OK, ran the script with ComboFix. I had to rename ComboFix to a different name so it would run.
I deleted those two items with HijackThis.
I ran LSPFix.
Ran GMER.
I still cannot get to www.geekstogo.com; the loopback address still comes up with a ping.
Below are the files requested:
ComboFix:
ComboFix 08-05-01.3 - XP 2008-05-08 20:13:04.6 -
FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.655 [GMT -5:00]
Running from: C:\Documents and Settings\XP\Desktop\omboFix.exe
Command switches used :: C:\Documents and Settings\XP\Desktop\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
C:\WINDOWS\BM300634da.xml
C:\WINDOWS\system32\cdosys.dll
C:\WINDOWS\system32\clbinit.dll
C:\WINDOWS\system32\ddcAsRli.dll
C:\WINDOWS\system32\drivers\vmdesched.sys
C:\WINDOWS\SYSTEM32\fwpokuei.dll_old
C:\WINDOWS\system32\jrwlpqvj.dll
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\BM300634da.xml
C:\WINDOWS\SYSTEM32\fwpokuei.dll_old
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_CLBDRIVER
((((((((((((((((((((((((( Files Created from 2008-04-09 to 2008-05-09 )))))))))))))))))))))))))))))))
.
2008-05-05 07:55 . 2008-05-05 07:55 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-05-05 07:55 . 2008-05-05 07:55 <DIR> d-------- C:\Documents and Settings\XP\Application Data\SUPERAntiSpyware.com
2008-05-05 07:55 . 2008-05-05 07:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-05 07:00 . 2008-05-05 07:01 152 --a------ C:\WINDOWS\wininit.ini
2008-05-04 14:09 . 2001-08-23 14:00 4,224 --a------ C:\WINDOWS\SYSTEM32\beep.sys
2008-04-29 19:58 . 2008-04-29 19:58 41,296 --a------ C:\WINDOWS\SYSTEM32\xfcodec.dll
2008-04-27 20:27 . 2008-04-27 20:27 5,760,054 --a------ C:\WINDOWS\commie.BMP
2008-04-24 07:21 . 2008-01-11 17:39 145,408 --a------ C:\WINDOWS\SYSTEM32\ZuneMTPZ.dll
2008-04-24 07:21 . 2008-01-11 17:39 70,656 --a------ C:\WINDOWS\SYSTEM32\ZuneIpTransport.dll
2008-04-24 07:21 . 2008-01-11 17:39 62,464 --a------ C:\WINDOWS\SYSTEM32\ZuneUsbTransport.dll
2008-04-24 07:21 . 2008-01-11 17:39 35,840 --a------ C:\WINDOWS\SYSTEM32\ZuneUsbCOnnection.dll
2008-04-13 00:31 . 2008-04-13 00:31 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Xfire
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-08 20:20 --------- d-----w C:\Program Files\Packet Tracer 3.2
2008-04-08 02:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-04-08 02:14 --------- d-----w C:\Program Files\AIM6
2008-04-02 02:08 72,824 ----a-w C:\Documents and Settings\i120109\Application Data\GDIPFONTCACHEV1.DAT
2008-03-26 20:12 72,824 ----a-w C:\Documents and Settings\Cheryl\Application Data\GDIPFONTCACHEV1.DAT
2008-03-22 18:09 --------- d-----w C:\Documents and Settings\XP\Application Data\Apple Computer
2008-03-22 17:57 --------- d-----w C:\Program Files\Sun
2008-03-22 17:53 --------- d-----w C:\Program Files\Common Files\Java
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\SYSTEM32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\SYSTEM32\dllcache\win32k.sys
2008-03-17 00:32 691,545 ----a-w C:\WINDOWS\unins000.exe
2008-03-16 21:08 --------- d-----w C:\Program Files\Trend Micro
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\SYSTEM32\gdi32.dll
2008-02-20 06:51 282,624 ------w C:\WINDOWS\SYSTEM32\dllcache\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\SYSTEM32\dnsrslvr.dll
2008-02-20 05:32 45,568 ------w C:\WINDOWS\SYSTEM32\dllcache\dnsrslvr.dll
2008-02-20 05:32 148,992 ------w C:\WINDOWS\SYSTEM32\dllcache\dnsapi.dll
2008-02-16 22:29 3,059,712 ----a-w C:\WINDOWS\SYSTEM32\dllcache\mshtml.dll
2008-02-15 09:23 18,432 ----a-w C:\WINDOWS\SYSTEM32\dllcache\iedw.exe
2006-08-18 17:17 266 --sh--w C:\Program Files\desktop.ini
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of C:\del ----
2008-05-05 07:48 1782564 --a------ C:\del\Fix.exe
((((((((((((((((((((((((((((( snapshot@2008-05-05_14.47.32.95 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-05 19:44:36 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-09 01:17:08 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-05-05 19:44:38 16,384 ----a-w C:\WINDOWS\SYSTEM32\config\systemprofile\Cookies\index.dat
+ 2008-05-09 01:17:08 16,384 ----a-w C:\WINDOWS\SYSTEM32\config\systemprofile\Cookies\index.dat
