infected with trojan horse downloader.generic13.cam


This topic is locked
119 replies to this topic

#1 jcheck99

  • Members
  • 72 posts

Posted 08 October 2012 - 12:09 AM

I was running AVG free software and started hearing noises/advertisements on the computer when nothing was on the screen. Then a fake security system tried to alert me to a threat. I ran AVG, which found 3 threats but was unable to remove them:
irphook.\driver\atapiirp_mj_internal_device_control->OXFFFFFA8004C675A4

Trojan horse downloader.generic13.cam
c:\windows\system32\svhost.exe(1304)

MBP:\\.\PHYSICALDRIVE0\PARTITION3
MBR:SST[RTK]

I tried running AVG and Avast: they see the threats but are unable to delete them.
I ran Malwarebytes and it cannot find anything.
I ran Norton antivirus and it is unable to fully complete the scan. Norton suggested I try their "Eraser", which finds nothing. Then they suggested I run their boot recovery program from a USB; it found nothing.

The virus wiped out all of my photos, music and documents. But I had them backed up online.
My Windows Firewall is also not working.
<not related> My computer broke last year and I gave it to a friend who had to put a new motherboard in it, and now my Windows 7 says it is not genuine.
I still have the original back up discs for windows 7 if I need them. Here are the logs you requested.
Thank you so VERY VERY much for any help :)


.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421
Run by richardsons at 0:35:32 on 2012-10-08
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3964.2726 [GMT -4:00]
.
AV: UnThreat AntiVirus *Enabled/Updated* {F8368DCB-A421-E485-9F63-76DC70EAD126}
SP: UnThreat AntiSpyware *Enabled/Updated* {43576C2F-821B-EB0B-A5D3-4DAE0B6D9B9B}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
E:\Advanced SystemCare with Antivirus 2013\ascsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskhost.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
C:\Windows\system32\sppsvc.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\Mobile Stream\EasyTether\easytthr.exe
E:\Advanced SystemCare with Antivirus 2013\ASCTray.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Facebook\Facebook IE Toolbar\FBClientService.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\REGSVR32.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = https://isearch.avg.com/?cid={7DB579A7-3BA3-40EC-A872-3E66DD5C3FDC}&mid=faf0d259250c47d0ba2dd157751927c9-768051ea826ff5935c3ac4719fc5d393b5641cb6&lang=en&ds=AVG&pr=fr&d=2012-09-06 14:53:42&v=12.2.5.4&sap=hp
uInternet Settings,ProxyOverride = *.local
mWinlogon: Userinit=userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: Yontoo: {fd72061e-9fde-484d-a58a-0bab4151cad8} - C:\Program Files (x86)\Yontoo\YontooIEClient.dll
TB: Facebook Toolbar: {a823a630-78c6-4637-af80-aedca5bb74c1} - C:\Program Files (x86)\Facebook\Facebook IE Toolbar\FBIEToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
{e7df6bff-55a5-4eb7-a673-4ed3e9456d39}
EB: Facebook Sidebar: {7202bda4-2d1b-4ac1-9957-9a51e63f2551} - C:\Program Files (x86)\Facebook\Facebook IE Toolbar\FBIEToolbar.dll
uRun: [AnyDVD] C:\Program Files (x86)\SlySoft\AnyDVD\AnyDVDtray.exe
uRun: [MobileDocuments] C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe
uRun: [EasyTether] "C:\Program Files (x86)\Mobile Stream\EasyTether\easytthr.exe"
uRun: [Advanced SystemCare 5] "E:\Advanced SystemCare with Antivirus 2013\ASCTray.exe" /AutoStart
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: Add to Google Photos Screensa&ver - C:\Windows\system32\GPhotos.scr/200
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://active.macromedia.com/flash2/cabs/swflash.cab
TCP: DhcpNameServer = 8.8.8.8 8.8.4.4
TCP: Interfaces\{15CFE09C-5852-4532-93A6-B0D99182D982} : DhcpNameServer = 8.8.8.8 8.8.4.4
TCP: Interfaces\{D70972B5-638A-466D-B23B-74DD33C57101} : DhcpNameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces\{D70972B5-638A-466D-B23B-74DD33C57101}\2594348414254435F4E435D20534F5E4564777F627B6 : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{D70972B5-638A-466D-B23B-74DD33C57101}\2596368616274637F6E6 : DhcpNameServer = 192.168.0.1
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: RealPlayer Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
BHO-X64: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO-X64: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO-X64: SkypeIEPluginBHO - No File
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO-X64: Yontoo: {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - C:\Program Files (x86)\Yontoo\YontooIEClient.dll
BHO-X64: Yontoo Layers - No File
TB-X64: Facebook Toolbar: {A823A630-78C6-4637-AF80-AEDCA5BB74C1} - C:\Program Files (x86)\Facebook\Facebook IE Toolbar\FBIEToolbar.dll
TB-X64: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
EB-X64: {7202BDA4-2D1B-4AC1-9957-9A51E63F2551} - No File
.
============= SERVICES / DRIVERS ===============
.
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-7-27 63960]
R2 AdvancedSystemCareService5;Advanced SystemCare Service 5;E:\Advanced SystemCare with Antivirus 2013\ascsvc.exe --> E:\Advanced SystemCare with Antivirus 2013\ascsvc.exe [?]
R2 cvhsvc;Client Virtualization Handler;C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE [2012-1-4 822624]
R2 sftlist;Application Virtualization Client;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2011-10-1 508776]
R2 Skype C2C Service;Skype C2C Service;C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe [2012-8-13 3064000]
R3 easytether;easytether;C:\Windows\system32\DRIVERS\easytthr.sys --> C:\Windows\system32\DRIVERS\easytthr.sys [?]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
R3 rtl8192se;Realtek Wireless LAN 802.11n PCI-E NIC NT Driver;C:\Windows\system32\DRIVERS\rtl8192se.sys --> C:\Windows\system32\DRIVERS\rtl8192se.sys [?]
R3 Sftfs;Sftfs;C:\Windows\system32\DRIVERS\Sftfslh.sys --> C:\Windows\system32\DRIVERS\Sftfslh.sys [?]
R3 Sftplay;Sftplay;C:\Windows\system32\DRIVERS\Sftplaylh.sys --> C:\Windows\system32\DRIVERS\Sftplaylh.sys [?]
R3 Sftredir;Sftredir;C:\Windows\system32\DRIVERS\Sftredirlh.sys --> C:\Windows\system32\DRIVERS\Sftredirlh.sys [?]
R3 Sftvol;Sftvol;C:\Windows\system32\DRIVERS\Sftvollh.sys --> C:\Windows\system32\DRIVERS\Sftvollh.sys [?]
R3 sftvsa;Application Virtualization Service Agent;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2011-10-1 219496]
S2 ASCAntivirusSrv;AdvancedSystemCareAntivirus;E:\Advanced SystemCare with Antivirus 2013\ascavsvc.exe --> E:\Advanced SystemCare with Antivirus 2013\ascavsvc.exe [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2012-4-30 116648]
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2012-6-7 160944]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-4-5 250568]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2012-4-30 116648]
S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-10 4925184]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
.
=============== Created Last 30 ================
.
2012-10-08 02:23:51 -------- d-----w- C:\Users\richardsons\AppData\Local\{D3ADBF9A-F962-4C17-BC0D-F8DC04B6B754}
2012-10-08 01:40:42 431176 ----a-w- C:\Windows\System32\drivers\bdfsfltr.sys
2012-10-08 01:40:42 329800 ----a-w- C:\Windows\System32\drivers\trufos.sys
2012-10-08 01:40:40 -------- d-----w- C:\ProgramData\{D76294E6-03B8-4971-AF2E-3F846161A690}
2012-10-08 01:40:39 -------- d-----w- C:\ProgramData\{6F2F3866-38AD-4f48-852C-2FF5DE7A7588}
2012-10-08 01:40:38 -------- d-----w- C:\ProgramData\iobit
2012-10-08 01:40:36 -------- d-----w- C:\Users\richardsons\AppData\Roaming\IObit
2012-10-07 04:24:56 -------- d-----w- C:\Users\richardsons\AppData\Local\NPE
2012-10-07 04:18:44 -------- d-----w- C:\Program Files (x86)\Common Files\Symantec Shared
2012-10-07 04:04:41 -------- d-----w- C:\ProgramData\Norton
2012-10-07 03:57:41 -------- d-----w- C:\ProgramData\NortonInstaller
2012-10-07 00:40:54 75264 ----a-w- C:\Windows\SysWow64\unacev2.dll
2012-10-07 00:40:54 153088 ----a-w- C:\Windows\SysWow64\unrar3.dll
2012-10-07 00:40:50 -------- d-----w- C:\Users\richardsons\AppData\Roaming\Simply Super Software
2012-10-07 00:40:50 -------- d-----w- C:\ProgramData\Simply Super Software
2012-10-07 00:35:46 -------- d-----w- C:\Program Files (x86)\Yontoo
2012-10-07 00:35:43 -------- d-----w- C:\ProgramData\Tarma Installer
2012-10-03 20:55:53 -------- d-----w- C:\ProgramData\AVAST Software
2012-10-03 20:55:53 -------- d-----w- C:\Program Files\AVAST Software
2012-10-01 04:23:44 -------- d--h--w- C:\Users\richardsons\AppData\Local\{3B953590-9AFA-4E65-A600-F1BC7A77C950}
2012-09-26 04:27:55 -------- d-----w- C:\Users\richardsons\AppData\Roaming\OpenOffice.org
2012-09-21 08:00:37 -------- d--h--w- C:\Users\richardsons\AppData\Roaming\AVG
2012-09-21 08:00:02 -------- d-----w- C:\ProgramData\AVG
2012-09-21 07:59:57 -------- d-sh--w- C:\ProgramData\{D1D4879F-2279-49C9-AEBF-3B95C84EAA8F}
2012-09-21 07:23:25 -------- d--h--w- C:\Users\richardsons\AppData\Roaming\com.amazon.music.uploader
2012-09-14 08:47:08 -------- d--h--w- C:\Users\richardsons\AppData\Local\{D4498334-36C0-4BEF-B284-EC5D6834BD8D}
2012-09-14 08:41:12 -------- d--h--w- C:\Users\richardsons\AppData\Local\{F47B07E4-18C6-4B0F-9D0F-EDAE610CA37D}
2012-09-12 03:21:32 -------- d--h--w- C:\Users\richardsons\AppData\Local\{18819FA4-08FA-406B-A8FC-7ADE25EBF3EE}
.
==================== Find3M ====================
.
2012-08-24 04:57:43 73416 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-08-24 04:57:43 696520 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2012-08-21 03:17:16 39904 ----a-w- C:\Windows\SysWow64\dischandler.exe
2012-08-21 03:15:22 3978240 ----a-w- C:\Windows\SysWow64\ffmpeg.dll
2012-08-21 03:14:04 112640 ----a-w- C:\Windows\SysWow64\ff_vfw.dll
2012-08-21 03:13:52 3480064 ----a-w- C:\Windows\SysWow64\ffdshow.ax
2012-08-21 03:12:48 271360 ----a-w- C:\Windows\SysWow64\TomsMoComp_ff.dll
2012-08-21 03:12:34 99840 ----a-w- C:\Windows\SysWow64\ff_wmv9.dll
2012-08-21 03:12:32 157184 ----a-w- C:\Windows\SysWow64\ff_unrar.dll
2012-08-21 03:12:30 147456 ----a-w- C:\Windows\SysWow64\ff_libmad.dll
2012-08-21 03:12:28 211968 ----a-w- C:\Windows\SysWow64\ff_libdts.dll
2012-08-21 03:12:28 1525760 ----a-w- C:\Windows\SysWow64\ff_samplerate.dll
2012-08-21 03:12:28 114688 ----a-w- C:\Windows\SysWow64\ff_liba52.dll
2012-08-21 03:12:24 330240 ----a-w- C:\Windows\SysWow64\ff_libfaad2.dll
2012-08-21 03:08:04 4079616 ----a-w- C:\Windows\System32\ffmpeg.dll
2012-08-21 03:07:18 474624 ----a-w- C:\Windows\System32\ff_kernelDeint.dll
2012-08-21 03:07:18 127488 ----a-w- C:\Windows\System32\ff_vfw.dll
2012-08-21 03:07:12 4345344 ----a-w- C:\Windows\System32\ffdshow.ax
2012-08-21 03:05:44 631296 ----a-w- C:\Windows\System32\TomsMoComp_ff.dll
2012-08-21 03:05:28 183296 ----a-w- C:\Windows\System32\ff_unrar.dll
2012-08-21 03:05:28 114688 ----a-w- C:\Windows\System32\ff_wmv9.dll
2012-08-21 03:05:26 156160 ----a-w- C:\Windows\System32\ff_libmad.dll
2012-08-21 03:05:24 359424 ----a-w- C:\Windows\System32\ff_libfaad2.dll
2012-08-21 03:05:24 1532928 ----a-w- C:\Windows\System32\ff_samplerate.dll
2012-08-21 03:05:24 116224 ----a-w- C:\Windows\System32\ff_liba52.dll
2012-08-21 03:05:22 223232 ----a-w- C:\Windows\System32\ff_libdts.dll
2012-07-19 18:58:54 1436672 ----a-w- C:\Windows\System32\LAVVideo.ax
2012-07-19 18:58:38 486912 ----a-w- C:\Windows\System32\LAVSplitter.ax
2012-07-19 18:58:34 264704 ----a-w- C:\Windows\System32\LAVAudio.ax
2012-07-19 18:58:32 357376 ----a-w- C:\Windows\System32\IntelQuickSyncDecoder.dll
2012-07-19 18:58:32 202752 ----a-w- C:\Windows\System32\libbluray.dll
2012-07-19 18:58:26 7128652 ----a-w- C:\Windows\System32\avcodec-lav-54.dll
2012-07-19 18:58:26 420110 ----a-w- C:\Windows\System32\swscale-lav-2.dll
2012-07-19 18:58:26 248625 ----a-w- C:\Windows\System32\avutil-lav-51.dll
2012-07-19 18:58:26 174229 ----a-w- C:\Windows\System32\avfilter-lav-3.dll
2012-07-19 18:58:26 110826 ----a-w- C:\Windows\System32\avresample-lav-0.dll
2012-07-19 18:58:26 1074211 ----a-w- C:\Windows\System32\avformat-lav-54.dll
2012-07-19 18:56:30 1114624 ----a-w- C:\Windows\SysWow64\LAVVideo.ax
2012-07-19 18:56:14 399360 ----a-w- C:\Windows\SysWow64\LAVSplitter.ax
2012-07-19 18:56:12 233472 ----a-w- C:\Windows\SysWow64\LAVAudio.ax
2012-07-19 18:56:08 274944 ----a-w- C:\Windows\SysWow64\IntelQuickSyncDecoder.dll
2012-07-19 18:56:08 172544 ----a-w- C:\Windows\SysWow64\libbluray.dll
2012-07-19 18:56:02 6894331 ----a-w- C:\Windows\SysWow64\avcodec-lav-54.dll
2012-07-19 18:56:02 401685 ----a-w- C:\Windows\SysWow64\swscale-lav-2.dll
2012-07-19 18:56:02 232895 ----a-w- C:\Windows\SysWow64\avutil-lav-51.dll
2012-07-19 18:56:02 162743 ----a-w- C:\Windows\SysWow64\avfilter-lav-3.dll
2012-07-19 18:56:02 1111581 ----a-w- C:\Windows\SysWow64\avformat-lav-54.dll
2012-07-19 18:56:02 101820 ----a-w- C:\Windows\SysWow64\avresample-lav-0.dll
2012-07-18 18:15:06 3148800 ----a-w- C:\Windows\System32\win32k.sys
.
============= FINISH: 0:43:29.04 ===============


#2 Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,971 posts
  • Gender:Male
  • Location:California

Posted 08 October 2012 - 05:10 PM

Greetings jcheck99 and :welcome: to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary. If you would allow me to call you by your first name I would prefer to do that. :thumbup2:


===================================================


Ground Rules:

  • First, I would also like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met. :)
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me about it.
  • When you post your reply, do not use the Posted Image button but use the Posted Image button instead.
  • In the upper right hand corner of the topic you will see the Posted Image button. Click on this then choose Immediate E-Mail notification and then Proceed and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
  • I would like to remind you to make no further changes to your computer unless I direct you to do so.
  • Now let's get started :thumbup2:

===================================================


Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and post that information so that I know you are still with me. Unfortunately, there are many people waiting to be assisted and not enough of us at BleepingComputer to go around. I appreciate your understanding and diligence.

Thank you for your patience thus far. Please do the following for me.


===================================================


Run TDSSKiller by Kaspersky on Vista/7

--------------------

  • Please download Kaspersky's TDSSKiller and save it to your Desktop. <-Important!!!
  • If you desire you may print out and follow the instructions for performing a scan.
  • Right-click on TDSSKiller.exe and select Run As Administrator.
  • When the program opens, click the Start Scan button.

  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • Any objects found will show in the Scan results - Select action for found objects and offer three options.
  • If an infected file is detected, the default action will be Cure...do not change it.

  • Click Continue > Reboot now to finish the cleaning process.<- Important!!

  • If 'Suspicious' objects are detected, you will be given the option to Skip or Quarantine. Skip will be the default selection. Leave it as such for now.
  • A log file named TDSSKiller_version_date_time_log.txt will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.
-- If TDSSKiller does not run, try renaming it. To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to these instructions. In some cases it may be necessary to redownload TDSSKiller and randomly rename it before downloading and saving to the computer or to perform the scan in "safe mode".

-- For any files detected as 'Suspicious' (except those identified as Forged to be cured after reboot) get a second opinion by submitting to Jotti's or VirusTotal. In the "File to upload & scan" box, browse to the location of the suspicious file and submit (upload) it for scanning/analysis. Please submit these results with your next reply.


===================================================


aswMBR

--------------------

  • Download aswMBR and save it to your desktop.
  • Please disable your real time protection of any Antivirus, Antispyware or Antimalware programs temporarily. They will interfere and may cause unexpected results.
  • If you need help to disable your protection programs see here and here.
  • Double click the aswMBR.exe file to run it. Please allow when you are asked to download AVAST antivirus engine defs.
  • Wait until the AV update is done, then click on the Scan button to start. The program will launch a scan.

  • When done, you will see Scan finished successfully. Please click on Save log and save the file to your desktop.

  • Please post the contents of the log in your next reply.
NOTE: aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.


===================================================


Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment. :thumbsup2:

  • TDSSKiller log
  • aswMBR log

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#3 jcheck99

  • Topic Starter

  • Members
  • 72 posts

Posted 08 October 2012 - 09:50 PM

Hi Gary! My name is Candice
Thank you so much for helping me :)
TDSSKiller won't run. I tried renaming it 123.com. I then tried to uninstall it so I could reinstall it... and it's not under my programs to uninstall. So I re-downloaded it, naming it td123.com, and then tried to run it as admin, but the option to run as admin does not come up. So I tried to run it in safe mode and it does not open. So I guess I'll skip step one and move to step 2? Download the aswMBR program and get back to ya :)

#4 Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,971 posts
  • Gender:Male
  • Location:California

Posted 08 October 2012 - 10:10 PM

Hi Candice,

Thanks for trying hard! Here is another program I would like you to run for me since we can't get TDSSKiller to run yet. You can run this in addition to aswMBR.


===================================================


ListParts by Farbar for 64 bit Systems

--------------------

  • Please download ListParts.exe (for 64 bit systems) and save it to your desktop
  • Double click the ListParts.exe icon
  • Select Run
  • Select Scan
  • Select OK and wait for a Result - Notepad document to open on your desktop
  • Please copy and paste the contents in your reply

===================================================


Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment. :thumbsup2:

  • Result.txt

Gary
 

#5 jcheck99

  • Topic Starter

  • Members
  • 72 posts

Posted 08 October 2012 - 10:14 PM

Ello :)
OK, so same results with the aswMBR program: it won't run :(
But I did get the ListParts program to run. Here are the results!

ListParts by Farbar Version: 02-10-2012
Ran by richardsons (administrator) on 08-10-2012 at 23:12:47
Windows 7 (X64)
Running From: C:\Users\richardsons\Desktop
Language: 0409
************************************************************

========================= Memory info ======================

Percentage of memory in use: 30%
Total physical RAM: 3963.99 MB
Available physical RAM: 2769.38 MB
Total Pagefile: 7926.17 MB
Available Pagefile: 6672.2 MB
Total Virtual: 8192 MB
Available Virtual: 8191.89 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:465.65 GB) (Free:377.89 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 465 GB 3072 KB

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 100 MB 1024 KB
Partition 2 Primary 465 GB 101 MB
Partition 3 Primary 10 MB 465 GB

======================================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 System Rese NTFS Partition 100 MB Healthy System (partition with boot components)

======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C NTFS Partition 465 GB Healthy Boot

======================================================================================================

Disk: 0
Partition 3
Type : 17 (Suspicious Type)
Hidden: Yes
Active: Yes

There is no volume associated with this partition.

======================================================================================================

****** End Of Log ******

#6 jcheck99

  • Topic Starter

  • Members
  • 72 posts

Posted 08 October 2012 - 10:17 PM

Oh, and I had to bypass this warning that said not to download the ListParts program.

#7 Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,971 posts
  • Gender:Male
  • Location:California

Posted 08 October 2012 - 10:27 PM

Hi Candice,

Excellent work! We hit some pay dirt. You have an infected partition which we are going to take care of right now. Please do the following for me.


===================================================


Running a ListParts Fix

--------------

  • Press the Windows key + R on your keyboard at the same time
  • Type Notepad and press Enter
  • Copy and paste the contents of the code box below into Notepad.

    Disk=0 Partition=2 active               
    Disk=0 Partition=4 type=07
    custom
  • Click Format and ensure Wordwrap is unchecked.
  • Save as Fix.txt to the flash drive where ListParts is located.
  • Restart the computer and press F8 repeatedly until the Advanced Options Menu appears.
  • Select Repair your computer.
  • Select Language and click Next
  • Enter password (if necessary) and click OK, you should now see the screen below ...

  • Select the Command Prompt option.
  • A command window will open.
  • Type notepad then hit Enter.
  • Notepad will open.
  • Click File > Open then select Computer.
  • Note down the drive letter for your USB Drive.
  • Close Notepad.
  • Back in the command window ....
  • Type e:/listparts.exe and hit Enter (where e: is replaced by the drive letter for your USB drive)
  • Type e:/listparts64.exe and hit Enter (where e: is replaced by the drive letter for your USB drive)
  • ListParts will start to run.
  • Press the Fix button.
  • ListParts will process the script in Fix.txt
  • When finished please press the Scan button.
  • A log Result.txt will be saved to the flash drive.
  • Close the command window.
  • Boot back into normal mode and post me the Result.txt log please.

===================================================


Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment. :thumbsup2:

  • Result.txt

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."
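The ListParts log earlier in the thread reports partition 3 as type 17, hidden and active, which is the pattern the fix script above is meant to undo. As an added illustration (not code from this thread, from ListParts, or from its author), the Python below parses a raw MBR partition table, flags hidden partition types and a boot flag sitting on a hidden entry, and applies a fix script in the same form as the one posted above to an in-memory copy of the sector. The sample table and the fix script are constructed for this example (entry numbers match the sample, not the poster's machine), and the directive semantics ("active" moves the boot flag, "type=" rewrites the type byte, "custom" is ignored) are my reading of the posted script, not ListParts' documented behaviour.

```python
import struct

MBR_SIZE = 512
TABLE_OFFSET = 446          # the partition table is the last 66 bytes of the sector
ENTRY_SIZE = 16
ENTRY_FMT = "<B3sB3sII"     # status, CHS start, type, CHS end, LBA start, sector count
BOOT_SIGNATURE = b"\x55\xaa"

# Hidden variants of FAT/NTFS partition types; 0x17 is hidden NTFS/HPFS,
# the type ListParts labels "Suspicious Type" in the log above.
HIDDEN_TYPES = {0x11, 0x14, 0x16, 0x17, 0x1B, 0x1C, 0x1E}


def build_entry(active, ptype, lba_start, sectors):
    """Pack one 16-byte partition entry (CHS fields zeroed; LBA is what loaders use)."""
    status = 0x80 if active else 0x00
    return struct.pack(ENTRY_FMT, status, b"\0\0\0", ptype, b"\0\0\0", lba_start, sectors)


def build_mbr(entries):
    """Assemble a 512-byte MBR from up to four packed entries (no boot code, constructed sample)."""
    mbr = bytearray(MBR_SIZE)
    for i, entry in enumerate(entries):
        off = TABLE_OFFSET + i * ENTRY_SIZE
        mbr[off:off + ENTRY_SIZE] = entry
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)


def parse_mbr(mbr):
    """Return the four partition entries as dicts; raise on a malformed sector."""
    if len(mbr) != MBR_SIZE or mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("not a valid MBR sector")
    entries = []
    for i in range(4):
        off = TABLE_OFFSET + i * ENTRY_SIZE
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, mbr[off:off + ENTRY_SIZE])
        entries.append({"index": i + 1,          # 1-based, as ListParts numbers them
                        "active": status == 0x80,
                        "type": ptype,
                        "lba_start": lba,
                        "sectors": count})
    return entries


def find_suspicious(entries):
    """Flag hidden types, a boot flag on a hidden entry, and more than one active entry."""
    findings = []
    for e in entries:
        if e["type"] == 0x00:
            continue                             # empty slot
        if e["type"] in HIDDEN_TYPES:
            findings.append((e["index"], "hidden partition type 0x%02X" % e["type"]))
            if e["active"]:
                findings.append((e["index"], "boot flag set on hidden partition"))
    if sum(1 for e in entries if e["active"]) > 1:
        findings.append((0, "more than one active partition"))
    return findings


def apply_fix(mbr, script):
    """Apply ListParts-style directives to a copy of the sector and return the copy.
    Assumed semantics (my reading of the posted script, not ListParts' documentation):
    'Disk=0 Partition=N active' moves the boot flag to entry N;
    'Disk=0 Partition=N type=XX' sets entry N's type byte to hex XX;
    lines without a Disk= token (such as 'custom') are ignored."""
    buf = bytearray(mbr)
    for line in script.splitlines():
        tokens = line.split()
        if not tokens or not tokens[0].lower().startswith("disk="):
            continue
        fields, flags = {}, set()
        for tok in tokens:
            if "=" in tok:
                key, value = tok.split("=", 1)
                fields[key.lower()] = value
            else:
                flags.add(tok.lower())
        idx = int(fields["partition"]) - 1
        if not 0 <= idx < 4:
            raise ValueError("partition index out of range: %s" % fields["partition"])
        off = TABLE_OFFSET + idx * ENTRY_SIZE
        if "active" in flags:
            for i in range(4):
                buf[TABLE_OFFSET + i * ENTRY_SIZE] = 0x00   # clear every boot flag first
            buf[off] = 0x80
        if "type" in fields:
            buf[off + 4] = int(fields["type"], 16)
    return bytes(buf)


# Constructed sample: a reserved system partition, the Windows volume, and a hidden,
# active type-0x17 partition of the kind the ListParts log above reports.
SAMPLE_MBR = build_mbr([
    build_entry(False, 0x07, 2048, 204800),
    build_entry(False, 0x07, 206848, 975000000),
    build_entry(True, 0x17, 975206848, 2048),
    bytes(ENTRY_SIZE),
])

# Constructed fix script in the form of the one posted above (entry numbers match this sample).
SAMPLE_FIX = "Disk=0 Partition=2 active\nDisk=0 Partition=3 type=07\ncustom\n"

if __name__ == "__main__":
    for idx, what in find_suspicious(parse_mbr(SAMPLE_MBR)):
        print("partition %d: %s" % (idx, what))
    print("after fix:", find_suspicious(parse_mbr(apply_fix(SAMPLE_MBR, SAMPLE_FIX))))
```

Nothing here touches a real disk: to inspect an actual drive you would pass the first 512 bytes of a disk image to parse_mbr and review the findings before letting any repair tool rewrite the table, since an active entry with a hidden type and no volume behind it is exactly what a responder wants to see explained before it is changed.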

#8 jcheck99

jcheck99
  • Topic Starter

  • Members
  • 72 posts
  • OFFLINE
  •  
  • Local time:10:26 PM

Posted 08 October 2012 - 10:33 PM

When saving, what did you mean by the "flash drive" where ListParts is located? I saved ListParts on the desktop; is that where I should save the Fix.txt?

#9 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,971 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:06:26 PM

Posted 08 October 2012 - 10:37 PM

Yes, please save the ListParts program on your flash drive and then you will save the Notepad document there as well. Sorry for the confusion.
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#10 jcheck99

jcheck99
  • Topic Starter

  • Members
  • 72 posts
  • OFFLINE
  •  
  • Local time:10:26 PM

Posted 08 October 2012 - 10:52 PM

OK, got it all saved. But when I try to boot into repair it just sits there on a blank screen that says Windows is loading files. Also super slow all of a sudden on restart. I waited 10 mins on that screen. Should I wait longer?

#11 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,971 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:06:26 PM

Posted 08 October 2012 - 10:57 PM

Force a shutdown if you must and attempt it again.
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#12 jcheck99

jcheck99
  • Topic Starter

  • Members
  • 72 posts
  • OFFLINE
  •  
  • Local time:10:26 PM

Posted 08 October 2012 - 11:22 PM

Still a no-go. I'm replying from my phone. The computer is still stuck on the blank screen that says Windows is loading files.

#13 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,971 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:06:26 PM

Posted 08 October 2012 - 11:26 PM

Hi Candice,

I will provide alternate instructions in the morning. I am finishing up for the evening.

Sorry for the frustration but no worries, we are on our way.
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#14 jcheck99

jcheck99
  • Topic Starter

  • Members
  • 72 posts
  • OFFLINE
  •  
  • Local time:10:26 PM

Posted 08 October 2012 - 11:28 PM

Ok thank you!

#15 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,971 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:06:26 PM

Posted 09 October 2012 - 09:04 AM

Hi Candice,

I would like to try to run TDSSKiller again but do it a little differently. This is the easier of the 2 options I am considering.

Please do this.


===================================================


Run TDSSKiller by Kaspersky With Changed Parameters From Malwarebytes Folder

--------------------

  • Locate the TDSSKiller icon on your desktop, right click, and select Delete
  • If you do not already have Malwarebytes Anti-Malware please download and install it on your computer but do not run the program
  • Download a new copy of TDSSKiller and save it in the following location

    • C:\Program Files\Malwarebytes' Anti-Malware\Chameleon
  • Press the Windows key + r on your keyboard at the same time
  • Type cmd and press Enter
  • Copy and paste the following after the command prompt and press Enter

    "C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\mbam-chameleon.exe" /o
  • A black DOS prompt will appear with a prompt to press any key to continue, please do.
  • Using Windows Explorer navigate to and double click on the following file:

    C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\TDSSKiller.exe
  • Click on Change parameters


  • Check Loaded Modules and Detect TDLFS file system. Do not check Verify file digital signatures
  • If you are asked to reboot please do so and you should be returned to the TDSSKiller screen
  • Click OK


  • Press Start Scan
  • If Malicious objects are found, ensure Cure is selected (it should be by default)
  • If Suspicious objects are detected, you will be given the option to Skip or Quarantine. Skip will be the default selection. Leave it as such for now.
  • Click Continue then click Reboot now
  • A log file named TDSSKiller_version_date_time_log.txt will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.

===================================================


Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment. :thumbsup2:

  • TDSSKiller log

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."



