View Full Version : Trojan Downloaders, hijackthis closing
DJ Neckspasm
2007-06-13, 01:01
I don't have a hijackthis log to post since one of the viruses on my computer closes the program before it can finish outputting the log. It also likes to close any window with the word hijackthis on it or AVG, I can't browse these forums on my pc and have to use a friend's laptop to post this.
Kasperasky online scan identified a couple trojans and I can get the log file from that if that would be helpful. One weird problem is now everytime I go to change my desktop background the window goes not responding and after end tasking it I get a crash error from a program called "run a dll as an app" follwed by drwatson errors.
I may just end up formatting, the spyware didn't really bother me that much until it started closing browser windows. The idea that a virus on my PC is basically taking control angers me significantly. I take a fair amount of pride in my PC and until this it ran pretty clean. The sad part of all this is I know specifically what caused the initial infection and could have easily avoided it.
pskelley
2007-06-13, 03:18
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information. "BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.
I understand, this sounds like a Vundo infection. Give the new HJT Beta a try:
Download Trend Micro Hijack This™
http://www.trendsecure.com/portal/en-US/threat_analytics/hijackthis.php?page=download
Download it to your Program Files folder.
Doubleclick the HijackThis_V2.exe to start it.
Click "Do a System Scan and save a logfile"
This will create a HijackThislog.
Copy and paste the contents of the log in your next reply
Thanks
DJ Neckspasm
2007-06-13, 14:38
I downloaded hijackthis 2 beta, renamed the exe and copied that over to my desktop from the laptop I'm using right now. It doesn't close the explorer window contaning the file before I can run it but it still closes the program itself before it can finish outputting the log file.
I know I did have a vundo infection previously but I was pretty sure I beat that after using combo fix. Also I occaisionally get an error "clcr has encountered an error and needs to close" which I know is related to some sort of malware.
Are there any other lesser known programs that serve a similar function as hijackthis?
pskelley
2007-06-13, 15:02
Strange I am having no problems with folks not being able to run Trend Micro's version of HJT, and I know of no other program that does what HJT does. I can tell you that with the Vundo infection there is an item in the running program area of the log which does not get removed by Vundofix and must be deleted manually.
You can see it in this log: http://forums.spybot.info/showthread.php?t=14540
O4 - HKLM\..\Run: [ApachInc] rundll32.exe "C:\WINDOWS\system32\qcoxpvka.dll",realset
Notice how I remove it manually. In this case there is another vundo related item also. (hackers keep changing the junk to avoid us removing it) In the case of this item (and it is random) if it is not remove the user continues to get a message like you are getting but in the case of the log I am showing, the missing item would be: qcoxpvka.dll
You are getting that message so you either still have Vundo or that last 04 iem has not been removed (may be more also)
If you know the name of .dll creating the error message and you said
Also I occaisionally get an error "clcr has encountered an error and needs to close"
(I need to point our I have not seen only four letters > clcr so you should look closely at the error first.
You can show hidden files and folders: http://www.xtra.co.nz/help/0,,4155-1916458,00.html
then navigate to the folder and delete that item. You need to be sure you have the right one. Look at what I did with the log I posted the link to and the tool I used in case of issues. This should stop your error messages, but we will not be able to know if you are clean without a HJT log.
Thanks
DJ Neckspasm
2007-06-13, 23:12
clcr is an exe file not a dll, the full error message was "clcr.exe has encountered a problem and needs to close". I very rarely get any popups but just today I got one and checked the processes in task manager and clcr.exe was running so I end tasked it. I tried searching for clcr and got two results clcr.exe-2d50d8f7.pf and clcrb.log . I deleted the prefetch file but I suspect it will just come back eventually.
I ran vundofix again and it found one item: c:\windows\system32\clk.dll . I clicked remove and eventually it asked me to restart the computer. After it finished restarting I ran vundofix again and it found the same file again. I tried manually deleting it and I got either "file is in use" or "access is denied" I can't remember which
I also got this on startup "fatal error: unable to update tray icon" I kind of doubt that's malware related, I think that's just Trillian acting up.
