Help
This topic is locked
Combofix is not working now. It goes to loading screen but nothing pops up
Forum Guidelines
Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help
Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient. DO NOT RUN ComboFix unless requested to. Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log. When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc. Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.
Redirect Virus Help
Back to top
#32
- Bleepin Gringo
-
- Group: Malware Response Team
- Posts: 85,500
- Joined: 03-July 08
- Gender:Male
- Location:Puerto rico
Posted 20 July 2011 - 07:45 AM
Hello
Ok lets try this, I want you to run combofix in safe mode but it is very important that when combofix reboots the computer for you to direct it back into safe mode so it can finish the scan.
Boot into Safe Mode
Reboot your computer in Safe Mode.
after combofix has finished its scan please post the report back here.
Gringo
Ok lets try this, I want you to run combofix in safe mode but it is very important that when combofix reboots the computer for you to direct it back into safe mode so it can finish the scan.
Boot into Safe Mode
Reboot your computer in Safe Mode.
- If the computer is running, shut down Windows, and then turn off the power.
- Wait 30 seconds, and then turn the computer on.
- Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
- Ensure that the Safe Mode option is selected.
- Press Enter. The computer then begins to start in Safe mode.
- Login on your usual account.
after combofix has finished its scan please post the report back here.
Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know
If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic
Please Only Copy And Paste Reports Into Topic - Do Not Attach
My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->
<-- Don't worry every little bit helps.
If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic
Please Only Copy And Paste Reports Into Topic - Do Not Attach
My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->
<-- Don't worry every little bit helps.
#33
- Member
-
- Group: Members
- Posts: 22
- Joined: 01-July 11
Posted 20 July 2011 - 08:30 AM
Hey thanks for helping me out with this issue gringo,
I ended up installing Internet Explorer 9 which was jsut released not to long ago, and it was workign fine without any redirects, but after a day it started again,
I was able to run combofix not in safe mode here are the results.
ComboFix 11-07-20.02 - Gardo 20/07/2011 8:17.3.4 - x64
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.2.1033.18.4095.2384 [GMT -4:00]
Running from: c:\users\Gardo\Downloads\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2011-06-20 to 2011-07-20 )))))))))))))))))))))))))))))))
.
.
2011-07-20 12:43 . 2011-07-20 12:43 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-07-19 06:43 . 2011-06-20 12:57 8873296 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{A4556681-25D6-49D6-B019-AAEF76A3898F}\mpengine.dll
2011-07-17 22:27 . 2011-07-17 22:56 -------- d-----w- c:\program files (x86)\Desktop Screen Record 5
2011-07-17 22:19 . 2011-07-17 22:21 -------- d-----w- c:\program files (x86)\SpywareBlaster
2011-07-17 22:19 . 2010-01-10 23:40 118784 ----a-w- c:\windows\SysWow64\MSSTDFMT.DLL
2011-07-17 22:19 . 2010-01-10 23:40 1071088 ----a-w- c:\windows\SysWow64\MSCOMCTL.OCX
2011-07-17 22:07 . 2011-07-20 12:09 -------- d-----w- C:\32788R22FWJFW
2011-07-12 18:56 . 2011-06-11 02:56 3134464 ----a-w- c:\windows\system32\win32k.sys
2011-07-12 15:54 . 2011-07-12 15:54 -------- d-----w- c:\program files (x86)\ESET
2011-07-11 19:51 . 2011-07-06 23:52 41272 ----a-w- c:\windows\SysWow64\drivers\mbamswissarmy.sys
