Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

double problem [RESOLVED]

Started by gauntlet , May 04 2008 03:11 PM

This topic is locked

#1
gauntlet

Posted 04 May 2008 - 03:11 PM

New Member

Member
5 posts

the first virus was trojan.pandex who uses my pc and slows it down almost to halt sometimes.
the only program that found it so far is ANTISPYWARE DOCTOR who delets it, but it comes back right away
(its located in wlctrl32.dll)

other tools were useless. the virus shuts ADAWARE and AVG in the middle of the scan.
i tried to use Malwarebyte's Anti-Malware to get rid of it and it seemed like cleaning something
but after rebooting i started getting windows masseges about any application that was loading (even opening of iexplorer or a txt file, whatever) - "The application or DLL C:\WINDOWS\system32\clbdll.dll is not a valid Windows image. Please check this against your installation diskette."

after pressing OK the programs run, but its realy annoying and i believe it affects other things as well.
and i couldnt find any clbdll.dll in the system32 folder

and by the way, the trojan.pandex didnt went away

help me please!

#2
greyknight17

Posted 04 May 2008 - 04:52 PM

Malware Expert

Visiting Consultant
16,560 posts

Welcome to GTG.

1. Download combofix at http://www.techsuppo...Bs/ComboFix.exe or http://download.blee...Bs/ComboFix.exe
2. Double-click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply.

Note:
Do not click on combofix's window while it's running. That may cause it to stall.

#3
gauntlet

Posted 05 May 2008 - 01:00 AM

New Member

Topic Starter
Member
5 posts

well, ran the combofix
and i stll got the "bad image" massege (about the clbdll.dll)
and my internet connection is crawling and i got a lot of svchost.exe running on my taskmgr
so i guess the pandex trojan is still here

here's the combofix log:

ComboFix 08-05-01.3 - Administrator 05/05/2008 9:15:13.1 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1255.1.1033.18.785 [GMT 3:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Application Data\macromedia\Flash Player\#SharedObjects\AJWL2EEB\iforex.com
C:\Documents and Settings\Administrator\Application Data\macromedia\Flash Player\#SharedObjects\AJWL2EEB\iforex.com\Emerp\Events\flash_object.swf\user_data.sol
C:\Documents and Settings\Administrator\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com
C:\Documents and Settings\Administrator\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com\settings.sol
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\byXNeFuV.dll
c:\windows\system32\Drivers\Aho42.sys
C:\WINDOWS\system32\hkmgscpq.dll
C:\WINDOWS\system32\jkklJCVm.dll
C:\WINDOWS\system32\jspaqoab.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\nexkaqf.sys
C:\WINDOWS\system32\qpcsgmkh.ini
C:\WINDOWS\system32\ssqqQijG.dll
C:\WINDOWS\system32\VuFeNXyb.ini
C:\WINDOWS\system32\VuFeNXyb.ini2
C:\WINDOWS\system32\WLCtrl32.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_aho42
-------\Service_aho42
-------\Service_Aho42
-------\Service_nexkaqf