I'm including the log from the online virus scan I did earlier, hopefully you can glean something useful from this. I changed the formatting a little to make it easier to read. and highlight the actual trojans
KASPERSKY ONLINE SCANNER REPORT
Wednesday, June 13, 2007 11:41:44 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 13/06/2007
Kaspersky Anti-Virus database records: 343181
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target Folders
C:\
Scan Statistics
Total number of scanned objects 69955
Number of viruses found 16
Number of infected objects 35
Number of suspicious objects 0
Duration of the scan process 00:38:02
Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\ATI MMC\RemoteWonder.txt Object is locked skipped
C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp Object is locked skipped
C:\Documents and Settings\All Users\DRM\drmstore.hds Object is locked skipped
C:\Documents and Settings\Jason Dove\Application Data\Mozilla\Firefox\Profiles\253v0nbg.default\cert8.db Object is locked skipped
C:\Documents and Settings\Jason Dove\Application Data\Mozilla\Firefox\Profiles\253v0nbg.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\Jason Dove\Application Data\Mozilla\Firefox\Profiles\253v0nbg.default\history.dat Object is locked skipped
C:\Documents and Settings\Jason Dove\Application Data\Mozilla\Firefox\Profiles\253v0nbg.default\key3.db Object is locked skipped
C:\Documents and Settings\Jason Dove\Application Data\Mozilla\Firefox\Profiles\253v0nbg.default\parent.lock Object is locked skipped
C:\Documents and Settings\Jason Dove\Application Data\Mozilla\Firefox\Profiles\253v0nbg.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Jason Dove\Application Data\Mozilla\Firefox\Profiles\253v0nbg.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Jason Dove\Application Data\Skype\djneckspasm\call256.dbb Object is locked skipped
C:\Documents and Settings\Jason Dove\Application Data\Skype\djneckspasm\callmember256.dbb Object is locked skipped
C:\Documents and Settings\Jason Dove\Application Data\Skype\djneckspasm\chat512.dbb Object is locked skipped
C:\Documents and Settings\Jason Dove\Application Data\Skype\djneckspasm\chatmember256.dbb Object is locked skipped
C:\Documents and Settings\Jason Dove\Application Data\Skype\djneckspasm\chatmsg256.dbb Object is locked skipped
C:\Documents and Settings\Jason Dove\Application Data\Skype\djneckspasm\chatmsg512.dbb Object is locked skipped
C:\Documents and Settings\Jason Dove\Application Data\Skype\djneckspasm\contactgroup256.dbb Object is locked skipped
C:\Documents and Settings\Jason Dove\Application Data\Skype\djneckspasm\dyncontent\bundle.dat Object is locked skipped
C:\Documents and Settings\Jason Dove\Application Data\Skype\djneckspasm\index2.dat Object is locked skipped
C:\Documents and Settings\Jason Dove\Application Data\Skype\djneckspasm\profile256.dbb Object is locked skipped
C:\Documents and Settings\Jason Dove\Application Data\Skype\djneckspasm\transfer256.dbb Object is locked skipped
C:\Documents and Settings\Jason Dove\Application Data\Skype\djneckspasm\transfer512.dbb Object is locked skipped
C:\Documents and Settings\Jason Dove\Application Data\Skype\djneckspasm\user1024.dbb Object is locked skipped
C:\Documents and Settings\Jason Dove\Application Data\Skype\djneckspasm\user16384.dbb Object is locked skipped
C:\Documents and Settings\Jason Dove\Application Data\Skype\djneckspasm\user4096.dbb Object is locked skipped
C:\Documents and Settings\Jason Dove\Application Data\Skype\djneckspasm\voicemail256.dbb Object is locked skipped
