BiFROSE.LA + not working Internet: res://ieframe.dll/dnserror.htm



Dutch Neon
2007-05-08, 14:53
I've been having this problem for around 4 days. 4 days ago, during an online game, my NOD32 found 2 trojans (both win32.trojandownloader.DELF.alw Trojan)

at different times that day. It quarantined them both and deleted them (it seemed they were creating unknown .exe files in my C:\ like lol.exe or test.exe). For 2 days I had no problems at all, but yesterday NOD32 warned me about a variant of the win32.trojanDownloader.small.NRS Trojan. It didn't quarantine it (it gave some link: http://zgnxgefjqj.com/dl/loadav702). I started Spybot SE and Ad-Aware SE.

This is what they found:

BiFROSE.LA --> Spybot SE

Win32.TrojanDownloader.Agent.am --> Ad Aware SE

After scanning they would 'delete it', but they both returned. So I started Safe Mode and scanned again.

Spybot SE found 2 new things besides Bifrose.LA:

1.Microst.security.internetexplorer
2.Security.internetexplorer

So after deleting them in Safe Mode, it seemed they were pretty much gone, so I started a scan tonight and it found nothing; only NOD32 found the win32.trojan downloader.small.NRS Trojan and asked me whether to delete it, yes or no. I said yes.

Today (and also yesterday) it seemed like those things were causing my internet not to work:

Almost non-working internet, blocking usage of internet games (Counter-Strike: Source) (online only). Same for Outlook Express, Internet Explorer etc.

95% of the time it doesn't even try to load the site but automatically loads the link below; so when I press Enter, it starts loading this:

res://ieframe.dll/dnserror.htm

mIRC mostly tries to load and says buffer space not available, which means that mIRC can't connect to a server because there are too many connections open or you have too many networks open.

According to the scans this morning, everything is gone, but I still keep getting a non-working internet (on every account on my PC).

Here are the logs (as my internet isn't working right, I'll post the logs here, because when I try to upload them, they won't upload (that error again, and this post would be gone --> copied it :P)


Edit: Uploaded

Dutch Neon
2007-05-08, 15:00
Also, sorry that I didn't use HJT 1.99, but I have a hard time getting online with this PC (refreshing a lot and sometimes it works). I'll try finding HJT 1.99.

Besides this, I don't know how I got those trojans; I think it has to do with www.demonoid.com (torrent site).

Dutch Neon
2007-05-08, 15:04
It seems I have a working connection at this moment (maybe it could go off again soon).

Here's the 1.99.1 log (uploaded).

Mr_JAk3
2007-05-17, 21:31
Hello Dutch Neon and welcome to the Forums :)

Sorry for the delay; I noticed the post in the waiting room...

You're infected; one or more of the identified infections steal information. If this system is used for online banking or has credit card information on it, all passwords should be changed immediately by using a different computer (not the infected one!) to make the changes. Banking and credit card institutions, if any, should be notified of the possible security breach. I suggest that you read this (http://www.dslreports.com/faq/10451) article too.


Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.zip) and save it to your desktop.

Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

In Safe Mode, right-click the SDFix.zip folder and choose Extract All.
Open the extracted folder and double click RunThis.bat to start the script.
Type Y to begin the script.
It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
Your system will take longer than normal to restart as the fixtool will be running and removing files.
When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
Finally, open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log.

Dutch Neon
2007-05-17, 23:32
Ok, I did the things you said. When I tried to access the internet after the SDFix scan it seemed my internet wasn't working anymore, but when it finally loaded up (my start page) it worked and was faster (loading pages). Now it's normal again; don't know what the reason was. Logs:


SDFix log:


SDFix: Version 1.84

Run by Alexander Reen - do 17-05-2007 - 21:55:11,48

Microsoft Windows XP [versie 5.1.2600]

Running From: C:\SDFix\SDFix

Safe Mode:
Checking Services:






Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\Documents and Settings\Alexander Reen\Application Data\addon.dat - Deleted
C:\WINDOWS\system32\win32sys.exe - Deleted



Removing Temp Files...

ADS Check:

Checking if ADS is attached to system32 Folder
C:\WINDOWS\system32
No streams found.

Checking if ADS is attached to svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:enabled:Hulp op afstand"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:enabled:Windows Messenger"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:enabled:MSN Messenger"
"C:\\Program Files\\CA\\eTrust Antivirus\\InocIT.exe"="C:\\Program Files\\CA\\eTrust Antivirus\\InocIT.exe:*:enabled:eTrust Antivirus - Local Scanner"
"C:\\Program Files\\CA\\eTrust Antivirus\\Realmon.exe"="C:\\Program Files\\CA\\eTrust Antivirus\\Realmon.exe:*:enabled:eTrust Antivirus - Realtime monitor"
"C:\\Program Files\\CA\\eTrust Antivirus\\InoRpc.exe"="C:\\Program Files\\CA\\eTrust Antivirus\\InoRpc.exe:*:enabled:eTrust Antivirus - RPC Server"
"C:\\Program Files\\NetMeeting\\Conf.exe"="C:\\Program Files\\NetMeeting\\Conf.exe:*:enabled:NetMeeting"
"C:\\Program Files\\Ahead\\Nero MediaHome\\NeroMediaHome.exe"="C:\\Program Files\\Ahead\\Nero MediaHome\\NeroMediaHome.exe:*:enabled:Nero MediaHome"
"C:\\WINDOWS\\system32\\win32sys.exe"="C:\\WINDOWS\\system32\\win32sys.exe:*:Enabled:win32sys"
"C:\\Program Files\\Xfire\\Xfire.exe"="C:\\Program Files\\Xfire\\Xfire.exe:*:Enabled:Xfire"
"C:\\Program Files\\Valve\\Steam\\SteamApps\\toxicrevolved\\counter-strike source\\hl2.exe"="C:\\Program Files\\Valve\\Steam\\SteamApps\\toxicrevolved\\counter-strike source\\hl2.exe:*:Enabled:hl2"
"C:\\Program Files\\mIRC\\mirc.exe"="C:\\Program Files\\mIRC\\mirc.exe:*:Enabled:mIRC"
"C:\\Program Files\\EA Games\\Command & Conquer The First Decade\\Command & Conquer Renegade(tm)\\Renegade\\game2.exe"="C:\\Program Files\\EA Games\\Command & Conquer The First Decade\\Command & Conquer Renegade(tm)\\Renegade\\game2.exe:*:Enabled:Renegade"
"C:\\Program Files\\GameSpy Arcade\\Aphex.exe"="C:\\Program Files\\GameSpy Arcade\\Aphex.exe:*:Enabled:GameSpy Arcade"
"C:\\Program Files\\BitLord\\BitLord.exe"="C:\\Program Files\\BitLord\\BitLord.exe:*:Enabled:BitLord"
"C:\\Program Files\\EA Games\\Command & Conquer The First Decade\\Command & Conquer(tm) Generals Zero Hour\\generals.exe"="C:\\Program Files\\EA Games\\Command & Conquer The First Decade\\Command & Conquer(tm) Generals Zero Hour\\generals.exe:*:Enabled:generals"
"C:\\Program Files\\Call of Duty\\CoDUOMP.exe"="C:\\Program Files\\Call of Duty\\CoDUOMP.exe:*:Enabled:CoDUOMP"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"C:\\Documents and Settings\\Alexander Reen\\Local Settings\\Temp\\empires_dmw.exe"="C:\\Documents and Settings\\Alexander Reen\\Local Settings\\Temp\\empires_dmw.exe:*:Enabled:empires_dmw"
"C:\\Program Files\\EA Games\\Command & Conquer The First Decade\\Command & Conquer Renegade(tm)\\Mod - APathBeyond\\renalert.exe"="C:\\Program Files\\EA Games\\Command & Conquer The First Decade\\Command & Conquer Renegade(tm)\\Mod - APathBeyond\\renalert.exe:*:Enabled:Renegade"
"C:\\Program Files\\Sierra\\Ground Control Anthology\\gcii.exe"="C:\\Program Files\\Sierra\\Ground Control Anthology\\gcii.exe:*:Enabled:Ground Control II"
"C:\\Program Files\\EA Games\\The Battle for Middle-earth (tm)\\game.dat"="C:\\Program Files\\EA Games\\The Battle for Middle-earth (tm)\\game.dat:*:Enabled:The Battle for Middle-earth (tm)"
"C:\\Program Files\\Valve\\Steam\\SteamApps\\toxicrevolved\\half-life 2 deathmatch\\hl2.exe"="C:\\Program Files\\Valve\\Steam\\SteamApps\\toxicrevolved\\half-life 2 deathmatch\\hl2.exe:*:Enabled:hl2"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:enabled:Hulp op afstand"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:enabled:Windows Messenger"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:enabled:MSN Messenger"
"C:\\Program Files\\CA\\eTrust Antivirus\\InocIT.exe"="C:\\Program Files\\CA\\eTrust Antivirus\\InocIT.exe:*:enabled:eTrust Antivirus - Local Scanner"
"C:\\Program Files\\CA\\eTrust Antivirus\\Realmon.exe"="C:\\Program Files\\CA\\eTrust Antivirus\\Realmon.exe:*:enabled:eTrust Antivirus - Realtime monitor"
"C:\\Program Files\\CA\\eTrust Antivirus\\InoRpc.exe"="C:\\Program Files\\CA\\eTrust Antivirus\\InoRpc.exe:*:enabled:eTrust Antivirus - RPC Server"
"C:\\Program Files\\NetMeeting\\Conf.exe"="C:\\Program Files\\NetMeeting\\Conf.exe:*:enabled:NetMeeting"
"C:\\Program Files\\Ahead\\Nero MediaHome\\NeroMediaHome.exe"="C:\\Program Files\\Ahead\\Nero MediaHome\\NeroMediaHome.exe:*:enabled:Nero MediaHome"


Remaining Files:
---------------

Backups Folder: - C:\SDFix\SDFix\backups\backups.zip

Checking For Files with Hidden Attributes:

C:\WINDOWS\system32\winb0x\winb0x.exe
C:\Program Files\Common Files\X10\Common\x10prod.sys

Finished





HiJackThis Log:

Logfile of HijackThis v1.99.1
Scan saved at 22:31:57, on 17-5-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Home Cinema\PowerCinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Home Cinema\PowerCinema\Kernel\TV\CLSched.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Home Cinema\PowerCinema\PCMService.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Sitecom\Sitecom WLAN\WLANUTL.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Xfire\Xfire.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Anti-Malware exes\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Home Cinema\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\IGN\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: Adobe Reader Snelle start.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Sitecom WLAN Client Utility.lnk = ?
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=IStart
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://simcity.ea.com/update/EARTPX.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1137485512046
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1137485687609
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.com/update/MaxisSimCity4PatcherX.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\Home Cinema\PowerCinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\Home Cinema\PowerCinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindService.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
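
The Authorized Application Key Export in the SDFix report above is worth a second look: the exception for C:\WINDOWS\system32\win32sys.exe (the file SDFix deleted) is still in the list, and another exception points into a user's Temp folder. As an added example, not code from SDFix or from this thread, the Python below parses such a .reg export into path, scope, status and friendly name and flags enabled exceptions whose executable is in a Temp directory or no longer exists; the sample lines are copied from the report, and the set of files still present is a constructed stand-in for the disk.

```python
import os
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Constructed sample: four lines taken from the StandardProfile export in the
# SDFix report above. Registry exports double every backslash.
SAMPLE_EXPORT = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:enabled:Hulp op afstand"
"C:\\Program Files\\mIRC\\mirc.exe"="C:\\Program Files\\mIRC\\mirc.exe:*:Enabled:mIRC"
"C:\\WINDOWS\\system32\\win32sys.exe"="C:\\WINDOWS\\system32\\win32sys.exe:*:Enabled:win32sys"
"C:\\Documents and Settings\\Alexander Reen\\Local Settings\\Temp\\empires_dmw.exe"="C:\\Documents and Settings\\Alexander Reen\\Local Settings\\Temp\\empires_dmw.exe:*:Enabled:empires_dmw"
'''

# Constructed stand-in for the file system after the SDFix run: win32sys.exe was
# deleted by SDFix and the Temp installer is gone; the other two remain.
FILES_PRESENT = {
    r"C:\WINDOWS\system32\sessmgr.exe",
    r"C:\Program Files\mIRC\mirc.exe",
}

# One "key"="value" line of a .reg export; escape sequences are kept for unescaping.
ENTRY_RE = re.compile(r'^"(?P<key>(?:[^"\\]|\\.)*)"="(?P<value>(?:[^"\\]|\\.)*)"$')
# Any path component named Temp or Tmp (user Temp folders, %windir%\Temp).
TEMP_DIR_RE = re.compile(r"\\(?:temp|tmp)\\", re.IGNORECASE)


@dataclass
class FirewallException:
    profile: str          # StandardProfile or DomainProfile
    path: str             # executable the exception applies to
    scope: str            # '*' = any remote address, otherwise a LocalSubNet/IP list
    enabled: bool
    name: str             # friendly name shown in the firewall UI
    findings: List[str] = field(default_factory=list)


def _unescape(reg_string: str) -> str:
    """Undo .reg escaping: an escaped quote and a doubled backslash become one char each."""
    return reg_string.replace('\\"', '"').replace("\\\\", "\\")


def _split_value(value: str):
    r"""Split 'C:\dir\app.exe:*:Enabled:Friendly name' into its four fields.

    The path carries the drive colon, so a plain split on ':' yields the drive
    letter as its own piece; it is glued back onto the path.
    """
    parts = value.split(":")
    if len(parts[0]) == 1 and len(parts) >= 2:   # 'C' + ':' + '\dir\app.exe'
        path, rest = parts[0] + ":" + parts[1], parts[2:]
    else:                                         # no drive letter (e.g. %ProgramFiles%\...)
        path, rest = parts[0], parts[1:]
    if len(rest) < 2:
        raise ValueError(f"malformed AuthorizedApplications value: {value!r}")
    scope, status, name = rest[0], rest[1], ":".join(rest[2:])
    return path, scope, status.lower() == "enabled", name


def parse_export(text: str, files_present: Optional[Set[str]] = None) -> List[FirewallException]:
    """Parse the AuthorizedApplications export and attach findings to each entry.

    files_present simulates the disk for offline use; with None the real file
    system is consulted, which only makes sense on the machine being cleaned.
    """
    present = None if files_present is None else {p.lower() for p in files_present}
    results: List[FirewallException] = []
    profile = "?"
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            parts = line[1:-1].split("\\")   # ...\FirewallPolicy\<Profile>\AuthorizedApplications\List
            profile = parts[-3] if len(parts) >= 3 else line
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        key = _unescape(m.group("key"))
        path, scope, enabled, name = _split_value(_unescape(m.group("value")))
        entry = FirewallException(profile, path, scope, enabled, name)
        if key.lower() != path.lower():
            entry.findings.append("key and value name different executables")
        if TEMP_DIR_RE.search(path):
            entry.findings.append("executable lives in a Temp directory")
        on_disk = os.path.isfile(path) if present is None else path.lower() in present
        if not on_disk:
            entry.findings.append("executable no longer on disk (stale exception)")
        results.append(entry)
    return results


def suspicious(exceptions: List[FirewallException]) -> List[FirewallException]:
    """Only enabled exceptions with at least one finding need follow-up."""
    return [e for e in exceptions if e.enabled and e.findings]


if __name__ == "__main__":
    for e in suspicious(parse_export(SAMPLE_EXPORT, FILES_PRESENT)):
        print(f"{e.profile}: {e.path} ({e.name}) -> {'; '.join(e.findings)}")
```

Run against a live export on the affected machine with files_present=None, the same code checks the real file system instead of the constructed set.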

Mr_JAk3
2007-05-18, 22:16
Ok let's see...

Go to virustotal.com (http://www.virustotal.com)
Copy the following to the box next to the "Browse" button:
C:\WINDOWS\system32\winb0x\winb0x.exe
Click on Send
Wait for the scan to end.

Copy & Paste the scan results to here.

Dutch Neon
2007-05-19, 01:53
I think the log is a bit hard to read, so I also uploaded a pic of the log in Office 2007.

--------

Complete scanning result of "winb0x.exe", received in VirusTotal at 05.19.2007, 00:34:12 (CET).
Antivirus Version Update Result
AhnLab-V3 2007.5.16.1 05.18.2007 no virus found
AntiVir 7.4.0.23 05.18.2007 ADSPY/DollarRvenue.J
Authentium 4.93.8 05.18.2007 is a security risk or a "backdoor" program
Avast 4.7.997.0 05.18.2007 no virus found
AVG 7.5.0.467 05.18.2007 BackDoor.Generic6.CID
BitDefender 7.2 05.18.2007 MemScan:Backdoor.Bifrose.NQ
CAT-QuickHeal 9.00 05.18.2007 no virus found
ClamAV devel-20070416 05.18.2007 Trojan.Pakes-248
DrWeb 4.33 05.18.2007 no virus found
eSafe 7.0.15.0 05.17.2007 Win32.Bifrose.acs
eTrust-Vet 30.7.3643 05.18.2007 no virus found
Ewido 4.0 05.18.2007 Adware.DollarRvenue
FileAdvisor 1 05.19.2007 High threat detected
Fortinet 2.85.0.0 05.18.2007 suspicious
F-Prot 4.3.2.48 05.18.2007 W32/Backdoor
F-Secure 6.70.13030.0 05.18.2007 Backdoor.Win32.Bifrose.acs
Ikarus T3.1.1.7 05.18.2007 Backdoor.VB.EV
Kaspersky 4.0.2.24 05.19.2007 Backdoor.Win32.Bifrose.acs
McAfee 5034 05.18.2007 BackDoor-CEP.svr
Microsoft 1.2503 05.18.2007 no virus found
NOD32v2 2277 05.18.2007 no virus found
Norman 5.80.02 05.18.2007 W32/Smalldoor.ANRN
Panda 9.0.0.4 05.18.2007 Generic Backdoor
Prevx1 V2 05.19.2007 no virus found
Sophos 4.17.0 05.18.2007 no virus found
Sunbelt 2.2.907.0 05.17.2007 VIPRE.Suspicious
Symantec 10 05.19.2007 no virus found
TheHacker 6.1.6.118 05.18.2007 Backdoor/Bifrose.acs
VBA32 3.12.0 05.18.2007 no virus found
VirusBuster 4.3.7:9 05.18.2007 no virus found
Webwasher-Gateway 6.0.1 05.18.2007 Ad-Spyware.DollarRvenue.J
Aditional Information
File size: 1236071 bytes
MD5: 8a58e166e21c1ae90d3f965fd1269469
SHA1: dcfc2d6403bbea2440edd07285d31c0b2a47e8f0
Bit9 info: http://fileadvisor.bit9.com/services/extinfo.aspx?md5=8a58e166e21c1ae90d3f965fd1269469
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.

Dutch Neon
2007-05-19, 02:02
Tried to check the pic but it's a bit small; here's the link to the scan (I don't know if this works):

http://www.virustotal.com/vt/en/resultadof?cb6663f5fb8d6564fefd070f6dad4d95

Mr_JAk3
2007-05-19, 19:47
Hello :)

Ok, the file is definitely a bad one...

Make your hidden files visible:
Go to My Computer
Select the Tools menu and click Folder Options
Click the View tab.
Checkmark the "Display the contents of system folders"
Under the Hidden files and folders select "Show hidden files and folders"
Uncheck "Hide protected operating system files"
Click Apply and then OK, and close My Computer.

Then Go to My Computer:

Navigate to C:\WINDOWS\system32\winb0x folder. Are there any other files/folders inside?

Dutch Neon
2007-05-19, 22:41
Only winb0x.exe

Hard to post again because it seems my ISP is working on stuff, as usual in the weekend -_- so my internet is kind of screwed.

Mr_JAk3
2007-05-20, 19:59
Hello :)

When you're ready we'll continue with this:

1. Download this file - combofix.exe (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Dutch Neon
2007-05-21, 14:45
Here ya go :)

"Alexander Reen" - 2007-05-21 13:46:00 Service Pack 2
ComboFix 07-05.21.6.V - Running from: "C:\Program Files\Anti-Malware exes\"


((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-21 ))))))))))))))))))))))))))))))))))


2007-05-21 13:44 <DIR> dr-h----- C:\DOCUME~1\ALEXAN~1\Onlangs geopend
2007-05-14 16:26 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Trymedia
2007-05-12 13:04 <DIR> d-------- C:\Program Files\Alcohol Soft
2007-05-09 17:58 <DIR> d-------- C:\Program Files\Call of Duty
2007-05-08 19:51 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2007-05-08 00:05 <DIR> d-------- C:\Program Files\Anti-Malware exes
2007-05-07 20:57 <DIR> dr-h----- C:\DOCUME~1\ADMINI~1\Onlangs geopend
2007-05-07 19:11 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Lavasoft
2007-05-07 19:10 2,097,152 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-05-07 19:10 <DIR> dr------- C:\DOCUME~1\ADMINI~1\Mijn documenten
2007-05-07 19:10 <DIR> dr------- C:\DOCUME~1\ADMINI~1\Menu Start
2007-05-07 19:10 <DIR> dr------- C:\DOCUME~1\ADMINI~1\Favorieten
2007-05-07 19:10 <DIR> d--h----- C:\DOCUME~1\ADMINI~1\Sjablonen
2007-05-07 19:10 <DIR> d--h----- C:\DOCUME~1\ADMINI~1\Netwerkprinteromgeving
2007-05-07 19:10 <DIR> d---s---- C:\DOCUME~1\ADMINI~1\UserData
2007-05-07 19:10 <DIR> d-------- C:\DOCUME~1\ADMINI~1\WINDOWS
2007-05-07 19:10 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Bureaublad
2007-05-07 19:10 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\CyberLink
2007-05-07 19:10 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Ahead
2007-05-07 15:58 <DIR> d--h----- C:\WINDOWS\system32\winb0x
2007-05-05 02:56 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-05-05 02:55 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-05-02 12:54 <DIR> d-------- C:\DOCUME~1\ALEXAN~1\APPLIC~1\Lionhead Studios
2007-05-02 12:21 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lionhead Studios
2007-05-02 12:17 <DIR> d--hs---- C:\WINDOWS\ftpcache
2007-05-01 21:28 <DIR> d-------- C:\DOCUME~1\ALEXAN~1\APPLIC~1\WinRAR
2007-04-28 01:37 <DIR> d-------- C:\Program Files\SystemRequirementsLab
2007-04-27 15:30 <DIR> d-------- C:\DOCUME~1\ALEXAN~1\APPLIC~1\MusicIP
2007-04-24 21:24 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\renguard
2007-04-23 19:35 <DIR> d-------- C:\DOCUME~1\ALEXAN~1\APPLIC~1\Hamachi
2007-04-23 19:34 26,056 --a------ C:\WINDOWS\system32\drivers\hamachi.sys
2007-04-23 19:34 <DIR> d-------- C:\Program Files\Hamachi
2007-04-23 12:16 <DIR> d-------- C:\Program Files\THQ
2007-04-23 12:14 <DIR> d-------- C:\DOCUME~1\ALEXAN~1\APPLIC~1\InstallShield


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-20 23:27:09 -------- d-----w C:\DOCUME~1\ALEXAN~1\APPLIC~1\Xfire
2007-05-20 23:26:50 -------- d-----w C:\Program Files\mIRC
2007-05-20 23:23:53 -------- d-----w C:\Program Files\SpywareGuard
2007-05-20 23:23:48 -------- d-----w C:\Program Files\SpywareBlaster
2007-05-20 15:32:59 -------- d-----w C:\Program Files\GameSpy Arcade
2007-05-20 15:21:45 -------- d-s---w C:\Program Files\Xfire
2007-05-19 11:55:20 -------- d-----w C:\Program Files\Winamp
2007-05-18 16:04:05 -------- d-----w C:\Program Files\Guild Wars
2007-05-17 19:37:45 -------- d-----w C:\Program Files\EA Games
2007-05-12 18:40:46 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-02 10:51:05 163,644 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-04-28 00:05:11 -------- d-----w C:\DOCUME~1\ALEXAN~1\APPLIC~1\IGN_DLM
2007-04-20 18:19:33 -------- d-----w C:\Program Files\Google
2007-04-11 12:47:31 1,100 ----a-w C:\WINDOWS\system32\d3d8caps.dat
2007-04-11 12:47:13 -------- d-----w C:\DOCUME~1\ALEXAN~1\APPLIC~1\ATI
2007-04-11 12:38:55 1,324 ----a-w C:\WINDOWS\system32\d3d9caps.dat
2007-04-10 17:33:27 -------- d-----w C:\DOCUME~1\ALEXAN~1\APPLIC~1\atitray
2007-04-10 17:22:43 451,072 ----a-w C:\WINDOWS\Radeon Omega Drivers v3.8.252 Uninstall.exe
2007-04-07 10:25:59 98,304 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-04-04 05:17:58 81,106 ----a-w C:\WINDOWS\system32\perfc013.dat
2007-04-04 05:17:58 464,854 ----a-w C:\WINDOWS\system32\perfh013.dat
2007-04-03 11:20:10 -------- d-----w C:\DOCUME~1\ALEXAN~1\APPLIC~1\Command & Conquer 3 Tiberium Wars
2007-04-03 07:51:18 -------- d--h--r C:\DOCUME~1\ALEXAN~1\APPLIC~1\SecuROM
2007-04-03 07:51:17 98,304 ----a-w C:\WINDOWS\system32CmdLineExt.dll
2007-03-30 14:47:19 1,097 ----a-w C:\WINDOWS\eReg.dat
2007-03-23 14:41:11 -------- d-----w C:\DOCUME~1\ALEXAN~1\APPLIC~1\MAGIX
2007-03-23 14:29:43 101,376 ----a-w C:\WINDOWS\system32\drivers\ACEDRV07.sys
2007-03-17 16:34:51 -------- d-----w C:\DOCUME~1\ALEXAN~1\APPLIC~1\GetRightToGo
2007-03-17 13:45:54 293,376 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-16 13:36:08 -------- d-----w C:\DOCUME~1\ALEXAN~1\APPLIC~1\DivX
2007-03-11 16:22:27 -------- d-----w C:\DOCUME~1\ALEXAN~1\APPLIC~1\My Games
2007-03-08 23:52:05 4,096 ----a-w C:\WINDOWS\d3dx.dat
2007-03-08 15:39:10 579,072 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:39:10 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:39:10 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 15:37:59 1,843,712 ----a-w C:\WINDOWS\system32\win32k.sys
2007-03-07 23:51:00 43,528 ------w C:\WINDOWS\system32\drivers\PxHelp20.sys
2007-03-07 23:51:00 129,784 ------w C:\WINDOWS\system32\pxafs.dll
2007-02-19 00:02:43 286,720 ------w C:\WINDOWS\Setup1.exe
2007-02-19 00:02:41 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2007-02-15 14:02:42 61 --sh--w C:\WINDOWS\cnerolf.dat
2007-02-08 15:01:25 2,560 ----a-w C:\WINDOWS\_MSRSTRT.EXE
2007-02-05 20:20:07 185,344 ----a-w C:\WINDOWS\system32\upnphost.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2006-01-12 20:38]
{4A368E80-174F-4872-96B5-0B27DDD11DB2}=C:\Program Files\SpywareGuard\dlprotect.dll [2003-08-02 23:24]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll [2005-11-10 14:22]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar3.dll [2007-01-20 00:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" []
"VTTimer"="VTTimer.exe" [2004-01-15 14:33 C:\WINDOWS\system32\VTTimer.exe]
"PCMService"="C:\Program Files\Home Cinema\PowerCinema\PCMService.exe" [2005-06-07 16:48]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-06-08 23:31]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2006-10-20 18:40]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 16:41]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-05-15 00:22]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\valve\steam\steam.exe" [2007-01-09 08:18]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00]
"igndlm.exe"="C:\Program Files\IGN\Download Manager\DLM.exe" [2007-03-05 14:57]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 17:45]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-01-28 03:40]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 23:53]

*Newly Created Service* -PROCEXP90

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-21 13:47:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


********************************************************************

Completion time: 2007-05-21 13:48:16

--- E O F ---

Mr_JAk3
2007-05-21, 21:28
Hi again, we'll continue :)

You should print these instructions or save these to a text file. Follow these instructions carefully.

Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
Install AVG Anti-Spyware by double clicking the installer.
Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
On the main screen under Your Computer's security.
Click on Change state next to Resident shield. It should now change to inactive.
Click on Change state next to Automatic updates. It should now change to inactive.
Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
Wait until you see the Update successful message.
Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates (http://www.ewido.net/en/download/updates/).
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.

Download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.
Do NOT run yet.

==================

Restart your computer to the safe mode:
Restart your computer
Start tapping the F8 key when the computer restarts.
When the start menu opens, choose Safe mode
Press Enter. The computer then begins to start in Safe mode.

Go to the My Computer and delete the following folders (if present):
C:\WINDOWS\system32\winb0x

Run ATF Cleaner. Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
Click on Scanner on the toolbar.
Click on the Settings tab.
Under How to act?
Click on Recommended Action and choose Quarantine from the popup menu.
Under How to scan?
All checkboxes should be ticked.
Under Possibly unwanted software:
All checkboxes should be ticked.
Under Reports:
Select Automatically generate report after every scan and uncheck Only if threats were found.
Under What to scan?
Select Scan every file.
Click on the Scan tab.
Click on Complete System Scan to start the scan process.
Let the program scan the machine.
When the scan has finished, follow the instructions below.
IMPORTANT: Don't click on the "Save Scan Report" button before you have clicked the "Apply all Actions" button.
Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
At the bottom of the window click on the Apply all Actions button. (3)
http://img509.imageshack.us/img509/4851/scanavgjk2.jpg
When done, click the Save Scan Report button. (4)
Click the Save Report as button.
Save the report to your Desktop.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.

================

When you're ready, please post the following logs to here:
- AVG's report
- a fresh HijackThis log

Dutch Neon
2007-05-22, 13:19
It quarantined a backup of SDFix :S

Anyway, here are the logs:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 12:15:55 22-5-2007

+ Scan result:



C:\System Volume Information\_restore{9884CFFA-18EB-4D1F-A40F-24774AC0337E}\RP493\A0133759.exe -> Adware.DollarRvenue : Cleaned with backup (quarantined).
C:\Program Files\Anti-Malware exes\SDFix\backups\backups.zip/backups/win32sys.exe -> Backdoor.Sdbot : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9884CFFA-18EB-4D1F-A40F-24774AC0337E}\RP465\A0123602.exe -> Backdoor.Sdbot : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9884CFFA-18EB-4D1F-A40F-24774AC0337E}\RP473\A0129400.exe -> Backdoor.Sdbot : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9884CFFA-18EB-4D1F-A40F-24774AC0337E}\RP488\A0132724.exe -> Backdoor.Sdbot : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9884CFFA-18EB-4D1F-A40F-24774AC0337E}\RP488\A0132728.exe -> Backdoor.Sdbot : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9884CFFA-18EB-4D1F-A40F-24774AC0337E}\RP470\A0126092.exe/lol.exe -> Downloader.Delf.alw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9884CFFA-18EB-4D1F-A40F-24774AC0337E}\RP470\A0126135.exe/lol.exe -> Downloader.Delf.alw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9884CFFA-18EB-4D1F-A40F-24774AC0337E}\RP469\A0125958.exe -> Logger.BuffaMov.c : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9884CFFA-18EB-4D1F-A40F-24774AC0337E}\RP487\A0132277.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9884CFFA-18EB-4D1F-A40F-24774AC0337E}\RP487\A0132360.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9884CFFA-18EB-4D1F-A40F-24774AC0337E}\RP489\A0132968.exe -> Trojan.Small : Cleaned with backup (quarantined).


::Report end


HIJACKTHIS:

Logfile of HijackThis v1.99.1
Scan saved at 12:21:22, on 22-5-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Home Cinema\PowerCinema\PCMService.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Sitecom\Sitecom WLAN\WLANUTL.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Anti-Malware exes\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Home Cinema\PowerCinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Home Cinema\PowerCinema\Kernel\TV\CLSched.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Anti-Malware exes\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Home Cinema\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\IGN\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: Adobe Reader Snelle start.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Sitecom WLAN Client Utility.lnk = ?
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=IStart
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://simcity.ea.com/update/EARTPX.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1137485512046
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1137485687609
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.com/update/MaxisSimCity4PatcherX.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Anti-Malware exes\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\Home Cinema\PowerCinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\Home Cinema\PowerCinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindService.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

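Added example, not part of the thread or of HijackThis itself: a small Python audit of the HijackThis log layout posted above. It parses the O4 autostart and O23 service lines, and flags entries whose target is missing, whose executable is a bare file name resolved via the search path, whose service owner is unknown, or whose path lies in the winb0x folder the helper asked to have deleted. The log excerpt is constructed from lines in the post; the winb0x entry and its file name are placeholders.

```python
import re

# Constructed excerpt in the layout of the HijackThis v1.99.1 log posted above.
# The O4 entry named "constructed" is not from the log: it points into the winb0x
# folder the helper asked to have deleted, with a placeholder file name.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Eset\nod32kui.exe

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\IGN\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [constructed] C:\WINDOWS\system32\winb0x\PLACEHOLDER.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
"""

# O4 lines: "O4 - <hive>\..\Run: [<name>] <command line>"
O4_RE = re.compile(r'^O4 - (?P<where>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# O23 lines: "O23 - Service: <display name> - <owner> - <path>"
O23_RE = re.compile(r'^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$')
# First executable in a command line, with or without surrounding quotes.
EXE_RE = re.compile(r'^"?(?P<exe>.*?\.exe)"?', re.IGNORECASE)

# Folder named in the thread as belonging to the infection (lower-case for matching).
SUSPECT_DIRS = (r'c:\windows\system32\winb0x',)


def audit(log_text):
    """Return (kind, name, reason) tuples for entries a reviewer should look at."""
    findings = []
    for line in log_text.splitlines():
        if '(file missing)' in line:
            # HijackThis marks registrations whose target no longer exists.
            findings.append((
                'dangling', line.split(' - ')[0],
                'target no longer exists; stale registration worth removing'))
        m = O4_RE.match(line)
        if m:
            exe_m = EXE_RE.match(m['cmd'])
            exe = exe_m['exe'] if exe_m else m['cmd']
            if any(exe.lower().startswith(d) for d in SUSPECT_DIRS):
                findings.append((
                    'autostart', m['name'],
                    'launches from a folder the cleanup removed'))
            elif '\\' not in exe:
                findings.append((
                    'autostart', m['name'],
                    'bare file name, resolved via search path; confirm location'))
            continue
        m = O23_RE.match(line)
        if m and m['owner'] == 'Unknown owner':
            findings.append((
                'service', m['name'],
                'no company name in file version info; verify the binary'))
    return findings


if __name__ == '__main__':
    for kind, name, reason in audit(SAMPLE_LOG):
        print(f'{kind:10} {name:15} {reason}')
```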
Mr_JAk3
2007-05-22, 21:49
Hello :)

Looks much better. How is the computer running?

We'll run one more scanner just in case...

You should print these instructions or save these to a text file. Follow these instructions carefully.

Download Dr.Web CureIt to the desktop -> ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

Restart your computer to the safe mode:
Restart your computer
Start tapping the F8 key when the computer restarts.
When the start menu opens, choose Safe mode
Press Enter. The computer then begins to start in Safe mode.
Run a scan with Dr.Web CureIt: double-click the drweb-cureit.exe file and allow it to run the express scan.
This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
Once the short scan has finished, you should now mark the drives that you want to scan.
Select all drives. A red dot shows which drives have been chosen.
Click the green arrow at the right, and the scan will start.
Click 'Yes to all' if it asks if you want to cure/move the file.

When the scan has finished, check whether you can click the next icon next to the files found http://users.telenet.be/bluepatchy/miekiemoes/images/check.gif
If so, click it and then click the next icon right below and select Move incurable
After the scan, in the menu, click file and choose save report list
Save the report to your desktop. The report will be called DrWeb.csv
Close Dr.Web Cureit.
Reboot the computer in Normal Mode.
Post the Cure-it report and a fresh HijackThis log

Dutch Neon
2007-05-23, 22:43
The scan found 2 normal programs ( 1 normal program, 1 registry key ). Besides that it found the same trojan again, but it doesn't show up in the csv file ( got a pic of the scan, so I'm not sure if it deleted it or moved it )

http://img99.imageshack.us/img99/2991/ghgfhgfli1.png

Scan:

Process.exe;C:\Program Files\Anti-Malware exes\SDFix\apps;Tool.Prockill;Incurable.Moved.;

Mr_JAk3
2007-05-24, 16:14
Ok nothing bad there.

How is the computer running? :bigthumb:

Dutch Neon
2007-05-24, 16:49
Fine ( normal ), but isn't that backdoor Trojan a bad file? I'm not sure if it deleted it :)

Mr_JAk3
2007-05-24, 21:53
Hi again, it is looking clean now :)

The backdoor leftover is easily cleaned, see system restore cleaning from my "stay clean" list below

Now you can clean AVG's Quarantine:
Open AVG Anti-Spyware
Click Infections
Click Quarantine tab
Click Select all
Click Remove finally
Close the program
You can remove the tools we used.

Then you should update your Java to the latest version (6u1):
Start
Control Panel
Add/Remove Programs
Delete the old Java, J2SE Runtime Environment 5.0 Update 6
Download the latest version of Java Runtime Environment (JRE) 6u1 (http://java.sun.com/javase/downloads/index.jsp).
Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications."
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement."
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Install it

Now you can make your hidden files hidden again.
Go to My Computer
Select the Tools menu and click Folder Options
Click the View tab.
Checkmark the "Display the contents of system folders"
Under the Hidden files and folders select "Show hidden files and folders"
Check "Hide protected operating system files"
Click Apply and then the OK and close My Computer.

=============

Now that you seem to be clean, please follow these simple steps in order to keep your computer clean and secure:
Clear your system restore (http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx)
This will clear the system restore folders from possible malware that was left behind during the cleaning process.

Use ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1)
Download and install ATF Cleaner. Clean your temporary files & folders with it regularly.

Use Ad-Aware (http://www.bleepingcomputer.com/forums/?showtutorial=48)
Download and install Ad-Aware. Update it and scan your computer regularly with it.

Use AVG Anti-Spyware (http://www.ewido.net/en/)
Download and install AVG Anti-Spyware. Update it and scan your computer regularly with it.

Use Spybot S&D (http://www.bleepingcomputer.com/forums/?showtutorial=43)
Download and install Spybot S&D. Update it and scan your computer regularly with it.

Install SpywareBlaster (http://www.bleepingcomputer.com/tutorials/tutorial49.html)
SpywareBlaster will prevent spyware from being installed.

Install MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm)
This prevents your computer from connecting to harmful sites.

Use Firefox browser (http://www.mozilla.org)
Firefox is a faster and more secure browser than Internet Explorer.

Keep your system up-to-date (http://windowsupdate.microsoft.com)
Visit Windows Update regularly. How to enable Automatic Updates? (http://www.bleepingcomputer.com/tutorials/tutorial35.html)

Keep your antivirus (http://forum.malwareremoval.com/viewtopic.php?p=53#53) and firewall (http://forum.malwareremoval.com/viewtopic.php?p=56#56) up-to-date
Scan your computer regularly with your antivirus software.

Read this article by TonyKlein (http://forums.spybot.info/showthread.php?t=279)
So how did I get infected in the first place?

Stand Up and Be Counted ! (http://www.malwarecomplaints.info/index.php)
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.


Stay clean and be safe ;)

Dutch Neon
2007-05-24, 22:32
Last question: can I just delete all the programs you advised me to use? With the backups etc? :D Anyway thanks for helping :)

Dutch Neon
2007-05-24, 22:34
Oh sorry, didn't read that sentence, but does this include back-up files? ( back-up folders etc )

Dutch Neon
2007-05-24, 23:13
Ok, sorry for this triple post :| But is Registry Mechanic a good program? I got the licensed version but I never knew if it is really that good for your pc :|

Mr_JAk3
2007-05-25, 22:00
Hello :)

Yes you can just delete the programs. Backups too...

I haven't used Registry Mechanic but it sounds like a good program.

:bigthumb:

tashi
2007-06-05, 02:36
Glad we could help, as the problem appears to be resolved this topic has been archived.

If you need it re-opened, please send me a private message (pm) and provide a link to the thread. Applies only to the original poster, anyone else with similar problems please start a new topic.