
Win32/ELEX.D + Win32/Adware.MultiPlug.H app + homepage hijacked portaldosites.co


  • This topic is locked
10 replies to this topic

#1 gamla7


Posted 12 June 2013 - 05:57 PM

Definition of the PC problem =
Due to a recent confrontation with a bunch/bundle of software problems on my old Thinkpad T42 (my only work-mule).
I run/test plenty of graphics programs with many installs and uninstalls (Revo Uninstaller is my trusted tool - a free tool from a respected professional enterprise) + multiple downloads of files. Normal AVG gives me a warning, which I follow closely.  I have no clue where the problem is coming from.  I have some experience with application programs but I am zero into PC architecture and additional installation and security software.  I intend to make a real plan for future use of the internet.  For the moment I tremble and shake when connecting to the internet (maybe I should have been wiser earlier on).

 

Only 1 thing flashed through my mind = get help with Bleeping Computer !!!
And found ... /forums/t/494903/portaldositescom/?hl=%2Bportaldosites#entry3056818 ...
(which allowed me to do some detection scans - using the software step by step as announced in the referred thread - otherwise no changes were made except the auto MBAM quarantine of 2 threats)
The only things I see/notice after observation and some observation runs are =

 

A/ -  the hacked internet homepage (see further) in 2 browsers Firefox (regular browser) and IExplorer (seldom use). Each restart of the browser opens up an uninvited window =
http://www.portaldosites.com/?utm_source=b&utm_medium=meg&from=meg&uid=FUJITSUXMHT2040AH_NP0JT4A2C6BNT4A2C6BNX&ts=1370754620

 

B/ - 2 threats grabbed by MBAM (copied out of log)
...
Registry Keys Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{FD6D90C0-E6EE-4BC6-B9F7-9ED319698007} (Adware.Agent) -> Quarantined and deleted successfully.
...
Files Detected: 1
C:\Documents and Settings\All Users\Application Data\InstallMate\{12CE15DA-FD33-43D4-A13F-B511C92D372C}\Custom.dll (Trojan.MSIL.Injector) -> Quarantined and deleted successfully
...

C/ - 3 threats reported by ESET online scan =

C:\Documents and Settings\JP\Application Data\eIntaller\BAC768B110E043ea8E94666CCFF0BF16\eXQ.exe a variant of Win32/ELEX.D application
C:\Documents and Settings\JP\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\fpahbkdpphenmhgdbmdeppgfgfkahgpm\1\51ab71fc24e8a6.09572711.js Win32/Adware.MultiPlug.H application
C:\Documents and Settings\JP\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\mfkgljgiecmpcnoehmddfllepgfbnfin\1\51ab71f317b758.08156011.js Win32/Adware.MultiPlug.H application

 

D/ I noticed changes were made in my system settings = normally the Windows firewall is always active (I had no reason to de-activate it) = no access to restore points = no access to add/remove programs in the WinXP system = I also notice that the PC has suddenly become very slow, like it's moving in jelly (weird).

 

E/ screen317's Security Check showed me almost all was de-activated except avgwdsvc.exe - AVG avgrsx.exe
AVG avgnsx.exe - AVG avgemc.exe

 

F/ the logs of the different programs I run are multilanguage - maybe because my PC is working with programs in different languages.

 

In correct order I can post all the LOGS or text from the programs as mentioned in .../forums/t/494903/portaldositescom/?hl=%2Bportaldosites#entry3056818 .... but the 1st post of this forum told me not to do it in here !!!! 

The entire post can be posted into the correct place after simple indication/request - at your service to cooperate - If I do not react quick enough please pardon me.

 

Friendly regards by Gamla.


============================================================================================================

Addicted to my portable T42 [xp] and a Desk PC with mobo Asus P5WD2 E PREMIUM [vista] - both operational in older OS but want to add both onto Linux.  All my application software works perfect in the XP environment. 



#2 67Nero


Posted 12 June 2013 - 06:12 PM

Please post the MBAM and ESET logs. Do not attach them or put them in quote or code tags; simply copy and paste them here normally. After you have done this, more trained and knowledgeable users can analyze the logs and ask you to scan with some other tools.

trace.



#3 boopme

  • Global Moderator

Posted 12 June 2013 - 06:33 PM

Hello. What I need to know is what the tools did with these: delete, quarantine, cure or nothing.
Win32/ELEX.D is a browser and homepage hijacker.

The Injector found is very dangerous.
A keylogger program that can capture all user keystrokes (including confidential details such as username, password, credit card number, etc.)
This is a Backdoor infection.
 
A note about this.
 
 
One or more of the identified infections is a backdoor trojan. This allows hackers to remotely control your computer, steal critical system information and download and execute files. I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation. Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information: How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud? and When Should I Format, How Should I Reinstall. We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.
How do I get help? Who is helping me?
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook

#4 gamla7

  • Topic Starter

Posted 14 June 2013 - 06:10 AM

Reply to post #2 - 3 parts = A- MBAM log - B- short ESET log (ESET interrupted, reason = ?) - C- additional reports (2) after a run of Malwarebytes Anti-Rootkit

 

A= MBAM log

 

mbam-log-2013-06-11 (17-18-42).txt

Malwarebytes Anti-Malware (Trial) 1.75.0.1300
www.malwarebytes.org

Database version: v2013.06.11.05

Windows XP Service Pack 3 x86 FAT32
Internet Explorer 7.0.5730.13
JP :: T42 [administrator]

Protection: Enabled

11-6-2013 17:18:42
mbam-log-2013-06-11 (17-18-42).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 247826
Time elapsed: 14 minute(s), 20 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{FD6D90C0-E6EE-4BC6-B9F7-9ED319698007} (Adware.Agent) -> Quarantined and deleted successfully.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Documents and Settings\All Users\Application Data\InstallMate\{12CE15DA-FD33-43D4-A13F-B511C92D372C}\Custom.dll (Trojan.MSIL.Injector) -> Quarantined and deleted successfully.

(end)

 

B= ESET log = incomplete short notice (threat) received

 

ESET THREADS.TXT

C:\Documents and Settings\JP\Application Data\eIntaller\BAC768B110E043ea8E94666CCFF0BF16\eXQ.exe a variant of Win32/ELEX.D application
C:\Documents and Settings\JP\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\fpahbkdpphenmhgdbmdeppgfgfkahgpm\1\51ab71fc24e8a6.09572711.js Win32/Adware.MultiPlug.H application
C:\Documents and Settings\JP\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\mfkgljgiecmpcnoehmddfllepgfbnfin\1\51ab71f317b758.08156011.js Win32/Adware.MultiPlug.H application

 

C- additional reports (2) after run of Malwarebytes Anti-Rootkit

 

LOGS
1st = mbar-log-xxxxx.txt

Malwarebytes Anti-Rootkit BETA 1.06.0.1003
www.malwarebytes.org

Database version: v2013.06.11.05

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 7.0.5730.13
JP :: T42 [administrator]

11-6-2013 18:58:31
mbar-log-2013-06-11 (18-58-31).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUM | P2P
Scan options disabled: Deep Anti-Rootkit Scan | PUP
Objects scanned: 250263
Time elapsed: 27 minute(s), 13 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

Physical Sectors Detected: 0
(No malicious items detected)

(end)

 

2nd = system-log.txt

---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.06.0.1003

© Malwarebytes Corporation 2011-2012

OS version: 5.1.2600 Windows XP Service Pack 3 x86

Account is Administrative

Internet Explorer version: 7.0.5730.13

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, E:\ DRIVE_FIXED
CPU speed: 1.694000 GHz
Memory total: 2146287616, free: 1302290432

Downloaded database version: v2013.06.11.05
Downloaded database version: v2013.05.22.01
Initializing...

 

END

 

by Gamla.




#5 gamla7

  • Topic Starter

Posted 14 June 2013 - 06:22 AM

Reply to post #3 - wow, what I was afraid of is reality !! No panic = the situation is very serious but let us give it a try.

 

1/ answer = "What I need to know is what the tools did with these: delete, quarantine, cure or nothing." = reply: NOTHING

2/ "Let me know what you decide to do" = ok, I have full trust in you = if we work together step by step we will come far, but as I read, never to a fully 100% safe situation - but first I would like us to undertake all the steps we can take and after that we can check the situation - I also take into consideration that I have to reinstall this PC completely asap - ok, situation accepted - what about your personal view?

 

3/ I have no possibility to change to a new indoor PC - not even in the longer term.

 

Thanks - Gamla




#6 gamla7

  • Topic Starter

Posted 14 June 2013 - 10:58 AM

post #6 new situation Friday 2013 June 14 - 17:40

 

Decided to run ESET after the previous facts = A- the 1st run did not complete but gave a report - B- the question was asked: did ESET take actions?

Started the ESET run and it finished perfectly - new report =

 

C:\Documents and Settings\JP\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\fpahbkdpphenmhgdbmdeppgfgfkahgpm\1\51ab71fc24e8a6.09572711.js Win32/Adware.MultiPlug.H application cleaned by deleting - quarantined

C:\Documents and Settings\JP\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\mfkgljgiecmpcnoehmddfllepgfbnfin\1\51ab71f317b758.08156011.js
Win32/Adware.MultiPlug.H application cleaned by deleting - quarantined

E:\JP_BESTANDEN\PDF FILES\DOWNLOADS\videoinspector.exe multiple threats cleaned by deleting - quarantined

E:\JP_BESTANDEN\SOFTWARE\BEARSHARE\BSINSTALL.exe Win32/Adware.180Solutions application cleaned by deleting - quarantined

 

Conclusion and new facts = from the 1st report only the file eXQ.exe, a variant of Win32/ELEX.D application (in a folder called eIntaller), is still present on the PC (but not reported in the 2nd ESET report) - the two other files were detected in the 2nd report and now cleaned by deleting - quarantined. Simultaneously 2 other *.exe files were cleaned by deleting - quarantined.

 

Still focus upon the eXQ.exe file - I await further instruction and do not touch my PC before receiving advice by moderator.

Sorry for this previous impulse, totally my mistake.

 

Gamla


Edited by gamla7, 14 June 2013 - 11:00 AM.

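The moderator's question in post #3 (what each tool actually did with its detections) is answered line by line by the MBAM and ESET reports in posts #4 and #6. The script below is an added example, not code from this thread or from Malwarebytes or ESET: it parses both report formats into one list, flags any detection with no recorded action (the eXQ.exe case) and pulls the Chrome extension IDs out of the MultiPlug paths. The sample lines are constructed from the reports above, and the two regexes are my own assumptions about those line formats.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input, shaped like the MBAM and ESET report lines posted in this
# thread. Raw strings keep the Windows backslashes literal.
MBAM_LOG = r"""
Registry Keys Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{FD6D90C0-E6EE-4BC6-B9F7-9ED319698007} (Adware.Agent) -> Quarantined and deleted successfully.

Files Detected: 1
C:\Documents and Settings\All Users\Application Data\InstallMate\{12CE15DA-FD33-43D4-A13F-B511C92D372C}\Custom.dll (Trojan.MSIL.Injector) -> Quarantined and deleted successfully
"""

ESET_LOG = r"""
C:\Documents and Settings\JP\Application Data\eIntaller\BAC768B110E043ea8E94666CCFF0BF16\eXQ.exe a variant of Win32/ELEX.D application
C:\Documents and Settings\JP\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\fpahbkdpphenmhgdbmdeppgfgfkahgpm\1\51ab71fc24e8a6.09572711.js Win32/Adware.MultiPlug.H application cleaned by deleting - quarantined
E:\JP_BESTANDEN\PDF FILES\DOWNLOADS\videoinspector.exe multiple threats cleaned by deleting - quarantined
E:\JP_BESTANDEN\SOFTWARE\BEARSHARE\BSINSTALL.exe Win32/Adware.180Solutions application cleaned by deleting - quarantined
"""

# MBAM detection line: "<object> (<threat name>) -> <action taken>."   (assumed format)
MBAM_RE = re.compile(r"^(?P<path>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")
# ESET line: "<path> <threat> application [<action>]". A missing action means ESET only
# reported the object, which is exactly what the moderator asked about.  (assumed format)
ESET_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?\.[A-Za-z0-9]+)\s+"
    r"(?P<threat>(?:a variant of\s+)?\S+\s+application|multiple threats)"
    r"(?:\s+(?P<action>.+))?$"
)
# Chrome stores each extension under Extensions\<32-letter id using a-p>\<version>\
CHROME_EXT_RE = re.compile(r"\\Extensions\\([a-p]{32})\\")


@dataclass
class Detection:
    tool: str
    path: str
    threat: str
    action: Optional[str]

    @property
    def kind(self) -> str:
        return "registry" if self.path.upper().startswith("HK") else "file"

    @property
    def handled(self) -> bool:
        """True only when the log records the scanner deleting or quarantining it."""
        if self.action is None:
            return False
        low = self.action.lower()
        return any(w in low for w in ("quarantin", "deleted", "cleaned"))


def _parse(tool: str, pattern: "re.Pattern[str]", text: str) -> List[Detection]:
    found = []
    for line in text.splitlines():
        m = pattern.match(line.strip())
        if m:
            found.append(Detection(tool, m["path"], m["threat"], m["action"]))
    return found


def parse_mbam(text: str) -> List[Detection]:
    return _parse("MBAM", MBAM_RE, text)


def parse_eset(text: str) -> List[Detection]:
    return _parse("ESET", ESET_RE, text)


def chrome_extension_id(path: str) -> Optional[str]:
    m = CHROME_EXT_RE.search(path)
    return m.group(1) if m else None


def summarize(detections: List[Detection]) -> Dict[str, object]:
    """Split detections into handled vs. still-unhandled and list Chrome extension ids."""
    unhandled = [d for d in detections if not d.handled]
    ext_ids = {chrome_extension_id(d.path) for d in detections}
    ext_ids.discard(None)
    return {
        "total": len(detections),
        "handled": len(detections) - len(unhandled),
        "unhandled": [d.path for d in unhandled],
        "chrome_extensions": sorted(ext_ids),
    }


if __name__ == "__main__":
    detections = parse_mbam(MBAM_LOG) + parse_eset(ESET_LOG)
    for d in detections:
        status = "handled" if d.handled else "NO ACTION RECORDED"
        print(f"[{d.tool}] {d.kind}: {d.threat} -> {status}\n    {d.path}")
    print(summarize(detections))
```

Run over the constructed lines, the only unhandled entry is the eXQ.exe path, which matches what post #6 concludes by hand.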


#7 boopme

  • Global Moderator

Posted 14 June 2013 - 02:17 PM

Ok, this " eXQ.exe" is not a good file.
 
Let's try one more tool here.
 
Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation. For instructions with screenshots, please refer to the How to use SUPERAntiSpyware to scan and remove malware from your computer Guide.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If it will not start, go to Start > All Programs > SUPERAntiSpyware and click on Alternate Start.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all other options as they are set):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the Control Center screen.
  • Back on the main screen, under "Select Scan Type" check the box for Complete Scan.
  • If your computer is badly infected, be sure to check the box next to Enable Rescue Scan (Highly Infected Systems ONLY).
  • Click the Scan your computer... button.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
To retrieve the scan log after reboot, launch SUPERAntiSpyware again.
  • Click the View Scan Logs button at the bottom.
  • This will open the Scanner Logs Window.
  • Click on the log to highlight it and then click on View Selected Log to open it.
  • Copy and paste the scan log results in your next reply.
-- Some types of malware will disable security tools. If SUPERAntiSpyware will not install, please refer to these instructions for using the SUPERAntiSpyware Installer. If SUPERAntiSpyware is already installed but will not run, then follow the instructions for using RUNSAS.EXE to launch the program.

#8 gamla7

  • Topic Starter

Posted 15 June 2013 - 09:36 AM

Hello Dear people, again here are some LOGS to read :

 

LOG 01 SAS

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/15/2013 at 05:03 AM

Application Version : 5.6.1020

Core Rules Database Version : 10535
Trace Rules Database Version: 8347

Scan type       : Quick Scan
Total Scan Time : 00:05:55

Operating System Information
Windows XP Professional 32-bit, Service Pack 3 (Build 5.01.2600)
Administrator

Memory items scanned      : 504
Memory threats detected   : 0
Registry items scanned    : 32602
Registry threats detected : 0
File items scanned        : 7163
File threats detected     : 96

Adware.Tracking Cookie

LOG 02 SAS

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/15/2013 at 06:06 AM

Application Version : 5.6.1020

Core Rules Database Version : 10535
Trace Rules Database Version: 8347

Scan type       : Complete Scan
Total Scan Time : 01:01:32

Operating System Information
Windows XP Professional 32-bit, Service Pack 3 (Build 5.01.2600)
Administrator

Memory items scanned      : 511
Memory threats detected   : 0
Registry items scanned    : 39356
Registry threats detected : 0
File items scanned        : 41722
File threats detected     : 5

Trojan.Agent/Gen-Cryptor[Egun]
F:\C BACKUP DEFRAG\MIJN DOCUMENTEN\DOWNLOADS\HOSTFIX.EXE

Adware.Tracking Cookie
.c.atdmt.com [ C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\Q22R7WN4.DEFAULT\COOKIES.SQLITE ]
.c.atdmt.com [ C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\Q22R7WN4.DEFAULT\COOKIES.SQLITE ]
.atdmt.com [ C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\Q22R7WN4.DEFAULT\COOKIES.SQLITE ]
.c1.atdmt.com [ C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\Q22R7WN4.DEFAULT\COOKIES.SQLITE ]

Additional info - noticed = the backdoor exe file was present in the same place on HD but not recognized by SAS.

After running 2 scans = (sorry, the 1st was quick where it should have been a complete scan - but the new architecture of the program (layout), as opposed to the tutor, confused me) - I took together all the courage left and kicked that unwanted backdoor file manually out of the "door", which to my surprise went quickly and positively - and ran a full scan with the software provided by SAS - and post the log here =

Log 3 - SAS

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/15/2013 at 08:48 AM

Application Version : 5.6.1012

Core Rules Database Version : 10535
Trace Rules Database Version: 8347

Scan type       : Complete Scan
Total Scan Time : 00:57:26

Operating System Information
Windows XP Professional 32-bit, Service Pack 3 (Build 5.01.2600)
Administrator

Memory items scanned      : 537
Memory threats detected   : 0
Registry items scanned    : 39335
Registry threats detected : 0
File items scanned        : 39020
File threats detected     : 0


I guess the fight against the infection has taken us towards a positive outcome (??)

Many thanks to the complete team for all help, patience and assistance.
But the troubles are not over yet.  I still have the infected/hijacked homepages of the internet-explorer and the firefox-explorer.
What program can remove whatever is causing this situation? Do I have to open a new forum thread?

And I would prefer (with desire) to have a HiJackThis log analysed, to be sure about the actual situation of my T42 (so needed to make my damaged life possible)?


Gamla.


============================================================================================================

Addicted to my portable T42 [xp] and a Desk PC with mobo Asus P5WD2 E PREMIUM [vista] - both operational in older OS but want to add both onto Linux.  All my application software works perfect in the XP environment. 
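To make scan logs like the ones in this thread quicker to read, here is an added Python example (not SAS's or BleepingComputer's code) that parses the SAS 5.x log layout shown above, separates the low-severity tracking-cookie hits from the file detections that need attention, and cross-checks the "threats detected" counters against the listed items; the embedded sample log is constructed from the thread's format.

```python
"""Parse and triage SUPERAntiSpyware (SAS) scan logs in the layout posted above."""
import re
from collections import defaultdict

# Constructed sample, abbreviated from the SAS 5.x log layout seen in the thread.
SAMPLE_LOG = r"""SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Scan type       : Complete Scan
Total Scan Time : 01:01:32

Memory threats detected   : 0
Registry threats detected : 0
File threats detected     : 3

Trojan.Agent/Gen-Cryptor[Egun]
F:\C BACKUP DEFRAG\MIJN DOCUMENTEN\DOWNLOADS\HOSTFIX.EXE

Adware.Tracking Cookie
.c.atdmt.com [ C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\Q22R7WN4.DEFAULT\COOKIES.SQLITE ]
.doubleclick.net [ C:\DOCUMENTS AND SETTINGS\JP\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
"""

KV_RE = re.compile(r"^(?P<key>[A-Za-z ]+?)\s*:\s*(?P<val>.+)$")
COOKIE_RE = re.compile(r"^(?P<domain>\S+) \[ (?P<store>.+) \]$")
COOKIE_CATEGORY = "Adware.Tracking Cookie"

def parse_sas_log(text):
    """Return (header fields, {category: [items]}) for one SAS scan log."""
    fields, detections = {}, defaultdict(list)
    lines = text.splitlines()
    i = 0
    # Header: 'Key : Value' lines up to and including 'File threats detected'.
    while i < len(lines):
        line = lines[i]
        i += 1
        m = KV_RE.match(line)
        if m and "://" not in line:  # skip the vendor URL line
            key = m.group("key").strip()
            fields[key] = m.group("val").strip()
            if key == "File threats detected":
                break
    # Detections: blank-line-separated blocks whose first line is the category.
    category = None
    for line in lines[i:]:
        line = line.strip()
        if not line:
            category = None
        elif category is None:
            category = line
        else:
            detections[category].append(line)
    return fields, dict(detections)

def triage(fields, detections):
    """Split low-severity tracking cookies from detections that need attention
    and cross-check the listed items against the summary counters."""
    cookies = detections.get(COOKIE_CATEGORY, [])
    stores = sorted({m.group("store") for m in map(COOKIE_RE.match, cookies) if m})
    real = {c: v for c, v in detections.items() if c != COOKIE_CATEGORY}
    listed = sum(len(v) for v in detections.values())
    reported = sum(int(v) for k, v in fields.items() if k.endswith("threats detected"))
    return {"scan_type": fields.get("Scan type"), "cookie_count": len(cookies),
            "cookie_stores": stores, "real_threats": real,
            "counter_matches_listing": listed == reported}
```

A mismatch between the counter and the listing points at a truncated paste; the cookie stores tell you which browser profiles to clear, while anything under real_threats is what to raise with the helper.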


#9 boopme
    To Insanity and Beyond
  • Global Moderator
  • 73,221 posts
  • Gender:Male
  • Location:NJ USA

Posted 15 June 2013 - 09:44 AM

Ok, it looks like the rest is deeply hooked. We need a new topic about the infected/hijacked homepages of the internet-explorer and the firefox-explorer.

We should get a deeper look. Please follow this Preparation Guide and post in a new topic.
Let me know if all went well.

#10 gamla7
  • Topic Starter
  • Members
  • 38 posts
  • Gender:Male
  • Location:Same universe

Posted 15 June 2013 - 08:52 PM

Hi dear boopme -


I will carefully read your last post with the preparation guide and follow your guidance.

Guess I will need some time to execute all new steps. 

See you back later. Thank you and also have a nice day!


Gamla




#11 boopme
    To Insanity and Beyond
  • Global Moderator
  • 73,221 posts
  • Gender:Male
  • Location:NJ USA

Posted 17 June 2013 - 08:42 PM

You're welcome gamla7

Your new topic is here, thank you.

Now that your log is properly posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by a Malware Removal Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.
From this point on, the Malware Removal Team should be the only members that you take advice from, until they have verified your log as clean.
Please be patient. It may take a while to get a response because the Malware Removal Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the Malware Removal Team. Generally the staff checks the forum for postings that have 0 replies, as this makes it easier for them to identify those who have not been helped. If you post another response, there will be 1 reply. A team member looking for a new log to work may assume another MRL Team member is already assisting you and not open the thread to respond.
The current wait time is 1 - 2 days and ALL logs are answered.
If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.
To avoid confusion, I am closing this topic.