((((((((((((((((((((((((( Files Created from 2008-04-05 to 2008-05-05 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-04 16:53 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-04 14:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-05-04 12:19 --------- d-----w C:\Program Files\Panda Security
2008-05-04 11:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-05-04 11:36 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-05-03 08:36 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-05-03 08:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-02 20:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg8
2008-05-02 20:05 --------- d-----w C:\Program Files\AVG
2008-05-02 14:07 --------- d-----w C:\Program Files\Mozilla Firefox 3 Beta 5
2008-05-02 13:43 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Tunebite
2008-05-02 12:56 --------- d-----w C:\Program Files\eMule
2008-05-01 06:07 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-30 15:00 --------- d-----w C:\Program Files\Norton Security Scan
2008-04-29 21:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Winamp Toolbar
2008-04-27 12:33 --------- d-----w C:\Program Files\Winamp
2008-04-27 12:32 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Winamp
2008-04-26 17:26 --------- d-----w C:\Program Files\CDisplay
2008-04-26 15:27 --------- d-----w C:\Program Files\FlashGet
2008-04-24 09:53 --------- d-----w C:\Documents and Settings\Administrator\Application Data\dvdcss
2008-04-22 13:10 --------- d-----w C:\Program Files\Blackout Ragnarok Online
2008-04-21 16:57 --------- d-----w C:\Program Files\ICQ6
2008-04-19 16:30 --------- d-----w C:\Program Files\Java
2008-04-14 02:58 --------- d-----w C:\Program Files\PixiePack Codec Pack
2008-04-14 02:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\RapidSolution
2008-04-14 02:56 --------- d-----w C:\Program Files\RapidSolution
2008-04-13 00:40 --------- d-----w C:\Program Files\MSN Messenger
2008-04-12 22:24 --------- d-----w C:\Program Files\Cucusoft
2008-04-12 22:24 --------- d-----w C:\Program Files\Common Files\Download Manager
2008-04-12 16:51 --------- d-----w C:\Program Files\TVUPlayer
2008-04-12 16:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\TVU Networks
2008-04-12 16:51 --------- d-----w C:\Documents and Settings\Administrator\Application Data\TVU Networks
2008-04-07 18:58 --------- d-----w C:\Program Files\GOV.IL
2008-04-07 18:58 --------- d-----w C:\Program Files\agat
2008-04-07 15:38 --------- d-----w C:\Program Files\WebcamMax
2008-04-07 15:38 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Webcammax
2008-04-06 15:35 --------- d-----w C:\Program Files\Electronic Arts
2008-04-04 13:55 --------- d-----w C:\Documents and Settings\Administrator\Application Data\U3
2008-04-04 07:07 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-30 06:13 --------- d-----w C:\Program Files\Maxthon2
2008-03-30 05:42 --------- d-----w C:\Documents and Settings\Administrator\Application Data\MxBoost
2008-03-27 21:50 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-27 21:46 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-03-22 14:59 --------- d-----w C:\Program Files\EA Sports
2008-03-22 14:54 --------- d-----w C:\Documents and Settings\Administrator\Application Data\ICQ
2008-03-22 11:09 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Command & Conquer 3 Tiberium Wars
2008-03-21 16:55 737,280 ----a-w C:\WINDOWS\iun6002.exe
2008-03-21 16:55 --------- d-----w C:\Program Files\Chicken Invaders 2
2008-03-21 16:55 --------- d-----w C:\Program Files\BFG
2008-03-19 21:25 --------- d-----w C:\Program Files\ooVoo
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-02-22 15:49 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-16 08:59 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-13 20:52 409,600 -c--a-w C:\WINDOWS\system32\wrap_oal.dll
2008-02-13 20:52 114,688 -c--a-w C:\WINDOWS\system32\OpenAL32.dll
2008-01-26 13:32 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 03:56 AM 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [12/19/2007 02:49 PM 68856]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [01/19/2007 12:54 PM 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [08/23/2006 03:08 PM 16050688 C:\WINDOWS\RTHDCPL.EXE]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [10/22/2006 07:22 AM 7700480]
"nwiz"="nwiz.exe" [10/22/2006 07:22 AM 1622016 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [10/22/2006 07:22 AM 86016]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Watch.lnk - C:\WINDOWS\twain_32\C6U14K\WATCH.exe [2008-01-31 16:10:06 356352]

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^MagicDisc.lnk]
path=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\MagicDisc.lnk
backup=C:\WINDOWS\pss\MagicDisc.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 05/11/2007 01:06 PM 40048 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 10/23/2007 03:18 PM 202024 C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
--a------ 11/29/2007 06:58 PM 290112 C:\Program Files\DNA\btdna.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
--a------ 12/19/2007 11:13 PM 486856 C:\Program Files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Flashget]
C:\Program Files\FlashGet\flashget.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\groovemonitor]
--a------ 10/27/2006 01:47 AM 31016 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ]
--a------ 04/01/2008 01:40 PM 172280 C:\Program Files\ICQ6\ICQ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ Lite]
C:\Program Files\ICQLite\ICQLite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
--a------ 01/19/2007 12:54 PM 5674352 C:\Program Files\MSN Messenger\MsnMsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
--a------ 09/20/2007 09:51 AM 1836328 C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a--c--- 03/01/2007 03:57 PM 153136 C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ooVoo.exe]
--a------ 03/19/2008 05:10 PM 12404528 C:\Program Files\ooVoo\ooVoo.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SansaDispatch]
--a------ 10/22/2007 01:52 PM 75584 C:\Program Files\SanDisk\Sansa Updater\SansaDispatch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 12/07/2007 04:08 PM 21686568 C:\Program Files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
-ra--c--- 05/16/2006 01:04 PM 2879488 C:\WINDOWS\SkyTel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sunjavaupdatesched]
--a------ 02/22/2008 04:25 AM 144784 C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 12/19/2007 02:49 PM 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tunebite]
--a------ 02/01/2008 01:10 PM 4998448 C:\Program Files\RapidSolution\Tunebite\Tunebite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\webcammaxmoniter]
--a------ 02/12/2008 05:34 PM 456024 C:\Program Files\WebcamMax\wcmmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
C:\Program Files\Winamp\winampa.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\eMule\\emule.exe"=
"C:\\Program Files\\ooVoo\\ooVoo.exe"=
"C:\\Program Files\\Soulseek-Test\\slsk.exe"=
"C:\\Program Files\\Common Files\\Nero\\Nero Web\\SetupX.exe"=
"C:\\Program Files\\BitLord\\BitLord.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\KONAMI\\Pro Evolution Soccer 2008\\PES2008.exe"=
"C:\\Program Files\\Unreal Tournament 3\\Binaries\\UT3.exe"=
"C:\\Program Files\\ICQ6\\ICQ.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Mozilla Firefox 3 Beta 5\\firefox.exe"=
"C:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Anti-Virus 7.0.1.325\\English\\setup.exe"=
"C:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Internet Security 7.0.1.325\\English\\setup.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"443:TCP"= 443:TCP:*:Disabled:ooVoo TCP פורט 443
"443:UDP"= 443:UDP:*:Disabled:ooVoo UDP פורט 443
"37674:TCP"= 37674:TCP:*:Disabled:ooVoo TCP פורט 37674
"37674:UDP"= 37674:UDP:*:Disabled:ooVoo UDP פורט 37674
"37675:UDP"= 37675:UDP:*:Disabled:ooVoo UDP פורט 37675

