
Browser Pop-ups Adware


  • This topic is locked
21 replies to this topic

#1 BenjaminGordonT

BenjaminGordonT

  • Members
  • 202 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:40 AM

Posted 09 March 2015 - 01:31 PM

So I went to my mom's house this week and I discovered her computer had adware. Every time her browser starts up 4 or 5 new tabs/windows open up with links to malicious websites. The funny thing is they ALWAYS run through some kind of URL Shortening site like Adfly, sh.st, linkbucks, etc. This also happens whenever the browser is open, about every 10 minutes. The first thing I did when I saw it was to run AdwCleaner, Junkware Removal Tool, TDSSKiller, HitmanPro, and Malwarebytes. However none of them were able to obliterate the adware. I managed to stop the constant ads by using her hosts file to redirect all the URL Shortening sites to 127.0.0.1 where I set up a temporary Apache server that hosts an HTML file that sends a java message to the browser telling it to close the window. However this fix doesn't work very well because half the time the hosts file doesn't redirect and I have to keep adding URL Shortening sites to the list making it a long list. Plus the Close.Window Java Command only works in Internet Explorer. I have exhausted every means to remove this adware from her computer but I can't figure it out. Please help. I need to eradicate this malware from her computer before I leave next week so try to respond ASAP. I have attached logs from DDS, FRST, and HijackThis in a ZIP file in hopes that you can use them to find the source of the adware and help me remove it. If you need any more information I will be happy to provide it. Also this is the THIRD time I have posted this but it keeps disappearing 15 minutes after I post it. Any assistance is appreciated. Thanks,

 

-Benjamin




#2 nasdaq

nasdaq

  • Malware Response Team
  • 38,264 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:40 AM

Posted 11 March 2015 - 08:58 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.


start

CloseProcesses:

() C:\Users\James\AppData\Local\Temp\nsp91A7.tmp\ns3BDC.tmp
HKU\S-1-5-21-3777394043-3425140921-3123416925-1000\...\Run: [AVG-Secure-Search-Update_0214c] => C:\Users\James\AppData\Roaming\AVG 0214c Campaign\AVG-Secure-Search-Update-0214c.exe /PROMPT /mid=a0e24d789d1d47d2a880d1544f64a059-13a8dec66c479af512765a26c0388ade99e20160 /CMPID=0214c
HKU\S-1-5-21-3777394043-3425140921-3123416925-1000\...\Run: [winver.exe] => C:\ProgramData\Microsoft\Windows\Deep Layers\winver.exe [6786560 2014-09-16] (Microsoft Corporation)
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
FF Plugin: @microsoft.com/GENUINE -> disabled No File
R4 hitmanpro37; \??\C:\Windows\system32\drivers\hitmanpro37.sys [X]
U3 mbr; \??\C:\Users\James\AppData\Local\Temp\mbr.sys [X]
C:\Users\James\AppData\Local\Temp\nsp91A7.tmp
C:\Users\James\AppData\Local\Temp\feedback.dll
C:\Users\James\AppData\Local\Temp\jre-7u71-windows-i586-iftw.exe
C:\Users\James\AppData\Local\Temp\MouseKeyboardCenterx86_1033.exe
C:\Users\James\AppData\Local\Temp\oi_{F6B9BBC1-A919-40C1-BAF3-208017B05075}.exe
C:\Users\James\AppData\Local\Temp\ose00000.exe
C:\Users\James\AppData\Local\Temp\ose00001.exe
C:\Users\James\AppData\Local\Temp\ose00002.exe
C:\Users\James\AppData\Local\Temp\Quarantine.exe
C:\Users\James\AppData\Local\Temp\SkypeSetup.exe
C:\Users\James\AppData\Local\Temp\sqlite3.dll
C:\Users\James\AppData\Local\Temp\temp0NikeConnectconnect6pcupdate.exe
C:\Users\James\AppData\Local\Temp\temp1NikeConnectconnect6pcupdate.exe
C:\Users\James\AppData\Local\Temp\temp2NikeConnectconnect6pcupdate.exe

End

Save the file as fixlist.txt into the same folder as FRST.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Download Security Check by screen317 from here
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
p.s.
If the SecurityCheck program fails to run for any reason, run it as an Administrator.

If the site is busy or not available use this mirror site:
http://www.bleepingcomputer.com/download/securitycheck/

How is the computer running now?

======

#3 BenjaminGordonT

  • Topic Starter

Posted 11 March 2015 - 11:24 AM

Thanks, nasdaq.
 
I ran FRST with the fixlist.txt you gave me and it seemed to do the trick. No adware upon starting up the browser, so far so good. However I can't say whether it's 100% gone from my system yet. Here is the checkup.txt you asked for. Just for good measure I also added the Fixlog.txt that FRST created after the fix. I will await further instructions.
 