- 2008-05-05 19:44:38 32,768 ----a-w C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-05-09 01:17:08 32,768 ----a-w C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-05-05 19:44:38 32,768 ----a-w C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-05-09 01:17:08 32,768 ----a-w C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A168E80E-C5EA-4021-8534-7163D4397B35}]
C:\WINDOWS\system32\ddcAsRli.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SlowFile Icon Overlay]
@={7D688A77-C613-11D0-999B-00C04FD655E1}
[HKEY_CLASSES_ROOT\CLSID\{7D688A77-C613-11D0-999B-00C04FD655E1}]
2007-10-25 21:34 8460288 --a------ C:\WINDOWS\SYSTEM32\SHELL32.DLL
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"LogitechSoftwareUpdate"="C:\Program Files\Logitech\Video\ManifestEngine.exe" [2005-06-08 14:44 196608]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe" [2001-08-23 14:00 3072 C:\WINDOWS\SYSTEM32\systray.exe]
"IMONTRAY"="C:\Program Files\Intel\Intel® Active Monitor\imontray.exe" [2003-11-03 16:44 32768]
"VSOCheckTask"="C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-08 18:18 151552]
"VirusScan Online"="C:\Program Files\McAfee.com\VSO\mcvsshld.exe" [2005-08-10 12:49 163840]
"OASClnt"="C:\Program Files\McAfee.com\VSO\oasclnt.exe" [2005-08-11 22:02 53248]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2005-09-22 18:29 303104]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\mcupdate.exe" [2006-01-11 12:05 212992]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2005-07-19 17:32 221184]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [2005-06-08 15:24 458752]
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [2005-06-08 15:14 217088]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-04 22:32 53248]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-16 23:11 49152]
"SideWinderTrayV4"="C:\PROGRA~1\MI948F~1\GAMECO~1\common\swtrayv4.exe" [1999-11-18 19:12 24650]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2003-07-13 02:49 155648]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-11-26 09:02 282624]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe" [2005-09-09 01:18 57344]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22 7700480]
"nwiz"="nwiz.exe" [2006-10-22 12:22 1622016 C:\WINDOWS\SYSTEM32\nwiz.exe]
"NvMediaCenter"="NvMCTray.dll" [2006-10-22 12:22 86016 C:\WINDOWS\SYSTEM32\nvmctray.dll]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-07-27 13:48 1388544]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2004-08-06 08:27 860160]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"Zune Launcher"="c:\Program Files\Zune\ZuneLauncher.exe" [2008-01-11 17:54 166304]
"33350746"="C:\WINDOWS\system32\jrwlpqvj.dll" [ ]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 01:01 437160]
C:\Documents and Settings\Stephen\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 20:16:50 113664]
Xfire.lnk - C:\Program Files\Xfire\Xfire.exe [2008-04-29 19:58:44 2998608]
C:\Documents and Settings\Cheryl\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2008-02-08 16:32:57 147456]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.VDOM"= vdowave.drv
"VIDC.XFR1"= xfcodec.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Xfire\\Xfire.exe"=
"C:\\Program Files\\GlobalSCAPE\\CuteFTP\\cutftp32.exe"=
"C:\\Program Files\\Microsoft Games\\Midtown Madness\\midtown.exe"=
"C:\\Program Files\\mIRC\\mirc.exe"=
"C:\\WINDOWS\\System32\\dpvsetup.exe"=
"C:\\WINDOWS\\System32\\RUNDLL32.EXE"=
"C:\\Program Files\\Valve\\Steam\\SteamApps\\windexforlife\\half-life 2 deathmatch\\hl2.exe"=
"C:\\Program Files\\Valve\\Steam\\SteamApps\\windexforlife\\counter-strike source\\hl2.exe"=
"C:\\WINDOWS\\System32\\dxdiag.exe"=
"C:\\Program Files\\Steam\\Steam.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\Steam\\steamapps\\windexforlife\\counter-strike source\\hl2.exe"=
"C:\\Program Files\\Steam\\steamapps\\windexforlife\\half-life 2 deathmatch\\hl2.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
R2 zumbus;Zune Bus Enumerator Driver;C:\WINDOWS\system32\DRIVERS\zumbus.sys [2008-01-11 17:39]
R2 ZuneBusEnum;Zune Bus Enumerator;c:\WINDOWS\system32\ZuneBusEnum.exe [2008-01-11 17:54]
S3 AVCSTRM;AVC Streaming Filter Driver;C:\WINDOWS\system32\DRIVERS\avcstrm.sys [2004-08-04 01:09]
S3 MSTAPE;Microsoft AV/C Tape Subunit Device;C:\WINDOWS\system32\DRIVERS\mstape.sys [2004-08-04 01:09]
S3 ZuneWlanCfgSvc;Zune Wireless Configuration Service;c:\WINDOWS\system32\ZuneWlanCfgSvc.exe [2008-01-11 17:54]
*Newly Created Service* - CLBDRIVER
.