R2 CamthWDM;WebcamMax, WDM Video Capture;C:\WINDOWS\system32\DRIVERS\CamthWDM.sys [02/09/2008 07:58 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
DcomLaunch REG_MULTI_SZ DcomLaunch

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\SETUP.EXE /AUTORUN
\Shell\configure\command - F:\SETUP.EXE
\Shell\install\command - F:\SETUP.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6d33a045-0aa2-11dd-b58b-0019db6af4ac}]
\Shell\AutoRun\command - H:\3o.exe
\Shell\explore\Command - H:\3o.exe
\Shell\open\Command - H:\3o.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{621FCD24-4498-4324-A81E-07D331376EDF}]
C:\Program Files\PixiePack Codec Pack\InstallerHelper.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-04-30 16:06:55 C:\WINDOWS\Tasks\Norton Security Scan.job"
- C:\Program Files\Norton Security Scan\Nss.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-05 09:37:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\drivers\clbdriver.sys 6656 bytes executable
C:\WINDOWS\system32\clb.dll 10752 bytes executable
C:\WINDOWS\system32\clbcatex.dll 110080 bytes executable
C:\WINDOWS\system32\clbcatq.dll 498688 bytes executable
C:\WINDOWS\system32\clbcfg.dat 1695 bytes
C:\WINDOWS\system32\clbdll.dll 35328 bytes executable
C:\WINDOWS\system32\clbinit.dll 1695 bytes

scan completed successfully
hidden files: 8

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\clbdriver]
"imagepath"="\??\globalroot\systemroot\system32\drivers\clbdriver.sys"
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Completion time: 05/05/2008 9:44:39 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-05 06:44:27

Pre-Run: 19,769,421,824 bytes free
Post-Run: 20,490,919,936 bytes free

240 --- E O F --- 2008-05-02 00:00:33

#4
greyknight17

Posted 05 May 2008 - 07:03 PM

Malware Expert

Visiting Consultant
16,560 posts

Don't worry, we're getting to that part. Just needed that preliminary scan first

Download the Flash Disinfector at http://www.techsuppo...Disinfector.exe and save it to your desktop. Double-click on it to run it and follow the on-screen instructions.

Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy the text from the quotebox below into Notepad:

Driver::
clbdriver
File::
C:\WINDOWS\system32\drivers\clbdriver.sys
C:\WINDOWS\system32\clbcfg.dat
C:\WINDOWS\system32\clbdll.dll
C:\WINDOWS\system32\clbinit.dll

Save this as CFScript.txt in the same location as the ComboFix.exe tool.
Drag the CFScript.txt into ComboFix.exe
Follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not click on combofix's window while it's running. That may cause it to stall.

How is it running so far? Anything still detected? If so, where?

