I think I've got a trojan


  • This topic is locked
17 replies to this topic

#1 catbounds
  • Members
  • 9 posts

Posted 06 July 2004 - 09:42 AM

Hi,
I'm a newbie to the forum but I've had a computer about 7 years (not this one). Yesterday morning when I turned on the pc, I got a big red message from Norton, telling me I have a virus called Coreflood in windows/system32/clbcalq.dll, but Norton couldn't quarantine or delete it, and I've tried everything to delete; it won't budge, even in safe mode.
Another complication is that as long as Norton was installed, my whole pc was frozen with that red message on the desktop. It wouldn't even let me use task manager, so I uninstalled Norton, reinstalled, and all was well for about 60 seconds, and the message, freezing, came back, so now I'm working without Norton (shudder), trying to find what to do next.
I'm on cable, Windows XP, 80 gig, also have Ad-Aware and Spybot, which didn't locate anything. I've run Trend Micro on their site, which found nothing.

clbcalq.dll shows up in search, but I can't locate it in Windows Explorer.
Your help will be much appreciated!

Here's my log:
Logfile of HijackThis v1.98.0
Scan saved at 9:29:19 AM, on 7/6/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sony.com/vaiopeople
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O1 - Hosts: comments (such as these) may be inserted on individual
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\adobe\acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: clbcalq - {A1BFAC1C-C5F1-3AEC-2B10-2BEAE3916D42} - C:\WINDOWS\System32\clbcalq.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O15 - Trusted Zone: http://www.ebay.com
O16 - DPF: WebWorks Help 2.0 - file://C:\WINDOWS\Help\wwhelp2.cab
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {666DDE35-E955-11D0-A707-000000521958} - http://69.56.176.227/webplugin.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} - http://www.pcpitstop.com/mhLbl.cab


#2 Grinler (Lawrence Abrams)
  • Admin
  • 43,667 posts
  • Gender:Male
  • Location:USA

Posted 06 July 2004 - 01:09 PM

I want you to fix some of those entries. Please do the following:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Run HijackThis again, click Scan, and put a checkmark next to each of these. Then click the Fix button.

O1 - Hosts: comments (such as these) may be inserted on individual
O2 - BHO: clbcalq - {A1BFAC1C-C5F1-3AEC-2B10-2BEAE3916D42} - C:\WINDOWS\System32\clbcalq.dll
O15 - Trusted Zone: http://www.ebay.com
O16 - DPF: {666DDE35-E955-11D0-A707-000000521958} - http://69.56.176.227/webplugin.cab

Reboot your computer into Safe Mode and delete the following files:

Then delete these files or directories (Do not be concerned if they do not exist)
C:\WINDOWS\System32\clbcalq.dll

Disable System Restore. You can find instructions on how to enable and reenable system restore here:

Managing Windows Millennium System Restore
or

Windows XP System Restore Guide

Re-enable System Restore with instructions from the tutorial above.

Reboot your computer to go back to normal mode and post a new log.
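The entries Grinler picked out of the log fall into three HijackThis categories: an O2 browser helper object (a DLL that Internet Explorer loads at start-up), an O15 Trusted Zone entry (which relaxes IE's security settings for that site), and an O16 DPF entry (an ActiveX control downloaded from a URL). The following is an added example, not code from this thread or from the HijackThis project: a small Python parser for log lines in this shape that applies those three defender-side checks. The allowlists (`KNOWN_GOOD_BHO`, `KNOWN_DPF_HOSTS`) are assumptions an analyst would maintain for their own environment, and the sample lines are constructed from the log above.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed sample: a handful of lines in the shape of the HijackThis v1.98 log above.
SAMPLE_LOG = """\
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\adobe\\acrobat 5.0\\Reader\\ActiveX\\AcroIEHelper.ocx
O2 - BHO: clbcalq - {A1BFAC1C-C5F1-3AEC-2B10-2BEAE3916D42} - C:\\WINDOWS\\System32\\clbcalq.dll
O4 - HKLM\\..\\Run: [AGRSMMSG] AGRSMMSG.exe
O15 - Trusted Zone: http://www.ebay.com
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {666DDE35-E955-11D0-A707-000000521958} - http://69.56.176.227/webplugin.cab
"""

# Hypothetical allowlists: BHO file names and ActiveX download hosts the analyst has vetted.
KNOWN_GOOD_BHO = {"acroiehelper.ocx"}
KNOWN_DPF_HOSTS = {"www.pcpitstop.com"}

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
DPF_RE = re.compile(r"^DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$")
ZONE_RE = re.compile(r"^Trusted Zone: (?P<url>\S+)$")


@dataclass
class Finding:
    kind: str    # HijackThis section, e.g. "O2"
    reason: str  # why the entry deserves a closer look
    line: str    # the original log line


def _is_ip_literal(host: str) -> bool:
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def triage(log_text: str) -> list:
    """Return the entries an analyst should review, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # process list, headers, blank lines
        kind, body = m.group("kind"), m.group("body")
        if kind == "O2":
            b = BHO_RE.match(body)
            if b and b.group("path").rsplit("\\", 1)[-1].lower() not in KNOWN_GOOD_BHO:
                findings.append(Finding(kind, "BHO not on allowlist: " + b.group("path"), line))
        elif kind == "O15":
            z = ZONE_RE.match(body)
            if z:  # every Trusted Zone entry is worth confirming with the user
                findings.append(Finding(kind, "site in Trusted Zone bypasses IE zone restrictions: " + z.group("url"), line))
        elif kind == "O16":
            d = DPF_RE.match(body)
            if d:
                host = urlparse(d.group("url")).hostname or ""
                if _is_ip_literal(host):
                    findings.append(Finding(kind, "ActiveX control fetched from bare IP address " + host, line))
                elif host not in KNOWN_DPF_HOSTS:
                    findings.append(Finding(kind, "ActiveX control from unvetted host " + host, line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.reason}")
```

Run against the constructed sample it reports exactly the three entries in the fix list that it understands (the O1 hosts-file line is a text match on the hosts file itself, which this parser does not inspect). A BHO in System32 with a random-looking name and no vendor in its description, like clbcalq here, is the classic pattern: the allowlist approach flags it without needing a signature.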

#3 catbounds
  • Topic Starter
  • Members
  • 9 posts

Posted 06 July 2004 - 01:53 PM

Grinler,
I forgot to mention that I had already disabled System Restore.
I followed your instructions, then went to Safe Mode, made sure "Hide Extensions" and "Hide protected operating system" were unchecked but still couldn't locate clbcalq.dll in Windows Explorer. I did a search for it and found it, but it still won't let me delete it. I get this message:
"Cannot delete clbcalq: It is being used by another person or program. Close any programs that might be using the file and try again."
I booted up normally again, did a new log, and clbcalq has returned.
I seem to be doing the right stuff but getting the wrong results!

Logfile of HijackThis v1.98.0
Scan saved at 1:46:05 PM, on 7/6/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sony.com/vaiopeople
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\adobe\acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: clbcalq - {A1BFAC1C-C5F1-3AEC-2B10-2BEAE3916D42} - C:\WINDOWS\System32\clbcalq.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: WebWorks Help 2.0 - file://C:\WINDOWS\Help\wwhelp2.cab
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} - http://www.pcpitstop.com/mhLbl.cab

#4 Grinler (Lawrence Abrams)
  • Admin
  • 43,667 posts
  • Gender:Male
  • Location:USA

Posted 06 July 2004 - 03:10 PM

Please do the following:

Download the program FindNFix from the following location:
http://freeatlast100.100free.com/

Once it is downloaded, double-click on the file to run it. Follow the prompts to install the program. Once it is installed a window will open up showing the installation directory and a bunch of files in the right section of the window.

On the right portion of the window look for the file called !LOG!.bat and double-click on it. It will scan through your computer for a while, so be patient. When it is completed it will automatically open a notepad window called Log.txt.

Copy the contents of that file into a reply to this post.

#5 catbounds
  • Topic Starter
  • Members
  • 9 posts

Posted 06 July 2004 - 03:58 PM

Here are the results from FindNFix:


»»»»»»»»»»»»»»»»»»*** freeatlast100.100free.com ***»»»»»»»»»»»»»»»»

Microsoft Windows XP [Version 5.1.2600]
»»»IE build and last SP(s)

The type of the file system is NTFS.
C: is not dirty.

Tue 07/06/2004
3:51pm up 0 days, 0:23

»»»»»»»»»»»»»»»»»»***LOG!***»»»»»»»»»»»»»»»»

Scanning for file(s)...
»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»
»»»»» (*1*) »»»»» .........
»»Locked or 'Suspect' file(s) found...


»»»»» (*2*) »»»»»........
**File C:\FindNFix\LIST.TXT

»»»»» (*3*) »»»»»........

No matches found.


No matches found.

unknown/hidden files...

No matches found.

»»»»» (*4*) »»»»».........
Sniffing..........
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.


Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.


»»»»»(*5*)»»»»»
**File C:\WINDOWS\SYSTEM32\DLLXXX.TXT

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

»»Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450

»»Dumping Values........
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs =
DeviceNotSelectedTimeout = 15
GDIProcessHandleQuota = REG_DWORD 0x00002710
Spooler = yes
swapdisk =
TransmissionRetryTimeout = 90
USERProcessHandleQuota = REG_DWORD 0x00002710

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM


»»Member of...: (Admin logon required!)
User is a member of group VALUED-CB7D4C82\None.
User is a member of group \Everyone.
User is a member of group BUILTIN\Administrators.
User is a member of group BUILTIN\Users.
User is a member of group \LOCAL.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Authenticated Users.

»» Service search:(different variant) '"Network Security Service","__NS_Service_3"...

[SC] GetServiceKeyName FAILED 1060:

The specified service does not exist as an installed service.

[SC] GetServiceDisplayName FAILED 1060:

The specified service does not exist as an installed service.


»»Notepad check....

C:\WINDOWS\
notepad.exe Sat Aug 18 2001 7:00:00a A.... 66,048 64.50 K

1 item found: 1 file, 0 directories.
Total of file sizes: 66,048 bytes 64.50 K

C:\WINDOWS\SYSTEM32\
notepad.exe Sat Aug 18 2001 7:00:00a A.... 66,048 64.50 K

1 item found: 1 file, 0 directories.
Total of file sizes: 66,048 bytes 64.50 K

No matches found.

»»Dir 'junkxxx' was created with the following permissions...
(FAT32=NA)
Directory "C:\junkxxx"
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000003 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000000 t--- 001F01FF ---- DSPO rw+x VALUED-CB7D4C82\catherine bounds
Allow 0000000B -co- 10000000 ---A ---- ---- \CREATOR OWNER
Allow 00000003 tco- 001200A9 ---- -S-- r--x BUILTIN\Users
Allow 00000002 tc-- 00000004 ---- ---- --+- BUILTIN\Users
Allow 00000002 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

Owner: VALUED-CB7D4C82\catherine bounds

Primary Group: VALUED-CB7D4C82\None



»»»»»»Backups created...»»»»»»
3:56pm up 0 days, 0:27
Tue 07/06/2004

A C:\FindNFix\keyback.hiv
--a-- - - - - - 8,192 07-06-2004 keyback.hiv
A C:\FindNFix\keys1\winkey.reg
--a-- - - - - - 287 07-06-2004 winkey.reg

»»Performing string scan....
00001150: vk f AppInit_DLLs G
00001190: h vk UDeviceNotSelectedTimeout 1 5
000011D0: P 9 0 vk ' zGDIProcessHandle
00001210:Quota" vk 8 Spooler2 y e s _ h
00001250: ` vk 5swapdisk vk
00001290: . TransmissionRetryTimeout h `
000012D0: vk ' USERProcessHandleQuota
00001310:
00001350:
00001390:
000013D0:
00001410:
00001450:
00001490:
000014D0:
00001510:
00001550:

---------- WIN.TXT
fùAppInit_DLLs֍æG
--------------
--------------
yes
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710


**File C:\FindNFix\WIN.TXT
regf       Pugf
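FindNFix spends most of its output on one persistence point: the AppInit_DLLs value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows, which Windows loads into every process that links user32.dll. The tool compares the key's on-disk size against a known default (450 bytes) and dumps the key as a REGEDIT4 export. As an added example, not part of this thread or of FindNFix, here is a Python parser for that export format that reads the value directly and lists whatever DLLs it would inject; an empty list is the clean result the log above shows. The export text is a constructed copy of the fragment in the post, and the "loaded" variant with `example_hook.dll` is a hypothetical illustration, not a file from this machine.

```python
import re

# Constructed copy of the REGEDIT4 fragment that FindNFix wrote to WIN.TXT above.
CLEAN_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"""

# Hypothetical: the same key with a DLL planted in AppInit_DLLs (.reg files escape backslashes as \\).
LOADED_EXPORT = CLEAN_EXPORT.replace(
    '"AppInit_DLLs"=""',
    r'"AppInit_DLLs"="C:\\WINDOWS\\System32\\example_hook.dll"',
)

WINDOWS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')


def _unescape(s: str) -> str:
    # .reg strings escape backslash and double quote with a leading backslash
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> dict:
    """Parse a REGEDIT4 export into {key_path: {value_name: (type, value)}}."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("REGEDIT", "Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if not m or current is None:
            continue
        name, data = _unescape(m.group("name")), m.group("data")
        if data.startswith('"') and data.endswith('"'):
            keys[current][name] = ("REG_SZ", _unescape(data[1:-1]))
        elif data.startswith("dword:"):
            keys[current][name] = ("REG_DWORD", int(data[6:], 16))
        else:
            keys[current][name] = ("RAW", data)  # hex:/other encodings left undecoded
    return keys


def appinit_dlls(keys: dict) -> list:
    """DLLs that AppInit_DLLs would inject into every user32-linked process; [] means clean."""
    values = keys.get(WINDOWS_KEY, {})
    typ, val = values.get("AppInit_DLLs", ("REG_SZ", ""))
    if typ != "REG_SZ":
        return [repr(val)]  # unexpected type: surface it rather than ignore it
    # the value is a space- or comma-separated list of paths
    return [d for d in re.split(r"[,\s]+", val) if d]


if __name__ == "__main__":
    for label, export in (("clean", CLEAN_EXPORT), ("loaded", LOADED_EXPORT)):
        print(label, appinit_dlls(parse_reg_export(export)))
```

Reading the value beats the key-size heuristic because a short DLL path can leave the key close to its default size, and a legitimate vendor value can push it past one of the "infected" sizes. In this thread the value really is empty, which is consistent with the DLL being loaded as a BHO (the O2 entry) rather than through AppInit_DLLs.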


#6 Grinler (Lawrence Abrams)
  • Admin
  • 43,667 posts
  • Gender:Male
  • Location:USA

Posted 06 July 2004 - 04:01 PM

Ok that found nothing. Do me a favor and email the file in question to grinler@yahoo.com and I will install it and see if I can see what it does.

Please zip the file first

#7 catbounds
  • Topic Starter
  • Members
  • 9 posts

Posted 06 July 2004 - 04:08 PM

Ok, here it comes.

#8 QuaGon
  • Members
  • 39 posts

Posted 06 July 2004 - 04:23 PM

That sounds a lot like what I've got, but that freeatlast thingy found something on mine...

btw Grinler nice one, where would we be without ya *shudders at the thought*

#9 Grinler (Lawrence Abrams)
  • Admin
  • 43,667 posts
  • Gender:Male
  • Location:USA

Posted 06 July 2004 - 04:29 PM

Cat, I still have not received it.

#10 catbounds
  • Topic Starter
  • Members
  • 9 posts

Posted 06 July 2004 - 04:38 PM

Grinler,
It seemed to go. I'll try again.
cat

#11 catbounds
  • Topic Starter
  • Members
  • 9 posts

Posted 06 July 2004 - 05:32 PM

I sent it 3 times, and it hasn't been returned. Did you get it?
cat

#12 Grinler (Lawrence Abrams)
  • Admin
  • 43,667 posts
  • Gender:Male
  • Location:USA

Posted 06 July 2004 - 07:40 PM

Nope I am not receiving it. Are you zipping it up first?

#13 catbounds
  • Topic Starter
  • Members
  • 9 posts

Posted 06 July 2004 - 09:38 PM

Yes, I zipped it, and the process went so fast and easy. I sent forwards of that one the next 2 times. I'll go back and make a whole new email.
cat

#14 Grinler (Lawrence Abrams)
  • Admin
  • 43,667 posts
  • Gender:Male
  • Location:USA

Posted 06 July 2004 - 11:48 PM

Received it. I will install it tomorrow and take a look at it.

#15 catbounds
  • Topic Starter
  • Members
  • 9 posts

Posted 07 July 2004 - 11:06 AM

Just to update you, I installed Trojan Hunter, and it won't recognize clbcalq as a threat, nor will it let me delete or change the name. I tried installing Norton Anti-Virus from another CD, not SystemWorks, hoping the Trojan wouldn't recognize it this time, but the same thing happened: the red virus alert message popped up within 5 minutes, and everything was frozen on my computer until I uninstalled Norton for the 3rd time.

Reformat keeps coming to mind, but I've never done it on this computer, just an old one that I use as a guinea pig, and I've got so many graphics programs, plugins, etc., on this one that starting over would take weeks, so I'm praying it doesn't come to that. I've had this pc 18 months.

I downloaded a program called Process Explorer, trying to find out what other processes are using that file that keep me from deleting it. I've attached a screen capture, not sure if it's anything that would shed light on this. I'm still trying to learn how to use it.

Attached Files


Edited by catbounds, 07 July 2004 - 11:43 AM.