*C:\Documents and Settings\Jason Dove\Application Data\Sun\Java\Deployment\cache\6.0*\24\3e021ed8-2b186ff9/Counter.class Infected: Trojan.Java.ClassLoader.i skipped
[same as *]\24\3e021ed8-2b186ff9/VerifierBug.class Infected: Trojan.Java.ClassLoader.k skipped
[same as *]\24\3e021ed8-2b186ff9/Beyond.class Infected: Trojan.Java.ClassLoader.k skipped
[same as *]\24\3e021ed8-2b186ff9 ZIP: infected - 3 skipped
[same as *]\24\3e021ed8-7837c6df/Counter.class Infected: Trojan.Java.ClassLoader.i skipped
[same as *]\24\3e021ed8-7837c6df/VerifierBug.class Infected: Trojan.Java.ClassLoader.k skipped
[same as *]\24\3e021ed8-7837c6df/Beyond.class Infected: Trojan.Java.ClassLoader.k skipped
[same as *]\24\3e021ed8-7837c6df ZIP: infected - 3 skipped
[same as *]\38\303a8e66-29990058/BaaaaBaa.class Infected: Trojan.Java.ClassLoader.ao skipped
[same as *]\38\303a8e66-29990058/VaaaaaaaBaa.class Infected: Trojan.Java.ClassLoader.ao skipped
[same as *]\38\303a8e66-29990058/Baaaaa.class Infected: Trojan.Java.ClassLoader.ao skipped
[same as *]\38\303a8e66-29990058 ZIP: infected - 3 skipped
[same as *]\47\1f4792f-7ee1e27e/BaaaaBaa.class Infected: Trojan.Java.ClassLoader.ao skipped
[same as *]\47\1f4792f-7ee1e27e/VaaaaaaaBaa.class Infected: Trojan.Java.ClassLoader.ao skipped
[same as *]\47\1f4792f-7ee1e27e/Baaaaa.class Infected: Trojan.Java.ClassLoader.ao skipped
[same as *]\47\1f4792f-7ee1e27e ZIP: infected - 3 skipped
C:\Documents and Settings\Jason Dove\Application Data\Thunderbird\Profiles\24vt0ll9.default\abook.mab Object is locked skipped
C:\Documents and Settings\Jason Dove\Application Data\Thunderbird\Profiles\24vt0ll9.default\cert8.db Object is locked skipped
C:\Documents and Settings\Jason Dove\Application Data\Thunderbird\Profiles\24vt0ll9.default\key3.db Object is locked skipped
C:\Documents and Settings\Jason Dove\Application Data\Thunderbird\Profiles\24vt0ll9.default\Mail\Local Folders\Inbox.msf Object is locked skipped
C:\Documents and Settings\Jason Dove\Application Data\Thunderbird\Profiles\24vt0ll9.default\Mail\Local Folders\Junk.msf Object is locked skipped
C:\Documents and Settings\Jason Dove\Application Data\Thunderbird\Profiles\24vt0ll9.default\Mail\Local Folders\Templates.msf Object is locked skipped
C:\Documents and Settings\Jason Dove\Application Data\Thunderbird\Profiles\24vt0ll9.default\Mail\Local Folders\Trash.msf Object is locked skipped
C:\Documents and Settings\Jason Dove\Application Data\Thunderbird\Profiles\24vt0ll9.default\panacea.dat Object is locked skipped
C:\Documents and Settings\Jason Dove\Application Data\Thunderbird\Profiles\24vt0ll9.default\parent.lock Object is locked skipped
C:\Documents and Settings\Jason Dove\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Jason Dove\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Jason Dove\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Jason Dove\Local Settings\Application Data\Microsoft\Zune\CurrentDatabase_365.wmdb Object is locked skipped
C:\Documents and Settings\Jason Dove\Local Settings\Application Data\Mozilla\Firefox\Profiles\253v0nbg.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Jason Dove\Local Settings\Application Data\Mozilla\Firefox\Profiles\253v0nbg.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Jason Dove\Local Settings\Application Data\Mozilla\Firefox\Profiles\253v0nbg.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Jason Dove\Local Settings\Application Data\Mozilla\Firefox\Profiles\253v0nbg.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Jason Dove\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Jason Dove\Local Settings\History\History.IE5\MSHist012007061220070613\index.dat Object is locked skipped