#5
gauntlet

Posted 06 May 2008 - 03:59 PM

New Member

Topic Starter
Member
5 posts

ran the disinfector and the whole combofix again with the cfscript
and again had the clbdll.dll massege with any file that was loaded, which meant i had to keep my finger
on the OK button for the program to run (*the attacment is an example of how the popup looks like)

on the other hand, seems the pandex.trojan is gone
my internet speed is faster now, although not optimal and i still got too many svchost.exe on taskmgr

anyway, here's the log:

ComboFix 08-05-01.3 - Administrator 05/07/2008 0:26:56.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1255.1.1033.18.658 [GMT 3:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\clbcfg.dat
C:\WINDOWS\system32\clbdll.dll
C:\WINDOWS\system32\clbinit.dll
C:\WINDOWS\system32\drivers\clbdriver.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CLBDRIVER

((((((((((((((((((((((((( Files Created from 2008-04-06 to 2008-05-06 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-06 21:34 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-05 12:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-05 11:57 --------- d-----w C:\Program Files\Norton Security Scan
2008-05-05 10:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-04 16:53 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-04 14:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-05-04 12:19 --------- d-----w C:\Program Files\Panda Security
2008-05-04 11:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-05-04 11:36 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-05-03 08:36 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-05-03 08:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-02 20:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg8
2008-05-02 20:05 --------- d-----w C:\Program Files\AVG
2008-05-02 14:07 --------- d-----w C:\Program Files\Mozilla Firefox 3 Beta 5
2008-05-02 13:43 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Tunebite
2008-05-02 12:56 --------- d-----w C:\Program Files\eMule
2008-04-29 21:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Winamp Toolbar
2008-04-27 12:33 --------- d-----w C:\Program Files\Winamp
2008-04-27 12:32 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Winamp
2008-04-26 17:26 --------- d-----w C:\Program Files\CDisplay
2008-04-26 15:27 --------- d-----w C:\Program Files\FlashGet
2008-04-24 09:53 --------- d-----w C:\Documents and Settings\Administrator\Application Data\dvdcss
2008-04-22 13:10 --------- d-----w C:\Program Files\Blackout Ragnarok Online
2008-04-21 16:57 --------- d-----w C:\Program Files\ICQ6
2008-04-19 16:30 --------- d-----w C:\Program Files\Java
2008-04-14 02:58 --------- d-----w C:\Program Files\PixiePack Codec Pack
2008-04-14 02:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\RapidSolution
2008-04-14 02:56 --------- d-----w C:\Program Files\RapidSolution
2008-04-13 00:40 --------- d-----w C:\Program Files\MSN Messenger
2008-04-12 22:24 --------- d-----w C:\Program Files\Cucusoft
2008-04-12 22:24 --------- d-----w C:\Program Files\Common Files\Download Manager
2008-04-12 16:51 --------- d-----w C:\Program Files\TVUPlayer
2008-04-12 16:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\TVU Networks
2008-04-12 16:51 --------- d-----w C:\Documents and Settings\Administrator\Application Data\TVU Networks
2008-04-07 18:58 --------- d-----w C:\Program Files\GOV.IL
2008-04-07 18:58 --------- d-----w C:\Program Files\agat
2008-04-07 15:38 --------- d-----w C:\Program Files\WebcamMax
2008-04-07 15:38 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Webcammax
2008-04-06 15:35 --------- d-----w C:\Program Files\Electronic Arts
2008-04-04 13:55 --------- d-----w C:\Documents and Settings\Administrator\Application Data\U3
2008-04-04 07:07 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-30 06:13 --------- d-----w C:\Program Files\Maxthon2
2008-03-30 05:42 --------- d-----w C:\Documents and Settings\Administrator\Application Data\MxBoost
2008-03-27 21:50 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-27 21:46 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-03-22 14:59 --------- d-----w C:\Program Files\EA Sports
2008-03-22 14:54 --------- d-----w C:\Documents and Settings\Administrator\Application Data\ICQ
2008-03-22 11:09 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Command & Conquer 3 Tiberium Wars
2008-03-21 16:55 737,280 ----a-w C:\WINDOWS\iun6002.exe
2008-03-21 16:55 --------- d-----w C:\Program Files\Chicken Invaders 2
2008-03-21 16:55 --------- d-----w C:\Program Files\BFG
2008-03-19 21:25 --------- d-----w C:\Program Files\ooVoo
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-02-22 15:49 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-16 08:59 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-13 20:52 409,600 -c--a-w C:\WINDOWS\system32\wrap_oal.dll
2008-02-13 20:52 114,688 -c--a-w C:\WINDOWS\system32\OpenAL32.dll
2008-01-26 13:32 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
.

