Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Virus attack, outerinfo , please help! [RESOLVED]

Started by dadpcfixer1 , May 05 2008 02:19 PM

  • This topic is locked This topic is locked

#1
dadpcfixer1
Posted 05 May 2008 - 02:19 PM

dadpcfixer1

    Member

  • Member
  • PipPip
  • 21 posts
Hello,
I need help again fixing my home computer. I am actually typing this on my laptop. The problem started this morning when the wife said she could not get to some internet sites. I verified this. Internet explored will not even take me to "www.geekstogo.com". I even tried firefox and I cannot get to your site on my home computer. Anyway, I ran "Hijackthis" on the infected pc and below is the logfile:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:16, on 2008-05-05
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\MI948F~1\GAMECO~1\common\swtrayv4.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {A168E80E-C5EA-4021-8534-7163D4397B35} - C:\WINDOWS\system32\ddcAsRli.dll (file missing)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SideWinderTrayV4] C:\PROGRA~1\MI948F~1\GAMECO~1\common\swtrayv4.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [33350746] rundll32.exe "C:\WINDOWS\system32\jrwlpqvj.dll",b
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.powertabs.net
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.comcastsu...fix/tgctlsr.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.putfile.c...geUploader4.cab
O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) -
O16 - DPF: {FD18DD5E-B398-452A-B22A-B54636BA9F0D} (Aurigma Image Uploader 2.5) - http://www.blinkz.co...geUploader2.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel® Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 8427 bytes


Also, when I try to ping www.geekstogo.com with the command prompt, it works but the ip address is 127.0.0.1, the local loopback. What the...! When I use the browser to try to reach www.geekstogo.com it fails. Also, other site fail to load also, but geekstogo is just one example.

Also, when I tried to run combofix, it would not run. I renamed combofix to fix and then it ran.

Help Please!
John

Edited by dadpcfixer1, 05 May 2008 - 07:11 PM.

  • 0

Advertisements

#2
fenzodahl512
Posted 06 May 2008 - 05:53 PM

fenzodahl512

  • Malware Removal
  • 9,863 posts
Hello, my name is fenzodahl512 and welcome to Geekstogo.. I'm looking at your log now and currently consulting with experts about your malware problem. I will get back to you as soon as possible.. Thank you for your understanding and patience.. :)


Regards
fenzodahl512
  • 0

#3
dadpcfixer1
Posted 06 May 2008 - 10:08 PM

dadpcfixer1

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
Thanks for the help. Some sites I can get to. I stll cannot get to your site here. Again, I am typing on my work laptop.
Also, I did go to the outerinfo site and ran the uninstaller. That did not fix anything. Let me know what I should do next.
This is a pretty nasty bug on my puter. That still freaks me out when I ping www.geekstogo i get the local loopback ip of 127.0.0.1.

Thanks,

John
  • 0

#4
fenzodahl512
Posted 07 May 2008 - 09:06 AM

fenzodahl512

  • Malware Removal
  • 9,863 posts
Hello dadpcfixer1, my name is fenzodahl512 and welcome to Geekstogo.. Please do the following..

Since you already run ComboFix, please post the log here. Please find the log located at C:\ComboFix.txt


Please download the HostsXpert by funkytoad.
  • Unzip HostsXpert to a convenient folder such as C:\HostsXpert
  • Double-click HostsXpert.exe to run HostsXpert - Hosts File Manager from its new home
  • Click "Make Hosts Writable?" in the upper right corner (If available).
  • Click Restore Ms Hosts File and then click OK.
  • Click the X to exit the program.
  • Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.


Please post the following logs in your next reply

1. Previous ComboFix log
2. A fresh HijackThis log (after HostsXpert step)


Regards
fenzodahl512
  • 0

#5
dadpcfixer1
Posted 07 May 2008 - 09:46 PM

dadpcfixer1

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
Hello again.

I am typing this again on my work laptop, as I still cannot access www.geekstogo.com with my infected pc.

Ok, first I ran the "hostsexpert" program. It did restore my hosts file.

Below is the combofix log file:

ComboFix 08-05-01.3 - XP 2008-05-05 19:35:45.5 - FAT32x86
Running from: C:\del\Fix.exe
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\SYSTEM32\000080.exe
C:\WINDOWS\SYSTEM32\000090.exe
C:\WINDOWS\SYSTEM32\ieukopwf.ini
C:\WINDOWS\SYSTEM32\ilRsAcdd.ini
C:\WINDOWS\SYSTEM32\ilRsAcdd.ini2
C:\WINDOWS\SYSTEM32\jvqplwrj.ini
C:\WINDOWS\SYSTEM32\SsCccMoq.ini
C:\WINDOWS\SYSTEM32\SsCccMoq.ini2
C:\WINDOWS\system32\ssihfcbi.dll
C:\WINDOWS\SYSTEM32\wcmqtsxp.ini
C:\WINDOWS\system32\xwugeojh.dll
C:\WINDOWS\system32\XycMVvut.ini
C:\WINDOWS\SYSTEM32\XycMVvut.ini2

.
((((((((((((((((((((((((( Files Created from 2008-04-06 to 2008-05-06 )))))))))))))))))))))))))))))))
.

2008-05-05 07:55 . 2008-05-05 07:55 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-05-05 07:55 . 2008-05-05 07:55 <DIR> d-------- C:\Documents and Settings\XP\Application Data\SUPERAntiSpyware.com
2008-05-05 07:55 . 2008-05-05 07:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-05 07:00 . 2008-05-05 07:01 152 --a------ C:\WINDOWS\wininit.ini
2008-05-05 06:20 . 2008-05-05 06:20 96,832 --------- C:\WINDOWS\SYSTEM32\fwpokuei.dll_old
2008-05-05 06:18 . 2008-05-05 14:23 109,756 --a------ C:\WINDOWS\BM300634da.xml
2008-05-04 14:09 . 2001-08-23 14:00 4,224 --a------ C:\WINDOWS\SYSTEM32\beep.sys
2008-05-04 14:08 . 2008-05-04 14:08 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-04 14:08 . 2008-05-04 14:08 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-29 19:58 . 2008-04-29 19:58 41,296 --a------ C:\WINDOWS\SYSTEM32\xfcodec.dll
2008-04-27 20:27 . 2008-04-27 20:27 5,760,054 --a------ C:\WINDOWS\commie.BMP
2008-04-24 07:21 . 2008-01-11 17:39 145,408 --a------ C:\WINDOWS\SYSTEM32\ZuneMTPZ.dll
2008-04-24 07:21 . 2008-01-11 17:39 70,656 --a------ C:\WINDOWS\SYSTEM32\ZuneIpTransport.dll
2008-04-24 07:21 . 2008-01-11 17:39 62,464 --a------ C:\WINDOWS\SYSTEM32\ZuneUsbTransport.dll
2008-04-24 07:21 . 2008-01-11 17:39 35,840 --a------ C:\WINDOWS\SYSTEM32\ZuneUsbCOnnection.dll
2008-04-13 00:31 . 2008-04-13 00:31 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Xfire
2008-04-08 15:20 . 2008-04-08 15:20 <DIR> d-------- C:\Program Files\Packet Tracer 3.2
2008-04-08 15:11 . 2008-04-08 15:11 <DIR> d-------- C:\del
2008-04-07 21:15 . 2008-04-07 21:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-04-07 21:14 . 2008-04-07 21:14 <DIR> d-------- C:\Program Files\AIM6
2008-04-07 21:13 . 2008-04-12 11:16 1,818 --ah----- C:\IPH.PH

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-02 02:08 72,824 ----a-w C:\Documents and Settings\i120109\Application Data\GDIPFONTCACHEV1.DAT
2008-03-26 20:12 72,824 ----a-w C:\Documents and Settings\Cheryl\Application Data\GDIPFONTCACHEV1.DAT
2008-03-22 18:09 --------- d-----w C:\Documents and Settings\XP\Application Data\Apple Computer
2008-03-22 17:57 --------- d-----w C:\Program Files\Sun
2008-03-22 17:53 --------- d-----w C:\Program Files\Common Files\Java
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\SYSTEM32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\SYSTEM32\dllcache\win32k.sys
2008-03-17 00:32 691,545 ----a-w C:\WINDOWS\unins000.exe
2008-03-16 21:08 --------- d-----w C:\Program Files\Trend Micro
2008-03-08 21:45 --------- d-----w C:\Program Files\HOJY TECH
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\SYSTEM32\gdi32.dll
2008-02-20 06:51 282,624 ------w C:\WINDOWS\SYSTEM32\dllcache\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\SYSTEM32\dnsrslvr.dll
2008-02-20 05:32 45,568 ------w C:\WINDOWS\SYSTEM32\dllcache\dnsrslvr.dll
2008-02-20 05:32 148,992 ------w C:\WINDOWS\SYSTEM32\dllcache\dnsapi.dll
2008-02-16 22:29 3,059,712 ----a-w C:\WINDOWS\SYSTEM32\dllcache\mshtml.dll
2008-02-15 09:23 18,432 ----a-w C:\WINDOWS\SYSTEM32\dllcache\iedw.exe
2006-08-18 17:17 266 --sh--w C:\Program Files\desktop.ini
.