2011-07-11 19:43 . 2011-07-11 19:43 -------- d-----w- c:\program files (x86)\Common Files\Java
2011-07-11 16:38 . 2011-05-04 08:52 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
2011-07-11 16:02 . 2011-05-24 23:14 270720 ------w- c:\windows\system32\MpSigStub.exe
2011-07-03 14:52 . 2011-07-03 14:52 388096 ----a-r- c:\users\Gardo\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-07-01 13:48 . 2011-07-01 13:48 -------- d-----w- c:\program files (x86)\Trend Micro
2011-06-28 19:10 . 2011-06-28 19:10 -------- d-----w- c:\users\Gardo\AppData\Roaming\Malwarebytes
2011-06-28 19:10 . 2011-06-28 19:10 -------- d-----w- c:\programdata\Malwarebytes
2011-06-28 19:10 . 2011-07-16 15:14 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-20 11:46 . 2010-12-26 08:05 268952 ----a-w- c:\windows\SysWow64\PnkBstrB.exe
2011-07-20 11:46 . 2010-12-26 08:05 268952 ----a-w- c:\windows\SysWow64\PnkBstrB.xtr
2011-07-20 11:46 . 2010-12-26 08:05 268952 ----a-w- c:\windows\SysWow64\PnkBstrB.ex0
2011-06-02 05:56 . 2011-07-12 18:56 44032 ----a-w- c:\windows\apppatch\acwow64.dll
2011-05-04 02:51 . 2011-06-16 03:11 287744 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-05-04 02:51 . 2011-06-16 03:11 157696 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-05-04 02:51 . 2011-06-16 03:11 126464 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2011-05-03 05:21 . 2011-06-16 03:10 976896 ----a-w- c:\windows\system32\inetcomm.dll
2011-05-03 04:50 . 2011-06-16 03:10 740864 ----a-w- c:\windows\SysWow64\inetcomm.dll
2011-04-29 03:13 . 2011-06-16 03:10 461312 ----a-w- c:\windows\system32\drivers\srv.sys
2011-04-29 03:12 . 2011-06-16 03:10 399872 ----a-w- c:\windows\system32\drivers\srv2.sys
2011-04-29 03:12 . 2011-06-16 03:10 161792 ----a-w- c:\windows\system32\drivers\srvnet.sys
2011-04-27 02:57 . 2011-06-16 03:12 102400 ----a-w- c:\windows\system32\drivers\dfsc.sys
2011-04-25 05:32 . 2011-06-16 03:12 1896832 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-04-25 02:44 . 2011-06-16 03:12 499712 ----a-w- c:\windows\system32\drivers\afd.sys
2011-04-22 20:18 . 2011-05-25 00:29 27008 ----a-w- c:\windows\system32\drivers\Diskdump.sys
2011-04-21 13:11 . 2011-04-21 13:11 159080 ----a-w- c:\programdata\Microsoft\Windows\Sqm\Manifest\Sqm10138.bin
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2010-05-27 02:40 120176 ----a-w- c:\program files (x86)\EgisTec MyWinLocker\x86\PSDProtect.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Hotkey Utility"="c:\program files (x86)\Acer\Hotkey Utility\HotkeyUtility.exe" [2010-08-04 611872]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [2010-03-25 51456888]
R3 MWLService;MyWinLocker Service;c:\program files (x86)\EgisTec MyWinLocker\x86\MWLService.exe [2010-05-27 305520]
R3 ose64;Office 64 Source Engine;c:\program files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2010-01-10 174440]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S1 mwlPSDFilter;mwlPSDFilter;c:\windows\system32\DRIVERS\mwlPSDFilter.sys [x]
S1 mwlPSDNServ;mwlPSDNServ;c:\windows\system32\DRIVERS\mwlPSDNServ.sys [x]
S1 mwlPSDVDisk;mwlPSDVDisk;c:\windows\system32\DRIVERS\mwlPSDVDisk.sys [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 GREGService;GREGService;c:\program files (x86)\Acer\Registration\GREGsvc.exe [2010-01-08 23584]
S2 lxdx_device;lxdx_device;c:\windows\system32\lxdxcoms.exe [2010-02-04 1039872]
S2 Updater Service;Updater Service;c:\program files\Acer\Acer Updater\UpdaterService.exe [2010-01-28 243232]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atipmdag.sys [x]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
S3 P0630VID;Creative WebCam Live!;c:\windows\system32\DRIVERS\P0630Vid.sys [x]
.
