Bundeskriminalamt removal problems

AlpineKris · Dec 2, 2013

kuttus said:
STEP 1: Run a HitmanPro scan
<ol>

STEP 2: Run a scan with ESET Online Scanner
<ol>

<hr />

STEP 3: Run a scan with Kaspersky Virus Removal Tool
-------------------------------------------------------------------

While the Kapersky Virus Removal Tool is still running, and for the next 18 hours will continue, here are the logs of the HitmanPro and ESET runs.

--------------------------------------------------------------

Code:

HitmanPro 3.7.8.208 www.hitmanpro.com Computer name . . . . : HELMUT-NOTEBOOK Windows . . . . . . . : 6.0.2.6002.X86/2 User name . . . . . . : HELMUT-NOTEBOOK\Besitzer UAC . . . . . . . . . : Disabled License . . . . . . . : Free Scan date . . . . . . : 2013-12-02 14:17:38 Scan mode . . . . . . : Normal Scan duration . . . . : 8m 41s Disk access mode . . : Direct disk access (SRB) Cloud . . . . . . . . : Internet Reboot . . . . . . . : No Threats . . . . . . . : 0 Traces . . . . . . . : 24 Objects scanned . . . : 1.722.190 Files scanned . . . . : 30.989 Remnants scanned . . : 340.890 files / 1.350.311 keys Suspicious files ____________________________________________________________ C:\Windows\system32\DBCLIENT.DLL Size . . . . . . . : 210.032 bytes Age . . . . . . . : 429.2 days (2012-09-29 09:05:27) Entropy . . . . . : 6.4 SHA-256 . . . . . : 8395C8F23C50D2203FC3F4A9847ABADDF6F240C593E17A4B3625F3985F423236 Publisher . . . . : Inprise Corporation Description . . . : Borland Database Engine Version . . . . . : 5.0.1.32 Copyright . . . . : Copyright Inprise Corp. 1991-1998 RSA Key Size . . . : 512 Authenticode . . . : Self-signed Fuzzy . . . . . . : 26.0 Program is code signed with a weak certificate. This is common to malware. Program is code self-signed. The file is located in a folder that contains core operating system files from Windows. This is not typical for most programs and is only common to system tools, drivers and hacking utilities. Cookies _____________________________________________________________________ C:\Users\Besitzer\AppData\Local\Google\Chrome\User Data\Default\Cookies:ad.yieldmanager.com C:\Users\Besitzer\AppData\Local\Google\Chrome\User Data\Default\Cookies:conrad.122.2o7.net C:\Users\Besitzer\AppData\Local\Google\Chrome\User Data\Default\Cookies:doubleclick.net C:\Users\Besitzer\AppData\Local\Google\Chrome\User Data\Default\Cookies:#####ed-tube.com C:\Users\Besitzer\AppData\Local\Google\Chrome\User Data\Default\Cookies:geeksaresexy.net C:\Users\Besitzer\AppData\Local\Google\Chrome\User Data\Default\Cookies:h2porn.com C:\Users\Besitzer\AppData\Local\Google\Chrome\User Data\Default\Cookies:invitemedia.com C:\Users\Besitzer\AppData\Local\Google\Chrome\User Data\Default\Cookies:largeporntube.com C:\Users\Besitzer\AppData\Local\Google\Chrome\User Data\Default\Cookies:oracle.112.2o7.net C:\Users\Besitzer\AppData\Local\Google\Chrome\User Data\Default\Cookies:qporno.com C:\Users\Besitzer\AppData\Local\Google\Chrome\User Data\Default\Cookies:revsci.net C:\Users\Besitzer\AppData\Local\Google\Chrome\User Data\Default\Cookies:statcounter.com C:\Users\Besitzer\AppData\Local\Google\Chrome\User Data\Default\Cookies:stats.paypal.com C:\Users\Besitzer\AppData\Local\Google\Chrome\User Data\Default\Cookies:statse.webtrendslive.com C:\Users\Besitzer\AppData\Local\Google\Chrome\User Data\Default\Cookies:www.etracker.de C:\Users\Besitzer\AppData\Local\Google\Chrome\User Data\Default\Cookies:www.largeporntube.com C:\Users\Besitzer\AppData\Local\Google\Chrome\User Data\Default\Cookies:www.lovethatsex.com C:\Users\Besitzer\AppData\Local\Google\Chrome\User Data\Default\Cookies:www.sexkontakt.com C:\Users\Besitzer\AppData\Local\Google\Chrome\User Data\Default\Cookies:www.xxxkinky.com C:\Users\Besitzer\AppData\Local\Google\Chrome\User Data\Default\Cookies:xiti.com C:\Users\Besitzer\AppData\Local\Google\Chrome\User Data\Default\Cookies:xxxkinky.com C:\Users\Besitzer\AppData\Local\Google\Chrome\User Data\Default\Cookies:yahoogroups.112.2o7.net C:\Users\Besitzer\AppData\Roaming\Microsoft\Windows\Cookies\P8MZRE9P.txt