((((((((((((((((((((((((((((( snapshot@2008-05-05_14.47.32.95 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-05 19:44:36 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-05 23:23:34 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-05-05 19:44:38 16,384 ----a-w C:\WINDOWS\SYSTEM32\config\systemprofile\Cookies\index.dat
+ 2008-05-05 23:23:36 16,384 ----a-w C:\WINDOWS\SYSTEM32\config\systemprofile\Cookies\index.dat
- 2008-05-05 19:44:38 32,768 ----a-w C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-05-05 23:23:36 32,768 ----a-w C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-05-05 19:44:38 32,768 ----a-w C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-05-05 23:23:36 32,768 ----a-w C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A168E80E-C5EA-4021-8534-7163D4397B35}]
C:\WINDOWS\system32\ddcAsRli.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SlowFile Icon Overlay]
@={7D688A77-C613-11D0-999B-00C04FD655E1}

[HKEY_CLASSES_ROOT\CLSID\{7D688A77-C613-11D0-999B-00C04FD655E1}]
2007-10-25 21:34 8460288 --a------ C:\WINDOWS\SYSTEM32\SHELL32.DLL

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"LogitechSoftwareUpdate"="C:\Program Files\Logitech\Video\ManifestEngine.exe" [2005-06-08 14:44 196608]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe" [2001-08-23 14:00 3072 C:\WINDOWS\SYSTEM32\systray.exe]
"IMONTRAY"="C:\Program Files\Intel\Intel® Active Monitor\imontray.exe" [2003-11-03 16:44 32768]
"VSOCheckTask"="C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-08 18:18 151552]
"VirusScan Online"="C:\Program Files\McAfee.com\VSO\mcvsshld.exe" [2005-08-10 12:49 163840]
"OASClnt"="C:\Program Files\McAfee.com\VSO\oasclnt.exe" [2005-08-11 22:02 53248]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2005-09-22 18:29 303104]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\mcupdate.exe" [2006-01-11 12:05 212992]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2005-07-19 17:32 221184]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [2005-06-08 15:24 458752]
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [2005-06-08 15:14 217088]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-04 22:32 53248]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-16 23:11 49152]
"SideWinderTrayV4"="C:\PROGRA~1\MI948F~1\GAMECO~1\common\swtrayv4.exe" [1999-11-18 19:12 24650]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2003-07-13 02:49 155648]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-11-26 09:02 282624]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe" [2005-09-09 01:18 57344]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22 7700480]
"nwiz"="nwiz.exe" [2006-10-22 12:22 1622016 C:\WINDOWS\SYSTEM32\nwiz.exe]
"NvMediaCenter"="NvMCTray.dll" [2006-10-22 12:22 86016 C:\WINDOWS\SYSTEM32\nvmctray.dll]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-07-27 13:48 1388544]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2004-08-06 08:27 860160]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"Zune Launcher"="c:\Program Files\Zune\ZuneLauncher.exe" [2008-01-11 17:54 166304]
"33350746"="C:\WINDOWS\system32\jrwlpqvj.dll" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 01:01 437160]

C:\Documents and Settings\Stephen\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 20:16:50 113664]
Xfire.lnk - C:\Program Files\Xfire\Xfire.exe [2008-04-29 19:58:44 2998608]

C:\Documents and Settings\Cheryl\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2008-02-08 16:32:57 147456]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.VDOM"= vdowave.drv
"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Xfire\\Xfire.exe"=
"C:\\Program Files\\GlobalSCAPE\\CuteFTP\\cutftp32.exe"=
"C:\\Program Files\\Microsoft Games\\Midtown Madness\\midtown.exe"=
"C:\\Program Files\\mIRC\\mirc.exe"=
"C:\\WINDOWS\\System32\\dpvsetup.exe"=
"C:\\WINDOWS\\System32\\RUNDLL32.EXE"=
"C:\\Program Files\\Valve\\Steam\\SteamApps\\windexforlife\\half-life 2 deathmatch\\hl2.exe"=
"C:\\Program Files\\Valve\\Steam\\SteamApps\\windexforlife\\counter-strike source\\hl2.exe"=
"C:\\WINDOWS\\System32\\dxdiag.exe"=
"C:\\Program Files\\Steam\\Steam.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\Steam\\steamapps\\windexforlife\\counter-strike source\\hl2.exe"=
"C:\\Program Files\\Steam\\steamapps\\windexforlife\\half-life 2 deathmatch\\hl2.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

R2 zumbus;Zune Bus Enumerator Driver;C:\WINDOWS\system32\DRIVERS\zumbus.sys [2008-01-11 17:39]
R2 ZuneBusEnum;Zune Bus Enumerator;c:\WINDOWS\system32\ZuneBusEnum.exe [2008-01-11 17:54]
S3 AVCSTRM;AVC Streaming Filter Driver;C:\WINDOWS\system32\DRIVERS\avcstrm.sys [2004-08-04 01:09]
S3 MSTAPE;Microsoft AV/C Tape Subunit Device;C:\WINDOWS\system32\DRIVERS\mstape.sys [2004-08-04 01:09]
S3 ZuneWlanCfgSvc;Zune Wireless Configuration Service;c:\WINDOWS\system32\ZuneWlanCfgSvc.exe [2008-01-11 17:54]

.
Contents of the 'Scheduled Tasks' folder
"2008-05-04 04:00:02 C:\WINDOWS\Tasks\Tune-up Application Start.job"
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-05 19:37:55
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\system32\drivers\clbdriver.sys 32768 bytes
C:\WINDOWS\system32\clb.dll 32768 bytes
C:\WINDOWS\system32\clbcatq.dll 524288 bytes
C:\WINDOWS\system32\clbcatex.dll 131072 bytes
C:\WINDOWS\system32\clbdll.dll 65536 bytes
C:\WINDOWS\system32\clbinit.dll 32768 bytes

scan completed successfully
hidden files: 6

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\clbdriver]
"imagepath"="\??\globalroot\systemroot\system32\drivers\clbdriver.sys"
.
Completion time: 2008-05-05 19:38:32
ComboFix2.txt 2008-03-19 20:51:44
ComboFix-quarantined-files.txt 2008-05-06 00:38:30

Pre-Run: 156,143,026,176 bytes free
Post-Run: 156,128,673,792 bytes free

199 --- E O F --- 2008-04-21 21:16:13

Here is the new hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:20:24 PM, on 5/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
c:\program files\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\MI948F~1\GAMECO~1\common\swtrayv4.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {A168E80E-C5EA-4021-8534-7163D4397B35} - C:\WINDOWS\system32\ddcAsRli.dll (file missing)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SideWinderTrayV4] C:\PROGRA~1\MI948F~1\GAMECO~1\common\swtrayv4.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [33350746] rundll32.exe "C:\WINDOWS\system32\jrwlpqvj.dll",b
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.powertabs.net
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.comcastsu...fix/tgctlsr.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.putfile.c...geUploader4.cab
O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) -
O16 - DPF: {FD18DD5E-B398-452A-B22A-B54636BA9F0D} (Aurigma Image Uploader 2.5) - http://www.blinkz.co...geUploader2.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel® Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 8087 bytes


I also uploaded a jpg screen shot of the failed tracert command to www.geekstogo.com.

Let me know what you think...

John

Attached Thumbnails

  • tracert.jpg

  • 0

#6
fenzodahl512
Posted 08 May 2008 - 11:23 AM

fenzodahl512

  • Malware Removal
  • 9,863 posts
Hello dadpcfixer1, thanks for the reply.. Please do the following..

1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

Driver::
clbdriver

File::
C:\WINDOWS\SYSTEM32\fwpokuei.dll_old
C:\WINDOWS\BM300634da.xml
C:\WINDOWS\system32\ddcAsRli.dll
C:\WINDOWS\system32\jrwlpqvj.dll
C:\WINDOWS\system32\drivers\clbdriver.sys
C:\WINDOWS\system32\clbdll.dll
C:\WINDOWS\system32\clbinit.dll

DirLook::
C:\del


3. Save the above as CFScript.txt on your Desktop

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt




NEXT


Please re-open HijackThis and click on Do a system scan only. Check the boxes next to all the entries listed below.

