08-03-2008, 03:06 AM   #1
Roc 65
Registered User
 
Join Date: Jan 2008
Posts: 51
OS: Windows XP sp3


heur trojan mess - Cannot Update OS - SP3 cannot find CLBCATQ dll's

AVG got most of the trojan. One dll that was found to be corrupt, c:\windows\system32\clbdll.dll, was moved to the vault by AVG, but I still have issues. I ran through the 5 steps -
WinXP SP3 will not load - Windows cannot find clbcatq.dll or clbcatex.dll.
I tried both SP3 and SP3 for IT Professionals. I'm running WinXP Home Ed.
I did not go into the COM+ fix.
-----------------------------------------------------------------------
ActiveScan.txt attached.
-----------------------------------------------------------------------
Deckard did not create an "extra.txt" file, but here's main.txt:
-----------------------------------------------------------------------

Deckard's System Scanner v20071014.68
Run by Owner on 2008-08-03 04:44:48
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:47:01 AM, on 8/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\PerfectDisk2008\PD91Agent.exe
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Owner\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {0C8C77AF-B97A-4FD3-89C0-44098F0CDE6B} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E156AAE-FA60-44A1-8E69-2E0E0030F1F6} - (no file)
O2 - BHO: (no name) - {B91C0269-E0E2-4C83-BCFF-131693EB3314} - (no file)
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O8 - Extra context menu item: Open with WordPerfect - c:\Program Files\Corel\WordPerfect Office X4\Programs\WPLauncher.hta
O15 - Trusted Zone: http://*.ameritrade.com
O15 - Trusted Zone: http://www.cbs.com
O15 - Trusted Zone: http://visitor.constantcontact.com
O15 - Trusted Zone: http://www.evite.com
O15 - Trusted Zone: http://dynamic.abc.go.com
O15 - Trusted Zone: www.seek.com.au
O15 - Trusted Zone: http://*.turbotax.com
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} - http://support2.charter.com/sdccommo...ad/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager...EGetPlugin.ocx
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqna/downloads/sysinfo.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1093930840796
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn...tDetection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1124160269328
O16 - DPF: {85BA505F-FD01-4A91-836C-F7D502E89C9A} - http://www.evite.com/html/imageUploa...eUploader4.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/14...2/cpbrkpie.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: efcywxWn - efcywxWn.dll (file missing)
O20 - Winlogon Notify: WinCtrl32 - WinCtrl32.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LSCLFE - Unknown owner - C:\DOCUME~1\Owner\LOCALS~1\Temp\LSCLFE.exe (file missing)
O23 - Service: PD91Agent - Raxco Software, Inc. - C:\Program Files\PerfectDisk2008\PD91Agent.exe
O23 - Service: PD91Engine - Raxco Software, Inc. - C:\Program Files\PerfectDisk2008\PD91Engine.exe
O23 - Service: PD91VMDefrag - Raxco Software, Inc. - C:\Program Files\PerfectDisk2008\PD91VMDefrag.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: VLFVQCTIFWCLAQ - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Owner\LOCALS~1\Temp\VLFVQCTIFWCLAQ.exe

--
End of file - 7570 bytes

-- Files created between 2008-07-03 and 2008-08-03 -----------------------------

2008-08-03 04:10:54 0 d-------- C:\WINDOWS\Prefetch
2008-08-03 03:02:27 1845248 --a------ C:\WINDOWS\system32\win32k.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-08-02 20:24:26 0 d-------- C:\Program Files\Panda Security
2008-08-02 18:52:05 0 d-------- C:\WINDOWS\system32\dll
2008-08-02 18:03:44 0 d-------- C:\WINDOWS\system32\scripting
2008-08-02 18:03:39 0 d-------- C:\WINDOWS\l2schemas
2008-08-02 18:03:38 0 d-------- C:\WINDOWS\system32\en
2008-08-02 16:22:01 0 d-------- C:\WINDOWS\system32\CatRoot_bak
2008-08-02 14:34:36 0 d-------- C:\Documents and Settings\Administrator\Application Data\Uniblue
2008-08-02 14:05:01 0 d-------- C:\Program Files\Common Files\AnswerWorks 4.0
2008-07-27 19:37:17 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-27 12:25:06 0 d--h----- C:\$AVG8.VAULT$
2008-07-27 12:22:07 0 d-------- C:\WINDOWS\system32\drivers\Avg
2008-07-27 12:21:43 0 d-------- C:\Program Files\AVG
2008-07-27 12:21:43 0 d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-07-26 14:09:43 14417920 --a------ C:\Documents and Settings\Owner\ntuser.dat
2008-07-24 22:20:00 638976 --ahs---- C:\WINDOWS\system32\SvCeKnmp.ini2
2008-07-24 22:11:25 0 d-------- C:\Documents and Settings\Owner\Application Data\rhcgo2j0e3cg
2008-07-24 20:22:59 0 d-------- C:\Webstar Cable Modem Drivers
2008-07-23 23:38:16 0 d-------- C:\Program Files\PerformanceTest
2008-07-23 22:31:38 0 d-------- C:\Program Files\WinImage
2008-07-21 2318 0 d-------- C:\WINDOWS\system32\NtmsData
2008-07-20 21:39:55 0 --a------ C:\WINDOWS\ativpsrm.bin
2008-07-20 21:08:23 0 d-------- C:\Documents and Settings\All Users\Application Data\PC Drivers HeadQuarters
2008-07-20 20:58:14 0 d-------- C:\WINDOWS\Logs
2008-07-15 19:42:09 0 d-------- C:\Program Files\HP
2008-07-15 19:00:14 0 d-------- C:\temp
2008-07-14 12:32:21 0 d-------- C:\Program Files\Quick Screen Capture
2008-07-14 12:32:21 0 d-------- C:\MyCaptures
2008-07-12 19:18:28 0 d-------- C:\Documents and Settings\Owner\Application Data\Opera
2008-07-12 18:01:56 0 d-------- C:\Program Files\Microsoft ActiveSync
2008-07-12 17:54:42 0 d-------- C:\Program Files\Microsoft.NET
2008-07-12 17:51:58 0 dr-h----- C:\MSOCache
2008-07-12 12:40:54 0 d-------- C:\Program Files\iTunes


-- Find3M Report ---------------------------------------------------------------

2008-08-03 03:54:15 0 d-------- C:\Program Files\Messenger
2008-08-03 03:49:21 0 d-------- C:\Program Files\Windows NT
2008-08-03 03:49:18 0 d-------- C:\Program Files\Movie Maker
2008-08-03 01:38:29 0 d-------- C:\Program Files\SpywareBlaster
2008-08-02 20:16:40 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-08-02 20:02:23 0 d-------- C:\Program Files\CopyToDVD
2008-08-02 20:00:45 0 d-------- C:\Program Files\Canon Creative
2008-08-02 19:52:21 0 d-------- C:\Documents and Settings\Owner\Application Data\Corel
2008-08-02 19:51:44 0 d-------- C:\Program Files\Common Files
2008-08-02 19:42:12 0 d-------- C:\Program Files\ItsDeductibleEX
2008-08-02 14:19:16 0 d-------- C:\Program Files\MSN Encarta Plus
2008-08-02 14:15:33 0 d-------- C:\Program Files\Downloads
2008-08-02 14:05:01 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-08-02 13:32:00 0 d-------- C:\Program Files\Bonjour
2008-07-20 17:30:59 0 d-------- C:\Program Files\Doom 3
2008-07-12 17:54:41 0 d-------- C:\Program Files\Windows Messaging
2008-07-12 12:41:12 0 d-------- C:\Program Files\iPod
2008-07-12 12:38:39 0 d-------- C:\Program Files\QuickTime
2008-07-01 13:47:24 0 d-------- C:\Documents and Settings\Owner\Application Data\CopyToDvd
2008-06-02 21:05:00 593920 --a------ C:\WINDOWS\system32\ati2sgag.exe <Not Verified; ; ATI Smart>
2008-05-16 22:27:47 73216 --a------ C:\WINDOWS\ST6UNST.EXE <Not Verified; Microsoft Corporation; Microsoft® Visual Basic for Windows>

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0C8C77AF-B97A-4FD3-89C0-44098F0CDE6B}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7E156AAE-FA60-44A1-8E69-2E0E0030F1F6}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B91C0269-E0E2-4C83-BCFF-131693EB3314}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PS2"="C:\WINDOWS\system32\ps2.exe" [09/12/2003 11:13 PM]
"AGRSMMSG"="AGRSMMSG.exe" [03/04/2005 12:01 PM C:\WINDOWS\AGRSMMSG.exe]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" [07/25/2003 10:14 AM]
"WMC_AutoUpdate"="" []
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [07/10/2008 09:47 AM]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [07/27/2008 12:21 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [10/18/2006 09:05 PM]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [07/07/2008 09:42 AM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ALUAlert"=C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe
"Symantec NetDriver Warning"=C:\PROGRA~1\SYMNET~1\SNDWarn.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"=0 (0x0)
"NoDispScrSavPage"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcywxWn]
efcywxWn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WinCtrl32]
WinCtrl32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\pmnKeCvS
"Notification Packages"= scecli scecli

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winvy14.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Wireless Configuration Utility HW.14.lnk]
backup=C:\WINDOWS\pss\Wireless Configuration Utility HW.14.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\advap32]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyLinkAdvisor]
"C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
c:\windows\system\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lphclo2j0e3cg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickFinder Scheduler]
"c:\Program Files\Corel\WordPerfect Office X4\Programs\QFSCHD140.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\QTTask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMrhcgo2j0e3cg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2]
C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]

-- End of Deckard's System Scanner: finished at 2008-08-03 04:47:49 ------------
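The log above has the typical leftovers of a partially cleaned machine: BHO and Winlogon Notify entries whose DLLs are gone (the registry still points at files AVG quarantined), two services whose binaries sit in the user's Temp directory, one of them claiming to be from Sysinternals, and an extra entry after msv1_0 in the LSA "Authentication Packages" value, which is a DLL lsass.exe will load at boot. The script below is an added example, not part of the original post and not a HijackThis feature: it parses lines in this log format and reports which of those indicators fire. The sample lines are copied from the log above; the "stock Windows XP" allowlists are my own assumptions and are not authoritative, and a publisher string comes from the binary's own version resource, so it is not evidence of anything.

```python
"""Triage a HijackThis v2 log (plus the registry-dump LSA line) for leftover
persistence entries.  Added example; the allowlists below are assumptions."""
import re
from dataclasses import dataclass
from typing import List

# Sample input: lines copied from the log in the post above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {0C8C77AF-B97A-4FD3-89C0-44098F0CDE6B} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: efcywxWn - efcywxWn.dll (file missing)
O20 - Winlogon Notify: WinCtrl32 - WinCtrl32.dll (file missing)
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: LSCLFE - Unknown owner - C:\DOCUME~1\Owner\LOCALS~1\Temp\LSCLFE.exe (file missing)
O23 - Service: VLFVQCTIFWCLAQ - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Owner\LOCALS~1\Temp\VLFVQCTIFWCLAQ.exe
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\pmnKeCvS
"""


@dataclass
class Finding:
    line: str
    reason: str


# Assumptions about a stock Windows XP install (not an authoritative list).
STOCK_AUTH_PACKAGES = {"msv1_0"}
STOCK_WINLOGON_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "ScCertProp", "Schedule",
    "sclgntfy", "SensLogn", "termsrv", "wlballoon",
}

RE_BHO = re.compile(r"^O2 - BHO: (.*) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
RE_NOTIFY = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.*)$")
RE_SERVICE = re.compile(r"^O23 - Service: (.*)$")
RE_AUTH = re.compile(r'^"Authentication Packages"=\s*(.*)$')
RE_TEMP = re.compile(r"\\(LOCALS~1|Local Settings)\\Temp\\", re.IGNORECASE)


def triage(log_text: str) -> List[Finding]:
    """Return one Finding per suspicious line, naming the rule that fired."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := RE_BHO.match(line):
            # CLSID still registered but the DLL it points at is gone.
            if m.group(3) == "(no file)":
                findings.append(Finding(line, "orphaned BHO: CLSID registered, DLL missing"))
        elif m := RE_NOTIFY.match(line):
            name, target = m.groups()
            if "(file missing)" in target:
                findings.append(Finding(line, "Winlogon Notify DLL missing (quarantine leftover)"))
            elif name not in STOCK_WINLOGON_NOTIFY:
                findings.append(Finding(line, "Winlogon Notify package not in stock XP list"))
        elif m := RE_SERVICE.match(line):
            # Layout is "<name> - <publisher> - <path>"; the publisher string may
            # itself contain " - ", so take the path from the right.
            head, _, path = m.group(1).rpartition(" - ")
            _name, _, owner = head.partition(" - ")
            if RE_TEMP.search(path):
                findings.append(Finding(line, "service binary lives in a user Temp directory"))
            elif owner == "Unknown owner":
                findings.append(Finding(line, "service carries no publisher information"))
        elif m := RE_AUTH.match(line):
            # lsass.exe loads every package listed here; anything beyond msv1_0 is worth a look.
            extra = [p for p in m.group(1).split() if p not in STOCK_AUTH_PACKAGES]
            if extra:
                findings.append(Finding(line, "extra LSA authentication package(s): " + ", ".join(extra)))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[!] {f.reason}\n    {f.line}")
```

Run against the sample it reports six lines. The orphaned BHO and the two "(file missing)" Winlogon Notify entries are inert until someone recreates the DLLs, so they can be cleaned for tidiness; the two Temp-directory services and the extra LSA authentication package are the entries that would still run code at boot if their files are present, so those are the ones to check on disk first.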