Win32/spy.goldun Bf Nuclabdll.dll


  • Please log in to reply
4 replies to this topic

#1 joop111


Posted 25 December 2005 - 06:58 AM

my computer is infected by the following:


Name: nuclabdll
Filename: nuclabdll.dll
Command: C:\WINDOWS\SYSTEM32\nuclabdll.dll
Description: Identified as Trojan.PWS.Egold.

can anyone tell me how to fix this problem?

this is my hijack-log:

Logfile of HijackThis v1.99.1
Scan saved at 13:06:55, on 25-12-2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
E:\Progr\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
E:\Progr\Eset\nod32kui.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
e:\Progr\Eset\nod32krn.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\UAService7.exe
E:\progr\Anti-Blaxx\Anti-Blaxx.exe
E:\progr\firefox\firefox.exe
C:\WINDOWS\regedit.exe
D:\Joop\downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startpagina.nl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Progr\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SmcService] E:\Progr\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [nod32kui] "e:\Progr\Eset\nod32kui.exe" /WAITSERVICE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\progr\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O20 - Winlogon Notify: nuclabdll - C:\WINDOWS\SYSTEM32\nuclabdll.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - e:\Progr\Eset\nod32krn.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - E:\Progr\Sygate\SPF\smc.exe
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\System32\UAService7.exe


Joop111
Netherlands

Edited by joop111, 25 December 2005 - 07:09 AM.


#2 MFDnSC

Posted 25 December 2005 - 01:37 PM

Download the trial version of Ewido Security Suite http://www.ewido.net/en/download/ (W2K/XP Only)
Install ewido.
During the installation, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
Launch ewido
It will prompt you to update; click the OK button and it will go to the main screen.
On the left side of the main screen click Update.
Click on Start and let it update.
DO NOT run a scan yet. You will do that later in safe mode.

Restart your computer into safe mode now. Perform the following steps in safe mode:
(Start tapping F8 at the first black screen after power up)

Run Ewido:
Click on scanner
Click Complete System Scan and the scan will begin.
During the scan it will prompt you to clean files; click OK.
When the scan is finished, look at the bottom of the screen and click the Save report button.
Save the report to your C: Drive
This will take some time to run!
Boot to normal mode
Post that log and a new HiJack log
"Nothing could be finer than to be in South Carolina ............"

Member ASAP

#3 joop111


Posted 25 December 2005 - 06:59 PM

Here are my Ewido log and new HijackThis log.

Ewido:

---------------------------------------------------------
ewido anti-malware - Scan rapport
---------------------------------------------------------

+ Gemaakt op: 0:53:14, 26-12-2005
+ Rapport samenvatting: B2B0145F

+ Scan resultaten:

HKLM\SOFTWARE\Classes\YSBactivex.Installer -> Spyware.YourSiteBar : Schoongemaakt met een backup
HKLM\SOFTWARE\Classes\YSBactivex.Installer\CLSID -> Spyware.YourSiteBar : Schoongemaakt met een backup
[312] C:\WINDOWS\system32\nuclabdll.dll -> Logger.Goldun.ft : Schoongemaakt met een backup
C:\!KillBox\nuclabdll.dll -> Logger.Goldun.ft : Schoongemaakt met een backup
:mozilla.25:C:\Documents and Settings\Joop\Application Data\Mozilla\Firefox\Profiles\p6unvlqb.default\cookies.txt -> Spyware.Cookie.Overture : Schoongemaakt met een backup
:mozilla.26:C:\Documents and Settings\Joop\Application Data\Mozilla\Firefox\Profiles\p6unvlqb.default\cookies.txt -> Spyware.Cookie.Overture : Schoongemaakt met een backup
:mozilla.27:C:\Documents and Settings\Joop\Application Data\Mozilla\Firefox\Profiles\p6unvlqb.default\cookies.txt -> Spyware.Cookie.Doubleclick : Schoongemaakt met een backup
:mozilla.29:C:\Documents and Settings\Joop\Application Data\Mozilla\Firefox\Profiles\p6unvlqb.default\cookies.txt -> Spyware.Cookie.Bluestreak : Schoongemaakt met een backup
:mozilla.37:C:\Documents and Settings\Joop\Application Data\Mozilla\Firefox\Profiles\p6unvlqb.default\cookies.txt -> Spyware.Cookie.Atdmt : Schoongemaakt met een backup
:mozilla.39:C:\Documents and Settings\Joop\Application Data\Mozilla\Firefox\Profiles\p6unvlqb.default\cookies.txt -> Spyware.Cookie.Sitestat : Schoongemaakt met een backup
:mozilla.42:C:\Documents and Settings\Joop\Application Data\Mozilla\Firefox\Profiles\p6unvlqb.default\cookies.txt -> Spyware.Cookie.Falkag : Schoongemaakt met een backup
:mozilla.43:C:\Documents and Settings\Joop\Application Data\Mozilla\Firefox\Profiles\p6unvlqb.default\cookies.txt -> Spyware.Cookie.Falkag : Schoongemaakt met een backup
:mozilla.44:C:\Documents and Settings\Joop\Application Data\Mozilla\Firefox\Profiles\p6unvlqb.default\cookies.txt -> Spyware.Cookie.Falkag : Schoongemaakt met een backup
C:\Documents and Settings\Joop\Local Settings\Temp\temp.frCD09\heur002.dll -> Adware.SpySheriff : Schoongemaakt met een backup
C:\Documents and Settings\Joop\Local Settings\Temp\temp.frE118\heur002.dll -> Adware.SpySheriff : Schoongemaakt met een backup
C:\WINDOWS\system32\nuclabdll.dll -> Logger.Goldun.ft : Schoongemaakt met een backup


::Einde rapport

Hijack:

Logfile of HijackThis v1.99.1
Scan saved at 0:58:48, on 26-12-2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
E:\Progr\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
E:\Progr\Eset\nod32kui.exe
E:\progr\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
e:\Progr\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
e:\Progr\Eset\nod32krn.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\UAService7.exe
E:\progr\firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
D:\Joop\downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startpagina.nl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Progr\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SmcService] E:\Progr\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [nod32kui] "e:\Progr\Eset\nod32kui.exe" /WAITSERVICE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\progr\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O20 - Winlogon Notify: nuclabdll - nuclabdll.dll (file missing)
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - e:\Progr\ewido anti-malware\ewidoctrl.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - e:\Progr\Eset\nod32krn.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - E:\Progr\Sygate\SPF\smc.exe
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\System32\UAService7.exe

Joop111

#4 MFDnSC


Posted 26 December 2005 - 11:41 AM

Fix this with HJT: mark it, close IE, click Fix checked.

O20 - Winlogon Notify: nuclabdll - nuclabdll.dll (file missing)

Delete this folder C:\!KillBox

How are things?
"Nothing could be finer than to be in South Carolina ............"

Member ASAP
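A defender's check for the persistence point behind the O20 line above, added here as an example and not part of the thread or of HijackThis: it enumerates the Winlogon Notify subkeys that HijackThis reports as O20 entries and flags any package whose DLL is missing (an orphaned entry like the one fixed above), whose signature does not verify, or whose name is not in the Windows XP default set. The XP baseline list, the signature check and the administrator context are assumptions; on Windows Vista and later the Notify key is normally absent and the script reports nothing.

```powershell
# Added example (not from the thread): audit Winlogon Notify packages,
# the persistence point HijackThis lists as O20 entries.
# Assumes an elevated session on a host where the legacy Notify key exists
# (Windows XP / Server 2003); later Windows versions normally lack the key.
$notifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
$system32  = Join-Path $env:SystemRoot 'System32'

# Assumed baseline of Notify subkeys shipped with Windows XP; a name outside
# this set (like 'nuclabdll' in the thread's log) deserves a closer look.
$xpBaseline = @('crypt32chain', 'cryptnet', 'cscdll', 'ScCertProp',
                'Schedule', 'sclgntfy', 'SensLogn', 'termsrv', 'wlballoon')

function Get-WinlogonNotifyAudit {
    if (-not (Test-Path $notifyKey)) {
        Write-Warning "Notify key not present: $notifyKey"
        return
    }
    foreach ($sub in Get-ChildItem $notifyKey) {
        $name     = $sub.PSChildName
        $dll      = (Get-ItemProperty -Path $sub.PSPath).DllName
        $path     = $null
        $findings = @()
        if ($xpBaseline -notcontains $name) { $findings += 'not in XP baseline' }
        if (-not $dll) {
            $findings += 'no DllName value'
        } else {
            # A bare file name (as with nuclabdll.dll) is loaded from System32.
            $path = [Environment]::ExpandEnvironmentVariables($dll)
            if (-not [IO.Path]::IsPathRooted($path)) { $path = Join-Path $system32 $path }
            if (-not (Test-Path $path)) {
                # Same condition HijackThis shows as "(file missing)": an orphaned
                # entry whose DLL is already gone; the key itself still needs removal.
                $findings += 'file missing (orphaned entry)'
            } else {
                # Catalog-signed OS files can report NotSigned on old PowerShell
                # builds, so treat the status as a triage hint, not proof of malice.
                $sig = Get-AuthenticodeSignature -FilePath $path
                if ($sig.Status -ne 'Valid') { $findings += "signature: $($sig.Status)" }
            }
        }
        [PSCustomObject]@{
            Package  = $name
            DllName  = $dll
            Path     = $path
            Findings = if ($findings) { $findings -join '; ' } else { 'ok' }
        }
    }
}

Get-WinlogonNotifyAudit | Format-Table -AutoSize
```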

#5 joop111


Posted 27 December 2005 - 04:20 AM

I did not do that yet but it seems that the problem is solved. The problem was that I could not reach some sites using IE (www.realshare.biz, www.oeshare.biz, www.shareplaza.biz). With Firefox I had no problems. But after removing nuclabdll.dll using Ewido I can open these sites with IE again. I want to thank you for your help.

Joop111