((((((((((((((((((((((((((((( snapshot@Mon 05-05-2008_ 9.42.38.43 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-05 06:35:37 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-06 21:35:02 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2005-05-24 09:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 12:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 12:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 03:56 AM 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [08/23/2006 03:08 PM 16050688 C:\WINDOWS\RTHDCPL.EXE]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [10/22/2006 07:22 AM 7700480]
"nwiz"="nwiz.exe" [10/22/2006 07:22 AM 1622016 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [10/22/2006 07:22 AM 86016]
"MSConfig"="C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.exe" [08/04/2004 03:56 AM 158208]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Watch.lnk - C:\WINDOWS\twain_32\C6U14K\WATCH.exe [2008-01-31 16:10:06 356352]

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^MagicDisc.lnk]
path=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\MagicDisc.lnk
backup=C:\WINDOWS\pss\MagicDisc.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 05/11/2007 01:06 PM 40048 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 10/23/2007 03:18 PM 202024 C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
--a------ 11/29/2007 06:58 PM 290112 C:\Program Files\DNA\btdna.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
--a------ 12/19/2007 11:13 PM 486856 C:\Program Files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Flashget]
C:\Program Files\FlashGet\flashget.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\groovemonitor]
--a------ 10/27/2006 01:47 AM 31016 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ]
--a------ 04/01/2008 01:40 PM 172280 C:\Program Files\ICQ6\ICQ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ Lite]
C:\Program Files\ICQLite\ICQLite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
--a------ 01/19/2007 12:54 PM 5674352 C:\Program Files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
--a------ 09/20/2007 09:51 AM 1836328 C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a--c--- 03/01/2007 03:57 PM 153136 C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ooVoo.exe]
--a------ 03/19/2008 05:10 PM 12404528 C:\Program Files\ooVoo\ooVoo.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SansaDispatch]
--a------ 10/22/2007 01:52 PM 75584 C:\Program Files\SanDisk\Sansa Updater\SansaDispatch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 12/07/2007 04:08 PM 21686568 C:\Program Files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
-ra--c--- 05/16/2006 01:04 PM 2879488 C:\WINDOWS\SkyTel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sunjavaupdatesched]
--a------ 02/22/2008 04:25 AM 144784 C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 12/19/2007 02:49 PM 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tunebite]
--a------ 02/01/2008 01:10 PM 4998448 C:\Program Files\RapidSolution\Tunebite\Tunebite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\webcammaxmoniter]
--a------ 02/12/2008 05:34 PM 456024 C:\Program Files\WebcamMax\wcmmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
C:\Program Files\Winamp\winampa.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\eMule\\emule.exe"=
"C:\\Program Files\\ooVoo\\ooVoo.exe"=
"C:\\Program Files\\Soulseek-Test\\slsk.exe"=
"C:\\Program Files\\Common Files\\Nero\\Nero Web\\SetupX.exe"=
"C:\\Program Files\\BitLord\\BitLord.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\KONAMI\\Pro Evolution Soccer 2008\\PES2008.exe"=
"C:\\Program Files\\Unreal Tournament 3\\Binaries\\UT3.exe"=
"C:\\Program Files\\ICQ6\\ICQ.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Mozilla Firefox 3 Beta 5\\firefox.exe"=
"C:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Anti-Virus 7.0.1.325\\English\\setup.exe"=
"C:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Internet Security 7.0.1.325\\English\\setup.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"443:TCP"= 443:TCP:*:Disabled:ooVoo TCP פורט 443
"443:UDP"= 443:UDP:*:Disabled:ooVoo UDP פורט 443
"37674:TCP"= 37674:TCP:*:Disabled:ooVoo TCP פורט 37674
"37674:UDP"= 37674:UDP:*:Disabled:ooVoo UDP פורט 37674
"37675:UDP"= 37675:UDP:*:Disabled:ooVoo UDP פורט 37675

R2 CamthWDM;WebcamMax, WDM Video Capture;C:\WINDOWS\system32\DRIVERS\CamthWDM.sys [02/09/2008 07:58 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
DcomLaunch REG_MULTI_SZ DcomLaunch

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\SETUP.EXE /AUTORUN
\Shell\configure\command - F:\SETUP.EXE
\Shell\install\command - F:\SETUP.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6d33a045-0aa2-11dd-b58b-0019db6af4ac}]
\Shell\AutoRun\command - H:\3o.exe
\Shell\explore\Command - H:\3o.exe
\Shell\open\Command - H:\3o.exe

*Newly Created Service* - CLBDRIVER

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{621FCD24-4498-4324-A81E-07D331376EDF}]
C:\Program Files\PixiePack Codec Pack\InstallerHelper.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-04-30 16:06:55 C:\WINDOWS\Tasks\Norton Security Scan.job"
- C:\Program Files\Norton Security Scan\Nss.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-07 00:35:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\drivers\clbdriver.sys 6656 bytes executable
C:\WINDOWS\system32\clb.dll 10752 bytes executable
C:\WINDOWS\system32\clbcatex.dll 110080 bytes executable
C:\WINDOWS\system32\clbcatq.dll 498688 bytes executable
C:\WINDOWS\system32\clbcfg.dat 1695 bytes
C:\WINDOWS\system32\clbdll.dll 35328 bytes executable
C:\WINDOWS\system32\clbinit.dll 1695 bytes

scan completed successfully
hidden files: 8

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\clbdriver]
"imagepath"="\??\globalroot\systemroot\system32\drivers\clbdriver.sys"
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
.
**************************************************************************
.
Completion time: 05/07/2008 0:43:16 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-06 21:42:57
ComboFix2.txt 2008-05-05 06:44:44