O2 - BHO: (no name) - {A168E80E-C5EA-4021-8534-7163D4397B35} - C:\WINDOWS\system32\ddcAsRli.dll (file missing)
O4 - HKLM\..\Run: [33350746] rundll32.exe "C:\WINDOWS\system32\jrwlpqvj.dll",b

Now close all windows other than HijackThis, then click Fix checked. Close HijackThis.




NEXT


Please download LSPFix from HERE or HERE.
  • Save and unzip it to your Desktop
  • Run the LSPFix.exe that you have just finished downloading
  • Check the I know what I'm doing box
  • Dont move anything you see. Just click Finish>>




NEXT


Please download GMER and unzip it to your Desktop.
  • Open the program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Click on Scan.
  • When the scan has run click Copy and paste the results (if any) into this thread.



Please post the following logs in your next reply
1. ComboFix log
2. GMER log
3. A fresh HijackThis log (after GMER step)
  • 0

#7
dadpcfixer1
Posted 08 May 2008 - 07:48 PM

dadpcfixer1

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
Ok, ran the script to combofix. I had to rename combofix to a different name so it would run.
I deleted those two items with hijackthis.
I ran the LSPFix.
Ran GMER.

I still cannot get to www.geekstogo.com, loopback address still comes up with a ping.

Below are the files requested:

Combofix:

ComboFix 08-05-01.3 - XP 2008-05-08 20:13:04.6 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.655 [GMT -5:00]
Running from: C:\Documents and Settings\XP\Desktop\omboFix.exe
Command switches used :: C:\Documents and Settings\XP\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\BM300634da.xml
C:\WINDOWS\system32\cdosys.dll
C:\WINDOWS\system32\clbinit.dll
C:\WINDOWS\system32\ddcAsRli.dll
C:\WINDOWS\system32\drivers\vmdesched.sys
C:\WINDOWS\SYSTEM32\fwpokuei.dll_old
C:\WINDOWS\system32\jrwlpqvj.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM300634da.xml
C:\WINDOWS\SYSTEM32\fwpokuei.dll_old

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CLBDRIVER


((((((((((((((((((((((((( Files Created from 2008-04-09 to 2008-05-09 )))))))))))))))))))))))))))))))
.

2008-05-05 07:55 . 2008-05-05 07:55 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-05-05 07:55 . 2008-05-05 07:55 <DIR> d-------- C:\Documents and Settings\XP\Application Data\SUPERAntiSpyware.com
2008-05-05 07:55 . 2008-05-05 07:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-05 07:00 . 2008-05-05 07:01 152 --a------ C:\WINDOWS\wininit.ini
2008-05-04 14:09 . 2001-08-23 14:00 4,224 --a------ C:\WINDOWS\SYSTEM32\beep.sys
2008-04-29 19:58 . 2008-04-29 19:58 41,296 --a------ C:\WINDOWS\SYSTEM32\xfcodec.dll
2008-04-27 20:27 . 2008-04-27 20:27 5,760,054 --a------ C:\WINDOWS\commie.BMP
2008-04-24 07:21 . 2008-01-11 17:39 145,408 --a------ C:\WINDOWS\SYSTEM32\ZuneMTPZ.dll
2008-04-24 07:21 . 2008-01-11 17:39 70,656 --a------ C:\WINDOWS\SYSTEM32\ZuneIpTransport.dll
2008-04-24 07:21 . 2008-01-11 17:39 62,464 --a------ C:\WINDOWS\SYSTEM32\ZuneUsbTransport.dll
2008-04-24 07:21 . 2008-01-11 17:39 35,840 --a------ C:\WINDOWS\SYSTEM32\ZuneUsbCOnnection.dll
2008-04-13 00:31 . 2008-04-13 00:31 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Xfire

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-08 20:20 --------- d-----w C:\Program Files\Packet Tracer 3.2
2008-04-08 02:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-04-08 02:14 --------- d-----w C:\Program Files\AIM6
2008-04-02 02:08 72,824 ----a-w C:\Documents and Settings\i120109\Application Data\GDIPFONTCACHEV1.DAT
2008-03-26 20:12 72,824 ----a-w C:\Documents and Settings\Cheryl\Application Data\GDIPFONTCACHEV1.DAT
2008-03-22 18:09 --------- d-----w C:\Documents and Settings\XP\Application Data\Apple Computer
2008-03-22 17:57 --------- d-----w C:\Program Files\Sun
2008-03-22 17:53 --------- d-----w C:\Program Files\Common Files\Java
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\SYSTEM32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\SYSTEM32\dllcache\win32k.sys
2008-03-17 00:32 691,545 ----a-w C:\WINDOWS\unins000.exe
2008-03-16 21:08 --------- d-----w C:\Program Files\Trend Micro
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\SYSTEM32\gdi32.dll
2008-02-20 06:51 282,624 ------w C:\WINDOWS\SYSTEM32\dllcache\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\SYSTEM32\dnsrslvr.dll
2008-02-20 05:32 45,568 ------w C:\WINDOWS\SYSTEM32\dllcache\dnsrslvr.dll
2008-02-20 05:32 148,992 ------w C:\WINDOWS\SYSTEM32\dllcache\dnsapi.dll
2008-02-16 22:29 3,059,712 ----a-w C:\WINDOWS\SYSTEM32\dllcache\mshtml.dll
2008-02-15 09:23 18,432 ----a-w C:\WINDOWS\SYSTEM32\dllcache\iedw.exe
2006-08-18 17:17 266 --sh--w C:\Program Files\desktop.ini
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\del ----

2008-05-05 07:48 1782564 --a------ C:\del\Fix.exe


((((((((((((((((((((((((((((( snapshot@2008-05-05_14.47.32.95 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-05 19:44:36 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-09 01:17:08 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-05-05 19:44:38 16,384 ----a-w C:\WINDOWS\SYSTEM32\config\systemprofile\Cookies\index.dat
+ 2008-05-09 01:17:08 16,384 ----a-w C:\WINDOWS\SYSTEM32\config\systemprofile\Cookies\index.dat
- 2008-05-05 19:44:38 32,768 ----a-w C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-05-09 01:17:08 32,768 ----a-w C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-05-05 19:44:38 32,768 ----a-w C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-05-09 01:17:08 32,768 ----a-w C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A168E80E-C5EA-4021-8534-7163D4397B35}]
C:\WINDOWS\system32\ddcAsRli.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SlowFile Icon Overlay]
@={7D688A77-C613-11D0-999B-00C04FD655E1}

[HKEY_CLASSES_ROOT\CLSID\{7D688A77-C613-11D0-999B-00C04FD655E1}]
2007-10-25 21:34 8460288 --a------ C:\WINDOWS\SYSTEM32\SHELL32.DLL

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"LogitechSoftwareUpdate"="C:\Program Files\Logitech\Video\ManifestEngine.exe" [2005-06-08 14:44 196608]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe" [2001-08-23 14:00 3072 C:\WINDOWS\SYSTEM32\systray.exe]
"IMONTRAY"="C:\Program Files\Intel\Intel® Active Monitor\imontray.exe" [2003-11-03 16:44 32768]
"VSOCheckTask"="C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-08 18:18 151552]
"VirusScan Online"="C:\Program Files\McAfee.com\VSO\mcvsshld.exe" [2005-08-10 12:49 163840]
"OASClnt"="C:\Program Files\McAfee.com\VSO\oasclnt.exe" [2005-08-11 22:02 53248]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2005-09-22 18:29 303104]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\mcupdate.exe" [2006-01-11 12:05 212992]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2005-07-19 17:32 221184]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [2005-06-08 15:24 458752]
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [2005-06-08 15:14 217088]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-04 22:32 53248]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-16 23:11 49152]
"SideWinderTrayV4"="C:\PROGRA~1\MI948F~1\GAMECO~1\common\swtrayv4.exe" [1999-11-18 19:12 24650]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2003-07-13 02:49 155648]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-11-26 09:02 282624]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe" [2005-09-09 01:18 57344]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22 7700480]
"nwiz"="nwiz.exe" [2006-10-22 12:22 1622016 C:\WINDOWS\SYSTEM32\nwiz.exe]
"NvMediaCenter"="NvMCTray.dll" [2006-10-22 12:22 86016 C:\WINDOWS\SYSTEM32\nvmctray.dll]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-07-27 13:48 1388544]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2004-08-06 08:27 860160]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"Zune Launcher"="c:\Program Files\Zune\ZuneLauncher.exe" [2008-01-11 17:54 166304]
"33350746"="C:\WINDOWS\system32\jrwlpqvj.dll" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 01:01 437160]

C:\Documents and Settings\Stephen\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 20:16:50 113664]
Xfire.lnk - C:\Program Files\Xfire\Xfire.exe [2008-04-29 19:58:44 2998608]

