need help w/ hard to kill trojan

Then I was right in my suspicion of the ATI driver, although it was more intuition than technical analysis :santa: and now it hits me that I haven't seen the Avast popup about updated definitions for a while :oops: but I have plugged the speakers into my notebook for some entertainment while waiting for scans :red:

So it should basically just be a matter of reinstalling Avast to replace the file, unless it has moved to another hideout.

Well, seeing as you stopped it pretty quickly in its tracks, it probably never got to be a full-blown infection, so it won't hurt to try that. Remember, it's when you reboot that it will jump to another file/run key, so try to do as much as possible without rebooting; then when you run another ComboFix scan we can see what it says ...

My bedtime now ... don't forget the PM I just sent you, I'll catch up with you again tomorrow :)

steam
 
We did it!

The :spider: is dead and I am out of the web :santa:. I will post back later today with details and CF logs etc., as there is still some clean-up and system repair to do. Just thought I'd let you know, and I think I deserve some sleep now.

So I am fine at the moment; pick someone at the end of the queue instead in the meantime, if you have time to spare.
 
Fresh logs coming

Ok, here are fresh CF and HJT logs, CF first and then HJT. RegRun also produced some interesting logs which you might be interested in looking at, including a boot log and others I think - but it's quite a lot of data, so maybe you don't want me to post it here?
 
ComboFix.log Part 1

ComboFix 08-02-24.4 - Joakim 2008-02-24 10:33:16.10 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1592 [GMT 1:00]
Running from: C:\Documents and Settings\Joakim\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-01-24 to 2008-02-24 )))))))))))))))))))))))))))))))
.

2008-02-24 04:34 . 2008-02-24 10:21 1,783,562,240 --a------ C:\LogFile.Etl
2008-02-23 15:40 . 2008-02-24 04:43 78 --a------ C:\WINDOWS\lsoon.ini
2008-02-23 15:22 . 2008-02-24 10:58 25,773 --a------ C:\WINDOWS\system32\drivers\regguard.sys
2008-02-23 15:18 . 2005-04-03 14:02 8,944 --a------ C:\WINDOWS\system32\drivers\UnHackMeDrv.sys
2008-02-23 15:08 . 2008-02-23 15:09 <DIR> d-------- C:\Documents and Settings\Joakim\Application Data\Regrun
2008-02-23 15:04 . 2008-02-23 15:04 30,946 --a------ C:\WINDOWS\system32\drivers\Partizan.sys
2008-02-23 15:04 . 2008-02-23 15:04 25,088 --a------ C:\WINDOWS\system32\Partizan.exe
2008-02-23 14:53 . 2008-02-24 03:36 <DIR> d-------- C:\regrunplat570
2008-02-23 14:53 . 2008-02-23 14:53 <DIR> d-------- C:\Program Files\Greatis
2008-02-23 14:53 . 2008-02-13 11:41 441,856 --a------ C:\WINDOWS\RunGuard.exe
2008-02-23 14:53 . 2003-09-06 15:55 57,556 --a------ C:\WINDOWS\guard.bmp
2008-02-23 14:53 . 2000-12-12 19:56 16,384 --a------ C:\WINDOWS\WinBait.org
2008-02-23 14:53 . 2000-12-12 19:56 16,384 --a------ C:\WINDOWS\WinBait.exe
2008-02-23 14:52 . 2008-02-23 14:52 11,266,935 --a------ C:\regrunplat570.zip
2008-02-23 12:46 . 2008-02-23 12:50 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-02-23 03:22 . 2008-02-23 03:21 1,238,736 --a------ C:\MGtools.exe
2008-02-23 03:08 . 2008-02-23 03:08 <DIR> d-------- C:\Program Files\CCleaner
2008-02-23 02:57 . 2008-02-23 02:57 <DIR> d-------- C:\Program Files\ERUNT
2008-02-22 15:36 . 2008-02-22 15:36 791,393 --a------ C:\temp\erunt-setup.exe
2008-02-22 14:31 . 2008-02-22 17:28 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2008-02-22 11:51 . 2008-02-22 11:55 <DIR> d-------- C:\WinLicense
2008-02-22 04:53 . 2008-02-22 04:53 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Simply Super Software
2008-02-22 04:48 . 2008-02-22 04:52 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\VMware
2008-02-22 04:42 . 2008-02-22 04:42 6,300,696 --a------ C:\temp\SUPERAntiSpywarePro.exe
2008-02-22 03:53 . 2008-02-23 12:46 <DIR> d-------- C:\WINDOWS\LastGood
2008-02-22 03:40 . 2008-02-22 03:40 <DIR> d-------- C:\Program Files\ATI Technologies
2008-02-22 03:21 . 2006-02-28 13:00 18,944 --a------ C:\WINDOWS\system32\simptcp.dll
2008-02-22 03:18 . 2008-02-22 03:18 <DIR> d-------- C:\WINDOWS\LastGood.Tmp
2008-02-22 00:32 . 2008-02-22 00:32 <DIR> d-------- C:\Documents and Settings\Joakim\DoctorWeb
2008-02-21 20:40 . 2008-02-21 20:41 <DIR> d-------- C:\getservice
2008-02-21 19:38 . 2008-02-21 19:38 <DIR> d-------- C:\ATI
2008-02-21 01:03 . 2008-02-21 01:03 <DIR> d-------- C:\Documents and Settings\Joakim\Application Data\Malwarebytes
2008-02-21 01:03 . 2008-02-21 01:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-02-20 14:32 . 2008-02-20 14:32 <DIR> d-------- C:\VundoFix Backups
2008-02-19 23:37 . 2008-02-21 08:19 250 --a------ C:\WINDOWS\gmer.ini
2008-02-18 14:02 . 2008-02-18 14:02 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-02-18 14:02 . 2008-02-18 14:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-18 10:44 . 2008-02-18 10:44 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-18 10:39 . 2008-02-18 10:39 812,344 --a------ C:\temp\HJTInstall.exe
2008-02-18 00:53 . 2008-02-18 00:53 2,062,665 --a------ C:\temp\spywareguardsetup.exe
2008-02-18 00:42 . 2008-02-18 00:43 2,566,736 --a------ C:\temp\spywareblastersetup351.exe
2008-02-17 23:14 . 2008-02-17 23:13 15,852,952 --a------ C:\temp\jre-6u4-windows-i586-p.exe.exe
2008-02-17 21:53 . 2008-02-17 21:53 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-17 21:53 . 2008-02-17 21:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-17 21:02 . 2002-09-20 10:53 235,100 --a------ C:\WINDOWS\system32\drivers\MidiSyn.sys
2008-02-17 21:01 . 2008-02-17 21:01 <DIR> d-------- C:\WINDOWS\VirtualEar
2008-02-17 21:01 . 2008-02-17 21:01 <DIR> d-------- C:\Program Files\Analog Devices
2008-02-17 21:01 . 2001-09-11 15:20 1,285,632 --a------ C:\WINDOWS\system32\SMMedia.dll
2008-02-17 21:01 . 2001-09-19 13:47 765,952 --a------ C:\WINDOWS\system\crlds3d.dll
2008-02-17 21:01 . 2001-09-19 13:47 720,896 --a------ C:\WINDOWS\system32\Audio3d.dll
2008-02-17 21:01 . 2003-06-02 13:42 578,304 --a------ C:\WINDOWS\system32\drivers\smwdm.sys
2008-02-17 21:01 . 2003-03-13 18:34 100,224 --a------ C:\WINDOWS\system32\drivers\aeaudio.sys
2008-02-17 21:01 . 2003-01-08 11:23 49,152 --a------ C:\WINDOWS\system32\DSndUp.exe
2008-02-17 21:01 . 2002-04-17 15:05 45,056 --a------ C:\WINDOWS\system32\CleanUp.exe
2008-02-17 21:01 . 2001-09-11 15:20 30,208 --a------ C:\WINDOWS\system32\wdmioctl.dll
2008-02-17 21:01 . 2003-03-13 15:40 3,744 --a------ C:\WINDOWS\system32\drivers\smsens.sys
2008-02-17 20:34 . 2008-02-18 23:21 <DIR> d-------- C:\temp\WinLicenseDemo
2008-02-17 18:53 . 2008-02-17 18:53 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-17 16:44 . 2007-12-04 14:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-02-17 16:44 . 2007-12-04 13:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-02-17 16:44 . 2007-12-04 15:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-02-17 16:44 . 2007-12-04 15:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-02-17 16:44 . 2007-12-04 15:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-02-17 16:44 . 2007-12-04 15:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-02-17 16:44 . 2007-12-04 15:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-02-17 13:35 . 2008-02-17 13:35 55 --a------ C:\WINDOWS\regrunfix.rnr
2008-02-17 03:58 . C:\WINDOWS\(2) C:\ComboFix\winstart.bat
2008-02-16 23:10 . 2008-02-16 23:12 <DIR> d-------- C:\Documents and Settings\Joakim\Application Data\PrevxCSI
2008-02-16 09:09 . 2008-02-16 21:37 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-02-15 16:31 . 2008-02-17 14:18 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-02-15 16:30 . 2008-02-15 22:55 <DIR> d-------- C:\Documents and Settings\Joakim\.housecall6.6
2008-02-15 15:20 . 2008-02-22 08:52 <DIR> d-------- C:\Program Files\Trojan Remover
2008-02-15 15:20 . 2008-02-15 15:20 <DIR> d-------- C:\Documents and Settings\Joakim\Application Data\Simply Super Software
2008-02-15 15:20 . 2008-02-15 15:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Simply Super Software
2008-02-15 15:20 . 2006-05-25 14:52 162,304 --a------ C:\WINDOWS\system32\ztvunrar36.dll
2008-02-15 15:20 . 2003-02-02 19:06 153,088 --a------ C:\WINDOWS\system32\UNRAR3.dll
2008-02-15 15:20 . 2005-08-26 00:50 77,312 --a------ C:\WINDOWS\system32\ztvunace26.dll
2008-02-15 15:20 . 2002-03-06 00:00 75,264 --a------ C:\WINDOWS\system32\unacev2.dll
2008-02-15 15:20 . 2006-06-19 12:01 69,632 --a------ C:\WINDOWS\system32\ztvcabinet.dll
2008-02-15 00:12 . 2008-02-15 00:11 407,680 --a------ C:\temp\aswclnr.exe
2008-02-14 22:43 . 2008-02-17 15:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-14 22:27 . 2008-02-14 22:38 21,364,592 --a------ C:\temp\aaw2007.exe
2008-02-14 22:22 . 2008-02-14 22:22 17,255,626 --a------ C:\temp\WinLicenseDemo.zip
2008-02-14 12:41 . 2008-02-14 12:41 499,712 --a------ C:\WINDOWS\system32\ExSlider.dll
2008-02-14 12:41 . 2008-02-14 12:41 203,488 --a------ C:\WINDOWS\system32\ExSlider.chm
2008-02-14 12:40 . 2008-02-14 12:40 573,440 --a------ C:\WINDOWS\system32\ExStatusBar.dll
2008-02-14 12:40 . 2008-02-14 12:40 436,674 --a------ C:\WINDOWS\system32\ExStatusBar.chm
2008-02-14 12:39 . 2008-02-14 12:39 434,176 --a------ C:\WINDOWS\system32\ExThumbnail.dll
2008-02-14 12:34 . 2008-02-14 12:34 331,776 --a------ C:\WINDOWS\system32\ExTexture.dll
2008-02-14 12:34 . 2008-02-14 12:34 102,224 --a------ C:\WINDOWS\system32\ExTexture.chm
2008-02-14 12:31 . 2008-02-14 12:31 172,032 --a------ C:\WINDOWS\system32\MaskEdit.dll
2008-02-14 12:31 . 2008-02-14 12:31 53,672 --a------ C:\WINDOWS\system32\MaskEdit.chm
2008-02-14 12:28 . 2008-02-14 12:28 <DIR> d-------- C:\Program Files\Copy of EXECryptor
2008-02-13 14:50 . 2008-02-13 14:50 389,120 --a------ C:\WINDOWS\system32\ExCalc.dll
2008-02-13 14:50 . 2008-02-13 14:50 84,478 --a------ C:\WINDOWS\system32\ExCalc.chm
2008-02-13 14:42 . 2008-02-13 14:42 479,232 --a------ C:\WINDOWS\system32\ExRolList.dll
2008-02-13 14:42 . 2008-02-13 14:42 210,902 --a------ C:\WINDOWS\system32\ExRolList.CHM
2008-02-13 14:03 . 2008-02-13 14:03 225,280 --a------ C:\WINDOWS\system32\ExShellView.dll
2008-02-13 14:03 . 2008-02-13 14:03 83,770 --a------ C:\WINDOWS\system32\ExShellView.chm
2008-02-13 13:58 . 2008-02-13 13:58 397,312 --a------ C:\WINDOWS\system32\ExFolderView.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-24 09:24 --------- d-----w C:\Documents and Settings\Joakim\Application Data\VMware
2008-02-23 22:58 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-23 02:48 --------- d-----w C:\Documents and Settings\Joakim\Application Data\uTorrent
2008-02-22 08:01 --------- d-----w C:\Program Files\SpywareBlaster
2008-02-20 01:00 --------- d-----w C:\Documents and Settings\NetworkService\Application Data\VMware
2008-02-20 01:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\VMware
2008-02-19 23:57 --------- d-----w C:\Program Files\SpywareGuard
2008-02-18 14:03 --------- d-----w C:\Documents and Settings\Joakim\Application Data\Skype
2008-02-17 23:36 --------- d-----w C:\Program Files\SpeedFan
2008-02-17 22:19 --------- d-----w C:\Program Files\Java
2008-02-17 20:01 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-17 17:54 --------- d-----w C:\Program Files\Lavasoft
2008-02-16 20:50 --------- d-----w C:\Program Files\Windows Desktop Search
2008-02-14 23:04 --------- d-----w C:\Program Files\WYSIWYG Web Builder 4.0
2008-02-14 21:29 --------- d-----w C:\Documents and Settings\Joakim\Application Data\Lavasoft
2008-02-14 11:41 --------- d-----w C:\Program Files\Exontrol
2008-02-14 11:29 --------- d-----w C:\Program Files\EXECryptor
2008-02-12 23:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-02-12 09:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-02-11 17:37 --------- d-----w C:\Program Files\MSDN
2008-02-11 17:24 --------- d-----w C:\Program Files\Microsoft SQL Server
2008-02-11 17:21 --------- d-----w C:\Program Files\Microsoft.NET
2008-02-11 16:58 --------- d-----w C:\Program Files\Common Files\Merge Modules
2008-02-11 16:53 --------- d-----w C:\Program Files\MSBuild
2008-02-10 23:43 --------- d-----w C:\Program Files\FlashFXP
2008-02-01 20:16 --------- d-----w C:\Program Files\TortoiseCVS
2008-01-24 13:35 --------- d-----w C:\Program Files\WYSIWYG Web Builder 5
2008-01-23 15:27 737,280 ----a-w C:\WINDOWS\iun6002.exe
2008-01-23 12:11 --------- d-----w C:\Program Files\Effective Studios
2008-01-10 19:29 --------- d-----w C:\Documents and Settings\Joakim\Application Data\vlc
2008-01-04 22:28 --------- d-----w C:\Documents and Settings\Joakim\Application Data\VanDyke
2008-01-03 22:10 --------- d-----w C:\Program Files\Skype
2008-01-01 22:02 --------- d-----w C:\Program Files\TortoiseSVN
2007-12-24 01:22 --------- d-----w C:\Documents and Settings\Joakim\Application Data\phpDesigner 2008
2007-12-24 01:15 --------- d-----w C:\Program Files\phpDesigner 2008
2007-05-01 15:12 79,245 ----a-w C:\Documents and Settings\Joakim\Application Data\unins000.dat
2007-05-01 15:11 683,801 ----a-w C:\Documents and Settings\Joakim\Application Data\unins000.exe
2007-08-26 00:41 23 --sha-w C:\WINDOWS\system32\abbdadee_r.dll
.
 
Part 2

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseSVN]
@={30351346-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseSVN]
@={30351347-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseSVN]
@={30351348-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseSVN]
@={3035134B-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseSVN]
@={3035134C-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseSVN]
@={3035134D-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseSVN]
@={3035134E-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS0]
@={5d1cb710-1c4b-11d4-bed5-005004b1f42f}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS1]
@={5d1cb711-1c4b-11d4-bed5-005004b1f42f}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS2]
@={5d1cb712-1c4b-11d4-bed5-005004b1f42f}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS3]
@={5d1cb713-1c4b-11d4-bed5-005004b1f42f}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS4]
@={5d1cb714-1c4b-11d4-bed5-005004b1f42f}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS5]
@={5d1cb715-1c4b-11d4-bed5-005004b1f42f}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS6]
@={5d1cb716-1c4b-11d4-bed5-005004b1f42f}

[HKEY_CLASSES_ROOT\CLSID\{30351346-7B7D-4FCC-81B4-1E394CA267EB}]
2007-12-21 21:53 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CLASSES_ROOT\CLSID\{30351347-7B7D-4FCC-81B4-1E394CA267EB}]
2007-12-21 21:53 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CLASSES_ROOT\CLSID\{30351348-7B7D-4FCC-81B4-1E394CA267EB}]
2007-12-21 21:53 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CLASSES_ROOT\CLSID\{3035134B-7B7D-4FCC-81B4-1E394CA267EB}]
2007-12-21 21:53 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CLASSES_ROOT\CLSID\{3035134C-7B7D-4FCC-81B4-1E394CA267EB}]
2007-12-21 21:53 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CLASSES_ROOT\CLSID\{3035134D-7B7D-4FCC-81B4-1E394CA267EB}]
2007-12-21 21:53 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CLASSES_ROOT\CLSID\{3035134E-7B7D-4FCC-81B4-1E394CA267EB}]
2007-12-21 21:53 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CLASSES_ROOT\CLSID\{5d1cb710-1c4b-11d4-bed5-005004b1f42f}]
2007-12-02 22:00 1421312 --a------ C:\Program Files\TortoiseCVS\TortoiseShell.dll

[HKEY_CLASSES_ROOT\CLSID\{5d1cb711-1c4b-11d4-bed5-005004b1f42f}]
2007-12-02 22:00 1421312 --a------ C:\Program Files\TortoiseCVS\TortoiseShell.dll

[HKEY_CLASSES_ROOT\CLSID\{5d1cb712-1c4b-11d4-bed5-005004b1f42f}]
2007-12-02 22:00 1421312 --a------ C:\Program Files\TortoiseCVS\TortoiseShell.dll

[HKEY_CLASSES_ROOT\CLSID\{5d1cb713-1c4b-11d4-bed5-005004b1f42f}]
2007-12-02 22:00 1421312 --a------ C:\Program Files\TortoiseCVS\TortoiseShell.dll

[HKEY_CLASSES_ROOT\CLSID\{5d1cb714-1c4b-11d4-bed5-005004b1f42f}]
2007-12-02 22:00 1421312 --a------ C:\Program Files\TortoiseCVS\TortoiseShell.dll

[HKEY_CLASSES_ROOT\CLSID\{5d1cb715-1c4b-11d4-bed5-005004b1f42f}]
2007-12-02 22:00 1421312 --a------ C:\Program Files\TortoiseCVS\TortoiseShell.dll

[HKEY_CLASSES_ROOT\CLSID\{5d1cb716-1c4b-11d4-bed5-005004b1f42f}]
2007-12-02 22:00 1421312 --a------ C:\Program Files\TortoiseCVS\TortoiseShell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:56 15360]
"Registry"="C:\Program Files\Greatis\RegRunSuite\lsoon.exe" [2008-02-13 11:40 390656]
"Regrun2"="C:\PROGRA~1\Greatis\REGRUN~1\WatchDog.exe" [2008-02-13 11:41 356864]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2003-05-29 16:28 790528]
"vmware-tray"="C:\Program Files\VMware\VMware Workstation\vmware-tray.exe" [2007-05-01 21:52 68400]
"VMware hqtray"="C:\Program Files\VMware\VMware Workstation\hqtray.exe" [2007-05-01 21:52 56112]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"RegRun WinBait"="C:\WINDOWS\winbait.exe" [2000-12-12 19:56 16384]
"@RegRunOnSecure"="C:\PROGRA~1\Greatis\REGRUN~1\OnSecure.exe" [2003-01-22 11:03 57856]

C:\Documents and Settings\Joakim\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk.disabled [2008-02-23 02:57:40 767]
SpeedFan.lnk.disabled [2006-03-04 16:49:13 682]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk.disabled [2006-02-03 00:05:49 1824]
Dispatcher.lnk.disabled [2006-04-05 16:01:09 856]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{F552DDE6-2090-4bf4-B924-6141E87789A5}"= C:\Program Files\Greatis\RegRunSuite\RRShell.dll [2004-11-02 09:15 368711]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 setuid

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ATI Smart"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
"VMware hqtray"="C:\Program Files\VMware\VMware Workstation\hqtray.exe"
"vmware-tray"=C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
"avast!"=C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\uTorrent\\uTorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowOutboundDestinationUnreachable"= 0 (0x0)

R0 hotcore3;hotcore3;C:\WINDOWS\system32\drivers\hotcore3.sys [2007-03-07 12:27]
S0 Partizan;Partizan;C:\WINDOWS\system32\drivers\Partizan.sys [2008-02-23 15:04]
S2 SQLWriter;SQL Server VSS Writer;"c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2007-02-10 05:29]
S2 tcaicchg;tcaicchg;C:\WINDOWS\System32\tcaicchg.sys [2000-06-06 11:08]
S2 TCAITDI;TCAITDI Protocol;C:\WINDOWS\system32\DRIVERS\TCAITDI.sys [2001-09-04 04:22]
S3 GTwinUSB;GTwinUSB;C:\WINDOWS\system32\Drivers\GTwinUSB.sys [2002-10-04 11:21]
S3 LCcfltr;Logitech USB Filter Driver;C:\WINDOWS\system32\Drivers\LCcFltr.Sys [2004-03-03 08:50]
S3 MBAMCatchMe;MBAMCatchMe;C:\Program Files\Malwarebytes' Anti-Malware\catchme.sys []
S3 RegGuard;RegGuard;C:\WINDOWS\system32\Drivers\regguard.sys [2008-02-24 10:58]
S3 VSPerfDrv90;Performance Tools Driver 9.0;C:\Program Files\Microsoft Visual Studio 9.0\Team Tools\Performance Tools\VSPerfDrv90.sys [2007-09-04 16:53]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" [2006-12-02 05:17]
S4 msvsmon90;Visual Studio 2008 Remote Debugger;"C:\Program Files\Microsoft Visual Studio 9.0\Common7\IDE\Remote Debugger\x86\msvsmon.exe" [2007-11-07 08:58]

.
Contents of the 'Scheduled Tasks' folder
"2008-02-17 15:06:35 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-17 15:06:24 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-24 10:58:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
.
**************************************************************************
.
Completion time: 2008-02-24 11:05:41 - machine was rebooted
ComboFix2.txt 2008-02-23 03:09:59
ComboFix3.txt 2008-02-22 03:26:54
ComboFix4.txt 2008-02-21 21:57:46
ComboFix5.txt 2008-02-21 21:10:53
.
2008-02-12 23:25:53 --- E O F ---
 
HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:33, on 2008-02-24
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Microsoft Web Test Recorder 9.0 Helper - {E31CE47F-C268-41ba-897B-B415E613947D} - C:\Program Files\Microsoft Visual Studio 9.0\Common7\IDE\PrivateAssemblies\Microsoft.VisualStudio.QualityTools.RecorderBarBHO90.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [vmware-tray] C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
O4 - HKLM\..\Run: [VMware hqtray] "C:\Program Files\VMware\VMware Workstation\hqtray.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RegRun WinBait] C:\WINDOWS\winbait.exe
O4 - HKLM\..\Run: [@RegRunOnSecure] C:\PROGRA~1\Greatis\REGRUN~1\OnSecure.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Registry] "C:\Program Files\Greatis\RegRunSuite\lsoon.exe" -1 30 "C:\Program Files\Greatis\RegRunSuite\rescue.exe" /a "J:\backreg\rstore.ini"
O4 - HKCU\..\Run: [Regrun2] C:\PROGRA~1\Greatis\REGRUN~1\WatchDog.exe
O4 - Startup: ERUNT AutoBackup.lnk.disabled
O4 - Startup: SpeedFan.lnk.disabled
O4 - Global Startup: Acrobat Assistant.lnk.disabled
O4 - Global Startup: Dispatcher.lnk.disabled
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O15 - Trusted Zone: *.astrocalc.com
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase370.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1189011463281
O17 - HKLM\System\CCS\Services\Tcpip\..\{AB6B7C91-5A89-46B0-83B7-4A6328408ED3}: NameServer = 213.226.224.12,213.226.224.66
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Paradigma Software\Bonjour\mDNSResponder.exe
O23 - Service: CVSNT Locking Service 2.5.03.2382 (cvslock) - Unknown owner - C:\Program Files\CVSNT\cvslock.exe
O23 - Service: CVSNT Dispatch service 2.5.03.2382 (cvsnt) - March Hare Software Ltd - C:\Program Files\CVSNT\cvsservice.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 7426 bytes
 
Hi

There are more registry values I have found, though, that get recreated, basically variants of some from that other case (which I have been too busy with logs to look at fully yet). Do you want me to export these as well?

Post them please ...

Ok, here are fresh CF and HJT logs, CF first and then HJT. RegRun also produced some interesting logs which you might be interested in looking at, including a boot log and others I think - but it's quite a lot of data, so maybe you don't want me to post it here?

Yes please ... post it all ... if there's nothing in it you don't want posted on an open forum.

I'll have a look through it, & others may want to as well...

Can you run a new KAV scan as well please ... no need to post any of the log if it's clean ... if not just post the infected lines ...

As it's Sunday I won't be online all day, but I'll keep checking back whenever I get the chance.

thanks

steam
 
I will run a KAV scan, but last time it took 20 hours; it might have been due to the infection, although I do have a big system :alien:

As you said, it's Sunday. I have written a separate report which I will post next, then I will come with more logs later. But now my girlfriend will kill me if I don't get out with her :angel:
 
Removal report

Some tidying-up comments about the removal. There were actually 2 identical infectors to remove: the one that popped up the "select file" dialog, which I assume is the original of the dropped copy, and the backup, I believe. As I never let it bloom into a full-blown infection, I am not sure about the latter behaviour here, though. It seems, though, that initially the parent infector that was run picked my display driver's control utility to replace. I cannot tell for sure, but I rebooted a few times before I got a hunch that the ATI DLL had a part in the party, and I was not able to track more than 1 extra copy of the trigger. My belief is that it simply checks if it has a sibling and, if not, picks a new one on boot.

Your pointer to that other threed was much helpful to figure out the final link in the regeneration, that it copied itself into another startup file and took its place. I had the rest figured out and eventually Imay had come to that discovery as well, but heck why wait ;-) thanks a lot.

The actual blocking of and then removal was only possible with the help of IceSword and RegRun. Initially it didn't allow IceSword to run and it was RegRun that really caught it in the first place, even if it wasn't able to eliminate it fully by its own. Only with IceSword I was able to kill the hooked dialog process, but I am mighty impressed by RegRun and possibly I am just too new and unfamilar with this tool to use its full potential. I ran the free, somewhat limited version first, which lead me on the track, while Spybot and ComboFix just went round in circles. These are great tools though, not to be mistaken about that, but it was after I installed RegRun 5.7 Platinum for a 30 days trail I started to get somewere with it and I will definately buy this tool after my trail (or even sooner)!

So while computer was hanging on the file select dialog, I killed with Icesword first the backup file process and then the file process hooking the dialog. Now the thing is, and I don't know if this is a coincident or not, but the backup process was actually RegRun's watchdog.exe file which seem to have slipped through. I found the backup by making a system wide search for files with about th same size. There was several files with same size, but the backup can be separated out as it has the same green icon. I tested all these same size files at jotti's and the others where clean although they may as well just be empty corps - I can't really tell as I have run just the minimal since the firs incident so at this point I actually don't know how much damage has been done. Valuable to knowas well is that as jotti, only AVG and VBA32 was able to flag the original infector, the very first ran exe file. Apart from these 2, also Ikarus and Cprotect (I think it's called) flagged the dropped copy as infected. At viruscontrol, also Avira flagged the the original infector (although not at jotti, same file uploaded).

As for Regrun's watchguard, I expanded the setup file and copied a fresh watchguard.exe into Regruns program dir and then simply double clicked to start it and it seemed to take up it's duties again ;-) this might be a very important step, incase original watchdog.exe is lost to the bug as we will see soon.

After that I cleaned up all known places in registry with Icesword, meanwhile Regrun watched everything in the background and let me decide what to allow and not. When done I used "Reboot and Monitor" in Icesword and now comes next surprice as when booting up RegRun flagged for a driver file infected with Almanahe.D and had my kill it on a new reboot. If this was a part of the initial infection is hard to tell for me, but I assume with all the different scans I have done the last days (6-7 online scans, and several local scans with Avast and 3-4 other wellknown anti-malware scanners I downloaded and tested) it would have been found earlier. Well it makes sense as Regrun catched it now but not 10 minutes earlier ;-)

Ok so far so good, I think my computer is "safe" for now but damage need to be evaluated, I know there are some faults with registry keys. But it's a nice sunny sunday, so I will close down all systems and go for a long refreshing walk also cleaning out my thoughts ;-) and we can start next phase tohight or maybe tomorrow. Just let me know if there is something special you want me to do?

Btw, when running ComboFix I disabled Regrun but missed the RegGuard, but it seem to have interact with CF in a nice way and let it run after my approval. Before that I actually did disable regguard from that dialog. On reboot Regrun took control again and flagged CF in an early state. I clicked to add it to the ignore list and then selcted it to be a false positive, and Regrun then flagged to reboot to "disinfect". Maybe a bad selection of wording in this scenerio when there is nothing bad to deal with but I guess the reboot is necessary. So reboot and Regrun left ComboFix alone to do it's job and I think it all came out well. They both funcined with exelency here!

I am not affilated in any way, but I feel like saying it again, I strongly recomend RegRun. There is a free functional version with some none functional parts, it helped me at the very first stage. At that stage I was suspisious about anything, especially if it had an installer so I didn't try the fully function setup then. But now I would recommend that one as although it brings a minor cost after the free 30 days, it's a penny of all it can save you from further on! And it isn't really expensive either ;-) and again, I understand this almost sounds like advertizing but I like to stress that I am not affilated in any way - just a very happy user as I realize this could have ended in a horror.
 
Hi

Thank you for the write-up/report, I'm sure it will help many people.

Normally I'd be telling you what to delete to clean up now, but I think you are more than capable of deciding for yourself ...

The file you uploaded for me was 0 bytes ... can you upload it again please...

2008-02-14 22:22 . 2008-02-14 22:22 17,255,626 --a------ C:\temp\WinLicenseDemo.zip < is this it ?

2008-02-22 11:51 . 2008-02-22 11:55 <DIR> d-------- C:\WinLicense <<< is this your legit version ?

2008-02-15 00:12 . 2008-02-15 00:11 407,680 --a------ C:\temp\aswclnr.exe < avast! Virus Cleaner Tool - The latest version is 1.0.211, built on 11.5.2007. Size: 398 KB ... 407,680 is a little on the large side - check it out or delete it.

These look like legit setup files you have saved in the temp folder; saving files in a temp folder is a good way to lose them, many cleanup programs delete all files in temp folders... if you want to keep these - move them somewhere more permanent.

2008-02-18 00:53 . 2008-02-18 00:53 2,062,665 --a------ C:\temp\spywareguardsetup.exe
2008-02-18 00:42 . 2008-02-18 00:43 2,566,736 --a------ C:\temp\spywareblastersetup351.exe
2008-02-17 23:14 . 2008-02-17 23:13 15,852,952 --a------ C:\temp\jre-6u4-windows-i586-p.exe.exe
2008-02-14 22:27 . 2008-02-14 22:38 21,364,592 --a------ C:\temp\aaw2007.exe

2007-08-26 00:41 23 --sha-w C:\WINDOWS\system32\abbdadee_r.dll < delete this

This key also needs to be reset :-

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 setuid

To :-

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,00,00

A reg file like this will do it :-

====
Windows Registry Editor Version 5.00

; REG_MULTI_SZ data in a Version 5.00 .reg file is UTF-16LE:
; "msv1_0", then the string terminator, then the list terminator.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,00,00

====

a couple of other things ...

1. You mentioned the registry keys you saw were not quite the same as in the write-up I pointed you to ... would you post the registry keys you are referring to please...

2. This infection disabled safemode, but you appear to have it back OK ?

If you are having any problems with that, please run Safeboot repair by sUBs:
http://download.bleepingcomputer.com/sUBs/SafeBootKeyRepair.exe

I think that's it...

steam
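A check for the LSA value discussed in the post above, as an added example (not code from the thread or from RegRun, IceSword, ComboFix or any other tool named in it). It parses hex(7) data out of a Version 5.00 .reg export, decodes the REG_MULTI_SZ as UTF-16LE, and reports every Authentication Packages entry other than msv1_0, the only package a stock Windows XP install registers; the three .reg texts inside are constructed samples.

```python
"""Audit the LSA 'Authentication Packages' value in a .reg export.

Added example for this thread, not code from the thread or from any tool
named in it. REG_MULTI_SZ data in a "Version 5.00" .reg file is a list
of UTF-16LE strings, each NUL terminated, with an extra NUL closing the
list; the sample .reg texts below are constructed.
"""
import re

# Stock Windows XP registers only the MSV1_0 package.
EXPECTED_AUTH_PACKAGES = {"msv1_0"}
LSA_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
VALUE_NAME = "Authentication Packages"

# Constructed: clean value, as regedit exports it on a stock XP box.
SAMPLE_CLEAN_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,00,00
"""

# Constructed: the infected state the thread describes ("msv1_0 setuid"),
# with the second entry spilling onto a backslash continuation line.
SAMPLE_INFECTED_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,73,00,\
  65,00,74,00,75,00,69,00,64,00,00,00,00,00
"""

# Constructed: "msv1_0" written as 8-bit bytes under a Version 5.00 header.
# regedit stores the bytes verbatim and LSA reads them as UTF-16LE, so the
# registered package name is garbage rather than msv1_0.
SAMPLE_MISENCODED_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
"""

_HEX_VALUE_RE = re.compile(r'^"(.*)"=hex(?:\((\d+)\))?:(.*)$')


def _hex_to_bytes(hex_text):
    """'6d,00,73' -> b'm\\x00s'; empty tokens from trailing commas are skipped."""
    return bytes(int(tok, 16) for tok in hex_text.split(",") if tok.strip())


def parse_reg_hex_values(reg_text):
    """Map (key path in lower case, value name) -> (REG type number, raw bytes)
    for every hex / hex(N) value in a .reg file, joining backslash
    continuation lines before the byte list is decoded."""
    values = {}
    current_key = None
    pending = None  # (value name, type, hex text collected so far)
    for raw in reg_text.splitlines():
        line = raw.strip()
        if pending is not None:
            name, reg_type, hex_text = pending
            hex_text += line.rstrip("\\").strip()
            if line.endswith("\\"):
                pending = (name, reg_type, hex_text)
            else:
                values[(current_key, name)] = (reg_type, _hex_to_bytes(hex_text))
                pending = None
            continue
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1].lower()
            continue
        match = _HEX_VALUE_RE.match(line)
        if match is None or current_key is None:
            continue
        name, type_text, hex_text = match.groups()
        reg_type = int(type_text) if type_text else 3  # bare "hex:" is REG_BINARY
        if hex_text.endswith("\\"):
            pending = (name, reg_type, hex_text.rstrip("\\").strip())
        else:
            values[(current_key, name)] = (reg_type, _hex_to_bytes(hex_text.strip()))
    return values


def decode_multi_sz(data):
    """REG_MULTI_SZ bytes -> list of strings. Decoding is lenient so a
    malformed value (odd length, missing double NUL) still yields
    something to inspect instead of raising."""
    text = data.decode("utf-16-le", errors="replace")
    return [entry for entry in text.split("\x00") if entry]


def audit_auth_packages(reg_text, expected=EXPECTED_AUTH_PACKAGES):
    """Return (packages, unexpected) for the LSA value in reg_text, or
    (None, None) if the export does not contain it."""
    entry = parse_reg_hex_values(reg_text).get((LSA_KEY.lower(), VALUE_NAME))
    if entry is None:
        return None, None
    reg_type, data = entry
    packages = decode_multi_sz(data)
    if reg_type != 7:
        # Wrong value type: nothing in it can be trusted as a package name.
        return packages, list(packages)
    unexpected = [pkg for pkg in packages if pkg.lower() not in expected]
    return packages, unexpected


if __name__ == "__main__":
    for label, sample in (("clean", SAMPLE_CLEAN_REG),
                          ("infected", SAMPLE_INFECTED_REG),
                          ("mis-encoded", SAMPLE_MISENCODED_REG)):
        packages, unexpected = audit_auth_packages(sample)
        print(f"{label:12} packages={packages!r} unexpected={unexpected!r}")
```

The third sample is the caveat a practitioner wants: hex(7) bytes written as 8-bit characters under a Version 5.00 header are stored verbatim and decode to a non-ASCII package name, so a mistyped "fix" is flagged by the same check that catches the bogus setuid entry. Run it against a real export with `reg export HKLM\SYSTEM\CurrentControlSet\Control\Lsa lsa.reg` and feed the file contents to `audit_auth_packages`.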
 
Hi

Thank you for the write-up/report, I'm sure it will help many people.

Normally I'd be telling you what to delete to clean up now, but I think you are more than capable of deciding for yourself ...

The file you uploaded for me was 0 bytes ... can you upload it again please...
Hmm, I assume you talk about the file uploaded to bleepingcomputer? Was it winlicense.zip, or did you get a winlicense.exe as 0? I ask as at the time I was a bit tired in my head ;-) and first tried to upload the exe twice with an error result before my brain kicked in and told me to zip it.

2008-02-14 22:22 . 2008-02-14 22:22 17,255,626 --a------ C:\temp\WinLicenseDemo.zip < is this it ?

2008-02-22 11:51 . 2008-02-22 11:55 <DIR> d-------- C:\WinLicense <<< is this your legit version ?
The latter is my legit, the other is the official demo I downloaded just to compare.

2008-02-15 00:12 . 2008-02-15 00:11 407,680 --a------ C:\temp\aswclnr.exe < avast! Virus Cleaner Tool - The latest version is 1.0.211, built on 11.5.2007. Size: 398 KB ... 407,680 is a little on the large side - check it out or delete it.
It's their trojan scan and remover tool, pretty useless actually, and it has been deleted. Actually I removed Avast completely in favour of AVG Free as it (together with VBA32 and RegRun) was among the only scanners that picked up the original infection.

These look like legit setup files you have saved in the temp folder; saving files in a temp folder is a good way to lose them, many cleanup programs delete all files in temp folders... if you want to keep these - move them somewhere more permanent.

2008-02-18 00:53 . 2008-02-18 00:53 2,062,665 --a------ C:\temp\spywareguardsetup.exe
2008-02-18 00:42 . 2008-02-18 00:43 2,566,736 --a------ C:\temp\spywareblastersetup351.exe
2008-02-17 23:14 . 2008-02-17 23:13 15,852,952 --a------ C:\temp\jre-6u4-windows-i586-p.exe.exe
2008-02-14 22:27 . 2008-02-14 22:38 21,364,592 --a------ C:\temp\aaw2007.exe
It's more of my private temp folder actually, where I put anything new or unknown unless they have a proper place already. But you are right, maybe I should rename it to something else as these are files I want to control myself when to delete.

2007-08-26 00:41 23 --sha-w C:\WINDOWS\system32\abbdadee_r.dll < delete this
I also found this file in system32: adffbdceebefb3_r.ocx, 1 KB, and it looks to me like a candidate for deletion as well?

Then I have one C:\LogFile.Etl with the enormous size of almost 2 GB, and it has a time stamp of 2008-02-24 10:21, which is about the time I got back to the computer having had some hours of sleep after finally killing the thing. I just thought I'd ask if you know anything about this file before I delete it?

a couple of other things ...

1. You mentioned the registry keys you saw were not quite the same as in the write-up I pointed you to ... would you post the registry keys you are referring to please...
Well, maybe I expressed myself unclearly as English isn't my native language... What I meant actually was that I didn't have all of the keys listed in that write-up. Now it's all gone so I cannot check back, but I think the keys as such I had were the same. When I googled it I found them to match Bagle.hi and Bagle.iw (or if it was .wi), but if you get the original infector it should be possible to study it in a secure env in more detail, I guess.

Things are a bit unclear, as I realize I've been struggling with this for 10 days (when I really should have done other things, like work), and the first 2-3 days I did it totally on my own as I thought I was capable of fixing it :red: but at least I managed to stop its propagation.

2. This infection disabled safemode, but you appear to have it back OK ?

If you are having any problems with that, please run Safeboot repair by sUBs:
http://download.bleepingcomputer.com/sUBs/SafeBootKeyRepair.exe

I think that's it...

steam
Well, here I think this variant acts differently; apparently it doesn't delete the Safe Mode keys but adds junk to them - but I am not sure about that. Originally I couldn't boot into safe mode, but then somehow it got fixed. At the time I couldn't run almost anything security related, but then I managed to get rid of the LEGACY_SROSA keys, and I think it was after that I could get into safe mode. However, I later came to realize that somehow (at least certain parts of) the computer believed it was still running in safe mode while it actually was in normal mode - I got messages like "this service cannot be started in safe mode" and similar when trying to install or uninstall certain programs (using services, I assume).

I now seem to have fixed this; I did it with the help of this url http://blog.didierstevens.com/2007/02/19/restoring-safe-mode-with-a-reg-file/

Do you think I still should run Safeboot repair?

I haven't run a KAV scan yet, as I thought of manually cleaning up a bit in my old files, as there probably is much that doesn't serve its purpose anymore. I did run a full AVG scan and it found a couple of type trojan.generic and obfustat in my old files, but this is stuff that hasn't been touched for years except when it has been moved from an older small HDD to my new big one. It should really have been put on DVDs or deleted, but you know how it is with time and computer work.

So now I will reboot with the fixed reg key you gave me as well, and I will start to run programs again to see if things work or not. So far I have not run anything except for the most absolutely necessary. Then I will reinstall my Outpost Firewall; maybe I will do that first actually, to catch any attempt to escape out.

I did uninstall my firewall some months ago as I found it a bit of a resource hog, and I have another firewall higher up anyway, blocking most incoming but nothing outgoing actually. Now there is a new release though, so I will give it a chance as I still have a valid license for it. Ok, I will get to work with it then... and I haven't had time for the other logs yet, but I will come to it; I felt a bit exhausted after 10 days with too long hours :coffee:
 
steam, something is still wicked with my system...

After changing that reg key you gave me and rebooting, I noticed the following.

1. It took (and still takes) an extremely long time to boot.
2. At login, when I click on my user name icon I am actually asked for a password; leaving it blank lets me in. Previously I only had to click the icon (I didn't consider a password necessary as no one else comes to my computer).

3. The task bar looks different, thinner and using the classic theme. Also no programs show up in the task bar (I noticed this later though, so not sure if it was like that from the start).

4. If I click a url that wants to open IE7 I just get "Connecting..." in the page tab and it stays with that. I got once, though, a message "server is busy" or something like that, I think it was with AVG, and also with AVG, if I check for updates and some are found, when downloading it says the file is corrupted. Downloading from their site and updating from a folder works ok. Using IE7 "normally" works, but if not forced to I am :FF:

I had a look at AVG's pages and ended up at the one about removing malware. I thought for fun to try the procedure there, ran Windows clean up and then I downloaded CWShredder, ran just a scan and :oops:
CWS.Smartfinder FOUND
CWS.kjsearch FOUND

Because I am curious I checked "move to bin" instead of delete and ran Fix
CWS.Smartfinder REMOVED
CWS.kjsearch REMOVED

but nothing shows up in the bin, so I uncheck it and do Fix again, and again it says removed for these items.

I rebooted and Fix again but same as before.

Now I decided to run Safeboot Repair (log comes next in its own post) and then rebooted. This makes the task bar look as before, but still nothing shows up there.

Another thing: I noticed the RegRun icon in the tray had changed before; it is now back to normal. The AVG icon doesn't show up any more. I will also post a fresh HJT log as you probably will ask me to do so ;-)

Also it seems like I cannot copy and paste in this editor, but maybe that is set that way? I can copy and paste in my editor.
 
Safeboot repair results

I meant above that if I try to copy something in this editor I cannot paste it back, like the copy doesn't take. I can copy in my text editor though and paste it here (using FF).

Reg export of SafeBoot key after repair:
========================

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot]
"AlternateShell"="cmd.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\AppMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Base]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Boot Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Boot file system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\CryptSvc]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\DcomLaunch]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmadmin]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmboot.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmio.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmload.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmserver]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\EventLog]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\HelpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Netlogon]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\PCI Configuration]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\PlugPlay]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\PNP Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Primary disk]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\PSEXESVC]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\RpcSs]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\SCSI Class]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\sermouse.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\sr.sys]
@="FSFilter System Recovery"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\SRService]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\System Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\vga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\WinMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{36FC9E60-C465-11CF-8056-444553540000}]
@="Universal Serial Bus controllers"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E965-E325-11CE-BFC1-08002BE10318}]
@="CD-ROM Drive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E969-E325-11CE-BFC1-08002BE10318}]
@="Standard floppy disk controller"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E977-E325-11CE-BFC1-08002BE10318}]
@="PCMCIA Adapters"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E97B-E325-11CE-BFC1-08002BE10318}]
@="SCSIAdapter"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E980-E325-11CE-BFC1-08002BE10318}]
@="Floppy disk drive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]
@="Human Interface Devices"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\AFD]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\AppMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Base]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Boot Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Boot file system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Browser]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\CryptSvc]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\DcomLaunch]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Dhcp]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmadmin]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmboot.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmio.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmload.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmserver]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\DnsCache]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\EventLog]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\HelpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\ip6fw.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\ipnat.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\LanmanServer]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\LanmanWorkstation]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\LmHosts]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Messenger]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NDIS]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NDIS Wrapper]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Ndisuio]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetBIOS]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetBIOSGroup]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetBT]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetDDEGroup]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Netlogon]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetMan]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Network]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetworkProvider]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\nm]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\nm.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NtLmSsp]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PCI Configuration]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PlugPlay]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PNP Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PNP_TDI]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Primary disk]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PSEXESVC]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdpcdd.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdpdd.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdpwd.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdsessmgr]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\RpcSs]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\SCSI Class]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\sermouse.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\SharedAccess]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\sr.sys]
@="FSFilter System Recovery"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\SRService]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Streams Drivers]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\System Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Tcpip]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\TDI]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\tdpipe.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\tdtcp.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\termservice]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\UploadMgr]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\vga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\WinMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\WZCSVC]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{36FC9E60-C465-11CF-8056-444553540000}]
@="Universal Serial Bus controllers"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E965-E325-11CE-BFC1-08002BE10318}]
@="CD-ROM Drive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E969-E325-11CE-BFC1-08002BE10318}]
@="Standard floppy disk controller"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}]
@="Net"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E973-E325-11CE-BFC1-08002BE10318}]
@="NetClient"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}]
@="NetService"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E975-E325-11CE-BFC1-08002BE10318}]
@="NetTrans"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E977-E325-11CE-BFC1-08002BE10318}]
@="PCMCIA Adapters"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E97B-E325-11CE-BFC1-08002BE10318}]
@="SCSIAdapter"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E980-E325-11CE-BFC1-08002BE10318}]
@="Floppy disk drive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]
@="Human Interface Devices"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Option]
"OptionValue"=dword:00000001

========================

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\PSEXESVC
 
Fresh HJT

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:02, on 2008-02-25
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
C:\Program Files\VMware\VMware Workstation\hqtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Greatis\REGRUN~1\WatchDog.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\Greatis\REGRUN~1\regrun2.exe
C:\Program Files\TextPad 5\TextPad.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Microsoft Web Test Recorder 9.0 Helper - {E31CE47F-C268-41ba-897B-B415E613947D} - C:\Program Files\Microsoft Visual Studio 9.0\Common7\IDE\PrivateAssemblies\Microsoft.VisualStudio.QualityTools.RecorderBarBHO90.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [vmware-tray] C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
O4 - HKLM\..\Run: [VMware hqtray] "C:\Program Files\VMware\VMware Workstation\hqtray.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RegRun WinBait] C:\WINDOWS\winbait.exe
O4 - HKLM\..\Run: [@RegRunOnSecure] C:\PROGRA~1\Greatis\REGRUN~1\OnSecure.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Registry] "C:\Program Files\Greatis\RegRunSuite\lsoon.exe" -1 30 "C:\Program Files\Greatis\RegRunSuite\rescue.exe" /a "J:\backreg\rstore.ini"
O4 - HKCU\..\Run: [Regrun2] C:\PROGRA~1\Greatis\REGRUN~1\WatchDog.exe
O4 - HKUS\S-1-5-21-1482476501-507921405-725345543-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-1482476501-507921405-725345543-1003\..\Run: [Registry] "C:\Program Files\Greatis\RegRunSuite\lsoon.exe" -1 30 "C:\Program Files\Greatis\RegRunSuite\rescue.exe" /a "J:\backreg\rstore.ini" (User '?')
O4 - HKUS\S-1-5-21-1482476501-507921405-725345543-1003\..\Run: [Regrun2] C:\PROGRA~1\Greatis\REGRUN~1\WatchDog.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - S-1-5-21-1482476501-507921405-725345543-1003 Startup: ERUNT AutoBackup.lnk.disabled (User '?')
O4 - S-1-5-21-1482476501-507921405-725345543-1003 Startup: SpeedFan.lnk.disabled (User '?')
O4 - Startup: ERUNT AutoBackup.lnk.disabled
O4 - Startup: SpeedFan.lnk.disabled
O4 - Global Startup: Acrobat Assistant.lnk.disabled
O4 - Global Startup: Dispatcher.lnk.disabled
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O15 - Trusted Zone: *.astrocalc.com
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase370.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1189011463281
O17 - HKLM\System\CCS\Services\Tcpip\..\{AB6B7C91-5A89-46B0-83B7-4A6328408ED3}: NameServer = 213.226.224.12,213.226.224.66
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Paradigma Software\Bonjour\mDNSResponder.exe
O23 - Service: CVSNT Locking Service 2.5.03.2382 (cvslock) - Unknown owner - C:\Program Files\CVSNT\cvslock.exe
O23 - Service: CVSNT Dispatch service 2.5.03.2382 (cvsnt) - March Hare Software Ltd - C:\Program Files\CVSNT\cvsservice.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 8420 bytes

I tried to uninstall Ad-Aware 2007, as it never worked when first installed, and also not after a reinstall, when others like Avast started to work. But Ad-Aware doesn't want to uninstall; it says:
Code:
Add or Remove Programs
The Windows Installer Service could not be accessed. This can occur if you are running in safe mode, or if the Windows Installer is not correctly installed. Contact your support personnel for assistance.
[OK]
 
Hi

It was this file which was received as 0 bytes:-

C:\temp\WinLicenseDemo.zip (the zip). I would appreciate you trying again ...

-
C:\temp is a folder often created by malware to download files to ... there is often so much rubbish in it that I will include deleting the folder completely in a script I give someone ... if any program, legit or malware, needs that folder, it will create it.

-
I also found this file in system32: adffbdceebefb3_r.ocx (1 KB), and it looks to me like a candidate for deletion as well?

Yes ... delete it.

-
Then I have one C:\LogFile.Etl with the enormous size of almost 2 GB, and it has a time stamp of 2008-02-24 10:21, which is about the time I got back to the computer having had some hours of sleep after finally killing the thing. I just wondered if you know anything about this file before I delete it?

Yes I noticed that in the Combofix log ...

2008-02-24 04:34 . 2008-02-24 10:21 1,783,562,240 --a------ C:\LogFile.Etl

I thought it was something you were running to monitor something. Either you or one of the programs you were running was doing a trace log & dumping it to that file ... probably RegRun.

Take a look at this :-

http://www.wilderssecurity.com/archive/index.php/t-112739.html

If you want to find out more about it, do a Google search for LogFile.Etl

http://www.google.com/search?sourceid=navclient&ie=UTF-8&rls=SUNA,SUNA:2005-52,SUNA:en&q=LogFile.Etl

-
yettyn said:
steam said:
a couple of other things ...

1. You mentioned the registry keys you saw were not quite the same as in the write-up I pointed you to ... would you post the registry keys you are referring to please...
Well, maybe I expressed myself unclearly, as English isn't my native language... What I meant actually was that I didn't have all of the keys listed in that write-up. Now it's all gone so I cannot check back, but I think the keys as such that I had were the same. When I googled it I found them to match Bagle.hi and Bagle.iw (or was it .wi), but if you get the original infector it should be possible to study it in a secure environment in more detail, I guess.

Yes ... absolutely ... that's why we'd appreciate the file ...

-
I was about to post the above, then I saw your next post & all the problems ...

The reg file I gave you couldn't have caused those ...

RegRun is a powerful program; I'm wondering if you accidentally removed some registry entries which you shouldn't have?

Bagle can damage/delete the Windows installer ... I can give you a link to the newest version at windows update if you want it ...

But I think the best course of action at the moment is to perform a system restore, to your newest restore point, AFTER removing Bagle ... the one created when you last ran Combofix ...

ComboFix 08-02-24.4 - Joakim 2008-02-24 10:33:16.10 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1592 [GMT 1:00]
Running from: C:\Documents and Settings\Joakim\Desktop\ComboFix.exe
* Created a new restore point

Then reassess the situation from there ...

During that brief time Bagle was installed we can never be sure something wasn't changed/deleted ... you should consider whether a reinstall is an option for you ... it may give you a chance to also get rid of all that unwanted junk you mention ...

steam
 
Windows Installer link, yes please, as I have problems accessing Windows Update now.

LogFile.Etl was RegRun, yes, a trace I ran.

I know reinstalling Windows would be a sane act; however, it's not really an option now if it can be avoided. I don't think there has been any security breach, but things in the registry have been changed, no doubt.

I'm not sure how I came to upload WinLicenseDemo, as that's not the file ;-) I must have been tired... I will upload the file again, or maybe I shall upload the whole package as it was found online? It's 14 MB.

I downloaded WinLicenseDemo from Oreans to compare it with the cracked set, to see if it was based on it.
 
Hi

How about :-
But I think the best course of action at the moment is to perform a system restore, to your newest restore point, AFTER removing Bagle ... the one created when you last ran Combofix ...

ComboFix 08-02-24.4 - Joakim 2008-02-24 10:33:16.10 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1592 [GMT 1:00]
Running from: C:\Documents and Settings\Joakim\Desktop\ComboFix.exe
* Created a new restore point

Then reassess the situation from there ...

Windows installer :-

http://www.download.com/Microsoft-Windows-Installer/3000-2216_4-10757334.html
 
Well, it looks like I screwed up that restore point... or System Restore is on but says it cannot protect my computer, probably because some critical services don't run; also I have no Network in Control Panel and IE7 won't start. I tried to reinstall it but it complains about the Cryptographic Service not running. In other words, something closes down my services or doesn't allow them to start. Any idea?

I do have some registry backups taken with ERUNT; could they be good enough, do you think?

Another thing, and maybe it's what is at play here: RegRun again complained about the Almanahe.D worm, same as it did on the first reboot after Bagle was removed.
 
ComboFix created that restore point OK ... if it couldn't create one, it would have said so, so it got messed up AFTER it was created ...

As for the ERUNT backups, how old are they? I noticed somewhere in your logs that ERUNT backups were disabled...

cryptographic service not running ?

I had a quick look back over your thread & noticed this as early as post #10 - spybot log ...

http://forums.spybot.info/showpost.php?p=167145&postcount=10

Located: WinLogon, AtiExtEvent
command: Ati2evxx.dll
file: Ati2evxx.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, crypt32chain
command: crypt32.dll
file: crypt32.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!


Located: WinLogon, cryptnet
command: cryptnet.dll
file: cryptnet.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, cscdll
command: cscdll.dll
file: cscdll.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, ScCertProp
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, Schedule
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, sclgntfy
command: sclgntfy.dll
file: sclgntfy.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, SensLogn
command: WlNotify.dll
file: WlNotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, termsrv
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, WgaLogon
command: WgaLogon.dll
file: WgaLogon.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, wlballoon
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!


Are all those files really missing, or 0 bytes? The MD5 says they are ...

It's midnight again (as you are well aware it's 1am where you are)

So this is a link to some info on the highlighted one ...

http://www.auditmypc.com/process/crypt32.asp

This is looking more & more like a reinstall, I'm sorry to say.

steam
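The question in the post above (are those Winlogon Notify DLLs really missing or 0 bytes?) can be answered mechanically. The MD5 value repeated in that Spybot log, D41D8CD98F00B204E9800998ECF8427E, is the digest of zero bytes of input, so every entry carrying it means the scanner hashed nothing: the file is genuinely empty, it is missing from system32, or the scanner could not read it. The following script is an added example, not part of the original thread or of Spybot's own code: it parses entries in the log format shown above (the regular expression is inferred from those lines) and then stats and hashes each named file in system32 to separate the three cases. The sample log text is constructed for the example, and the system32 location is taken from %SystemRoot% with C:\WINDOWS as a fallback.

```python
"""Triage Winlogon Notify entries from a Spybot-style log.

MD5 d41d8cd98f00b204e9800998ecf8427e is the digest of empty input, so an
entry reporting it means nothing was hashed. This script parses the log and
then looks at the file on disk to tell 'missing', 'empty' and 'unreadable'
apart (or reports the real digest when the file is actually present).
"""
import hashlib
import os
import re

EMPTY_MD5 = hashlib.md5(b"").hexdigest()  # d41d8cd98f00b204e9800998ecf8427e

# Constructed sample in the format of the Spybot log quoted above.
SAMPLE_LOG = """\
Located: WinLogon, crypt32chain
command: crypt32.dll
file: crypt32.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, ScCertProp
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
"""

# One block per "Located: WinLogon, <key>" entry; the trailing warning lines are optional.
ENTRY_RE = re.compile(
    r"Located:\s*WinLogon,\s*(?P<key>\S+)\s*\n"
    r"command:\s*(?P<command>\S+)\s*\n"
    r"file:\s*(?P<file>\S+)\s*\n"
    r"size:\s*(?P<size>\d+)\s*\n"
    r"MD5:\s*(?P<md5>[0-9A-Fa-f]{32})"
)


def parse_notify_entries(text):
    """Return one dict per Notify entry, flagging those whose MD5 is the empty-input digest."""
    entries = []
    for m in ENTRY_RE.finditer(text):
        d = m.groupdict()
        d["size"] = int(d["size"])
        d["md5"] = d["md5"].lower()
        d["hashed_nothing"] = d["md5"] == EMPTY_MD5
        entries.append(d)
    return entries


def classify_file(path):
    """Report what a scanner would have seen: 'missing', 'empty', 'unreadable' or 'present:<md5>'."""
    if not os.path.exists(path):
        return "missing"
    try:
        with open(path, "rb") as f:
            data = f.read()
    except OSError:
        return "unreadable"
    if not data:
        return "empty"
    return "present:" + hashlib.md5(data).hexdigest()


def triage(text, system32):
    """Map each DLL that hashed to nothing in the log to its actual on-disk state."""
    result = {}
    for e in parse_notify_entries(text):
        if e["hashed_nothing"]:
            result[e["file"].lower()] = classify_file(os.path.join(system32, e["file"]))
    return result


if __name__ == "__main__":
    # Assumption: system32 lives under %SystemRoot%; C:\WINDOWS is the XP default.
    sysdir = os.path.join(os.environ.get("SystemRoot", r"C:\WINDOWS"), "system32")
    for name, state in triage(SAMPLE_LOG, sysdir).items():
        print(name + ": " + state)
```

Run it on the machine being cleaned with the real Spybot log pasted in place of SAMPLE_LOG. A result of "present:<md5>" for a file the log listed as 0 bytes means the scanner simply could not read it (which is the warning Spybot prints), while "missing" or "empty" for crypt32.dll, cryptnet.dll or wlnotify.dll would explain the Cryptographic Service failures reported in the thread and is the point at which a repair install becomes the realistic option.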
 
Yes, just to face the facts, it has gone too bad or I screwed it up somewhere on my own. I am doing a repair reinstall now and will see where it takes me. Hopefully it should leave me somewhere near to where I was before the infection.
 