C:\Documents and Settings\Jason Dove\Local Settings\History\History.IE5\MSHist012007061320070614\index.dat Object is locked skipped
C:\Documents and Settings\Jason Dove\Local Settings\Temp\flaBE.tmp Object is locked skipped
C:\Documents and Settings\Jason Dove\Local Settings\Temp\Perflib_Perfdata_5c4.dat Object is locked skipped
C:\Documents and Settings\Jason Dove\Local Settings\Temporary Internet Files\Content.IE5\47PNQUNX\g1[1].htm Infected: Trojan-Downloader.Win32.Delf.amb skipped
C:\Documents and Settings\Jason Dove\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Jason Dove\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Jason Dove\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\itouch_crash_info.txt Object is locked skipped
C:\Program Files\AskPBar\bar\1.bin\ASKPBAR.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.a skipped
C:\Program Files\DAEMON Tools\SetupDTSB.exe Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
C:\Program Files\themexp\Themexp.org File\NNWDAB638.EXE Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\Program Files\Trillian\users\default\logs\MSN\Query\cjadey@hotmail.com.log Object is locked skipped
C:\Program Files\Uninstall Ask Toolbar.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.a skipped
C:\QooBox\purity\C\DOCUME~1\JASOND~1\APPLIC~1\TSKS~1\ѕрool32.exe Infected: not-a-virus:AdWare.Win32.PurityScan.fn skipped
C:\QooBox\Quarantine\C\WINDOWS\retadpu1000272.exe.vir Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\crc.log.vir Infected: Trojan-Downloader.Win32.Agent.apb skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\notify.ini.vir Infected: Trojan-Downloader.Win32.Agent.apb skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{5B3AB182-9A56-4ACC-8DC6-C3FDF63EFEB3}\RP519\A0049892.exe Infected: not-a-virus:AdWare.Win32.Lop.bb skipped
C:\System Volume Information\_restore{5B3AB182-9A56-4ACC-8DC6-C3FDF63EFEB3}\RP519\A0049893.exe Infected: Trojan.Win32.Inject.bs skipped
C:\System Volume Information\_restore{5B3AB182-9A56-4ACC-8DC6-C3FDF63EFEB3}\RP519\A0049894.exe Infected: Trojan-Downloader.Win32.PurityScan.ej skipped
C:\System Volume Information\_restore{5B3AB182-9A56-4ACC-8DC6-C3FDF63EFEB3}\RP519\A0049910.ini Infected: Trojan-Downloader.Win32.Delf.amb skipped
C:\System Volume Information\_restore{5B3AB182-9A56-4ACC-8DC6-C3FDF63EFEB3}\RP521\change.log Object is locked skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{FC4B4CDB-8A34-4595-A244-94D3DFDB2F3F}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\cgraz.dll Infected: not-a-virus:AdWare.Win32.PurityScan.ak skipped
C:\WINDOWS\system32\clcrb.log Infected: Packed.Win32.Klone.g skipped
C:\WINDOWS\system32\clk.dll Infected: Trojan-Downloader.Win32.Delf.amb skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\crc.log Infected: Trojan-Downloader.Win32.Delf.amb skipped
C:\WINDOWS\system32\drivers\dtscsi.sys Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\eadbeefaffa.dll Object is locked skipped
C:\WINDOWS\system32\notify.ini Infected: Trojan-Downloader.Win32.Delf.amb skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\wudb.dll Infected: Trojan-Downloader.Win32.Wswu.a skipped
C:\WINDOWS\TEMP\Cookies\index.dat Object is locked skipped
C:\WINDOWS\TEMP\History\History.IE5\index.dat Object is locked skipped
C:\WINDOWS\TEMP\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.
Can you recommend a free virus scanner other than avg? Whenever I go to avg's website my browser just closes.
pskelley
2007-06-13, 23:57
First, I want you to understand it is very difficult for me to work when I am not provided the tools I need to do so.
1) Thanks to andymanchesta and anyone else who helped with the fix.
