
Help ! Virus controlling computer.


  • This topic is locked
23 replies to this topic

#1 klut

klut

  • Members
  • 17 posts
  • OFFLINE
  • Local time:06:54 PM

Posted 14 May 2014 - 02:09 AM

Hi 

Recently received a virus. I have scanned many times with Malwarebytes & also rkill. Antivirus software is Bitdefender, which continually blocks processes with files in the app folder, whose names constantly change. It is also blocking WINDOWS/system32/svchost.exe

When connected to the internet Thunderbird (email) continually crashes; when I remove the LAN cable it works fine?

I did notice the virus turned off the firewall & unchecked show hidden folders? OS is XP.

Have attached the DDS report.

Any help appreciated.

Cheers

Pete

Attached File  attach.txt   23.76KB   5 downloads

Attached File  dds.txt   15.95KB   2 downloads




#2 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:54 AM

Posted 14 May 2014 - 10:14 AM

Hi there,
my name is Marius and I will assist you with your malware related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

Scan with Gmer rootkit scanner

Please download Gmer from here by clicking on the "Download EXE" Button.

  • Double click on the randomly named GMER.exe. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Show All ( should be unchecked by default )
  • Leave everything else as it is.
  • Close all other running programs as well as your Browser.
  • Click the Scan button & wait for it to finish.
  • Once done click on the Save.. button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop.
  • Please post the content of the ark.txt here.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#3 klut

klut
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:06:54 PM

Posted 14 May 2014 - 06:24 PM

Hi

Here are the results. It appears that a USPS attachment for a parcel was clicked on to download a pickup slip.

Thanks

Pete

 

GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-05-15 09:20:24
Windows 5.1.2600 Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 ST320LT0 rev.0001 298.09GB
Running: 28kyscm4.exe; Driver: C:\DOCUME~1\KIDZLI~1\LOCALS~1\Temp\pxtdypod.sys
 
 
---- System - GMER 2.1 ----
 
SSDT            \??\C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys  ZwAllocateVirtualMemory [0x9823909C]
SSDT            \??\C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys  ZwAssignProcessToJobObject [0x98239C66]
SSDT            \??\C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys  ZwClose [0x9823CB6A]
SSDT            \??\C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys  ZwConnectPort [0x9823B3F6]
SSDT            \??\C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys  ZwCreateFile [0x9823A93A]
SSDT            \??\C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys  ZwCreateKey [0x9823BAEE]
SSDT            \??\C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys  ZwCreateProcess [0x98239EBC]
SSDT            \??\C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys  ZwCreateProcessEx [0x98239F72]
SSDT            \??\C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys  ZwCreateSection [0x9823A25C]
SSDT            \??\C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys  ZwCreateThread [0x98238A0C]
SSDT            \??\C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys  ZwDeviceIoControlFile [0x9823BC5E]
SSDT            \??\C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys  ZwDuplicateObject [0x982400F8]
SSDT            \??\C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys  ZwFsControlFile [0x9823BF16]
SSDT            \??\C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys  ZwLoadDriver [0x98239572]
SSDT            \??\C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys  ZwMakeTemporaryObject [0x9823C912]
SSDT            \??\C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys  ZwOpenFile [0x9823A72C]
SSDT            \??\C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys  ZwOpenProcess [0x9823FB50]
SSDT            \??\C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys  ZwOpenSection [0x9823A02C]
SSDT            \??\C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys  ZwOpenThread [0x9823FE00]
SSDT            \??\C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys  ZwProtectVirtualMemory [0x98238F20]
SSDT            \??\C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys  ZwQueueApcThread [0x98239D8E]
SSDT            \??\C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys  ZwReplaceKey [0x9823C760]
SSDT            \??\C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys  ZwRequestPort [0x9823B564]
SSDT            \??\C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys  ZwRequestWaitReplyPort [0x9823AEF8]
SSDT            \??\C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys  ZwRestoreKey [0x9823C7EA]
SSDT            \??\C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys  ZwSecureConnectPort [0x9823B97E]
SSDT            \??\C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys  ZwSetContextThread [0x98238B7C]
SSDT            \??\C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys  ZwSetSecurityObject [0x9823C6BA]
SSDT            \??\C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys  ZwSetSystemInformation [0x9823976C]
SSDT            \??\C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys  ZwShutdownSystem [0x9823C87C]
SSDT            \??\C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys  ZwSuspendProcess [0x98238DF8]
SSDT            \??\C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys  ZwSuspendThread [0x98238CD2]
SSDT            \??\C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys  ZwSystemDebugControl [0x98239B98]
SSDT            \??\C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys  ZwTerminateProcess [0x9823FA48]
SSDT            \??\C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys  ZwTerminateThread [0x982402EA]
SSDT            \??\C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys  ZwUnloadDriver [0x9823C9A8]
SSDT            \??\C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys  ZwWriteVirtualMemory [0x98238890]
 
SYSENTER        avc3.sys                                                              B9D75000
 
---- Devices - GMER 2.1 ----
 
AttachedDevice  \Driver\Tcpip \Device\Ip                                              bdftdif.sys
AttachedDevice  \Driver\Kbdclass \Device\KeyboardClass0                               SynTP.sys
AttachedDevice  \Driver\Tcpip \Device\Tcp                                             bdftdif.sys
AttachedDevice  \Driver\Tcpip \Device\Udp                                             bdftdif.sys
AttachedDevice  \Driver\Tcpip \Device\RawIp                                           bdftdif.sys
 
---- EOF - GMER 2.1 ----


#4 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:54 AM

Posted 15 May 2014 - 04:20 AM

Combofix

Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT- Save ComboFix.exe to your Desktop

====================================================


Disable your AntiVirus and AntiSpyware applications as they will interfere with our tools and the removal. If you are unsure how to do this, please refer to our sticky topic How to disable your security applications


====================================================


Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


[image: RC_update.png]


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


[image: cfRC_screen_2.png]


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply for further review.



#5 klut

klut
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:06:54 PM

Posted 15 May 2014 - 07:51 AM

Hi

Below is the report. I had to remove Bitdefender as I couldn't disable it. What is the best free antivirus, Avast or ?

Thanks for your help.

Cheers Pete

ComboFix 14-05-13.01 - kidzlikeus 05/15/2014  22:22:10.1.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.3318.2249 [GMT 10:00]
Running from: c:\documents and settings\kidzlikeus\My Documents\Downloads\ComboFix.exe
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\docume~1\KIDZLI~1\LOCALS~1\Temp\IadHide4.dll
c:\documents and settings\All Users\Application Data\1399956988.bdinstall.bin
c:\documents and settings\All Users\Application Data\1399957321.4148.bin
c:\documents and settings\All Users\Application Data\1399957321.6112.bin
c:\documents and settings\All Users\Application Data\1399957321.720.bin
c:\documents and settings\All Users\Application Data\1399957641.bdinstall.bin
c:\documents and settings\All Users\Application Data\1400154920.bdinstall.bin
c:\documents and settings\All Users\Application Data\1400154924.bdinstall.bin
c:\documents and settings\All Users\Application Data\1400155750.bdinstall.bin
c:\documents and settings\kidzlikeus\Local Settings\Application Data\jxjvixkn.exe
c:\documents and settings\kidzlikeus\Local Settings\Application Data\pdbauxhk.exe
c:\documents and settings\kidzlikeus\Local Settings\Application Data\sbatgbsd.exe
c:\documents and settings\kidzlikeus\Local Settings\Temp\IadHide4.dll
c:\windows\system32\SET11A.tmp
c:\windows\system32\SET11C.tmp
c:\windows\system32\SET11E.tmp
c:\windows\system32\SET120.tmp
c:\windows\system32\SET128.tmp
c:\windows\system32\SET12A.tmp
c:\windows\system32\SET12C.tmp
c:\windows\system32\Thumbs.db
.
.
(((((((((((((((((((((((((   Files Created from 2014-04-15 to 2014-05-15  )))))))))))))))))))))))))))))))
.
.
2014-05-15 04:11 . 2014-05-15 04:11 322048 ----a-w- c:\windows\system32\wutue.exe.45377.gzquar
2014-05-15 04:08 . 2014-05-15 04:08 322560 ----a-w- c:\windows\system32\efeqzaca.exe.45291.gzquar
2014-05-14 10:27 . 2014-05-14 23:43 -------- d-----w- c:\documents and settings\kidzlikeus\Application Data\Idusevo
2014-05-14 07:17 . 2014-05-14 07:17 17938608 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe
2014-05-14 07:16 . 2014-05-14 07:16 -------- d-----w- c:\documents and settings\kidzlikeus\Application Data\SUPERAntiSpyware.com
2014-05-14 07:16 . 2014-05-14 07:16 -------- d-----w- c:\program files\SUPERAntiSpyware
2014-05-14 07:16 . 2014-05-14 07:16 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2014-05-14 06:21 . 2014-05-14 06:21 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2014-05-14 06:17 . 2010-08-29 22:34 536576 ----a-w- c:\windows\system32\sqlite3.dll
2014-05-14 06:16 . 2014-05-14 06:23 -------- d-----w- C:\AdwCleaner
2014-05-13 08:11 . 2014-05-13 08:11 -------- d-----w- c:\documents and settings\LocalService\Application Data\QuickScan
2014-05-13 01:53 . 2014-05-13 01:53 -------- d-----w- c:\documents and settings\kidzlikeus\Local Settings\Application Data\PCHealth
2014-05-13 01:51 . 2014-05-13 01:51 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2014-05-06 01:38 . 2008-11-07 08:55 16928 ------w- c:\windows\system32\spmsgXP_2k3.dll
2014-05-03 23:50 . 2014-05-03 23:50 -------- d-----w- c:\documents and settings\kidzlikeus\Application Data\DropboxMaster
2014-04-30 04:32 . 2014-05-03 23:46 -------- d-----w- c:\program files\Mozilla Thunderbird
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-05-14 07:17 . 2012-06-23 00:47 692400 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2014-05-14 07:17 . 2012-03-14 10:08 70832 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2014-04-23 21:03 . 2012-10-23 20:53 86888 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2014-04-23 21:03 . 2012-10-23 20:53 53064 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\LMIproc.dll
2014-04-23 21:03 . 2012-10-23 20:53 31560 ----a-w- c:\windows\system32\LMIport.dll
2014-04-23 21:03 . 2012-10-23 20:52 85832 ----a-w- c:\windows\system32\LMIinit.dll
2014-03-18 02:40 . 2014-03-18 02:40 49152 ----a-r- c:\documents and settings\kidzlikeus\Application Data\Microsoft\Installer\{7D5F6110-43F5-46CF-8C3F-5EAF71918F4B}\NewShortcut3_CE3444101D0046CBA9F1EEBEFCF138B2.exe
2014-03-18 02:40 . 2014-03-18 02:40 49152 ----a-r- c:\documents and settings\kidzlikeus\Application Data\Microsoft\Installer\{7D5F6110-43F5-46CF-8C3F-5EAF71918F4B}\NewShortcut1_CE3444101D0046CBA9F1EEBEFCF138B2_1.exe
2014-03-18 02:40 . 2014-03-18 02:40 49152 ----a-r- c:\documents and settings\kidzlikeus\Application Data\Microsoft\Installer\{7D5F6110-43F5-46CF-8C3F-5EAF71918F4B}\DatabaseRepair_116B79E778BA4FE8BD6B967DB1BB46F1.exe
2014-03-18 02:40 . 2014-03-18 02:40 45056 ----a-r- c:\documents and settings\kidzlikeus\Application Data\Microsoft\Installer\{7D5F6110-43F5-46CF-8C3F-5EAF71918F4B}\ARPPRODUCTICON.exe
2014-02-26 01:59 . 2014-03-12 01:42 13312 ------w- c:\windows\system32\xp_eos.exe
2014-02-25 03:30 . 2006-08-03 03:24 668672 ----a-w- c:\windows\system32\wininet.dll
2014-02-25 03:30 . 2012-03-14 09:53 81920 ----a-w- c:\windows\system32\ieencode.dll
2014-02-25 03:30 . 2006-08-03 03:24 61952 ----a-w- c:\windows\system32\tdc.ocx
2014-02-25 01:44 . 2006-08-03 03:23 369664 ----a-w- c:\windows\system32\html.iec
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2013-09-10 23:54 131248 ----a-w- c:\documents and settings\kidzlikeus\Application Data\Dropbox\bin\DropboxExt.22.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2013-09-10 23:54 131248 ----a-w- c:\documents and settings\kidzlikeus\Application Data\Dropbox\bin\DropboxExt.22.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2013-09-10 23:54 131248 ----a-w- c:\documents and settings\kidzlikeus\Application Data\Dropbox\bin\DropboxExt.22.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2013-09-10 23:54 131248 ----a-w- c:\documents and settings\kidzlikeus\Application Data\Dropbox\bin\DropboxExt.22.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LDM"="c:\program files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe" [2012-03-18 20480]
"SanDiskSecureAccess_Manager.exe"="c:\documents and settings\kidzlikeus\Application Data\SanDisk\SanDiskSecureAccess_Manager.exe" [2013-01-30 30705792]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2014-01-06 5625624]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-02 252848]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-06-15 888832]
"AGRSMMSG"="AGRSMMSG.exe" [2006-06-29 89541]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2005-05-18 188416]
"FJUPDNV_Chitose"="c:\program files\Fujitsu\updnavi\updnavi.exe" [2006-07-21 331776]
"LoadFUJ02E3"="c:\program files\Fujitsu\FUJ02E3\FUJ02E3.exe" [2006-11-17 80688]
"IndicatorUtility"="c:\program files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe" [2006-03-09 90112]
"LoadFujitsuQuickTouch"="c:\program files\Fujitsu\Application Panel\QuickTouch.exe" [2005-11-01 242688]
"LoadBtnHnd"="c:\program files\Fujitsu\BtnHnd\BtnHnd.exe" [2005-11-01 61440]
"TvOutSwitch"="c:\program files\Fujitsu\DispSwitch\DispSwitchLauncher.exe" [2007-08-09 106496]
"SSUtility"="c:\program files\Fujitsu\SSUtility\FJSSDMN.exe" [2006-07-22 233472]
"PSUtility"="c:\program files\Fujitsu\PSUtility\TrayManager.exe" [2006-07-05 118784]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-05-31 823296]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-05-31 974848]
"OmniPass"="c:\program files\Softex\OmniPass\scureapp.exe" [2007-07-12 2560000]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-06-12 56080]
"StatusClient"="c:\program files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe" [2002-12-16 36864]
"TomcatStartup"="c:\program files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe" [2003-03-31 155648]
"Omnipage"="c:\program files\ScanSoft\OmniPageSE\opware32.exe" [2002-06-03 49152]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-11-21 959904]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-02-26 155648]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-02-26 131072]
"RTHDCPL"="RTHDCPL.EXE" [2012-03-26 16844800]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2014-01-20 43848]
"WD Quick View"="c:\program files\Western Digital\WD Quick View\WDDMStatus.exe" [2012-09-19 5236664]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2013-04-30 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2014-01-20 152392]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-25 437160]
.
c:\documents and settings\kidzlikeus\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\kidzlikeus\Application Data\Dropbox\bin\Dropbox.exe /systemstartup [2014-5-8 32668056]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe /start [2012-3-18 450560]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2012-3-18 768528]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2013-05-07 115440]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2014-04-23 21:03 85832 ----a-w- c:\windows\system32\LMIinit.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PSUTY]
2006-06-02 09:04 32768 ----a-w- c:\windows\system32\PSUWNP.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37Crusader]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37CrusaderBoot]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\backWeb-8876480.exe"=
"c:\\Program Files\\Hewlett-Packard\\Toolbox2.0\\Javasoft\\JRE\\1.3.1\\bin\\javaw.exe"=
"c:\\Program Files\\Fujitsu\\Security Panel Application\\User\\FJSECU.exe"=
"c:\\Program Files\\Microsoft SQL Server\\90\\Shared\\sqlbrowser.exe"=
"c:\\Program Files\\Microsoft SQL Server\\MSSQL10_50.BTHORNE\\MSSQL\\Binn\\sqlservr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\explorer.exe"= %windir%\explorer.exe
"c:\\Documents and Settings\\kidzlikeus\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\Java\\jre7\\bin\\javaw.exe"=
"c:\\Program Files\\eBay\\Blackthorne\\bin\\BT.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
.
R0 FJGSDisk;G-Sensor Application Filter Driver;c:\windows\system32\drivers\FJGSDisk.sys [3/17/2012 12:44 AM 7168]
R0 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [3/17/2012 12:13 AM 36640]
R0 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [3/17/2012 12:13 AM 35456]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/23/2011 2:27 AM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/13/2011 7:55 AM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [10/11/2013 8:54 AM 120088]
R2 FJSPA;FJSPA;c:\program files\Fujitsu\FJSPA\FJSPA.sys [12/7/2006 4:18 PM 17712]
R2 MSSQL$BTHORNE;SQL Server (BTHORNE);c:\program files\Microsoft SQL Server\MSSQL10_50.BTHORNE\MSSQL\Binn\sqlservr.exe [4/24/2011 12:33 AM 42872672]
R2 WDBackup;WD Backup;c:\program files\Western Digital\WD SmartWare\WDBackupEngine.exe [9/19/2012 8:10 PM 1157056]
R2 WDDriveService;WD Drive Manager;c:\program files\Western Digital\WD Drive Manager\WDDriveService.exe [9/19/2012 8:02 PM 248248]
R2 WDRulesService;WD Rules;c:\program files\Western Digital\WD SmartWare\WDRulesEngine.exe [9/19/2012 8:10 PM 1177536]
R3 FUJ02E3;Fujitsu FUJ02E3 Device Driver;c:\windows\system32\drivers\fuj02e3.sys [8/5/2006 9:46 AM 4864]
S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\LogMeIn\x86\RaInfo.sys --> c:\program files\LogMeIn\x86\RaInfo.sys [?]
S2 LvIBTSvr;Logitech IBT Service;c:\program files\Common Files\LogiShrd\LvIBTSvr\LvIBTSvr.exe [4/2/2007 10:29 PM 76576]
S3 FUJ02E1;%FUJ02E1.DeviceDesc%;c:\windows\system32\drivers\FUJ02E1.sys [8/3/2006 1:24 PM 5632]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [5/14/2014 4:21 PM 40776]
S3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\drivers\netaapl.sys [2/3/2014 9:41 PM 18944]
S3 WacomPen;Wacom Serial Pen HID Driver;c:\windows\system32\drivers\wacompen.sys [5/24/2007 3:00 AM 14208]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [4/3/2010 10:56 AM 44896]
S4 RsFx0150;RsFx0150 Driver;c:\windows\system32\drivers\RsFx0150.sys [4/3/2010 10:02 AM 240608]
S4 SQLAgent$BTHORNE;SQL Server Agent (BTHORNE);c:\program files\Microsoft SQL Server\MSSQL10_50.BTHORNE\MSSQL\Binn\SQLAGENT.EXE [4/24/2011 12:33 AM 367456]
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2014-04-26 09:29 1078088 ----a-w- c:\program files\Google\Chrome\Application\34.0.1847.131\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2014-05-15 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-23 07:17]
.
2014-05-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 07:57]
.
2014-05-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-08-04 00:30]
.
2014-05-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-08-04 00:30]
.
2014-05-15 c:\windows\Tasks\Microsoft Windows XP End of Service Notification Logon.job
- c:\windows\system32\xp_eos.exe [2014-03-12 01:59]
.
2014-05-08 c:\windows\Tasks\Microsoft Windows XP End of Service Notification Monthly.job
- c:\windows\system32\xp_eos.exe [2014-03-12 01:59]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = about:blank
uInternet Settings,ProxyOverride = localhost;<local>;*.local
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 61.9.133.193 61.9.134.49
FF - ProfilePath - c:\documents and settings\kidzlikeus\Application Data\Mozilla\Firefox\Profiles\xgx8c4nh.default\
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-MsMpSvc
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2014-05-15 22:30
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ... 
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_13_0_0_214_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_13_0_0_214_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Cryptography\RNG*]
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
   bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(948)
c:\windows\system32\LMIinit.dll
c:\windows\system32\PSUWNP.dll
c:\windows\system32\LMIRfsClientNP.dll
.
- - - - - - - > 'explorer.exe'(3476)
c:\docume~1\KIDZLI~1\LOCALS~1\Temp\IadHide4.dll
c:\program files\ScanSoft\OmniPageSE\ophook32.dll
c:\program files\Softex\OmniPass\SCUREDLL.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\documents and settings\kidzlikeus\Application Data\Dropbox\bin\DropboxExt.22.dll
c:\windows\system32\msi.dll
c:\program files\SUPERAntiSpyware\SASSEH.DLL
c:\windows\system32\LMIRfsClientNP.dll
c:\windows\system32\Audiodev.dll
c:\windows\system32\WMVCore.DLL
c:\windows\system32\WMASF.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Softex\OmniPass\Omniserv.exe
c:\program files\Common Files\LogiShrd\Bluetooth\LBTServ.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\windows\System32\SCardSvr.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Java\jre7\bin\jqs.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
c:\windows\AGRSMMSG.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\igfxsrvc.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
c:\documents and settings\kidzlikeus\Application Data\Dropbox\bin\Dropbox.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
.
**************************************************************************
.
Completion time: 2014-05-15  22:47:22 - machine was rebooted
ComboFix-quarantined-files.txt  2014-05-15 12:47
.
Pre-Run: 157,584,478,208 bytes free
Post-Run: 160,898,113,536 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 0133747019FF78D5EE10A78657EDDA37
8F558EB6672622401DA993E1E865C861


#6 TB-Psychotic (Malware Response Team)

Posted 16 May 2014 - 03:30 AM

Combofix scripting

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Download the attached CFScript.txt and save it to the location where ComboFix is saved.


CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Full System Scan with Malwarebytes Antimalware

  • If not existing, please download Malwarebytes Anti-Malware to your desktop.
  • Double-click mb3-setup-1878.1878-3.3.1.2183.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
    • Launch Malwarebytes Anti-Malware
    • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
  • Click Finish.

If the program is already installed:

  • Run Malwarebytes Antimalware
  • On the Dashboard, click the 'Update Now >>' link
  • After the update completes, click the 'Scan Now >>' button.
  • Or, on the Dashboard, click the Scan Now >> button.
  • If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.
  • In most cases, a restart will be required.
  • Wait for the prompt to restart the computer to appear, then click on Yes.

  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click 'Copy to Clipboard'
  • Paste the contents of the clipboard into your reply.

Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#7 klut (Topic Starter)

Posted 16 May 2014 - 08:23 AM

Hi

Here is the log

Cheers 

Pete

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org
 
Database version: v2014.05.13.01
 
Windows XP Service Pack 3 x86 NTFS
Internet Explorer 6.0.2900.5512
kidzlikeus :: FUJI [administrator]
 
5/16/2014 9:13:14 PM
mbam-log-2014-05-16 (21-13-14).txt
 
Scan type: Full scan (C:\|D:\|E:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 354881
Time elapsed: 1 hour(s), 53 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 0
(No malicious items detected)
 
Registry Values Detected: 0
(No malicious items detected)
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 6
C:\Qoobox\Quarantine\C\Documents and Settings\kidzlikeus\Local Settings\Application Data\jxjvixkn.exe.vir (Spyware.Zbot.VXGen) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Documents and Settings\kidzlikeus\Local Settings\Application Data\pdbauxhk.exe.vir (Spyware.Zbot) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Documents and Settings\kidzlikeus\Local Settings\Application Data\sbatgbsd.exe.vir (Spyware.Zbot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5E12502-869D-44CE-9705-ECFDC325B7D0}\RP994\A0056708.exe (Spyware.Zbot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5E12502-869D-44CE-9705-ECFDC325B7D0}\RP994\A0056707.exe (Spyware.Zbot.VXGen) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5E12502-869D-44CE-9705-ECFDC325B7D0}\RP994\A0056709.exe (Spyware.Zbot) -> Quarantined and deleted successfully.
 
(end)


#8 TB-Psychotic (Malware Response Team)

Posted 16 May 2014 - 09:43 AM

Scan with ESET Online Scan

Please go here to run the online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click the 'List of found threats', then click Export to text file....
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.



#9 klut (Topic Starter)

Posted 16 May 2014 - 08:52 PM

Here is the log.

Cheers

Pete

C:\AdwCleaner\Backup\C\Documents and Settings\kidzlikeus\Application Data\Mozilla\Firefox\Profiles\xgx8c4nh.default\prefs_14_05_2014_16_23_29.js JS/SecurityDisabler.A.Gen potentially unwanted application
C:\AdwCleaner\Quarantine\C\Documents and Settings\kidzlikeus\Application Data\Mozilla\Firefox\Profiles\xgx8c4nh.default\user.js.vir JS/SecurityDisabler.A.Gen potentially unwanted application
C:\AdwCleaner\Quarantine\C\Program Files\AskPartnerNetwork\Toolbar\apnmcp.exe.vir a variant of Win32/Bundled.Toolbar.Ask.F potentially unsafe application
C:\AdwCleaner\Quarantine\C\Program Files\AskPartnerNetwork\Toolbar\APNSetup.exe.vir Win32/Bundled.Toolbar.Ask.E potentially unsafe application
C:\AdwCleaner\Quarantine\C\Program Files\AskPartnerNetwork\Toolbar\searchhook.dll.vir a variant of Win32/Bundled.Toolbar.Ask.F potentially unsafe application
C:\AdwCleaner\Quarantine\C\Program Files\AskPartnerNetwork\Toolbar\ServiceLocator.exe.vir a variant of Win32/Bundled.Toolbar.Ask.F potentially unsafe application
C:\AdwCleaner\Quarantine\C\Program Files\AskPartnerNetwork\Toolbar\SO.dll.vir a variant of Win32/Bundled.Toolbar.Ask.F potentially unsafe application
C:\AdwCleaner\Quarantine\C\Program Files\AskPartnerNetwork\Toolbar\toolbar.dll.vir a variant of Win32/Bundled.Toolbar.Ask.F potentially unsafe application
C:\AdwCleaner\Quarantine\C\Program Files\AskPartnerNetwork\Toolbar\Toolbar.exe.vir a variant of Win32/Bundled.Toolbar.Ask.F potentially unsafe application
C:\AdwCleaner\Quarantine\C\Program Files\AskPartnerNetwork\Toolbar\ToolbarPS.dll.vir a variant of Win32/Bundled.Toolbar.Ask.F potentially unsafe application
C:\AdwCleaner\Quarantine\C\Program Files\AskPartnerNetwork\Toolbar\UpdateManager.exe.vir a variant of Win32/Bundled.Toolbar.Ask.F potentially unsafe application
C:\AdwCleaner\Quarantine\C\Program Files\AskPartnerNetwork\Toolbar\ORJ\Passport.dll.vir a variant of Win32/Bundled.Toolbar.Ask.F potentially unsafe application
C:\AdwCleaner\Quarantine\C\Program Files\AskPartnerNetwork\Toolbar\ORJ\Source\program files\AskPartnerNetwork\Toolbar\apnmcp.exe.vir a variant of Win32/Bundled.Toolbar.Ask.F potentially unsafe application
C:\AdwCleaner\Quarantine\C\Program Files\AskPartnerNetwork\Toolbar\ORJ\Source\program files\AskPartnerNetwork\Toolbar\searchhook.dll.vir a variant of Win32/Bundled.Toolbar.Ask.F potentially unsafe application
C:\AdwCleaner\Quarantine\C\Program Files\AskPartnerNetwork\Toolbar\ORJ\Source\program files\AskPartnerNetwork\Toolbar\ServiceLocator.exe.vir a variant of Win32/Bundled.Toolbar.Ask.F potentially unsafe application
C:\AdwCleaner\Quarantine\C\Program Files\AskPartnerNetwork\Toolbar\ORJ\Source\program files\AskPartnerNetwork\Toolbar\SO.dll.vir a variant of Win32/Bundled.Toolbar.Ask.F potentially unsafe application
C:\AdwCleaner\Quarantine\C\Program Files\AskPartnerNetwork\Toolbar\ORJ\Source\program files\AskPartnerNetwork\Toolbar\toolbar.dll.vir a variant of Win32/Bundled.Toolbar.Ask.F potentially unsafe application
C:\AdwCleaner\Quarantine\C\Program Files\AskPartnerNetwork\Toolbar\ORJ\Source\program files\AskPartnerNetwork\Toolbar\Toolbar.exe.vir a variant of Win32/Bundled.Toolbar.Ask.F potentially unsafe application
C:\AdwCleaner\Quarantine\C\Program Files\AskPartnerNetwork\Toolbar\ORJ\Source\program files\AskPartnerNetwork\Toolbar\ToolbarPS.dll.vir a variant of Win32/Bundled.Toolbar.Ask.F potentially unsafe application
C:\AdwCleaner\Quarantine\C\Program Files\AskPartnerNetwork\Toolbar\ORJ\Source\program files\AskPartnerNetwork\Toolbar\toolbar_x64.dll.vir a variant of Win32/Bundled.Toolbar.Ask.F potentially unsafe application
C:\AdwCleaner\Quarantine\C\Program Files\AskPartnerNetwork\Toolbar\ORJ\Source\program files\AskPartnerNetwork\Toolbar\UpdateManager.exe.vir a variant of Win32/Bundled.Toolbar.Ask.F potentially unsafe application
C:\AdwCleaner\Quarantine\C\Program Files\AskPartnerNetwork\Toolbar\ORJ\Source\program files\AskPartnerNetwork\Toolbar\{PartnerID}\Passport.dll.vir a variant of Win32/Bundled.Toolbar.Ask.F potentially unsafe application
C:\AdwCleaner\Quarantine\C\Program Files\AskPartnerNetwork\Toolbar\ORJ\Source\program files\AskPartnerNetwork\Toolbar\{PartnerID}\Passport_x64.dll.vir a variant of Win32/Bundled.Toolbar.Ask.F potentially unsafe application
C:\Documents and Settings\kidzlikeus\Application Data\Mozilla\Firefox\Profiles\xgx8c4nh.default\prefs.js JS/SecurityDisabler.A.Gen potentially unwanted application
C:\Documents and Settings\kidzlikeus\Application Data\Mozilla\Firefox\Profiles\xgx8c4nh.default\prefs.js.BAK JS/SecurityDisabler.A.Gen potentially unwanted application
C:\Documents and Settings\kidzlikeus\Application Data\Mozilla\Firefox\Profiles\xgx8c4nh.default\prefs.js.new JS/SecurityDisabler.A.Gen potentially unwanted application
C:\Documents and Settings\kidzlikeus\Application Data\Mozilla\Firefox\Profiles\xgx8c4nh.default\prefs_v5bak.js JS/SecurityDisabler.A.Gen potentially unwanted application
C:\Documents and Settings\kidzlikeus\My Documents\Downloads\cbsidlm-cbsi183-iExplorer-ORG-10969335.exe a variant of Win32/CNETInstaller.B potentially unwanted application
C:\Documents and Settings\kidzlikeus\My Documents\Downloads\media.player.codec.pack.v4.2.4.setup.exe a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application

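The Malwarebytes log in post #7 and the ESET log in post #9 both list hits by path, and most of those paths sit inside ComboFix or AdwCleaner quarantine folders or System Restore points rather than at live locations. As an added example, not part of this thread or of either tool, here is a small triage script that parses both log formats and separates hits in quarantine, backup and restore folders (already neutralised) from hits at live paths; the list of "inactive" prefixes is an assumption based on the tools used in this thread.

```python
import re
from typing import NamedTuple, Optional

# Folders where a hit means "already quarantined or archived", not a live infection.
# Assumption for this example: the tools used in this thread (ComboFix, AdwCleaner)
# plus Windows XP System Restore points.
INACTIVE_PREFIXES = (
    r"c:\qoobox\quarantine",          # ComboFix quarantine
    r"c:\adwcleaner\quarantine",      # AdwCleaner quarantine
    r"c:\adwcleaner\backup",          # AdwCleaner backups
    r"c:\system volume information",  # System Restore points
)

class Detection(NamedTuple):
    path: str
    threat: str
    active: bool   # True when the file sits outside every quarantine/backup folder

# MBAM 1.x line:  <path> (<threat>) -> <action>
MBAM_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) \((?P<threat>[^)]+)\) -> ")
# ESET online scanner line:  <path> [a variant of ]<threat> potentially unwanted|unsafe application
ESET_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) (?P<threat>(?:a variant of )?\S+) "
    r"potentially (?:unwanted|unsafe) application$"
)

def parse_line(line: str) -> Optional[Detection]:
    line = line.strip()
    for rx in (MBAM_RE, ESET_RE):
        m = rx.match(line)
        if m:
            path = m.group("path")
            active = not path.lower().startswith(INACTIVE_PREFIXES)
            return Detection(path, m.group("threat"), active)
    return None   # headers, blank lines, "(end)" and so on

def triage(lines):
    """Return (live hits, already-quarantined hits), each in log order."""
    hits = [d for d in map(parse_line, lines) if d]
    return [d for d in hits if d.active], [d for d in hits if not d.active]

# Lines taken from the two logs posted in this thread.
SAMPLE_LOG = r"""
C:\Qoobox\Quarantine\C\Documents and Settings\kidzlikeus\Local Settings\Application Data\jxjvixkn.exe.vir (Spyware.Zbot.VXGen) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5E12502-869D-44CE-9705-ECFDC325B7D0}\RP994\A0056708.exe (Spyware.Zbot) -> Quarantined and deleted successfully.
(end)
C:\AdwCleaner\Backup\C\Documents and Settings\kidzlikeus\Application Data\Mozilla\Firefox\Profiles\xgx8c4nh.default\prefs_14_05_2014_16_23_29.js JS/SecurityDisabler.A.Gen potentially unwanted application
C:\AdwCleaner\Quarantine\C\Program Files\AskPartnerNetwork\Toolbar\apnmcp.exe.vir a variant of Win32/Bundled.Toolbar.Ask.F potentially unsafe application
C:\Documents and Settings\kidzlikeus\Application Data\Mozilla\Firefox\Profiles\xgx8c4nh.default\prefs.js JS/SecurityDisabler.A.Gen potentially unwanted application
C:\Documents and Settings\kidzlikeus\My Documents\Downloads\media.player.codec.pack.v4.2.4.setup.exe a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application
""".strip().splitlines()

if __name__ == "__main__":
    live, quarantined = triage(SAMPLE_LOG)
    print(f"{len(live)} live hit(s), {len(quarantined)} already quarantined")
    for d in live:
        print("  LIVE:", d.threat, "->", d.path)
```

On the sample above only the Firefox prefs.js and the bundled codec-pack installer are live hits; the Zbot samples are all inside quarantine or restore points.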

#10 klut (Topic Starter)

Posted 19 May 2014 - 04:44 AM

Hi
Not sure what is the next step?
Cheers
Pete

#11 TB-Psychotic (Malware Response Team)

Posted 20 May 2014 - 02:28 AM

Then we can do the cleanup - if you are facing any issues, report that immediately.

Delete junk with AdwCleaner


Please download AdwCleaner to your desktop.


  • Run adwcleaner.exe
  • Hit Scan and wait for the scan to finish.
  • Confirm the message but don't uncheck anything.
  • Hit Clean
  • When the run is finished, it will open up a text file
  • Please post its contents within your next reply
  • You'll find the log file at C:\AdwCleaner[S1].txt also


Delete junk with JRT

Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.


SecurityCheck

Reboot your system before starting!

Please download SecurityCheck: LINK1 LINK2

  • Save it to your desktop, start it and follow the instructions in the window.
  • After the scan has finished, checkup.txt will open. Copy its content to your thread.



#12 klut (Topic Starter)

Posted 20 May 2014 - 02:53 AM

Hi
Also our email is not able to send. See below. What do we do ?
Cheers
Pete

An error occurred sending mail: The mail server sent an incorrect greeting: nschwcmgw07p BigPond Outbound [OB105. Connection refused. 120.148.213.181 is listed on the Exploits Block List (XBL). Please visit http://www.spamhaus.org/xbl/ for more information..

---
This email is free from viruses and malware because avast! Antivirus protection is active.
http://www.avast.com

#13 TB-Psychotic (Malware Response Team)

Posted 20 May 2014 - 02:57 AM

That's because your machine was infected with the Zeus trojan.

When we're finished, see this article on how to remove the blocking: http://www.spamhaus.org/faq/section/Spamhaus%20XBL



#14 klut (Topic Starter)

Posted 20 May 2014 - 03:14 AM

Hi
Ok thanks

#15 klut (Topic Starter)

Posted 20 May 2014 - 05:51 AM

Hi

The log.

Cheers

Pete

# AdwCleaner v3.210 - Report created 20/05/2014 at 20:46:32
# Updated 19/05/2014 by Xplode
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
# Username : kidzlikeus - FUJI
# Running from : C:\Documents and Settings\kidzlikeus\My Documents\Downloads\adwcleaner_3.210.exe
# Option : Clean
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
 
***** [ Browsers ] *****
 
-\\ Internet Explorer v6.0.2900.5512
 
 
-\\ Mozilla Firefox v28.0 (en-US)
 
[ File : C:\Documents and Settings\kidzlikeus\Application Data\Mozilla\Firefox\Profiles\xgx8c4nh.default\prefs.js ]
 
 
-\\ Google Chrome v34.0.1847.137
 
[ File : C:\Documents and Settings\kidzlikeus\Local Settings\Application Data\Google\Chrome\User Data\Default\preferences ]
 
 
*************************
 
AdwCleaner[R0].txt - [5071 octets] - [14/05/2014 16:16:54]
AdwCleaner[R1].txt - [5131 octets] - [14/05/2014 16:22:31]
AdwCleaner[R2].txt - [1180 octets] - [20/05/2014 20:33:56]
AdwCleaner[R3].txt - [1241 octets] - [20/05/2014 20:39:45]
AdwCleaner[R4].txt - [1361 octets] - [20/05/2014 20:45:43]
AdwCleaner[S0].txt - [5286 octets] - [14/05/2014 16:23:20]
AdwCleaner[S1].txt - [1302 octets] - [20/05/2014 20:40:41]
AdwCleaner[S2].txt - [1282 octets] - [20/05/2014 20:46:32]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S2].txt - [1342 octets] ##########