----------------------------------------------------------------

C:\Users\All Users\et1lri.fdd a variant of Win32/Reveton.W trojan
C:\Users\All Users\f4r7trr.fdd a variant of Win32/Reveton.W trojan
C:\Users\All Users\g9ejwr7t.fdd a variant of Win32/Reveton.W trojan
C:\Users\All Users\lmqfjtfr.fdd a variant of Win32/Reveton.W trojan
C:\Users\All Users\rj8zlcwliq.fdd a variant of Win32/Reveton.W trojan
C:\Users\All Users\wr8f4od.fdd a variant of Win32/Reveton.W trojan
C:\ProgramData\et1lri.fdd a variant of Win32/Reveton.W trojan cleaned by deleting - quarantined
C:\ProgramData\f4r7trr.fdd a variant of Win32/Reveton.W trojan cleaned by deleting - quarantined
C:\ProgramData\g9ejwr7t.fdd a variant of Win32/Reveton.W trojan cleaned by deleting - quarantined
C:\ProgramData\lmqfjtfr.fdd a variant of Win32/Reveton.W trojan cleaned by deleting - quarantined
C:\ProgramData\rj8zlcwliq.fdd a variant of Win32/Reveton.W trojan cleaned by deleting - quarantined
C:\ProgramData\wr8f4od.fdd a variant of Win32/Reveton.W trojan cleaned by deleting - quarantined
E:\Backup Vista-PC\BOOT (L)\Users\Helmut\AppData\Local\Temp\jar_cache6133717273483310499.tmp multiple threats cleaned by deleting - quarantined
E:\Backup Vista-PC\BOOT (L)\Users\Helmut\Desktop\Downloads\XvidSetup.exe.crdownload a variant of Win32/Adware.HotBar.H application cleaned by deleting - quarantined
E:\Backup Vista-PC\BOOT (L)\Users\Helmut\Documents\Downloads\AdvancedPCTweaker_Setup.exe a variant of Win32/Adware.AdvPCTweak application cleaned by deleting - quarantined
E:\Backup Vista-PC\BOOT (L)\Users\Helmut\Documents\Downloads\XvidSetup.exe.crdownload a variant of Win32/Adware.HotBar.H application cleaned by deleting - quarantined
---------------------------------------------------------------

The last Log of the Kaspersky will follow suit, when its generated.

AlpineKris · Dec 2, 2013

Kapersky will run for the next 18 hours....

Meanwhile, here is the ESET-Log and Results of the HitmanPro Activity:

-------------------------------------------------------------------------------------------------

C:\Users\All Users\et1lri.fdd a variant of Win32/Reveton.W trojan
C:\Users\All Users\f4r7trr.fdd a variant of Win32/Reveton.W trojan
C:\Users\All Users\g9ejwr7t.fdd a variant of Win32/Reveton.W trojan
C:\Users\All Users\lmqfjtfr.fdd a variant of Win32/Reveton.W trojan
C:\Users\All Users\rj8zlcwliq.fdd a variant of Win32/Reveton.W trojan
C:\Users\All Users\wr8f4od.fdd a variant of Win32/Reveton.W trojan
C:\ProgramData\et1lri.fdd a variant of Win32/Reveton.W trojan cleaned by deleting - quarantined
C:\ProgramData\f4r7trr.fdd a variant of Win32/Reveton.W trojan cleaned by deleting - quarantined
C:\ProgramData\g9ejwr7t.fdd a variant of Win32/Reveton.W trojan cleaned by deleting - quarantined
C:\ProgramData\lmqfjtfr.fdd a variant of Win32/Reveton.W trojan cleaned by deleting - quarantined
C:\ProgramData\rj8zlcwliq.fdd a variant of Win32/Reveton.W trojan cleaned by deleting - quarantined
C:\ProgramData\wr8f4od.fdd a variant of Win32/Reveton.W trojan cleaned by deleting - quarantined
E:\Backup Vista-PC\BOOT (L)\Users\Helmut\AppData\Local\Temp\jar_cache6133717273483310499.tmp multiple threats cleaned by deleting - quarantined
E:\Backup Vista-PC\BOOT (L)\Users\Helmut\Desktop\Downloads\XvidSetup.exe.crdownload a variant of Win32/Adware.HotBar.H application cleaned by deleting - quarantined
E:\Backup Vista-PC\BOOT (L)\Users\Helmut\Documents\Downloads\AdvancedPCTweaker_Setup.exe a variant of Win32/Adware.AdvPCTweak application cleaned by deleting - quarantined
E:\Backup Vista-PC\BOOT (L)\Users\Helmut\Documents\Downloads\XvidSetup.exe.crdownload a variant of Win32/Adware.HotBar.H application cleaned by deleting - quarantined
------------------------------------------------------------------------------------------------

