Also hit with Trojandownloader.xs [RESOLVED]


This topic is locked

#16 MrsFixIt (Topic Starter, Member, 32 posts)
I didn't realize it could take 3 days for a reply, but it makes sense. I guess I just panicked!

Here's the FixWareout log:

Username "Donna McFarland" - 05/08/2008 23:22:28 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check

Successfully flushed the DNS Resolver Cache.


System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"=""
....
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~

Then here's the new HiJackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:31:11 PM, on 5/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\ctfmon.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.twcny.rr.com/admcfarland/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=1061125
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 5159 bytes

And finally, here's the new log from ComboFix:

ComboFix 08-05-01.3 - Donna McFarland 2008-05-08 23:34:34.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.540 [GMT -4:00]
Running from: C:\Documents and Settings\Donna McFarland\Desktop\CFMrsFixIt.exe
Command switches used :: C:\Documents and Settings\Donna McFarland\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Documents and Settings\Donna McFarland\Cookies\donna [email protected][2].txt
C:\Documents and Settings\Donna McFarland\Cookies\donna [email protected][2].txt
C:\Documents and Settings\Donna McFarland\Cookies\donna [email protected][1].txt
C:\Documents and Settings\Donna McFarland\Cookies\donna [email protected][2].txt
C:\Documents and Settings\Donna McFarland\Cookies\donna [email protected][1].txt
C:\Documents and Settings\Donna McFarland\Cookies\donna [email protected][1].txt
C:\WINDOWS\system32\ndt2.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Donna McFarland\Cookies\donna [email protected][2].txt
C:\Documents and Settings\Donna McFarland\Cookies\donna [email protected][2].txt
C:\Documents and Settings\Donna McFarland\Cookies\donna [email protected][1].txt
C:\Documents and Settings\Donna McFarland\Cookies\donna [email protected][2].txt
C:\Documents and Settings\Donna McFarland\Cookies\donna [email protected][1].txt
C:\Documents and Settings\Donna McFarland\Cookies\donna [email protected][1].txt
c:\documents and settings\donna mcfarland\favorites\health
c:\documents and settings\donna mcfarland\favorites\health\1800PetMeds.com - America's Pet Medication and Pet Health ~1.url
c:\documents and settings\donna mcfarland\favorites\health\Body Measurements.url
c:\documents and settings\donna mcfarland\favorites\health\Calorie Counter, Diet Software, Nutrition Software by DietPow~1
c:\documents and settings\donna mcfarland\favorites\health\Deep Water Workout.url
c:\documents and settings\donna mcfarland\favorites\health\Dick's Sporting Goods - Dumbbells Weider Barbell Set 25lbs.url
c:\documents and settings\donna mcfarland\favorites\health\Discovery Health National Body Challenge.url
c:\documents and settings\donna mcfarland\favorites\health\eDiets Bust.url
c:\documents and settings\donna mcfarland\favorites\health\eDiets Tips.url
c:\documents and settings\donna mcfarland\favorites\health\Exercise and Physical Fitness Page.url
c:\documents and settings\donna mcfarland\favorites\health\Food Storage Guide Answers the Questions.url
c:\documents and settings\donna mcfarland\favorites\health\Hair Makeover - Clairol.url
c:\documents and settings\donna mcfarland\favorites\health\Health, Sports, Disease Prevention, Nutrition..url
c:\documents and settings\donna mcfarland\favorites\health\HealtheTech - Metabolism, RMR, Weight Loss and Fitness.url
c:\documents and settings\donna mcfarland\favorites\health\Healthwell.com.url
c:\documents and settings\donna mcfarland\favorites\health\Healthy Choice - Products - Browse.url
c:\documents and settings\donna mcfarland\favorites\health\How to like foods you hate.url
c:\documents and settings\donna mcfarland\favorites\health\iFIT.url
c:\documents and settings\donna mcfarland\favorites\health\Leslie Sansone Fitness Videos.url
c:\documents and settings\donna mcfarland\favorites\health\Life Expectancy Calculator Retirement & Wills.url
c:\documents and settings\donna mcfarland\favorites\health\Linda Carter & IBS.url
c:\documents and settings\donna mcfarland\favorites\health\MyPyramid.gov - United States Department of Agriculture - Ho~1.u
c:\documents and settings\donna mcfarland\favorites\health\Natural Cleaning Products You Have In Your Kitchen- 3 Natu~1.url
c:\documents and settings\donna mcfarland\favorites\health\Prostate cancer risk.url
c:\documents and settings\donna mcfarland\favorites\health\Recipe Software.url
c:\documents and settings\donna mcfarland\favorites\health\Remedy Third Quarter 2006 - HealthyUpdates.com.url
c:\documents and settings\donna mcfarland\favorites\health\Richard Simmons.url
c:\documents and settings\donna mcfarland\favorites\health\Susan G. Komen Breast Cancer Foundation.url
c:\documents and settings\donna mcfarland\favorites\health\The High Step.url
c:\documents and settings\donna mcfarland\favorites\health\Walking Guidelines.url
c:\documents and settings\donna mcfarland\favorites\health\WebAerobics - water.url
c:\documents and settings\donna mcfarland\favorites\health\WebAerobics .url
c:\documents and settings\donna mcfarland\favorites\health\WebMD - Digestive Disorders Scott Ketover, MD.url
c:\documents and settings\donna mcfarland\favorites\health\Welcome to The American Dietetic Association ..url
c:\documents and settings\donna mcfarland\favorites\health\What's your RealAge.url
c:\documents and settings\donna mcfarland\favorites\shopping
c:\documents and settings\donna mcfarland\favorites\shopping\Amazon.com Books, Music & More!.url
c:\documents and settings\donna mcfarland\favorites\shopping\Bed Bath & Beyond Holiday Table.url
c:\documents and settings\donna mcfarland\favorites\shopping\BookFinder4U - Compare Book Prices at 75 Bookstores & Find~1.url
c:\documents and settings\donna mcfarland\favorites\shopping\Borders.com - Home.url
c:\documents and settings\donna mcfarland\favorites\shopping\Burpee.url
c:\documents and settings\donna mcfarland\favorites\shopping\Casual Living - The Voice of the Leisure Marketplace.url
c:\documents and settings\donna mcfarland\favorites\shopping\Collage Fitness Workouts.url
c:\documents and settings\donna mcfarland\favorites\shopping\Coupon Codes, Promotional Codes and Discounts at CurrentCo~1.url
c:\documents and settings\donna mcfarland\favorites\shopping\DeepDiscounts.Com.url
c:\documents and settings\donna mcfarland\favorites\shopping\Dick's Sporting Goods.url
c:\documents and settings\donna mcfarland\favorites\shopping\Dragon Dice, the fantasy game produced by SFR Inc..url
c:\documents and settings\donna mcfarland\favorites\shopping\Dummies Web Site™.url
c:\documents and settings\donna mcfarland\favorites\shopping\eBay - the world's online marketplace.url
c:\documents and settings\donna mcfarland\favorites\shopping\Fts, Inc.Com.url
c:\documents and settings\donna mcfarland\favorites\shopping\Half.com.url
c:\documents and settings\donna mcfarland\favorites\shopping\Hallmark.url
c:\documents and settings\donna mcfarland\favorites\shopping\Harbor Freight Tools.url
c:\documents and settings\donna mcfarland\favorites\shopping\IDG Books.url
c:\documents and settings\donna mcfarland\favorites\shopping\In The Swim.url
c:\documents and settings\donna mcfarland\favorites\shopping\JCPenney.url
c:\documents and settings\donna mcfarland\favorites\shopping\Kmart.url
c:\documents and settings\donna mcfarland\favorites\shopping\L.L.Bean.url
c:\documents and settings\donna mcfarland\favorites\shopping\LTD Commodities Online.url
c:\documents and settings\donna mcfarland\favorites\shopping\Micro Warehouse Inc. Your #1 Source for Al..url
c:\documents and settings\donna mcfarland\favorites\shopping\mySimon Price comparison.url
c:\documents and settings\donna mcfarland\favorites\shopping\NorthernTool.com supplies high quality tools and equipment~1.url
c:\documents and settings\donna mcfarland\favorites\shopping\Oriental Trading Company.url
c:\documents and settings\donna mcfarland\favorites\shopping\Overstock.com.url
c:\documents and settings\donna mcfarland\favorites\shopping\Raymour & Flanigan Furniture.url
c:\documents and settings\donna mcfarland\favorites\shopping\Reliable Office Supplies.url
c:\documents and settings\donna mcfarland\favorites\shopping\Sears.url
c:\documents and settings\donna mcfarland\favorites\shopping\Staples In-Store Specials.url
c:\documents and settings\donna mcfarland\favorites\shopping\SwimOutlet.com - The web's most popular swim shop!.url
c:\documents and settings\donna mcfarland\favorites\shopping\Target.url
c:\documents and settings\donna mcfarland\favorites\shopping\The Official Black Friday 2005 Site - Thanksgiving Sale, T~1.url
c:\documents and settings\donna mcfarland\favorites\shopping\The Sportsman's Guide.url
c:\documents and settings\donna mcfarland\favorites\shopping\TheFirm HomePage.url
c:\documents and settings\donna mcfarland\favorites\shopping\Walmart.url
C:\WINDOWS\system32\ndt2.sys

.
((((((((((((((((((((((((( Files Created from 2008-04-09 to 2008-05-09 )))))))))))))))))))))))))))))))
.

2008-05-08 23:21 . 2008-05-08 23:27 <DIR> d-------- C:\fixwareout
2008-05-05 22:27 . 2008-05-05 22:27 <DIR> d-------- C:\Program Files\Panda Security
2008-05-05 21:35 . 2008-05-05 21:35 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-05 21:35 . 2008-05-05 21:35 <DIR> d-------- C:\Documents and Settings\Donna McFarland\Application Data\Malwarebytes
2008-05-05 21:35 . 2008-05-05 21:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-04 23:02 . 2008-05-04 23:02 <DIR> d-------- C:\_OTMoveIt
2008-05-04 19:36 . 2008-05-08 23:30 <DIR> d-------- C:\HJT
2008-05-04 02:29 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-05-04 02:29 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-05-04 02:29 . 2008-04-24 08:10 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-05-04 02:29 . 2008-04-28 08:03 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-05-04 02:29 . 2008-04-28 08:03 82,944 --a------ C:\WINDOWS\system32\404Fix.exe
2008-05-04 02:29 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-05-04 02:29 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-05-04 02:29 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-05-04 01:17 . 2004-08-10 07:00 4,224 --a------ C:\WINDOWS\system32\beep.sys
2008-04-26 09:56 . 2008-05-04 01:16 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-26 09:56 . 2008-04-26 09:56 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-24 20:08 . 2008-04-24 20:08 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-15 14:16 . 2008-05-08 16:53 <DIR> d-------- C:\Program Files\StepMania

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-07 22:16 --------- d-----w C:\Documents and Settings\Donna McFarland\Application Data\Vso
2008-05-06 00:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-06 00:02 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-28 04:18 --------- d-----w C:\Documents and Settings\Donna McFarland\Application Data\BitTorrent
2008-04-25 00:09 --------- d-----w C:\Program Files\Lavasoft
2008-04-25 00:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-02 20:59 --------- d-----w C:\Program Files\DVDFab Platinum 4
2008-04-02 20:32 47,360 -c--a-w C:\Documents and Settings\Donna McFarland\Application Data\pcouffin.sys
2008-04-02 20:32 47,360 ----a-w C:\WINDOWS\system32\drivers\pcouffin.sys
2008-03-30 23:07 36,368 ----a-w C:\WINDOWS\system32\drivers\tmpreflt.sys
2008-03-30 23:07 204,816 ----a-w C:\WINDOWS\system32\drivers\tmxpflt.sys
2008-03-30 22:50 1,169,240 ----a-w C:\WINDOWS\system32\drivers\VsapiNT.sys
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys
2008-03-12 20:25 --------- d-----w C:\Documents and Settings\Donna McFarland\Application Data\Lavasoft
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 06:51 282,624 ------w C:\WINDOWS\system32\dllcache\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 05:32 45,568 ------w C:\WINDOWS\system32\dllcache\dnsrslvr.dll
2008-02-20 05:32 148,992 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-02-15 09:07 18,432 ------w C:\WINDOWS\system32\dllcache\iedw.exe
2007-01-31 05:55 87,608 -c--a-w C:\Documents and Settings\Donna McFarland\Application Data\ezpinst.exe
2007-01-16 20:55 88 -csh--r C:\WINDOWS\system32\6545AE81B9.sys
2007-01-16 20:56 2,828 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( [email protected]_19.27.13.68 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-04 23:24:32 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-09 03:23:30 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-03-25 22:13:04 124,208 ----a-w C:\WINDOWS\Downloaded Program Files\as2stubie.dll
+ 2007-07-18 17:49:56 12,592 ----a-w C:\WINDOWS\Downloaded Program Files\libcomm.dll
- 2008-05-04 23:24:33 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-05-05 23:55:39 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-05-04 23:24:33 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-05-05 23:55:39 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-05-04 19:10:02 62,434 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-05-09 03:28:12 62,434 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-05-04 19:10:02 402,994 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-05-09 03:28:12 402,994 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 07:00 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Exif Launcher.lnk]
backup=C:\WINDOWS\pss\Exif Launcher.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BuildBU]
--a--c--- 2006-11-25 02:58 61440 c:\dell\bldbubg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
--a--c--- 2006-09-28 15:21 57344 C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-10 07:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
--a------ 2006-08-03 20:51 1032192 C:\Program Files\Dell\QuickSet\quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
--a------ 2006-08-28 23:57 395776 C:\Program Files\Dell Support\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
--a--c--- 2004-12-06 03:05 127035 C:\WINDOWS\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dvd43]
--a--c--- 2006-05-22 14:26 694272 C:\Program Files\dvd43\dvd43_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a--c--- 2005-09-29 16:01 67584 C:\WINDOWS\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
--a--c--- 2006-11-25 03:29 236544 C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
--a--c--- 2005-12-14 01:41 77824 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
--a--c--- 2005-12-14 01:45 118784 C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
--a------ 2005-12-14 01:44 98304 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelWireless]
--a--c--- 2006-05-01 11:28 602182 C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelZeroConfig]
--a--c--- 2006-05-01 11:28 667718 C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a--c--- 2004-07-27 18:50 221184 C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a--c--- 2004-07-27 18:50 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ModemOnHold]
--------- 2003-09-10 04:24 20480 C:\Program Files\NetWaiting\netWaiting.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 12:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a--c--- 2006-01-12 16:40 155648 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OE_OEM]
--a------ 2006-04-11 20:39 176201 C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pccguide.exe]
--a------ 2005-08-30 18:42 823362 C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
--------- 2006-08-22 17:32 184320 C:\Program Files\Dell\MediaDirect\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-11-25 03:26 98304 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\REGSHAVE]
-----c--- 2002-02-04 23:32 53248 C:\Program Files\REGSHAVE\REGSHAVE.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
--a--c--- 2006-03-25 01:30 282624 C:\WINDOWS\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-01-28 11:43 2097488 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a--c--- 2007-09-25 02:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
--a--c--- 2006-03-08 20:48 761947 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a--c--- 2006-11-03 18:20 866584 C:\Program Files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AOL ACS"=2 (0x2)
"UMWdf"=3 (0x3)
"perfmons"=2 (0x2)
"WZCSVC"=2 (0x2)
"w32time"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"stisvc"=3 (0x3)
"WudfSvc"=3 (0x3)
"WinDefend"=2 (0x2)
"VSS"=3 (0x3)
"upnphost"=3 (0x3)
"UPS"=3 (0x3)
"StarWindService"=2 (0x2)
"SCardSvr"=3 (0x3)
"SQLAgent$MICROSOFTSMLBIZ"=3 (0x3)
"Routing"=2 (0x2)
"NtmsSvc"=2 (0x2)
"RemoteRegistry"=2 (0x2)
"RDSessMgr"=3 (0x3)
"RasAuto"=3 (0x3)
"RSVP"=3 (0x3)
"WmdmPmSN"=3 (0x3)
"SysmonLog"=3 (0x3)
"ose"=3 (0x3)
"xmlprov"=3 (0x3)
"mnmsrvc"=3 (0x3)
"NtLmSsp"=3 (0x3)
"NBService"=3 (0x3)
"ehSched"=2 (0x2)
"ehRecvr"=2 (0x2)
"McrdSvc"=2 (0x2)
"MDM"=2 (0x2)
"MSSQLServerADHelper"=3 (0x3)
"MSSQL$MICROSOFTSMLBIZ"=2 (0x2)
"SwPrv"=3 (0x3)
"MHN"=3 (0x3)
"dmadmin"=3 (0x3)
"dmserver"=3 (0x3)
"CiSvc"=3 (0x3)
"PolicyAgent"=2 (0x2)
"ImapiService"=3 (0x3)
"HTTPFilter"=3 (0x3)
"HidServ"=2 (0x2)
"GoogleDesktopManager"=3 (0x3)
"gusvc"=3 (0x3)
"Fax"=2 (0x2)
"FastUserSwitchingCompatibility"=3 (0x3)
"MSDTC"=3 (0x3)
"TrkWks"=2 (0x2)
"Browser"=2 (0x2)
"AppMgmt"=3 (0x3)
"aspnet_state"=3 (0x3)
"WmiApSrv"=3 (0x3)
"LPDSVC"=3 (0x3)
"GameConsoleService"=3 (0x3)
"MsSecurity1.209.4"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Documents and Settings\\Donna McFarland\\DonnasDocs\\Programs\\WS_FTP\\WS_FTP95.exe"=
"C:\\Program Files\\Microsoft Office\\OFFICE11\\MSPUB.EXE"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

S3 PL-40R;CASIO USB MIDI;C:\WINDOWS\system32\Drivers\pl40rwdm.sys [2004-10-01 03:08]
S4 GameConsoleService;GameConsoleService;"C:\Program Files\WildTangent\Apps\Dell Game Console\GameConsoleService.exe" [2007-12-19 19:59]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-05-06 06:12:35 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-08 23:36:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\system32\drivers\clbdriver.sys 6656 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\clbdriver]
"imagepath"="\??\globalroot\systemroot\system32\drivers\clbdriver.sys"
.
Completion time: 2008-05-08 23:37:10
ComboFix-quarantined-files.txt 2008-05-09 03:36:54
ComboFix2.txt 2008-05-05 02:55:10
ComboFix3.txt 2008-05-04 23:27:31

Pre-Run: 99,945,959,424 bytes free
Post-Run: 99,931,987,968 bytes free

344 --- E O F --- 2008-04-09 19:04:04



I still can't upload pictures to my eBay auctions. I don't suppose you might know why. I assume it's some security setting, but I haven't been able to locate it.
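The logs in the post above carry the indicators a responder pulls out by hand: a file that catchme reports as hidden, a service whose ImagePath goes through \??\globalroot, a non-empty AppInit_DLLs value, a firewall exception for 3389/TCP and a cached removable-media AutoRun command. The following Python script is added here as a worked example; it is not part of the original post and not ComboFix's or catchme's own code. It parses a ComboFix/catchme log for exactly those items and then correlates the hidden file with the service that loads it, which is the strongest rootkit signal the log offers. The sample log is constructed from lines quoted in the post; the indicator class names and the small port lookup table are the script's own assumptions.

```python
"""Triage a ComboFix/catchme log for the persistence and rootkit indicators
seen in this thread.  Added example: not part of the original post and not
ComboFix's own code.  The sample log is constructed from lines quoted above."""
import re
from dataclasses import dataclass
from typing import Dict, List

@dataclass
class Finding:
    kind: str       # indicator class, e.g. "hidden_service_driver"
    detail: str     # human-readable explanation
    line_no: int    # 1-based line in the log (0 for correlated findings)

# Constructed sample: excerpts of the ComboFix log posted in #16.
SAMPLE_LOG = r"""[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
scanning hidden files ...
C:\WINDOWS\system32\drivers\clbdriver.sys 6656 bytes executable
hidden files: 1
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\clbdriver]
"imagepath"="\??\globalroot\systemroot\system32\drivers\clbdriver.sys"
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
IMAGEPATH_RE = re.compile(r'^"imagepath"="(?P<path>[^"]*)"$', re.I)
HIDDEN_FILE_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?)\s+(?P<size>\d+) bytes executable$")
OPEN_PORT_RE = re.compile(r'^"(?P<port>\d+):(?P<proto>TCP|UDP)"=')
AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command - (?P<cmd>.+)$", re.I)
APPINIT_RE = re.compile(r'^"AppInit_DLLs"=(?P<dlls>.+)$', re.I)
WELL_KNOWN_PORTS = {"3389": "RDP"}   # assumed lookup table, extend as needed

def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    current_key = ""                # registry key of the section being read
    hidden: Dict[str, str] = {}     # basename -> path catchme reported hidden
    services: Dict[str, str] = {}   # service name -> ImagePath
    for no, raw in enumerate(log_text.splitlines(), 1):
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current_key = m.group("key").lower()
            continue
        m = HIDDEN_FILE_RE.match(line)
        if m:
            path = m.group("path")
            hidden[_basename(path)] = path
            findings.append(Finding("hidden_file", "%s (%s bytes) is not visible through the Win32 API"
                                    % (path, m.group("size")), no))
            continue
        m = IMAGEPATH_RE.match(line)
        if m and "\\services\\" in current_key:
            svc, path = current_key.rsplit("\\", 1)[-1], m.group("path")
            services[svc] = path
            # Legitimate driver installers write system32\DRIVERS\x.sys or \SystemRoot\...;
            # the \??\globalroot object-manager prefix is a classic rootkit registration trick.
            if path.lower().startswith("\\??\\globalroot\\"):
                findings.append(Finding("globalroot_imagepath",
                                        "service %s loads %s via the globalroot prefix" % (svc, path), no))
            continue
        m = APPINIT_RE.match(line)
        if m and current_key.endswith("windows nt\\currentversion\\windows"):
            findings.append(Finding("appinit_dlls", "AppInit_DLLs=%s is loaded into every process "
                                    "that maps user32.dll; verify the publisher" % m.group("dlls"), no))
            continue
        m = OPEN_PORT_RE.match(line)
        if m and "globallyopenports" in current_key:
            label = WELL_KNOWN_PORTS.get(m.group("port"), "unrecognised service")
            findings.append(Finding("open_port", "inbound %s/%s (%s) allowed on the standard profile"
                                    % (m.group("port"), m.group("proto"), label), no))
            continue
        m = AUTORUN_RE.match(line)
        if m and "mountpoints2" in current_key:
            findings.append(Finding("autorun", "cached removable-media AutoRun command: %s" % m.group("cmd"), no))
    # A service whose binary the API cannot see is the strongest signal in the log.
    for svc, path in services.items():
        if _basename(path) in hidden:
            findings.append(Finding("hidden_service_driver",
                                    "service %s is backed by hidden file %s" % (svc, hidden[_basename(path)]), 0))
    return findings

def kinds(findings: List[Finding]) -> List[str]:
    return sorted(f.kind for f in findings)

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("[%s] line %d: %s" % (f.kind, f.line_no, f.detail))
```

Run against the sample it reports six findings, and the correlated `hidden_service_driver` entry is the one that justifies the `Rootkit::`/`Driver::` directives in the next reply: the AppInit_DLLs and 3389/TCP entries are review items (the Google DLL is a known publisher; the RDP exception is a configuration choice), whereas a driver that the file system API cannot see is not.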


#17 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy the text from the quotebox below into Notepad:

Rootkit::
clbdriver
Driver::
clbdriver
File::
c:\windows\system32\drivers\clbdriver.sys

Save this as CFScript.txt in the same location as the ComboFix.exe tool.
Drag the CFScript.txt into ComboFix.exe
Follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not click on combofix's window while it's running. That may cause it to stall.

Did you try using another browser to see if the same problem occurs?

Edited by greyknight17, 12 May 2008 - 08:13 PM.


#18 MrsFixIt (Topic Starter, Member, 32 posts)
ComboFix 08-05-01.3 - Donna McFarland 2008-05-10 21:54:54.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.542 [GMT -4:00]
Running from: C:\Documents and Settings\Donna McFarland\Desktop\CFMrsFixIt.exe
Command switches used :: C:\Documents and Settings\Donna McFarland\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
c:\windows\system32\drivers\clbdriver.sys
.

((((((((((((((((((((((((( Files Created from 2008-04-11 to 2008-05-11 )))))))))))))))))))))))))))))))
.

2008-05-08 23:21 . 2008-05-08 23:27 <DIR> d-------- C:\fixwareout
2008-05-05 22:27 . 2008-05-05 22:27 <DIR> d-------- C:\Program Files\Panda Security
2008-05-05 21:35 . 2008-05-05 21:35 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-05 21:35 . 2008-05-05 21:35 <DIR> d-------- C:\Documents and Settings\Donna McFarland\Application Data\Malwarebytes
2008-05-05 21:35 . 2008-05-05 21:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-04 23:02 . 2008-05-04 23:02 <DIR> d-------- C:\_OTMoveIt
2008-05-04 19:36 . 2008-05-08 23:30 <DIR> d-------- C:\HJT
2008-05-04 02:29 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-05-04 02:29 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-05-04 02:29 . 2008-04-24 08:10 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-05-04 02:29 . 2008-04-28 08:03 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-05-04 02:29 . 2008-04-28 08:03 82,944 --a------ C:\WINDOWS\system32\404Fix.exe
2008-05-04 02:29 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-05-04 02:29 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-05-04 02:29 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-05-04 01:17 . 2004-08-10 07:00 4,224 --a------ C:\WINDOWS\system32\beep.sys
2008-04-26 09:56 . 2008-05-04 01:16 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-26 09:56 . 2008-04-26 09:56 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-24 20:08 . 2008-04-24 20:08 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-15 14:16 . 2008-05-09 16:57 <DIR> d-------- C:\Program Files\StepMania

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-07 22:16 --------- d-----w C:\Documents and Settings\Donna McFarland\Application Data\Vso
2008-05-06 00:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-06 00:02 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-28 04:18 --------- d-----w C:\Documents and Settings\Donna McFarland\Application Data\BitTorrent
2008-04-25 00:09 --------- d-----w C:\Program Files\Lavasoft
2008-04-25 00:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-02 20:59 --------- d-----w C:\Program Files\DVDFab Platinum 4
2008-04-02 20:32 47,360 -c--a-w C:\Documents and Settings\Donna McFarland\Application Data\pcouffin.sys
2008-04-02 20:32 47,360 ----a-w C:\WINDOWS\system32\drivers\pcouffin.sys
2008-03-30 23:07 36,368 ----a-w C:\WINDOWS\system32\drivers\tmpreflt.sys
2008-03-30 23:07 204,816 ----a-w C:\WINDOWS\system32\drivers\tmxpflt.sys
2008-03-30 22:50 1,169,240 ----a-w C:\WINDOWS\system32\drivers\VsapiNT.sys
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys
2008-03-12 20:25 --------- d-----w C:\Documents and Settings\Donna McFarland\Application Data\Lavasoft
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 06:51 282,624 ------w C:\WINDOWS\system32\dllcache\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 05:32 45,568 ------w C:\WINDOWS\system32\dllcache\dnsrslvr.dll
2008-02-20 05:32 148,992 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-02-15 09:07 18,432 ------w C:\WINDOWS\system32\dllcache\iedw.exe
2007-01-31 05:55 87,608 -c--a-w C:\Documents and Settings\Donna McFarland\Application Data\ezpinst.exe
2007-01-16 20:55 88 -csh--r C:\WINDOWS\system32\6545AE81B9.sys
2007-01-16 20:56 2,828 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( [email protected]_19.27.13.68 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-04 23:24:32 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-11 01:42:18 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-03-25 22:13:04 124,208 ----a-w C:\WINDOWS\Downloaded Program Files\as2stubie.dll
+ 2006-06-15 22:33:54 1,132,192 ----a-w C:\WINDOWS\Downloaded Program Files\EPUWALcontrol.dll
+ 2007-07-18 17:49:56 12,592 ----a-w C:\WINDOWS\Downloaded Program Files\libcomm.dll
- 2008-05-04 23:24:33 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-05-05 23:55:39 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-05-04 23:24:33 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-05-05 23:55:39 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-05-04 19:10:02 62,434 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-05-11 01:46:27 62,434 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-05-04 19:10:02 402,994 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-05-11 01:46:27 402,994 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 07:00 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Exif Launcher.lnk]
backup=C:\WINDOWS\pss\Exif Launcher.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BuildBU]
--a--c--- 2006-11-25 02:58 61440 c:\dell\bldbubg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
--a--c--- 2006-09-28 15:21 57344 C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-10 07:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
--a------ 2006-08-03 20:51 1032192 C:\Program Files\Dell\QuickSet\quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
--a------ 2006-08-28 23:57 395776 C:\Program Files\Dell Support\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
--a--c--- 2004-12-06 03:05 127035 C:\WINDOWS\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dvd43]
--a--c--- 2006-05-22 14:26 694272 C:\Program Files\dvd43\dvd43_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a--c--- 2005-09-29 16:01 67584 C:\WINDOWS\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
--a--c--- 2006-11-25 03:29 236544 C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
--a--c--- 2005-12-14 01:41 77824 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
--a--c--- 2005-12-14 01:45 118784 C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
--a------ 2005-12-14 01:44 98304 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelWireless]
--a--c--- 2006-05-01 11:28 602182 C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelZeroConfig]
--a--c--- 2006-05-01 11:28 667718 C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a--c--- 2004-07-27 18:50 221184 C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a--c--- 2004-07-27 18:50 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ModemOnHold]
--------- 2003-09-10 04:24 20480 C:\Program Files\NetWaiting\netWaiting.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 12:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a--c--- 2006-01-12 16:40 155648 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OE_OEM]
--a------ 2006-04-11 20:39 176201 C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pccguide.exe]
--a------ 2005-08-30 18:42 823362 C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
--------- 2006-08-22 17:32 184320 C:\Program Files\Dell\MediaDirect\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-11-25 03:26 98304 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\REGSHAVE]
-----c--- 2002-02-04 23:32 53248 C:\Program Files\REGSHAVE\REGSHAVE.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
--a--c--- 2006-03-25 01:30 282624 C:\WINDOWS\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-01-28 11:43 2097488 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a--c--- 2007-09-25 02:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
--a--c--- 2006-03-08 20:48 761947 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a--c--- 2006-11-03 18:20 866584 C:\Program Files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AOL ACS"=2 (0x2)
"UMWdf"=3 (0x3)
"perfmons"=2 (0x2)
"WZCSVC"=2 (0x2)
"w32time"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"stisvc"=3 (0x3)
"WudfSvc"=3 (0x3)
"WinDefend"=2 (0x2)
"VSS"=3 (0x3)
"upnphost"=3 (0x3)
"UPS"=3 (0x3)
"StarWindService"=2 (0x2)
"SCardSvr"=3 (0x3)
"SQLAgent$MICROSOFTSMLBIZ"=3 (0x3)
"Routing"=2 (0x2)
"NtmsSvc"=2 (0x2)
"RemoteRegistry"=2 (0x2)
"RDSessMgr"=3 (0x3)
"RasAuto"=3 (0x3)
"RSVP"=3 (0x3)
"WmdmPmSN"=3 (0x3)
"SysmonLog"=3 (0x3)
"ose"=3 (0x3)
"xmlprov"=3 (0x3)
"mnmsrvc"=3 (0x3)
"NtLmSsp"=3 (0x3)
"NBService"=3 (0x3)
"ehSched"=2 (0x2)
"ehRecvr"=2 (0x2)
"McrdSvc"=2 (0x2)
"MDM"=2 (0x2)
"MSSQLServerADHelper"=3 (0x3)
"MSSQL$MICROSOFTSMLBIZ"=2 (0x2)
"SwPrv"=3 (0x3)
"MHN"=3 (0x3)
"dmadmin"=3 (0x3)
"dmserver"=3 (0x3)
"CiSvc"=3 (0x3)
"PolicyAgent"=2 (0x2)
"ImapiService"=3 (0x3)
"HTTPFilter"=3 (0x3)
"HidServ"=2 (0x2)
"GoogleDesktopManager"=3 (0x3)
"gusvc"=3 (0x3)
"Fax"=2 (0x2)
"FastUserSwitchingCompatibility"=3 (0x3)
"MSDTC"=3 (0x3)
"TrkWks"=2 (0x2)
"Browser"=2 (0x2)
"AppMgmt"=3 (0x3)
"aspnet_state"=3 (0x3)
"WmiApSrv"=3 (0x3)
"LPDSVC"=3 (0x3)
"GameConsoleService"=3 (0x3)
"MsSecurity1.209.4"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Documents and Settings\\Donna McFarland\\DonnasDocs\\Programs\\WS_FTP\\WS_FTP95.exe"=
"C:\\Program Files\\Microsoft Office\\OFFICE11\\MSPUB.EXE"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

S3 PL-40R;CASIO USB MIDI;C:\WINDOWS\system32\Drivers\pl40rwdm.sys [2004-10-01 03:08]
S4 GameConsoleService;GameConsoleService;"C:\Program Files\WildTangent\Apps\Dell Game Console\GameConsoleService.exe" [2007-12-19 19:59]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-05-06 06:12:35 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-10 22:01:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\system32\drivers\clbdriver.sys 6656 bytes executable
C:\WINDOWS\system32\clb.dll 10752 bytes executable
C:\WINDOWS\system32\clbcatex.dll 110080 bytes executable
C:\WINDOWS\system32\clbcatq.dll 498688 bytes executable
C:\WINDOWS\system32\clbinit.dll 1695 bytes

scan completed successfully
hidden files: 5

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\clbdriver]
"imagepath"="\??\globalroot\systemroot\system32\drivers\clbdriver.sys"
.
Completion time: 2008-05-10 22:14:25
ComboFix-quarantined-files.txt 2008-05-11 02:14:23
ComboFix2.txt 2008-05-09 03:37:11
ComboFix3.txt 2008-05-05 02:55:10
ComboFix4.txt 2008-05-04 23:27:31

Pre-Run: 99,866,902,528 bytes free
Post-Run: 99,854,278,656 bytes free

259 --- E O F --- 2008-04-09 19:04:04

#19
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Disconnect from the internet and disable ALL your security programs especially Spybot's TeaTimer program. Probably best to uninstall Spybot even for the time being so we can be sure it's not interfering with the fixes. Please run the steps from my last reply again and post the new combofix log here when ready.

#20
MrsFixIt

    Member

  • Topic Starter
  • Member
  • 32 posts
I compared my internet settings on my Dell (the sick computer) with those of the IBM, & after making changes to the Dell to match the IBM, I have been able to upload pictures to my eBay auctions.

I disabled my anti-virus program, no longer have SpyBot running, & disconnected from the internet before running ComboFix. I'm getting the message "xxx failed to initialize properly. Click OK to terminate the application." where "xxx" is regedit.exe, chcp.com, regt.cfexe, & find.exe. These also show multiple times.

Anyway, here's the log:

ComboFix 08-05-01.3 - Donna McFarland 2008-05-11 22:42:41.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.709 [GMT -4:00]
Running from: C:\Documents and Settings\Donna McFarland\Desktop\CFMrsFixIt.exe
Command switches used :: C:\Documents and Settings\Donna McFarland\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
c:\windows\system32\drivers\clbdriver.sys
.

((((((((((((((((((((((((( Files Created from 2008-04-12 to 2008-05-12 )))))))))))))))))))))))))))))))
.

2008-05-08 23:21 . 2008-05-08 23:27 <DIR> d-------- C:\fixwareout
2008-05-05 22:27 . 2008-05-05 22:27 <DIR> d-------- C:\Program Files\Panda Security
2008-05-05 21:35 . 2008-05-05 21:35 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-05 21:35 . 2008-05-05 21:35 <DIR> d-------- C:\Documents and Settings\Donna McFarland\Application Data\Malwarebytes
2008-05-05 21:35 . 2008-05-05 21:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-04 23:02 . 2008-05-04 23:02 <DIR> d-------- C:\_OTMoveIt
2008-05-04 19:36 . 2008-05-08 23:30 <DIR> d-------- C:\HJT
2008-05-04 02:29 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-05-04 02:29 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-05-04 02:29 . 2008-04-24 08:10 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-05-04 02:29 . 2008-04-28 08:03 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-05-04 02:29 . 2008-04-28 08:03 82,944 --a------ C:\WINDOWS\system32\404Fix.exe
2008-05-04 02:29 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-05-04 02:29 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-05-04 02:29 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-05-04 01:17 . 2004-08-10 07:00 4,224 --a------ C:\WINDOWS\system32\beep.sys
2008-04-26 09:56 . 2008-05-04 01:16 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-26 09:56 . 2008-04-26 09:56 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-24 20:08 . 2008-04-24 20:08 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-15 14:16 . 2008-05-09 16:57 <DIR> d-------- C:\Program Files\StepMania

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-11 19:18 --------- d-----w C:\Documents and Settings\Donna McFarland\Application Data\Vso
2008-05-06 00:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-06 00:02 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-28 04:18 --------- d-----w C:\Documents and Settings\Donna McFarland\Application Data\BitTorrent
2008-04-25 00:09 --------- d-----w C:\Program Files\Lavasoft
2008-04-25 00:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-02 20:59 --------- d-----w C:\Program Files\DVDFab Platinum 4
2008-04-02 20:32 47,360 -c--a-w C:\Documents and Settings\Donna McFarland\Application Data\pcouffin.sys
2008-04-02 20:32 47,360 ----a-w C:\WINDOWS\system32\drivers\pcouffin.sys
2008-03-30 23:07 36,368 ----a-w C:\WINDOWS\system32\drivers\tmpreflt.sys
2008-03-30 23:07 204,816 ----a-w C:\WINDOWS\system32\drivers\tmxpflt.sys
2008-03-30 22:50 1,169,240 ----a-w C:\WINDOWS\system32\drivers\VsapiNT.sys
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys
2008-03-12 20:25 --------- d-----w C:\Documents and Settings\Donna McFarland\Application Data\Lavasoft
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 06:51 282,624 ------w C:\WINDOWS\system32\dllcache\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 05:32 45,568 ------w C:\WINDOWS\system32\dllcache\dnsrslvr.dll
2008-02-20 05:32 148,992 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-02-15 09:07 18,432 ------w C:\WINDOWS\system32\dllcache\iedw.exe
2007-01-31 05:55 87,608 -c--a-w C:\Documents and Settings\Donna McFarland\Application Data\ezpinst.exe
2007-01-16 20:55 88 -csh--r C:\WINDOWS\system32\6545AE81B9.sys
2007-01-16 20:56 2,828 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( [email protected]_19.27.13.68 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-04 23:24:32 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-12 02:39:39 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-03-25 22:13:04 124,208 ----a-w C:\WINDOWS\Downloaded Program Files\as2stubie.dll
+ 2006-06-15 22:33:54 1,132,192 ----a-w C:\WINDOWS\Downloaded Program Files\EPUWALcontrol.dll
+ 2007-07-18 17:49:56 12,592 ----a-w C:\WINDOWS\Downloaded Program Files\libcomm.dll
- 2008-05-04 23:24:33 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-05-05 23:55:39 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-05-04 23:24:33 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-05-05 23:55:39 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-05-04 19:10:02 62,434 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-05-12 02:44:19 62,434 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-05-04 19:10:02 402,994 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-05-12 02:44:19 402,994 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 07:00 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Exif Launcher.lnk]
backup=C:\WINDOWS\pss\Exif Launcher.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BuildBU]
--a--c--- 2006-11-25 02:58 61440 c:\dell\bldbubg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
--a--c--- 2006-09-28 15:21 57344 C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-10 07:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
--a------ 2006-08-03 20:51 1032192 C:\Program Files\Dell\QuickSet\quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
--a------ 2006-08-28 23:57 395776 C:\Program Files\Dell Support\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
--a--c--- 2004-12-06 03:05 127035 C:\WINDOWS\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dvd43]
--a--c--- 2006-05-22 14:26 694272 C:\Program Files\dvd43\dvd43_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a--c--- 2005-09-29 16:01 67584 C:\WINDOWS\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
--a--c--- 2006-11-25 03:29 236544 C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
--a--c--- 2005-12-14 01:41 77824 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
--a--c--- 2005-12-14 01:45 118784 C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
--a------ 2005-12-14 01:44 98304 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelWireless]
--a--c--- 2006-05-01 11:28 602182 C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelZeroConfig]
--a--c--- 2006-05-01 11:28 667718 C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a--c--- 2004-07-27 18:50 221184 C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a--c--- 2004-07-27 18:50 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ModemOnHold]
--------- 2003-09-10 04:24 20480 C:\Program Files\NetWaiting\netWaiting.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 12:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a--c--- 2006-01-12 16:40 155648 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OE_OEM]
--a------ 2006-04-11 20:39 176201 C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pccguide.exe]
--a------ 2005-08-30 18:42 823362 C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
--------- 2006-08-22 17:32 184320 C:\Program Files\Dell\MediaDirect\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-11-25 03:26 98304 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\REGSHAVE]
-----c--- 2002-02-04 23:32 53248 C:\Program Files\REGSHAVE\REGSHAVE.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
--a--c--- 2006-03-25 01:30 282624 C:\WINDOWS\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-01-28 11:43 2097488 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a--c--- 2007-09-25 02:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
--a--c--- 2006-03-08 20:48 761947 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a--c--- 2006-11-03 18:20 866584 C:\Program Files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AOL ACS"=2 (0x2)
"UMWdf"=3 (0x3)
"perfmons"=2 (0x2)
"WZCSVC"=2 (0x2)
"w32time"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"stisvc"=3 (0x3)
"WudfSvc"=3 (0x3)
"WinDefend"=2 (0x2)
"VSS"=3 (0x3)
"upnphost"=3 (0x3)
"UPS"=3 (0x3)
"StarWindService"=2 (0x2)
"SCardSvr"=3 (0x3)
"SQLAgent$MICROSOFTSMLBIZ"=3 (0x3)
"Routing"=2 (0x2)
"NtmsSvc"=2 (0x2)
"RemoteRegistry"=2 (0x2)
"RDSessMgr"=3 (0x3)
"RasAuto"=3 (0x3)
"RSVP"=3 (0x3)
"WmdmPmSN"=3 (0x3)
"SysmonLog"=3 (0x3)
"ose"=3 (0x3)
"xmlprov"=3 (0x3)
"mnmsrvc"=3 (0x3)
"NtLmSsp"=3 (0x3)
"NBService"=3 (0x3)
"ehSched"=2 (0x2)
"ehRecvr"=2 (0x2)
"McrdSvc"=2 (0x2)
"MDM"=2 (0x2)
"MSSQLServerADHelper"=3 (0x3)
"MSSQL$MICROSOFTSMLBIZ"=2 (0x2)
"SwPrv"=3 (0x3)
"MHN"=3 (0x3)
"dmadmin"=3 (0x3)
"dmserver"=3 (0x3)
"CiSvc"=3 (0x3)
"PolicyAgent"=2 (0x2)
"ImapiService"=3 (0x3)
"HTTPFilter"=3 (0x3)
"HidServ"=2 (0x2)
"GoogleDesktopManager"=3 (0x3)
"gusvc"=3 (0x3)
"Fax"=2 (0x2)
"FastUserSwitchingCompatibility"=3 (0x3)
"MSDTC"=3 (0x3)
"TrkWks"=2 (0x2)
"Browser"=2 (0x2)
"AppMgmt"=3 (0x3)
"aspnet_state"=3 (0x3)
"WmiApSrv"=3 (0x3)
"LPDSVC"=3 (0x3)
"GameConsoleService"=3 (0x3)
"MsSecurity1.209.4"=2 (0x2)
"Tmntsrv"=2 (0x2)
"tmproxy"=2 (0x2)
"TmPfw"=2 (0x2)
"PcCtlCom"=2 (0x2)
"aawservice"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Documents and Settings\\Donna McFarland\\DonnasDocs\\Programs\\WS_FTP\\WS_FTP95.exe"=
"C:\\Program Files\\Microsoft Office\\OFFICE11\\MSPUB.EXE"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

S3 PL-40R;CASIO USB MIDI;C:\WINDOWS\system32\Drivers\pl40rwdm.sys [2004-10-01 03:08]
S4 GameConsoleService;GameConsoleService;"C:\Program Files\WildTangent\Apps\Dell Game Console\GameConsoleService.exe" [2007-12-19 19:59]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-05-11 06:13:51 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-11 22:45:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\system32\drivers\clbdriver.sys 6656 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\clbdriver]
"imagepath"="\??\globalroot\systemroot\system32\drivers\clbdriver.sys"
.
Completion time: 2008-05-11 22:46:18
ComboFix-quarantined-files.txt 2008-05-12 02:46:09
ComboFix2.txt 2008-05-11 02:14:26
ComboFix3.txt 2008-05-09 03:37:11
ComboFix4.txt 2008-05-05 02:55:10
ComboFix5.txt 2008-05-04 23:27:31

Pre-Run: 99,730,542,592 bytes free
Post-Run: 99,849,658,368 bytes free

260 --- E O F --- 2008-04-09 19:04:04
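Reading the catchme section of the two ComboFix logs above by hand is error-prone, so here is an added Python example (mine, not part of this thread and not ComboFix's or catchme's code) that parses the hidden-file block and the Services key ComboFix prints, flags the driver registered through the \??\globalroot\ path, and diffs the hidden-file lists of two runs; the log excerpts inside it are constructed from the lines posted in #18 and #20.

```python
"""Review helper for the catchme section of a ComboFix log (added example,
not part of this thread, ComboFix or catchme)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed excerpts, cut down from the logs posted in this thread.
LOG_BEFORE = r"""
scanning hidden files ...

C:\WINDOWS\system32\drivers\clbdriver.sys 6656 bytes executable
C:\WINDOWS\system32\clb.dll 10752 bytes executable
C:\WINDOWS\system32\clbcatex.dll 110080 bytes executable
C:\WINDOWS\system32\clbcatq.dll 498688 bytes executable
C:\WINDOWS\system32\clbinit.dll 1695 bytes

scan completed successfully
hidden files: 5

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\clbdriver]
"imagepath"="\??\globalroot\systemroot\system32\drivers\clbdriver.sys"
"""
LOG_AFTER = r"""
scanning hidden files ...

C:\WINDOWS\system32\drivers\clbdriver.sys 6656 bytes executable

scan completed successfully
hidden files: 1

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\clbdriver]
"imagepath"="\??\globalroot\systemroot\system32\drivers\clbdriver.sys"
"""

# "<drive>:\<path> <size> bytes[ executable]"; the path may contain spaces.
HIDDEN_FILE_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) (?P<size>\d+) bytes(?P<exe> executable)?$")
HIDDEN_COUNT_RE = re.compile(r"^hidden files: (\d+)$")
SERVICE_KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\system\\ControlSet\d+\\Services\\(?P<name>[^\]]+)\]$", re.I)
IMAGEPATH_RE = re.compile(r'^"imagepath"="(?P<path>[^"]*)"$', re.I)
# Drivers are normally registered as system32\DRIVERS\x.sys or \SystemRoot\...;
# the \??\globalroot\ prefix is the form the clbdriver entry in this thread uses.
GLOBALROOT_PREFIX = "\\??\\globalroot\\"

@dataclass
class CatchmeReport:
    hidden_files: List[Tuple[str, int, bool]] = field(default_factory=list)  # (path, size, executable)
    declared_count: Optional[int] = None  # catchme's own "hidden files: N" line
    services: List[Tuple[str, str]] = field(default_factory=list)  # (service name, imagepath)

def parse_log(text: str) -> CatchmeReport:
    report, in_hidden, pending = CatchmeReport(), False, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "scanning hidden files ...":
            in_hidden = True
        elif line == "scan completed successfully":
            in_hidden = False
        elif in_hidden:
            if m := HIDDEN_FILE_RE.match(line):
                report.hidden_files.append((m["path"], int(m["size"]), m["exe"] is not None))
        elif m := HIDDEN_COUNT_RE.match(line):
            report.declared_count = int(m.group(1))
        elif m := SERVICE_KEY_RE.match(line):
            pending = m["name"]  # its "imagepath" value follows on the next line
        elif pending and (m := IMAGEPATH_RE.match(line)):
            report.services.append((pending, m["path"]))
            pending = None
    return report

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def findings(report: CatchmeReport) -> List[str]:
    """What a reviewer of the log should look at first."""
    out, parsed = [], len(report.hidden_files)
    if report.declared_count is not None and report.declared_count != parsed:
        out.append(f"hidden file count mismatch: catchme says {report.declared_count}, parsed {parsed}")
    hidden_names = {basename(p) for p, _, _ in report.hidden_files}
    for name, imagepath in report.services:
        reasons = []
        if imagepath.lower().startswith(GLOBALROOT_PREFIX):
            reasons.append("image path uses the \\??\\globalroot\\ prefix")
        if basename(imagepath) in hidden_names:
            reasons.append("image file is in the hidden-file list")
        if reasons:
            out.append(f"service {name}: " + "; ".join(reasons))
    return out

def remediation_delta(before: CatchmeReport, after: CatchmeReport) -> Tuple[List[str], List[str]]:
    """(paths no longer hidden, paths still hidden) between two runs."""
    b = {p.lower() for p, _, _ in before.hidden_files}
    a = {p.lower() for p, _, _ in after.hidden_files}
    return sorted(b - a), sorted(a)

if __name__ == "__main__":
    before, after = parse_log(LOG_BEFORE), parse_log(LOG_AFTER)
    print("\n".join(findings(before)))
    gone, left = remediation_delta(before, after)
    print(f"no longer hidden: {len(gone)}; still hidden: {left}")
```

Run on the full logs, findings() reports the clbdriver service for both runs, and remediation_delta() shows the four other clb* entries dropping out between the two posts while clbdriver.sys stays hidden.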

#21
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Disable all your security programs again and try the step here. Post the new log it creates when ready. We still have that one rootkit that needs to be removed.

#22
MrsFixIt

    Member

  • Topic Starter
  • Member
  • 32 posts
ComboFix 08-05-01.3 - Donna McFarland 2008-05-12 22:26:05.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.592 [GMT -4:00]
Running from: C:\Documents and Settings\Donna McFarland\Desktop\CFMrsFixIt.exe
Command switches used :: C:\Documents and Settings\Donna McFarland\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
c:\windows\system32\drivers\clbdriver.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CLBDRIVER


((((((((((((((((((((((((( Files Created from 2008-04-13 to 2008-05-13 )))))))))))))))))))))))))))))))
.

2008-05-08 23:21 . 2008-05-08 23:27 <DIR> d-------- C:\fixwareout
2008-05-05 22:27 . 2008-05-05 22:27 <DIR> d-------- C:\Program Files\Panda Security
2008-05-05 21:35 . 2008-05-05 21:35 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-05 21:35 . 2008-05-05 21:35 <DIR> d-------- C:\Documents and Settings\Donna McFarland\Application Data\Malwarebytes
2008-05-05 21:35 . 2008-05-05 21:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-04 23:02 . 2008-05-04 23:02 <DIR> d-------- C:\_OTMoveIt
2008-05-04 19:36 . 2008-05-08 23:30 <DIR> d-------- C:\HJT
2008-05-04 02:29 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-05-04 02:29 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-05-04 02:29 . 2008-04-24 08:10 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-05-04 02:29 . 2008-04-28 08:03 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-05-04 02:29 . 2008-04-28 08:03 82,944 --a------ C:\WINDOWS\system32\404Fix.exe
2008-05-04 02:29 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-05-04 02:29 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-05-04 02:29 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-05-04 01:17 . 2004-08-10 07:00 4,224 --a------ C:\WINDOWS\system32\beep.sys
2008-04-26 09:56 . 2008-05-04 01:16 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-26 09:56 . 2008-04-26 09:56 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-24 20:08 . 2008-04-24 20:08 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-15 14:16 . 2008-05-12 16:45 <DIR> d-------- C:\Program Files\StepMania

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-11 19:18 --------- d-----w C:\Documents and Settings\Donna McFarland\Application Data\Vso
2008-05-06 00:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-06 00:02 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-28 04:18 --------- d-----w C:\Documents and Settings\Donna McFarland\Application Data\BitTorrent
2008-04-25 00:09 --------- d-----w C:\Program Files\Lavasoft
2008-04-25 00:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-02 20:59 --------- d-----w C:\Program Files\DVDFab Platinum 4
2008-04-02 20:32 47,360 -c--a-w C:\Documents and Settings\Donna McFarland\Application Data\pcouffin.sys
2008-04-02 20:32 47,360 ----a-w C:\WINDOWS\system32\drivers\pcouffin.sys
2008-03-30 23:07 36,368 ----a-w C:\WINDOWS\system32\drivers\tmpreflt.sys
2008-03-30 23:07 204,816 ----a-w C:\WINDOWS\system32\drivers\tmxpflt.sys
2008-03-30 22:50 1,169,240 ----a-w C:\WINDOWS\system32\drivers\VsapiNT.sys
2007-01-31 05:55 87,608 -c--a-w C:\Documents and Settings\Donna McFarland\Application Data\ezpinst.exe
2007-01-16 20:55 88 -csh--r C:\WINDOWS\system32\6545AE81B9.sys
2007-01-16 20:56 2,828 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( [email protected]_19.27.13.68 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-04 23:24:32 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-13 02:28:54 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-03-25 22:13:04 124,208 ----a-w C:\WINDOWS\Downloaded Program Files\as2stubie.dll
+ 2006-06-15 22:33:54 1,132,192 ----a-w C:\WINDOWS\Downloaded Program Files\EPUWALcontrol.dll
+ 2007-07-18 17:49:56 12,592 ----a-w C:\WINDOWS\Downloaded Program Files\libcomm.dll
- 2008-05-04 23:24:33 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-05-05 23:55:39 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-05-04 23:24:33 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-05-05 23:55:39 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-05-04 19:10:02 62,434 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-05-12 17:21:43 62,434 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-05-04 19:10:02 402,994 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-05-12 17:21:43 402,994 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 07:00 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Exif Launcher.lnk]
backup=C:\WINDOWS\pss\Exif Launcher.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BuildBU]
--a--c--- 2006-11-25 02:58 61440 c:\dell\bldbubg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
--a--c--- 2006-09-28 15:21 57344 C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-10 07:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
--a------ 2006-08-03 20:51 1032192 C:\Program Files\Dell\QuickSet\quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
--a------ 2006-08-28 23:57 395776 C:\Program Files\Dell Support\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
--a--c--- 2004-12-06 03:05 127035 C:\WINDOWS\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dvd43]
--a--c--- 2006-05-22 14:26 694272 C:\Program Files\dvd43\dvd43_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a--c--- 2005-09-29 16:01 67584 C:\WINDOWS\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
--a--c--- 2006-11-25 03:29 236544 C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
--a--c--- 2005-12-14 01:41 77824 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
--a--c--- 2005-12-14 01:45 118784 C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
--a------ 2005-12-14 01:44 98304 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelWireless]
--a--c--- 2006-05-01 11:28 602182 C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelZeroConfig]
--a--c--- 2006-05-01 11:28 667718 C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a--c--- 2004-07-27 18:50 221184 C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a--c--- 2004-07-27 18:50 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ModemOnHold]
--------- 2003-09-10 04:24 20480 C:\Program Files\NetWaiting\netWaiting.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 12:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a--c--- 2006-01-12 16:40 155648 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OE_OEM]
--a------ 2006-04-11 20:39 176201 C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pccguide.exe]
--a------ 2005-08-30 18:42 823362 C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
--------- 2006-08-22 17:32 184320 C:\Program Files\Dell\MediaDirect\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-11-25 03:26 98304 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\REGSHAVE]
-----c--- 2002-02-04 23:32 53248 C:\Program Files\REGSHAVE\REGSHAVE.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
--a--c--- 2006-03-25 01:30 282624 C:\WINDOWS\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-01-28 11:43 2097488 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a--c--- 2007-09-25 02:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
--a--c--- 2006-03-08 20:48 761947 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a--c--- 2006-11-03 18:20 866584 C:\Program Files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AOL ACS"=2 (0x2)
"UMWdf"=3 (0x3)
"perfmons"=2 (0x2)
"WZCSVC"=2 (0x2)
"w32time"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"stisvc"=3 (0x3)
"WudfSvc"=3 (0x3)
"WinDefend"=2 (0x2)
"VSS"=3 (0x3)
"upnphost"=3 (0x3)
"UPS"=3 (0x3)
"StarWindService"=2 (0x2)
"SCardSvr"=3 (0x3)
"SQLAgent$MICROSOFTSMLBIZ"=3 (0x3)
"Routing"=2 (0x2)
"NtmsSvc"=2 (0x2)
"RemoteRegistry"=2 (0x2)
"RDSessMgr"=3 (0x3)
"RasAuto"=3 (0x3)
"RSVP"=3 (0x3)
"WmdmPmSN"=3 (0x3)
"SysmonLog"=3 (0x3)
"ose"=3 (0x3)
"xmlprov"=3 (0x3)
"mnmsrvc"=3 (0x3)
"NtLmSsp"=3 (0x3)
"NBService"=3 (0x3)
"ehSched"=2 (0x2)
"ehRecvr"=2 (0x2)
"McrdSvc"=2 (0x2)
"MDM"=2 (0x2)
"MSSQLServerADHelper"=3 (0x3)
"MSSQL$MICROSOFTSMLBIZ"=2 (0x2)
"SwPrv"=3 (0x3)
"MHN"=3 (0x3)
"dmadmin"=3 (0x3)
"dmserver"=3 (0x3)
"CiSvc"=3 (0x3)
"PolicyAgent"=2 (0x2)
"ImapiService"=3 (0x3)
"HTTPFilter"=3 (0x3)
"HidServ"=2 (0x2)
"GoogleDesktopManager"=3 (0x3)
"gusvc"=3 (0x3)
"Fax"=2 (0x2)
"FastUserSwitchingCompatibility"=3 (0x3)
"MSDTC"=3 (0x3)
"TrkWks"=2 (0x2)
"Browser"=2 (0x2)
"AppMgmt"=3 (0x3)
"aspnet_state"=3 (0x3)
"WmiApSrv"=3 (0x3)
"LPDSVC"=3 (0x3)
"GameConsoleService"=3 (0x3)
"MsSecurity1.209.4"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Documents and Settings\\Donna McFarland\\DonnasDocs\\Programs\\WS_FTP\\WS_FTP95.exe"=
"C:\\Program Files\\Microsoft Office\\OFFICE11\\MSPUB.EXE"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

S3 PL-40R;CASIO USB MIDI;C:\WINDOWS\system32\Drivers\pl40rwdm.sys [2004-10-01 03:08]
S4 GameConsoleService;GameConsoleService;"C:\Program Files\WildTangent\Apps\Dell Game Console\GameConsoleService.exe" [2007-12-19 19:59]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

*Newly Created Service* - CLBDRIVER
.
Contents of the 'Scheduled Tasks' folder
"2008-05-11 06:13:51 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-12 22:29:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\system32\drivers\clbdriver.sys 6656 bytes executable
C:\WINDOWS\system32\clb.dll 10752 bytes executable
C:\WINDOWS\system32\clbcatex.dll 110080 bytes executable
C:\WINDOWS\system32\clbcatq.dll 498688 bytes executable
C:\WINDOWS\system32\clbinit.dll 1695 bytes

scan completed successfully
hidden files: 5

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\clbdriver]
"imagepath"="\??\globalroot\systemroot\system32\drivers\clbdriver.sys"
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\pccguide.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-05-12 22:32:35 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-13 02:32:31
ComboFix2.txt 2008-05-12 02:46:19
ComboFix3.txt 2008-05-11 02:14:26
ComboFix4.txt 2008-05-09 03:37:11
ComboFix5.txt 2008-05-05 02:55:10

Pre-Run: 99,802,841,088 bytes free
Post-Run: 99,810,476,032 bytes free

275 --- E O F --- 2008-04-09 19:04:04

#23 MrsFixIt (Member, Topic Starter, 32 posts)
When I ran ComboFix this last time, I not only exited from my anti-virus program, but I shut off the Windows firewall & the automatic updates, too. I'm no longer running SpyBot ram-resident, either. I didn't get any error messages during this run, but it looks like I still have some things to clean up. I'm assuming the mention of 5 hidden files means that 5 things were found that aren't supposed to be there. Is this so? Is ComboFix supposed to be actually getting rid of these? If so, should I just keep trying to run it over & over until I get a clean run? I'm feeling pretty helpless throughout the day, knowing my computer is still "sick", but I don't know the next step to take.

#24 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Stubborn little pest we have here. Let's see if we can budge it after doing the below:

Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy the text from the quotebox below into Notepad:

Rootkit::
clbdriver
Driver::
clbdriver
File::
C:\WINDOWS\system32\drivers\clbdriver.sys
C:\WINDOWS\system32\clbinit.dll
C:\WINDOWS\SYSTEM32\clbcfg.dat
C:\WINDOWS\SYSTEM32\clbdll.dll
Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\clbdriver.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\clbdriver.sys]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\clbdriver]

Save this as CFScript.txt in the same location as the ComboFix.exe tool.
Drag the CFScript.txt into ComboFix.exe
Follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not click on ComboFix's window while it's running. That may cause it to stall.

Is the computer running ok so far?

#25 MrsFixIt (Member, Topic Starter, 32 posts)
My version of ComboFix had expired, so I had to download it again. Yes, everything seems to be working now. I haven't run Ad-aware or SpyBot scans for a while, though. Should I do that, just to be sure nothing is found? I see in this new log, there are no hidden files listed. Does that mean I should be set to go?

Here's the log:


ComboFix 08-05-12.1 - Donna McFarland 2008-05-13 21:51:14.7 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.573 [GMT -4:00]
Running from: C:\Documents and Settings\Donna McFarland\Desktop\CFMrsFixIt2.exe
Command switches used :: C:\Documents and Settings\Donna McFarland\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\SYSTEM32\clbcfg.dat
C:\WINDOWS\SYSTEM32\clbdll.dll
C:\WINDOWS\system32\clbinit.dll
C:\WINDOWS\system32\drivers\clbdriver.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\clbdll.dll
C:\WINDOWS\system32\clbinit.dll
C:\WINDOWS\system32\comsa32.sys
C:\WINDOWS\system32\drivers\clbdriver.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CLBDRIVER


((((((((((((((((((((((((( Files Created from 2008-04-14 to 2008-05-14 )))))))))))))))))))))))))))))))
.

2008-05-13 21:43 . 2008-05-13 21:43 <DIR> d-------- C:\CFMrsFixIt
2008-05-08 23:21 . 2008-05-08 23:27 <DIR> d-------- C:\fixwareout
2008-05-05 22:27 . 2008-05-05 22:27 <DIR> d-------- C:\Program Files\Panda Security
2008-05-05 21:35 . 2008-05-05 21:35 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-05 21:35 . 2008-05-05 21:35 <DIR> d-------- C:\Documents and Settings\Donna McFarland\Application Data\Malwarebytes
2008-05-05 21:35 . 2008-05-05 21:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-04 23:02 . 2008-05-04 23:02 <DIR> d-------- C:\_OTMoveIt
2008-05-04 19:36 . 2008-05-08 23:30 <DIR> d-------- C:\HJT
2008-05-04 02:29 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-05-04 02:29 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-05-04 02:29 . 2008-04-24 08:10 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-05-04 02:29 . 2008-04-28 08:03 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-05-04 02:29 . 2008-04-28 08:03 82,944 --a------ C:\WINDOWS\system32\404Fix.exe
2008-05-04 02:29 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-05-04 02:29 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-05-04 02:29 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-05-04 01:17 . 2004-08-10 07:00 4,224 --a------ C:\WINDOWS\system32\beep.sys
2008-04-26 09:56 . 2008-05-04 01:16 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-26 09:56 . 2008-04-26 09:56 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-24 20:08 . 2008-04-24 20:08 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-15 14:16 . 2008-05-13 17:43 <DIR> d-------- C:\Program Files\StepMania

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-11 19:18 --------- d-----w C:\Documents and Settings\Donna McFarland\Application Data\Vso
2008-05-06 00:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-06 00:02 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-28 04:18 --------- d-----w C:\Documents and Settings\Donna McFarland\Application Data\BitTorrent
2008-04-25 00:09 --------- d-----w C:\Program Files\Lavasoft
2008-04-25 00:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-02 20:59 --------- d-----w C:\Program Files\DVDFab Platinum 4
2008-04-02 20:32 47,360 -c--a-w C:\Documents and Settings\Donna McFarland\Application Data\pcouffin.sys
2008-04-02 20:32 47,360 ----a-w C:\WINDOWS\system32\drivers\pcouffin.sys
2008-03-30 23:07 36,368 ----a-w C:\WINDOWS\system32\drivers\tmpreflt.sys
2008-03-30 23:07 204,816 ----a-w C:\WINDOWS\system32\drivers\tmxpflt.sys
2008-03-30 22:50 1,169,240 ----a-w C:\WINDOWS\system32\drivers\VsapiNT.sys
2007-01-31 05:55 87,608 -c--a-w C:\Documents and Settings\Donna McFarland\Application Data\ezpinst.exe
2007-01-16 20:55 88 -csh--r C:\WINDOWS\system32\6545AE81B9.sys
2007-01-16 20:56 2,828 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( [email protected]_19.27.13.68 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-07-26 04:20:23 110,080 -c--a-w C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\clbcatex.dll
+ 2005-07-26 04:20:24 498,688 -c--a-w C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\clbcatq.dll
+ 2004-08-10 11:00:00 110,080 -c----w C:\WINDOWS\$NtUninstallKB902400$\clbcatex.dll
+ 2004-08-10 11:00:00 501,248 -c----w C:\WINDOWS\$NtUninstallKB902400$\clbcatq.dll
- 2008-05-04 23:24:32 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-14 01:53:36 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-03-25 22:13:04 124,208 ----a-w C:\WINDOWS\Downloaded Program Files\as2stubie.dll
+ 2006-06-15 22:33:54 1,132,192 ----a-w C:\WINDOWS\Downloaded Program Files\EPUWALcontrol.dll
+ 2007-07-18 17:49:56 12,592 ----a-w C:\WINDOWS\Downloaded Program Files\libcomm.dll
+ 2004-08-10 11:00:00 10,752 -c--a-w C:\WINDOWS\system32\clb.dll
+ 2005-07-26 04:39:43 110,080 ----a-w C:\WINDOWS\system32\clbcatex.dll
+ 2005-07-26 04:39:43 498,688 ----a-w C:\WINDOWS\system32\clbcatq.dll
- 2008-05-04 23:24:33 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-05-05 23:55:39 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-05-04 23:24:33 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-05-05 23:55:39 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2004-08-10 11:00:00 10,752 ----a-w C:\WINDOWS\system32\dllcache\clb.dll
- 2008-05-04 19:10:02 62,434 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-05-13 14:57:36 62,434 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-05-04 19:10:02 402,994 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-05-13 14:57:36 402,994 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 07:00 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Exif Launcher.lnk]
backup=C:\WINDOWS\pss\Exif Launcher.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BuildBU]
--a--c--- 2006-11-25 02:58 61440 c:\dell\bldbubg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
--a--c--- 2006-09-28 15:21 57344 C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-10 07:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
--a------ 2006-08-03 20:51 1032192 C:\Program Files\Dell\QuickSet\quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
--a------ 2006-08-28 23:57 395776 C:\Program Files\Dell Support\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
--a--c--- 2004-12-06 03:05 127035 C:\WINDOWS\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dvd43]
--a--c--- 2006-05-22 14:26 694272 C:\Program Files\dvd43\dvd43_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a--c--- 2005-09-29 16:01 67584 C:\WINDOWS\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
--a--c--- 2006-11-25 03:29 236544 C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
--a--c--- 2005-12-14 01:41 77824 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
--a--c--- 2005-12-14 01:45 118784 C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
--a------ 2005-12-14 01:44 98304 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelWireless]
--a--c--- 2006-05-01 11:28 602182 C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelZeroConfig]
--a--c--- 2006-05-01 11:28 667718 C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a--c--- 2004-07-27 18:50 221184 C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a--c--- 2004-07-27 18:50 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ModemOnHold]
--------- 2003-09-10 04:24 20480 C:\Program Files\NetWaiting\netWaiting.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 12:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a--c--- 2006-01-12 16:40 155648 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OE_OEM]
--a------ 2006-04-11 20:39 176201 C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pccguide.exe]
--a------ 2005-08-30 18:42 823362 C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
--------- 2006-08-22 17:32 184320 C:\Program Files\Dell\MediaDirect\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-11-25 03:26 98304 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\REGSHAVE]
-----c--- 2002-02-04 23:32 53248 C:\Program Files\REGSHAVE\REGSHAVE.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
--a--c--- 2006-03-25 01:30 282624 C:\WINDOWS\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-01-28 11:43 2097488 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a--c--- 2007-09-25 02:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
--a--c--- 2006-03-08 20:48 761947 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a--c--- 2006-11-03 18:20 866584 C:\Program Files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AOL ACS"=2 (0x2)
"UMWdf"=3 (0x3)
"perfmons"=2 (0x2)
"WZCSVC"=2 (0x2)
"w32time"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"stisvc"=3 (0x3)
"WudfSvc"=3 (0x3)
"WinDefend"=2 (0x2)
"VSS"=3 (0x3)
"upnphost"=3 (0x3)
"UPS"=3 (0x3)
"StarWindService"=2 (0x2)
"SCardSvr"=3 (0x3)
"SQLAgent$MICROSOFTSMLBIZ"=3 (0x3)
"Routing"=2 (0x2)
"NtmsSvc"=2 (0x2)
"RemoteRegistry"=2 (0x2)
"RDSessMgr"=3 (0x3)
"RasAuto"=3 (0x3)
"RSVP"=3 (0x3)
"WmdmPmSN"=3 (0x3)
"SysmonLog"=3 (0x3)
"ose"=3 (0x3)
"xmlprov"=3 (0x3)
"mnmsrvc"=3 (0x3)
"NtLmSsp"=3 (0x3)
"NBService"=3 (0x3)
"ehSched"=2 (0x2)
"ehRecvr"=2 (0x2)
"McrdSvc"=2 (0x2)
"MDM"=2 (0x2)
"MSSQLServerADHelper"=3 (0x3)
"MSSQL$MICROSOFTSMLBIZ"=2 (0x2)
"SwPrv"=3 (0x3)
"MHN"=3 (0x3)
"dmadmin"=3 (0x3)
"dmserver"=3 (0x3)
"CiSvc"=3 (0x3)
"PolicyAgent"=2 (0x2)
"ImapiService"=3 (0x3)
"HTTPFilter"=3 (0x3)
"HidServ"=2 (0x2)
"GoogleDesktopManager"=3 (0x3)
"gusvc"=3 (0x3)
"Fax"=2 (0x2)
"FastUserSwitchingCompatibility"=3 (0x3)
"MSDTC"=3 (0x3)
"TrkWks"=2 (0x2)
"Browser"=2 (0x2)
"AppMgmt"=3 (0x3)
"aspnet_state"=3 (0x3)
"WmiApSrv"=3 (0x3)
"LPDSVC"=3 (0x3)
"GameConsoleService"=3 (0x3)
"MsSecurity1.209.4"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Documents and Settings\\Donna McFarland\\DonnasDocs\\Programs\\WS_FTP\\WS_FTP95.exe"=
"C:\\Program Files\\Microsoft Office\\OFFICE11\\MSPUB.EXE"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

S3 PL-40R;CASIO USB MIDI;C:\WINDOWS\system32\Drivers\pl40rwdm.sys [2004-10-01 03:08]
S4 GameConsoleService;GameConsoleService;"C:\Program Files\WildTangent\Apps\Dell Game Console\GameConsoleService.exe" [2007-12-19 19:59]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-05-11 06:13:51 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-13 21:54:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\pccguide.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-05-13 21:57:32 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-14 01:57:29
ComboFix2.txt 2008-05-13 02:32:36
ComboFix3.txt 2008-05-12 02:46:19
ComboFix4.txt 2008-05-11 02:14:26
ComboFix5.txt 2008-05-09 03:37:11

Pre-Run: 99,742,257,152 bytes free
Post-Run: 99,760,893,952 bytes free

283 --- E O F --- 2008-04-09 19:04:04

#26
greyknight17
    Malware Expert
  • Visiting Consultant
  • 16,560 posts
Yes, you may check Spybot S&D and Ad-Aware for any updates and then run a scan. If all they find are tracking cookies, you can just delete them.

In this case the hidden files you had were bad, so yes, it's good now that they are gone :)

Good job. Your log is clean.

To help prevent future spyware infections, read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If none, go to Start->Run, copy/paste in combofix /u and hit OK to remove it. You should be set to go.

#27
MrsFixIt
    Member
  • Topic Starter
  • Member
  • 32 posts
I ran Ad-Aware & SpyBot twice each last night & got a clean run on the second scan for each. I ran them both again tonight, & Ad-Aware found only cookies, while SpyBot ran clean. Looks like I'm good to go! I printed out the tutorial & will read all of it. Hopefully, if this happens again, I can take care of it myself as I've always done in the past. This one, however, was a real stinker!

Thank you so much for all of your help! I couldn't have cleaned my computer without it!

#28
greyknight17
    Malware Expert
  • Visiting Consultant
  • 16,560 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.