

TDSSkiller deleted \Device\Harddisk0\DR0 now Windows won't boot!


7 replies to this topic

#1 makaveli3005


Posted 24 July 2013 - 08:59 PM

Please incorporate everything that happened in this post. I don't know what else to do to get my computer back up and running; I'm using an old computer for now. Please advise how to get my computer back to life.

 

http://www.bleepingcomputer.com/forums/t/502069/have-a-new-computer-thats-become-very-slow-only-on-webpages-do-i-have-malware/

 




 


#2 TB-Psychotic (Malware Response Team)

Posted 25 July 2013 - 06:59 AM

Hi there,
my name is Marius and I will be assisting you with your Malware related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while you are following my instructions, stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or Add/ Remove Software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all Logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

 

 

Yes, that wasn't a good idea.

 

 

Scan with FRST (Recovery Environment)


To run FRST on Vista and Windows7:



Plug the flashdrive into the infected PC.

Enter System Recovery Options.


To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.



To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.


On the System Recovery Options menu you will get the following options:

  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

Select Command Prompt.

In the command window:

  • Type notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
  • Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.

It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here (no worries, every little bit helps)

#3 makaveli3005


Posted 25 July 2013 - 01:36 PM

Well, I don't have a Windows installation disc though.



#4 makaveli3005


Posted 25 July 2013 - 08:28 PM

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 24-07-2013
Ran by SYSTEM on 25-07-2013 20:52:34
Running from L:\
Windows 7 Home Premium (X64) OS Language: English(US)
Internet Explorer Version 10
Boot Mode: Recovery
 
The current controlset is ControlSet001
ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and an extra Addition.txt log.
 
==================== Registry (Whitelisted) ==================
 
HKLM\...\Run: [MSC] - c:\Program Files\Microsoft Security Client\msseces.exe [1281512 2013-01-27] (Microsoft Corporation)
HKLM\...\RunOnce: [*Restore] - C:\Windows\system32\rstrui.exe /RUNONCE [296960 2010-11-20] (Microsoft Corporation)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] - "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [35760 2010-09-23] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe ARM] - "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [932288 2010-09-20] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [APSDaemon] - "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59720 2013-04-21] (Apple Inc.)
HKLM-x32\...\Run: [QuickTime Task] - "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2013-04-30] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] - "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [152392 2013-05-31] (Apple Inc.)
HKLM-x32\...\Run: [HP Software Update] - C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe [49208 2011-10-28] (Hewlett-Packard)
HKLM-x32\...\Run: [] -  [x]
HKU\Andrew\...\Run: [AIM] - C:\Program Files (x86)\AIM\aim.exe -cnetwait.odl [67160 2004-12-08] (America Online, Inc.)
HKU\Andrew\...\Run: [RESTART_STICKY_NOTES] - C:\Windows\System32\StikyNot.exe [427520 2009-07-13] (Microsoft Corporation)
HKU\Andrew\...\Policies\system: [LogonHoursAction] 2
HKU\Andrew\...\Policies\system: [DontDisplayLogonHoursWarnings] 1
HKU\Mom\...\Run: [mshtkmgr] - rundll32 "C:\Users\Mom\AppData\Local\Temp\newdepad.dll",CreateProcessNotify [x] <===== ATTENTION
HKU\Mom\...\Run: [extrPlay] - rundll32 "C:\Users\Mom\AppData\Local\Temp\newdepad64.dll",CreateProcessNotify [x] <===== ATTENTION
HKU\Mom\...\Run: [Internet Security] - C:\Users\Mom\AppData\Roaming\isecurity.exe [x]
HKU\Mom\...\Run: [dhWpWLrHmsphLmp.exe] - C:\ProgramData\dhWpWLrHmsphLmp.exe [x]
HKU\Mom\...\Run: [SD2014] - C:\Users\Mom\AppData\Roaming\Nh9Df5dR\Nh9Df5dR.exe [x]
HKU\Mom\...\RunOnce: [FlashPlayerUpdate] - C:\Windows\system32\Macromed\Flash\FlashUtil64_11_7_700_224_ActiveX.exe -update activex [514952 2013-06-11] (Adobe Systems Incorporated)
HKU\Mom\...\Policies\system: [LogonHoursAction] 2
HKU\Mom\...\Policies\system: [DontDisplayLogonHoursWarnings] 1
Startup: C:\Users\Andrew\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Monitor Ink Alerts - HP Officejet 4620 series.lnk
ShortcutTarget: Monitor Ink Alerts - HP Officejet 4620 series.lnk -> C:\Program Files\HP\HP Officejet 4620 series\bin\HPStatusBL.dll (Hewlett-Packard Co.)
 
==================== Services (Whitelisted) =================
 
S2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [418376 2013-04-04] (Malwarebytes Corporation)
S2 MBAMService; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [701512 2013-04-04] (Malwarebytes Corporation)
S2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [22056 2013-01-27] (Microsoft Corporation)
S3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [379360 2013-01-27] (Microsoft Corporation)
 
==================== Drivers (Whitelisted) ====================
 
S0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [230320 2013-01-20] (Microsoft Corporation)
S2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [130008 2013-01-20] (Microsoft Corporation)
S3 RimUsb; C:\Windows\System32\Drivers\RimUsb_AMD64.sys [92160 2010-06-16] (Research In Motion Limited)
S3 RimVSerPort; C:\Windows\System32\DRIVERS\RimSerial_AMD64.sys [31744 2009-01-09] (Research in Motion Ltd)
S3 catchme; \??\C:\ComboFix\catchme.sys [x]
S3 easytether; system32\DRIVERS\easytthr.sys [x]
S1 etvoymsx; \??\C:\Windows\system32\drivers\etvoymsx.sys [x]
S1 hlscftjf; \??\C:\Windows\system32\drivers\hlscftjf.sys [x]
S3 MBAMProtector; \??\C:\Windows\system32\drivers\mbam.sys [x]
 
==================== NetSvcs (Whitelisted) ===================
 
 
==================== One Month Created Files and Folders ========
 
2013-07-25 20:52 - 2013-07-25 20:52 - 00000000 ____D C:\FRST
2013-07-24 16:05 - 2013-07-24 16:05 - 00000000 ____D C:\TDSSKiller_Quarantine
2013-07-24 15:50 - 2013-07-24 15:50 - 00003252 _____ C:\Users\Andrew\Desktop\eset.txt
2013-07-24 10:18 - 2013-07-24 10:18 - 00000000 ____D C:\Program Files (x86)\ESET
2013-07-24 10:15 - 2013-07-24 10:15 - 00015544 _____ C:\Users\Andrew\Desktop\Result.txt
2013-07-24 06:18 - 2013-07-24 06:18 - 00000000 ____D C:\ProgramData\Sun
2013-07-24 06:15 - 2013-07-24 06:15 - 00903080 _____ (Oracle Corporation) C:\Users\Andrew\Downloads\chromeinstall-7u25.exe
2013-07-23 20:06 - 2013-07-23 20:06 - 00290672 _____ C:\Windows\Minidump\072413-29062-01.dmp
2013-07-23 17:28 - 2013-07-23 17:41 - 2204695690 _____ C:\Users\Andrew\Downloads\Camera Uploads (1).zip
2013-07-23 17:10 - 2013-07-23 17:22 - 2204695690 _____ C:\Users\Andrew\Downloads\Camera Uploads.zip
2013-07-22 11:33 - 2013-07-23 07:01 - 00000000 ____D C:\Users\Andrew\AppData\Roaming\HpUpdate
2013-07-22 11:33 - 2013-07-22 11:33 - 00003624 _____ C:\Windows\System32\Tasks\HPCustParticipation HP Officejet 4620 series
2013-07-22 11:32 - 2013-07-22 11:32 - 00002236 _____ C:\Users\Public\Desktop\HP Officejet 4620 series.lnk
2013-07-22 11:32 - 2013-07-22 11:32 - 00001173 _____ C:\Users\Public\Desktop\Shop for Supplies - HP Officejet 4620 series.lnk
2013-07-22 11:32 - 2012-10-17 00:31 - 00741480 ____N (Hewlett-Packard Co.) C:\Windows\System32\HPDiscoPM6412.dll
2013-07-22 11:31 - 2013-07-22 11:31 - 00000057 _____ C:\ProgramData\Ament.ini
2013-07-22 11:31 - 2013-07-22 11:31 - 00000000 ____D C:\Program Files\HP
2013-07-21 11:13 - 2013-07-21 11:13 - 00000000 ____D C:\Users\Andrew\Documents\iDealshare VideoGo
2013-07-21 11:12 - 2013-07-21 11:12 - 00000000 ____D C:\Users\Andrew\AppData\Roaming\iDealshare VideoGo
2013-07-21 11:12 - 2013-07-21 11:12 - 00000000 ____D C:\Program Files (x86)\iDealshare
2013-07-21 11:11 - 2013-07-21 11:22 - 00000000 ____D C:\Users\Andrew\Desktop\qcp
2013-07-21 07:25 - 2012-08-21 09:01 - 00033240 _____ (GEAR Software Inc.) C:\Windows\System32\Drivers\GEARAspiWDM.sys
2013-07-21 07:24 - 2013-07-21 07:25 - 00000000 ____D C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
2013-07-21 07:24 - 2013-07-21 07:25 - 00000000 ____D C:\Program Files\iTunes
2013-07-21 07:24 - 2013-07-21 07:25 - 00000000 ____D C:\Program Files (x86)\iTunes
2013-07-21 07:24 - 2013-07-21 07:24 - 00000000 ____D C:\Program Files\iPod
2013-07-21 07:20 - 2013-07-21 07:21 - 00000000 ____D C:\Program Files\Bonjour
2013-07-21 07:20 - 2013-07-21 07:21 - 00000000 ____D C:\Program Files (x86)\Bonjour
2013-07-21 07:06 - 2013-07-21 08:33 - 00000000 ____D C:\Users\Andrew\Downloads\World.War.Z.2013.CAM.XviD-THC
2013-07-20 16:26 - 2013-07-20 19:56 - 00000000 ____D C:\Users\Andrew\Downloads\Catfish.The.TV.Show.S02E01.720p.HDTV.x264-EVOLVE [PublicHD]
2013-07-20 16:25 - 2013-07-20 18:23 - 00000000 ____D C:\Users\Andrew\Downloads\Catfish.The.TV.Show.S02E03.720p.HDTV.x264-EVOLVE [PublicHD]
2013-07-19 15:03 - 2013-07-19 15:03 - 00000000 ____D C:\Program Files (x86)\QuickTime
2013-07-19 15:01 - 2013-07-19 15:01 - 00000000 ____D C:\Program Files (x86)\Apple Software Update
2013-07-19 14:02 - 2013-07-19 14:02 - 00000000 ____D C:\Windows\pss
2013-07-18 16:52 - 2013-07-18 16:55 - 00000000 ____D C:\Users\Andrew\Desktop\New folder
2013-07-16 17:54 - 2013-07-16 17:54 - 00000738 _____ C:\Users\Andrew\Downloads\download
2013-07-11 23:22 - 2013-06-11 15:43 - 14329856 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2013-07-11 23:22 - 2013-06-11 15:43 - 02877440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2013-07-11 23:22 - 2013-06-11 15:43 - 01767936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2013-07-11 23:22 - 2013-06-11 15:43 - 01141248 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2013-07-11 23:22 - 2013-06-11 15:43 - 00690688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2013-07-11 23:22 - 2013-06-11 15:43 - 00493056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2013-07-11 23:22 - 2013-06-11 15:43 - 00039424 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2013-07-11 23:22 - 2013-06-11 15:42 - 13760512 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2013-07-11 23:22 - 2013-06-11 15:42 - 02046976 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2013-07-11 23:22 - 2013-06-11 15:42 - 00391168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2013-07-11 23:22 - 2013-06-11 15:42 - 00109056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesysprep.dll
2013-07-11 23:22 - 2013-06-11 15:42 - 00061440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2013-07-11 23:22 - 2013-06-11 15:42 - 00033280 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2013-07-11 23:22 - 2013-06-11 15:26 - 02241024 _____ (Microsoft Corporation) C:\Windows\System32\wininet.dll
2013-07-11 23:22 - 2013-06-11 15:26 - 01365504 _____ (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-07-11 23:22 - 2013-06-11 15:26 - 00051712 _____ (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe
2013-07-11 23:22 - 2013-06-11 15:25 - 19238912 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-07-11 23:22 - 2013-06-11 15:25 - 15404032 _____ (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-07-11 23:22 - 2013-06-11 15:25 - 03958784 _____ (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2013-07-11 23:22 - 2013-06-11 15:25 - 02648576 _____ (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-07-11 23:22 - 2013-06-11 15:25 - 00855552 _____ (Microsoft Corporation) C:\Windows\System32\jscript.dll
2013-07-11 23:22 - 2013-06-11 15:25 - 00603136 _____ (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2013-07-11 23:22 - 2013-06-11 15:25 - 00526336 _____ (Microsoft Corporation) C:\Windows\System32\ieui.dll
2013-07-11 23:22 - 2013-06-11 15:25 - 00136704 _____ (Microsoft Corporation) C:\Windows\System32\iesysprep.dll
2013-07-11 23:22 - 2013-06-11 15:25 - 00067072 _____ (Microsoft Corporation) C:\Windows\System32\iesetup.dll
2013-07-11 23:22 - 2013-06-11 15:25 - 00053248 _____ (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2013-07-11 23:22 - 2013-06-11 15:25 - 00039936 _____ (Microsoft Corporation) C:\Windows\System32\iernonce.dll
2013-07-11 23:22 - 2013-06-11 14:51 - 00071680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\RegisterIEPKEYs.exe
2013-07-11 23:22 - 2013-06-11 14:50 - 00089600 _____ (Microsoft Corporation) C:\Windows\System32\RegisterIEPKEYs.exe
2013-07-11 23:22 - 2013-06-06 19:22 - 02706432 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-07-11 23:22 - 2013-06-06 18:37 - 02706432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2013-07-11 23:05 - 2013-07-11 23:05 - 00499608 _____ C:\Windows\Minidump\071213-34881-01.dmp
2013-07-11 03:05 - 2013-06-04 19:34 - 03153920 _____ (Microsoft Corporation) C:\Windows\System32\win32k.sys
2013-07-11 03:05 - 2013-06-03 22:00 - 00624128 _____ (Microsoft Corporation) C:\Windows\System32\qedit.dll
2013-07-11 03:05 - 2013-06-03 20:53 - 00509440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\qedit.dll
2013-07-11 03:05 - 2013-05-05 22:03 - 01887744 _____ (Microsoft Corporation) C:\Windows\System32\WMVDECOD.DLL
2013-07-11 03:05 - 2013-05-05 20:56 - 01620480 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WMVDECOD.DLL
2013-07-11 03:05 - 2013-04-09 15:34 - 01247744 _____ (Microsoft Corporation) C:\Windows\SysWOW64\DWrite.dll
2013-07-11 03:05 - 2013-04-02 14:51 - 01643520 _____ (Microsoft Corporation) C:\Windows\System32\DWrite.dll
2013-07-11 02:52 - 2013-07-11 02:52 - 00498488 _____ C:\Windows\Minidump\071113-37939-01.dmp
2013-07-08 03:06 - 2013-07-08 03:06 - 00618272 _____ C:\Windows\Minidump\070813-35459-01.dmp
2013-07-04 08:49 - 2013-07-04 08:49 - 00604832 _____ C:\Windows\Minidump\070413-32822-01.dmp
2013-07-02 13:28 - 2013-07-02 13:28 - 00471488 _____ C:\Windows\Minidump\070213-29218-01.dmp
 
==================== One Month Modified Files and Folders =======
 
2013-07-25 20:52 - 2013-07-25 20:52 - 00000000 ____D C:\FRST
2013-07-24 20:42 - 2010-06-02 17:09 - 00000000 ____D C:\Windows\Minidump
2013-07-24 20:42 - 2010-05-14 11:21 - 00000000 ____D C:\users\Mom
2013-07-24 20:42 - 2010-05-13 13:58 - 00000000 ____D C:\ProgramData\NVIDIA
2013-07-24 20:42 - 2010-05-12 13:27 - 00000000 ____D C:\users\Andrew
2013-07-24 20:42 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\registration
2013-07-24 16:05 - 2013-07-24 16:05 - 00000000 ____D C:\TDSSKiller_Quarantine
2013-07-24 15:50 - 2013-07-24 15:50 - 00003252 _____ C:\Users\Andrew\Desktop\eset.txt
2013-07-24 10:18 - 2013-07-24 10:18 - 00000000 ____D C:\Program Files (x86)\ESET
2013-07-24 10:15 - 2013-07-24 10:15 - 00015544 _____ C:\Users\Andrew\Desktop\Result.txt
2013-07-24 06:18 - 2013-07-24 06:18 - 00000000 ____D C:\ProgramData\Sun
2013-07-24 06:17 - 2010-10-25 05:38 - 00000000 ____D C:\Program Files (x86)\Java
2013-07-24 06:15 - 2013-07-24 06:15 - 00903080 _____ (Oracle Corporation) C:\Users\Andrew\Downloads\chromeinstall-7u25.exe
2013-07-24 05:53 - 2013-03-24 14:18 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-07-24 05:53 - 2009-07-13 20:45 - 00015152 _____ C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-07-24 05:53 - 2009-07-13 20:45 - 00015152 _____ C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-07-24 05:52 - 2012-03-11 09:30 - 00000898 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-07-24 05:50 - 2010-05-12 16:17 - 01431317 _____ C:\Windows\WindowsUpdate.log
2013-07-24 05:46 - 2012-03-11 09:30 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-07-24 05:46 - 2009-07-13 21:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2013-07-24 05:46 - 2009-07-13 20:51 - 00146382 _____ C:\Windows\setupact.log
2013-07-23 20:06 - 2013-07-23 20:06 - 00290672 _____ C:\Windows\Minidump\072413-29062-01.dmp
2013-07-23 20:06 - 2010-06-02 17:09 - 540179059 _____ C:\Windows\MEMORY.DMP
2013-07-23 20:05 - 2010-05-13 13:57 - 01106136 _____ C:\Windows\PFRO.log
2013-07-23 17:41 - 2013-07-23 17:28 - 2204695690 _____ C:\Users\Andrew\Downloads\Camera Uploads (1).zip
2013-07-23 17:22 - 2013-07-23 17:10 - 2204695690 _____ C:\Users\Andrew\Downloads\Camera Uploads.zip
2013-07-23 07:01 - 2013-07-22 11:33 - 00000000 ____D C:\Users\Andrew\AppData\Roaming\HpUpdate
2013-07-22 11:36 - 2010-07-13 12:32 - 00000000 ____D C:\Users\Andrew\AppData\Local\HP
2013-07-22 11:33 - 2013-07-22 11:33 - 00003624 _____ C:\Windows\System32\Tasks\HPCustParticipation HP Officejet 4620 series
2013-07-22 11:33 - 2010-07-13 12:23 - 00000000 ____D C:\Program Files (x86)\HP
2013-07-22 11:32 - 2013-07-22 11:32 - 00002236 _____ C:\Users\Public\Desktop\HP Officejet 4620 series.lnk
2013-07-22 11:32 - 2013-07-22 11:32 - 00001173 _____ C:\Users\Public\Desktop\Shop for Supplies - HP Officejet 4620 series.lnk
2013-07-22 11:31 - 2013-07-22 11:31 - 00000057 _____ C:\ProgramData\Ament.ini
2013-07-22 11:31 - 2013-07-22 11:31 - 00000000 ____D C:\Program Files\HP
2013-07-22 11:31 - 2010-07-13 12:21 - 00000000 ____D C:\ProgramData\HP
2013-07-21 11:22 - 2013-07-21 11:11 - 00000000 ____D C:\Users\Andrew\Desktop\qcp
2013-07-21 11:13 - 2013-07-21 11:13 - 00000000 ____D C:\Users\Andrew\Documents\iDealshare VideoGo
2013-07-21 11:12 - 2013-07-21 11:12 - 00000000 ____D C:\Users\Andrew\AppData\Roaming\iDealshare VideoGo
2013-07-21 11:12 - 2013-07-21 11:12 - 00000000 ____D C:\Program Files (x86)\iDealshare
2013-07-21 10:38 - 2009-07-13 21:13 - 00005172 _____ C:\Windows\System32\PerfStringBackup.INI
2013-07-21 08:37 - 2010-06-09 11:32 - 00000000 ____D C:\Users\Andrew\AppData\Roaming\BitTorrent
2013-07-21 08:33 - 2013-07-21 07:06 - 00000000 ____D C:\Users\Andrew\Downloads\World.War.Z.2013.CAM.XviD-THC
2013-07-21 07:25 - 2013-07-21 07:24 - 00000000 ____D C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
2013-07-21 07:25 - 2013-07-21 07:24 - 00000000 ____D C:\Program Files\iTunes
2013-07-21 07:25 - 2013-07-21 07:24 - 00000000 ____D C:\Program Files (x86)\iTunes
2013-07-21 07:25 - 2011-10-10 12:37 - 00001783 _____ C:\Users\Public\Desktop\iTunes.lnk
2013-07-21 07:24 - 2013-07-21 07:24 - 00000000 ____D C:\Program Files\iPod
2013-07-21 07:21 - 2013-07-21 07:20 - 00000000 ____D C:\Program Files\Bonjour
2013-07-21 07:21 - 2013-07-21 07:20 - 00000000 ____D C:\Program Files (x86)\Bonjour
2013-07-20 19:56 - 2013-07-20 16:26 - 00000000 ____D C:\Users\Andrew\Downloads\Catfish.The.TV.Show.S02E01.720p.HDTV.x264-EVOLVE [PublicHD]
2013-07-20 18:23 - 2013-07-20 16:25 - 00000000 ____D C:\Users\Andrew\Downloads\Catfish.The.TV.Show.S02E03.720p.HDTV.x264-EVOLVE [PublicHD]
2013-07-19 15:03 - 2013-07-19 15:03 - 00000000 ____D C:\Program Files (x86)\QuickTime
2013-07-19 15:01 - 2013-07-19 15:01 - 00000000 ____D C:\Program Files (x86)\Apple Software Update
2013-07-19 14:02 - 2013-07-19 14:02 - 00000000 ____D C:\Windows\pss
2013-07-19 13:41 - 2009-07-13 20:45 - 00419032 _____ C:\Windows\System32\FNTCACHE.DAT
2013-07-18 16:55 - 2013-07-18 16:52 - 00000000 ____D C:\Users\Andrew\Desktop\New folder
2013-07-18 16:38 - 2011-03-29 20:19 - 00000000 ____D C:\Program Files (x86)\Windows Live
2013-07-18 16:33 - 2010-05-12 15:55 - 00109680 _____ C:\Users\Andrew\AppData\Local\GDIPFONTCACHEV1.DAT
2013-07-18 16:24 - 2010-06-21 06:44 - 00000000 ____D C:\Windows\WindowsMobile
2013-07-16 20:11 - 2012-02-08 14:27 - 00000000 ____D C:\Users\Andrew\.3gpplayer
2013-07-16 20:07 - 2010-05-17 07:56 - 00000000 ____D C:\Users\Andrew\AppData\Roaming\Mozilla
2013-07-16 20:07 - 2010-05-17 07:56 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2013-07-16 17:54 - 2013-07-16 17:54 - 00000738 _____ C:\Users\Andrew\Downloads\download
2013-07-13 10:34 - 2010-12-07 12:15 - 00000404 ____H C:\Windows\Tasks\Norton Security Scan for Andrew.job
2013-07-12 16:47 - 2012-03-11 09:30 - 00003894 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2013-07-12 16:47 - 2012-03-11 09:30 - 00003642 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2013-07-11 23:30 - 2013-03-13 14:49 - 00000000 ____D C:\Program Files\Microsoft Silverlight
2013-07-11 23:30 - 2013-03-13 14:49 - 00000000 ____D C:\Program Files (x86)\Microsoft Silverlight
2013-07-11 23:29 - 2009-07-13 23:45 - 00000000 ____D C:\Program Files\Windows Journal
2013-07-11 23:29 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files\Windows Defender
2013-07-11 23:29 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files (x86)\Windows Defender
2013-07-11 23:05 - 2013-07-11 23:05 - 00499608 _____ C:\Windows\Minidump\071213-34881-01.dmp
2013-07-11 02:52 - 2013-07-11 02:52 - 00498488 _____ C:\Windows\Minidump\071113-37939-01.dmp
2013-07-08 03:06 - 2013-07-08 03:06 - 00618272 _____ C:\Windows\Minidump\070813-35459-01.dmp
2013-07-04 08:49 - 2013-07-04 08:49 - 00604832 _____ C:\Windows\Minidump\070413-32822-01.dmp
2013-07-02 13:28 - 2013-07-02 13:28 - 00471488 _____ C:\Windows\Minidump\070213-29218-01.dmp
 
Files to move or delete:
====================
C:\ProgramData\C__Users_Andrew_AppData_Local_Temp_ir_ext_temp_0_AutoPlay_Docs_Crack_HideIPEasy.exe
 
==================== Known DLLs (Whitelisted) ================
 
 
==================== Bamital & volsnap Check =================
 
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
 
TDL4: custom:26000022 <===== ATTENTION!
 
==================== EXE ASSOCIATION =====================
 
HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK
 
==================== Restore Points  =========================
 
Restore point made on: 2013-07-18 16:25:32
Restore point made on: 2013-07-18 16:27:39
Restore point made on: 2013-07-18 16:28:28
Restore point made on: 2013-07-18 16:29:40
Restore point made on: 2013-07-18 16:31:07
Restore point made on: 2013-07-18 16:34:25
Restore point made on: 2013-07-18 16:35:31
Restore point made on: 2013-07-19 15:03:03
Restore point made on: 2013-07-20 15:52:07
Restore point made on: 2013-07-21 07:21:58
Restore point made on: 2013-07-24 06:17:17
Restore point made on: 2013-07-24 09:09:36
 
==================== Memory info =========================== 
 
Percentage of memory in use: 16%
Total physical RAM: 4059.49 MB
Available physical RAM: 3388.8 MB
Total Pagefile: 4057.64 MB
Available Pagefile: 3389.3 MB
Total Virtual: 8192 MB
Available Virtual: 8191.85 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:931.41 GB) (Free:208.87 GB) NTFS (Disk=0 Partition=2)
Drive e: () (CDROM) (Total:0.05 GB) (Free:0 GB) CDFS
Drive l: (KINGSTON) (Removable) (Total:0.24 GB) (Free:0.24 GB) FAT (Disk=6 Partition=1)
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS (Disk=0 Partition=1) ==>[System with boot components (obtained from reading drive)]
ATTENTION: Malware custom entry on BCD on drive y: detected.
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 932 GB) (Disk ID: EA762631)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=931 GB) - (Type=07 NTFS)
 
========================================================
Disk: 6 (Size: 243 MB) (Disk ID: 00000000)
Partition 1: (Active) - (Size=243 MB) - (Type=0E)
 
 
LastRegBack: 2013-07-13 04:28
 
==================== End Of Log ============================


#5 TB-Psychotic (Malware Response Team)

Posted 26 July 2013 - 01:02 AM

Fix with FRST (Recovery Environment)


  • Open notepad (Start =>All Programs => Accessories => Notepad).
  • Please copy the entire contents of the code box below.
    (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

    HKU\Mom\...\Run: [mshtkmgr] - rundll32 "C:\Users\Mom\AppData\Local\Temp\newdepad.dll",CreateProcessNotify [x] <===== ATTENTION
    HKU\Mom\...\Run: [extrPlay] - rundll32 "C:\Users\Mom\AppData\Local\Temp\newdepad64.dll",CreateProcessNotify [x] <===== ATTENTION
    HKU\Mom\...\Run: [Internet Security] - C:\Users\Mom\AppData\Roaming\isecurity.exe [x]
    HKU\Mom\...\Run: [dhWpWLrHmsphLmp.exe] - C:\ProgramData\dhWpWLrHmsphLmp.exe [x]
    HKU\Mom\...\Run: [SD2014] - C:\Users\Mom\AppData\Roaming\Nh9Df5dR\Nh9Df5dR.exe [x]
    
    S1 etvoymsx; \??\C:\Windows\system32\drivers\etvoymsx.sys [x]
    S1 hlscftjf; \??\C:\Windows\system32\drivers\hlscftjf.sys [x]
    
    C:\Users\Mom\AppData\Local\Temp\newdepad.dll
    C:\Users\Mom\AppData\Local\Temp\newdepad64.dll
    C:\Users\Mom\AppData\Roaming\isecurity.exe
    C:\ProgramData\dhWpWLrHmsphLmp.exe
    C:\Users\Mom\AppData\Roaming\Nh9Df5dR\Nh9Df5dR.exe
    C:\Windows\system32\drivers\etvoymsx.sys
    C:\Windows\system32\drivers\hlscftjf.sys
    C:\ProgramData\C__Users_Andrew_AppData_Local_Temp_ir_ext_temp_0_AutoPlay_Docs_Crack_HideIPEasy.exe
    
    TDL4: custom:26000022 <===== ATTENTION!
    
    CMD: bootrec /fixmbr
    CMD: bootrec /fixboot
     
    

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

    Now please enter System Recovery Options again.

  • Run frst.exe (on 64bit, run frst64.exe) and press the Fix button just once and wait.
  • The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

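Turning the flagged entries in the FRST.txt above into the fixlist.txt in this post is a mechanical triage, shown here as an added Python example that is not part of the thread or of FRST itself: it parses a constructed excerpt of the posted log, keeps the entries FRST marked ATTENTION, orphaned [x] Run entries whose target lived in a user-writable folder, boot/system-start drivers whose .sys file is gone, the "Files to move or delete" section and the TDL4 indicator, and emits them in the layout the helper used. The selection rules are this example's own heuristics, not FRST's, and the CMD lines are appended only when the TDL4 indicator is present.

```python
import re

# Constructed excerpt of the FRST.txt posted earlier in this thread (trimmed to the sections the fix touches).
FRST_LOG = r"""==================== Registry (Whitelisted) ==================

HKLM\...\Run: [MSC] - c:\Program Files\Microsoft Security Client\msseces.exe [1281512 2013-01-27] (Microsoft Corporation)
HKLM-x32\...\Run: [] -  [x]
HKU\Mom\...\Run: [mshtkmgr] - rundll32 "C:\Users\Mom\AppData\Local\Temp\newdepad.dll",CreateProcessNotify [x] <===== ATTENTION
HKU\Mom\...\Run: [extrPlay] - rundll32 "C:\Users\Mom\AppData\Local\Temp\newdepad64.dll",CreateProcessNotify [x] <===== ATTENTION
HKU\Mom\...\Run: [Internet Security] - C:\Users\Mom\AppData\Roaming\isecurity.exe [x]
HKU\Mom\...\Run: [dhWpWLrHmsphLmp.exe] - C:\ProgramData\dhWpWLrHmsphLmp.exe [x]
HKU\Mom\...\Run: [SD2014] - C:\Users\Mom\AppData\Roaming\Nh9Df5dR\Nh9Df5dR.exe [x]

==================== Drivers (Whitelisted) ====================

S0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [230320 2013-01-20] (Microsoft Corporation)
S3 catchme; \??\C:\ComboFix\catchme.sys [x]
S1 etvoymsx; \??\C:\Windows\system32\drivers\etvoymsx.sys [x]
S1 hlscftjf; \??\C:\Windows\system32\drivers\hlscftjf.sys [x]
S3 MBAMProtector; \??\C:\Windows\system32\drivers\mbam.sys [x]

Files to move or delete:
====================
C:\ProgramData\C__Users_Andrew_AppData_Local_Temp_ir_ext_temp_0_AutoPlay_Docs_Crack_HideIPEasy.exe

==================== Bamital & volsnap Check =================

TDL4: custom:26000022 <===== ATTENTION!
"""

HEADER = re.compile(r"^=+\s*(.*?)\s*=*$")                # '==== Name ====' or a bare '====' rule
RUN_ENTRY = re.compile(r"^HK.*?\\Run(?:Once)?: \[.*?\] - (.*)$")
DRIVER_ENTRY = re.compile(r"^(S[0-4]) \S+; (?:\\\?\?\\)?(.+?) \[")
# This example's heuristic, not an FRST rule: a missing autorun target in a user-writable folder is malware residue.
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\temp\\")

def parse_sections(log):
    """Split the log into {section name: [non-empty lines]}."""
    sections, current = {}, None
    for line in log.splitlines():
        line = line.rstrip()
        if not line:
            continue
        m = HEADER.match(line)
        if m:
            if m.group(1):                                # a bare '====' rule is only a divider
                current = m.group(1)
                sections[current] = []
        elif line == "Files to move or delete:":          # this section has no '====' header
            current = "Files to move or delete"
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections

def target_path(rest):
    """File path from the part of a Run entry after ' - ': quoted rundll32 form, else bare path."""
    m = re.search(r'"([A-Za-z]:\\[^"]+)"', rest) or re.match(r"([A-Za-z]:\\.*?) \[", rest)
    return m.group(1) if m else ""

def suspicious_run(rest, line):
    if "<===== ATTENTION" in line:                        # flagged by FRST itself
        return True
    if "[x]" not in rest:                                 # [x]: FRST found no file at the target
        return False
    path = target_path(rest).lower()
    return bool(path) and any(d in path for d in USER_WRITABLE)

def triage(log):
    """Select the entries a fixlist should remove, keeping the log lines verbatim."""
    s, t = parse_sections(log), {"registry": [], "drivers": [], "files": [], "rootkit": []}
    for line in s.get("Registry (Whitelisted)", []):
        m = RUN_ENTRY.match(line)
        if m and suspicious_run(m.group(1), line):
            t["registry"].append(line)
            path = target_path(m.group(1))
            if path:
                t["files"].append(path)
    for line in s.get("Drivers (Whitelisted)", []):
        m = DRIVER_ENTRY.match(line)
        # S0/S1 (boot/system-start) drivers whose .sys is gone are rootkit leftovers; S3 entries of known tools stay.
        if m and m.group(1) in ("S0", "S1") and "[x]" in line:
            t["drivers"].append(line)
            t["files"].append(m.group(2))
    t["files"] += s.get("Files to move or delete", [])
    t["rootkit"] = [x for x in s.get("Bamital & volsnap Check", []) if x.startswith("TDL4:") and "ATTENTION" in x]
    return t

def build_fixlist(t):
    """Lay the selection out as fixlist.txt: registry, drivers, files, rootkit, then CMD lines."""
    blocks = [t["registry"], t["drivers"], t["files"], t["rootkit"]]
    if t["rootkit"]:                                      # rewrite MBR/boot sector only when TDL4 was found
        blocks.append(["CMD: bootrec /fixmbr", "CMD: bootrec /fixboot"])
    return "\n\n".join("\n".join(b) for b in blocks if b) + "\n"

if __name__ == "__main__":
    print(build_fixlist(triage(FRST_LOG)), end="")
```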

#6 makaveli3005


Posted 26 July 2013 - 08:45 AM

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 24-07-2013
Ran by SYSTEM at 2013-07-26 09:36:59 Run:1
Running from G:\
Boot Mode: Recovery
==============================================
 
HKU\Mom\Software\Microsoft\Windows\CurrentVersion\Run\\mshtkmgr => Value deleted successfully.
HKU\Mom\Software\Microsoft\Windows\CurrentVersion\Run\\extrPlay => Value deleted successfully.
HKU\Mom\Software\Microsoft\Windows\CurrentVersion\Run\\Internet Security => Value deleted successfully.
HKU\Mom\Software\Microsoft\Windows\CurrentVersion\Run\\dhWpWLrHmsphLmp.exe => Value deleted successfully.
HKU\Mom\Software\Microsoft\Windows\CurrentVersion\Run\\SD2014 => Value deleted successfully.
etvoymsx => Service deleted successfully.
hlscftjf => Service deleted successfully.
"C:\Users\Mom\AppData\Local\Temp\newdepad.dll" => File/Directory not found.
"C:\Users\Mom\AppData\Local\Temp\newdepad64.dll" => File/Directory not found.
"C:\Users\Mom\AppData\Roaming\isecurity.exe" => File/Directory not found.
"C:\ProgramData\dhWpWLrHmsphLmp.exe" => File/Directory not found.
"C:\Users\Mom\AppData\Roaming\Nh9Df5dR\Nh9Df5dR.exe" => File/Directory not found.
"C:\Windows\system32\drivers\etvoymsx.sys" => File/Directory not found.
"C:\Windows\system32\drivers\hlscftjf.sys" => File/Directory not found.
C:\ProgramData\C__Users_Andrew_AppData_Local_Temp_ir_ext_temp_0_AutoPlay_Docs_Crack_HideIPEasy.exe => Moved successfully.
 
The operation completed successfully.
The operation completed successfully.
 
=========  bootrec /fixmbr =========
 
The operation completed successfully.
 
========= End of CMD: =========
 
 
=========  bootrec /fixboot =========
 
The operation completed successfully.
 
========= End of CMD: =========
 
 
==== End of Fixlog ====


And I am posting this from the sick computer, btw; it appears to be working well now.



#7 TB-Psychotic (Malware Response Team)

Posted 27 July 2013 - 07:32 AM

Combofix

Combofix should only be run when advised by a team member!

Link


Important - Save the file to your desktop!


  • Deactivate any and all of your antivirus programs /spyware scanners - they can prevent CF from doing its work.
  • Run Combofix.exe


When finished, Combofix creates a log file named C:\Combofix.txt. Please post its content in your next reply.

Note: When receiving an error message containing "Illegal operation attempted on a registry key that has been marked for deletion", simply restart your computer to fix this.



#8 TB-Psychotic (Malware Response Team)

Posted 30 July 2013 - 10:27 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.