Download SDFix and save it to your Desktop.
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)
Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.
Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Finally paste the contents of the Report.txt back on the forum.
2) Thanks to sUBs and anyone else who helped with this fix.
Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.
Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall
Post the results of those two scans.
DJ Neckspasm
2007-06-14, 01:39
I'm sorry if I offended you, believe me I do appreciate the help. I managed to get a hijackthis log for you even though the program still closes, it just barely managed to spit out the log before it shut down.
ComboFix 07-06-13.3 - M:\temp\ComboFix.exe
"Jason Dove" - 2007-06-13 19:47:40 - Service Pack 2 NTFS
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\DOCUME~1\JASOND~1\APPLIC~1.\dobe~1
C:\WINDOWS\system32\crc.log
C:\WINDOWS\system32\notify.ini
((((((((((((((((((((((((( Files Created from 2007-05-13 to 2007-06-13 )))))))))))))))))))))))))))))))
2007-06-13 12:19 146,944 --------- C:\WINDOWS\system32\clk.dll
2007-06-12 16:46 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-06-12 16:46 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-06-10 12:03 <DIR> d-------- C:\Fuck Spyware
2007-05-14 09:00 98,304 --a------ C:\WINDOWS\system32CmdLineExt.dll
2007-05-14 09:00 <DIR> dr-h----- C:\DOCUME~1\JASOND~1\APPLIC~1\SecuROM
2007-05-14 09:00 <DIR> d-------- C:\DOCUME~1\JASOND~1\APPLIC~1\Command & Conquer 3 Tiberium Wars
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-06-13 22:17:04 -------- d-----w C:\DOCUME~1\JASOND~1\APPLIC~1\Skype
2007-06-13 22:15:33 -------- d-----w C:\Program Files\SpeedFan
2007-06-13 22:13:36 25,181 ----a-w C:\WINDOWS\system32\tablet.dat
2007-06-13 22:05:30 24 ----a-w C:\WINDOWS\system32\DVCStateBkp-{00000004-00000000-00000007-00001102-00000002-80271102}.dat
2007-06-13 22:05:30 24 ----a-w C:\WINDOWS\system32\DVCState-{00000004-00000000-00000007-00001102-00000002-80271102}.dat
2007-06-13 22:05:15 -------- d-----w C:\DOCUME~1\JASOND~1\APPLIC~1\foobar2000
2007-06-13 14:48:15 -------- d-----w C:\DOCUME~1\JASOND~1\APPLIC~1\uTorrent
2007-06-12 21:14:02 -------- d-----w C:\Program Files\Trillian
2007-06-12 19:51:52 -------- d-----w C:\Program Files\Mozilla Thunderbird
2007-05-10 23:49:52 2 ----a-w C:\WINDOWS\system32\wcpicc.exe
2007-05-09 18:14:02 23,040 ----a-w C:\WINDOWS\system32\eadbeefaffa.dll
2007-04-23 03:00:11 -------- d-----w C:\Program Files\TES_Map
2007-04-17 01:17:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 01:15:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 01:15:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 01:15:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 01:15:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 01:15:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 01:15:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 01:15:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-03-19 18:30:06 60,928 ----a-w C:\WINDOWS\system32\cgraz.dll
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [2003-11-03 15:17]
{10E8FA10-60D6-6C55-A348-1EE33DE0F899}=C:\WINDOWS\system32\cgraz.dll [2007-03-19 16:00]
{53707962-6F74-2D53-2644-206D7942484F}=C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2005-05-31 01:04]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
{E5199497-796F-C9DD-2648-E4316E6B11A6}=C:\DOCUME~1\JASOND~1\APPLIC~1\SUPPOR~1\eq joy.exe []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2006-10-22 13:22 C:\WINDOWS\system32\nwiz.exe]
"WINDVDPatch"="CTHELPER.EXE" [2002-07-02 18:56 C:\WINDOWS\system32\CTHELPER.EXE]
"Jet Detection"="C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe" [2001-11-29 02:00]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2006-01-30 16:43]
"zBrowser Launcher"="C:\Program Files\Logitech\iTouch\iTouch.exe" [2004-03-18 10:33]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 10:50 C:\WINDOWS\LOGI_MWX.EXE]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2005-12-10 12:27]