Code:

HitmanPro 3.7.8.208
www.hitmanpro.com

   Computer name . . . . : HELMUT-NOTEBOOK
   Windows . . . . . . . : 6.0.2.6002.X86/2
   User name . . . . . . : HELMUT-NOTEBOOK\Besitzer
   UAC . . . . . . . . . : Disabled
   License . . . . . . . : Free

   Scan date . . . . . . : 2013-12-02 14:17:38
   Scan mode . . . . . . : Normal
   Scan duration . . . . : 8m 41s
   Disk access mode  . . : Direct disk access (SRB)
   Cloud . . . . . . . . : Internet
   Reboot  . . . . . . . : No

   Threats . . . . . . . : 0
   Traces  . . . . . . . : 24

   Objects scanned . . . : 1.722.190
   Files scanned . . . . : 30.989
   Remnants scanned  . . : 340.890 files / 1.350.311 keys

Suspicious files ____________________________________________________________

   C:\Windows\system32\DBCLIENT.DLL
      Size . . . . . . . : 210.032 bytes
      Age  . . . . . . . : 429.2 days (2012-09-29 09:05:27)
      Entropy  . . . . . : 6.4
      SHA-256  . . . . . : 8395C8F23C50D2203FC3F4A9847ABADDF6F240C593E17A4B3625F3985F423236
      Publisher  . . . . : Inprise Corporation
      Description  . . . : Borland Database Engine
      Version  . . . . . : 5.0.1.32
      Copyright  . . . . : Copyright Inprise Corp. 1991-1998
      RSA Key Size . . . : 512
      Authenticode . . . : Self-signed
      Fuzzy  . . . . . . : 26.0
         Program is code signed with a weak certificate. This is common to malware.
         Program is code self-signed.
         The file is located in a folder that contains core operating system files from Windows. This is not typical for most programs and is only common to system tools, drivers and hacking utilities.


Cookies _____________________________________________________________________

   C:\Users\Besitzer\AppData\Local\Google\Chrome\User Data\Default\Cookies:ad.yieldmanager.com
   C:\Users\Besitzer\AppData\Local\Google\Chrome\User Data\Default\Cookies:conrad.122.2o7.net
   C:\Users\Besitzer\AppData\Local\Google\Chrome\User Data\Default\Cookies:doubleclick.net
   C:\Users\Besitzer\AppData\Local\Google\Chrome\User Data\Default\Cookies:#####ed-tube.com
   C:\Users\Besitzer\AppData\Local\Google\Chrome\User Data\Default\Cookies:geeksaresexy.net
   C:\Users\Besitzer\AppData\Local\Google\Chrome\User Data\Default\Cookies:h2porn.com
   C:\Users\Besitzer\AppData\Local\Google\Chrome\User Data\Default\Cookies:invitemedia.com
   C:\Users\Besitzer\AppData\Local\Google\Chrome\User Data\Default\Cookies:largeporntube.com
   C:\Users\Besitzer\AppData\Local\Google\Chrome\User Data\Default\Cookies:oracle.112.2o7.net
   C:\Users\Besitzer\AppData\Local\Google\Chrome\User Data\Default\Cookies:qporno.com
   C:\Users\Besitzer\AppData\Local\Google\Chrome\User Data\Default\Cookies:revsci.net
   C:\Users\Besitzer\AppData\Local\Google\Chrome\User Data\Default\Cookies:statcounter.com
   C:\Users\Besitzer\AppData\Local\Google\Chrome\User Data\Default\Cookies:stats.paypal.com
   C:\Users\Besitzer\AppData\Local\Google\Chrome\User Data\Default\Cookies:statse.webtrendslive.com
   C:\Users\Besitzer\AppData\Local\Google\Chrome\User Data\Default\Cookies:www.etracker.de
   C:\Users\Besitzer\AppData\Local\Google\Chrome\User Data\Default\Cookies:www.largeporntube.com
   C:\Users\Besitzer\AppData\Local\Google\Chrome\User Data\Default\Cookies:www.lovethatsex.com
   C:\Users\Besitzer\AppData\Local\Google\Chrome\User Data\Default\Cookies:www.sexkontakt.com
   C:\Users\Besitzer\AppData\Local\Google\Chrome\User Data\Default\Cookies:www.xxxkinky.com
   C:\Users\Besitzer\AppData\Local\Google\Chrome\User Data\Default\Cookies:xiti.com
   C:\Users\Besitzer\AppData\Local\Google\Chrome\User Data\Default\Cookies:xxxkinky.com
   C:\Users\Besitzer\AppData\Local\Google\Chrome\User Data\Default\Cookies:yahoogroups.112.2o7.net
   C:\Users\Besitzer\AppData\Roaming\Microsoft\Windows\Cookies\P8MZRE9P.txt

------------------------------------------------------------------------------------------

Kaspersky Log will be sent when generated.

