\WINDOWS\system32\simptcp.dll
    2008-02-22 03:18 . 2008-02-22 03:18 <DIR> d-------- C:\WINDOWS\LastGood.Tmp
    2008-02-22 00:32 . 2008-02-22 00:32 <DIR> d-------- C:\Documents and Settings\Joakim\DoctorWeb
    2008-02-21 20:40 . 2008-02-21 20:41 <DIR> d-------- C:\getservice
    2008-02-21 19:38 . 2008-02-21 19:38 <DIR> d-------- C:\ATI
    2008-02-21 01:03 . 2008-02-21 01:03 <DIR> d-------- C:\Documents and Settings\Joakim\Application Data\Malwarebytes
    2008-02-21 01:03 . 2008-02-21 01:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-02-20 14:32 . 2008-02-20 14:32 <DIR> d-------- C:\VundoFix Backups
    2008-02-19 23:37 . 2008-02-21 08:19 250 --a------ C:\WINDOWS\gmer.ini
    2008-02-18 14:02 . 2008-02-18 14:02 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
    2008-02-18 14:02 . 2008-02-18 14:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2008-02-18 10:44 . 2008-02-18 10:44 <DIR> d-------- C:\Program Files\Trend Micro
    2008-02-18 10:39 . 2008-02-18 10:39 812,344 --a------ C:\temp\HJTInstall.exe
    2008-02-18 00:53 . 2008-02-18 00:53 2,062,665 --a------ C:\temp\spywareguardsetup.exe
    2008-02-18 00:42 . 2008-02-18 00:43 2,566,736 --a------ C:\temp\spywareblastersetup351.exe
    2008-02-17 23:14 . 2008-02-17 23:13 15,852,952 --a------ C:\temp\jre-6u4-windows-i586-p.exe.exe
    2008-02-17 21:53 . 2008-02-17 21:53 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
    2008-02-17 21:53 . 2008-02-17 21:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-02-17 21:02 . 2002-09-20 10:53 235,100 --a------ C:\WINDOWS\system32\drivers\MidiSyn.sys
    2008-02-17 21:01 . 2008-02-17 21:01 <DIR> d-------- C:\WINDOWS\VirtualEar
    2008-02-17 21:01 . 2008-02-17 21:01 <DIR> d-------- C:\Program Files\Analog Devices
    2008-02-17 21:01 . 2001-09-11 15:20 1,285,632 --a------ C:\WINDOWS\system32\SMMedia.dll
    2008-02-17 21:01 . 2001-09-19 13:47 765,952 --a------ C:\WINDOWS\system\crlds3d.dll
    2008-02-17 21:01 . 2001-09-19 13:47 720,896 --a------ C:\WINDOWS\system32\Audio3d.dll
    2008-02-17 21:01 . 2003-06-02 13:42 578,304 --a------ C:\WINDOWS\system32\drivers\smwdm.sys
    2008-02-17 21:01 . 2003-03-13 18:34 100,224 --a------ C:\WINDOWS\system32\drivers\aeaudio.sys
    2008-02-17 21:01 . 2003-01-08 11:23 49,152 --a------ C:\WINDOWS\system32\DSndUp.exe
    2008-02-17 21:01 . 2002-04-17 15:05 45,056 --a------ C:\WINDOWS\system32\CleanUp.exe
    2008-02-17 21:01 . 2001-09-11 15:20 30,208 --a------ C:\WINDOWS\system32\wdmioctl.dll
    2008-02-17 21:01 . 2003-03-13 15:40 3,744 --a------ C:\WINDOWS\system32\drivers\smsens.sys
    2008-02-17 20:34 . 2008-02-18 23:21 <DIR> d-------- C:\temp\WinLicenseDemo
    2008-02-17 18:53 . 2008-02-17 18:53 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2008-02-17 16:44 . 2007-12-04 14:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
    2008-02-17 16:44 . 2007-12-04 13:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
    2008-02-17 16:44 . 2007-12-04 15:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
    2008-02-17 16:44 . 2007-12-04 15:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
    2008-02-17 16:44 . 2007-12-04 15:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
    2008-02-17 16:44 . 2007-12-04 15:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
    2008-02-17 16:44 . 2007-12-04 15:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
    2008-02-17 13:35 . 2008-02-17 13:35 55 --a------ C:\WINDOWS\regrunfix.rnr
    2008-02-17 03:58 . C:\WINDOWS\(2) C:\ComboFix\winstart.bat
    2008-02-16 23:10 . 2008-02-16 23:12 <DIR> d-------- C:\Documents and Settings\Joakim\Application Data\PrevxCSI
    2008-02-16 09:09 . 2008-02-16 21:37 <DIR> d-------- C:\WINDOWS\BDOSCAN8
    2008-02-15 16:31 . 2008-02-17 14:18 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
    2008-02-15 16:30 . 2008-02-15 22:55 <DIR> d-------- C:\Documents and Settings\Joakim\.housecall6.6
    2008-02-15 15:20 . 2008-02-22 08:52 <DIR> d-------- C:\Program Files\Trojan Remover
    2008-02-15 15:20 . 2008-02-15 15:20 <DIR> d-------- C:\Documents and Settings\Joakim\Application Data\Simply Super Software
    2008-02-15 15:20 . 2008-02-15 15:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Simply Super Software
    2008-02-15 15:20 . 2006-05-25 14:52 162,304 --a------ C:\WINDOWS\system32\ztvunrar36.dll
    2008-02-15 15:20 . 2003-02-02 19:06 153,088 --a------ C:\WINDOWS\system32\UNRAR3.dll
    2008-02-15 15:20 . 2005-08-26 00:50 77,312 --a------ C:\WINDOWS\system32\ztvunace26.dll
    2008-02-15 15:20 . 2002-03-06 00:00 75,264 --a------ C:\WINDOWS\system32\unacev2.dll
    2008-02-15 15:20 . 2006-06-19 12:01 69,632 --a------ C:\WINDOWS\system32\ztvcabinet.dll
    2008-02-15 00:12 . 2008-02-15 00:11 407,680 --a------ C:\temp\aswclnr.exe
    2008-02-14 22:43 . 2008-02-17 15:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-02-14 22:27 . 2008-02-14 22:38 21,364,592 --a------ C:\temp\aaw2007.exe
    2008-02-14 22:22 . 2008-02-14 22:22 17,255,626 --a------ C:\temp\WinLicenseDemo.zip
    2008-02-14 12:41 . 2008-02-14 12:41 499,712 --a------ C:\WINDOWS\system32\ExSlider.dll
    2008-02-14 12:41 . 2008-02-14 12:41 203,488 --a------ C:\WINDOWS\system32\ExSlider.chm
    2008-02-14 12:40 . 2008-02-14 12:40 573,440 --a------ C:\WINDOWS\system32\ExStatusBar.dll
    2008-02-14 12:40 . 2008-02-14 12:40 436,674 --a------ C:\WINDOWS\system32\ExStatusBar.chm
    2008-02-14 12:39 . 2008-02-14 12:39 434,176 --a------ C:\WINDOWS\system32\ExThumbnail.dll
    2008-02-14 12:34 . 2008-02-14 12:34 331,776 --a------ C:\WINDOWS\system32\ExTexture.dll
    2008-02-14 12:34 . 2008-02-14 12:34 102,224 --a------ C:\WINDOWS\system32\ExTexture.chm
    2008-02-14 12:31 . 2008-02-14 12:31 172,032 --a------ C:\WINDOWS\system32\MaskEdit.dll
    2008-02-14 12:31 . 2008-02-14 12:31 53,672 --a------ C:\WINDOWS\system32\MaskEdit.chm
    2008-02-14 12:28 . 2008-02-14 12:28 <DIR> d-------- C:\Program Files\Copy of EXECryptor
    2008-02-13 14:50 . 2008-02-13 14:50 389,120 --a------ C:\WINDOWS\system32\ExCalc.dll
    2008-02-13 14:50 . 2008-02-13 14:50 84,478 --a------ C:\WINDOWS\system32\ExCalc.chm
    2008-02-13 14:42 . 2008-02-13 14:42 479,232 --a------ C:\WINDOWS\system32\ExRolList.dll
    2008-02-13 14:42 . 2008-02-13 14:42 210,902 --a------ C:\WINDOWS\system32\ExRolList.CHM
    2008-02-13 14:03 . 2008-02-13 14:03 225,280 --a------ C:\WINDOWS\system32\ExShellView.dll
    2008-02-13 14:03 . 2008-02-13 14:03 83,770 --a------ C:\WINDOWS\system32\ExShellView.chm
    2008-02-13 13:58 . 2008-02-13 13:58 397,312 --a------ C:\WINDOWS\system32\ExFolderView.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-02-24 09:24 --------- d-----w C:\Documents and Settings\Joakim\Application Data\VMware
    2008-02-23 22:58 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
    2008-02-23 02:48 --------- d-----w C:\Documents and Settings\Joakim\Application Data\uTorrent
    2008-02-22 08:01 --------- d-----w C:\Program Files\SpywareBlaster
    2008-02-20 01:00 --------- d-----w C:\Documents and Settings\NetworkService\Application Data\VMware
    2008-02-20 01:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\VMware
    2008-02-19 23:57 --------- d-----w C:\Program Files\SpywareGuard
    2008-02-18 14:03 --------- d-----w C:\Documents and Settings\Joakim\Application Data\Skype
    2008-02-17 23:36 --------- d-----w C:\Program Files\SpeedFan
    2008-02-17 22:19 --------- d-----w C:\Program Files\Java
    2008-02-17 20:01 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-02-17 17:54 --------- d-----w C:\Program Files\Lavasoft
    2008-02-16 20:50 --------- d-----w C:\Program Files\Windows Desktop Search
    2008-02-14 23:04 --------- d-----w C:\Program Files\WYSIWYG Web Builder 4.0
    2008-02-14 21:29 --------- d-----w C:\Documents and Settings\Joakim\Application Data\Lavasoft
    2008-02-14 11:41 --------- d-----w C:\Program Files\Exontrol
    2008-02-14 11:29 --------- d-----w C:\Program Files\EXECryptor
    2008-02-12 23:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
    2008-02-12 09:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
    2008-02-11 17:37 --------- d-----w C:\Program Files\MSDN
    2008-02-11 17:24 --------- d-----w C:\Program Files\Microsoft SQL Server
    2008-02-11 17:21 --------- d-----w C:\Program Files\Microsoft.NET
    2008-02-11 16:58 --------- d-----w C:\Program Files\Common Files\Merge Modules
    2008-02-11 16:53 --------- d-----w C:\Program Files\MSBuild
    2008-02-10 23:43 --------- d-----w C:\Program Files\FlashFXP
    2008-02-01 20:16 --------- d-----w C:\Program Files\TortoiseCVS
    2008-01-24 13:35 --------- d-----w C:\Program Files\WYSIWYG Web Builder 5
    2008-01-23 15:27 737,280 ----a-w C:\WINDOWS\iun6002.exe
    2008-01-23 12:11 --------- d-----w C:\Program Files\Effective Studios
    2008-01-10 19:29 --------- d-----w C:\Documents and Settings\Joakim\Application Data\vlc
    2008-01-04 22:28 --------- d-----w C:\Documents and Settings\Joakim\Application Data\VanDyke
    2008-01-03 22:10 --------- d-----w C:\Program Files\Skype
    2008-01-01 22:02 --------- d-----w C:\Program Files\TortoiseSVN
    2007-12-24 01:22 --------- d-----w C:\Documents and Settings\Joakim\Application Data\phpDesigner 2008
    2007-12-24 01:15 --------- d-----w C:\Program Files\phpDesigner 2008
    2007-05-01 15:12 79,245 ----a-w C:\Documents and Settings\Joakim\Application Data\unins000.dat
    2007-05-01 15:11 683,801 ----a-w C:\Documents and Settings\Joakim\Application Data\unins000.exe
    2007-08-26 00:41 23 --sha-w C:\WINDOWS\system32\abbdadee_r.dll
    .

  5. #25
    Member (joined Feb 2008; 47 posts)

    Part 2

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseSVN]
    @={30351346-7B7D-4FCC-81B4-1E394CA267EB}

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseSVN]
    @={30351347-7B7D-4FCC-81B4-1E394CA267EB}

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseSVN]
    @={30351348-7B7D-4FCC-81B4-1E394CA267EB}

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseSVN]
    @={3035134B-7B7D-4FCC-81B4-1E394CA267EB}

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseSVN]
    @={3035134C-7B7D-4FCC-81B4-1E394CA267EB}

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseSVN]
    @={3035134D-7B7D-4FCC-81B4-1E394CA267EB}

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseSVN]
    @={3035134E-7B7D-4FCC-81B4-1E394CA267EB}

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS0]
    @={5d1cb710-1c4b-11d4-bed5-005004b1f42f}

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS1]
    @={5d1cb711-1c4b-11d4-bed5-005004b1f42f}

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS2]
    @={5d1cb712-1c4b-11d4-bed5-005004b1f42f}

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS3]
    @={5d1cb713-1c4b-11d4-bed5-005004b1f42f}

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS4]
    @={5d1cb714-1c4b-11d4-bed5-005004b1f42f}

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS5]
    @={5d1cb715-1c4b-11d4-bed5-005004b1f42f}

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS6]
    @={5d1cb716-1c4b-11d4-bed5-005004b1f42f}

    [HKEY_CLASSES_ROOT\CLSID\{30351346-7B7D-4FCC-81B4-1E394CA267EB}]
    2007-12-21 21:53 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

    [HKEY_CLASSES_ROOT\CLSID\{30351347-7B7D-4FCC-81B4-1E394CA267EB}]
    2007-12-21 21:53 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

    [HKEY_CLASSES_ROOT\CLSID\{30351348-7B7D-4FCC-81B4-1E394CA267EB}]
    2007-12-21 21:53 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

    [HKEY_CLASSES_ROOT\CLSID\{3035134B-7B7D-4FCC-81B4-1E394CA267EB}]
    2007-12-21 21:53 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

    [HKEY_CLASSES_ROOT\CLSID\{3035134C-7B7D-4FCC-81B4-1E394CA267EB}]
    2007-12-21 21:53 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

    [HKEY_CLASSES_ROOT\CLSID\{3035134D-7B7D-4FCC-81B4-1E394CA267EB}]
    2007-12-21 21:53 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

    [HKEY_CLASSES_ROOT\CLSID\{3035134E-7B7D-4FCC-81B4-1E394CA267EB}]
    2007-12-21 21:53 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

    [HKEY_CLASSES_ROOT\CLSID\{5d1cb710-1c4b-11d4-bed5-005004b1f42f}]
    2007-12-02 22:00 1421312 --a------ C:\Program Files\TortoiseCVS\TortoiseShell.dll

    [HKEY_CLASSES_ROOT\CLSID\{5d1cb711-1c4b-11d4-bed5-005004b1f42f}]
    2007-12-02 22:00 1421312 --a------ C:\Program Files\TortoiseCVS\TortoiseShell.dll

    [HKEY_CLASSES_ROOT\CLSID\{5d1cb712-1c4b-11d4-bed5-005004b1f42f}]
    2007-12-02 22:00 1421312 --a------ C:\Program Files\TortoiseCVS\TortoiseShell.dll

    [HKEY_CLASSES_ROOT\CLSID\{5d1cb713-1c4b-11d4-bed5-005004b1f42f}]
    2007-12-02 22:00 1421312 --a------ C:\Program Files\TortoiseCVS\TortoiseShell.dll

    [HKEY_CLASSES_ROOT\CLSID\{5d1cb714-1c4b-11d4-bed5-005004b1f42f}]
    2007-12-02 22:00 1421312 --a------ C:\Program Files\TortoiseCVS\TortoiseShell.dll

    [HKEY_CLASSES_ROOT\CLSID\{5d1cb715-1c4b-11d4-bed5-005004b1f42f}]
    2007-12-02 22:00 1421312 --a------ C:\Program Files\TortoiseCVS\TortoiseShell.dll

    [HKEY_CLASSES_ROOT\CLSID\{5d1cb716-1c4b-11d4-bed5-005004b1f42f}]
    2007-12-02 22:00 1421312 --a------ C:\Program Files\TortoiseCVS\TortoiseShell.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:56 15360]
    "Registry"="C:\Program Files\Greatis\RegRunSuite\lsoon.exe" [2008-02-13 11:40 390656]
    "Regrun2"="C:\PROGRA~1\Greatis\REGRUN~1\WatchDog.exe" [2008-02-13 11:41 356864]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2003-05-29 16:28 790528]
    "vmware-tray"="C:\Program Files\VMware\VMware Workstation\vmware-tray.exe" [2007-05-01 21:52 68400]
    "VMware hqtray"="C:\Program Files\VMware\VMware Workstation\hqtray.exe" [2007-05-01 21:52 56112]
    "NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
    "RegRun WinBait"="C:\WINDOWS\winbait.exe" [2000-12-12 19:56 16384]
    "@RegRunOnSecure"="C:\PROGRA~1\Greatis\REGRUN~1\OnSecure.exe" [2003-01-22 11:03 57856]

    C:\Documents and Settings\Joakim\Start Menu\Programs\Startup\
    ERUNT AutoBackup.lnk.disabled [2008-02-23 02:57:40 767]
    SpeedFan.lnk.disabled [2006-03-04 16:49:13 682]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Acrobat Assistant.lnk.disabled [2006-02-03 00:05:49 1824]
    Dispatcher.lnk.disabled [2006-04-05 16:01:09 856]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{F552DDE6-2090-4bf4-B924-6141E87789A5}"= C:\Program Files\Greatis\RegRunSuite\RRShell.dll [2004-11-02 09:15 368711]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Authentication Packages REG_MULTI_SZ msv1_0 setuid

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "ATI Smart"=2 (0x2)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
    "VMware hqtray"="C:\Program Files\VMware\VMware Workstation\hqtray.exe"
    "vmware-tray"=C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
    "avast!"=C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "C:\\Program Files\\uTorrent\\uTorrent.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
    "AllowOutboundDestinationUnreachable"= 0 (0x0)

    R0 hotcore3;hotcore3;C:\WINDOWS\system32\drivers\hotcore3.sys [2007-03-07 12:27]
    S0 Partizan;Partizan;C:\WINDOWS\system32\drivers\Partizan.sys [2008-02-23 15:04]
    S2 SQLWriter;SQL Server VSS Writer;"c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2007-02-10 05:29]
    S2 tcaicchg;tcaicchg;C:\WINDOWS\System32\tcaicchg.sys [2000-06-06 11:08]
    S2 TCAITDI;TCAITDI Protocol;C:\WINDOWS\system32\DRIVERS\TCAITDI.sys [2001-09-04 04:22]
    S3 GTwinUSB;GTwinUSB;C:\WINDOWS\system32\Drivers\GTwinUSB.sys [2002-10-04 11:21]
    S3 LCcfltr;Logitech USB Filter Driver;C:\WINDOWS\system32\Drivers\LCcFltr.Sys [2004-03-03 08:50]
    S3 MBAMCatchMe;MBAMCatchMe;C:\Program Files\Malwarebytes' Anti-Malware\catchme.sys []
    S3 RegGuard;RegGuard;C:\WINDOWS\system32\Drivers\regguard.sys [2008-02-24 10:58]
    S3 VSPerfDrv90;Performance Tools Driver 9.0;C:\Program Files\Microsoft Visual Studio 9.0\Team Tools\Performance Tools\VSPerfDrv90.sys [2007-09-04 16:53]
    S4 msvsmon80;Visual Studio 2005 Remote Debugger;"C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" [2006-12-02 05:17]
    S4 msvsmon90;Visual Studio 2008 Remote Debugger;"C:\Program Files\Microsoft Visual Studio 9.0\Common7\IDE\Remote Debugger\x86\msvsmon.exe" [2007-11-07 08:58]

    .
    Contents of the 'Scheduled Tasks' folder
    "2008-02-17 15:06:35 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    "2008-02-17 15:06:24 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
    - C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-02-24 10:58:14
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
    .
    **************************************************************************
    .
    Completion time: 2008-02-24 11:05:41 - machine was rebooted
    ComboFix2.txt 2008-02-23 03:09:59
    ComboFix3.txt 2008-02-22 03:26:54
    ComboFix4.txt 2008-02-21 21:57:46
    ComboFix5.txt 2008-02-21 21:10:53
    .
    2008-02-12 23:25:53 --- E O F ---

  6. #26
    Member (joined Feb 2008; 47 posts)

    HJT log

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:33, on 2008-02-24
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16608)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O2 - BHO: Microsoft Web Test Recorder 9.0 Helper - {E31CE47F-C268-41ba-897B-B415E613947D} - C:\Program Files\Microsoft Visual Studio 9.0\Common7\IDE\PrivateAssemblies\Microsoft.VisualStudio.QualityTools.RecorderBarBHO90.dll
    O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    O4 - HKLM\..\Run: [vmware-tray] C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
    O4 - HKLM\..\Run: [VMware hqtray] "C:\Program Files\VMware\VMware Workstation\hqtray.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [RegRun WinBait] C:\WINDOWS\winbait.exe
    O4 - HKLM\..\Run: [@RegRunOnSecure] C:\PROGRA~1\Greatis\REGRUN~1\OnSecure.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Registry] "C:\Program Files\Greatis\RegRunSuite\lsoon.exe" -1 30 "C:\Program Files\Greatis\RegRunSuite\rescue.exe" /a "J:\backreg\rstore.ini"
    O4 - HKCU\..\Run: [Regrun2] C:\PROGRA~1\Greatis\REGRUN~1\WatchDog.exe
    O4 - Startup: ERUNT AutoBackup.lnk.disabled
    O4 - Startup: SpeedFan.lnk.disabled
    O4 - Global Startup: Acrobat Assistant.lnk.disabled
    O4 - Global Startup: Dispatcher.lnk.disabled
    O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O15 - Trusted Zone: *.astrocalc.com
    O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
    O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...lscbase370.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1189011463281
    O17 - HKLM\System\CCS\Services\Tcpip\..\{AB6B7C91-5A89-46B0-83B7-4A6328408ED3}: NameServer = 213.226.224.12,213.226.224.66
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Paradigma Software\Bonjour\mDNSResponder.exe
    O23 - Service: CVSNT Locking Service 2.5.03.2382 (cvslock) - Unknown owner - C:\Program Files\CVSNT\cvslock.exe
    O23 - Service: CVSNT Dispatch service 2.5.03.2382 (cvsnt) - March Hare Software Ltd - C:\Program Files\CVSNT\cvsservice.exe
    O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
    O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

    --
    End of file - 7426 bytes
    Life on Earth is expensive but it includes a free trip around the Sun every year.

  7. #27
    Security Expert-Emeritus steamwiz's Avatar
    Join Date
    Dec 2005
    Location
    Yorkshire. U.K.
    Posts
    1,313

    Default

    Hi

    Quote Originally Posted by yettyn View Post
    There are more registry values I have found, though, that get recreated, basically variants of some from that other case (which I have been too busy with logs to look at fully yet). Do you want me to export these as well?
    Post them please ...

    Quote Originally Posted by yettyn View Post
    Ok here are fresh CF and HJT logs, CF first and then HJT. Regrun also produced some interesting logs as well which you might be interested in looking at, including a boot log and others I think - but it's quite a lot of data so maybe you don't want me to post it here?
    Yes please ... post it all ... if there's nothing you don't want posted on open forum in it.

    I'll have a look through it, & others may want to as well...

    Can you run a new KAV scan as well please ... no need to post any of the log if it's clean ... if not just post the infected lines ...

    As it's Sunday I won't be on-line all day, but I'll keep checking back whenever I get the chance

    thanks

    steam
    MICROSOFT MVP - Security 2004/9 .member of ASAP since 2004 - member of U.N.I.T.E

  8. #28
    Member
    Join Date
    Feb 2008
    Posts
    47

    Default

    I will run a KAV, but last time it took 20 hours; it might have been due to the infection, although I do have a big system

    As you said, it's Sunday. I have written a separate report I will post next, then I will come with more logs later. But now my girlfriend will kill me if I don't get out with her
    Life on Earth is expensive but it includes a free trip around the Sun every year.

  9. #29
    Member
    Join Date
    Feb 2008
    Posts
    47

    Default Removal report

    Some tidying-up comments about the removal. There were actually 2 identical infectors to remove, the one that popped up the "select file" dialog, which I assume is the original of the dropped copy, and the backup I believe. As I never let it bloom into a full-blown infection I am not sure about the later behaviour here though. It seems, though, that initially the parent infector that was run picked my display driver's control util to replace. I cannot tell for sure, but I rebooted a few times before I got a hunch that the ATI dll had a take in the party and I was not able to track more than 1 extra copy of the trigger. My belief is that it simply checks if it has a sibling and if not picks a new one, on boot.

    Your pointer to that other thread was very helpful to figure out the final link in the regeneration, that it copied itself into another startup file and took its place. I had the rest figured out and eventually I may have come to that discovery as well, but heck why wait ;-) thanks a lot.

    The actual blocking and then removal was only possible with the help of IceSword and RegRun. Initially it didn't allow IceSword to run and it was RegRun that really caught it in the first place, even if it wasn't able to eliminate it fully on its own. Only with IceSword was I able to kill the hooked dialog process, but I am mighty impressed by RegRun and possibly I am just too new and unfamiliar with this tool to use its full potential. I ran the free, somewhat limited version first, which led me onto the track, while Spybot and ComboFix just went round in circles. These are great tools though, not to be mistaken about that, but it was after I installed RegRun 5.7 Platinum for a 30-day trial that I started to get somewhere with it and I will definitely buy this tool after my trial (or even sooner)!

    So while the computer was hanging on the file select dialog, I killed with IceSword first the backup file process and then the file process hooking the dialog. Now the thing is, and I don't know if this is a coincidence or not, but the backup process was actually RegRun's watchdog.exe file which seems to have slipped through. I found the backup by making a system-wide search for files of about the same size. There were several files with the same size, but the backup can be separated out as it has the same green icon. I tested all these same-size files at jotti's and the others were clean although they may as well just be empty corpses - I can't really tell as I have run just the minimal since the first incident, so at this point I actually don't know how much damage has been done. Valuable to know as well is that at jotti, only AVG and VBA32 were able to flag the original infector, the very first exe file that ran. Apart from these 2, also Ikarus and Cprotect (I think it's called) flagged the dropped copy as infected. At viruscontrol, also Avira flagged the original infector (although not at jotti, same file uploaded).

    As for Regrun's watchguard, I expanded the setup file and copied a fresh watchguard.exe into RegRun's program dir and then simply double clicked to start it and it seemed to take up its duties again ;-) this might be a very important step, in case the original watchdog.exe is lost to the bug as we will see soon.

    After that I cleaned up all known places in the registry with IceSword, meanwhile Regrun watched everything in the background and let me decide what to allow and not. When done I used "Reboot and Monitor" in IceSword and now comes the next surprise, as when booting up RegRun flagged a driver file infected with Almanahe.D and had me kill it on a new reboot. Whether this was a part of the initial infection is hard for me to tell, but I assume with all the different scans I have done the last days (6-7 online scans, and several local scans with Avast and 3-4 other well-known anti-malware scanners I downloaded and tested) it would have been found earlier. Well, it makes sense that Regrun caught it now but not 10 minutes earlier ;-)

    Ok so far so good, I think my computer is "safe" for now but the damage needs to be evaluated, I know there are some faults with registry keys. But it's a nice sunny Sunday, so I will close down all systems and go for a long refreshing walk, also cleaning out my thoughts ;-) and we can start the next phase tonight or maybe tomorrow. Just let me know if there is something special you want me to do?

    Btw, when running ComboFix I disabled Regrun but missed the RegGuard, but it seems to have interacted with CF in a nice way and let it run after my approval. Before that I actually did disable regguard from that dialog. On reboot Regrun took control again and flagged CF at an early stage. I clicked to add it to the ignore list and then selected it as a false positive, and Regrun then flagged to reboot to "disinfect". Maybe a bad choice of wording in this scenario when there is nothing bad to deal with, but I guess the reboot is necessary. So reboot, and Regrun left ComboFix alone to do its job and I think it all came out well. They both functioned with excellence here!

    I am not affiliated in any way, but I feel like saying it again, I strongly recommend RegRun. There is a free functional version with some non-functional parts; it helped me at the very first stage. At that stage I was suspicious about anything, especially if it had an installer, so I didn't try the fully functional setup then. But now I would recommend that one as although it brings a minor cost after the free 30 days, it's pennies compared with all it can save you from later on! And it isn't really expensive either ;-) and again, I understand this almost sounds like advertising but I'd like to stress that I am not affiliated in any way - just a very happy user as I realize this could have ended in a horror.
    Life on Earth is expensive but it includes a free trip around the Sun every year.

  10. #30
    Security Expert-Emeritus steamwiz's Avatar
    Join Date
    Dec 2005
    Location
    Yorkshire. U.K.
    Posts
    1,313

    Default

    Hi

    Thank you for the write-up/report, I'm sure it will help many people.

    Normally I'd be telling you what to delete to clean up now, but I think you are more than capable of deciding for yourself ...

    The file you uploaded for me was 0 bytes ... can you upload it again please...

    2008-02-14 22:22 . 2008-02-14 22:22 17,255,626 --a------ C:\temp\WinLicenseDemo.zip < is this it ?

    2008-02-22 11:51 . 2008-02-22 11:55 <DIR> d-------- C:\WinLicense <<< is this your legit version ?

    2008-02-15 00:12 . 2008-02-15 00:11 407,680 --a------ C:\temp\aswclnr.exe < avast! Virus Cleaner Tool - The latest version is 1.0.211, built on 11.5.2007. Size: 398 KB ... 407,680 is a little on the large side - check it out or delete it.

    These look like legit setup files you have saved in the temp folder. Saving files in a temp folder is a good way to lose them, many cleanup programs delete all files in temp folders... if you want to keep these - move them somewhere more permanent.

    2008-02-18 00:53 . 2008-02-18 00:53 2,062,665 --a------ C:\temp\spywareguardsetup.exe
    2008-02-18 00:42 . 2008-02-18 00:43 2,566,736 --a------ C:\temp\spywareblastersetup351.exe
    2008-02-17 23:14 . 2008-02-17 23:13 15,852,952 --a------ C:\temp\jre-6u4-windows-i586-p.exe.exe
    2008-02-14 22:27 . 2008-02-14 22:38 21,364,592 --a------ C:\temp\aaw2007.exe

    2007-08-26 00:41 23 --sha-w C:\WINDOWS\system32\abbdadee_r.dll < delete this

    This key also needs to be reset :-

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Authentication Packages REG_MULTI_SZ msv1_0 setuid

    To :-

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
    "Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

    A reg file like this will do it :-

    ====
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
    "Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

    ====

    a couple of other things ...

    1. You mentioned the registry keys you saw were not quite the same as in the write-up I pointed you to ... would you post the registry keys you are referring to please...

    2. This infection disabled safemode, but you appear to have it back OK ?

    If you are having any problems with that, please run Safeboot repair by sUBs:
    http://download.bleepingcomputer.com...tKeyRepair.exe

    I think that's it...

    steam
    MICROSOFT MVP - Security 2004/9 .member of ASAP since 2004 - member of U.N.I.T.E
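    The "Authentication Packages" value discussed in the post above is a REG_MULTI_SZ list of DLLs that LSA loads at boot, so an unexpected entry (here "setuid") is a persistence point worth checking on any machine being cleaned. As an added example that is not part of this thread, the Python below parses an exported .reg file, decodes the hex(7) blob into its strings, compares them against an allow-list, and emits a corrected hex(7) line. The sample .reg text is constructed for the example; the allow-list of just msv1_0 is an assumption (a stock XP box), and regedit stores string data in hex() blobs as UTF-16LE under the "Windows Registry Editor Version 5.00" header and as ANSI bytes under REGEDIT4, which the code honours when choosing the codec.

```python
"""
Added example (not from the thread): decode/encode REG_MULTI_SZ 'hex(7):'
values from a .reg export and check the LSA 'Authentication Packages' list.
"""
import re
from typing import Optional

LSA_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
VALUE_NAME = "Authentication Packages"

# Assumption for this example: a stock Windows XP LSA only lists msv1_0.
EXPECTED_AUTH_PACKAGES = {"msv1_0"}

# Constructed sample: the LSA key in an infected state, exported by regedit
# (Version 5.00 header, so the bytes are UTF-16LE). Long values are wrapped
# with a trailing backslash and continued on the next line, as regedit does.
SAMPLE_INFECTED_REG = (
    "Windows Registry Editor Version 5.00\r\n"
    "\r\n"
    f"[{LSA_KEY}]\r\n"
    '"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,73,00,65,00,\\\r\n'
    "  74,00,75,00,69,00,64,00,00,00,00,00\r\n"
)


def string_encoding(reg_text: str) -> str:
    """Pick the codec for hex() string data from the .reg header line."""
    header = reg_text.lstrip("\ufeff").splitlines()[0].strip()
    if header.startswith("Windows Registry Editor Version 5.00"):
        return "utf-16-le"
    # REGEDIT4 files carry ANSI bytes; cp1252 stands in for the system code page.
    return "cp1252"


def read_value(reg_text: str, key: str, name: str) -> Optional[str]:
    """Return the raw right-hand side of `name` under `key`, or None if absent."""
    # Re-join lines that regedit wrapped with a trailing backslash.
    joined = re.sub(r"\\\r?\n\s*", "", reg_text)
    in_key = False
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].lower() == key.lower()
            continue
        if in_key and line.startswith(f'"{name}"='):
            return line[len(name) + 3:]
    return None


def decode_hex7(rhs: str, encoding: str) -> list:
    """Decode 'hex(7):aa,bb,...' (REG_MULTI_SZ) into its list of strings."""
    m = re.fullmatch(r"hex\(7\):([0-9a-fA-F,\s]*)", rhs.strip())
    if not m:
        raise ValueError(f"not a hex(7) value: {rhs!r}")
    raw = bytes(int(b, 16) for b in m.group(1).replace(" ", "").split(",") if b)
    # REG_MULTI_SZ: NUL-separated strings, terminated by an empty string (double NUL).
    return [s for s in raw.decode(encoding).split("\x00") if s]


def encode_hex7(strings: list, encoding: str) -> str:
    """Encode a list of strings as a 'hex(7):' REG_MULTI_SZ blob for a .reg file."""
    raw = ("\x00".join(strings) + "\x00\x00").encode(encoding)
    return "hex(7):" + ",".join(f"{b:02x}" for b in raw)


def check_auth_packages(reg_text: str) -> dict:
    """List the configured authentication packages and flag any not on the allow-list."""
    enc = string_encoding(reg_text)
    rhs = read_value(reg_text, LSA_KEY, VALUE_NAME)
    if rhs is None:
        raise ValueError(f"{VALUE_NAME!r} not present in export")
    packages = decode_hex7(rhs, enc)
    unexpected = [p for p in packages if p.lower() not in EXPECTED_AUTH_PACKAGES]
    fix_line = f'"{VALUE_NAME}"=' + encode_hex7(sorted(EXPECTED_AUTH_PACKAGES), enc)
    return {"packages": packages, "unexpected": unexpected, "fix_line": fix_line}


def build_fix_reg(packages: list) -> str:
    """Build a Version 5.00 .reg file that resets the list to exactly `packages`."""
    return (
        "Windows Registry Editor Version 5.00\r\n\r\n"
        f"[{LSA_KEY}]\r\n"
        f'"{VALUE_NAME}"={encode_hex7(packages, "utf-16-le")}\r\n'
    )


if __name__ == "__main__":
    report = check_auth_packages(SAMPLE_INFECTED_REG)
    print("configured:", report["packages"])
    print("unexpected:", report["unexpected"])
    print(build_fix_reg(sorted(EXPECTED_AUTH_PACKAGES)))
```

    Run against a real export (regedit, right-click the Lsa key, Export), the report shows every package LSA will load at the next boot; anything outside the allow-list deserves the same "look it up, then delete" treatment the post gives the stray dll, and the generated .reg file round-trips through the same checker so you can confirm the reset before importing it.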