Contents of the 'Scheduled Tasks' folder
"2008-05-08 04:00:02 C:\WINDOWS\Tasks\Tune-up Application Start.job"
.
**************************************************************************
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-08 20:17:49
Windows 5.1.2600 Service Pack 2 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
C:\WINDOWS\system32\drivers\clbdriver.sys 32768 bytes
C:\WINDOWS\system32\clb.dll 32768 bytes
C:\WINDOWS\system32\clbcatq.dll 524288 bytes
C:\WINDOWS\system32\clbcatex.dll 131072 bytes
C:\WINDOWS\system32\clbdll.dll 65536 bytes
C:\WINDOWS\system32\clbinit.dll 32768 bytes
scan completed successfully
hidden files: 6
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\clbdriver]
"imagepath"="\??\globalroot\systemroot\system32\drivers\clbdriver.sys"
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRAM FILES\ADOBE\PHOTOSHOP ELEMENTS 4.0\PHOTOSHOPELEMENTSFILEAGENT.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCDETECT.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCSHIELD.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCTSKSHD.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
C:\WINDOWS\SYSTEM32\NVSVC32.EXE
C:\WINDOWS\SYSTEM32\HPZIPM12.EXE
C:\WINDOWS\SYSTEM32\PNKBSTRA.EXE
C:\PROGRAM FILES\ANALOG DEVICES\SOUNDMAX\SMAGENT.EXE
C:\PROGRAM FILES\INTEL\INTEL® ACTIVE MONITOR\IMONNT.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSESCN.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\GAME CONTROLLERS\COMMON\SWTRAYV4.EXE
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSFTSN.EXE
.
**************************************************************************
.
Completion time: 2008-05-08 20:20:21 - machine was rebooted [XP]
ComboFix3.txt 2008-03-19 20:51:44
ComboFix-quarantined-files.txt 2008-05-09 01:20:18
ComboFix2.txt 2008-05-06 00:38:36
Pre-Run: 155,601,076,224 bytes free
Post-Run: 155,705,311,232 bytes free
214 --- E O F --- 2008-04-21 21:16:13
Next is GMER:
GMER 1.0.14.14205 - http://www.gmer.net
Rootkit scan 2008-05-08 20:36:45
Windows 5.1.2600 Service Pack 2
---- System - GMER 1.0.14 ----
Code F76CE94C ZwEnumerateKey
Code F76CED0C ZwQueryDirectoryFile
Code F76CED0B NtQueryDirectoryFile
---- Kernel code sections - GMER 1.0.14 ----
? C:\omboFix\catchme.sys The system cannot find the path specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified. !
---- User code sections - GMER 1.0.14 ----
.text C:\WINDOWS\explorer.exe[2644] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00B63E00 c:\progra~1\mcafee.com\vso\McVSSkt.dll (McAfee VirusScan Winsock Helper DLL/McAfee, Inc.)
.text C:\Program Files\Intel\Intel® Active Monitor\imontray.exe[2804] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00BF3E00 c:\progra~1\mcafee.com\vso\McVSSkt.dll (McAfee VirusScan Winsock Helper DLL/McAfee, Inc.)