AlpineKris · Dec 3, 2013

Now, something weird has happened (or, maybe this is the usual procedure?)

Last night, when I went to bed, I switched the KVRT (17 hours left to run) to full screen, this noon when I returned (9 hours later) it was gone completely, and no traces (well, no visible traces) of KVRT can be found.

Did the Kaspersky uninstall itself after completion?

Dit the Kaspersky change the view of files and folders? (I usually have the file extensions visible, and hidden system files visible as well. This was changed.)

So there is NO Kaspersky-Log available, unless you might give me a hint where to look for.

Also, please advice how to proceed from here. I have only today (2pm local time here) and tomorrow until noon time left to finish this task, then my sick leave is over. Thank you!

kuttus · Dec 3, 2013

The System File Settings may be changed to default one. No issues... Just work on the computer now and check if you are facing any problems on the computer now..

AlpineKris · Dec 3, 2013

Thank you, Kuttus!

My usual routines are executing with no feasable disruptions or anormalities.

May we leave this thread open for some time, so I can run through a week of usage, to see if there is anything unusual left behind.

Let me thank you again for being patient with an oldtimer, who uses the PCs extensively but has no deeper inside look into the "guts" of the software nirvana ;-)

I am sure I will find a PayPal link to support the site and your charitable work as a volunteer.

Best wishes for the upcoming Christmas days and the New Year

from

••K®IS••

kuttus · Dec 3, 2013

No issues. We can keep this thread as Open.. Feel free to reach me at any time we are happy to help you..

Double click on OTL to run it

Click on the Cleanup button at the top.
You will be asked to reboot the machine to finish the Cleanup process. Choose Yes
This will remove itself and other tools we may have used.

Now that your PC is clean, I recommend you to create a new System Restore point then purge the old ones after.

For XP
How to create a Restore Point in XP
Delete all restore points except the most recent one

For Vista
Create a restore point
Delete all but the most recent restore point

For Windows 7
Create a restore point
Delete all but the most recent restore point - Click the Delete all but the most recent restore point link

Keep your system updated

Keeping your programs (especially Adobe and Java products) updated is essential. Update Checker will notify you if any of your programs require an update.
Microsoft releases patches for Windows and Office products regularly to patch up Windows and Office product bugs and vulnerabilities.
Please ensure you update your system regularly and have automatic updates on. You can learn how to turn Automatic Updates on here

I also recommend you to switch your antivirus program to a better one. Here are some suggestions:

avast! 7 Home Edition - Don't use it with Online Armor
Avira AntiVir Personal
Microsoft Security Essentials

In addition to your antivirus, you need additional protection such as a firewall and behavioural blocker.

Online Armor
Comodo Firewall - If you are an advance user

Here are only a few suggestions that will improve your system security. Should you wish to allow us to make full recommendations and set your PC up with maximum security, please start a thread here. Our community of PC enthusiasts and experts will give you feedback and help you secure your system from future malware infections.

Internet Explorer may be the most popular browser but it's definitely not the most secure browser. Consider using other browsers with addition add-ons to safeguard your system while browsing the internet.

Firefox is a more secure, faster browser than Internet Explorer. Firefox contains less vulnerabilities, reducing the risk of drive-by downloads. In addition, you can add the following add-ons to increase security.

KeyScramber - Encrypts your keystrokes to protect you against keyloggers that steals personal & banking information
AdBlock - Disable/blocks advertisements on websites so you won't accidentally click on a malicious ad.
NoScript - Disables Flash & Java contents to avoid exploits or drive-by attacks
Web of Trust - Shows the website rating by other users and blocks dangerous and poor-rated sites

Google Chrome is another good browser that is faster and more secure than Internet Explorer by having a sandbox feature. Additionally, you can add the following add-on to Chrome to heighten security.

AdBlock

Lastly, it is important to perform system maintenance on a regular basis. Here are a few tools and on-demand scanners that you should keep & use every 1-2 weeks to keep your system healthy.

Other than that, stay safe out there! If you have any other questions or concerns, feel free to ask

<hr />
What's next?

Bulild up your malware defenses by starting a new thread in Security Configuration Wizard forum.
Learn how to avoid malware by reading this article <a href="http://malwaretips.com/blogs/how-to-easily-avoid-pc-infections/">How to easily avoid malware</a>
Be an active member in the MalwareTips community!

My virus removal help is always free. Should you wish to show your appreciation via a donation, it will be much appreciated.

Search

Bundeskriminalamt removal problems

AlpineKris

New Member

AlpineKris

New Member

AlpineKris

New Member

kuttus

Level 2

AlpineKris

New Member

kuttus

Level 2

Similar threads