"AGEIA PhysX SysTray"="C:\Program Files\AGEIA Technologies\TrayIcon.exe" [2006-03-20 17:13]
"Zune Launcher"="C:\Program Files\Zune\ZuneLauncher.exe" [2006-12-12 15:45]
"QuickTime Task"="C:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe" [2007-02-16 10:54]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 19:05]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="e:\Steam\Steam.exe" [2007-06-10 12:27]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]
"ATI Remote Control"="C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe" [2003-12-03 05:13]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-02-09 17:00]
"Colibri"="C:\Program Files\Colibri\Colibri.exe" [2006-02-01 08:06]
"Gmvj"="C:\Documents and Settings\Jason Dove\Application Data\T?sks\??ool32.exe" []
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"FFTI"=C:\Documents and Settings\Jason Dove\Application Data\Mozilla\Firefox\Profiles\253v0nbg.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\ffti.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /DestPath="C:\Documents and Settings\Jason Dove\Application Data\Mozilla\Firefox\Profiles/253v0nbg.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyDocs"=01000000
"NoSMMyPictures"=01000000
"NoUserNameInStartMenu"=01000000
"NoLowDiskSpaceChecks"=1 (0x1)
"NoSharedDocuments"=01000000
"NoRecentDocsMenu"=1 (0x1)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{AF0BE91A-D92D-44F5-9581-64F629762E5A}"="C:\WINDOWS\system32\clk.dll" [2007-06-13 12:19]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\eadbeefaffa]
C:\WINDOWS\system32\eadbeefaffa.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\notifyc]
C:\WINDOWS\system32\clk.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Auot]
"C:\WINDOWS\system32\RACLE~1\javaw.exe" -vt yazb
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BearShare]
"C:\Program Files\BearShare\BearShare.exe" /pause
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cast anti]
C:\DOCUME~1\JASOND~1\APPLIC~1\CLOCKF~1\Dart Poke Start.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Internet More Mags Mpeg]
C:\Documents and Settings\All Users\Application Data\user bleh internet more\third soap.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Rdjsnnfu]
"C:\Documents and Settings\Jason Dove\Application Data\?dobe\n?tepad.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
C:\WINDOWS\retadpu1000272.exe 61A847B5BBF72813329B385475FB01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SManager]
smanager.7.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zango]
"c:\program files\zango\zango.exe"
Contents of the 'Scheduled Tasks' folder
2007-06-13 21:30:00 C:\WINDOWS\tasks\A43637A4924DB528.job
2007-06-12 23:56:01 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
**************************************************************************
catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-13 19:48:15
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-06-13 19:48:39
C:\ComboFix-quarantined-files.txt ... 2007-06-13 19:48
C:\ComboFix2.txt ... 2007-05-10 21:59
--- E O F ---
SDFix: Version 1.87
Run by Jason Dove - Wed 06/13/2007 - 19:39:41.20
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Safe Mode:
Checking Services:
Killing PID 212 'smss.exe'
Killing PID 288 'winlogon.exe'
Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting...
Normal Mode:
Checking Files:
Below files will be copied to Backups folder then removed:
C:\DOCUME~1\JASOND~1\LOCALS~1\Temp\temp.bat - Deleted
C:\WINDOWS\system32\wudb.dll - Deleted
C:\WINDOWS\wr.txt - Deleted
Removing Temp Files...
ADS Check:
Checking if ADS is attached to system32 Folder
C:\WINDOWS\system32
No streams found.
Checking if ADS is attached to svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.
Checking if ADS is attached to ntoskrnl.exe
C:\WINDOWS\system32\ntoskrnl.exe
No streams found.