.text C:\Program Files\McAfee.com\VSO\mcvsshld.exe[2836] WS2_32.dll!connect 71AB406A 5 Bytes JMP 01473E00 c:\progra~1\mcafee.com\vso\McVSSkt.dll (McAfee VirusScan Winsock Helper DLL/McAfee, Inc.)
.text C:\Program Files\McAfee.com\VSO\oasclnt.exe[2852] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00C63E00 c:\progra~1\mcafee.com\vso\McVSSkt.dll (McAfee VirusScan Winsock Helper DLL/McAfee, Inc.)
.text C:\WINDOWS\system32\LVCOMSX.EXE[2924] WS2_32.dll!connect 71AB406A 5 Bytes JMP 01053E00 c:\progra~1\mcafee.com\vso\McVSSkt.dll (McAfee VirusScan Winsock Helper DLL/McAfee, Inc.)
.text ...
---- Devices - GMER 1.0.14 ----
AttachedDevice \FileSystem\Ntfs \Ntfs naiavf5x.sys (Anti-Virus File System Filter Driver/McAfee Inc.)
AttachedDevice \FileSystem\Fastfat \Fat naiavf5x.sys (Anti-Virus File System Filter Driver/McAfee Inc.)
---- Modules - GMER 1.0.14 ----
Module \??\globalroot\systemroot\system32\drivers\vmdesched.sys (*** hidden *** ) F76CD000-F76D1000 (16384 bytes)
---- Processes - GMER 1.0.14 ----
Library C:\WINDOWS\System32\CLBCATQ.DLL (*** hidden *** ) @ C:\WINDOWS\System32\alg.exe [284] 0x76FD0000
Library C:\WINDOWS\system32\CLBCATQ.DLL (*** hidden *** ) @ C:\WINDOWS\system32\winlogon.exe [460] 0x76FD0000
Library C:\WINDOWS\system32\CLBCATQ.DLL (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [680] 0x76FD0000
Library C:\WINDOWS\system32\CLBCATQ.DLL (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [756] 0x76FD0000
Library C:\WINDOWS\System32\CLBCATQ.DLL (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [824] 0x76FD0000
Library C:\WINDOWS\system32\CLBCATQ.DLL (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1004] 0x76FD0000
Library C:\WINDOWS\system32\CLBCATQ.DLL (*** hidden *** ) @ C:\WINDOWS\system32\spoolsv.exe [1156] 0x76FD0000
Library C:\WINDOWS\system32\CLBCATQ.DLL (*** hidden *** ) @ c:\program files\mcafee.com\agent\mcdetect.exe [1320] 0x76FD0000
Library C:\WINDOWS\system32\CLBCATQ.DLL (*** hidden *** ) @ c:\PROGRA~1\mcafee.com\vso\mcshield.exe [1372] 0x76FD0000
Library C:\WINDOWS\system32\CLBCATQ.DLL (*** hidden *** ) @ C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe [1488] 0x76FD0000
Library C:\WINDOWS\System32\CLBCATQ.DLL (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1652] 0x76FD0000
Library C:\WINDOWS\system32\CLBCATQ.DLL (*** hidden *** ) @ C:\WINDOWS\explorer.exe [2644] 0x76FD0000
Library C:\WINDOWS\system32\CLBCATQ.DLL (*** hidden *** ) @ C:\Program Files\McAfee.com\VSO\mcvsshld.exe [2836] 0x76FD0000
Library C:\WINDOWS\system32\CLBCATQ.DLL (*** hidden *** ) @ C:\Program Files\McAfee.com\VSO\oasclnt.exe [2852] 0x76FD0000
Library C:\WINDOWS\system32\CLBCATQ.DLL (*** hidden *** ) @ c:\progra~1\mcafee.com\vso\mcvsescn.exe [2868] 0x76FD0000
Library C:\WINDOWS\system32\CLBCATQ.DLL (*** hidden *** ) @ C:\WINDOWS\system32\LVCOMSX.EXE [2924] 0x76FD0000
Library C:\WINDOWS\system32\CLBCATQ.DLL (*** hidden *** ) @ C:\Program Files\Logitech\Video\LogiTray.exe [2944] 0x76FD0000
Library C:\WINDOWS\system32\CLBCATQ.DLL (*** hidden *** ) @ C:\PROGRA~1\MI948F~1\GAMECO~1\common\swtrayv4.exe [3056] 0x76FD0000
Library C:\WINDOWS\system32\CLBCATQ.DLL (*** hidden *** ) @ C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe [3156] 0x76FD0000
Library C:\WINDOWS\system32\CLBCATQ.DLL (*** hidden *** ) @ C:\Program Files\Messenger\msmsgs.exe [3496] 0x76FD0000
Library C:\WINDOWS\system32\CLBCATQ.DLL (*** hidden *** ) @ C:\Program Files\Logitech\Video\FxSvr2.exe [3804] 0x76FD0000
Library C:\WINDOWS\system32\CLBCATQ.DLL (*** hidden *** ) @ c:\progra~1\mcafee.com\vso\mcvsftsn.exe [3928] 0x76FD0000
---- Services - GMER 1.0.14 ----
Service globalroot\systemroot\system32\drivers\vmdesched.sys (*** hidden *** ) [SYSTEM] clbdriver <-- ROOTKIT !!!