Pre-Run: 20,370,382,848 bytes free
Post-Run: 20,425,912,320 bytes free

236 --- E O F --- 2008-05-02 00:00:33

Attached Thumbnails

#6
greyknight17

Posted 08 May 2008 - 08:46 PM

Malware Expert

Visiting Consultant
16,560 posts

Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy the text from the quotebox below into Notepad:

Rootkit::
C:\WINDOWS\system32\drivers\clbdriver.sys
Driver::
clbdriver
File::
C:\WINDOWS\system32\clbcfg.dat
C:\WINDOWS\system32\clbdll.dll
C:\WINDOWS\system32\clbinit.dll
C:\WINDOWS\system32\drivers\clbdriver.sys

#7
gauntlet

Posted 09 May 2008 - 04:03 AM

New Member

Topic Starter
Member
5 posts

great, the bcll.dll massage is gone!
guess i still have some minor malware and track cookies on the system, but everything seems to be working fine
here the log, i'd appriciate it if u would comment on any junk that's there

ComboFix 08-05-01.3 - Administrator 05/09/2008 12:31:29.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1255.972.1033.18.595 [GMT 3:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\clbcfg.dat
C:\WINDOWS\system32\clbdll.dll
C:\WINDOWS\system32\clbinit.dll
C:\WINDOWS\system32\drivers\clbdriver.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\recover.reg
C:\WINDOWS\system32\drivers\clbdriver.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CLBDRIVER

((((((((((((((((((((((((( Files Created from 2008-04-09 to 2008-05-09 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-09 07:34 --------- d-----w C:\Program Files\eMule
2008-05-08 19:03 --------- d-----w C:\Program Files\Trend Micro
2008-05-08 19:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Trend Micro
2008-05-08 18:55 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-07 12:51 --------- d-----w C:\Program Files\Trisnap Technologies
2008-05-06 21:34 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-05 12:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-05 11:57 --------- d-----w C:\Program Files\Norton Security Scan
2008-05-05 10:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-04 14:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-05-04 12:19 --------- d-----w C:\Program Files\Panda Security
2008-05-04 11:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-05-04 11:36 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-05-03 08:36 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-05-03 08:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-02 20:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg8
2008-05-02 20:05 --------- d-----w C:\Program Files\AVG
2008-05-02 14:07 --------- d-----w C:\Program Files\Mozilla Firefox 3 Beta 5
2008-05-02 13:43 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Tunebite
2008-04-29 21:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Winamp Toolbar
2008-04-27 12:33 --------- d-----w C:\Program Files\Winamp
2008-04-27 12:32 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Winamp
2008-04-26 17:26 --------- d-----w C:\Program Files\CDisplay
2008-04-26 15:27 --------- d-----w C:\Program Files\FlashGet
2008-04-24 09:53 --------- d-----w C:\Documents and Settings\Administrator\Application Data\dvdcss
2008-04-22 13:10 --------- d-----w C:\Program Files\Blackout Ragnarok Online
2008-04-21 16:57 --------- d-----w C:\Program Files\ICQ6
2008-04-19 16:30 --------- d-----w C:\Program Files\Java
2008-04-14 02:58 --------- d-----w C:\Program Files\PixiePack Codec Pack
2008-04-14 02:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\RapidSolution
2008-04-14 02:56 --------- d-----w C:\Program Files\RapidSolution
2008-04-13 00:40 --------- d-----w C:\Program Files\MSN Messenger
2008-04-12 22:24 --------- d-----w C:\Program Files\Cucusoft
2008-04-12 22:24 --------- d-----w C:\Program Files\Common Files\Download Manager
2008-04-12 16:51 --------- d-----w C:\Program Files\TVUPlayer
2008-04-12 16:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\TVU Networks
2008-04-12 16:51 --------- d-----w C:\Documents and Settings\Administrator\Application Data\TVU Networks
2008-04-07 18:58 --------- d-----w C:\Program Files\GOV.IL
2008-04-07 18:58 --------- d-----w C:\Program Files\agat
2008-04-07 15:38 --------- d-----w C:\Program Files\WebcamMax
2008-04-07 15:38 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Webcammax
2008-04-06 15:35 --------- d-----w C:\Program Files\Electronic Arts
2008-04-04 13:55 --------- d-----w C:\Documents and Settings\Administrator\Application Data\U3
2008-04-04 07:07 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-30 16:07 36,368 ----a-w C:\WINDOWS\system32\drivers\tmpreflt.sys
2008-03-30 16:07 204,816 ----a-w C:\WINDOWS\system32\drivers\tmxpflt.sys
2008-03-30 15:50 1,169,240 ----a-w C:\WINDOWS\system32\drivers\vsapint.sys
2008-03-30 06:13 --------- d-----w C:\Program Files\Maxthon2
2008-03-30 05:42 --------- d-----w C:\Documents and Settings\Administrator\Application Data\MxBoost
2008-03-27 21:50 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-27 21:46 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-03-22 14:59 --------- d-----w C:\Program Files\EA Sports
2008-03-22 14:54 --------- d-----w C:\Documents and Settings\Administrator\Application Data\ICQ
2008-03-22 11:09 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Command & Conquer 3 Tiberium Wars
2008-03-21 16:55 737,280 ----a-w C:\WINDOWS\iun6002.exe
2008-03-21 16:55 --------- d-----w C:\Program Files\Chicken Invaders 2
2008-03-21 16:55 --------- d-----w C:\Program Files\BFG
2008-03-19 21:25 --------- d-----w C:\Program Files\ooVoo
2008-01-26 13:32 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{E7620C98-FCCC-40E5-92EC-C7685D2E1E40}"= "C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll" [09/18/2007 11:06 PM 103760]

