Qone8 Malware


  • This topic is locked
14 replies to this topic

#1 Emma15

Emma15

  • Members
  • 6 posts
  • OFFLINE
  • Local time:04:52 AM

Posted 06 November 2013 - 03:04 AM

Hi guys,

 

I'm having a lot of trouble. I installed jdownloader to download youtube videos. During the install, Norton 360 detected malware and put a file in quarantine as detailed in the log below. Every time Firefox opens, I get qone8 popups and qone8 has taken over my homepages in Firefox and Internet Explorer. I googled qone8 and came across AdwCleaner and downloaded it from http://www.bleepingcomputer.com/download/adwcleaner/dl/125/

It helped a little. But my computer is still laggy and slow. I think there still is more qone8 malware on my computer and perhaps other malware as well.

 

-------------------------------------

 

Here are the Norton 360 and AdwCleaner logs:

 

# AdwCleaner v3.011 - Report created 06/11/2013 at 04:02:16
# Updated 03/11/2013 by Xplode
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
# Username : Admin - HOME
# Running from : C:\Documents and Settings\Admin\Desktop\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\Documents and Settings\All Users\Application Data\eSafe
Folder Deleted : C:\DOCUME~1\Admin\LOCALS~1\Temp\eIntaller
Folder Deleted : C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\lu3lrzuc.Profile.1\FCTB
File Deleted : C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\1d0l33kw.default\searchplugins\safesearch.xml
File Deleted : C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\lu3lrzuc.Profile.1\searchplugins\safesearch.xml

***** [ Shortcuts ] *****

Shortcut Disinfected : C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
Shortcut Disinfected : C:\Documents and Settings\All Users\Start Menu\Programs\Mozilla Firefox.lnk
Shortcut Disinfected : C:\Documents and Settings\Admin\Start Menu\Programs\Internet Explorer.lnk
Shortcut Disinfected : C:\Documents and Settings\Admin\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk
Shortcut Disinfected : C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
Shortcut Disinfected : C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk

***** [ Registry ] *****

Key Deleted : HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application\WsysSvc
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}
Data Restored : HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command
Data Restored : HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command
Key Deleted : HKCU\Software\InstallCore
Key Deleted : HKLM\Software\qone8Software

***** [ Browsers ] *****

-\\ Internet Explorer v8.0.6001.18702


-\\ Mozilla Firefox v24.0 (en-US)

[ File : C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\1d0l33kw.default\prefs.js ]

Line Deleted : user_pref("browser.newtab.url", "hxxp://start.qone8.com/newtab/?type=nt&ts=1383668765&from=cor&uid=FUJITSUXMHT2060BH_NR0CT58259PGT58259PGX");
Line Deleted : user_pref("browser.search.defaultenginename", "qone8");
Line Deleted : user_pref("browser.search.selectedEngine", "qone8");

[ File : C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\lrv1zeie.Profile.2\prefs.js ]

Line Deleted : user_pref("browser.newtab.url", "hxxp://start.qone8.com/newtab/?type=nt&ts=1383668765&from=cor&uid=FUJITSUXMHT2060BH_NR0CT58259PGT58259PGX");
Line Deleted : user_pref("browser.search.defaultenginename", "qone8");
Line Deleted : user_pref("browser.search.selectedEngine", "qone8");
Line Deleted : user_pref("browser.startup.homepage", "hxxp://start.qone8.com/?type=hp&ts=1383668765&from=cor&uid=FUJITSUXMHT2060BH_NR0CT58259PGT58259PGX");

[ File : C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\lu3lrzuc.Profile.1\prefs.js ]

Line Deleted : user_pref("browser.newtab.url", "hxxp://start.qone8.com/newtab/?type=nt&ts=1383668765&from=cor&uid=FUJITSUXMHT2060BH_NR0CT58259PGT58259PGX");
Line Deleted : user_pref("browser.search.defaultenginename", "qone8");
Line Deleted : user_pref("browser.search.selectedEngine", "qone8");
Line Deleted : user_pref("browser.startup.homepage", "hxxp://start.qone8.com/?type=hp&ts=1383668765&from=cor&uid=FUJITSUXMHT2060BH_NR0CT58259PGT58259PGX");
Line Deleted : user_pref("freecaused8c4975b9e4b4574b5ab67fe58455a95.47.KeywordHistory", "flybuys%2520toolbar%2520whirlpool%7Cremove%2520flybuys%2520toolbar%2520search%2520history%7Cflybuys%2520toolbar%2520privacy%7C[...]
Line Deleted : user_pref("freecaused8c4975b9e4b4574b5ab67fe58455a95.AutoSearchEventData", "auto%20search");
Line Deleted : user_pref("freecaused8c4975b9e4b4574b5ab67fe58455a95.ClearCacheDate", 16);
Line Deleted : user_pref("freecaused8c4975b9e4b4574b5ab67fe58455a95.DNSCatch", true);
Line Deleted : user_pref("freecaused8c4975b9e4b4574b5ab67fe58455a95.DisplayEULA", true);
Line Deleted : user_pref("freecaused8c4975b9e4b4574b5ab67fe58455a95.DnsCatchEventData", "dns%20catch");
Line Deleted : user_pref("freecaused8c4975b9e4b4574b5ab67fe58455a95.EBOMode", false);
Line Deleted : user_pref("freecaused8c4975b9e4b4574b5ab67fe58455a95.EnableDCAData_xx", true);
Line Deleted : user_pref("freecaused8c4975b9e4b4574b5ab67fe58455a95.EnableDCA_xx", false);
Line Deleted : user_pref("freecaused8c4975b9e4b4574b5ab67fe58455a95.FirstLaunchShown", true);
Line Deleted : user_pref("freecaused8c4975b9e4b4574b5ab67fe58455a95.InstallDomain", "flybuys.com.au");
Line Deleted : user_pref("freecaused8c4975b9e4b4574b5ab67fe58455a95.InstallType", "one_click");
Line Deleted : user_pref("freecaused8c4975b9e4b4574b5ab67fe58455a95.LoadLayoutDate.100967", 16);
Line Deleted : user_pref("freecaused8c4975b9e4b4574b5ab67fe58455a95.NewTabSearchEventData", "tab%20search");
Line Deleted : user_pref("freecaused8c4975b9e4b4574b5ab67fe58455a95.ShowRecommendedOptions", true);
Line Deleted : user_pref("freecaused8c4975b9e4b4574b5ab67fe58455a95.StateReportDate", "1379317162961");
Line Deleted : user_pref("freecaused8c4975b9e4b4574b5ab67fe58455a95.TopRightSearchEventData", "top%20right%20search");
Line Deleted : user_pref("freecaused8c4975b9e4b4574b5ab67fe58455a95.beforeInstallSaved", true);
Line Deleted : user_pref("freecaused8c4975b9e4b4574b5ab67fe58455a95.beforeinstall.homepage", "about%3Ahome");
Line Deleted : user_pref("freecaused8c4975b9e4b4574b5ab67fe58455a95.beforeinstall.search", "Google");
Line Deleted : user_pref("freecaused8c4975b9e4b4574b5ab67fe58455a95.comp.search.47.engine_img", "aHR0cDovL3Rvb2xiYXJidWlsZGVyLmZyZWVjYXVzZS5jb20uczMuYW1hem9uYXdzLmNvbS9mYXZpY29ucy95YWhvb19mYXZpY29uX3B1cnBsZV8xNngxNi[...]
Line Deleted : user_pref("freecaused8c4975b9e4b4574b5ab67fe58455a95.comp.search.47.engine_url", "aHR0cDovL2F1LnloczQuc2VhcmNoLnlhaG9vLmNvbS95aHMvc2VhcmNoP3RpZD0ldG9vbGlkJmZyPXNmcCZmcjI9JmhzcGFydD1mcmVlY2F1c2UmaHNpbX[...]
Line Deleted : user_pref("freecaused8c4975b9e4b4574b5ab67fe58455a95.comp.search.47.text", "Search%20to%20earn%20points");
Line Deleted : user_pref("freecaused8c4975b9e4b4574b5ab67fe58455a95.customNewTab", true);
Line Deleted : user_pref("freecaused8c4975b9e4b4574b5ab67fe58455a95.dcaDefaultMode", false);
Line Deleted : user_pref("freecaused8c4975b9e4b4574b5ab67fe58455a95.dcaShowInstallerPage", false);
Line Deleted : user_pref("freecaused8c4975b9e4b4574b5ab67fe58455a95.dcaShowSurvey", true);
Line Deleted : user_pref("freecaused8c4975b9e4b4574b5ab67fe58455a95.helpUsImprove", true);
Line Deleted : user_pref("freecaused8c4975b9e4b4574b5ab67fe58455a95.hideOthers", true);
Line Deleted : user_pref("freecaused8c4975b9e4b4574b5ab67fe58455a95.partnerauth", false);
Line Deleted : user_pref("freecaused8c4975b9e4b4574b5ab67fe58455a95.processAddrBar", false);
Line Deleted : user_pref("freecaused8c4975b9e4b4574b5ab67fe58455a95.remove_homepage", true);
Line Deleted : user_pref("freecaused8c4975b9e4b4574b5ab67fe58455a95.remove_search", true);
Line Deleted : user_pref("freecaused8c4975b9e4b4574b5ab67fe58455a95.restoreSearch", false);
Line Deleted : user_pref("freecaused8c4975b9e4b4574b5ab67fe58455a95.runcmd.", "1377194971");
Line Deleted : user_pref("freecaused8c4975b9e4b4574b5ab67fe58455a95.searchHistory", true);
Line Deleted : user_pref("freecaused8c4975b9e4b4574b5ab67fe58455a95.session", "332AE54E418B78D064642D3F590E1A689A642190EE7D713478567C31310687CA13F2B4F007AEC1CF907F436F2A2B97FB36D34EFECC1A6DF451FAFFEE988D6EFBD09E45EC[...]
Line Deleted : user_pref("freecaused8c4975b9e4b4574b5ab67fe58455a95.showFirstLaunchOptions", false);
Line Deleted : user_pref("freecaused8c4975b9e4b4574b5ab67fe58455a95.tb_lang", "en");
Line Deleted : user_pref("freecaused8c4975b9e4b4574b5ab67fe58455a95.tool_id", "100967");
Line Deleted : user_pref("freecaused8c4975b9e4b4574b5ab67fe58455a95.user_id", "131590765");
Line Deleted : user_pref("freecaused8c4975b9e4b4574b5ab67fe58455a95.user_key", "050490bee7739037ee52b7f0ecb5eac45c3492e9");
Line Deleted : user_pref("freecaused8c4975b9e4b4574b5ab67fe58455a95.user_layouts", "100967");
Line Deleted : user_pref("freecaused8c4975b9e4b4574b5ab67fe58455a95.user_lnames", "flybuys%20Toolbar");
Line Deleted : user_pref("freecaused8c4975b9e4b4574b5ab67fe58455a95.vars.last_checked_for_balance_component", "1379317202");
Line Deleted : user_pref("freecaused8c4975b9e4b4574b5ab67fe58455a95.xml_service_url", "6bb94bbf55fe2f255901a560824a6ebe");
Line Deleted : user_pref("freecaused8c4975b9e4b4574b5ab67fe58455a95.yahooSearch", false);

*************************

AdwCleaner[R0].txt - [10173 octets] - [06/11/2013 04:00:45]
AdwCleaner[S0].txt - [9342 octets] - [06/11/2013 04:02:16]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [9402 octets] ##########
 

-------------------------------------------------------------------------------------------

 

Norton 360 Log:

 

Filename: help.exe
Threat name: exqWebSearch
Full Path: c:\documents and settings\admin\local settings\temp\eintaller\29fa3617c7084bdfa178f33df61b0dc0\help.exe

____________________________

Details
Many Users,  New,  Risk Low

Origin
Downloaded from
 Unknown

Activity
Actions performed: 36

____________________________


On computers as of 6/11/2013 at 3:26:03 AM
Last Used 6/11/2013 at 3:31:12 AM
Startup Item No
Launched No

____________________________


Many Users
Tens of thousands of users in the Norton Community have used this file.

New
This file was released more than 7 days 28 days ago.

Low
This file risk is low.

Threat type: Security Risk. Programs that pose a security or privacy risk and are not already classified as malicious.


____________________________


Source: External Media

Source File:
webinstallerjd2.exe

File Created:
jdownloadersetup_jdownloader.org.exe

File Created:
cor_ar_qone8.exe

File Created:
help.exe


____________________________

File Actions

File: c:\program files\mozilla firefox\searchplugins\v9.xml
No Action Required
File: c:\documents and settings\admin\application data\microsoft\internet explorer\quick launch\onmylike.lnk
No Action Required
File: c:\documents and settings\admin\application data\microsoft\internet explorer\quick launch\user pinned\taskbar\onmylike.lnk
No Action Required
File: c:\documents and settings\admin\desktop\onmylike.lnk
No Action Required
File: c:\documents and settings\admin\local settings\temp\2.ico
No Action Required
File: c:\windows\system32\client.log
No Action Required
File: c:\user data\default\extensions\novo_price_comparison.crx
No Action Required
Infected file: c:\documents and settings\admin\local settings\temp\eintaller\29fa3617c7084bdfa178f33df61b0dc0\help.exe
Removed
Infected file: c:\documents and settings\admin\application data\qone8.exe
Removed
____________________________

Registry Actions

Registry change: HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main->Default_Page_URL:http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=5.5&ar=msnhome
Repaired
Registry change: HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main->Default_Page_URL:http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=5.5&ar=msnhome
No Action Required
Registry change: HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main->Start Page:http://www.symantec.com/redirects/security_response/fix_homepage/index.jsp?lg=en&pid=N360&pvid=21.1.0.18
Repaired
Registry change: HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main->Start Page:http://securityresponse.symantec.com/avcenter/fix_homepage
No Action Required
Registry change: HKEY_USERS\S-1-5-21-1715567821-1482476501-839522115-1003\Software\Wow6432Node\Microsoft\Internet Explorer\Main->Default_Page_URL:http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=5.5&ar=msnhome
No Action Required
Registry change: HKEY_USERS\S-1-5-19\Software\Wow6432Node\Microsoft\Internet Explorer\Main->Default_Page_URL:http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=5.5&ar=msnhome
No Action Required
Registry change: HKEY_USERS\S-1-5-21-1715567821-1482476501-839522115-500\Software\Wow6432Node\Microsoft\Internet Explorer\Main->Default_Page_URL:http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=5.5&ar=msnhome
No Action Required
Registry change: HKEY_USERS\S-1-5-20\Software\Wow6432Node\Microsoft\Internet Explorer\Main->Default_Page_URL:http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=5.5&ar=msnhome
No Action Required
Registry change: HKEY_USERS\.DEFAULT\Software\Wow6432Node\Microsoft\Internet Explorer\Main->Default_Page_URL:http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=5.5&ar=msnhome
No Action Required
Registry change: HKEY_USERS\S-1-5-21-1715567821-1482476501-839522115-1003\Software\Wow6432Node\Microsoft\Internet Explorer\Main->Start Page:http://securityresponse.symantec.com/avcenter/fix_homepage
No Action Required
Registry change: HKEY_USERS\S-1-5-19\Software\Wow6432Node\Microsoft\Internet Explorer\Main->Start Page:http://securityresponse.symantec.com/avcenter/fix_homepage
No Action Required
Registry change: HKEY_USERS\S-1-5-21-1715567821-1482476501-839522115-500\Software\Wow6432Node\Microsoft\Internet Explorer\Main->Start Page:http://securityresponse.symantec.com/avcenter/fix_homepage
No Action Required
Registry change: HKEY_USERS\S-1-5-20\Software\Wow6432Node\Microsoft\Internet Explorer\Main->Start Page:http://securityresponse.symantec.com/avcenter/fix_homepage
No Action Required
Registry change: HKEY_USERS\.DEFAULT\Software\Wow6432Node\Microsoft\Internet Explorer\Main->Start Page:http://securityresponse.symantec.com/avcenter/fix_homepage
No Action Required
Registry change: HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search->CustomizeSearch:http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
Repaired
Registry change: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search->SearchAssistant:http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
Repaired
Registry change: HKEY_USERS\S-1-5-21-1715567821-1482476501-839522115-1003\Software\Microsoft\Internet Explorer\Main->Start Page:http://www.symantec.com/redirects/security_response/fix_homepage/index.jsp?lg=en&pid=N360&pvid=21.1.0.18
Repaired
Registry change: HKEY_USERS\S-1-5-19\Software\Microsoft\Internet Explorer\Main->Start Page:http://www.symantec.com/redirects/security_response/fix_homepage/index.jsp?lg=en&pid=N360&pvid=21.1.0.18
Repaired
Registry change: HKEY_USERS\S-1-5-21-1715567821-1482476501-839522115-500\Software\Microsoft\Internet Explorer\Main->Start Page:http://www.symantec.com/redirects/security_response/fix_homepage/index.jsp?lg=en&pid=N360&pvid=21.1.0.18
Repaired
Registry change: HKEY_USERS\S-1-5-20\Software\Microsoft\Internet Explorer\Main->Start Page:http://www.symantec.com/redirects/security_response/fix_homepage/index.jsp?lg=en&pid=N360&pvid=21.1.0.18
Repaired
Registry change: HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main->Start Page:http://www.symantec.com/redirects/security_response/fix_homepage/index.jsp?lg=en&pid=N360&pvid=21.1.0.18
Repaired
Registry change: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AboutURLs->Tabs:res://ieframe.dll/tabswelcome.htm
Repaired
Registry change: HKEY_USERS\S-1-5-21-1715567821-1482476501-839522115-1003\Software\Microsoft\Internet Explorer\Main->Default_Page_URL:http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=5.5&ar=msnhome
Repaired
Registry change: HKEY_USERS\S-1-5-19\Software\Microsoft\Internet Explorer\Main->Default_Page_URL:http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=5.5&ar=msnhome
Repaired
Registry change: HKEY_USERS\S-1-5-21-1715567821-1482476501-839522115-500\Software\Microsoft\Internet Explorer\Main->Default_Page_URL:http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=5.5&ar=msnhome
Repaired
Registry change: HKEY_USERS\S-1-5-20\Software\Microsoft\Internet Explorer\Main->Default_Page_URL:http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=5.5&ar=msnhome
Repaired
Registry change: HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main->Default_Page_URL:http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=5.5&ar=msnhome
Repaired
____________________________


File Thumbprint - SHA:
4b496121fc73e7bef1a026fa72143daa36032c2bec62017d32d26803e6a8d535
File Thumbprint - MD5:
Not available
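The AdwCleaner log above shows the three things a hijacker like qone8 rewrites in a Firefox profile's prefs.js: the start page and new-tab URL, the default search engine, and (in the DDS log posted later in this thread) proxy settings. The following Python script is an added example, not part of this post or of any of the tools mentioned in the thread; it parses a prefs.js and flags those indicators. The sample input is constructed from the pref lines quoted in the logs (URLs kept defanged as hxxp://, as AdwCleaner prints them); the TRUSTED_HOSTS and TRUSTED_ENGINES allow-lists are assumptions to replace with your own baseline.

```python
"""Audit a Firefox prefs.js for browser-hijacker indicators (added example)."""
import re
from urllib.parse import parse_qs, urlsplit

# user_pref("name", value);  -- value is a quoted string, true/false or an integer
PREF_RE = re.compile(r'^user_pref\("([^"]+)",\s*(.*)\);\s*$')

# Prefs that qone8 rewrote in the AdwCleaner log: start/new-tab URL and search engine.
URL_PREFS = ("browser.newtab.url", "browser.startup.homepage")
ENGINE_PREFS = ("browser.search.defaultenginename", "browser.search.selectedEngine")

# Allow-lists are assumptions for this example; set them to your own baseline.
TRUSTED_HOSTS = {"www.google.com", "www.bing.com", "duckduckgo.com"}
TRUSTED_ENGINES = {"Google", "Bing", "DuckDuckGo", "Yahoo"}


def parse_prefs(text):
    """Return {pref_name: value} from prefs.js text, typing strings/bools/ints."""
    prefs = {}
    for line in text.splitlines():
        match = PREF_RE.match(line.strip())
        if not match:
            continue
        name, raw = match.group(1), match.group(2).strip()
        if raw.startswith('"') and raw.endswith('"'):
            prefs[name] = raw[1:-1]
        elif raw in ("true", "false"):
            prefs[name] = raw == "true"
        else:
            try:
                prefs[name] = int(raw)
            except ValueError:
                prefs[name] = raw
    return prefs


def audit_prefs(prefs):
    """Flag hijacked URLs/engines and any configured proxy; returns a list of findings."""
    findings = []
    for name in URL_PREFS:
        value = prefs.get(name)
        if not isinstance(value, str):
            continue
        # Logs often defang URLs as hxxp://; undo that so urlsplit sees a scheme.
        parts = urlsplit(re.sub(r"^hxxp", "http", value))
        if parts.hostname and parts.hostname not in TRUSTED_HOSTS:
            # The query string carries the per-victim tracking parameters (ts, from, uid).
            tracking = {k: v[0] for k, v in parse_qs(parts.query).items()}
            findings.append({"pref": name, "host": parts.hostname, "tracking": tracking})
    for name in ENGINE_PREFS:
        value = prefs.get(name)
        if isinstance(value, str) and value not in TRUSTED_ENGINES:
            findings.append({"pref": name, "engine": value})
    # A proxy host in prefs.js only takes effect when network.proxy.type is 1 (manual);
    # type 0 means "no proxy", so report the host but record whether it is active.
    proxy_active = prefs.get("network.proxy.type") == 1
    for proto in ("http", "ssl", "socks", "ftp"):
        host = prefs.get(f"network.proxy.{proto}")
        if host:
            findings.append({"pref": f"network.proxy.{proto}", "host": host,
                             "port": prefs.get(f"network.proxy.{proto}_port"),
                             "active": proxy_active})
    return findings


# Constructed sample: the qone8 lines from the AdwCleaner log above plus the proxy
# prefs from the DDS log, with one benign pref mixed in.
SAMPLE_PREFS_JS = """\
user_pref("browser.cache.disk.capacity", 358400);
user_pref("browser.newtab.url", "hxxp://start.qone8.com/newtab/?type=nt&ts=1383668765&from=cor&uid=FUJITSUXMHT2060BH_NR0CT58259PGT58259PGX");
user_pref("browser.search.defaultenginename", "qone8");
user_pref("browser.search.selectedEngine", "qone8");
user_pref("browser.startup.homepage", "hxxp://start.qone8.com/?type=hp&ts=1383668765&from=cor&uid=FUJITSUXMHT2060BH_NR0CT58259PGT58259PGX");
user_pref("network.proxy.http", "147.31.182.137");
user_pref("network.proxy.http_port", 3128);
user_pref("network.proxy.type", 0);
"""

if __name__ == "__main__":
    for finding in audit_prefs(parse_prefs(SAMPLE_PREFS_JS)):
        print(finding)
```

Two points worth noticing in the output. The uid parameter that qone8 appends to every start-page and new-tab request is a stable per-machine identifier (here it looks like it was built from the hard-disk model and serial number), which is why the same uid shows up in all three profiles in the log. And a proxy host in prefs.js is not by itself evidence of interception: with network.proxy.type set to 0, as in the DDS log, Firefox ignores those proxy prefs, so the finding is reported as inactive rather than treated as a live redirect.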
 



#2 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:52 AM

Posted 06 November 2013 - 04:43 AM

Hi there,
my name is Marius and I will assist you with your malware related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

 

 

Delete junk with JRT

Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

 

 

Scan with DDS

Download DDS and save it to your desktop from here or here or here.

Disable any script blocker, and then double click dds.scr to run the tool.

When done, DDS will open two (2) logs

DDS.txt: save to your desktop then post its contents in your topic
Attach.txt: save to your desktop then attach it to your next reply

 

 

 

Scan with Gmer rootkit scanner

Please download Gmer from here by clicking on the "Download EXE" Button.

  • Double click on the randomly named GMER.exe. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Show All ( should be unchecked by default )
  • Leave everything else as it is.
  • Close all other running programs as well as your Browser.
  • Click the Scan button & wait for it to finish.
  • Once done click on the Save.. button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop.
  • Please post the content of the ark.txt here.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries



#3 Emma15

Emma15
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:04:52 AM

Posted 06 November 2013 - 11:55 AM

Hi Marius,

 

Thank you for your time in helping me. I really appreciate it. Here are the logs:

 

JRT Log:

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.0.8 (11.05.2013:1)
OS: Microsoft Windows XP x86
Ran by Admin on Thu 07/11/2013 at  2:30:41.34
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values

Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\DisplayName
Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\URL



~~~ Registry Keys



~~~ Files



~~~ Folders



~~~ FireFox

Successfully deleted: [File] C:\Documents and Settings\Admin\Application Data\mozilla\firefox\profiles\1d0l33kw.default\searchplugins\safesearch.xml
Emptied folder: C:\Documents and Settings\Admin\Application Data\mozilla\firefox\profiles\lu3lrzuc.Profile.1\minidumps [114 files]





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Thu 07/11/2013 at  2:39:17.93
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

 

 

 

dds log:

 

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702  BrowserJavaVersion: 10.40.2
Run by Admin at 2:51:26 on 2013-11-07
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1526.838 [GMT 11:00]
.
AV: Norton 360 *Disabled/Outdated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *Enabled*
.
============== Running Processes ================
.
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\Program Files\Norton 360\Engine\21.1.0.18\N360.exe
C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
C:\Program Files\Norton 360\Engine\21.1.0.18\N360.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Fujitsu\FUJ02E3\FUJ02E3.exe
C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\ALCMTR.EXE
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PC-TV\WinManager\WinManager.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\SNDVOL32.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\PC-TV\TwinhanDTV\TwinhanDTV.exe
C:\WINDOWS\system32\igfxext.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.symantec.com/redirects/security_response/fix_homepage/index.jsp?lg=en&pid=N360&pvid=21.1.0.18
mStart Page = hxxp://www.symantec.com/redirects/security_response/fix_homepage/index.jsp?lg=en&pid=N360&pvid=21.1.0.18
BHO: IDM integration (IDMIEHlprObj Class): {0055C089-8582-441B-A0BF-17B458C2A3A8} - c:\program files\internet download manager\IDMIECC.dll
BHO: Adobe PDF Reader Link Helper: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Norton Identity Protection: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - c:\program files\norton 360\engine\21.1.0.18\coieplg.dll
BHO: Norton Vulnerability Protection: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - c:\program files\norton 360\engine\21.1.0.18\ips\ipsbho.dll
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office14\GROOVEEX.DLL
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - c:\program files\microsoft office\office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - c:\program files\norton 360\engine\21.1.0.18\coieplg.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
mRun: [AzMixerSel] c:\program files\realtek\installshield\AzMixerSel.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [LoadFUJ02E3] c:\program files\fujitsu\fuj02e3\FUJ02E3.exe
mRun: [IndicatorUtility] c:\program files\fujitsu\fujitsu hotkey utility\IndicatorUty.exe
mRun: [LoadFujitsuQuickTouch] c:\program files\fujitsu\application panel\QuickTouch.exe
mRun: [LoadBtnHnd] c:\program files\fujitsu\btnhnd\BtnHnd.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [TrueImageMonitor.exe] c:\program files\acronis\trueimagehome\TrueImageMonitor.exe
mRun: [AcronisTimounterMonitor] c:\program files\acronis\trueimagehome\TimounterMonitor.exe
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
mRun: [IntelWireless] c:\program files\intel\wireless\bin\ifrmewrk.exe /tf Intel PROSet/Wireless
mRun: [EOUApp] c:\program files\intel\wireless\bin\EOUWiz.exe
mRun: [BCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\reader 8.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~2.lnk - c:\program files\adobe\reader 8.0\reader\AdobeCollabSync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winman~1.lnk - c:\program files\pc-tv\winmanager\WinManager.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: NoDriveTypeAutoRun = dword:255
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: Download all links with IDM - c:\program files\internet download manager\IEGetAll.htm
IE: Download with IDM - c:\program files\internet download manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\micros~2\office14\ONBttnIE.dll/105
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1381042494500
TCP: NameServer = 10.0.0.138 10.0.0.138
TCP: Interfaces\{663BF77F-E0EE-40F0-A618-0EB23587AF7C} : DHCPNameServer = 10.0.0.138 10.0.0.138
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Notify: igfxcui - igfxsrvc.dll
Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office14\GROOVEEX.DLL
LSA: Authentication Packages =  msv1_0 relog_ap
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\admin\application data\mozilla\firefox\profiles\1d0l33kw.default\
FF - prefs.js: browser.startup.homepage - about:home
FF - prefs.js: network.proxy.ftp - 147.31.182.137
FF - prefs.js: network.proxy.ftp_port - 3128
FF - prefs.js: network.proxy.http - 147.31.182.137
FF - prefs.js: network.proxy.http_port - 3128
FF - prefs.js: network.proxy.socks - 147.31.182.137
FF - prefs.js: network.proxy.socks_port - 3128
FF - prefs.js: network.proxy.ssl - 147.31.182.137
FF - prefs.js: network.proxy.ssl_port - 3128
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\progra~1\micros~2\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~2\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_9_900_117.dll
FF - plugin: c:\windows\system32\npDeployJava1.dll
FF - plugin: c:\windows\system32\npptools.dll
FF - ExtSQL: 2013-10-05 18:18; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - ExtSQL: 2013-10-07 15:47; {2D3F3651-74B9-4795-BDEC-6DA2F431CB62}; c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_21.0.2.1\coFFPlgn
FF - ExtSQL: 2013-10-07 15:47; {BBDA0591-3099-440a-AA10-41764D9DB4DB}; c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_21.0.2.1\IPSFF
FF - ExtSQL: 2013-10-12 02:54; mozilla_cc@internetdownloadmanager.com; c:\documents and settings\admin\application data\idm\idmmzcc3
FF - ExtSQL: 2013-10-12 03:53; {19503e42-ca3c-4c27-b1e2-9cdb2170ee34}; c:\documents and settings\admin\application data\mozilla\firefox\profiles\1d0l33kw.default\extensions\{19503e42-ca3c-4c27-b1e2-9cdb2170ee34}.xpi
.
============= SERVICES / DRIVERS ===============
.
R0 hotcore3;hc3ServiceName;c:\windows\system32\drivers\hotcore3.sys [2013-10-6 27136]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\1501000.012\symds.sys [2013-10-20 367704]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\1501000.012\symefa.sys [2013-10-20 935512]
R1 BHDrvx86;BHDrvx86;c:\program files\norton 360\nortondata\21.0.2.1\definitions\bashdefs\20131022.001\BHDrvx86.sys [2013-10-23 1096280]
R1 ccSet_N360;N360 Settings Manager;c:\windows\system32\drivers\n360\1501000.012\ccsetx86.sys [2013-10-20 127064]
R1 IDMTDI;IDMTDI;c:\windows\system32\drivers\idmtdi.sys [2011-4-26 98160]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\1501000.012\ironx86.sys [2013-10-20 206936]
R1 Uim_Vim;UIM Virtual Image Plugin;c:\windows\system32\drivers\Uim_Vim.sys [2013-2-18 283600]
R2 N360;Norton 360;c:\program files\norton 360\engine\21.1.0.18\n360.exe [2013-10-20 264360]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2013-10-8 108120]
R3 FUJ02E3;Fujitsu FUJ02E3 Device Driver;c:\windows\system32\drivers\fuj02e3.sys [2013-10-5 4864]
R3 IDSxpx86;IDSxpx86;c:\program files\norton 360\nortondata\21.0.2.1\definitions\ipsdefs\20131030.001\IDSXpx86.sys [2013-11-1 380824]
R3 NAVENG;NAVENG;c:\program files\norton 360\nortondata\21.0.2.1\definitions\virusdefs\20131031.001\NAVENG.SYS [2013-11-1 93272]
R3 NAVEX15;NAVEX15;c:\program files\norton 360\nortondata\21.0.2.1\definitions\virusdefs\20131031.001\NAVEX15.SYS [2013-11-1 1612376]
R3 UDTT2BDA;DTV-DVB USB2 DVB-T receiver;c:\windows\system32\drivers\UDTT2BDA.sys [2013-10-5 81408]
R3 UDTT2HID;UDTT2HID - USB 2.0 HID Driver;c:\windows\system32\drivers\UDTT2HID.sys [2013-10-5 16128]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2013-10-11 11520]
.
=============== Created Last 30 ================
.
2013-11-06 15:30:34    --------    dc----w-    c:\windows\ERUNT
2013-11-06 15:18:05    --------    dc----w-    c:\program files\Mozilla Maintenance Service
2013-11-05 17:00:41    --------    dc----w-    C:\AdwCleaner
2013-11-05 16:28:42    --------    dc----w-    c:\documents and settings\admin\local settings\application data\JDownloader v2.0
2013-11-01 17:00:58    --------    dc----w-    c:\documents and settings\admin\application data\TeamViewer
2013-10-27 06:27:36    --------    dc----w-    c:\documents and settings\admin\local settings\application data\Help
2013-10-26 16:35:17    --------    dc----w-    c:\documents and settings\admin\local settings\application data\CutePDF Writer
2013-10-26 16:34:48    --------    dc----w-    c:\program files\GPLGS
2013-10-26 16:03:43    88688    -c--a-w-    c:\windows\system32\cpwmon2k.dll
2013-10-26 16:03:35    --------    dc----w-    c:\program files\Acro Software
2013-10-20 07:06:08    383576    -c--a-w-    c:\windows\system32\drivers\n360\1501000.012\symtdiv.sys
2013-10-20 07:06:07    446552    -c--a-w-    c:\windows\system32\drivers\n360\1501000.012\symnets.sys
2013-10-20 07:06:07    421592    -c--a-w-    c:\windows\system32\drivers\n360\1501000.012\symtdi.sys
2013-10-20 07:06:07    21520    -c--a-r-    c:\windows\system32\drivers\n360\1501000.012\symelam.sys
2013-10-20 07:06:06    935512    -c--a-w-    c:\windows\system32\drivers\n360\1501000.012\symefa.sys
2013-10-20 07:06:06    367704    -c--a-r-    c:\windows\system32\drivers\n360\1501000.012\symds.sys
2013-10-20 07:06:06    32344    -c--a-r-    c:\windows\system32\drivers\n360\1501000.012\srtspx.sys
2013-10-20 07:06:05    651352    -c--a-w-    c:\windows\system32\drivers\n360\1501000.012\srtsp.sys
2013-10-20 07:06:05    206936    -c--a-r-    c:\windows\system32\drivers\n360\1501000.012\ironx86.sys
2013-10-20 07:06:04    127064    -c--a-w-    c:\windows\system32\drivers\n360\1501000.012\ccsetx86.sys
2013-10-20 07:04:35    14818    -c--a-w-    c:\windows\system32\drivers\n360\1501000.012\symvtcer.dat
2013-10-20 07:04:34    --------    dc----w-    c:\windows\system32\drivers\n360\1501000.012
2013-10-20 05:21:41    --------    dc----w-    C:\Removable Disk (G)
2013-10-20 05:11:33    --------    dc----w-    c:\windows\system32\wbem\repository\FS
2013-10-20 05:11:33    --------    dc----w-    c:\windows\system32\wbem\Repository
2013-10-19 15:49:31    --------    dc----r-    C:\Sandbox
2013-10-18 06:20:41    --------    dc----w-    c:\documents and settings\all users\application data\PlotSoft
2013-10-18 06:20:40    --------    dc----w-    c:\program files\PlotSoft
2013-10-15 05:58:55    --------    dc----w-    C:\New Folder
2013-10-12 17:49:50    --------    dc----w-    c:\program files\MKVtoolnix
2013-10-11 17:03:31    --------    dc-h--w-    c:\windows\system32\GroupPolicy
2013-10-11 16:55:22    --------    dc----w-    c:\program files\VideoLAN
2013-10-11 16:46:30    --------    dc----w-    c:\documents and settings\admin\application data\IDM
2013-10-11 16:46:23    --------    dc----w-    c:\program files\Internet Download Manager
2013-10-11 16:45:45    --------    dc----w-    C:\Internet Download Manager v6.05.14
2013-10-11 15:54:51    --------    dc----w-    c:\documents and settings\all users\application data\IDM
2013-10-11 15:54:51    --------    dc----w-    c:\documents and settings\admin\application data\DMCache
2013-10-11 08:35:31    11520    -c--a-r-    c:\windows\system32\drivers\wdcsam.sys
2013-10-10 16:04:22    692616    -c--a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-10-10 16:04:21    71048    -c--a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-10-10 16:03:09    --------    dc----w-    c:\documents and settings\admin\local settings\application data\Adobe
2013-10-08 00:26:26    --------    dc----w-    c:\documents and settings\admin\local settings\application data\Sun
2013-10-07 17:36:21    868264    -c--a-w-    c:\windows\system32\npDeployJava1.dll
2013-10-07 17:36:21    790440    -c--a-w-    c:\windows\system32\deployJava1.dll
2013-10-07 17:36:21    144896    -c--a-w-    c:\windows\system32\javacpl.cpl
2013-10-07 17:35:30    94632    -c--a-w-    c:\windows\system32\WindowsAccessBridge.dll
.
==================== Find3M  ====================
.
2013-10-07 16:01:22    142936    -c--a-w-    c:\windows\system32\drivers\SYMEVENT.SYS
2013-10-06 16:35:26    60872    -c--a-w-    c:\windows\system32\S32EVNT1.DLL
2013-10-05 16:46:41    17119    -c--a-w-    c:\windows\system32\drivers\AegisP.sys
2013-10-05 09:40:55    44384    -c--a-w-    c:\windows\system32\drivers\tifsfilt.sys
2013-10-05 09:40:55    441760    -c--a-w-    c:\windows\system32\drivers\timntr.sys
2013-10-05 09:40:43    132224    -c--a-w-    c:\windows\system32\drivers\snapman.sys
2013-10-05 09:40:25    368480    -c--a-w-    c:\windows\system32\drivers\tdrpman.sys
2013-08-09 01:56:45    386560    -c--a-w-    c:\windows\system32\themeui.dll
.
============= FINISH:  2:51:41.18 ===============

attach log:

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 4/10/2013 7:52:19 PM
System Uptime: 7/11/2013 2:13:20 AM (0 hours ago)
.
Motherboard: FUJITSU |  | FJNB1A1
Processor:         Intel® Pentium® M processor 1.73GHz | Onboard | 1729/533mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 13 GiB total, 6.412 GiB free.
D: is FIXED (NTFS) - 28 GiB total, 23.194 GiB free.
E: is FIXED (NTFS) - 15 GiB total, 13.419 GiB free.
F: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 1394 Net Adapter
Device ID: V1394\NIC1394\326874C0E10
Manufacturer: Microsoft
Name: 1394 Net Adapter
PNP Device ID: V1394\NIC1394\326874C0E10
Service: NIC1394
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Intel® PRO/Wireless 2915ABG Network Connection
Device ID: PCI\VEN_8086&DEV_4223&SUBSYS_10308086&REV_05\4&31177083&0&28F0
Manufacturer: Intel® Corporation
Name: Intel® PRO/Wireless 2915ABG Network Connection
PNP Device ID: PCI\VEN_8086&DEV_4223&SUBSYS_10308086&REV_05\4&31177083&0&28F0
Service: w29n51
.
==== System Restore Points ===================
.
No restore point in system.
.
==== Installed Programs ======================
.
Acronis True Image Home
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader 8
Agere Systems HDA Modem
Broadcom Gigabit Ethernet
CutePDF Writer 3.0
Fujitsu Hotkey Utility
Fujitsu System Extension Utility
High Definition Audio Driver Package - KB835221
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB981793)
Intel® Graphics Media Accelerator Driver for Mobile
Intel® PROSet/Wireless Software
Internet Download Manager
Java 7 Update 40
Java Auto Updater
JDownloader 2
LifeBook Application Panel
mCore
mDriver
mDrWiFi
mEoU.msi
mHelp
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2833941)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office Access MUI (English) 2010
Microsoft Office Access Setup Metadata MUI (English) 2010
Microsoft Office Excel MUI (English) 2010
Microsoft Office Groove MUI (English) 2010
Microsoft Office InfoPath MUI (English) 2010
Microsoft Office OneNote MUI (English) 2010
Microsoft Office Outlook MUI (English) 2010
Microsoft Office PowerPoint MUI (English) 2010
Microsoft Office Professional Plus 2010
Microsoft Office Proof (English) 2010
Microsoft Office Proof (French) 2010
Microsoft Office Proof (Spanish) 2010
Microsoft Office Proofing (English) 2010
Microsoft Office Publisher MUI (English) 2010
Microsoft Office Shared MUI (English) 2010
Microsoft Office Shared Setup Metadata MUI (English) 2010
Microsoft Office Word MUI (English) 2010
Microsoft Software Update for Web Folders  (English) 14
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
mIWA
mIWCA
MKVtoolnix 2.2.0
mLogView
mMHouse
Mozilla Firefox 25.0 (x86 en-US)
Mozilla Maintenance Service
mPfMgr
mPfWiz
mProSafe
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6 Service Pack 2 (KB973686)
mToolkit
mWlsSafe
mXML
mZConfig
Norton 360
Paragon Backup & Recovery™ 2013 Free
Realtek High Definition Audio Driver
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2736416)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2840629)
Security Update for Microsoft Windows (KB2564958)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2870699)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB2834904-v2)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player (KB979402)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2584146)
Security Update for Windows XP (KB2585542)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB2598479)
Security Update for Windows XP (KB2603381)
Security Update for Windows XP (KB2618451)
Security Update for Windows XP (KB2619339)
Security Update for Windows XP (KB2620712)
Security Update for Windows XP (KB2631813)
Security Update for Windows XP (KB2653956)
Security Update for Windows XP (KB2655992)
Security Update for Windows XP (KB2659262)
Security Update for Windows XP (KB2661637)
Security Update for Windows XP (KB2676562)
Security Update for Windows XP (KB2686509)
Security Update for Windows XP (KB2691442)
Security Update for Windows XP (KB2698365)
Security Update for Windows XP (KB2705219-v2)
Security Update for Windows XP (KB2712808)
Security Update for Windows XP (KB2719985)
Security Update for Windows XP (KB2723135-v2)
Security Update for Windows XP (KB2727528)
Security Update for Windows XP (KB2753842-v2)
Security Update for Windows XP (KB2757638)
Security Update for Windows XP (KB2758857)
Security Update for Windows XP (KB2770660)
Security Update for Windows XP (KB2780091)
Security Update for Windows XP (KB2802968)
Security Update for Windows XP (KB2807986)
Security Update for Windows XP (KB2813345)
Security Update for Windows XP (KB2820197)
Security Update for Windows XP (KB2820917)
Security Update for Windows XP (KB2834886)
Security Update for Windows XP (KB2845187)
Security Update for Windows XP (KB2849470)
Security Update for Windows XP (KB2850869)
Security Update for Windows XP (KB2859537)
Security Update for Windows XP (KB2864063)
Security Update for Windows XP (KB2876217)
Security Update for Windows XP (KB2876315)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982665)
Synaptics Pointing Device Driver
Texas Instruments PCIxx21/x515 drivers.
TIxx21
TwinhanDTV
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2661254-v2)
Update for Windows XP (KB2749655)
Update for Windows XP (KB2863058)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VLC media player 2.1.0
WebFldrs XP
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
WinRAR 4.20 (32-bit)
WinZip
.
==== Event Viewer Messages From Past Week ========
.
31/10/2013 12:12:43 PM, error: Dhcp [1002]  - The IP address lease 10.0.0.2 for the Network Card with network address 000B5D98F12D has been denied by the DHCP server 10.0.0.138 (The DHCP Server sent a DHCPNACK message).
2/11/2013 1:30:15 AM, error: Dhcp [1002]  - The IP address lease 10.0.0.1 for the Network Card with network address 000B5D98F12D has been denied by the DHCP server 10.0.0.138 (The DHCP Server sent a DHCPNACK message).
.
==== End Of File ===========================

ark log:

GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2013-11-07 03:26:27
Windows 5.1.2600 Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 FUJITSU_ rev.0000 55.89GB
Running: logp3brb.exe; Driver: C:\DOCUME~1\Admin\LOCALS~1\Temp\pxtdipow.sys


---- System - GMER 2.1 ----

SSDT            89A8B118                                      ZwAlertResumeThread
SSDT            89A8B1B0                                      ZwAlertThread
SSDT            89A21310                                      ZwAllocateVirtualMemory
SSDT            89A50D30                                      ZwAssignProcessToJobObject
SSDT            8A2D4C08                                      ZwConnectPort
SSDT            \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS  ZwCreateKey [0xA62A7F50]
SSDT            89A6EB78                                      ZwCreateMutant
SSDT            89A50BE0                                      ZwCreateSymbolicLinkObject
SSDT            89AA9498                                      ZwCreateThread
SSDT            89A50DC8                                      ZwDebugActiveProcess
SSDT            \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS  ZwDeleteKey [0xA62A81D0]
SSDT            \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS  ZwDeleteValueKey [0xA62A8890]
SSDT            89A8A2D0                                      ZwDuplicateObject
SSDT            89A30D90                                      ZwFreeVirtualMemory
SSDT            89A6EC20                                      ZwImpersonateAnonymousToken
SSDT            89A6ECB8                                      ZwImpersonateThread
SSDT            8A2C3AF8                                      ZwLoadDriver
SSDT            89AA4CB0                                      ZwMapViewOfSection
SSDT            89A6EAE0                                      ZwOpenEvent
SSDT            89A306A8                                      ZwOpenProcess
SSDT            89A11320                                      ZwOpenProcessToken
SSDT            89A50F18                                      ZwOpenSection
SSDT            89A6B2D0                                      ZwOpenThread
SSDT            89A50C88                                      ZwProtectVirtualMemory
SSDT            \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS  ZwRenameKey [0xA62A8DF0]
SSDT            89A8B248                                      ZwResumeThread
SSDT            89A70A38                                      ZwSetContextThread
SSDT            89A70AB0                                      ZwSetInformationProcess
SSDT            89A50E60                                      ZwSetSystemInformation
SSDT            \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS  ZwSetValueKey [0xA62A8B10]
SSDT            89A50F90                                      ZwSuspendProcess
SSDT            89A8B2E0                                      ZwSuspendThread
SSDT            899F3040                                      ZwTerminateProcess
SSDT            89A709A0                                      ZwTerminateThread
SSDT            89A4C320                                      ZwUnmapViewOfSection
SSDT            89A122D0                                      ZwWriteVirtualMemory

---- Devices - GMER 2.1 ----

AttachedDevice  \Driver\Tcpip \Device\Ip                      SYMTDI.SYS
AttachedDevice  \Driver\Tcpip \Device\Ip                      idmtdi.sys
AttachedDevice  \Driver\Kbdclass \Device\KeyboardClass0       SynTP.sys
AttachedDevice  \Driver\Tcpip \Device\Tcp                     SYMTDI.SYS
AttachedDevice  \Driver\Tcpip \Device\Tcp                     idmtdi.sys
AttachedDevice  \Driver\Ftdisk \Device\HarddiskVolume1        tdrpman.sys
AttachedDevice  \Driver\Ftdisk \Device\HarddiskVolume1        hotcore3.sys
AttachedDevice  \Driver\Ftdisk \Device\HarddiskVolume2        tdrpman.sys
AttachedDevice  \Driver\Ftdisk \Device\HarddiskVolume2        hotcore3.sys
AttachedDevice  \Driver\Ftdisk \Device\HarddiskVolume3        tdrpman.sys
AttachedDevice  \Driver\Ftdisk \Device\HarddiskVolume3        hotcore3.sys
AttachedDevice  \Driver\Tcpip \Device\Udp                     SYMTDI.SYS
AttachedDevice  \Driver\Tcpip \Device\Udp                     idmtdi.sys
AttachedDevice  \Driver\Tcpip \Device\RawIp                   SYMTDI.SYS
AttachedDevice  \Driver\Tcpip \Device\RawIp                   idmtdi.sys

---- EOF - GMER 2.1 ----
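Added example (not part of the thread, and not code from DDS, Firefox or any BleepingComputer tool): the lines worth a second look in the DDS log above are the Firefox network.proxy.* prefs, because a browser hijacker that wants to sit in the traffic path points them at a host it controls, and whether they actually bite depends on network.proxy.type (Firefox's documented values: 0 direct, 1 manual, 2 PAC script, 4 auto-detect, 5 system). The script below parses DDS-style "FF - prefs.js" and "TCP: NameServer" lines, lists every proxy host and DNS server that is a public address, and says whether the proxy is in force or merely configured. The function names, the SAMPLE_DDS input (constructed to mirror the excerpt above) and the rule that any public proxy is "verify, then reset if unexpected" are this example's own assumptions; it makes no claim about the particular address in the log.

```python
"""Audit Firefox proxy prefs and DNS servers from DDS-style log lines.

Added example for this thread; not code from DDS, Firefox or BleepingComputer.
"""
import ipaddress
import re

# Firefox's documented network.proxy.type values.
PROXY_TYPES = {0: "direct (no proxy)", 1: "manual", 2: "PAC script",
               4: "auto-detect (WPAD)", 5: "system settings"}

# "FF - prefs.js: network.proxy.http - 147.31.182.137"
PREF_RE = re.compile(r"^FF - prefs\.js: (network\.proxy\.\S+) - (\S+)")
# "TCP: NameServer = ..." and the per-interface "DHCPNameServer = ..." form
DNS_RE = re.compile(r"^TCP: (?:Interfaces\\\{[^}]*\} : DHCP)?NameServer = (.+)$")

# Sample input constructed to mirror the DDS excerpt posted above (assumption).
SAMPLE_DDS = """\
TCP: NameServer = 10.0.0.138 10.0.0.138
TCP: Interfaces\\{663BF77F-E0EE-40F0-A618-0EB23587AF7C} : DHCPNameServer = 10.0.0.138 10.0.0.138
FF - prefs.js: browser.startup.homepage - about:home
FF - prefs.js: network.proxy.ftp - 147.31.182.137
FF - prefs.js: network.proxy.ftp_port - 3128
FF - prefs.js: network.proxy.http - 147.31.182.137
FF - prefs.js: network.proxy.http_port - 3128
FF - prefs.js: network.proxy.socks - 147.31.182.137
FF - prefs.js: network.proxy.socks_port - 3128
FF - prefs.js: network.proxy.ssl - 147.31.182.137
FF - prefs.js: network.proxy.ssl_port - 3128
FF - prefs.js: network.proxy.type - 0
"""


def parse_dds(text):
    """Return ({pref: value}, [DNS servers in the order seen]) from DDS log lines."""
    prefs, dns = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2)
            continue
        m = DNS_RE.match(line)
        if m:
            for server in m.group(1).split():
                if server not in dns:
                    dns.append(server)
    return prefs, dns


def is_public(host):
    """True for an IP literal outside private, loopback and link-local space.

    Hostnames return False here; resolve them and re-check the result.
    """
    try:
        return bool(ipaddress.ip_address(host).is_global)
    except ValueError:
        return False


def audit(text):
    """Summarise proxy/DNS state and list the items a responder should verify."""
    prefs, dns = parse_dds(text)
    raw_type = prefs.get("network.proxy.type")
    ptype = int(raw_type) if raw_type is not None else None
    if ptype is None:
        type_label = "not in log (Firefox default applies)"
    else:
        type_label = PROXY_TYPES.get(ptype, f"unknown ({ptype})")
    report = {
        "proxy_type": type_label,
        "proxy_active": ptype == 1,  # only a manual proxy uses network.proxy.<proto>
        "proxies": {},
        "dns": dns,
        "findings": [],
    }
    for proto in ("http", "ssl", "ftp", "socks"):
        host = prefs.get(f"network.proxy.{proto}")
        if host is None:
            continue
        port = prefs.get(f"network.proxy.{proto}_port", "?")
        report["proxies"][proto] = f"{host}:{port}"
        if is_public(host):
            state = "ACTIVE" if report["proxy_active"] else "configured but inactive"
            report["findings"].append(
                f"{proto} proxy {host}:{port} is a public address ({state}); "
                "verify it is expected, otherwise reset the network.proxy.* prefs")
    for server in dns:
        if is_public(server):
            report["findings"].append(
                f"DNS server {server} is a public address; confirm it is the intended resolver")
    return report


if __name__ == "__main__":
    result = audit(SAMPLE_DDS)
    print(f"proxy type: {result['proxy_type']} (active: {result['proxy_active']})")
    for finding in result["findings"]:
        print("-", finding)
```

On the sample the proxy entries are reported as "configured but inactive" because network.proxy.type is 0; the check is still worth running after cleanup, since a later change of that one pref would switch every listed protocol onto the configured host.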
 



#4 TB-Psychotic
  • Malware Response Team
  • 6,349 posts
  • Gender:Male
  • Local time:09:52 AM

Posted 07 November 2013 - 03:23 AM

Full System Scan with Malwarebytes Antimalware

  • If not already installed, please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.


If the program is already installed:
  • Run Malwarebytes Antimalware
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, place a checkmark on all hard drives, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location.
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Post that log back here.

Scan with ESET Online Scan

Please go here to run the online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click the 'List of found threats' , then click Export to text file....
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.


Proud Member of UNITE & TB
My help is free, however, if you want to support my fight against malware, click here (no worries, every little bit helps)

#5 Emma15
  • Topic Starter
  • Members
  • 6 posts
  • Local time:04:52 AM

Posted 08 November 2013 - 10:28 AM

Hi,

Do I have to uninstall jdownloader because it contains malware? The malware first infected my computer during jdownloader installation as I described in my first post.

Here are the logs:

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.11.07.05

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Admin :: HOME [administrator]

8/11/2013 2:47:16 AM
MBAM-log-2013-11-08 (13-07-05).txt

Scan type: Full scan (C:\|D:\|E:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 200088
Time elapsed: 10 hour(s), 19 minute(s), 10 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 2
C:\AdwCleaner\Quarantine\C\Documents and Settings\Admin\LOCALS~1\Temp\eIntaller\29FA3617C7084bdfA178F33DF61B0DC0\eGdpSvc.exe.vir (PUP.Optional.Wsys.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\Admin\Local Settings\Temp\is961225091\cor_ar_qone8.exe (PUP.Optional.Elex.A) -> Quarantined and deleted successfully.
(end)

----------------------------------------

ESET Online Scanner

C:\Documents and Settings\Admin\Desktop\CuteWriter.exe    a variant of Win32/Bundled.Toolbar.Ask.D application

C:\Documents and Settings\Admin\Desktop\ac3filter_2_6_0b.exe    Win32/OpenCandy application

C:\Documents and Settings\Admin\Desktop\flvplayer-setup.exe    multiple threats

Are these malware programs? - I've already installed these on my computer a while ago.

Thanks

#6 TB-Psychotic
  • Malware Response Team
  • 6,349 posts
  • Gender:Male
  • Local time:09:52 AM

Posted 11 November 2013 - 03:10 AM

These files aren't malware but contain security risks. I would delete them immediately - your choice.

Delete junk with JRT

Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

SecurityCheck

Please download SecurityCheck: LINK1 LINK2

  • Save it to your desktop, start it and follow the instructions in the window.
  • After the scan has finished, checkup.txt will open. Copy its content to your thread.

#7 TB-Psychotic
  • Malware Response Team
  • 6,349 posts
  • Gender:Male
  • Local time:09:52 AM

Posted 14 November 2013 - 03:51 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.

#8 TB-Psychotic
  • Malware Response Team
  • 6,349 posts
  • Gender:Male
  • Local time:09:52 AM

Posted 15 November 2013 - 03:15 AM

This topic has been re-opened at the request of the person who originally posted.

#9 Emma15
  • Topic Starter
  • Members
  • 6 posts
  • Local time:04:52 AM

Posted 15 November 2013 - 12:45 PM

Hi,

Thanks for reopening this topic.

JRT Log:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.0.8 (11.05.2013:1)
OS: Microsoft Windows XP x86
Ran by Admin on Fri 15/11/2013 at  3:11:06.57
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values



~~~ Registry Keys



~~~ Files



~~~ Folders



~~~ FireFox

Emptied folder: C:\Documents and Settings\Admin\Application Data\mozilla\firefox\profiles\lu3lrzuc.Profile.1\minidumps [114 files]





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Fri 15/11/2013 at  3:19:19.51
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 Results of screen317's Security Check version 0.99.77  
 Windows XP Service Pack 3 x86   
 Internet Explorer 8  
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Disabled!  
Norton 360    
 Antivirus up to date!  
`````````Anti-malware/Other Utilities Check:`````````
 Malwarebytes Anti-Malware version 1.75.0.1300  
 Java 7 Update 40  
 Java version out of Date!
 Adobe Flash Player     11.9.900.117  
 Adobe Reader 8 Adobe Reader out of Date!
 Mozilla Firefox (25.0)
````````Process Check: objlist.exe by Laurent````````  
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C:: 36% Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````

I prefer using Acrobat Reader 8, because it is light. The latest versions just pack too much in. All I need is to be able to read PDFs.

Edited by Emma15, 15 November 2013 - 12:48 PM.


#10 TB-Psychotic


  • Malware Response Team
  • 6,349 posts

Posted 18 November 2013 - 03:14 AM

An outdated Adobe product is one of the easiest ways to get infected - I strongly recommend updating it!

Your system is clean now! :)

Java Runtime Environment out of date

Your Java Runtime Environment is outdated. We will fix this.

  • Get the current JRE from here
  • Save jxpiinstall.exe to your desktop
  • Close all running programs, especially your browser(s)
  • Run jxpiinstall.exe. This will download the newest JRE installer and install the software
  • When finished, go to
    Start-->Control Panel-->Add/Remove Programs and remove all older Java versions (if any).
  • When finished, reboot your computer.

After the reboot
  • Open Control Panel again and click the Java symbol.
  • Click Settings under Temporary Internet Files.
    The Temporary Files Settings dialog box appears.
  • Click Delete Files.
    The Delete Temporary Files dialog box appears.
  • Click OK on the Delete Temporary Files window.
  • Click OK again.


Adobe Reader out of date

Your Adobe Reader is outdated. We will fix this.

  • Get the current software from here. Important: Uncheck any optional software (for example Google Chrome, etc.) that is offered.
  • Run the setup and follow the instructions.
  • Click Start-->Control Panel-->Add/Remove Programs.
  • Search for and remove any older Reader versions.


Uninstall our tools using delfix

Please follow these steps in order:

  • In case we used Defogger to turn off your CD emulation software, you can start it again and use the Enable button.
  • In case we used Combofix, deactivate your antivirus software once more, then rename combofix.exe to uninstall.exe and run it one last time. You will be notified that Combofix has been removed.
  • In any case, please download delfix to your desktop.
    • Close all other programs and start delfix.
    • Please check all the boxes and run the tool.
    • delfix will now delete all found traces of our removal process.
  • If there is still something left, please delete it manually.


How to protect yourself

  • System Updates
    Being up to date is very important. Please be sure to activate automatic updates in your Control Panel.
    Windows XP | Windows Vista |
    Windows 7 | Windows 8
  • Protection
    What you need is one (not more) good virus scanner with background protection. Additionally, I recommend a special malware scanner that you run from time to time.
    Personally I am using avast! Antivirus Free Edition and Malwarebytes Anti-Malware. They offer you good protection for free use. But please remember: you only get full protection if you use the paid versions of your security software.
  • Up-to-date Software
    Stay up to date with all the programs you use. Some you really have to keep an eye on are: your browser(s) including add-ons and plug-ins, Java, Flash Player, your virus scanner, and basically every piece of software you use often. These links may help you to check:
  • Backups
    There is a chance of an emergency every day, so be prepared. Back up your data on a regular basis. Whether you burn it to DVDs from time to time, use a cloud drive or a professional network backup system is your choice.
  • Brains
    It's no joke! You really need one of those things. :) It is very important not to just click anywhere it is colored or flashing while you are surfing the web. Do not click an OK button on any pop-up window without reading what it says. While installing software, always choose the custom mode, read what those windows say and uncheck adware that will be installed along with the software you want.



#11 Emma15

  • Topic Starter

  • Members
  • 6 posts

Posted 20 November 2013 - 12:00 AM

Hi Marius,

Could you also look at a HijackThis log for me?

Thanks



#12 TB-Psychotic


  • Malware Response Team
  • 6,349 posts

Posted 20 November 2013 - 03:17 AM

No need to do that. HijackThis isn't the common scan program in this forum because it provides far too little information about the scanned system.

We ran DDS and took out everything suspicious it found.



#13 Emma15

  • Topic Starter

  • Members
  • 6 posts

Posted 23 November 2013 - 10:27 AM

What is RevHDD.exe? I have this process running and I can't seem to find out which program installed this process. It appears in msconfig startup process tab as well. Is this a safe process?


Edited by Emma15, 24 November 2013 - 12:08 AM.


#14 TB-Psychotic


  • Malware Response Team
  • 6,349 posts

Posted 25 November 2013 - 03:16 AM

This is a legit process and wouldn't harm your computer. :)



#15 TB-Psychotic


  • Malware Response Team
  • 6,349 posts

Posted 06 December 2013 - 06:55 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