---- Registry - GMER 1.0.14 ----
Reg HKLM\SYSTEM\ControlSet001\Control\Nls\MUILanguages\RCV2\clb.dll
Reg HKLM\SYSTEM\ControlSet001\Control\Nls\MUILanguages\RCV2\clb.dll@0 0x00 0x00 0x28 0x0A ...
Reg HKLM\SYSTEM\ControlSet001\Control\Nls\MUILanguages\RCV2\clb.dll@1 0xB6 0x00 0xB6 0xEB ...
Reg HKLM\SYSTEM\ControlSet001\Control\Nls\MUILanguages\RCV2\clbcatex.dll
Reg HKLM\SYSTEM\ControlSet001\Control\Nls\MUILanguages\RCV2\clbcatex.dll@0 0x2A 0x00 0x3E 0x11 ...
Reg HKLM\SYSTEM\ControlSet001\Control\Nls\MUILanguages\RCV2\clbcatex.dll@1 0xCF 0x24 0x2A 0x85 ...
Reg HKLM\SYSTEM\ControlSet001\Control\Nls\MUILanguages\RCV2\clbcatq.dll
Reg HKLM\SYSTEM\ControlSet001\Control\Nls\MUILanguages\RCV2\clbcatq.dll@0 0x2A 0x00 0x3E 0x11 ...
Reg HKLM\SYSTEM\ControlSet001\Control\Nls\MUILanguages\RCV2\clbcatq.dll@1 0x6A 0xB7 0x9D 0x1D ...
Reg HKLM\SYSTEM\ControlSet002\Control\Nls\MUILanguages\RCV2\clb.dll
Reg HKLM\SYSTEM\ControlSet002\Control\Nls\MUILanguages\RCV2\clb.dll@0 0x00 0x00 0x28 0x0A ...
Reg HKLM\SYSTEM\ControlSet002\Control\Nls\MUILanguages\RCV2\clb.dll@1 0xB6 0x00 0xB6 0xEB ...
Reg HKLM\SYSTEM\ControlSet002\Control\Nls\MUILanguages\RCV2\clbcatex.dll
Reg HKLM\SYSTEM\ControlSet002\Control\Nls\MUILanguages\RCV2\clbcatex.dll@0 0x2A 0x00 0x3E 0x11 ...
Reg HKLM\SYSTEM\ControlSet002\Control\Nls\MUILanguages\RCV2\clbcatex.dll@1 0xCF 0x24 0x2A 0x85 ...
Reg HKLM\SYSTEM\ControlSet002\Control\Nls\MUILanguages\RCV2\clbcatq.dll
Reg HKLM\SYSTEM\ControlSet002\Control\Nls\MUILanguages\RCV2\clbcatq.dll@0 0x2A 0x00 0x3E 0x11 ...
Reg HKLM\SYSTEM\ControlSet002\Control\Nls\MUILanguages\RCV2\clbcatq.dll@1 0x6A 0xB7 0x9D 0x1D ...