C:\Documents and Settings\Cheryl\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2008-02-08 16:32:57 147456]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.VDOM"= vdowave.drv
"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Xfire\\Xfire.exe"=
"C:\\Program Files\\GlobalSCAPE\\CuteFTP\\cutftp32.exe"=
"C:\\Program Files\\Microsoft Games\\Midtown Madness\\midtown.exe"=
"C:\\Program Files\\mIRC\\mirc.exe"=
"C:\\WINDOWS\\System32\\dpvsetup.exe"=
"C:\\WINDOWS\\System32\\RUNDLL32.EXE"=
"C:\\Program Files\\Valve\\Steam\\SteamApps\\windexforlife\\half-life 2 deathmatch\\hl2.exe"=
"C:\\Program Files\\Valve\\Steam\\SteamApps\\windexforlife\\counter-strike source\\hl2.exe"=
"C:\\WINDOWS\\System32\\dxdiag.exe"=
"C:\\Program Files\\Steam\\Steam.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\Steam\\steamapps\\windexforlife\\counter-strike source\\hl2.exe"=
"C:\\Program Files\\Steam\\steamapps\\windexforlife\\half-life 2 deathmatch\\hl2.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

R2 zumbus;Zune Bus Enumerator Driver;C:\WINDOWS\system32\DRIVERS\zumbus.sys [2008-01-11 17:39]
R2 ZuneBusEnum;Zune Bus Enumerator;c:\WINDOWS\system32\ZuneBusEnum.exe [2008-01-11 17:54]
S3 AVCSTRM;AVC Streaming Filter Driver;C:\WINDOWS\system32\DRIVERS\avcstrm.sys [2004-08-04 01:09]
S3 MSTAPE;Microsoft AV/C Tape Subunit Device;C:\WINDOWS\system32\DRIVERS\mstape.sys [2004-08-04 01:09]
S3 ZuneWlanCfgSvc;Zune Wireless Configuration Service;c:\WINDOWS\system32\ZuneWlanCfgSvc.exe [2008-01-11 17:54]

*Newly Created Service* - CLBDRIVER
.
Contents of the 'Scheduled Tasks' folder
"2008-05-08 04:00:02 C:\WINDOWS\Tasks\Tune-up Application Start.job"
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-08 20:17:49
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\system32\drivers\clbdriver.sys 32768 bytes
C:\WINDOWS\system32\clb.dll 32768 bytes
C:\WINDOWS\system32\clbcatq.dll 524288 bytes
C:\WINDOWS\system32\clbcatex.dll 131072 bytes
C:\WINDOWS\system32\clbdll.dll 65536 bytes
C:\WINDOWS\system32\clbinit.dll 32768 bytes

scan completed successfully
hidden files: 6

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\clbdriver]
"imagepath"="\??\globalroot\systemroot\system32\drivers\clbdriver.sys"
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRAM FILES\ADOBE\PHOTOSHOP ELEMENTS 4.0\PHOTOSHOPELEMENTSFILEAGENT.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCDETECT.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCSHIELD.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCTSKSHD.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
C:\WINDOWS\SYSTEM32\NVSVC32.EXE
C:\WINDOWS\SYSTEM32\HPZIPM12.EXE
C:\WINDOWS\SYSTEM32\PNKBSTRA.EXE
C:\PROGRAM FILES\ANALOG DEVICES\SOUNDMAX\SMAGENT.EXE
C:\PROGRAM FILES\INTEL\INTEL® ACTIVE MONITOR\IMONNT.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSESCN.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\GAME CONTROLLERS\COMMON\SWTRAYV4.EXE
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSFTSN.EXE
.
**************************************************************************
.
Completion time: 2008-05-08 20:20:21 - machine was rebooted [XP]
ComboFix3.txt 2008-03-19 20:51:44
ComboFix-quarantined-files.txt 2008-05-09 01:20:18
ComboFix2.txt 2008-05-06 00:38:36

Pre-Run: 155,601,076,224 bytes free
Post-Run: 155,705,311,232 bytes free

214 --- E O F --- 2008-04-21 21:16:13


Next is GMER:

GMER 1.0.14.14205 - http://www.gmer.net
Rootkit scan 2008-05-08 20:36:45
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.14 ----

Code F76CE94C ZwEnumerateKey
Code F76CED0C ZwQueryDirectoryFile
Code F76CED0B NtQueryDirectoryFile

---- Kernel code sections - GMER 1.0.14 ----

? C:\omboFix\catchme.sys The system cannot find the path specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified. !

---- User code sections - GMER 1.0.14 ----

.text C:\WINDOWS\explorer.exe[2644] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00B63E00 c:\progra~1\mcafee.com\vso\McVSSkt.dll (McAfee VirusScan Winsock Helper DLL/McAfee, Inc.)
.text C:\Program Files\Intel\Intel® Active Monitor\imontray.exe[2804] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00BF3E00 c:\progra~1\mcafee.com\vso\McVSSkt.dll (McAfee VirusScan Winsock Helper DLL/McAfee, Inc.)
.text C:\Program Files\McAfee.com\VSO\mcvsshld.exe[2836] WS2_32.dll!connect 71AB406A 5 Bytes JMP 01473E00 c:\progra~1\mcafee.com\vso\McVSSkt.dll (McAfee VirusScan Winsock Helper DLL/McAfee, Inc.)
.text C:\Program Files\McAfee.com\VSO\oasclnt.exe[2852] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00C63E00 c:\progra~1\mcafee.com\vso\McVSSkt.dll (McAfee VirusScan Winsock Helper DLL/McAfee, Inc.)
.text C:\WINDOWS\system32\LVCOMSX.EXE[2924] WS2_32.dll!connect 71AB406A 5 Bytes JMP 01053E00 c:\progra~1\mcafee.com\vso\McVSSkt.dll (McAfee VirusScan Winsock Helper DLL/McAfee, Inc.)
.text ...

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs naiavf5x.sys (Anti-Virus File System Filter Driver/McAfee Inc.)
AttachedDevice \FileSystem\Fastfat \Fat naiavf5x.sys (Anti-Virus File System Filter Driver/McAfee Inc.)

---- Modules - GMER 1.0.14 ----

Module \??\globalroot\systemroot\system32\drivers\vmdesched.sys (*** hidden *** ) F76CD000-F76D1000 (16384 bytes)
---- Processes - GMER 1.0.14 ----

Library C:\WINDOWS\System32\CLBCATQ.DLL (*** hidden *** ) @ C:\WINDOWS\System32\alg.exe [284] 0x76FD0000
Library C:\WINDOWS\system32\CLBCATQ.DLL (*** hidden *** ) @ C:\WINDOWS\system32\winlogon.exe [460] 0x76FD0000
Library C:\WINDOWS\system32\CLBCATQ.DLL (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [680] 0x76FD0000
Library C:\WINDOWS\system32\CLBCATQ.DLL (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [756] 0x76FD0000
Library C:\WINDOWS\System32\CLBCATQ.DLL (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [824] 0x76FD0000
Library C:\WINDOWS\system32\CLBCATQ.DLL (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1004] 0x76FD0000
Library C:\WINDOWS\system32\CLBCATQ.DLL (*** hidden *** ) @ C:\WINDOWS\system32\spoolsv.exe [1156] 0x76FD0000
Library C:\WINDOWS\system32\CLBCATQ.DLL (*** hidden *** ) @ c:\program files\mcafee.com\agent\mcdetect.exe [1320] 0x76FD0000
Library C:\WINDOWS\system32\CLBCATQ.DLL (*** hidden *** ) @ c:\PROGRA~1\mcafee.com\vso\mcshield.exe [1372] 0x76FD0000
Library C:\WINDOWS\system32\CLBCATQ.DLL (*** hidden *** ) @ C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe [1488] 0x76FD0000
Library C:\WINDOWS\System32\CLBCATQ.DLL (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1652] 0x76FD0000
Library C:\WINDOWS\system32\CLBCATQ.DLL (*** hidden *** ) @ C:\WINDOWS\explorer.exe [2644] 0x76FD0000
Library C:\WINDOWS\system32\CLBCATQ.DLL (*** hidden *** ) @ C:\Program Files\McAfee.com\VSO\mcvsshld.exe [2836] 0x76FD0000
Library C:\WINDOWS\system32\CLBCATQ.DLL (*** hidden *** ) @ C:\Program Files\McAfee.com\VSO\oasclnt.exe [2852] 0x76FD0000
Library C:\WINDOWS\system32\CLBCATQ.DLL (*** hidden *** ) @ c:\progra~1\mcafee.com\vso\mcvsescn.exe [2868] 0x76FD0000
Library C:\WINDOWS\system32\CLBCATQ.DLL (*** hidden *** ) @ C:\WINDOWS\system32\LVCOMSX.EXE [2924] 0x76FD0000
Library C:\WINDOWS\system32\CLBCATQ.DLL (*** hidden *** ) @ C:\Program Files\Logitech\Video\LogiTray.exe [2944] 0x76FD0000
Library C:\WINDOWS\system32\CLBCATQ.DLL (*** hidden *** ) @ C:\PROGRA~1\MI948F~1\GAMECO~1\common\swtrayv4.exe [3056] 0x76FD0000
Library C:\WINDOWS\system32\CLBCATQ.DLL (*** hidden *** ) @ C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe [3156] 0x76FD0000
Library C:\WINDOWS\system32\CLBCATQ.DLL (*** hidden *** ) @ C:\Program Files\Messenger\msmsgs.exe [3496] 0x76FD0000
Library C:\WINDOWS\system32\CLBCATQ.DLL (*** hidden *** ) @ C:\Program Files\Logitech\Video\FxSvr2.exe [3804] 0x76FD0000
Library C:\WINDOWS\system32\CLBCATQ.DLL (*** hidden *** ) @ c:\progra~1\mcafee.com\vso\mcvsftsn.exe [3928] 0x76FD0000

