
Thread: need help w/ hard to kill trojan

  1. #1
    Member
    Join Date
    Feb 2008
    Posts
    47

    Default need help w/ hard to kill trojan

    Hi, find HJT and KOS logs below, and I have taken all the steps given in sticky post

    I need help to complete and clean up a partly successful struggle with a nasty trojan that has bothered me since Friday night. I think it was some kind of Bagle that suddenly made me sober, as it blocked my avast and Ad-Aware programs, loaded some srosa.sys driver, and created a dir named down in system32 populated with exe files with numbers as file names. It also created and started the files winterm.exe and hldrrr.exe, and apart from this it was not possible to run HJT or reboot into safe mode (the computer just rebooted).

    To make a long story short, I am a geek and tried to fix this on my own (which I of course shouldn't have done, wiser now), running different online scanners which detected this and led me on track but of course asked for my money before fixing it, but I finally came across ComboFix which at first seemed to have fixed it.

    Then I found Spybot which alerted me that I was infected with Win32.Agent.bgy and Win32.Bagle.hi, and although I cleaned them out in Safe Mode, ran Spybot again when booting into normal mode and came up clean, I then get an error message saying "[256] Detected debugger running, please close etc" which goes away by itself, and when I then run Spybot again after the system has completed booting the same Agent.bgy and Bagle.hi are detected. I looked around and have figured out that the trojan maybe was wrapped with Thimidia or something like that.

    Anyhow, here are my logs as I stand now. Spybot is still open w/o fixing detected infections and same with HJT.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 13:24:36, on 19/02/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16608)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Paradigma Software\Bonjour\mDNSResponder.exe
    C:\Program Files\CVSNT\cvslock.exe
    C:\Program Files\CVSNT\cvsservice.exe
    C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
    C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
    C:\WINDOWS\system32\vmnat.exe
    C:\WINDOWS\system32\vmnetdhcp.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
    C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
    C:\Program Files\VMware\VMware Workstation\hqtray.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O2 - BHO: (no name) - {E24AD748-155E-4254-B674-4EDF86E7E1DF} - (no file)
    O2 - BHO: Microsoft Web Test Recorder 9.0 Helper - {E31CE47F-C268-41ba-897B-B415E613947D} - C:\Program Files\Microsoft Visual Studio 9.0\Common7\IDE\PrivateAssemblies\Microsoft.VisualStudio.QualityTools.RecorderBarBHO90.dll
    O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    O4 - HKLM\..\Run: [vmware-tray] C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
    O4 - HKLM\..\Run: [VMware hqtray] "C:\Program Files\VMware\VMware Workstation\hqtray.exe"
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Startup: SpeedFan.lnk.disabled
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Acrobat Assistant.lnk.disabled
    O4 - Global Startup: Dispatcher.lnk.disabled
    O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe (file missing)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: *.astrocalc.com
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1189011463281
    O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
    O17 - HKLM\System\CCS\Services\Tcpip\..\{AB6B7C91-5A89-46B0-83B7-4A6328408ED3}: NameServer = 213.226.224.12,213.226.224.66
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Paradigma Software\Bonjour\mDNSResponder.exe
    O23 - Service: CVSNT Locking Service 2.5.03.2382 (cvslock) - Unknown owner - C:\Program Files\CVSNT\cvslock.exe
    O23 - Service: CVSNT Dispatch service 2.5.03.2382 (cvsnt) - March Hare Software Ltd - C:\Program Files\CVSNT\cvsservice.exe
    O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
    O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-ufad.exe
    O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
    O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
    O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
    O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe

    --
    End of file - 9655 bytes

    The virus scan took almost freaking 20h and the report is massive, so I cleaned out all except the detected infections.

    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Tuesday, February 19, 2008 10:54:31 AM
    Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 18/02/2008
    Kaspersky Anti-Virus database records: 570665
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    A:\
    C:\
    H:\
    J:\

    Scan Statistics:
    Total number of scanned objects: 586273
    Number of viruses found: 6
    Number of infected objects: 15
    Number of suspicious objects: 0
    Duration of the scan process: 19:56:09

    Infected Object Name / Virus Name / Last Action
    ...
    C:\Documents and Settings\Joakim\My Documents\Downloads\Stardock SkinStudio Professional\SkinStudio5_Pro.exe/data0000.cab/devenv.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.ks skipped
    C:\Documents and Settings\Joakim\My Documents\Downloads\Stardock SkinStudio Professional \SkinStudio5_Pro.exe/data0000.cab Infected: not-a-virus:AdWare.Win32.Virtumonde.ks skipped
    C:\Documents and Settings\Joakim\My Documents\Downloads\Stardock SkinStudio Professional\SkinStudio5_Pro.exe Rsrc-Package: infected - 2 skipped
    C:\Old F\dl\SQLDiff\digf287a.zip/runme.zip/runme.exe Infected: Trojan.Win32.Dialer.oi skipped
    C:\Old F\dl\SQLDiff\digf287a.zip/runme.zip Infected: Trojan.Win32.Dialer.oi skipped
    C:\Old F\dl\SQLDiff\digf287a.zip ZIP: infected - 2 skipped
    C:\Old G\dlfiles\flashget\fgf140.exe/WISE0018.BIN/cd_clint.dll Infected: not-a-virus:AdWare.Win32.Cydoor skipped
    C:\Old G\dlfiles\flashget\fgf140.exe/WISE0018.BIN Infected: not-a-virus:AdWare.Win32.Cydoor skipped
    C:\Old G\dlfiles\flashget\fgf140.exe WiseSFX: infected - 2 skipped
    C:\Old G\dlfiles\MailThem\igmsetup.exe/AJJ.EXE Infected: not-a-virus:AdWare.Win32.Aureate.d skipped
    C:\Old G\dlfiles\MailThem\igmsetup.exe ZIP: infected - 1 skipped
    C:\Old G\dlfiles\MailThem\igmsetup.exe WiseSFXDropper: infected - 1 skipped
    C:\reggapps\Unisuite\hz-utx01.exe/run.exe Infected: Trojan-Downloader.Win32.Harnig.bg skipped
    C:\reggapps\Unisuite\hz-utx01.exe ZIP: infected - 1 skipped
    C:\WINDOWS\system32\drivers\SROSA.SYS.del Infected: Trojan-Downloader.Win32.Bagle.iw skipped
    ...
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped

    Scan process completed.

    Now I touch nothing before I get instructions

  2. #2
    Security Expert-Emeritus steamwiz's Avatar
    Join Date
    Dec 2005
    Location
    Yorkshire. U.K.
    Posts
    1,313

    Default

    HI

    Hijackthis only has a couple of orphan reg keys to remove:-

    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: (no name) - {E24AD748-155E-4254-B674-4EDF86E7E1DF} - (no file)

    Do you really need this in your trusted sites ?

    O15 - Trusted Zone: *.astrocalc.com

    You do realise that putting any site in here is like giving a stranger the keys to your house, it can run anything on your computer without informing you.

    RE: KAV scan log ....

    It looks like you have been downloading cracked programs; these nearly always come with a "little extra"

    C:\Documents and Settings\Joakim\My Documents\Downloads\Stardock SkinStudio Professional\SkinStudio5_Pro.exe ... Infected with AdWare.Win32.Virtumonde.ks

    -
    C:\Old F\dl\SQLDiff\digf287a.zip/runme.zip/runme.exe Infected: Trojan.Win32.Dialer.oi skipped
    C:\Old F\dl\SQLDiff\digf287a.zip/runme.zip Infected: Trojan.Win32.Dialer.oi skipped

    This could be a legit dialer ... or a porn dialer ... if you don't know what it is, get the file checked out here :-

    http://www.virustotal.com/flash/index_en.html

    or just delete it.

    -
    C:\Old G\dlfiles\flashget\fgf140.exe

    AdWare.Win32.Cydoor ... more adware - delete it

    -
    C:\Old G\dlfiles\MailThem\igmsetup.exe

    & more to delete ... Win32.Aureate.d

    -
    C:\reggapps\Unisuite\hz-utx01.exe

    Trojan-Downloader.Win32.Harnig.bg .. delete

    -
    C:\WINDOWS\system32\drivers\SROSA.SYS.del ... Infected: Trojan-Downloader.Win32.Bagle.iw skipped

    delete this ...

    -------
    Run spybot again & post the log ...

    THEN ...

    Please follow these instructions for running Combofix:

    http://www.bleepingcomputer.com/comb...o-use-combofix

    1. When finished, it will produce a logfile located at C:\ComboFix.txt.
    2. Post the contents of that log in your next reply with a new hijackthis log.

    Notes:
    * Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang.
    * Disable script blocking if you have NAV installed so it will not interfere with the fix. Trojan Hunter has been reported to detect combofix as Worm.Qiv.100.

    Please remember to post :-


    1. Spybot log
    2. C:\ComboFix.txt


    steam
    MICROSOFT MVP - Security 2004/9 .member of ASAP since 2004 - member of U.N.I.T.E
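
The reply above picks out three kinds of HijackThis lines by eye: O2 BHO entries ending in "(no file)", O9 buttons whose file is missing, and anything in O15 (Trusted Zone). Below is a small triage script that does the same first pass over a log, added here as an example; it is not part of the thread, not from HijackThis, and the sample lines are constructed from the entries quoted above rather than a full log. The O23 "Unknown owner" check is an extra assumption of this script (a service with no publisher is not malicious by itself, but it is the kind of line a helper verifies next).

```python
import re

# Constructed sample input: a few lines in the HijackThis R/O section format,
# modelled on the entries the reply above singles out (not a full log).
SAMPLE_HJT = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = about:blank
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\\PROGRA~1\\SPYBOT~1\\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {E24AD748-155E-4254-B674-4EDF86E7E1DF} - (no file)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\\WINDOWS\\bdoscandel.exe (file missing)
O15 - Trusted Zone: *.astrocalc.com
O23 - Service: ATI Smart - Unknown owner - C:\\WINDOWS\\system32\\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\\Program Files\\Alwil Software\\Avast4\\ashServ.exe
"""

# Every HijackThis finding starts with a section tag (R0, O2, O23, ...) followed by " - ".
ENTRY_RE = re.compile(r"^([RO]\d+) - (.*)$")


def parse_hjt(text):
    """Return (section, body) tuples for the tagged lines of a HijackThis log.

    Untagged lines (the process list, header, 'End of file') are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def triage(entries):
    """Flag the entry types a helper reads first; returns (reason, section, body) tuples."""
    findings = []
    for section, body in entries:
        if section == "O2" and body.endswith("(no file)"):
            findings.append(("orphaned BHO registry key, safe to remove", section, body))
        elif section == "O9" and body.endswith("(file missing)"):
            findings.append(("orphaned IE button/menu entry", section, body))
        elif section == "O15":
            findings.append(("site granted Trusted Zone privileges, review", section, body))
        elif section == "O23" and " - Unknown owner - " in body:
            # Assumption of this script: unknown-owner services get a manual look.
            findings.append(("service without publisher info, verify the binary", section, body))
    return findings


if __name__ == "__main__":
    for reason, section, body in triage(parse_hjt(SAMPLE_HJT)):
        print(f"[{section}] {reason}: {body}")
```

Run against the sample it lists the two orphan BHOs, the missing BitDefender uninstall button, the astrocalc.com Trusted Zone entry and the ATI service; the avast line passes because its publisher is filled in. Paste a real HijackThis log into `SAMPLE_HJT` (or read it from a file) to use it on a log of your own.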

  3. #3
    Member
    Join Date
    Feb 2008
    Posts
    47

    Thumbs up

    Thanks for finally coming to my assistance, I was just about to enter the waiting room ;-)

    I will do as you said... but first, it's correct I have downloaded cracked programs, but it's not quite how it looks... can I PM you with some details I don't like to be publicly visible, which also would help to solve this case?

    /Y

  4. #4
    Security Expert-Emeritus steamwiz's Avatar
    Join Date
    Dec 2005
    Location
    Yorkshire. U.K.
    Posts
    1,313

    Default

    Quote Originally Posted by yettyn View Post
    Thanks for finally coming to my assistance, I was just about to enter the waiting room ;-)

    I will do as you said... but first, it's correct I have downloaded cracked programs, but it's not quite how it looks... can I PM you with some details I don't like to be publicly visible, which also would help to solve this case?

    /Y
    Sorry for the delay, I've just been working on the older posts, everyone who posted more than 4 days ago has now received a reply I'm happy to say

    Sure Please feel free to send me a PM

    steam
    MICROSOFT MVP - Security 2004/9 .member of ASAP since 2004 - member of U.N.I.T.E

  5. #5
    Member
    Join Date
    Feb 2008
    Posts
    47

    Thumbs up

    All virus junk was deleted right away, in fact it was mostly old stuff taking up HDD space anyway - I must get myself a smaller HDD to become less lazy. I am pretty sure my infection didn't come from there anyhow as I know where and when I got it. My Avast was taken by surprise, but in fact only 2 of 32 scanners at Jotti and viruscontrol did catch it when I sent up the infecting file.

    As I said in my PM, I became a bit too restless after waiting for 2 days and took some steps to gather more information, both regarding the threat and what was going on inside my computer. Like, I have run Spybot several times and it basically goes around in circles. So I post several logs to give you proper information, basically the very first one and the last.

    I have cleaned out tracking cookies, and also the item Partizan below I am pretty sure is a false positive, as it belongs to RegRun which I at least think is a legitimate malware program?

    17.02.2008 22:02:33 - ##### check started #####
    17.02.2008 22:02:33 - ### Version: 1.5.2
    17.02.2008 22:02:33 - ### Date: 17/02/2008 22:02:33
    17.02.2008 22:02:34 - ##### checking bots #####
    17.02.2008 22:10:20 - found: Microsoft.WindowsSecurityCenter.AntiVirusOverride Settings
    17.02.2008 22:17:01 - found: Win32.Agent.bgy Settings
    17.02.2008 22:17:11 - found: Win32.Bagle.hi Settings
    17.02.2008 22:17:11 - found: Win32.Bagle.hi Program directory
    17.02.2008 22:17:48 - found: Win32.VB.jl Settings
    17.02.2008 22:17:49 - found: Win32.VB.jl Settings
    17.02.2008 22:21:57 - ##### check finished #####


    --- Report generated: 2008-02-17 22:21 ---

    Microsoft.WindowsSecurityCenter.AntiVirusOverride: [SBI $3604910C] Settings (Registry change, nothing done)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride

    Win32.Agent.bgy: [SBI $3FF5579E] Settings (Registry key, nothing done)
    HKEY_USERS\S-1-5-21-1482476501-507921405-725345543-1003\Software\FirstRRRun

    Win32.Bagle.hi: [SBI $FF44CCD9] Settings (Registry key, nothing done)
    HKEY_USERS\S-1-5-21-1482476501-507921405-725345543-1003\Software\ts

    Win32.Bagle.hi: [SBI $37536BC2] Program directory (Directory, nothing done)
    C:\WINDOWS\system32\drivers\down\

    Win32.VB.jl: [SBI $4A7DE52E] Settings (Registry key, nothing done)
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Partizan

    Win32.VB.jl: [SBI $3C98DC13] Settings (Registry key, nothing done)
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Partizan


    --- Spybot - Search & Destroy version: 1.5.2 (build: 20080128) ---

    2008-01-28 blindman.exe (1.0.0.7)
    2008-01-28 SDDelFile.exe (1.0.2.4)
    2008-01-28 SDMain.exe (1.0.0.5)
    2007-10-07 SDShred.exe (1.0.1.2)
    2008-01-28 SDUpdate.exe (1.0.8.8)
    2008-01-28 SDWinSec.exe (1.0.0.11)
    2008-01-28 SpybotSD.exe (1.5.2.20)
    2008-01-28 TeaTimer.exe (1.5.2.16)
    2008-02-17 unins000.exe (51.49.0.0)
    2008-01-28 Update.exe (1.4.0.6)
    2008-01-28 advcheck.dll (1.5.4.5)
    2007-04-02 aports.dll (2.1.0.0)
    2007-11-17 DelZip179.dll (1.79.7.4)
    2008-01-28 SDFiles.dll (1.5.1.19)
    2008-01-28 SDHelper.dll (1.5.0.11)
    2008-01-28 Tools.dll (2.1.3.3)
    2008-02-13 Includes\Cookies.sbi (*)
    2007-12-26 Includes\Dialer.sbi (*)
    2008-02-13 Includes\DialerC.sbi (*)
    2008-02-13 Includes\HeavyDuty.sbi (*)
    2008-02-13 Includes\Hijackers.sbi (*)
    2008-02-13 Includes\HijackersC.sbi (*)
    2008-02-13 Includes\Keyloggers.sbi (*)
    2008-02-13 Includes\KeyloggersC.sbi (*)
    2004-11-29 Includes\LSP.sbi (*)
    2008-02-13 Includes\Malware.sbi (*)
    2008-02-13 Includes\MalwareC.sbi (*)
    2007-10-24 Includes\PUPS.sbi (*)
    2008-02-13 Includes\PUPSC.sbi (*)
    2008-02-13 Includes\Revision.sbi (*)
    2008-01-09 Includes\Security.sbi (*)
    2008-02-13 Includes\SecurityC.sbi (*)
    2008-02-13 Includes\Spybots.sbi (*)
    2008-02-13 Includes\SpybotsC.sbi (*)
    2007-11-06 Includes\Tracks.uti
    2008-02-13 Includes\Trojans.sbi (*)
    2008-02-13 Includes\TrojansC.sbi (*)
    2007-12-24 Plugins\TCPIPAddress.dll

    This first pass was done in safe mode I think, then booted normal and run again to get this:

    17.02.2008 22:34:16 - ##### check started #####
    17.02.2008 22:34:16 - ### Version: 1.5.2
    17.02.2008 22:34:16 - ### Date: 17/02/2008 22:34:16
    17.02.2008 22:34:17 - ##### checking bots #####
    17.02.2008 22:47:10 - found: Win32.Agent.bgy Settings
    17.02.2008 22:47:19 - found: Win32.Bagle.hi Program directory
    17.02.2008 22:51:53 - ##### check finished #####

    --- Report generated: 2008-02-17 22:53 ---

    Win32.Agent.bgy: [SBI $3FF5579E] Settings (Registry key, fixed)
    HKEY_USERS\S-1-5-21-1482476501-507921405-725345543-1003\Software\FirstRRRun

    Win32.Bagle.hi: [SBI $37536BC2] Program directory (Directory, fixed)
    C:\WINDOWS\system32\drivers\down\


    --- Spybot - Search & Destroy version: 1.5.2 (build: 20080128) ---

    2008-01-28 blindman.exe (1.0.0.7)
    2008-01-28 SDDelFile.exe (1.0.2.4)
    2008-01-28 SDMain.exe (1.0.0.5)
    2007-10-07 SDShred.exe (1.0.1.2)
    2008-01-28 SDUpdate.exe (1.0.8.8)
    2008-01-28 SDWinSec.exe (1.0.0.11)
    2008-01-28 SpybotSD.exe (1.5.2.20)
    2008-01-28 TeaTimer.exe (1.5.2.16)
    2008-02-17 unins000.exe (51.49.0.0)
    2008-01-28 Update.exe (1.4.0.6)
    2008-01-28 advcheck.dll (1.5.4.5)
    2007-04-02 aports.dll (2.1.0.0)
    2007-11-17 DelZip179.dll (1.79.7.4)
    2008-01-28 SDFiles.dll (1.5.1.19)
    2008-01-28 SDHelper.dll (1.5.0.11)
    2008-01-28 Tools.dll (2.1.3.3)
    2008-02-13 Includes\Cookies.sbi (*)
    2007-12-26 Includes\Dialer.sbi (*)
    2008-02-13 Includes\DialerC.sbi (*)
    2008-02-13 Includes\HeavyDuty.sbi (*)
    2008-02-13 Includes\Hijackers.sbi (*)
    2008-02-13 Includes\HijackersC.sbi (*)
    2008-02-13 Includes\Keyloggers.sbi (*)
    2008-02-13 Includes\KeyloggersC.sbi (*)
    2004-11-29 Includes\LSP.sbi (*)
    2008-02-13 Includes\Malware.sbi (*)
    2008-02-13 Includes\MalwareC.sbi (*)
    2007-10-24 Includes\PUPS.sbi (*)
    2008-02-13 Includes\PUPSC.sbi (*)
    2008-02-13 Includes\Revision.sbi (*)
    2008-01-09 Includes\Security.sbi (*)
    2008-02-13 Includes\SecurityC.sbi (*)
    2008-02-13 Includes\Spybots.sbi (*)
    2008-02-13 Includes\SpybotsC.sbi (*)
    2007-11-06 Includes\Tracks.uti
    2008-02-13 Includes\Trojans.sbi (*)
    2008-02-13 Includes\TrojansC.sbi (*)
    2007-12-24 Plugins\TCPIPAddress.dll

    to be continued...
    Life on Earth is expensive but it includes a free trip around the Sun every year.

  6. #6
    Security Expert-Emeritus steamwiz's Avatar
    Join Date
    Dec 2005
    Location
    Yorkshire. U.K.
    Posts
    1,313

    Default

    HI

    Microsoft.WindowsSecurityCenter.AntiVirusOverride: [SBI $3604910C] Settings (Registry change, nothing done)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride

    This may or may not be malware related ... it could be your anti-virus claiming responsibility for monitoring itself.

    -
    17.02.2008 22:47:10 - found: Win32.Agent.bgy Settings
    17.02.2008 22:47:19 - found: Win32.Bagle.hi Program directory

    Win32.Agent.bgy: [SBI $3FF5579E] Settings (Registry key, fixed)
    HKEY_USERS\S-1-5-21-1482476501-507921405-725345543-1003\Software\FirstRRRun

    Would you please run Regedit & export this key :-

    HKEY_USERS\S-1-5-21-1482476501-507921405-725345543-1003\Software\FirstRRRun

    Then copy& paste the contents here


    Win32.Bagle.hi: [SBI $37536BC2] Program directory (Directory, fixed)
    C:\WINDOWS\system32\drivers\down\

    These are Bagle ... surprisingly it shows nothing in the "down" folder ...

    -
    This is from another spybot log, you will notice that spybot deletes all files in the System32\drivers\down\ folder

    Win32.Agent.bgy: [SBI $3FF5579E] Einstellungen (Registrierungsdatenbank-Schlüssel, fixed)
    HKEY_USERS\S-1-5-21-1009317085-2326122771-423037255-1000\Software\FirstRRRun

    Win32.Bagle.hi: [SBI $FF44CCD9] Einstellungen (Registrierungsdatenbank-Schlüssel, fixed)
    HKEY_USERS\S-1-5-21-1009317085-2326122771-423037255-1000\Software\ts

    Win32.Bagle.hi: [SBI $37536BC2] Programm-Verzeichnis (Verzeichnis, fixed)
    C:\Windows\System32\drivers\down\

    Win32.Bagle.hi: [SBI $5A6A2EC7] Ausführbare Datei (Datei, fixed)
    C:\Windows\System32\drivers\down\245359.exe

    Win32.Bagle.hi: [SBI $5A6A2EC7] Ausführbare Datei (Datei, fixed)
    C:\Windows\System32\drivers\down\280078.exe

    Win32.Bagle.hi: [SBI $5A6A2EC7] Ausführbare Datei (Datei, fixed)
    C:\Windows\System32\drivers\down\285765.exe

    ---------
    Here's another bagle similar to yours, but this version has been around over 2 years

    http://vil.nai.com/vil/content/v_138585.htm

    --
    You say you've run Combofix. Bagle notoriously corrupts the headers of certain exe files, Combofix included, unless the exe is renamed first (before download) ... but you had no trouble running it ?

    I'll be interested to see some of your Combofix logs ..

    steam
    MICROSOFT MVP - Security 2004/9 .member of ASAP since 2004 - member of U.N.I.T.E

  7. #7
    Member
    Join Date
    Feb 2008
    Posts
    47

    Default

    So here we kinda start over with fresh logs. First an observation though. Last Friday when this started I happened to double click that file I told you about, resulting in a dialog saying "select file to crack". It was Friday night and I selected the file I opened, somewhat puzzled, before I realized what had happened.

    I immediately took preventive measures like pulling the net cable and opening Windows Task Manager, where I saw these numbered .exe files popping up which I understood was crap and killed, and relatively soon I also located hldrrr.exe and winterms.exe which were killed, but at this stage I was still unaware of srosa.sys. Possibly the fast response to the situation limited the damage somehow, at least I never saw much of that in the other thread you pointed me at. I found some of the registry keys and values which I deleted, although some of the srosa stuff was hard to get rid of as it didn't help to change permissions inside of regedit, and at that point I could open none of my usual security programs, nor install HJT.

    Anyhow, that open dialog never showed up again, until now. Now it comes up every time I boot into normal mode. If I just leave it there nothing further seems to happen. I surely won't select any file and Cancel probably won't make much difference, so I tested the X instead, which results in the system taking a dive after a short delay. But as I said, if I just leave it open there things seem to be status quo and I can use the system.

    The very first time I "managed" to get this dialog to come back was on Wednesday when I got restless and started to poke around, did some different online scans and finally was able to clean out much, although after reboot the classic things came back. I then noticed there was something strange with my display driver, and looking for hidden/camouflaged things I couldn't find anything else except legit things that loaded. Actually it started with me trying to install a new ATI Catalyst driver set, but as the first ATI screen loaded I got a message that I needed Admin privileges (or something similar) to install. I then decided to uninstall the ATI drivers (I have a Radeon 9250) and bump down to VGA and see what happened. Before I rebooted I cleaned up the virus tracks, and when the machine came up I saw no down dir and a Spybot scan came out clear - at that point I thought I had done it... but as soon as I touched the install new hardware dialog that came up for the missing display driver, that dialog popped up again!

    Now I think it's RegRun's Anti-rootkit driver which loads early that actually forces the dialog to come up to the surface instead of hiding. Anyhow, that's where I am now. I will post Spybot logs right away in a new post and then run Combofix to see where it gets us. I assume I should disable RegRun then, although I am a bit reluctant as I basically know how the CF will come out: it will delete the down dir and then reboot, and after reboot the dir is back as well as the reg keys. Or do you have a better idea? Basically I think I have it all out, except for one place where it hides and reincarnates unless we can give it a final blow.
    Life on Earth is expensive but it includes a free trip around the Sun every year.
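
The pattern the poster describes in the last two posts (Spybot marks the `FirstRRRun` key and the `drivers\down\` directory as fixed, then a scan after the next reboot finds both again) is exactly what a comparison of consecutive Spybot reports makes visible. The script below is an added example, not code from the thread or from Spybot: it parses the "Report generated" section format shown in the logs above and lists every object that was reported fixed in an earlier report and present again in a later one. The first sample report is the thread's own second scan; the second report, including its timestamp, is constructed to represent the reinfected state the poster describes.

```python
import re
from dataclasses import dataclass

# Each Spybot finding is a header line followed by the affected object on the next line:
#   Win32.Agent.bgy: [SBI $3FF5579E] Settings (Registry key, fixed)
#   HKEY_USERS\...\Software\FirstRRRun
HEADER_RE = re.compile(
    r"^(?P<threat>[^:\[]+): \[SBI \$(?P<sbi>[0-9A-Fa-f]+)\] (?P<label>.+?) "
    r"\((?P<kind>[^,()]+), (?P<status>[^()]+)\)$"
)

# Report A: taken from the second scan posted above, where both objects were removed.
REPORT_AFTER_FIX = """\
--- Report generated: 2008-02-17 22:53 ---

Win32.Agent.bgy: [SBI $3FF5579E] Settings (Registry key, fixed)
HKEY_USERS\\S-1-5-21-1482476501-507921405-725345543-1003\\Software\\FirstRRRun

Win32.Bagle.hi: [SBI $37536BC2] Program directory (Directory, fixed)
C:\\WINDOWS\\system32\\drivers\\down\\
"""

# Report B (constructed, timestamp included): a scan after the next reboot in which
# the same two objects have reappeared, plus the Security Center override entry.
REPORT_NEXT_BOOT = """\
--- Report generated: 2008-02-18 09:10 ---

Microsoft.WindowsSecurityCenter.AntiVirusOverride: [SBI $3604910C] Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Security Center\\AntiVirusOverride

Win32.Agent.bgy: [SBI $3FF5579E] Settings (Registry key, nothing done)
HKEY_USERS\\S-1-5-21-1482476501-507921405-725345543-1003\\Software\\FirstRRRun

Win32.Bagle.hi: [SBI $37536BC2] Program directory (Directory, nothing done)
C:\\WINDOWS\\system32\\drivers\\down\\
"""


@dataclass(frozen=True)
class Finding:
    threat: str   # detection name, e.g. Win32.Bagle.hi
    sbi: str      # Spybot signature id
    kind: str     # Registry key / Directory / File / ...
    status: str   # "fixed" or "nothing done"
    target: str   # registry path or file system path


def parse_spybot(report):
    """Extract findings from a Spybot report; version lists and other lines are ignored."""
    lines = [line.strip() for line in report.splitlines()]
    findings = []
    i = 0
    while i < len(lines):
        m = HEADER_RE.match(lines[i])
        if not m:
            i += 1
            continue
        j = i + 1
        while j < len(lines) and not lines[j]:   # the target follows on the next non-empty line
            j += 1
        target = lines[j] if j < len(lines) else ""
        findings.append(Finding(m["threat"], m["sbi"], m["kind"], m["status"], target))
        i = j + 1
    return findings


def recurring(earlier, later):
    """Findings in `later` whose target was already reported as fixed in `earlier`.

    A non-empty result means the cleanup did not reach whatever recreates the
    object (here, a driver or autostart component that survives the reboot)."""
    fixed_targets = {f.target.lower().rstrip("\\") for f in earlier if f.status == "fixed"}
    return [f for f in later if f.target.lower().rstrip("\\") in fixed_targets]


if __name__ == "__main__":
    before = parse_spybot(REPORT_AFTER_FIX)
    after = parse_spybot(REPORT_NEXT_BOOT)
    for f in recurring(before, after):
        print(f"came back after being fixed: {f.threat} ({f.kind}) {f.target}")
```

Two objects come back in the sample, which is the signal to stop deleting the visible artefacts and look for the component that recreates them (the poster's own suspicion of srosa.sys and the ComboFix run the helper asked for both go in that direction). The German-language report quoted in post #6 uses translated labels inside the parentheses, so `status` would read differently there; the regex still captures the line, only the string compared against "fixed" would need adjusting.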
