Solved Win32.Downloader.gen: [SBI $BCCEBCBD]

All processes killed
========== OTL ==========
Service HidServ stopped successfully!
Service HidServ deleted successfully!
File %SystemRoot%\System32\hidserv.dll not found.
Error: No service named Winsock - Google Desktop Search Backup Before Last Install was found to stop!
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winsock - Google Desktop Search Backup Before Last Install deleted successfully.
Error: No service named Winsock - Google Desktop Search Backup Before First Install was found to stop!
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winsock - Google Desktop Search Backup Before First Install deleted successfully.
Service WDICA stopped successfully!
Service WDICA deleted successfully!
Service PDRFRAME stopped successfully!
Service PDRFRAME deleted successfully!
Service PDRELI stopped successfully!
Service PDRELI deleted successfully!
Service PDFRAME stopped successfully!
Service PDFRAME deleted successfully!
Service PDCOMP stopped successfully!
Service PDCOMP deleted successfully!
Service PCIDump stopped successfully!
Service PCIDump deleted successfully!
Service lbrtfdc stopped successfully!
Service lbrtfdc deleted successfully!
Service i2omgmt stopped successfully!
Service i2omgmt deleted successfully!
Service Changer stopped successfully!
Service Changer deleted successfully!
Service catchme stopped successfully!
Service catchme deleted successfully!
File C:\DOCUME~1\LUKEFI~1\LOCALS~1\Temp\catchme.sys not found.
Error: Unable to stop service KLIF!
Unable to delete service\driver key KLIF.
File move failed. C:\WINDOWS\system32\drivers\klif.sys scheduled to be moved on reboot.
Error: Unable to stop service KL1!
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\KL1 deleted successfully.
File move failed. C:\WINDOWS\system32\drivers\kl1.sys scheduled to be moved on reboot.
Error: Unable to stop service kl2!
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kl2 deleted successfully.
C:\WINDOWS\system32\drivers\kl2.sys moved successfully.
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\URLSearchHooks\\{A3BC75A2-1F87-4686-AA43-5347D756017C} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A3BC75A2-1F87-4686-AA43-5347D756017C}\ not found.
Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\URLSearchHooks\\{A3BC75A2-1F87-4686-AA43-5347D756017C} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A3BC75A2-1F87-4686-AA43-5347D756017C}\ not found.
HKU\S-1-5-21-602162358-492894223-839522115-1012\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable|dword:0 /E : value set successfully!
Registry key HKEY_LOCAL_MACHINE\Software\MozillaPlugins\@Apple.com/iTunes,version=\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\MozillaPlugins\@divx.com/DivX Player Plugin,version=1.0.0\ deleted successfully.
Registry value HKEY_USERS\S-1-5-21-602162358-492894223-839522115-1012\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{21FA44EF-376D-4D53-9B0F-8A89D3229068} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{21FA44EF-376D-4D53-9B0F-8A89D3229068}\ not found.
Registry key HKEY_USERS\S-1-5-21-602162358-492894223-839522115-1012\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\localhost\ deleted successfully.
Registry value HKEY_USERS\S-1-5-21-602162358-492894223-839522115-1012\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\GD\\http deleted successfully.
C:\Documents and Settings\All Users\Application Data\VH56DJI7u87yo moved successfully.
C:\WINDOWS\system32\drivers\xhjdi.sys moved successfully.
C:\WINDOWS\system32\drivers\ofwoag.sys moved successfully.
C:\Documents and Settings\All Users\Application Data\Kaspersky SDK folder moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->FireFox cache emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: LocalService
->Temp folder emptied: 995072 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: Luke Fitton
->Temp folder emptied: 13110901 bytes
->Temporary Internet Files folder emptied: 5996106 bytes
->Java cache emptied: 43226 bytes
->FireFox cache emptied: 82584147 bytes
->Google Chrome cache emptied: 434321560 bytes
->Flash cache emptied: 149899 bytes

User: NetworkService
->Temp folder emptied: 1984464 bytes
->Temporary Internet Files folder emptied: 82054 bytes

User: test
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 294871 bytes
->Java cache emptied: 128094 bytes
->Google Chrome cache emptied: 77364019 bytes
->Flash cache emptied: 7822 bytes

User: UpdatusUser
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: VS removal & admin
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 34993943 bytes
->Google Chrome cache emptied: 2265715 bytes
->Flash cache emptied: 683 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 200704 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 146048 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 1195175 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 1042 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 626.00 mb


[EMPTYJAVA]

User: Administrator

User: All Users

User: Default User

User: LocalService

User: Luke Fitton
->Java cache emptied: 0 bytes

User: NetworkService

User: test
->Java cache emptied: 0 bytes

User: UpdatusUser

User: VS removal & admin
->Java cache emptied: 0 bytes

Total Java Files Cleaned = 0.00 mb


[EMPTYFLASH]

User: Administrator

User: All Users

User: Default User

User: LocalService

User: Luke Fitton
->Flash cache emptied: 0 bytes

User: NetworkService

User: test
->Flash cache emptied: 0 bytes

User: UpdatusUser

User: VS removal & admin
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.69.0 log created on 06022013_115709

Files\Folders moved on Reboot...
File move failed. C:\WINDOWS\system32\drivers\klif.sys scheduled to be moved on reboot.
File move failed. C:\WINDOWS\system32\drivers\kl1.sys scheduled to be moved on reboot.
C:\Documents and Settings\Luke Fitton\Local Settings\Temp\~DF862C.tmp moved successfully.
C:\Documents and Settings\Luke Fitton\Local Settings\Application Data\Mozilla\Firefox\Profiles\z65wym3e.default\startupCache\startupCache.4.little moved successfully.
C:\Documents and Settings\Luke Fitton\Local Settings\Application Data\Mozilla\Firefox\Profiles\z65wym3e.default\Cache\_CACHE_001_ moved successfully.
C:\Documents and Settings\Luke Fitton\Local Settings\Application Data\Mozilla\Firefox\Profiles\z65wym3e.default\Cache\_CACHE_002_ moved successfully.
C:\Documents and Settings\Luke Fitton\Local Settings\Application Data\Mozilla\Firefox\Profiles\z65wym3e.default\Cache\_CACHE_003_ moved successfully.
C:\Documents and Settings\Luke Fitton\Local Settings\Application Data\Mozilla\Firefox\Profiles\z65wym3e.default\Cache\_CACHE_MAP_ moved successfully.
C:\Documents and Settings\Luke Fitton\Local Settings\Application Data\Mozilla\Firefox\Profiles\z65wym3e.default\_CACHE_CLEAN_ moved successfully.
File\Folder C:\WINDOWS\temp\ZLT06182.TMP not found!

PendingFileRenameOperations files...

Registry entries deleted on Reboot...
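The OTL fix log above reports most items as done, a few as already missing, and two Kaspersky driver files (klif.sys, kl1.sys) as scheduled to be moved on reboot because their services could not be stopped. The parser below is an added editorial example, not part of the thread and not OTL's own code: it classifies fix-log lines into events and turns them into a post-reboot checklist, so the analyst knows which removals still have to be confirmed. The sample log embedded in it is constructed from the shape of the lines above, not a copy of the full log.

```python
import re

# Constructed sample in the shape of an OTL fix log (not a full copy of one).
SAMPLE_LOG = r"""
All processes killed
========== OTL ==========
Service HidServ stopped successfully!
Service HidServ deleted successfully!
File %SystemRoot%\System32\hidserv.dll not found.
Error: Unable to stop service KLIF!
Unable to delete service\driver key KLIF.
File move failed. C:\WINDOWS\system32\drivers\klif.sys scheduled to be moved on reboot.
Error: Unable to stop service KL1!
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\KL1 deleted successfully.
File move failed. C:\WINDOWS\system32\drivers\kl1.sys scheduled to be moved on reboot.
C:\WINDOWS\system32\drivers\kl2.sys moved successfully.
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\URLSearchHooks\\{A3BC75A2-1F87-4686-AA43-5347D756017C} deleted successfully.
"""

# (regex, kind, status); the first match wins, so the specific "move failed"
# line is listed before the generic "moved successfully" one.
LINE_RULES = [
    (re.compile(r"^Service (.+) (?:stopped|deleted) successfully!$"), "service", "ok"),
    (re.compile(r"^Error: Unable to stop service (.+)!$"), "service", "failed"),
    (re.compile(r"^Unable to delete service\\driver key (.+)\.$"), "service", "failed"),
    (re.compile(r"^File move failed\. (.+) scheduled to be moved on reboot\.$"), "file", "pending_reboot"),
    (re.compile(r"^File (.+) not found\.$"), "file", "not_found"),
    (re.compile(r"^(.+) moved successfully\.$"), "file", "ok"),
    (re.compile(r"^Registry (?:key|value) (.+) deleted successfully\.$"), "registry", "ok"),
    (re.compile(r"^Registry (?:key|value) (.+) not found\.$"), "registry", "not_found"),
]


def parse_otl_fix_log(text):
    """Turn every non-blank line into {'kind', 'target', 'status', 'line'}.

    Lines no rule understands are kept with status 'unparsed' rather than
    dropped, so nothing the tool reported silently disappears from triage.
    """
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        for rx, kind, status in LINE_RULES:
            m = rx.match(line)
            if m:
                events.append({"kind": kind, "target": m.group(1), "status": status, "line": line})
                break
        else:
            events.append({"kind": "other", "target": line, "status": "unparsed", "line": line})
    return events


def pending_after_reboot(events):
    """Paths OTL could not move while the system was up (locked or in use)."""
    return [e["target"] for e in events if e["status"] == "pending_reboot"]


def failed_services(events):
    """Unique service names that could not be stopped or unregistered, in log order."""
    seen, names = set(), []
    for e in events:
        if e["status"] == "failed" and e["target"] not in seen:
            seen.add(e["target"])
            names.append(e["target"])
    return names


def summary(events):
    """Count of events per status, e.g. {'ok': 5, 'failed': 3, ...}."""
    counts = {}
    for e in events:
        counts[e["status"]] = counts.get(e["status"], 0) + 1
    return counts


def post_reboot_checklist(events):
    """What to confirm once the machine is back up."""
    items = ["confirm gone: " + p for p in pending_after_reboot(events)]
    items += ["confirm service unregistered: " + s for s in failed_services(events)]
    return items


if __name__ == "__main__":
    evs = parse_otl_fix_log(SAMPLE_LOG)
    print(summary(evs))
    for item in post_reboot_checklist(evs):
        print(item)
```

A service that refuses to stop and a driver file that can only be moved on reboot are the items worth re-checking after the restart (the second OTL run later in this thread is where that confirmation would come from); everything reported "not found" was already gone when the fix ran.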
 
Results of screen317's Security Check version 0.99.64
Windows XP Service Pack 3 x86
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Disabled!
Please wait while WMIC compiles updated MOF files.
displayName
AVG AntiVirus Free Edition 2012
ZoneAlarm Extreme Security Antivirus
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
Spybot - Search & Destroy
Malwarebytes Anti-Malware version 1.75.0.1300
Java(TM) 6 Update 24
Java 7 Update 21
Adobe Flash Player 11.7.700.202
Adobe Reader XI
Mozilla Firefox (21.0)
Google Chrome 26.0.1410.64
Google Chrome 27.0.1453.94
````````Process Check: objlist.exe by Laurent````````
AVG avgwdsvc.exe
AVG avgtray.exe
AVG avgnsx.exe
CheckPoint ZoneAlarm vsmon.exe
CheckPoint ZoneAlarm zatray.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:: 8%
````````````````````End of Log``````````````````````
 
Farbar Service Scanner Version: 31-05-2013 01
Ran by Luke Fitton (administrator) on 02-06-2013 at 12:17:58
Running from "C:\Documents and Settings\Luke Fitton\Desktop"
Microsoft Windows XP Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============


Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Avgtdix(15) Gpc(3) IPSec(5) NetBT(6) PSched(7) Tcpip(4)
0x100000000C00000005000000010000000200000003000000040000005A00000008000000090000000A0000000B0000000D0000000E0000000F0000000600000007000000


**** End of log ****
 
Your computer is clean

1. We need to reset System Restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point using the following OTL script:

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following:

Code:
:OTL
:Commands
[purity]
[emptytemp]
[EMPTYFLASH]
[emptyjava]
[CLEARALLRESTOREPOINTS]
[Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Post resulting log.

2. Now we'll remove all the tools we used during our cleaning process.

Clean up with OTL:

  • Double-click OTL.exe to start the program.
  • Close all other programs apart from OTL as this step will require a reboot
  • On the OTL main screen, press the CLEANUP button
  • Say Yes to the prompt and then allow the program to reboot your computer.

If you still have any tools or logs left over on your computer, you can go ahead and delete them now.

3. Make sure Windows Updates are current.

4. If any trojans, rootkits or bootkits were listed among your infection(s), make sure you change all of your important online passwords (bank account(s), secured web sites, etc.) immediately!

5. Check if your browser plugins are up to date.
Firefox - https://www.mozilla.org/en-US/plugincheck/
other browsers: https://browsercheck.qualys.com/ (click on "Launch a quick scan now" link)

6. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

7. Run a Malwarebytes "Quick scan" once in a while to ensure the safety of your computer.

8. Run Temporary File Cleaner (TFC) weekly.

9. Download and install Secunia Personal Software Inspector (PSI): https://www.techspot.com/downloads/4898-secunia-personal-software-inspector-psi.html. The Secunia PSI is a FREE security tool designed to detect vulnerable and outdated programs and plug-ins which expose your PC to attacks. Run it weekly.

10. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

11. (Windows XP only) Run defrag at your convenience.

12. When installing or updating ANY program, make sure you always select the "Custom" installation, so you can UN-check any possible "drive-by install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click the "Next" button without looking at each page.

13. Read:
How did I get infected? With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html
Simple and easy ways to keep your computer safe and secure on the Internet: http://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/

14. Please let me know how your computer is doing.
 
OK, let me run the original scans to make sure (I know, I get paranoid about these things; plus I know Spybot and ZoneAlarm detected it but Malwarebytes didn't). Once all clear I'll do all that stuff... this is going to be a long day.
 
OK, Spybot found something: not an exe file or a folder like before, but a registry key.

Win32.Downloader.gen: [SBI $37CF691B] Autorun settings (SearchProtect) (Registry value, fixed)
HKEY_USERS\S-1-5-21-602162358-492894223-839522115-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchProtect
This leads to running an exe file:
c:\documents and settings\VS removal and admin\Application Data\SearchProtect\bin\cltmng.exe

This file and folder, from

C:\Documents and Settings\VS removal & admin\Application Data

onwards, do not exist on my system.

This leads me to believe that...

a. this is residual code overlooked by the scans

b. a last-ditch effort to re-infect me the next time I load that profile (I haven't done so since the first report).

I'll restart once the other scans are done and re-run the scans; if nothing's found I'll perform all the actions in your last post.
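The finding in the post above is a Run value whose target executable is no longer on disk: a persistence entry that has outlived its payload. Whether it is a leftover or a launcher waiting for the payload to be dropped again, it should go, and it is worth looking for more of the same. The script below is an added example, not from the thread and not Spybot's or OTL's code: it enumerates Run/RunOnce values under HKLM and every loaded HKU hive and flags entries whose program cannot be found. The command-line parsing (quoted path, unquoted path with spaces, bare program name resolved on PATH) is kept separate from the registry access so it can be exercised off a Windows box. The two sample entries in it are constructed; the key, value name and paths are assumptions modelled on the post, and the `Wow6432Node` remark applies only to 64-bit systems, not to the XP x86 machine here.

```python
import ntpath
import os
import shutil

# Locations checked; the relative paths are opened under HKLM and under every
# loaded HKU\<SID> hive.  (Wow6432Node variants would be needed on 64-bit.)
RUN_KEYS = [
    r"Software\Microsoft\Windows\CurrentVersion\Run",
    r"Software\Microsoft\Windows\CurrentVersion\RunOnce",
]
EXE_EXTS = (".exe", ".com", ".scr", ".bat", ".cmd", ".pif")


def extract_executable(command, exists=os.path.exists, expand=ntpath.expandvars):
    """Return the program path an autorun command line would launch.

    A quoted path is taken verbatim.  For an unquoted path with spaces the
    loader tries each space-delimited prefix in turn, so this does the same
    and takes the first that exists; if none does, it takes the shortest
    prefix ending in an executable extension, else the first token.
    `exists` and `expand` are injectable so the logic can be tested anywhere.
    """
    cmd = expand(command.strip())
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    tokens = cmd.split(" ")
    prefixes = [" ".join(tokens[:i]) for i in range(1, len(tokens) + 1)]
    for candidate in prefixes:
        if exists(candidate):
            return candidate
    for candidate in prefixes:
        if candidate.lower().endswith(EXE_EXTS):
            return candidate
    return tokens[0]


def is_orphan(path, exists=os.path.exists, which=shutil.which):
    """True when the program is missing on disk (or, for a bare name, on PATH)."""
    if ntpath.dirname(path):
        return not exists(path)
    return which(path) is None


def autorun_entries():
    """Yield (key, value_name, command) for each Run/RunOnce value under HKLM
    and every currently loaded HKU hive.  Windows only (uses winreg)."""
    import winreg
    roots = [("HKLM", winreg.HKEY_LOCAL_MACHINE, "")]
    for i in range(winreg.QueryInfoKey(winreg.HKEY_USERS)[0]):
        sid = winreg.EnumKey(winreg.HKEY_USERS, i)
        roots.append(("HKU\\" + sid, winreg.HKEY_USERS, sid + "\\"))
    for label, root, prefix in roots:
        for sub in RUN_KEYS:
            try:
                key = winreg.OpenKey(root, prefix + sub)
            except OSError:
                continue  # hive has no such key (e.g. the *_Classes hives)
            with key:
                for j in range(winreg.QueryInfoKey(key)[1]):
                    name, data, _ = winreg.EnumValue(key, j)
                    yield (label + "\\" + sub, name, str(data))


def find_orphaned_autoruns(entries=None, exists=os.path.exists, which=shutil.which):
    """Rows (key, value_name, command, program) whose program is missing."""
    if entries is None:
        entries = autorun_entries()
    rows = []
    for key, name, command in entries:
        program = extract_executable(command, exists=exists)
        if is_orphan(program, exists=exists, which=which):
            rows.append((key, name, command, program))
    return rows


# Constructed sample entries modelled on the post above (hypothetical data).
SAMPLE_ENTRIES = [
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "AVG_TRAY",
     r'"C:\Program Files\AVG\AVG2012\avgtray.exe"'),
    (r"HKU\S-1-5-21-602162358-492894223-839522115-1007\Software\Microsoft\Windows\CurrentVersion\Run",
     "SearchProtect",
     r"C:\Documents and Settings\VS removal and admin\Application Data\SearchProtect\bin\cltmng.exe"),
]

if __name__ == "__main__":
    for key, name, command, program in find_orphaned_autoruns():
        print("%s\\%s -> %s (missing: %s)" % (key, name, command, program))
```

Run it on the machine itself, so that `%SystemRoot%`-style variables expand to the real values. HKU only holds the hives of profiles that are currently loaded, which is exactly the gap the post describes (a profile nobody has logged into since the first report): to cover such a profile, load its NTUSER.DAT first with `reg load HKU\tmp "C:\Documents and Settings\<profile>\NTUSER.DAT"`, run the check, then `reg unload HKU\tmp`.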
 
After the reset Spybot stated I was clean. The scans take about 6 hours; I'll have to do the other steps in your previous post tomorrow.
 
OK, Malwarebytes and ZoneAlarm state I'm clean. I'll start the steps you put down tomorrow morning.
 
Sorry about this, but I'll have to run OTL tomorrow. I just spent the last 16 hours waiting for the power to come back on, since the heat caused a failure in the local power terminal. We're now currently working on a generator on the back of a lorry while a new one is being installed. (Think a shipping container on the back of the truck, but the container is the temporary generator; the thing's huge.)
 
All processes killed
========== OTL ==========
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->FireFox cache emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 1982736 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Luke Fitton
->Temp folder emptied: 5324213 bytes
->Temporary Internet Files folder emptied: 609813 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 169868101 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 51880 bytes

User: NetworkService
->Temp folder emptied: 2974976 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: test
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: UpdatusUser
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: VS removal & admin
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 1195413 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 174.00 mb


[EMPTYFLASH]

User: Administrator

User: All Users

User: Default User

User: LocalService

User: Luke Fitton
->Flash cache emptied: 0 bytes

User: NetworkService

User: test
->Flash cache emptied: 0 bytes

User: UpdatusUser

User: VS removal & admin
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb


[EMPTYJAVA]

User: Administrator

User: All Users

User: Default User

User: LocalService

User: Luke Fitton
->Java cache emptied: 0 bytes

User: NetworkService

User: test
->Java cache emptied: 0 bytes

User: UpdatusUser

User: VS removal & admin
->Java cache emptied: 0 bytes

Total Java Files Cleaned = 0.00 mb

Error creating restore point.

OTL by OldTimer - Version 3.2.69.0 log created on 06052013_192044

Files\Folders moved on Reboot...
C:\Documents and Settings\Luke Fitton\Local Settings\Temp\~DF66B5.tmp moved successfully.
C:\Documents and Settings\Luke Fitton\Local Settings\Application Data\Mozilla\Firefox\Profiles\z65wym3e.default\startupCache\startupCache.4.little moved successfully.
C:\Documents and Settings\Luke Fitton\Local Settings\Application Data\Mozilla\Firefox\Profiles\z65wym3e.default\Cache\_CACHE_001_ moved successfully.
C:\Documents and Settings\Luke Fitton\Local Settings\Application Data\Mozilla\Firefox\Profiles\z65wym3e.default\Cache\_CACHE_002_ moved successfully.
C:\Documents and Settings\Luke Fitton\Local Settings\Application Data\Mozilla\Firefox\Profiles\z65wym3e.default\Cache\_CACHE_003_ moved successfully.
C:\Documents and Settings\Luke Fitton\Local Settings\Application Data\Mozilla\Firefox\Profiles\z65wym3e.default\Cache\_CACHE_MAP_ moved successfully.
C:\Documents and Settings\Luke Fitton\Local Settings\Application Data\Mozilla\Firefox\Profiles\z65wym3e.default\_CACHE_CLEAN_ moved successfully.
File\Folder C:\WINDOWS\temp\ZLT0235a.TMP not found!

PendingFileRenameOperations files...

Registry entries deleted on Reboot...
 
OK I'm at '4. If any trojans, rootkits or bootkits were listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately!'

The PC we're using isn't my main one. Other than my YouTube account (of which I have witnessed no oddities or unnatural behaviours that would flag the account as being hacked), I don't use this PC for any major banking purchases or any important transactions or important online gaming (while Steam used to be on this PC, I no longer have my Steam account on this PC, and neither I nor my girlfriend have noticed any odd behaviour on or by the account).

What kind of infection was on this PC and do I simply skip stage 4?
 
It wasn't anything serious. Mostly adware and garbage.
Your passwords should be OK.

Good luck and stay safe :)
 
OK, done and done. Thanks for your help; it should be fine now, since this is only the movie PC and neither mine nor my GF's main PC.
 