Final Check:
Remaining Services:
------------------
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"Z:\\Downloads\\utorrent.exe"="Z:\\Downloads\\utorrent.exe:*:Enabled:æTorrent"
"E:\\Tom Clancy's Rainbow Six Vegas\\Binaries\\R6Vegas_Game.exe"="E:\\Tom Clancy's Rainbow Six Vegas\\Binaries\\R6Vegas_Game.exe:*:Enabled:Rainbow Six Vegas"
"E:\\Tom Clancy's Rainbow Six Vegas\\Binaries\\R6Vegas_Launcher.exe"="E:\\Tom Clancy's Rainbow Six Vegas\\Binaries\\R6Vegas_Launcher.exe:*:Enabled:Rainbow Six Vegas Updater"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype. The whole world can talk for free."
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
Remaining Files:
---------------
Backups Folder: - C:\SDFix\backups\backups.zip
Listing Files with Hidden Attributes:
C:\Program Files\Trillian\users\default\downloads\MSN\dj_neckspasm@hotmail.com\Thumbs.db
C:\Program Files\Image-Line\FL Studio 7\REX Shared Library.dll
C:\Program Files\ATI Multimedia\RemCtrl\x10prod.sys
C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp
Listing User Accounts:
User accounts for \\MANK
Administrator Guest HelpAssistant
Jason Dove SUPPORT_388945a0
Finished
Logfile of HijackThis v1.99.1
Scan saved at 7:50:33 PM, on 6/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\AGEIA Technologies\TrayIcon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
E:\Steam\Steam.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Colibri\Colibri.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\Program Files\SpeedFan\speedfan.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\clcr.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Jason Dove\Desktop\analyse.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {10E8FA10-60D6-6C55-A348-1EE33DE0F899} - C:\WINDOWS\system32\cgraz.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {E5199497-796F-C9DD-2648-E4316E6B11A6} - C:\DOCUME~1\JASOND~1\APPLIC~1\SUPPOR~1\eq joy.exe (file missing)
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [AGEIA PhysX SysTray] C:\Program Files\AGEIA Technologies\TrayIcon.exe
O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [Steam] "e:\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Colibri] C:\Program Files\Colibri\Colibri.exe
O4 - HKCU\..\Run: [Gmvj] "C:\Documents and Settings\Jason Dove\Application Data\T?sks\??ool32.exe"
O4 - HKCU\..\RunOnce: [FFTI] C:\Documents and Settings\Jason Dove\Application Data\Mozilla\Firefox\Profiles\253v0nbg.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\ffti.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /DestPath="C:\Documents and Settings\Jason Dove\Application Data\Mozilla\Firefox\Profiles/253v0nbg.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: SpeedFan.lnk = C:\Program Files\SpeedFan\speedfan.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Startup: tclock.exe.lnk = C:\Program Files\tclock\tclock.exe
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{72C792EC-14E8-4496-BAEB-D06BF931EACF}: NameServer = 192.168.0.2
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: eadbeefaffa - C:\WINDOWS\system32\eadbeefaffa.dll
O20 - Winlogon Notify: notifyc - C:\WINDOWS\system32\clk.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
pskelley
2007-06-14, 02:56
It's surely not that, it is just so difficult to work blind. I appreciate you posting the HJT log.
Please be sure "Word Wrap" under format in notepad remains unchecked until we are finished.
E:\Steam\Steam.exe <<< this may be valid, but my scanner is flagging it. Tell me what it is, if you do not know, use these scanners to find out:
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/flash/index_en.html
C:\Program Files\Colibri\Colibri.exe <<< assure me this is valid
C:\WINDOWS\system32\clcr.exe <<< there is the item in questions, here is the Google:
http://www.google.com/search?hl=en&q=clcr.exe&btnG=Search
Use the same scanners to find out what it is if you do not know.
I am fairly sure this is a problem and I will schedule removal. If you find out it is not, then do not remove it.