---- Services - GMER 1.0.14 ----

Service globalroot\systemroot\system32\drivers\vmdesched.sys (*** hidden *** ) [SYSTEM] clbdriver <-- ROOTKIT !!!

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\ControlSet001\Control\Nls\MUILanguages\RCV2\clb.dll
Reg HKLM\SYSTEM\ControlSet001\Control\Nls\MUILanguages\RCV2\clb.dll@0 0x00 0x00 0x28 0x0A ...
Reg HKLM\SYSTEM\ControlSet001\Control\Nls\MUILanguages\RCV2\clb.dll@1 0xB6 0x00 0xB6 0xEB ...
Reg HKLM\SYSTEM\ControlSet001\Control\Nls\MUILanguages\RCV2\clbcatex.dll
Reg HKLM\SYSTEM\ControlSet001\Control\Nls\MUILanguages\RCV2\clbcatex.dll@0 0x2A 0x00 0x3E 0x11 ...
Reg HKLM\SYSTEM\ControlSet001\Control\Nls\MUILanguages\RCV2\clbcatex.dll@1 0xCF 0x24 0x2A 0x85 ...
Reg HKLM\SYSTEM\ControlSet001\Control\Nls\MUILanguages\RCV2\clbcatq.dll
Reg HKLM\SYSTEM\ControlSet001\Control\Nls\MUILanguages\RCV2\clbcatq.dll@0 0x2A 0x00 0x3E 0x11 ...
Reg HKLM\SYSTEM\ControlSet001\Control\Nls\MUILanguages\RCV2\clbcatq.dll@1 0x6A 0xB7 0x9D 0x1D ...
Reg HKLM\SYSTEM\ControlSet002\Control\Nls\MUILanguages\RCV2\clb.dll
Reg HKLM\SYSTEM\ControlSet002\Control\Nls\MUILanguages\RCV2\clb.dll@0 0x00 0x00 0x28 0x0A ...
Reg HKLM\SYSTEM\ControlSet002\Control\Nls\MUILanguages\RCV2\clb.dll@1 0xB6 0x00 0xB6 0xEB ...
Reg HKLM\SYSTEM\ControlSet002\Control\Nls\MUILanguages\RCV2\clbcatex.dll
Reg HKLM\SYSTEM\ControlSet002\Control\Nls\MUILanguages\RCV2\clbcatex.dll@0 0x2A 0x00 0x3E 0x11 ...
Reg HKLM\SYSTEM\ControlSet002\Control\Nls\MUILanguages\RCV2\clbcatex.dll@1 0xCF 0x24 0x2A 0x85 ...
Reg HKLM\SYSTEM\ControlSet002\Control\Nls\MUILanguages\RCV2\clbcatq.dll
Reg HKLM\SYSTEM\ControlSet002\Control\Nls\MUILanguages\RCV2\clbcatq.dll@0 0x2A 0x00 0x3E 0x11 ...
Reg HKLM\SYSTEM\ControlSet002\Control\Nls\MUILanguages\RCV2\clbcatq.dll@1 0x6A 0xB7 0x9D 0x1D ...
Reg HKLM\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\vmdesched.sys
Reg HKLM\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\vmdesched.sys@ driver
Reg HKLM\SYSTEM\ControlSet002\Control\SafeBoot\Network\vmdesched.sys
Reg HKLM\SYSTEM\ControlSet002\Control\SafeBoot\Network\vmdesched.sys@ driver
Reg HKLM\SYSTEM\ControlSet002\Services\clbdriver
Reg HKLM\SYSTEM\ControlSet002\Services\clbdriver@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\clbdriver@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\clbdriver@imagepath \??\globalroot\systemroot\system32\drivers\vmdesched.sys
Reg HKLM\SYSTEM\CurrentControlSet\Control\Nls\MUILanguages\RCV2\clb.dll
Reg HKLM\SYSTEM\CurrentControlSet\Control\Nls\MUILanguages\RCV2\clb.dll@0 0x00 0x00 0x28 0x0A ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\Nls\MUILanguages\RCV2\clb.dll@1 0xB6 0x00 0xB6 0xEB ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\Nls\MUILanguages\RCV2\clbcatex.dll
Reg HKLM\SYSTEM\CurrentControlSet\Control\Nls\MUILanguages\RCV2\clbcatex.dll@0 0x2A 0x00 0x3E 0x11 ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\Nls\MUILanguages\RCV2\clbcatex.dll@1 0xCF 0x24 0x2A 0x85 ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\Nls\MUILanguages\RCV2\clbcatq.dll
Reg HKLM\SYSTEM\CurrentControlSet\Control\Nls\MUILanguages\RCV2\clbcatq.dll@0 0x2A 0x00 0x3E 0x11 ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\Nls\MUILanguages\RCV2\clbcatq.dll@1 0x6A 0xB7 0x9D 0x1D ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vmdesched.sys
Reg HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vmdesched.sys@ driver
Reg HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\vmdesched.sys
Reg HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\vmdesched.sys@ driver
Reg HKLM\SYSTEM\CurrentControlSet\Services\clbdriver
Reg HKLM\SYSTEM\CurrentControlSet\Services\clbdriver@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\clbdriver@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\clbdriver@imagepath \??\globalroot\systemroot\system32\drivers\vmdesched.sys
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\clbImageData
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\clbImageData@affid 7
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\clbImageData@subid run02
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\clbImageData@control 0x1A 0x00 0x15 0x13 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\clbImageData@prov 10010
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\clbImageData@googleadserver pagead2.googlesyndication.com
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\clbImageData@flagged 1
Reg HKLM\SOFTWARE\Classes\CLSID\{0F8B16FA-DDA9-261F-0E4D-D9A33351F591}\InprocHandler32@ ole32.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{0F8B16FA-DDA9-261F-0E4D-D9A33351F591}\LocalServer32@ C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE
Reg HKLM\SOFTWARE\Classes\CLSID\{0F8B16FA-DDA9-261F-0E4D-D9A33351F591}\LocalServer32@LocalServer32 C84DVn-}f(YR]eAR6.jiOUTLOOKFiles>'K2Qps't@=3LoeW%lTmK?

---- Files - GMER 1.0.14 ----

File C:\WINDOWS\SYSTEM32\DRIVERS\vmdesched.sys
File C:\WINDOWS\SYSTEM32\dllcache\clb.dll
File C:\WINDOWS\SYSTEM32\clb.dll
File C:\WINDOWS\SYSTEM32\clbcatq.dll
File C:\WINDOWS\SYSTEM32\clbcatex.dll
File C:\WINDOWS\SYSTEM32\cdosys.dll
File C:\WINDOWS\SYSTEM32\clbinit.dll
File C:\WINDOWS\$NtUninstallKB902400$\clbcatq.dll
File C:\WINDOWS\$NtUninstallKB902400$\clbcatex.dll
File C:\WINDOWS\$xpsp1hfm$\KB828741\clbcatq.dll
File C:\WINDOWS\$xpsp1hfm$\KB828741\clbcatex.dll
File C:\WINDOWS\$NtUninstallKB828741$\clbcatq.dll
File C:\WINDOWS\$NtUninstallKB828741$\clbcatex.dll
File C:\WINDOWS\$NtServicePackUninstall$\clbcatq.dll
File C:\WINDOWS\$NtServicePackUninstall$\clbcatex.dll
File C:\WINDOWS\ServicePackFiles\i386\clbcatex.dll
File C:\WINDOWS\ServicePackFiles\i386\clbcatq.dll
File C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\clbcatq.dll
File C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\clbcatex.dll

---- EOF - GMER 1.0.14 ----

Last is Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:37:47 PM, on 5/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\MI948F~1\GAMECO~1\common\swtrayv4.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SideWinderTrayV4] C:\PROGRA~1\MI948F~1\GAMECO~1\common\swtrayv4.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.powertabs.net
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.comcastsu...fix/tgctlsr.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.putfile.c...geUploader4.cab
O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) -
O16 - DPF: {FD18DD5E-B398-452A-B22A-B54636BA9F0D} (Aurigma Image Uploader 2.5) - http://www.blinkz.co...geUploader2.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel® Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 8196 bytes


Let me know, I'm starting to get a littled worried :) ,

John
  • 0

#8
fenzodahl512
Posted 09 May 2008 - 10:57 AM

fenzodahl512

  • Malware Removal
  • 9,863 posts
Hello John.. Thanks for the reply.. We are doing our best to help you :)

Please do the following..