[HKEY_CLASSES_ROOT\clsid\{e7620c98-fccc-40e5-92ec-c7685d2e1e40}]
[HKEY_CLASSES_ROOT\TSToolbar.TSProtectorBar.1]
[HKEY_CLASSES_ROOT\TypeLib\{EC525605-2266-4775-8F78-A68A6446465C}]
[HKEY_CLASSES_ROOT\TSToolbar.TSProtectorBar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 03:56 AM 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [12/19/2007 02:49 PM 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [08/23/2006 03:08 PM 16050688 C:\WINDOWS\RTHDCPL.EXE]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [10/22/2006 07:22 AM 7700480]
"nwiz"="nwiz.exe" [10/22/2006 07:22 AM 1622016 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [10/22/2006 07:22 AM 86016]
"MSConfig"="C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.exe" [08/04/2004 03:56 AM 158208]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\clbdriver.sys]
@="driver"

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^MagicDisc.lnk]
path=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\MagicDisc.lnk
backup=C:\WINDOWS\pss\MagicDisc.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Watch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Watch.lnk
backup=C:\WINDOWS\pss\Watch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 05/11/2007 01:06 PM 40048 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 10/23/2007 03:18 PM 202024 C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
--a------ 11/29/2007 06:58 PM 290112 C:\Program Files\DNA\btdna.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
--a------ 12/19/2007 11:13 PM 486856 C:\Program Files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Flashget]
C:\Program Files\FlashGet\flashget.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\groovemonitor]
--a------ 10/27/2006 01:47 AM 31016 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ]
--a------ 04/01/2008 01:40 PM 172280 C:\Program Files\ICQ6\ICQ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ Lite]
C:\Program Files\ICQLite\ICQLite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
--a------ 01/19/2007 12:54 PM 5674352 C:\Program Files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
--a------ 09/20/2007 09:51 AM 1836328 C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a--c--- 03/01/2007 03:57 PM 153136 C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ooVoo.exe]
--a------ 03/19/2008 05:10 PM 12404528 C:\Program Files\ooVoo\ooVoo.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SansaDispatch]
--a------ 10/22/2007 01:52 PM 75584 C:\Program Files\SanDisk\Sansa Updater\SansaDispatch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 12/07/2007 04:08 PM 21686568 C:\Program Files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
-ra--c--- 05/16/2006 01:04 PM 2879488 C:\WINDOWS\SkyTel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sunjavaupdatesched]
--a------ 02/22/2008 04:25 AM 144784 C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 12/19/2007 02:49 PM 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tunebite]
--a------ 02/01/2008 01:10 PM 4998448 C:\Program Files\RapidSolution\Tunebite\Tunebite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UfSeAgnt.exe]
--a------ 10/27/2007 01:47 AM 1393928 C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\webcammaxmoniter]
--a------ 02/12/2008 05:34 PM 456024 C:\Program Files\WebcamMax\wcmmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
C:\Program Files\Winamp\winampa.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\eMule\\emule.exe"=
"C:\\Program Files\\ooVoo\\ooVoo.exe"=
"C:\\Program Files\\Soulseek-Test\\slsk.exe"=
"C:\\Program Files\\Common Files\\Nero\\Nero Web\\SetupX.exe"=
"C:\\Program Files\\BitLord\\BitLord.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\KONAMI\\Pro Evolution Soccer 2008\\PES2008.exe"=
"C:\\Program Files\\Unreal Tournament 3\\Binaries\\UT3.exe"=
"C:\\Program Files\\ICQ6\\ICQ.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Mozilla Firefox 3 Beta 5\\firefox.exe"=
"C:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Anti-Virus 7.0.1.325\\English\\setup.exe"=
"C:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Internet Security 7.0.1.325\\English\\setup.exe"=
"C:\\Program Files\\Trisnap Technologies\\SSI\\ssi.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"443:TCP"= 443:TCP:*:Disabled:ooVoo TCP פורט 443
"443:UDP"= 443:UDP:*:Disabled:ooVoo UDP פורט 443
"37674:TCP"= 37674:TCP:*:Disabled:ooVoo TCP פורט 37674
"37674:UDP"= 37674:UDP:*:Disabled:ooVoo UDP פורט 37674
"37675:UDP"= 37675:UDP:*:Disabled:ooVoo UDP פורט 37675