I am concerned about this one: O20 - Winlogon Notify: notifyc - C:\WINDOWS\system32\clk.dll
http://vil.nai.com/vil/content/v_130660.htm
http://www.google.com/search?hl=en&q=clk.dll&btnG=Search
Since this is a backdoor trojan, even though a lot of information is not available, you might want to consider this information:
http://www.dslreports.com/faq/10451
http://www.dslreports.com/faq/10063
and keep a close eye on things.
O20 - Winlogon Notify: eadbeefaffa - C:\WINDOWS\system32\eadbeefaffa.dll
random names, it is a trojan, but no available information.
O2 - BHO: (no name) - {E5199497-796F-C9DD-2648-E4316E6B11A6} - C:\DOCUME~1\JASOND~1\APPLIC~1\SUPPOR~1\eq joy.exe (file missing)
Indication we are probably dealing with LOP: http://inetexplorer.mvps.org/data/lop.htm
http://www.google.com/search?hl=en&q=eq+joy.exe+&btnG=Search
It appears you ran combofix prior to this as I see this item: C:\QooBox\ and some of what Kaspersky is finding is quarantined there. Please remove all of SDfix and combofix, that way Kaspersky will not see that junk.
You also have infections in System Restore which we will clean later.
I am not as familiar with the Kaspersky log as some other, but I believe some of that is an infected Java cache, follow these instructions carefully to clean that cache:
http://support.f-secure.com/enu/home/virusproblem/howtoclean/cleanjavacache.shtml
Instructions start here:
Checking for LOP/C2 Media:
Thanks to skate_punk_21 and anyone else who helped with this fix.
1) Please download NoLop to the Desktop from one of these links:
http://www.spywareedge.net/nolop/NoLop.exe
http://www.thespykiller.co.uk/forum/index.php?action=tpmod;dl=item16
Close any programs you have running since a reboot is required
Double click NoLop.exe to run it
Next, click the button labeled: Search and Destroy
<<your computer will now be scanned for infected files>>
When the scan finishes, if infected, you are prompted to reboot
Click OK
Now click: REBOOT
A Message should popup from NoLop. If not, double click the program again and it will finish.
Please Post the contents of C:\NoLop.log along with a new HijackThis log
(save those logs until you are finished)
2) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.
3) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.
4) How to use the Delete on Reboot tool http://www.bleepingcomputer.com/tutorials/tutorial42.html#delreb
Start Hijackthis
Click on the Config button
Click on the Misc Tools button
Click on the button labeled Delete a file on reboot...
A new window will open asking you to select the file that you would like to delete on reboot. Navigate to the file: C:\WINDOWS\system32\eadbeefaffa.dll and click on it once, and then click on the Open button.
You will now be asked if you would like to reboot your computer to delete the file. Click on the Yes button if you would like to reboot now.
You should be able to enter this item also: C:\WINDOWS\system32\clk.dllIf not, run the proceedure twice.
5) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
O2 - BHO: (no name) - {10E8FA10-60D6-6C55-A348-1EE33DE0F899} - C:\WINDOWS\system32\cgraz.dll
O2 - BHO: (no name) - {E5199497-796F-C9DD-2648-E4316E6B11A6} - C:\DOCUME~1\JASOND~1\APPLIC~1\SUPPOR~1\eq joy.exe (file missing)
LOP/C2 Media
O4 - HKCU\..\Run: [Gmvj] "C:\Documents and Settings\Jason Dove\Application Data\T?sks\??ool32.exe"
PurityScan/OIN
Close all programs but HJT and all browser windows, then click on "Fix Checked"
6) RIGHT Click on Start then click on Explore. Locate and delete these items:
C:\WINDOWS\system32\clcr.exe <<< delete that file
C:\Documents and Settings\Jason Dove\Application Data\T?sks\ <<< delete that folder
7) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.
Restart the computer and post a new HJT log and the log from NoLop. Let me know how the computer is performing.
Thanks
pskelley
2007-06-23, 13:38
No response to instructions since 06-13-2007, topic is closed.
If you need it re-opened please send me or a forum staff member a private message (pm) and provide a link to the thread; this applies only to the original topic starter.
Anyone else with similar problems please start a new topic.
Thanks...pskelley