Please show hidden files and folders. Please visit HERE if you don't know how.

Jotti File Submission:
  • Please go to Jotti's malware scan
  • Copy and paste the following file path into the "File to upload & scan"box on the top of the page:

    • C:\WINDOWS\SYSTEM32\DRIVERS\vmdesched.sys
  • Click on the submit button
  • Please post the results in your next reply.
Please repeat this step with this file: C:\del\Fix.exe
If Jotti server is too busy, please submit the file to VirusTotal instead.




NEXT


1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

Driver::
clbdriver

Rootkit::
C:\WINDOWS\system32\drivers\clbdriver.sys

File::
C:\WINDOWS\system32\drivers\clbdriver.sys
C:\WINDOWS\system32\clbdll.dll
C:\WINDOWS\system32\clbinit.dll

Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\clbdriver]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\clbdriver]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\clbdriver]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\clbImageData]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F8B16FA-DDA9-261F-0E4D-D9A33351F591}]

FileLook::
C:\del\Fix.exe


3. Save the above as CFScript.txt on your Desktop

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt



NEXT


Please download WinsockXPFix from HERE.
  • Double-click on WinsockXPFix and click on Fix
It will restart your computer in attempt to fix the internet connection.



Please post the following logs in your next reply..

1. Jotti Scan results (for both files)
2. ComboFix log
3. HijackThis log (after WinsockXPFix step)


Regards
fenzodahl512
  • 0

#9
dadpcfixer1
Posted 09 May 2008 - 07:48 PM

dadpcfixer1

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
Ok, first thing, I could not find this file:
C:\WINDOWS\SYSTEM32\DRIVERS\vmdesched.sys

It is gone. I even ran that gmer.exe prog to see if it showed up in there as it did in the past post. It did not.

Second, I did the second file located here: c:\del\fix.exe. That file was my original combofix file that I renamed to fix because my computer would not let me run it with the name combofix, but would with fix.

The results of the scan of the c:\del\fix.exe were the same as the omboFix.exe file I was using to run combofix.
Below arew the results:



Service load: 0% 100%

File: omboFix.exe
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: 454ad54c474a76625d87102aa5ab2879
Packers detected: PE_PATCH.UPX, UPX
Bit9 reports:

Scanner results
Scan taken on 10 May 2008 01:38:28 (GMT)
A-Squared Found nothing
AntiVir Found APPL/Tool.NirCmd.D, APPL/Rmadmin.131072, SPR/Tool.PV
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found BackDoor.W32.Agent.ahj
Dr.Web Found BATCH.Virus, SCRIPT.Virus, Program.PsExec.171 (probable variant)
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found RAT/ProcLaunch
Ikarus Found Backdoor.Win32.VB.awx, Win32.SuspectCrc, Trojan-Downloader.Win32.Agent.aww
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found Bck/VB.XB
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found BackDoor.TerraBit


Here is the combofix log. I ran it twice since I didnot get a log file the first time:

ComboFix 08-05-01.3 - XP 2008-05-09 20:18:26.8 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.670 [GMT -5:00]
Running from: C:\Documents and Settings\XP\Desktop\omboFix.exe
Command switches used :: C:\Documents and Settings\XP\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\clbdll.dll
C:\WINDOWS\system32\clbinit.dll
C:\WINDOWS\system32\drivers\clbdriver.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\clbdll.dll
C:\WINDOWS\system32\clbinit.dll
C:\WINDOWS\system32\drivers\clbdriver.sys
.
---- Previous Run -------
.
C:\WINDOWS\system32\drivers\clbdriver.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CLBDRIVER


((((((((((((((((((((((((( Files Created from 2008-04-10 to 2008-05-10 )))))))))))))))))))))))))))))))
.

2008-05-09 13:00 . 2008-05-09 13:00 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-09 13:00 . 2008-05-09 13:00 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-08 20:30 . 2008-05-09 17:24 250 --a------ C:\WINDOWS\gmer.ini
2008-05-05 07:55 . 2008-05-05 07:55 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-05-05 07:55 . 2008-05-05 07:55 <DIR> d-------- C:\Documents and Settings\XP\Application Data\SUPERAntiSpyware.com
2008-05-05 07:55 . 2008-05-05 07:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-05 07:00 . 2008-05-05 07:01 152 --a------ C:\WINDOWS\wininit.ini
2008-05-04 14:09 . 2001-08-23 14:00 4,224 --a------ C:\WINDOWS\SYSTEM32\beep.sys
2008-04-29 19:58 . 2008-04-29 19:58 41,296 --a------ C:\WINDOWS\SYSTEM32\xfcodec.dll
2008-04-27 20:27 . 2008-04-27 20:27 5,760,054 --a------ C:\WINDOWS\commie.BMP
2008-04-24 07:21 . 2008-01-11 17:39 145,408 --a------ C:\WINDOWS\SYSTEM32\ZuneMTPZ.dll
2008-04-24 07:21 . 2008-01-11 17:39 70,656 --a------ C:\WINDOWS\SYSTEM32\ZuneIpTransport.dll
2008-04-24 07:21 . 2008-01-11 17:39 62,464 --a------ C:\WINDOWS\SYSTEM32\ZuneUsbTransport.dll
2008-04-24 07:21 . 2008-01-11 17:39 35,840 --a------ C:\WINDOWS\SYSTEM32\ZuneUsbCOnnection.dll
2008-04-13 00:31 . 2008-04-13 00:31 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Xfire

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-08 20:20 --------- d-----w C:\Program Files\Packet Tracer 3.2
2008-04-08 02:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-04-08 02:14 --------- d-----w C:\Program Files\AIM6
2008-04-02 02:08 72,824 ----a-w C:\Documents and Settings\i120109\Application Data\GDIPFONTCACHEV1.DAT
2008-03-26 20:12 72,824 ----a-w C:\Documents and Settings\Cheryl\Application Data\GDIPFONTCACHEV1.DAT
2008-03-22 18:09 --------- d-----w C:\Documents and Settings\XP\Application Data\Apple Computer
2008-03-22 17:57 --------- d-----w C:\Program Files\Sun
2008-03-22 17:53 --------- d-----w C:\Program Files\Common Files\Java
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\SYSTEM32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\SYSTEM32\dllcache\win32k.sys
2008-03-17 00:32 691,545 ----a-w C:\WINDOWS\unins000.exe
2008-03-16 21:08 --------- d-----w C:\Program Files\Trend Micro
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\SYSTEM32\gdi32.dll
2008-02-20 06:51 282,624 ------w C:\WINDOWS\SYSTEM32\dllcache\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\SYSTEM32\dnsrslvr.dll
2008-02-20 05:32 45,568 ------w C:\WINDOWS\SYSTEM32\dllcache\dnsrslvr.dll
2008-02-20 05:32 148,992 ------w C:\WINDOWS\SYSTEM32\dllcache\dnsapi.dll
2008-02-16 22:29 3,059,712 ----a-w C:\WINDOWS\SYSTEM32\dllcache\mshtml.dll
2008-02-15 09:23 18,432 ----a-w C:\WINDOWS\SYSTEM32\dllcache\iedw.exe
2006-08-18 17:17 266 --sh--w C:\Program Files\desktop.ini
.