R2 CamthWDM;WebcamMax, WDM Video Capture;C:\WINDOWS\system32\DRIVERS\CamthWDM.sys [02/09/2008 07:58 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
DcomLaunch REG_MULTI_SZ DcomLaunch

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\SETUP.EXE /AUTORUN
\Shell\configure\command - F:\SETUP.EXE
\Shell\install\command - F:\SETUP.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6d33a045-0aa2-11dd-b58b-0019db6af4ac}]
\Shell\AutoRun\command - H:\3o.exe
\Shell\explore\Command - H:\3o.exe
\Shell\open\Command - H:\3o.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bbb94edc-b877-11dc-b546-0019db6af4ac}]
\Shell\auto\command - H:\Knight.exe open
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Knight.exe open
\Shell\explore\command - H:\Knight.exe open
\Shell\find\command - H:\Knight.exe open
\Shell\install\command - H:\Knight.exe open
\Shell\open\command - H:\Knight.exe open

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e1d8aa76-b79d-11dc-b544-0019db6af4ac}]
\Shell\auto\command - H:\Knight.exe open
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Knight.exe open
\Shell\explore\command - H:\Knight.exe open
\Shell\find\command - H:\Knight.exe open
\Shell\install\command - H:\Knight.exe open
\Shell\open\command - H:\Knight.exe open

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{621FCD24-4498-4324-A81E-07D331376EDF}]
C:\Program Files\PixiePack Codec Pack\InstallerHelper.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-04-30 16:06:55 C:\WINDOWS\Tasks\Norton Security Scan.job"
- C:\Program Files\Norton Security Scan\Nss.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-09 12:43:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 1

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\TRISNA~1\SSI\SYSENF~1.EXE
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFCommander.exe
.
**************************************************************************
.
Completion time: 05/09/2008 12:51:51 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-09 09:51:45
ComboFix2.txt 2008-05-06 21:43:20
ComboFix3.txt 2008-05-05 06:44:44

Pre-Run: 18,818,080,768 bytes free
Post-Run: 18,853,588,992 bytes free

255 --- E O F --- 2008-05-02 00:00:33

#8
greyknight17

Posted 10 May 2008 - 02:38 PM

Malware Expert

Visiting Consultant
16,560 posts

Download OTMoveIt2 at http://download.blee...r/OTMoveIt2.exe
* Save it to your desktop.
* Double-click OTMoveIt2.exe to run it. (Vista users, right click on OTMoveIt2.exe and select Run as an Administrator).
* Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\clbdriver.sys

* Return to OTMoveIt2. Right click in the Paste List of Files/Folders to Move window (under the Yellow bar) and choose Paste.
* Click the red Moveit! button.
* A log of files and folders moved will be created in the C:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
* Close OTMoveIt2.

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Good job. Your log is clean.

To help prevent future spyware infections, read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If none, go to Start->Run, copy/paste in combofix /u and hit OK to remove it. You should be set to go.

#9
gauntlet

Posted 10 May 2008 - 03:26 PM

New Member

Topic Starter
Member
5 posts

< HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\clbdriver.sys >
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\clbdriver.sys\\ deleted successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 05112008_001825

that's all the log

10x a lot for the good job,
may consider this one as resolved

#10
greyknight17

Posted 11 May 2008 - 08:12 PM

Malware Expert

Visiting Consultant
16,560 posts

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.