Reg HKLM\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\vmdesched.sys
Reg HKLM\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\vmdesched.sys@ driver
Reg HKLM\SYSTEM\ControlSet002\Control\SafeBoot\Network\vmdesched.sys
Reg HKLM\SYSTEM\ControlSet002\Control\SafeBoot\Network\vmdesched.sys@ driver
Reg HKLM\SYSTEM\ControlSet002\Services\clbdriver
Reg HKLM\SYSTEM\ControlSet002\Services\clbdriver@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\clbdriver@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\clbdriver@imagepath \??\globalroot\systemroot\system32\drivers\vmdesched.sys
Reg HKLM\SYSTEM\CurrentControlSet\Control\Nls\MUILanguages\RCV2\clb.dll
Reg HKLM\SYSTEM\CurrentControlSet\Control\Nls\MUILanguages\RCV2\clb.dll@0 0x00 0x00 0x28 0x0A ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\Nls\MUILanguages\RCV2\clb.dll@1 0xB6 0x00 0xB6 0xEB ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\Nls\MUILanguages\RCV2\clbcatex.dll
Reg HKLM\SYSTEM\CurrentControlSet\Control\Nls\MUILanguages\RCV2\clbcatex.dll@0 0x2A 0x00 0x3E 0x11 ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\Nls\MUILanguages\RCV2\clbcatex.dll@1 0xCF 0x24 0x2A 0x85 ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\Nls\MUILanguages\RCV2\clbcatq.dll
Reg HKLM\SYSTEM\CurrentControlSet\Control\Nls\MUILanguages\RCV2\clbcatq.dll@0 0x2A 0x00 0x3E 0x11 ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\Nls\MUILanguages\RCV2\clbcatq.dll@1 0x6A 0xB7 0x9D 0x1D ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vmdesched.sys
Reg HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vmdesched.sys@ driver
Reg HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\vmdesched.sys
Reg HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\vmdesched.sys@ driver
Reg HKLM\SYSTEM\CurrentControlSet\Services\clbdriver
Reg HKLM\SYSTEM\CurrentControlSet\Services\clbdriver@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\clbdriver@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\clbdriver@imagepath \??\globalroot\systemroot\system32\drivers\vmdesched.sys
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\clbImageData
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\clbImageData@affid 7
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\clbImageData@subid run02
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\clbImageData@control 0x1A 0x00 0x15 0x13 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\clbImageData@prov 10010
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\clbImageData@googleadserver pagead2.googlesyndication.com
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\clbImageData@flagged 1
Reg HKLM\SOFTWARE\Classes\CLSID\{0F8B16FA-DDA9-261F-0E4D-D9A33351F591}\InprocHandler32@ ole32.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{0F8B16FA-DDA9-261F-0E4D-D9A33351F591}\LocalServer32@ C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE
Reg HKLM\SOFTWARE\Classes\CLSID\{0F8B16FA-DDA9-261F-0E4D-D9A33351F591}\LocalServer32@LocalServer32 C84DVn-}f(YR]eAR6.jiOUTLOOKFiles>'K2Qps't@=3LoeW%lTmK?
---- Files - GMER 1.0.14 ----
File C:\WINDOWS\SYSTEM32\DRIVERS\vmdesched.sys
File C:\WINDOWS\SYSTEM32\dllcache\clb.dll
File C:\WINDOWS\SYSTEM32\clb.dll
File C:\WINDOWS\SYSTEM32\clbcatq.dll
File C:\WINDOWS\SYSTEM32\clbcatex.dll
File C:\WINDOWS\SYSTEM32\cdosys.dll
File C:\WINDOWS\SYSTEM32\clbinit.dll
File C:\WINDOWS\$NtUninstallKB902400$\clbcatq.dll
File C:\WINDOWS\$NtUninstallKB902400$\clbcatex.dll
File C:\WINDOWS\$xpsp1hfm$\KB828741\clbcatq.dll
File C:\WINDOWS\$xpsp1hfm$\KB828741\clbcatex.dll
File C:\WINDOWS\$NtUninstallKB828741$\clbcatq.dll
File C:\WINDOWS\$NtUninstallKB828741$\clbcatex.dll
File C:\WINDOWS\$NtServicePackUninstall$\clbcatq.dll
File C:\WINDOWS\$NtServicePackUninstall$\clbcatex.dll
File C:\WINDOWS\ServicePackFiles\i386\clbcatex.dll
File C:\WINDOWS\ServicePackFiles\i386\clbcatq.dll
File C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\clbcatq.dll
File C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\clbcatex.dll
---- EOF - GMER 1.0.14 ----
Last is the HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:37:47 PM, on 5/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\MI948F~1\GAMECO~1\common\swtrayv4.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SideWinderTrayV4] C:\PROGRA~1\MI948F~1\GAMECO~1\common\swtrayv4.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.powertabs.net
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.comcastsu...fix/tgctlsr.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.putfile.c...geUploader4.cab
O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) -
O16 - DPF: {FD18DD5E-B398-452A-B22A-B54636BA9F0D} (Aurigma Image Uploader 2.5) - http://www.blinkz.co...geUploader2.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel® Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
--
End of file - 8196 bytes
Let me know, I'm starting to get a little worried,
John