((((((((((((((((((((((((((((( snapshot@2008-05-05_14.47.32.95 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-07-26 04:20:24 110,080 ------w C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\clbcatex.dll
+ 2005-07-26 04:20:24 498,688 ------w C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\clbcatq.dll
+ 2004-03-06 02:04:58 110,080 ------w C:\WINDOWS\$NtServicePackUninstall$\clbcatex.dll
+ 2004-03-05 23:05:00 499,712 ------w C:\WINDOWS\$NtServicePackUninstall$\clbcatq.dll
+ 2001-08-23 19:00:00 100,864 ------w C:\WINDOWS\$NtUninstallKB828741$\clbcatex.dll
+ 2001-08-23 19:00:00 468,480 ------w C:\WINDOWS\$NtUninstallKB828741$\clbcatq.dll
+ 2004-08-04 07:56:42 110,080 ------w C:\WINDOWS\$NtUninstallKB902400$\clbcatex.dll
+ 2004-08-04 07:56:42 501,248 ------w C:\WINDOWS\$NtUninstallKB902400$\clbcatq.dll
+ 2004-03-06 02:16:10 110,080 ----a-w C:\WINDOWS\$xpsp1hfm$\KB828741\clbcatex.dll
+ 2004-03-06 02:16:12 499,712 ----a-w C:\WINDOWS\$xpsp1hfm$\KB828741\clbcatq.dll
- 2008-05-05 19:44:36 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-10 01:21:04 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-09 01:30:12 819,200 ----a-w C:\WINDOWS\gmer.dll
+ 2008-03-04 01:29:06 761,856 ----a-w C:\WINDOWS\gmer.exe
+ 2004-08-04 07:56:42 110,080 ------w C:\WINDOWS\ServicePackFiles\i386\clbcatex.dll
+ 2004-08-04 07:56:42 501,248 ------w C:\WINDOWS\ServicePackFiles\i386\clbcatq.dll
+ 2001-08-23 19:00:00 10,752 ----a-w C:\WINDOWS\SYSTEM32\clb.dll
+ 2005-07-26 04:39:44 110,080 ----a-w C:\WINDOWS\SYSTEM32\clbcatex.dll
+ 2005-07-26 04:39:44 498,688 ----a-w C:\WINDOWS\SYSTEM32\clbcatq.dll
- 2008-05-05 19:44:38 16,384 ----a-w C:\WINDOWS\SYSTEM32\config\systemprofile\Cookies\index.dat
+ 2008-05-09 01:17:08 16,384 ----a-w C:\WINDOWS\SYSTEM32\config\systemprofile\Cookies\index.dat
- 2008-05-05 19:44:38 32,768 ----a-w C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-05-09 01:17:08 32,768 ----a-w C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-05-05 19:44:38 32,768 ----a-w C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-05-09 01:17:08 32,768 ----a-w C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2001-08-23 19:00:00 10,752 ----a-w C:\WINDOWS\SYSTEM32\dllcache\clb.dll
+ 2008-05-09 01:30:12 86,097 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\gmer.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SlowFile Icon Overlay]
@={7D688A77-C613-11D0-999B-00C04FD655E1}

[HKEY_CLASSES_ROOT\CLSID\{7D688A77-C613-11D0-999B-00C04FD655E1}]
2007-10-25 21:34 8460288 --a------ C:\WINDOWS\SYSTEM32\SHELL32.DLL

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"LogitechSoftwareUpdate"="C:\Program Files\Logitech\Video\ManifestEngine.exe" [2005-06-08 14:44 196608]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe" [2001-08-23 14:00 3072 C:\WINDOWS\SYSTEM32\systray.exe]
"IMONTRAY"="C:\Program Files\Intel\Intel® Active Monitor\imontray.exe" [2003-11-03 16:44 32768]
"VSOCheckTask"="C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-08 18:18 151552]
"VirusScan Online"="C:\Program Files\McAfee.com\VSO\mcvsshld.exe" [2005-08-10 12:49 163840]
"OASClnt"="C:\Program Files\McAfee.com\VSO\oasclnt.exe" [2005-08-11 22:02 53248]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2005-09-22 18:29 303104]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\mcupdate.exe" [2006-01-11 12:05 212992]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2005-07-19 17:32 221184]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [2005-06-08 15:24 458752]
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [2005-06-08 15:14 217088]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-04 22:32 53248]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-16 23:11 49152]
"SideWinderTrayV4"="C:\PROGRA~1\MI948F~1\GAMECO~1\common\swtrayv4.exe" [1999-11-18 19:12 24650]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2003-07-13 02:49 155648]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-11-26 09:02 282624]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe" [2005-09-09 01:18 57344]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22 7700480]
"nwiz"="nwiz.exe" [2006-10-22 12:22 1622016 C:\WINDOWS\SYSTEM32\nwiz.exe]
"NvMediaCenter"="NvMCTray.dll" [2006-10-22 12:22 86016 C:\WINDOWS\SYSTEM32\nvmctray.dll]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-07-27 13:48 1388544]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2004-08-06 08:27 860160]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"Zune Launcher"="c:\Program Files\Zune\ZuneLauncher.exe" [2008-01-11 17:54 166304]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 01:01 437160]

C:\Documents and Settings\Stephen\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 20:16:50 113664]
Xfire.lnk - C:\Program Files\Xfire\Xfire.exe [2008-04-29 19:58:44 2998608]

C:\Documents and Settings\Cheryl\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2008-02-08 16:32:57 147456]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.VDOM"= vdowave.drv
"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\clbdriver.sys]
@="driver"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Xfire\\Xfire.exe"=
"C:\\Program Files\\GlobalSCAPE\\CuteFTP\\cutftp32.exe"=
"C:\\Program Files\\Microsoft Games\\Midtown Madness\\midtown.exe"=
"C:\\Program Files\\mIRC\\mirc.exe"=
"C:\\WINDOWS\\System32\\dpvsetup.exe"=
"C:\\WINDOWS\\System32\\RUNDLL32.EXE"=
"C:\\Program Files\\Valve\\Steam\\SteamApps\\windexforlife\\half-life 2 deathmatch\\hl2.exe"=
"C:\\Program Files\\Valve\\Steam\\SteamApps\\windexforlife\\counter-strike source\\hl2.exe"=
"C:\\WINDOWS\\System32\\dxdiag.exe"=
"C:\\Program Files\\Steam\\Steam.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\Steam\\steamapps\\windexforlife\\counter-strike source\\hl2.exe"=
"C:\\Program Files\\Steam\\steamapps\\windexforlife\\half-life 2 deathmatch\\hl2.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

R2 zumbus;Zune Bus Enumerator Driver;C:\WINDOWS\system32\DRIVERS\zumbus.sys [2008-01-11 17:39]
R2 ZuneBusEnum;Zune Bus Enumerator;c:\WINDOWS\system32\ZuneBusEnum.exe [2008-01-11 17:54]
S3 AVCSTRM;AVC Streaming Filter Driver;C:\WINDOWS\system32\DRIVERS\avcstrm.sys [2004-08-04 01:09]
S3 MSTAPE;Microsoft AV/C Tape Subunit Device;C:\WINDOWS\system32\DRIVERS\mstape.sys [2004-08-04 01:09]
S3 ZuneWlanCfgSvc;Zune Wireless Configuration Service;c:\WINDOWS\system32\ZuneWlanCfgSvc.exe [2008-01-11 17:54]

.
Contents of the 'Scheduled Tasks' folder
"2008-05-08 04:00:02 C:\WINDOWS\Tasks\Tune-up Application Start.job"
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-09 20:21:42
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRAM FILES\ADOBE\PHOTOSHOP ELEMENTS 4.0\PHOTOSHOPELEMENTSFILEAGENT.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCDETECT.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCSHIELD.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCTSKSHD.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
C:\WINDOWS\SYSTEM32\NVSVC32.EXE
C:\WINDOWS\SYSTEM32\HPZIPM12.EXE
C:\WINDOWS\SYSTEM32\PNKBSTRA.EXE
C:\PROGRAM FILES\ANALOG DEVICES\SOUNDMAX\SMAGENT.EXE
C:\PROGRAM FILES\INTEL\INTEL® ACTIVE MONITOR\IMONNT.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSESCN.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\GAME CONTROLLERS\COMMON\SWTRAYV4.EXE
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSFTSN.EXE
.
**************************************************************************
.
Completion time: 2008-05-09 20:25:04 - machine was rebooted [XP]
ComboFix4.txt 2008-03-19 20:51:44
ComboFix-quarantined-files.txt 2008-05-10 01:25:00
ComboFix3.txt 2008-05-06 00:38:36
ComboFix2.txt 2008-05-09 01:20:24

Pre-Run: 155,479,539,712 bytes free
Post-Run: 155,462,369,280 bytes free

224 --- E O F --- 2008-04-21 21:16:13

Here is the hijack file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:32:06 PM, on 5/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\MI948F~1\GAMECO~1\common\swtrayv4.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SideWinderTrayV4] C:\PROGRA~1\MI948F~1\GAMECO~1\common\swtrayv4.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: http://www.powertabs.net
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.comcastsu...fix/tgctlsr.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.putfile.c...geUploader4.cab
O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) -
O16 - DPF: {FD18DD5E-B398-452A-B22A-B54636BA9F0D} (Aurigma Image Uploader 2.5) - http://www.blinkz.co...geUploader2.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel® Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 8340 bytes


Also, good news!!!! :) .