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2010-05-27 02:42 137584 ----a-w- c:\program files (x86)\EgisTec MyWinLocker\x64\PSDProtect.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-07-20 7981088]
"mwlDaemon"="c:\program files (x86)\EgisTec MyWinLocker\x86\mwlDaemon.exe" [2010-05-27 349552]
"OOTag"="c:\program files (x86)\Acer\OOBEOffer\ootag.exe" [2010-02-23 13856]
"lxdxmon.exe"="c:\program files (x86)\Lexmark 3600-4600 Series\lxdxmon.exe" [2010-02-04 672424]
"EzPrint"="c:\program files (x86)\Lexmark 3600-4600 Series\ezprint.exe" [2010-02-04 107176]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 112512]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.ca/
mStart Page = hxxp://acer.msn.com
mLocal Page = c:\windows\system32\blank.htm
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.ro
LSP: %SYSTEMROOT%\system32\nvLsp.dll
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\users\Gardo\AppData\Roaming\Mozilla\Firefox\Profiles\9whold6k.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{22e03916-85c5-44b0-8dc9-1830c11238d9} - c:\program files (x86)\Elf_1\prxtbElf0.dll
Toolbar-Locked - (no file)
Toolbar-{22e03916-85c5-44b0-8dc9-1830c11238d9} - c:\program files (x86)\Elf_1\prxtbElf0.dll
WebBrowser-{30F9B915-B755-4826-820B-08FBA6BD249D} - (no file)
HKLM-Run-AutoKMS - c:\windows\AutoKMS.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2011-07-20 09:01:56
ComboFix-quarantined-files.txt 2011-07-20 13:01
.
Pre-Run: 928,360,357,888 bytes free
Post-Run: 928,071,962,624 bytes free
.
- - End Of File - - 2E5C1AC1FEE37E379B3A27B9081C70CC
I ended up installing Internet Explorer 9 which was jsut released not to long ago, and it was workign fine without any redirects, but after a day it started again,
I was able to run combofix not in safe mode here are the results.
ComboFix 11-07-20.02 - Gardo 20/07/2011 8:17.3.4 - x64
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.2.1033.18.4095.2384 [GMT -4:00]
Running from: c:\users\Gardo\Downloads\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2011-06-20 to 2011-07-20 )))))))))))))))))))))))))))))))
.
.
2011-07-20 12:43 . 2011-07-20 12:43 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-07-19 06:43 . 2011-06-20 12:57 8873296 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{A4556681-25D6-49D6-B019-AAEF76A3898F}\mpengine.dll
2011-07-17 22:27 . 2011-07-17 22:56 -------- d-----w- c:\program files (x86)\Desktop Screen Record 5
2011-07-17 22:19 . 2011-07-17 22:21 -------- d-----w- c:\program files (x86)\SpywareBlaster
2011-07-17 22:19 . 2010-01-10 23:40 118784 ----a-w- c:\windows\SysWow64\MSSTDFMT.DLL
2011-07-17 22:19 . 2010-01-10 23:40 1071088 ----a-w- c:\windows\SysWow64\MSCOMCTL.OCX
2011-07-17 22:07 . 2011-07-20 12:09 -------- d-----w- C:\32788R22FWJFW
2011-07-12 18:56 . 2011-06-11 02:56 3134464 ----a-w- c:\windows\system32\win32k.sys
2011-07-12 15:54 . 2011-07-12 15:54 -------- d-----w- c:\program files (x86)\ESET
2011-07-11 19:51 . 2011-07-06 23:52 41272 ----a-w- c:\windows\SysWow64\drivers\mbamswissarmy.sys
2011-07-11 19:43 . 2011-07-11 19:43 -------- d-----w- c:\program files (x86)\Common Files\Java
2011-07-11 16:38 . 2011-05-04 08:52 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
2011-07-11 16:02 . 2011-05-24 23:14 270720 ------w- c:\windows\system32\MpSigStub.exe
2011-07-03 14:52 . 2011-07-03 14:52 388096 ----a-r- c:\users\Gardo\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-07-01 13:48 . 2011-07-01 13:48 -------- d-----w- c:\program files (x86)\Trend Micro
2011-06-28 19:10 . 2011-06-28 19:10 -------- d-----w- c:\users\Gardo\AppData\Roaming\Malwarebytes
2011-06-28 19:10 . 2011-06-28 19:10 -------- d-----w- c:\programdata\Malwarebytes
2011-06-28 19:10 . 2011-07-16 15:14 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-20 11:46 . 2010-12-26 08:05 268952 ----a-w- c:\windows\SysWow64\PnkBstrB.exe
2011-07-20 11:46 . 2010-12-26 08:05 268952 ----a-w- c:\windows\SysWow64\PnkBstrB.xtr
2011-07-20 11:46 . 2010-12-26 08:05 268952 ----a-w- c:\windows\SysWow64\PnkBstrB.ex0
2011-06-02 05:56 . 2011-07-12 18:56 44032 ----a-w- c:\windows\apppatch\acwow64.dll
2011-05-04 02:51 . 2011-06-16 03:11 287744 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-05-04 02:51 . 2011-06-16 03:11 157696 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-05-04 02:51 . 2011-06-16 03:11 126464 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2011-05-03 05:21 . 2011-06-16 03:10 976896 ----a-w- c:\windows\system32\inetcomm.dll
2011-05-03 04:50 . 2011-06-16 03:10 740864 ----a-w- c:\windows\SysWow64\inetcomm.dll
2011-04-29 03:13 . 2011-06-16 03:10 461312 ----a-w- c:\windows\system32\drivers\srv.sys
2011-04-29 03:12 . 2011-06-16 03:10 399872 ----a-w- c:\windows\system32\drivers\srv2.sys
2011-04-29 03:12 . 2011-06-16 03:10 161792 ----a-w- c:\windows\system32\drivers\srvnet.sys
2011-04-27 02:57 . 2011-06-16 03:12 102400 ----a-w- c:\windows\system32\drivers\dfsc.sys
2011-04-25 05:32 . 2011-06-16 03:12 1896832 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-04-25 02:44 . 2011-06-16 03:12 499712 ----a-w- c:\windows\system32\drivers\afd.sys
2011-04-22 20:18 . 2011-05-25 00:29 27008 ----a-w- c:\windows\system32\drivers\Diskdump.sys
2011-04-21 13:11 . 2011-04-21 13:11 159080 ----a-w- c:\programdata\Microsoft\Windows\Sqm\Manifest\Sqm10138.bin
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2010-05-27 02:40 120176 ----a-w- c:\program files (x86)\EgisTec MyWinLocker\x86\PSDProtect.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Hotkey Utility"="c:\program files (x86)\Acer\Hotkey Utility\HotkeyUtility.exe" [2010-08-04 611872]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [2010-03-25 51456888]
R3 MWLService;MyWinLocker Service;c:\program files (x86)\EgisTec MyWinLocker\x86\MWLService.exe [2010-05-27 305520]
R3 ose64;Office 64 Source Engine;c:\program files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2010-01-10 174440]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S1 mwlPSDFilter;mwlPSDFilter;c:\windows\system32\DRIVERS\mwlPSDFilter.sys [x]
S1 mwlPSDNServ;mwlPSDNServ;c:\windows\system32\DRIVERS\mwlPSDNServ.sys [x]
S1 mwlPSDVDisk;mwlPSDVDisk;c:\windows\system32\DRIVERS\mwlPSDVDisk.sys [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 GREGService;GREGService;c:\program files (x86)\Acer\Registration\GREGsvc.exe [2010-01-08 23584]
S2 lxdx_device;lxdx_device;c:\windows\system32\lxdxcoms.exe [2010-02-04 1039872]
S2 Updater Service;Updater Service;c:\program files\Acer\Acer Updater\UpdaterService.exe [2010-01-28 243232]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atipmdag.sys [x]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
S3 P0630VID;Creative WebCam Live!;c:\windows\system32\DRIVERS\P0630Vid.sys [x]
.
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2010-05-27 02:42 137584 ----a-w- c:\program files (x86)\EgisTec MyWinLocker\x64\PSDProtect.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-07-20 7981088]
"mwlDaemon"="c:\program files (x86)\EgisTec MyWinLocker\x86\mwlDaemon.exe" [2010-05-27 349552]
"OOTag"="c:\program files (x86)\Acer\OOBEOffer\ootag.exe" [2010-02-23 13856]
"lxdxmon.exe"="c:\program files (x86)\Lexmark 3600-4600 Series\lxdxmon.exe" [2010-02-04 672424]
"EzPrint"="c:\program files (x86)\Lexmark 3600-4600 Series\ezprint.exe" [2010-02-04 107176]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 112512]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.ca/
mStart Page = hxxp://acer.msn.com
mLocal Page = c:\windows\system32\blank.htm
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.ro
LSP: %SYSTEMROOT%\system32\nvLsp.dll
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\users\Gardo\AppData\Roaming\Mozilla\Firefox\Profiles\9whold6k.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{22e03916-85c5-44b0-8dc9-1830c11238d9} - c:\program files (x86)\Elf_1\prxtbElf0.dll
Toolbar-Locked - (no file)
Toolbar-{22e03916-85c5-44b0-8dc9-1830c11238d9} - c:\program files (x86)\Elf_1\prxtbElf0.dll
WebBrowser-{30F9B915-B755-4826-820B-08FBA6BD249D} - (no file)
HKLM-Run-AutoKMS - c:\windows\AutoKMS.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2011-07-20 09:01:56
ComboFix-quarantined-files.txt 2011-07-20 13:01
.
Pre-Run: 928,360,357,888 bytes free
Post-Run: 928,071,962,624 bytes free
.
- - End Of File - - 2E5C1AC1FEE37E379B3A27B9081C70CC
#34
- Bleepin Gringo
-
- Group: Malware Response Team
- Posts: 85,500
- Joined: 03-July 08
- Gender:Male
- Location:Puerto rico
Posted 20 July 2011 - 08:46 AM
Hello
I would like you to go here - https://store.opendns.com/setup/operatingsystem/windows-7
and change the DNS settings on the computer to the ones listed and see if it stops the redirects
gringo
I would like you to go here - https://store.opendns.com/setup/operatingsystem/windows-7
and change the DNS settings on the computer to the ones listed and see if it stops the redirects
gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know
If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic
Please Only Copy And Paste Reports Into Topic - Do Not Attach
My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here --><-- Don't worry every little bit helps.
If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic
Please Only Copy And Paste Reports Into Topic - Do Not Attach
My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->
<-- Don't worry every little bit helps.
#35
- Member
-
- Group: Members
- Posts: 22
- Joined: 01-July 11
Posted 21 July 2011 - 08:01 AM
Changing the DNS did not help, I've also did ipconfig/flushdns in cmd after I changed the DNS
This post has been edited by d33j@y: 21 July 2011 - 08:02 AM
#36
- Bleepin Gringo
-
- Group: Malware Response Team
- Posts: 85,500
- Joined: 03-July 08
- Gender:Male
- Location:Puerto rico
Posted 22 July 2011 - 12:55 PM
Please download aswMBR ( 511KB ) to your desktop.
- Double click the aswMBR.exe icon to run it
- Click the Scan button to start the scan
- On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know
If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic
Please Only Copy And Paste Reports Into Topic - Do Not Attach
My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here --><-- Don't worry every little bit helps.
If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic
Please Only Copy And Paste Reports Into Topic - Do Not Attach
My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->
<-- Don't worry every little bit helps.
#37
- Member
-
- Group: Members
- Posts: 22
- Joined: 01-July 11
Posted 23 July 2011 - 09:14 AM
aswMBR version 0.9.8.977 Copyright© 2011 AVAST Software
Run date: 2011-07-23 10:13:10
-----------------------------
10:13:10.388 OS Version: Windows x64 6.1.7600
10:13:10.388 Number of processors: 4 586 0x402
10:13:10.388 ComputerName: GARDO-PC UserName: Gardo
10:13:13.009 Initialize success
10:13:28.729 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000057
10:13:28.744 Disk 0 Vendor: WDC_WD10 80.0 Size: 953869MB BusType: 3
10:13:28.760 Disk 0 MBR read successfully
10:13:28.760 Disk 0 MBR scan
10:13:28.775 Disk 0 Windows 7 default MBR code
10:13:28.775 Service scanning
10:13:29.774 Modules scanning
10:13:29.774 Disk 0 trace - called modules:
10:13:29.789 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys storport.sys hal.dll nvstor64.sys
10:13:29.789 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004a64060]
10:13:29.805 3 CLASSPNP.SYS[fffff8800196d43f] -> nt!IofCallDriver -> [0xfffffa80045d7e40]
10:13:29.805 5 ACPI.sys[fffff88000ebf781] -> nt!IofCallDriver -> \Device\00000057[0xfffffa80045d0060]
10:13:29.821 Scan finished successfully
10:13:50.865 Disk 0 MBR has been saved successfully to "C:\Users\Gardo\Desktop\MBR.dat"
10:13:50.865 The log file has been saved successfully to "C:\Users\Gardo\Desktop\aswMBR.txt"
Run date: 2011-07-23 10:13:10
-----------------------------
10:13:10.388 OS Version: Windows x64 6.1.7600
10:13:10.388 Number of processors: 4 586 0x402
10:13:10.388 ComputerName: GARDO-PC UserName: Gardo
10:13:13.009 Initialize success
10:13:28.729 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000057
10:13:28.744 Disk 0 Vendor: WDC_WD10 80.0 Size: 953869MB BusType: 3
10:13:28.760 Disk 0 MBR read successfully
10:13:28.760 Disk 0 MBR scan
10:13:28.775 Disk 0 Windows 7 default MBR code
10:13:28.775 Service scanning
10:13:29.774 Modules scanning
10:13:29.774 Disk 0 trace - called modules:
10:13:29.789 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys storport.sys hal.dll nvstor64.sys
10:13:29.789 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004a64060]
10:13:29.805 3 CLASSPNP.SYS[fffff8800196d43f] -> nt!IofCallDriver -> [0xfffffa80045d7e40]
10:13:29.805 5 ACPI.sys[fffff88000ebf781] -> nt!IofCallDriver -> \Device\00000057[0xfffffa80045d0060]
10:13:29.821 Scan finished successfully
10:13:50.865 Disk 0 MBR has been saved successfully to "C:\Users\Gardo\Desktop\MBR.dat"
10:13:50.865 The log file has been saved successfully to "C:\Users\Gardo\Desktop\aswMBR.txt"
#38
- Member
-
- Group: Members
- Posts: 22
- Joined: 01-July 11
Posted 23 July 2011 - 09:25 AM
I ran with updated aswMBR too
aswMBR version 0.9.8.977 Copyright© 2011 AVAST Software
Run date: 2011-07-23 10:16:06
-----------------------------
10:16:06.131 OS Version: Windows x64 6.1.7600
10:16:06.131 Number of processors: 4 586 0x402
10:16:06.131 ComputerName: GARDO-PC UserName: Gardo
10:16:07.130 Initialize success
10:17:53.678 AVAST engine defs: 11072301
10:18:12.070 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000057
10:18:12.070 Disk 0 Vendor: WDC_WD10 80.0 Size: 953869MB BusType: 3
10:18:12.086 Disk 0 MBR read successfully
10:18:12.101 Disk 0 MBR scan
10:18:12.101 Disk 0 Windows 7 default MBR code
10:18:12.117 Service scanning
10:18:13.396 Modules scanning
10:18:13.396 Disk 0 trace - called modules:
10:18:13.412 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys storport.sys hal.dll nvstor64.sys
10:18:13.412 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004a64060]
10:18:13.427 3 CLASSPNP.SYS[fffff8800196d43f] -> nt!IofCallDriver -> [0xfffffa80045d7e40]
10:18:13.427 5 ACPI.sys[fffff88000ebf781] -> nt!IofCallDriver -> \Device\00000057[0xfffffa80045d0060]
10:18:15.674 AVAST engine scan C:\Windows
10:18:18.575 AVAST engine scan C:\Windows\system32
10:19:26.622 AVAST engine scan C:\Windows\system32\drivers
10:19:33.299 AVAST engine scan C:\Users\Gardo
10:20:24.930 AVAST engine scan C:\ProgramData
10:21:25.645 Scan finished successfully
10:24:14.712 Disk 0 MBR has been saved successfully to "C:\Users\Gardo\Desktop\MBR.dat"
10:24:14.728 The log file has been saved successfully to "C:\Users\Gardo\Desktop\aswMBR.txt"
aswMBR version 0.9.8.977 Copyright© 2011 AVAST Software
Run date: 2011-07-23 10:16:06
-----------------------------
10:16:06.131 OS Version: Windows x64 6.1.7600
10:16:06.131 Number of processors: 4 586 0x402
10:16:06.131 ComputerName: GARDO-PC UserName: Gardo
10:16:07.130 Initialize success
10:17:53.678 AVAST engine defs: 11072301
10:18:12.070 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000057
10:18:12.070 Disk 0 Vendor: WDC_WD10 80.0 Size: 953869MB BusType: 3
10:18:12.086 Disk 0 MBR read successfully
10:18:12.101 Disk 0 MBR scan
10:18:12.101 Disk 0 Windows 7 default MBR code
10:18:12.117 Service scanning
10:18:13.396 Modules scanning
10:18:13.396 Disk 0 trace - called modules:
10:18:13.412 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys storport.sys hal.dll nvstor64.sys
10:18:13.412 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004a64060]
10:18:13.427 3 CLASSPNP.SYS[fffff8800196d43f] -> nt!IofCallDriver -> [0xfffffa80045d7e40]
10:18:13.427 5 ACPI.sys[fffff88000ebf781] -> nt!IofCallDriver -> \Device\00000057[0xfffffa80045d0060]
10:18:15.674 AVAST engine scan C:\Windows
10:18:18.575 AVAST engine scan C:\Windows\system32
10:19:26.622 AVAST engine scan C:\Windows\system32\drivers
10:19:33.299 AVAST engine scan C:\Users\Gardo
10:20:24.930 AVAST engine scan C:\ProgramData
10:21:25.645 Scan finished successfully
10:24:14.712 Disk 0 MBR has been saved successfully to "C:\Users\Gardo\Desktop\MBR.dat"
10:24:14.728 The log file has been saved successfully to "C:\Users\Gardo\Desktop\aswMBR.txt"
#39
- Bleepin Gringo
-
- Group: Malware Response Team
- Posts: 85,500
- Joined: 03-July 08
- Gender:Male
- Location:Puerto rico
Posted 25 July 2011 - 08:35 AM
Hello
I want you to rerun OTL but to change one of the settings
Under files scans on the right hand side - I want you to change this from 30 days to 90 days
click on scan and send me the new report
gringo
I want you to rerun OTL but to change one of the settings
Under files scans on the right hand side - I want you to change this from 30 days to 90 days
click on scan and send me the new report
gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know
If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic
Please Only Copy And Paste Reports Into Topic - Do Not Attach
My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here --><-- Don't worry every little bit helps.
If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic
Please Only Copy And Paste Reports Into Topic - Do Not Attach
My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->
<-- Don't worry every little bit helps.
#40
- Member
-
- Group: Members
- Posts: 22
- Joined: 01-July 11
Posted 27 July 2011 - 10:26 AM
I had my uncle fix the redirect, thanks for your help too! You can close this thread now!
#41
- Bleepin Gringo
-
- Group: Malware Response Team
- Posts: 85,500
- Joined: 03-July 08
- Gender:Male
- Location:Puerto rico
Posted 27 July 2011 - 12:42 PM
do you know what he did?
gringo
gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know
If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic
Please Only Copy And Paste Reports Into Topic - Do Not Attach
My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here --><-- Don't worry every little bit helps.
If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic
Please Only Copy And Paste Reports Into Topic - Do Not Attach
My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->
<-- Don't worry every little bit helps.
#42
- Member
-
- Group: Members
- Posts: 22
- Joined: 01-July 11
Posted 27 July 2011 - 12:52 PM
I will ask him what he did and I will send you a private message when he responds.
#43
- Bleepin Gringo
-
- Group: Malware Response Team
- Posts: 85,500
- Joined: 03-July 08
- Gender:Male
- Location:Puerto rico
Posted 27 July 2011 - 06:48 PM
ok thanks
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know
If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic
Please Only Copy And Paste Reports Into Topic - Do Not Attach
My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here --><-- Don't worry every little bit helps.
If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic
Please Only Copy And Paste Reports Into Topic - Do Not Attach
My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->
<-- Don't worry every little bit helps.
#44
- Bleepin Gringo
-
- Group: Malware Response Team
- Posts: 85,500
- Joined: 03-July 08
- Gender:Male
- Location:Puerto rico
Posted 30 July 2011 - 05:18 PM
It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know
If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic
Please Only Copy And Paste Reports Into Topic - Do Not Attach
My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here --><-- Don't worry every little bit helps.
If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic
Please Only Copy And Paste Reports Into Topic - Do Not Attach
My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->
<-- Don't worry every little bit helps.
