
Google [CLOSED]


  • This topic is locked

#1
FreshBile

    New Member

  • Member
  • 7 posts
I can't seem to make this go away and it seems to be getting worse..

Any help would be appreciated.

Thanks

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:11:02 PM, on 4/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Distributed\fah6-win32-x86.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Distributed\FahCore_81.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\Core\smax4pnp.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [Samsung PanelMgr] C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe /autorun
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - https://access.snoco...ca32/wficat.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{713AD703-0570-450B-B7D9-431ED9BC7FB0}: NameServer = 4.2.2.1,4.2.2.2
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: FAH@C:+Distributed+fah6-win32-x86.exe - Unknown owner - C:\Distributed\fah6-win32-x86.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 6556 bytes

#2
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Welcome to GTG.

What's the problem? Is it your homepage or redirecting you?

#3
FreshBile

    New Member

  • Topic Starter
  • Member
  • 7 posts
Hi there Grey Knight, and thank you very much for the help. This is a one-time submission by proxy, as the person I was trying to help is my brother and he is still trying to get connected this evening (Thurs. 4/17). He asked me to post this so that the thread would not be closed.

There was the recent spyware desktop / Task Manager hijack, as well as a couple of other infections that were cleared up. Most were cleared with Malwarebytes. There were no redirects anymore that I am aware of, and the rest of the system looked fairly clean to my uneducated eye. I updated Java and did the normal ATF clean. Unfortunately, I missed something in the process, thinking that things were back to normal. The system then disabled the ability to download and altered Google searches so that everything starts from MonsterMarketPlace.com. Not the site, but the results...

After reading the forum posts (with the machine out of reach to try new fixes) I am coming to the understanding that it's a different condition. I believe a wareout variety. And at this point, I am also very curious as to where the flag to find it resides.

Having run out of time with the computer in question I referred him to you folks as you are the best in the business that I have seen anywhere.

Any posts in the future will be by him.

Thank you in advance for any help that you can provide. I hope to learn and help others someday soon.

(And he better friggin donate to the cause..)

#4
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
No problem... I'm sure we can help him out here.

I don't see signs of wareout here, but let's see...

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Download FixWareout from one of these sites:
http://downloads.sub.../Fixwareout.exe
http://swandog46.gee.../Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install. Make sure Run fixit is checked and click Finish. The fix will begin. Follow the prompts. You will be asked to reboot your computer. Your system may take longer than usual to load - this is normal.

Wait until your desktop loads. A notepad file called report.txt should open up. Post that log here.

Go to http://www.bleepingc...to-use-combofix and follow the instructions on how to install the Recovery Console and run ComboFix. Go through all the steps until the "posting the log" part. Post the ComboFix log here.

#5
FreshBile

    New Member

  • Topic Starter
  • Member
  • 7 posts
Thank you for being so patient with me and my brother; between this and a crapped-out DSL modem, I'm getting a bit overwhelmed.

Sorry, the FixWareout did not work as prescribed. It sent me to a DOS prompt that never completed.

ComboFix 08-04-08.7 - Dave 2008-04-17 20:26:39.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.602 [GMT -7:00]
Running from: C:\Documents and Settings\Dave\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-03-18 to 2008-04-18 )))))))))))))))))))))))))))))))
.

2008-04-13 15:10 . 2008-04-13 15:10 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-13 14:53 . 2008-04-13 14:53 <DIR> d-------- C:\Program Files\Panda Security
2008-04-13 14:37 . 2008-04-16 23:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2008-04-13 14:36 . 2008-04-13 14:37 <DIR> d-------- C:\Program Files\Google
2008-04-13 13:00 . 2008-04-13 13:00 <DIR> d--h----- C:\WINDOWS\PIF
2008-04-13 01:41 . 2008-04-13 01:43 <DIR> d-------- C:\Dist 2
2008-04-12 23:38 . 2008-04-13 11:51 <DIR> d-------- C:\Distributed
2008-04-12 23:05 . 2008-04-12 23:05 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-04-12 22:55 . 2007-07-09 06:09 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-04-12 22:40 . 2008-04-11 04:14 <DIR> d-------- C:\SDFix
2008-04-12 22:09 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-04-12 20:58 . 2008-04-12 20:59 <DIR> d-------- C:\Documents and Settings\Dave\.SunDownloadManager
2008-04-12 19:55 . 2008-04-17 20:22 <DIR> d-------- C:\fixwareout
2008-04-12 18:42 . 2008-04-12 18:42 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-12 18:42 . 2008-04-12 18:42 <DIR> d-------- C:\Documents and Settings\Dave\Application Data\Malwarebytes
2008-04-12 18:42 . 2008-04-12 18:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-12 18:33 . 2008-04-12 18:33 283,160 --a------ C:\Pass2.cmd
2008-04-12 18:32 . 2008-04-12 18:32 2,700 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-12 18:31 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-04-12 18:31 . 2008-03-29 00:19 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-04-12 18:31 . 2008-04-08 22:44 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-04-12 18:31 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-04-12 18:31 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-04-12 18:31 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-04-12 18:26 . 2008-04-12 18:26 <DIR> d-------- C:\Deckard
2008-04-12 17:31 . 2008-04-12 17:31 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-04-12 17:16 . 2008-04-12 17:16 <DIR> d-------- C:\VundoFix Backups
2008-04-12 16:51 . 2004-08-04 00:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-04-12 16:51 . 2004-08-04 01:56 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2008-04-05 11:05 . 2001-08-23 05:00 4,224 --a------ C:\WINDOWS\system32\beep.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-13 22:19 --------- d-----w C:\Documents and Settings\Dave\Application Data\Intuit
2008-04-13 09:40 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-13 05:33 --------- d-----w C:\Program Files\Norton AntiVirus
2008-04-13 05:09 --------- d-----w C:\Program Files\Java
2008-03-25 02:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-10 05:19 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-10 05:16 --------- d-----w C:\Program Files\Samsung
2008-03-09 18:59 --------- d-----w C:\Program Files\MSECache
2008-03-09 17:08 --------- d-----w C:\Documents and Settings\Ingrid\Application Data\Intuit
2008-03-08 19:20 --------- d-----w C:\Program Files\Common Files\AnswerWorks 4.0
2008-03-08 19:18 --------- d-----w C:\Program Files\TurboTax
2008-03-07 05:32 706 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-03-07 05:32 23,904 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-03-07 05:32 10,537 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.cat
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-16 20:07 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2007-04-06 03:22 17,936,384 ----a-w C:\Program Files\Jupiter-8V.dll
.

((((((((((((((((((((((((((((( snapshot_2008-04-13_11.19.08.23 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-03-26 01:13:04 124,208 ----a-w C:\WINDOWS\Downloaded Program Files\as2stubie.dll
+ 2007-07-18 20:49:56 12,592 ----a-w C:\WINDOWS\Downloaded Program Files\libcomm.dll
- 2008-04-13 17:39:51 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-04-18 03:24:34 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-04-13 17:39:51 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-04-18 03:24:34 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-04-13 17:39:51 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-04-18 03:24:34 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-13 14:37 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2006-05-01 11:07 843776]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 18:41 45056]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 22:59 115816]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2007-01-14 00:11 771704]
"Samsung PanelMgr"="C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe" [2007-10-22 21:11 524288]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 02:19:50 217193]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-03-25 19:31:56 113664]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2008-04-13 14:37:01 124400]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=

R0 atiide;atiide;C:\WINDOWS\system32\DRIVERS\atiide.sys [2006-09-13 20:01]
R2 FAH@C:+Distributed+fah6-win32-x86.exe;FAH@C:+Distributed+fah6-win32-x86.exe;C:\Distributed\fah6-win32-x86.exe [2008-03-11 15:39]
R2 RVIEG01;VSC Engine;C:\Program Files\Cakewalk\Shared Dxi\Roland\RVIEg01.sys [2001-04-13 20:16]
S2 SSPORT;SSPORT;C:\WINDOWS\system32\Drivers\SSPORT.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{655fc20b-dfe3-11db-a707-001aa00a7745}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2008-04-08 04:00:00 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Dave.job"
- C:\Program Files\Norton AntiVirus\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-17 20:28:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\clb.dll 10752 bytes executable
C:\WINDOWS\system32\clbcatex.dll 110080 bytes executable
C:\WINDOWS\system32\clbcatq.dll 501248 bytes executable
C:\WINDOWS\system32\clbcfg.dat 1680 bytes
C:\WINDOWS\system32\clbdll.dll 40960 bytes executable
C:\WINDOWS\system32\drivers\clbdriver.sys 7168 bytes executable

scan completed successfully
hidden files: 6

**************************************************************************
"ServiceDll"="C:\WINDOWS\System32\es.dll"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\FAH@C:+Distributed+fah6-win32-x86.exe]

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\clbdriver]
"imagepath"="\??\globalroot\systemroot\system32\drivers\clbdriver.sys"
.
Completion time: 2008-04-17 20:28:45
ComboFix-quarantined-files.txt 2008-04-18 03:28:41
ComboFix2.txt 2008-04-13 19:45:26
ComboFix3.txt 2008-04-13 18:19:21
ComboFix4.txt 2008-04-13 05:00:54
ComboFix5.txt 2008-04-13 01:25:23
Pre-Run: 7,733,751,808 bytes free
Post-Run: 7,723,347,968 bytes free
.
2008-04-13 06:24:00 --- E O F ---

#6
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
How long did you wait for the FixWareout tool to run? Try leaving it on for a while longer. That tool might be able to resolve this issue as I don't see anything else in the Combofix log that could redirect you.

Did you run ComboFix multiple times? I see that it has been run more than once. The same thing applies: you will need to wait until it finishes.

Go to your C: drive and look for the ComboFix5.txt log file (notice the number 5 at the end). Post that one here.

Edited by greyknight17, 18 April 2008 - 05:56 PM.


#7
FreshBile

    New Member

  • Topic Starter
  • Member
  • 7 posts
Hello, here's the ComboFix 5 file.

I let the FixWareout program run to what appeared to be the end, a DOS prompt. I think I let it go for about a minute or so before closing. I've also noticed this morning that a Google search did not return anything from MonsterMarketPlace.com.

I haven't tried to download anything yet.

Thanks,

ComboFix 08-04-08.7 - Dave 2008-04-12 18:23:42.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.638 [GMT -7:00]
Running from: C:\Documents and Settings\Dave\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\180search assistant
C:\Program Files\180search assistant\180sa.exe
C:\Program Files\180search assistant\sau.exe
C:\Program Files\180searchassistant
C:\Program Files\180searchassistant\saap.exe
C:\Program Files\180searchassistant\sac.exe
C:\Program Files\180solutions
C:\Program Files\180solutions\sais.exe
C:\Program Files\seekmo
C:\Program Files\seekmo\seekmohook.dll
C:\Program Files\stc
C:\Program Files\stc\csv5p070.exe
C:\Program Files\Sysmnt
C:\Program Files\Sysmnt\Ssmgr.exe
C:\Program Files\zango
C:\Program Files\zango\zango.exe
C:\WINDOWS\180ax.exe
C:\WINDOWS\2020search.dll
C:\WINDOWS\2020search2.dll
C:\WINDOWS\bjam.dll
C:\WINDOWS\bokja.exe
C:\WINDOWS\cdsm32.dll
C:\WINDOWS\default.htm
C:\WINDOWS\mspphe.dll
C:\WINDOWS\mssvr.exe
C:\WINDOWS\saiemod.dll
C:\WINDOWS\salm.exe
C:\WINDOWS\stcloader.exe
C:\WINDOWS\swin32.dll
C:\WINDOWS\system32\msixu.dll
C:\WINDOWS\system32\wer8274.dll
C:\WINDOWS\TEMP\salm.exe
C:\WINDOWS\updatetc.exe
C:\WINDOWS\voiceip.dll

.
((((((((((((((((((((((((( Files Created from 2008-03-13 to 2008-04-13 )))))))))))))))))))))))))))))))
.

2008-04-12 17:31 . 2008-04-12 17:31 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-04-12 17:16 . 2008-04-12 17:16 <DIR> d-------- C:\VundoFix Backups
2008-04-12 16:51 . 2004-08-04 00:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-04-12 16:51 . 2004-08-04 01:56 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2008-04-06 12:29 . 2008-04-06 12:29 <DIR> d-------- C:\WINDOWS\FLEOK
2008-04-06 12:11 . 2008-04-06 12:11 24,064 --a------ C:\WINDOWS\didduid.ini
2008-04-05 11:05 . 2001-08-23 05:00 4,224 --a------ C:\WINDOWS\system32\beep.sys
2008-04-05 11:04 . 2008-04-05 11:04 91,561 --a------ C:\WINDOWS\system32\wmsdkns.exe
2008-03-15 20:28 . 2008-03-15 20:28 <DIR> d-------- C:\Program Files\AskSBar
2008-03-15 20:26 . 2008-03-15 20:26 164 --a------ C:\install.dat
2008-03-15 11:21 . 2008-03-22 11:06 <DIR> d-------- C:\Program Files\Bat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-13 01:22 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-25 02:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-03-10 05:19 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-10 05:16 --------- d-----w C:\Program Files\Samsung
2008-03-09 18:59 --------- d-----w C:\Program Files\MSECache
2008-03-09 17:08 --------- d-----w C:\Documents and Settings\Ingrid\Application Data\Intuit
2008-03-08 19:20 --------- d-----w C:\Program Files\Common Files\AnswerWorks 4.0
2008-03-08 19:18 --------- d-----w C:\Program Files\TurboTax
2008-03-07 05:32 706 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-03-07 05:32 23,904 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-03-07 05:32 10,537 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.cat
2008-02-16 20:11 --------- d-----w C:\Program Files\Norton AntiVirus
2008-02-16 20:07 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-02-16 20:07 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2008-02-16 20:07 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-02-16 20:07 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-02-16 20:07 --------- d-----w C:\Program Files\Symantec
2007-04-06 03:22 17,936,384 ----a-w C:\Program Files\Jupiter-8V.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2}]
2008-03-15 20:28 66912 --a------ C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= "C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL" [ ]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL [ ]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QdrModule15"="C:\Program Files\QdrModule\QdrModule15.exe" [ ]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-08 20:20 68856]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 14:03 36975]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2006-05-01 11:07 843776]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 18:41 45056]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-28 20:51 583048]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 22:59 115816]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2007-01-14 00:11 771704]
"Samsung PanelMgr"="C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe" [2007-10-22 21:11 524288]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=

R0 atiide;atiide;C:\WINDOWS\system32\DRIVERS\atiide.sys [2006-09-13 20:01]
R2 RVIEG01;VSC Engine;C:\Program Files\Cakewalk\Shared Dxi\Roland\RVIEg01.sys [2001-04-13 20:16]
S2 SSPORT;SSPORT;C:\WINDOWS\system32\Drivers\SSPORT.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{655fc20b-dfe3-11db-a707-001aa00a7745}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2008-04-08 04:00:00 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Dave.job"
- C:\Program Files\Norton AntiVirus\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-12 18:25:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\clb.dll 10752 bytes executable
C:\WINDOWS\system32\clbcatex.dll 110080 bytes executable
C:\WINDOWS\system32\clbcatq.dll 501248 bytes executable


C:\WINDOWS\system32\clbcfg.dat 1775 bytes
C:\WINDOWS\system32\clbdll.dll 28672 bytes executable
C:\WINDOWS\system32\drivers\clbdriver.sys 7168 bytes executable

scan completed successfully
hidden files: 6

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\clbdriver]
"imagepath"="\??\globalroot\systemroot\system32\drivers\clbdriver.sys"
.
Completion time: 2008-04-12 18:25:22
ComboFix-quarantined-files.txt 2008-04-13 01:25:20
ComboFix2.txt 2008-04-13 01:09:18
Pre-Run: 7,644,114,944 bytes free
Post-Run: 7,634,391,040 bytes free
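To make the security-relevant entries in the ComboFix logs above easier to pick out, here is an added triage script (it is not a Geeks to Go, ComboFix or FixWareout tool). It runs over a constructed log excerpt that mirrors the format of the logs in this thread and flags the policy values that disable Task Manager, the Windows Firewall and Security Center monitoring, the files catchme reported as hidden, and a service image path that uses the globalroot alias; the Security Center entries are reported as "verify" because third-party antivirus products also set them.

```python
"""Triage helper for ComboFix-style logs (added example, not part of the thread)."""
import re

# Constructed excerpt modelled on the ComboFix5.txt log in this thread (not a verbatim copy).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

scanning hidden files ...

C:\WINDOWS\system32\clbdll.dll 28672 bytes executable
C:\WINDOWS\system32\drivers\clbdriver.sys 7168 bytes executable

scan completed successfully
hidden files: 2

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\clbdriver]
"imagepath"="\??\globalroot\systemroot\system32\drivers\clbdriver.sys"
"""

KEY_RE = re.compile(r'^\[(.+)\]$')                       # [HKEY_...\path]
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')          # "Name"= value
HIDDEN_RE = re.compile(r'^(?P<path>[A-Za-z]:\\.+?) (?P<size>\d+) bytes(?P<exe> executable)?$')

# (fragment of the registry key, value name) -> why it matters to a defender.
# Each value is compared against the setting that weakens the host (0 for EnableFirewall, 1 otherwise).
POLICY_CHECKS = {
    ("policies\\system", "disabletaskmgr"): "Task Manager disabled by policy",
    ("firewallpolicy\\standardprofile", "enablefirewall"): "Windows Firewall disabled",
    ("security center\\monitoring", "disablemonitoring"):
        "Security Center monitoring disabled (also set by third-party AV; verify)",
}


def _parse_value(raw):
    """Normalise the value spellings ComboFix uses: '1 (0x1)', 'dword:00000001', '"string"'."""
    raw = raw.strip()
    m = re.match(r'^(\d+)\s*\(0x[0-9a-fA-F]+\)$', raw)
    if m:
        return int(m.group(1))
    m = re.match(r'^dword:([0-9a-fA-F]{8})$', raw)
    if m:
        return int(m.group(1), 16)
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    return raw


def triage(log_text):
    """Return (kind, subject, reason) tuples for entries worth a closer look."""
    findings = []
    current_key = ""
    in_hidden = False
    for line in log_text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        key = KEY_RE.match(line)
        if key:
            current_key = key.group(1).lower()
            in_hidden = False
            continue
        # catchme section: everything between 'scanning hidden files' and 'scan completed'
        if line.startswith("scanning hidden files"):
            in_hidden = True
            continue
        if line.startswith("scan completed"):
            in_hidden = False
            continue
        if in_hidden:
            h = HIDDEN_RE.match(line)
            if h:
                kind = "executable" if h.group("exe") else "file"
                findings.append(("hidden_file", h.group("path"), f"hidden {kind}, {h.group('size')} bytes"))
            continue
        v = VALUE_RE.match(line)
        if not v:
            continue
        name, value = v.group(1).lower(), _parse_value(v.group(2))
        for (key_fragment, value_name), why in POLICY_CHECKS.items():
            if key_fragment in current_key and name == value_name:
                weakened = value == 0 if value_name == "enablefirewall" else value == 1
                if weakened:
                    findings.append(("policy", f"{current_key}\\{name}", why))
        # A driver image path through the globalroot alias is unusual for normal drivers.
        if name == "imagepath" and "globalroot" in str(value).lower():
            findings.append(("service", str(value), f"driver under {current_key} loaded via globalroot alias"))
    return findings


if __name__ == "__main__":
    for kind, subject, reason in triage(SAMPLE_LOG):
        print(f"{kind:12} {subject}  <- {reason}")
```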

#8
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Go back to the site where you downloaded ComboFix and follow the instructions there to install the Recovery Console (skip the CD part and go with the download instead).

Post the new log here.

How did the FixWareout tool go? Run it again....

#9
FreshBile

    New Member

  • Topic Starter
  • Member
  • 7 posts
Okee dokee...

I ran FixWareout again, and it completed this time. Something was hanging it up before, but it completed this time. Here's the log...

The ComboFix log with the recovery console is below.

Thanks again for your help.

Username "Dave" - 04/19/2008 18:27:33 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check

Successfully flushed the DNS Resolver Cache.


System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"=""
....
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_05\\bin\\jusched.exe\""
"SoundMAXPnP"="\"C:\\Program Files\\Analog Devices\\Core\\smax4pnp.exe\""
"ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime -Delay"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"osCheck"="\"C:\\Program Files\\Norton AntiVirus\\osCheck.exe\""
"Samsung PanelMgr"="C:\\WINDOWS\\Samsung\\PanelMgr\\SSMMgr.exe /autorun"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~

ComboFix 08-04-18.3 - Dave 2008-04-19 18:18:33.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.625 [GMT -7:00]
Running from: C:\Documents and Settings\Dave\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Dave\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-03-20 to 2008-04-20 )))))))))))))))))))))))))))))))
.

2008-04-13 15:10 . 2008-04-13 15:10 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-13 14:53 . 2008-04-13 14:53 <DIR> d-------- C:\Program Files\Panda Security
2008-04-13 14:37 . 2008-04-19 08:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2008-04-13 14:36 . 2008-04-13 14:37 <DIR> d-------- C:\Program Files\Google
2008-04-13 13:23 . 2008-04-13 13:23 <DIR> d-------- C:\!KillBox
2008-04-13 13:00 . 2008-04-13 13:00 <DIR> d--h----- C:\WINDOWS\PIF
2008-04-13 01:41 . 2008-04-13 01:43 <DIR> d-------- C:\Dist 2
2008-04-12 23:38 . 2008-04-13 11:51 <DIR> d-------- C:\Distributed
2008-04-12 23:05 . 2008-04-12 23:05 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-04-12 22:55 . 2007-07-09 06:09 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-04-12 22:40 . 2008-04-11 04:14 <DIR> d-------- C:\SDFix
2008-04-12 22:09 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-04-12 20:58 . 2008-04-12 20:59 <DIR> d-------- C:\Documents and Settings\Dave\.SunDownloadManager
2008-04-12 19:55 . 2008-04-17 20:22 <DIR> d-------- C:\fixwareout
2008-04-12 18:42 . 2008-04-12 18:42 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-12 18:42 . 2008-04-12 18:42 <DIR> d-------- C:\Documents and Settings\Dave\Application Data\Malwarebytes
2008-04-12 18:42 . 2008-04-12 18:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-12 18:33 . 2008-04-12 18:33 283,160 --a------ C:\Pass2.cmd
2008-04-12 18:32 . 2008-04-12 18:32 2,700 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-12 18:31 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-04-12 18:31 . 2008-03-29 00:19 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-04-12 18:31 . 2008-04-08 22:44 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-04-12 18:31 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-04-12 18:31 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-04-12 18:31 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-04-12 18:26 . 2008-04-12 18:26 <DIR> d-------- C:\Deckard
2008-04-12 17:31 . 2008-04-12 17:31 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-04-12 17:16 . 2008-04-12 17:16 <DIR> d-------- C:\VundoFix Backups
2008-04-12 16:51 . 2004-08-04 00:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-04-12 16:51 . 2004-08-04 01:56 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2008-04-05 11:05 . 2001-08-23 05:00 4,224 --a------ C:\WINDOWS\system32\beep.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-13 22:19 --------- d-----w C:\Documents and Settings\Dave\Application Data\Intuit
2008-04-13 09:40 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-13 05:33 --------- d-----w C:\Program Files\Norton AntiVirus
2008-04-13 05:09 --------- d-----w C:\Program Files\Java
2008-03-25 02:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-10 05:19 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-10 05:16 --------- d-----w C:\Program Files\Samsung
2008-03-09 18:59 --------- d-----w C:\Program Files\MSECache
2008-03-09 17:08 --------- d-----w C:\Documents and Settings\Ingrid\Application Data\Intuit
2008-03-08 19:20 --------- d-----w C:\Program Files\Common Files\AnswerWorks 4.0
2008-03-08 19:18 --------- d-----w C:\Program Files\TurboTax
2008-03-07 05:32 706 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-03-07 05:32 23,904 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-03-07 05:32 10,537 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.cat
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-16 20:07 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2007-04-06 03:22 17,936,384 ----a-w C:\Program Files\Jupiter-8V.dll
.

((((((((((((((((((((((((((((( snapshot_2008-04-13_11.19.08.23 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-04-20 00:56:06 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-03-26 01:13:04 124,208 ----a-w C:\WINDOWS\Downloaded Program Files\as2stubie.dll
+ 2007-07-18 20:49:56 12,592 ----a-w C:\WINDOWS\Downloaded Program Files\libcomm.dll
+ 2007-03-26 01:10:53 2,722 ----a-w C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\SkuStore.bin
+ 2004-08-04 09:07:22 1,788 ------w C:\WINDOWS\ServicePackFiles\i386\dcache.bin
+ 2004-08-04 07:07:58 2,944 ------w C:\WINDOWS\ServicePackFiles\i386\drmkaud.sys
+ 2001-08-23 12:00:00 2,000 ----a-w C:\WINDOWS\system\KEYBOARD.DRV
+ 2001-08-23 12:00:00 2,032 ----a-w C:\WINDOWS\system\MOUSE.DRV
+ 2001-08-23 12:00:00 1,744 ----a-w C:\WINDOWS\system\SOUND.DRV
+ 2001-08-23 12:00:00 2,176 ----a-w C:\WINDOWS\system\VGA.DRV
- 2008-04-13 17:39:51 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-04-20 00:56:07 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-04-13 17:39:51 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-04-20 00:56:07 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-04-13 17:39:51 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-04-20 00:56:07 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2004-08-04 09:07:22 1,788 ----a-w C:\WINDOWS\system32\dcache.bin
+ 2004-08-04 07:07:58 2,944 -c--a-w C:\WINDOWS\system32\dllcache\drmkaud.sys
+ 2001-08-23 12:00:00 2,000 -c--a-w C:\WINDOWS\system32\dllcache\keyboard.drv
+ 2001-08-23 12:00:00 2,560 -c--a-w C:\WINDOWS\system32\dllcache\lz32.dll
+ 2001-08-23 12:00:00 2,032 -c--a-w C:\WINDOWS\system32\dllcache\mouse.drv
+ 2001-08-23 12:00:00 2,944 -c--a-w C:\WINDOWS\system32\dllcache\null.sys
+ 2001-08-23 12:00:00 1,744 -c--a-w C:\WINDOWS\system32\dllcache\sound.drv
+ 2001-08-23 12:00:00 2,176 -c--a-w C:\WINDOWS\system32\dllcache\vga.drv
+ 2001-08-23 12:00:00 2,864 -c--a-w C:\WINDOWS\system32\dllcache\winsock.dll
+ 2001-08-23 12:00:00 2,112 -c--a-w C:\WINDOWS\system32\dllcache\winspool.exe
+ 2001-08-23 12:00:00 2,736 -c--a-w C:\WINDOWS\system32\dllcache\wowdeb.exe
+ 2004-08-04 07:07:58 2,944 ----a-w C:\WINDOWS\system32\drivers\drmkaud.sys
+ 2001-08-23 12:00:00 2,944 ----a-w C:\WINDOWS\system32\drivers\null.sys
+ 2001-08-23 12:00:00 2,000 ----a-w C:\WINDOWS\system32\keyboard.drv
+ 2001-08-23 12:00:00 2,560 ----a-w C:\WINDOWS\system32\lz32.dll
+ 2001-08-23 12:00:00 2,032 ----a-w C:\WINDOWS\system32\mouse.drv
+ 2001-08-23 12:00:00 2,656 ----a-w C:\WINDOWS\system32\netware.drv
+ 2001-08-23 12:00:00 1,744 ----a-w C:\WINDOWS\system32\sound.drv
+ 2001-08-23 12:00:00 2,176 ----a-w C:\WINDOWS\system32\vga.drv
+ 2001-08-23 12:00:00 2,864 ----a-w C:\WINDOWS\system32\winsock.dll
+ 2001-08-23 12:00:00 2,112 ----a-w C:\WINDOWS\system32\winspool.exe
+ 2001-08-23 12:00:00 2,736 ----a-w C:\WINDOWS\system32\wowdeb.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-13 14:37 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2006-05-01 11:07 843776]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 18:41 45056]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 22:59 115816]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2007-01-14 00:11 771704]
"Samsung PanelMgr"="C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe" [2007-10-22 21:11 524288]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 02:19:50 217193]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-03-25 19:31:56 113664]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2008-04-13 14:37:01 124400]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=

R0 atiide;atiide;C:\WINDOWS\system32\DRIVERS\atiide.sys [2006-09-13 20:01]
R2 FAH@C:+Distributed+fah6-win32-x86.exe;FAH@C:+Distributed+fah6-win32-x86.exe;C:\Distributed\fah6-win32-x86.exe [2008-03-11 15:39]
R2 RVIEG01;VSC Engine;C:\Program Files\Cakewalk\Shared Dxi\Roland\RVIEg01.sys [2001-04-13 20:16]
S2 SSPORT;SSPORT;C:\WINDOWS\system32\Drivers\SSPORT.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{655fc20b-dfe3-11db-a707-001aa00a7745}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2008-04-08 04:00:00 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Dave.job"
- C:\Program Files\Norton AntiVirus\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-19 18:19:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\system32\drivers\clbdriver.sys 7168 bytes executable
C:\WINDOWS\system32\clb.dll 10752 bytes executable
C:\WINDOWS\system32\clbcatex.dll 110080 bytes executable
C:\WINDOWS\system32\clbcatq.dll 501248 bytes executable
C:\WINDOWS\system32\clbcfg.dat 1680 bytes
C:\WINDOWS\system32\clbdll.dll 40960 bytes executable

scan completed successfully
hidden files: 6

**************************************************************************
"ServiceDll"="C:\WINDOWS\System32\es.dll"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\FAH@C:+Distributed+fah6-win32-x86.exe]

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\clbdriver]
"imagepath"="\??\globalroot\systemroot\system32\drivers\clbdriver.sys"
.
Completion time: 2008-04-19 18:20:25
ComboFix-quarantined-files.txt 2008-04-20 01:20:22
ComboFix2.txt 2008-04-18 03:28:45
ComboFix3.txt 2008-04-13 19:45:26
ComboFix4.txt 2008-04-13 18:19:21
ComboFix5.txt 2008-04-13 05:00:54

Pre-Run: 7,789,338,624 bytes free
Post-Run: 7,760,424,960 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

179 --- E O F --- 2008-04-13 06:24:00

#10
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy and paste the text into the quotebox below:

Driver::
clbdriver
File::
C:\WINDOWS\system32\drivers\clbdriver.sys
C:\WINDOWS\system32\clbcfg.dat
C:\WINDOWS\system32\clbdll.dll

Save this as CFScript.txt in the same location as the ComboFix.exe tool.
Drag the CFScript.txt into ComboFix.exe
Follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not click on combofix's window while it's running. That may cause it to stall.

How is the computer running so far?

#11
FreshBile

    New Member

  • Topic Starter
  • Member
  • 7 posts
Hello greyknight17,


Here is the latest ComboFix log you requested.

The computer appears to be running normally, actually quite speedy.

Thanks,
Dave

ComboFix 08-04-18.3 - Dave 2008-04-20 12:05:09.7 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.584 [GMT -7:00]
Running from: C:\Documents and Settings\Dave\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Dave\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\clbcfg.dat
C:\WINDOWS\system32\clbdll.dll
C:\WINDOWS\system32\drivers\clbdriver.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CLBDRIVER


((((((((((((((((((((((((( Files Created from 2008-03-20 to 2008-04-20 )))))))))))))))))))))))))))))))
.

2008-04-13 15:10 . 2008-04-13 15:10 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-13 14:53 . 2008-04-13 14:53 <DIR> d-------- C:\Program Files\Panda Security
2008-04-13 14:37 . 2008-04-20 09:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2008-04-13 14:36 . 2008-04-13 14:37 <DIR> d-------- C:\Program Files\Google
2008-04-13 13:23 . 2008-04-13 13:23 <DIR> d-------- C:\!KillBox
2008-04-13 13:00 . 2008-04-13 13:00 <DIR> d--h----- C:\WINDOWS\PIF
2008-04-13 01:41 . 2008-04-13 01:43 <DIR> d-------- C:\Dist 2
2008-04-12 23:38 . 2008-04-19 19:20 <DIR> d-------- C:\Distributed
2008-04-12 23:05 . 2008-04-12 23:05 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-04-12 22:55 . 2007-07-09 06:09 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-04-12 22:40 . 2008-04-11 04:14 <DIR> d-------- C:\SDFix
2008-04-12 22:09 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-04-12 20:58 . 2008-04-12 20:59 <DIR> d-------- C:\Documents and Settings\Dave\.SunDownloadManager
2008-04-12 19:55 . 2008-04-19 18:30 <DIR> d-------- C:\fixwareout
2008-04-12 18:42 . 2008-04-12 18:42 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-12 18:42 . 2008-04-12 18:42 <DIR> d-------- C:\Documents and Settings\Dave\Application Data\Malwarebytes
2008-04-12 18:42 . 2008-04-12 18:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-12 18:33 . 2008-04-12 18:33 283,160 --a------ C:\Pass2.cmd
2008-04-12 18:32 . 2008-04-12 18:32 2,700 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-12 18:31 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-04-12 18:31 . 2008-03-29 00:19 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-04-12 18:31 . 2008-04-08 22:44 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-04-12 18:31 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-04-12 18:31 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-04-12 18:31 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-04-12 18:26 . 2008-04-12 18:26 <DIR> d-------- C:\Deckard
2008-04-12 17:31 . 2008-04-12 17:31 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-04-12 17:16 . 2008-04-12 17:16 <DIR> d-------- C:\VundoFix Backups
2008-04-12 16:51 . 2004-08-04 00:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-04-12 16:51 . 2004-08-04 01:56 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2008-04-05 11:05 . 2001-08-23 05:00 4,224 --a------ C:\WINDOWS\system32\beep.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-13 22:19 --------- d-----w C:\Documents and Settings\Dave\Application Data\Intuit
2008-04-13 09:40 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-13 05:33 --------- d-----w C:\Program Files\Norton AntiVirus
2008-04-13 05:09 --------- d-----w C:\Program Files\Java
2008-03-25 02:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-03-10 05:19 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-10 05:16 --------- d-----w C:\Program Files\Samsung
2008-03-09 18:59 --------- d-----w C:\Program Files\MSECache
2008-03-09 17:08 --------- d-----w C:\Documents and Settings\Ingrid\Application Data\Intuit
2008-03-08 19:20 --------- d-----w C:\Program Files\Common Files\AnswerWorks 4.0
2008-03-08 19:18 --------- d-----w C:\Program Files\TurboTax
2008-03-07 05:32 706 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-03-07 05:32 23,904 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-03-07 05:32 10,537 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.cat
2007-04-06 03:22 17,936,384 ----a-w C:\Program Files\Jupiter-8V.dll
.

((((((((((((((((((((((((((((( snapshot_2008-04-19_18.20.13.42 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-20 00:56:06 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-20 19:07:37 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2005-10-21 03:02:28 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
- 2008-04-20 00:56:07 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-04-20 19:07:38 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-04-20 00:56:07 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-04-20 19:07:38 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-04-20 00:56:07 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-04-20 19:07:38 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-13 14:37 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2006-05-01 11:07 843776]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 18:41 45056]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 22:59 115816]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2007-01-14 00:11 771704]
"Samsung PanelMgr"="C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe" [2007-10-22 21:11 524288]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 02:19:50 217193]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-03-25 19:31:56 113664]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2008-04-13 14:37:01 124400]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=

R0 atiide;atiide;C:\WINDOWS\system32\DRIVERS\atiide.sys [2006-09-13 20:01]
R2 FAH@C:+Distributed+fah6-win32-x86.exe;FAH@C:+Distributed+fah6-win32-x86.exe;C:\Distributed\fah6-win32-x86.exe [2008-03-11 15:39]
R2 RVIEG01;VSC Engine;C:\Program Files\Cakewalk\Shared Dxi\Roland\RVIEg01.sys [2001-04-13 20:16]
S2 SSPORT;SSPORT;C:\WINDOWS\system32\Drivers\SSPORT.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{655fc20b-dfe3-11db-a707-001aa00a7745}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

*Newly Created Service* - CLBDRIVER
.
Contents of the 'Scheduled Tasks' folder
"2008-04-08 04:00:00 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Dave.job"
- C:\Program Files\Norton AntiVirus\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-20 12:08:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\system32\drivers\clbdriver.sys 7168 bytes executable
C:\WINDOWS\system32\clb.dll 10752 bytes executable
C:\WINDOWS\system32\clbcatex.dll 110080 bytes executable
C:\WINDOWS\system32\clbcatq.dll 501248 bytes executable
C:\WINDOWS\system32\clbcfg.dat 1680 bytes
C:\WINDOWS\system32\clbdll.dll 40960 bytes executable

scan completed successfully
hidden files: 6

**************************************************************************
"ServiceDll"="C:\WINDOWS\System32\es.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\FAH@C:+Distributed+fah6-win32-x86.exe]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\clbdriver]
"imagepath"="\??\globalroot\systemroot\system32\drivers\clbdriver.sys"
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Distributed\FahCore_81.exe
C:\WINDOWS\system32\verclsid.exe
.
**************************************************************************
.
Completion time: 2008-04-20 12:10:05 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-20 19:10:01
ComboFix2.txt 2008-04-20 01:20:26
ComboFix3.txt 2008-04-18 03:28:45
ComboFix4.txt 2008-04-13 19:45:26
ComboFix5.txt 2008-04-13 18:19:21

Pre-Run: 7,766,118,400 bytes free
Post-Run: 7,701,741,568 bytes free

162 --- E O F --- 2008-04-13 06:24:00

#12
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Let's try one more run....

Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy and paste the text into the quotebox below:

KILLALL::
Rootkit::
C:\WINDOWS\system32\drivers\clbdriver.sys
Driver::
clbdriver
File::
C:\WINDOWS\system32\clbcfg.dat
C:\WINDOWS\system32\clbdll.dll
C:\WINDOWS\system32\drivers\clbdriver.sys
Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\clbdriver.sys]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\clbdriver]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\clbImageData]

Save this as CFScript.txt in the same location as the ComboFix.exe tool.
Drag the CFScript.txt into ComboFix.exe
Follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not click on combofix's window while it's running. That may cause it to stall.

#13
FreshBile

    New Member

  • Topic Starter
  • Member
  • 7 posts
Here it is.

ComboFix 08-04-18.3 - Dave 2008-04-21 22:20:50.8 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.654 [GMT -7:00]
Running from: C:\Documents and Settings\Dave\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Dave\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\clbcfg.dat
C:\WINDOWS\system32\clbdll.dll
C:\WINDOWS\system32\drivers\clbdriver.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\clbdriver.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CLBDRIVER


((((((((((((((((((((((((( Files Created from 2008-03-22 to 2008-04-22 )))))))))))))))))))))))))))))))
.

2008-04-13 15:10 . 2008-04-13 15:10 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-13 14:53 . 2008-04-13 14:53 <DIR> d-------- C:\Program Files\Panda Security
2008-04-13 14:37 . 2008-04-21 19:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2008-04-13 14:36 . 2008-04-13 14:37 <DIR> d-------- C:\Program Files\Google
2008-04-13 13:23 . 2008-04-13 13:23 <DIR> d-------- C:\!KillBox
2008-04-13 13:00 . 2008-04-13 13:00 <DIR> d--h----- C:\WINDOWS\PIF
2008-04-13 01:41 . 2008-04-13 01:43 <DIR> d-------- C:\Dist 2
2008-04-12 23:38 . 2008-04-21 22:23 <DIR> d-------- C:\Distributed
2008-04-12 23:05 . 2008-04-12 23:05 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-04-12 22:55 . 2007-07-09 06:09 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-04-12 22:40 . 2008-04-11 04:14 <DIR> d-------- C:\SDFix
2008-04-12 22:09 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-04-12 20:58 . 2008-04-12 20:59 <DIR> d-------- C:\Documents and Settings\Dave\.SunDownloadManager
2008-04-12 19:55 . 2008-04-19 18:30 <DIR> d-------- C:\fixwareout
2008-04-12 18:42 . 2008-04-12 18:42 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-12 18:42 . 2008-04-12 18:42 <DIR> d-------- C:\Documents and Settings\Dave\Application Data\Malwarebytes
2008-04-12 18:42 . 2008-04-12 18:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-12 18:33 . 2008-04-12 18:33 283,160 --a------ C:\Pass2.cmd
2008-04-12 18:32 . 2008-04-12 18:32 2,700 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-12 18:31 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-04-12 18:31 . 2008-03-29 00:19 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-04-12 18:31 . 2008-04-08 22:44 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-04-12 18:31 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-04-12 18:31 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-04-12 18:31 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-04-12 18:26 . 2008-04-12 18:26 <DIR> d-------- C:\Deckard
2008-04-12 17:31 . 2008-04-12 17:31 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-04-12 17:16 . 2008-04-12 17:16 <DIR> d-------- C:\VundoFix Backups
2008-04-12 16:51 . 2004-08-04 00:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-04-12 16:51 . 2004-08-04 01:56 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2008-04-05 11:38 . 2008-04-21 19:37 1,680 --a------ C:\WINDOWS\system32\clbcfg.dat
2008-04-05 11:05 . 2008-04-12 20:12 40,960 --a------ C:\WINDOWS\system32\clbdll.dll
2008-04-05 11:05 . 2001-08-23 05:00 4,224 --a------ C:\WINDOWS\system32\beep.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-13 22:19 --------- d-----w C:\Documents and Settings\Dave\Application Data\Intuit
2008-04-13 09:40 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-13 05:33 --------- d-----w C:\Program Files\Norton AntiVirus
2008-04-13 05:09 --------- d-----w C:\Program Files\Java
2008-03-25 02:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-03-10 05:19 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-10 05:16 --------- d-----w C:\Program Files\Samsung
2008-03-09 18:59 --------- d-----w C:\Program Files\MSECache
2008-03-09 17:08 --------- d-----w C:\Documents and Settings\Ingrid\Application Data\Intuit
2008-03-08 19:20 --------- d-----w C:\Program Files\Common Files\AnswerWorks 4.0
2008-03-08 19:18 --------- d-----w C:\Program Files\TurboTax
2008-03-07 05:32 706 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-03-07 05:32 23,904 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-03-07 05:32 10,537 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.cat
2007-04-06 03:22 17,936,384 ----a-w C:\Program Files\Jupiter-8V.dll
.

((((((((((((((((((((((((((((( snapshot_2008-04-19_18.20.13.42 )))))))))))))))))))))))))))))))))))))))))
.
+ 2001-08-23 12:00:00 100,864 -c----w C:\WINDOWS\$NtServicePackUninstall$\clbcatex.dll
+ 2001-08-23 12:00:00 468,480 -c----w C:\WINDOWS\$NtServicePackUninstall$\clbcatq.dll
- 2008-04-20 00:56:06 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-22 05:23:12 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2005-10-21 03:02:28 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
+ 2004-08-04 08:56:42 110,080 ------w C:\WINDOWS\ServicePackFiles\i386\clbcatex.dll
+ 2004-08-04 08:56:42 501,248 ------w C:\WINDOWS\ServicePackFiles\i386\clbcatq.dll
+ 2001-08-23 12:00:00 10,752 ----a-w C:\WINDOWS\system32\clb.dll
+ 2004-08-04 08:56:42 110,080 ----a-w C:\WINDOWS\system32\clbcatex.dll
+ 2004-08-04 08:56:42 501,248 ----a-w C:\WINDOWS\system32\clbcatq.dll
- 2008-04-20 00:56:07 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-04-22 02:36:19 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-04-20 00:56:07 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-04-22 02:36:19 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-04-20 00:56:07 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-04-22 02:36:19 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2001-08-23 12:00:00 10,752 -c--a-w C:\WINDOWS\system32\dllcache\clb.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-13 14:37 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2006-05-01 11:07 843776]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 18:41 45056]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 22:59 115816]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2007-01-14 00:11 771704]
"Samsung PanelMgr"="C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe" [2007-10-22 21:11 524288]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 02:19:50 217193]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-03-25 19:31:56 113664]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2008-04-13 14:37:01 124400]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=

R0 atiide;atiide;C:\WINDOWS\system32\DRIVERS\atiide.sys [2006-09-13 20:01]
R2 FAH@C:+Distributed+fah6-win32-x86.exe;FAH@C:+Distributed+fah6-win32-x86.exe;C:\Distributed\fah6-win32-x86.exe [2008-03-11 15:39]
R2 RVIEG01;VSC Engine;C:\Program Files\Cakewalk\Shared Dxi\Roland\RVIEg01.sys [2001-04-13 20:16]
S2 SSPORT;SSPORT;C:\WINDOWS\system32\Drivers\SSPORT.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{655fc20b-dfe3-11db-a707-001aa00a7745}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2008-04-22 03:00:00 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Dave.job"
- C:\Program Files\Norton AntiVirus\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-21 22:24:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
"ServiceDll"="C:\WINDOWS\System32\es.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\FAH@C:+Distributed+fah6-win32-x86.exe]
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Distributed\FahCore_81.exe
.
**************************************************************************
.
Completion time: 2008-04-21 22:26:20 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-22 05:26:17
ComboFix2.txt 2008-04-20 19:10:06
ComboFix3.txt 2008-04-20 01:20:26
ComboFix4.txt 2008-04-18 03:28:45
ComboFix5.txt 2008-04-13 19:45:26

Pre-Run: 7,664,803,840 bytes free
Post-Run: 7,657,635,840 bytes free

163 --- E O F --- 2008-04-13 06:24:00

#14
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
I think we got rid of it. Delete this file:

C:\WINDOWS\system32\clbcfg.dat

See if it still returns. Probably a minor issue for that file now.

Your log is clean.

To help prevent future spyware infections, read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If none, go to Start->Run and copy/paste in combofix /u and hit OK to remove it. You should be set to go.

#15
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.