I can reach your site now with my infected computer!!!!!!!!!
Im gonna test it out tonight, but it allready seems better.

Let me know....thanks again!!!!!
:)

John
  • 0

#10
dadpcfixer1
Posted 11 May 2008 - 08:29 AM

dadpcfixer1

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
Well,
The pc seems to be working well. I downloaded lime wire for the wife and kids again, some how it got deinstalled, may be the virus. I did setup limewire to start manually, so it will not be running auto when we log in.

My daughter uses those chat prog, AIM, and yahoo; Im thinking maybee the virus came through there.

Let me know...

John :) :)
  • 0

Advertisements

#11
fenzodahl512
Posted 11 May 2008 - 12:21 PM

fenzodahl512

  • Malware Removal
  • 9,863 posts
Hello John.. Glad to hear you could reach us with your computer.. Now lets do the following..


Please do an online scan with Kaspersky WebScanner

Click on Accept

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Please post the Kaspersky Online scan in your next reply..


Regards
fenzodahl512
  • 0

#12
dadpcfixer1
Posted 12 May 2008 - 07:40 PM

dadpcfixer1

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
Ok, here is the Kaspersky text file results:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, May 12, 2008 8:37:52 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 12/05/2008
Kaspersky Anti-Virus database records: 765113
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 161721
Number of viruses found: 8
Number of infected objects: 20
Number of suspicious objects: 2
Duration of the scan process: 01:43:13

Infected Object Name / Virus Name / Last Action
C:\WINDOWS\SYSTEM32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\Internet.evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\config\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\SYSTEM32\h323log.txt Object is locked skipped
C:\WINDOWS\SYSTEM32\LogFiles\HTTPERR\httperr1.log Object is locked skipped
C:\WINDOWS\SYSTEM32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\SchedLog.Txt Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{DD50B10D-4CFA-4AC9-9236-72235684BD29}.bin Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.62 skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee.com\VSO\OASLogs\OAS.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee.com\Agent\Logs\TaskScheduler\McTskshd001.log Object is locked skipped
C:\Documents and Settings\XP\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\XP\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\XP\Local Settings\History\History.IE5\MSHist012008051220080513\index.dat Object is locked skipped
C:\Documents and Settings\XP\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\XP\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\XP\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\XP\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\XP\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\System Volume Information\_restore{3435B12F-4893-4C9D-A64E-C84F91EB22F8}\RP24\A0001547.exe/data0001 Infected: not-a-virus:AdWare.Win32.PurityScan.gp skipped
C:\System Volume Information\_restore{3435B12F-4893-4C9D-A64E-C84F91EB22F8}\RP24\A0001547.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{3435B12F-4893-4C9D-A64E-C84F91EB22F8}\RP24\A0001548.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.quk skipped
C:\System Volume Information\_restore{3435B12F-4893-4C9D-A64E-C84F91EB22F8}\RP25\A0001570.DLL Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{3435B12F-4893-4C9D-A64E-C84F91EB22F8}\RP25\A0001571.DLL Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{3435B12F-4893-4C9D-A64E-C84F91EB22F8}\RP25\A0001572.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{3435B12F-4893-4C9D-A64E-C84F91EB22F8}\RP25\A0001576.DLL Infected: Trojan.Win32.Monder.db skipped
C:\System Volume Information\_restore{3435B12F-4893-4C9D-A64E-C84F91EB22F8}\RP25\A0001590.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{3435B12F-4893-4C9D-A64E-C84F91EB22F8}\RP25\A0001591.DLL Infected: Trojan.Win32.Monder.db skipped
C:\System Volume Information\_restore{3435B12F-4893-4C9D-A64E-C84F91EB22F8}\RP25\A0001592.DLL Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{3435B12F-4893-4C9D-A64E-C84F91EB22F8}\RP26\A0001625.exe Infected: Trojan-Downloader.Win32.Small.ved skipped
C:\System Volume Information\_restore{3435B12F-4893-4C9D-A64E-C84F91EB22F8}\RP26\A0001627.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{3435B12F-4893-4C9D-A64E-C84F91EB22F8}\RP26\A0001628.DLL Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{3435B12F-4893-4C9D-A64E-C84F91EB22F8}\RP30\A0003057.sys Infected: Rootkit.Win32.Agent.aii skipped
C:\System Volume Information\_restore{3435B12F-4893-4C9D-A64E-C84F91EB22F8}\RP33\change.log Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\000080.exe.vir Infected: Trojan-Downloader.Win32.Small.ved skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\000090.exe.vir Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\ssihfcbi.dll.vir Infected: Trojan.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\xwugeojh.dll.vir Infected: Trojan.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\fwpokuei.dll_old.vir Infected: Trojan.Win32.Monder.db skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\drivers\clbdriver.sys.vir Infected: Rootkit.Win32.Agent.aii skipped
D:\backup\mail\dad\Deleted Items.dbx/[From "Paypal Survey"<[email protected]>][Date Wed, 2 Aug 2006 17:08:12 -0700]/html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
D:\backup\mail\dad\Deleted Items.dbx MailMSOutlook5: suspicious - 1 skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{3435B12F-4893-4C9D-A64E-C84F91EB22F8}\RP33\change.log Object is locked skipped

Scan process completed.


Looks like I still have some infected files...

Let me know...

John
  • 0

#13
fenzodahl512
Posted 13 May 2008 - 04:24 PM

fenzodahl512

  • Malware Removal
  • 9,863 posts
Hello John.. Thanks for the reply.. Don't worry about Kaspersky Result.. What it found is from your System Restore and quarantine folder which is harmless to you..

Do you know below file? If you don't, please delete it manually..

D:\backup\mail\dad\Deleted Items.dbx



NEXT


Please download OTCleanIt and save it to Desktop.
  • Double-click OTCleanIt.exe
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes




NEXT


Please download ATF Cleaner by Atribune.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.




NEXT


Please Install/Update Sun Java

Updating Java:
  • Go to Start --> Control Panel --> Add or Remove Programs.
  • Search in the list for all previous installed versions of Java. (J2SE Runtime Environment.... )
  • It should have next icon next to it: Posted Image
  • Select it and click Remove. This will uninstall the previous (outdated) version of Java.
  • Then Download and install the newest version from here: Java Runtime Environment (JRE) 6 Update 6



NEXT


Let's clean your Restore Points and set a new one:

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous Restore Points which are likely to be infected)
To create a new Restore Point.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn off System Restore.
  • Click Apply, and then click OK. This will flush your old System Restore.
  • Then please UNCHECK the Turn off System Restore.
  • Click again on Apply, and then click OK. This will create a new Restore Point
System Restore will now be active again

If you are using Windows Vista, please go HERE for tutorial on how to use, disable and enable System Restore


NEXT


I noticed that you already have McAfee Antivirus as your antivirus, and SUPERAntiSpyware as your antispyware in your computer :)


However, I haven't seen any third-party firewall in your logs.. Do you have any? If you don't, please install ONLY ONE of these free and excellent firewal below:
After you install the third party firewall, please disable your Windows firewall. Please go to My Computer >> Control Panel >> Windows Firewall and choose Off (not recommended) option. Then please click Apply and Ok.


And now, to help protect your computer in the future I would like to recommend you these following free programs. Please do remember to use only ONE "Real-Time Protection" software for EACH Antivirus, AntiSpyware and Firewall.
  • SpywareBlaster 4.0 to help prevent spyware from installing in the first place.
  • SpywareGuard to catch and block spyware before it can execute.
  • IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.

Lastly, to keep your operating system up to date please visit the link below monthly

To learn more about how to protect yourself while on the internet read this excellent article by Tony Klein: So how did I get infected in the first place?

Please also read an excellent article by miekiemoes :Help! My computer is slow!

And another excellent article by CastleCops Malware Prevention: Prevent Re-infection

Please reply to this thread once more and tell us about the computer behaviour before we can close this thread :)


Have a safe and happy computing day!


Regards
fenzodahl512
  • 0

#14
dadpcfixer1
Posted 14 May 2008 - 10:47 PM

dadpcfixer1

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
Ok, I deleted that file,

Ran the otcleanit

Ran the atf cleaner (really like that one)

Got my java up to par

Reset and reenabled my windows restore

and download zonealarm for a firewall.


Everything seems to be going well, thanks a whole bunch for helping me out!

John :)
  • 0

#15
fenzodahl512
Posted 15 May 2008 - 07:33 AM

fenzodahl512

  • Malware Removal
  • 9,863 posts
Glad to hear that John.. You're very much welcome :)


fenzodahl512
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP