Get answers fast Google redirect


This topic is locked
7 replies to this topic

#1 Nicksdad
  • Members
  • 40 posts
  • OFFLINE
  • Local time:10:01 PM

Posted 12 July 2012 - 08:40 PM

I get intermittent redirects to a "get answers fast" website and it will sometimes appear to be downloading something to my computer. This all appeared to start with an e-mail from my son's hockey coach and a visit to a link for a team's website. It seemed to first download a bunch of trojans to my computer (ZeroAccess?), all of which were cleaned multiple times using too many different programs (Norton, Malwarebytes). I'm still functional, but this thing seems to keep coming back. Any help would be greatly appreciated.

EDIT Merged 3 posts into 1 ~~boopme

Hello Nicksdad
Please go here: Preparation Guide, do steps 6-9.

Create a DDS log and post it in this topic, thanks.

boopme,

Thanks for the quick reply. I got way ahead of myself before I decided I was in over my head and should just reach out for help. I did download combofix, but I can't tell if it ran or not.


DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by AITTCalandra at 0:34:48 on 2012-07-13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3572.2707 [GMT -4:00]
.
AV: Symantec Endpoint Protection *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
c:\drivers\audio\r201108\stacsv.exe
C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe
C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe
svchost.exe
C:\Program Files\Altiris\AClient\AClient.exe
C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
C:\WINDOWS\system32\ccsrvc.exe
C:\Program Files\Altiris\Carbon Copy\shellker.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\IBM\Lotus\Notes\nsd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Atlas Copco Tools AB\MTCom\MTComSvc.exe
C:\Program Files\NTI\NTI Backup Now EZ\BackupNowEZSvr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rpcnet.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
C:\Program Files\Atlas Copco Tools AB\ACTLicense\ACTLicenseServer.exe
C:\PROGRA~1\Altiris\CARBON~1\client.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Altiris\Altiris Agent\AeXAgentUIHost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\WINDOWS\system32\AESTFltr.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\Altiris\AClient\AClntUsr.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\NTI\NTI Backup Now EZ\BackupNowEZtray.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Citrix\GoToMeeting\880\g2mstart.exe
C:\Program Files\Atlas Copco Tools AB\MTCom\MTComMonitor.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Citrix\GoToMeeting\880\g2mcomm.exe
C:\Program Files\Citrix\GoToMeeting\880\g2mlauncher.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [GoToMeeting] "c:\program files\citrix\gotomeeting\880\g2mstart.exe" "/Trigger RunAtLogon"
mRun: [AeXAgentLogon] c:\program files\altiris\altiris agent\AeXAgentActivate.exe /logon
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
mRun: [AESTFltr] %SystemRoot%\system32\AESTFltr.exe /NoDlg
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [AT&T Communication Manager] "c:\program files\at&t\communication manager\ATTCM.exe" -a
mRun: [AClntUsr] c:\program files\altiris\aclient\AClntUsr.EXE
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [RIMBBLaunchAgent.exe] c:\program files\common files\research in motion\usb drivers\RIMBBLaunchAgent.exe
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe
mRun: [HP Software Update] "c:\program files\hewlett-packard\hp software update\HPWuSchd2.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [BackupNowEZtray] "c:\program files\nti\nti backup now ez\BackupNowEZtray.exe" -k
mRun: [utisys] "c:\windows\system32\rundll32.exe" "c:\documents and settings\aittcalandra\application data\utisys.dll",ReadFileTransforms
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\aittca~1\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mtcomm~1.lnk - c:\program files\atlas copco tools ab\mtcom\MTComMonitor.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
uPolicies-explorer: HideSCAHealth = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} - hxxps://acquickr.atlascopco.com/qp2.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1266410745625
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{F091CB57-4293-4369-B663-71AAAC863D4E} : DhcpNameServer = 192.168.0.1
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Notify: ckpNotify - ckpNotify.dll
Notify: PCANotify - PCANotify.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
.
============= SERVICES / DRIVERS ===============
.
R0 a320raid;a320raid;c:\windows\system32\drivers\a320raid.sys [2006-12-10 218112]
R0 aac;PERC 320/DC SCSI RAID Miniport Driver;c:\windows\system32\drivers\aac.sys [2006-12-10 48140]
R0 aarich;aarich;c:\windows\system32\drivers\aarich.sys [2006-12-10 204800]
R0 megasas;DELL PERC RAID Driver;c:\windows\system32\drivers\megasas.sys [2006-12-10 19200]
R1 AW_HOST;AW_HOST;c:\windows\system32\drivers\AW_HOST5.sys [2003-5-5 24365]
R1 awlegacy;awlegacy;c:\windows\system32\drivers\AWLEGACY.sys [2003-4-21 10901]
R1 CCDevice;CCDevice;c:\windows\system32\drivers\CCDevice.sys [2007-5-29 9216]
R1 FW1;SecuRemote Miniport;c:\windows\system32\drivers\fw.sys [2009-2-25 2234320]
R2 ACTLicenseServer;ACT License Server;c:\program files\atlas copco tools ab\actlicense\ACTLicenseServer.exe [2011-3-2 1250304]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2011-12-13 108392]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2011-12-13 108392]
R2 CP_OMDRV;Check Point Office Mode Module;c:\windows\system32\drivers\omdrv.sys [2007-5-24 36400]
R2 Credential Vault Host Control Service;Credential Vault Host Control Service;c:\program files\broadcom corporation\broadcom ush host components\cv\bin\HostControlService.exe [2008-11-11 808296]
R2 Credential Vault Host Storage;Credential Vault Host Storage;c:\program files\broadcom corporation\broadcom ush host components\cv\bin\HostStorageService.exe [2008-11-11 20840]
R2 Lotus Notes Diagnostics;Lotus Notes Diagnostics;c:\program files\ibm\lotus\notes\nsd.exe [2008-12-6 3315080]
R2 MTCom;MTCom;c:\program files\atlas copco tools ab\mtcom\MTComSvc.exe [2012-2-27 186368]
R2 NTI BackupNowEZSvr;NTI BackupNowEZSvr;c:\program files\nti\nti backup now ez\BackupNowEZSvr.exe [2011-9-23 45592]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2011-12-13 1839776]
R2 VNASC;Check Point Virtual Network Adapter - SecureClient;c:\windows\system32\drivers\vnasc.sys [2007-5-24 109072]
R2 VPN-1;VPN-1 Module;c:\windows\system32\drivers\vpn.sys [2009-2-25 671472]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2009-2-6 112128]
R3 CCIDFILTER;Broadcom Smart Card Reader Filter Driver;c:\windows\system32\drivers\ccidflt.sys [2009-2-6 12840]
R3 cvusbdrv;Broadcom USH CV;c:\windows\system32\drivers\cvusbdrv.sys [2009-2-6 32808]
R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [2009-2-6 244368]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2012-6-28 106656]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20120712.016\NAVENG.SYS [2012-7-12 87928]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20120712.016\NAVEX15.SYS [2012-7-12 1589752]
R3 OA001Afx;Provides a software interface to control audio effects of OA001 camera.;c:\windows\system32\drivers\OA001Afx.sys [2009-2-6 148056]
R3 OA001Ufd;Creative Camera OA001 Upper Filter Driver;c:\windows\system32\drivers\OA001Ufd.sys [2009-2-6 144672]
R3 OA001Vid;Creative Camera OA001 Function Driver;c:\windows\system32\drivers\OA001Vid.sys [2009-2-6 277440]
S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
S0 vmscsi;vmscsi;c:\windows\system32\drivers\vmscsi.sys --> c:\windows\system32\drivers\vmscsi.sys [?]
S3 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\at&t\communication manager\RcAppSvc.exe [2008-11-21 113152]
S3 awhost32;pcAnywhere Host Service;c:\program files\symantec\pcanywhere\awhost32.exe [2003-5-29 106496]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\lavasoft\ad-aware\kernexplorer.sys --> c:\program files\lavasoft\ad-aware\KernExplorer.sys [?]
S3 NPF;WinPcap Packet Driver (NPF);c:\windows\system32\drivers\npf.sys [2012-7-7 50704]
.
=============== Created Last 30 ================
.
2012-07-13 00:33:56 -------- d-s---w- C:\ComboFix
2012-07-11 15:16:41 -------- d--h--w- c:\documents and settings\aittcalandra\application data\C2B0B8D2
2012-07-11 02:32:56 -------- d-----w- c:\documents and settings\aittcalandra\local settings\application data\Google
2012-07-11 02:32:18 -------- d-----w- c:\program files\AVAST Software
2012-07-11 02:32:18 -------- d-----w- c:\documents and settings\all users\application data\AVAST Software
2012-07-09 01:37:37 -------- d-----w- c:\documents and settings\all users\application data\Norton
2012-07-09 01:37:37 -------- d-----w- c:\documents and settings\aittcalandra\local settings\application data\NPE
2012-07-08 02:30:18 -------- d-----w- c:\documents and settings\all users\application data\Downloaded Installations
2012-07-08 02:29:25 -------- d-----w- c:\program files\GFI Software
2012-07-07 23:34:57 381952 ----a-w- c:\documents and settings\aittcalandra\application data\utisys.dll
2012-07-07 23:34:20 50704 ----a-w- c:\windows\system32\drivers\npf.sys
2012-07-07 23:34:20 281104 ----a-w- c:\windows\system32\wpcap.dll
2012-07-07 23:34:20 100880 ----a-w- c:\windows\system32\Packet.dll
2012-07-07 23:34:02 -------- d-----w- c:\documents and settings\all users\application data\F4D55F3B09CF19E0005CC79CD151FC4E
2012-06-28 14:49:09 -------- d-sh--w- C:\found.000
2012-06-25 12:11:06 -------- d-----w- c:\program files\Citrix
2012-06-25 12:10:39 60304 ----a-w- c:\documents and settings\aittcalandra\g2mdlhlpx.exe
.
==================== Find3M ====================
.
2012-07-13 04:25:45 17920 ----a-w- c:\windows\system32\rpcnetp.exe
2012-07-13 04:25:43 58288 ----a-w- c:\windows\system32\rpcnet.dll
2012-07-13 04:04:56 17920 ----a-w- c:\windows\system32\rpcnetp.dll
2012-07-12 22:33:15 2401 ----a-w- c:\windows\system32\drivers\AlKernel.sys
2012-07-03 17:46:44 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-28 14:54:35 58288 ------w- c:\windows\system32\rpcnet.exe
2012-06-14 11:29:23 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-06-14 11:29:23 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2011-06-05 02:37:06 3423888 ----a-w- c:\program files\Setup_ExcelMenu.exe
.
============= FINISH: 0:35:26.04 ===============

Edited by boopme, 13 July 2012 - 01:20 PM.
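An added triage helper for logs like the one above (example code written for this thread, not part of DDS, ComboFix or BleepingComputer's own tooling): it parses the uRun/mRun/dRun lines of a DDS "Pseudo HJT Report", flags autoruns that load from profile-writable directories or hand rundll32 a DLL outside Windows/Program Files, and cross-checks each target against the log's own "Created Last 30" section. The sample lines are copied from the log posted in this thread; the reasons it returns mark entries for a human to review, not a verdict on any file.

```python
import re

# DDS prints autoruns as "<key>: [<name>] <command>"; uRun = current user,
# mRun = machine (HKLM), dRun = default user hive.
RUN_RE = re.compile(r"^(?P<key>[umd]Run): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# "Created Last 30" rows: "<date> <time> <size|-------> <attrs> <path>"
CREATED_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(?:\d+|-+)\s+\S+\s+(.+)$")
TOKEN_RE = re.compile(r'"([^"]+)"|(\S+)')

# Profile-writable directories a legitimate XP autorun rarely loads from.
PROFILE_DIRS = ("\\application data\\", "\\local settings\\", "\\temp\\")
# Where a DLL handed to rundll32 is normally expected to live.
TRUSTED_DLL_PREFIXES = ("c:\\windows\\", "c:\\program files\\",
                        "%systemroot%", "%programfiles%")


def _tokens(cmd):
    """Split a command line into quoted or bare tokens, lower-cased."""
    return [(q or b).lower() for q, b in TOKEN_RE.findall(cmd)]


def triage_line(line):
    """Reasons a single uRun/mRun/dRun line deserves a closer look ([] if none)."""
    m = RUN_RE.match(line.strip())
    if not m:
        return []
    toks = _tokens(m.group("cmd"))
    reasons = [f"loads from a user-profile directory: {t}"
               for t in toks if any(d in t for d in PROFILE_DIRS)]
    # rundll32 is given "<dll>,<export>"; check where that DLL actually lives.
    if len(toks) > 1 and toks[0].endswith("rundll32.exe"):
        dll = toks[1].split(",")[0]
        if not dll.startswith(TRUSTED_DLL_PREFIXES):
            reasons.append(f"rundll32 loads a DLL outside Windows/Program Files: {dll}")
    return reasons


def triage_dds(text):
    """Map autorun name -> reasons, cross-checking targets against 'Created Last 30'."""
    created = {}
    for line in text.splitlines():
        c = CREATED_RE.match(line.strip())
        if c:
            created[c.group(2).lower()] = c.group(1)
    findings = {}
    for line in text.splitlines():
        m = RUN_RE.match(line.strip())
        if not m:
            continue
        reasons = triage_line(line)
        for t in _tokens(m.group("cmd")):
            path = t.split(",")[0]
            if path in created:
                reasons.append(f"target was created on {created[path]}: {path}")
        if reasons:
            findings[m.group("name")] = reasons
    return findings


# Sample input: three autorun lines and one "Created Last 30" row copied from
# the DDS log posted in this thread.
SAMPLE_DDS = r"""
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [utisys] "c:\windows\system32\rundll32.exe" "c:\documents and settings\aittcalandra\application data\utisys.dll",ReadFileTransforms
2012-07-07 23:34:57 381952 ----a-w- c:\documents and settings\aittcalandra\application data\utisys.dll
"""

if __name__ == "__main__":
    for name, why in triage_dds(SAMPLE_DDS).items():
        print(name)
        for r in why:
            print("  -", r)
```

Run against the full log, only the entries that pass none of the three checks are dropped, so an empty result means nothing in the autorun section stood out by these rules.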




#2 m0le
    Can U Dig It?
  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:03:01 AM

Posted 17 July 2012 - 08:30 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :thumbup2:
m0le is a proud member of UNITE

#3 Nicksdad
  • Topic Starter
  • Members
  • 40 posts
  • OFFLINE
  • Local time:10:01 PM

Posted 18 July 2012 - 10:17 PM

M0le,

Thanks for your reply. I've definitely installed too many programs and tried to do way too much already, so hopefully that didn't make things worse. If you need more info or need me to uninstall some of these virus removal tools it's no problem. I seem to run fine for the most part, but I still get very intermittent redirects and if I don't close them fast enough I have to go back and remove all the crap it downloads.

Edited by Nicksdad, 18 July 2012 - 10:18 PM.


#4 m0le
    Can U Dig It?
  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:03:01 AM

Posted 19 July 2012 - 02:15 PM

Can you run aswMBR and we'll look for rootkits first

Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

m0le is a proud member of UNITE

#5 Nicksdad
  • Topic Starter
  • Members
  • 40 posts
  • OFFLINE
  • Local time:10:01 PM

Posted 20 July 2012 - 08:53 AM

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-07-20 09:48:33
-----------------------------
09:48:33.281 OS Version: Windows 5.1.2600 Service Pack 3
09:48:33.281 Number of processors: 2 586 0x170A
09:48:33.281 ComputerName: AITLUS0277 UserName:
09:48:34.296 Initialize success
09:49:03.687 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
09:49:03.687 Disk 0 Vendor: WDC_WD16 08.0 Size: 152627MB BusType: 3
09:49:03.703 Disk 0 MBR read successfully
09:49:03.703 Disk 0 MBR scan
09:49:03.703 Disk 0 unknown MBR code
09:49:03.703 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 149 MB offset 63
09:49:03.718 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 152476 MB offset 305235
09:49:03.718 Disk 0 scanning sectors +312576705
09:49:03.796 Disk 0 scanning C:\WINDOWS\system32\drivers
09:49:12.265 Service scanning
09:49:22.515 Modules scanning
09:49:28.750 Disk 0 trace - called modules:
09:49:28.765 ntkrnlpa.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
09:49:28.765 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8afa7030]
09:49:29.093 3 CLASSPNP.SYS[ba0c8fd7] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x8a985028]
09:49:29.093 Scan finished successfully
09:50:01.765 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\AITTCalandra\Desktop\MBR.dat"
09:50:01.765 The log file has been saved successfully to "C:\Documents and Settings\AITTCalandra\Desktop\aswMBR.txt"

#6 m0le
    Can U Dig It?
  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:03:01 AM

Posted 20 July 2012 - 07:48 PM

Please run Combofix next

Please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications including Firewalls, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[screenshot of the ComboFix message]


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
m0le is a proud member of UNITE

#7 m0le
    Can U Dig It?
  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:03:01 AM

Posted 23 July 2012 - 08:00 PM

Hi,

I have not had a reply from you for 3 days. Can you please tell me if you still need help with your computer as I am unable to help other members with their problems while I have your topic still open. The time taken between posts can also change the situation with your PC making it more difficult to help you.

If you like you can PM me.

Thanks,


m0le
m0le is a proud member of UNITE

#8 m0le
    Can U Dig It?
  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:03:01 AM

Posted 24 July 2012 - 07:33 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.
m0le is a proud member of UNITE