-Benjamin

Results of screen317's Security Check version 0.99.97
Windows 7 Service Pack 1 x86 (UAC is enabled)
Internet Explorer 11
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
AVG Internet Security 2015
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
Java 7 Update 71
Java version 32-bit out of Date!
Java 64-bit 8 Update 31
Adobe Flash Player 16.0.0.305
Adobe Reader XI
Mozilla Firefox 35.0.1 Firefox out of Date!
Google Chrome (40.0.2214.111)
Google Chrome (40.0.2214.115)
````````Process Check: objlist.exe by Laurent````````
Malwarebytes Anti-Malware mbamservice.exe
Malwarebytes Anti-Malware mbam.exe
AVG avgwdsvc.exe
AVG avgrsx.exe
AVG avgnsx.exe
AVG avgemc.exe
Malwarebytes Anti-Malware mbamscheduler.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 0%
````````````````````End of Log``````````````````````

Edited by nasdaq, 11 March 2015 - 12:41 PM.
log posted.


#4 nasdaq


Posted 11 March 2015 - 12:42 PM

Using the Add/Remove Programs applet delete this old version of Java 7 Update 71

===

If all is well.

To learn more about how to protect yourself while on the internet read this little guide best security practices keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/
===

#5 BenjaminGordonT


Posted 11 March 2015 - 07:32 PM

Done. The adware seems to be gone. I did a scan with Malwarebytes and SuperAntiSpyware and all seems to be well. I have installed Bitdefender Total Security in hopes that it will block this stuff better than AVG did. Thanks for your help nasdaq!

 

-Benjamin



#6 BenjaminGordonT


Posted 12 March 2015 - 07:18 AM

Darn. Well first I thought the problem was gone. But turned on my mom's PC today and the problem was back. It opened up a new tab and tried to go to http://209.126.115.159/?username=Lifure1993 before Malwarebytes blocked the site. I think the original adware is gone but there is still something deeper that is corrupting the system. Guess I still need your help nasdaq. Thanks,

 

-Benjamin


Edited by BenjaminsiPod, 12 March 2015 - 07:23 AM.


#7 nasdaq


Posted 12 March 2015 - 08:21 AM

Reset the browsers that have been compromised.

Reset Chrome...
Open Google Chrome, click on the menu icon, which is located at the top right of Google Chrome.
 
Click "Settings" then "Show advanced settings" at the bottom of the screen.
 
Click "Reset browser settings" button.
 
Restart Chrome.
====

Firefox:
Reset Default Browsing settings:
https://support.mozilla.org/en-US/kb/reset-firefox-easily-fix-problems?utm_expid=65912487-41.djHNRQY0RhaLvvtvcd0BQA.2&utm_referrer=https%3A%2F%2Fwww.google.ca%2F
===

Reset Internet Explorer:
Menu > Tools > Internet Options > Advanced Tab.
Click the Reset button on the bottom of the pane.
Click the Apply button.
Close IE.

===

#8 BenjaminGordonT


Posted 12 March 2015 - 10:14 AM

Done. But still getting pop-ups :(. In your defence the fix worked and the pop-ups are now few and far between. I'm starting to wonder whether this computer is double compromised and there is still a 2nd adware lurking. I await further instruction. Thanks.

 

-Benjamin



#9 BenjaminGordonT


Posted 12 March 2015 - 11:11 AM

Update: OK, so I decided out of desperation to try combofix (Yes I know I wasn't supposed to run it without permission but I was desperate and nothing seemed to be working). However once I ran combofix the ads stopped. I wasn't very optimistic however because this happened once when you gave me the original fix, the adware just came back on reboot. But after rebooting the computer I still didn't see any more ads. So I went to the combofix log and discovered it had quarantined a number of files, and upon further investigation I discovered one file that had matched both the combofix quarantine and the fix you gave me: winver.exe. So I uploaded that file to virustotal.com and BINGO! Identified by 8 antiviruses as adware! Combofix also quarantined a hidden exe on the C Drive that seems to be what recreates winver.exe whenever it is deleted upon reboot. I don't know if I am in the clear yet but this has definitely put a slamming halt to the rain of ads in my browser. I will upload the Combofix Log as well as the Quarantined files Log and the Add/Remove Programs Log for you to see. I will also post the link to the virustotal scan for winver.exe. Please tell me what to do next. Thanks for your help. And sorry for using combofix without permission although I am very glad it worked :)

 

-Benjamin

 

VirusTotal Scan of Winver.exe - https://www.virustotal.com/en/file/11b875350e03c0daae31dac7d91760f415155bcfefd4d2f1ceeb8db873d5221f/analysis/1426180927/


Edited by BenjaminsiPod, 12 March 2015 - 12:24 PM.


#10 nasdaq


Posted 12 March 2015 - 12:46 PM

It was my mistake. I should have deleted the file with my fix. Sorry.


If all is well.

To learn more about how to protect yourself while on the internet read this little guide best security practices keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/
===

#11 BenjaminGordonT


Posted 12 March 2015 - 12:54 PM

Your fix did delete the file don't get me wrong. But somehow it was recreated upon reboot. If it comes back I will let you know. Otherwise all is indeed well and I will read the article you gave me. Thanks a LOT for your help.

 

-Benjamin



#12 BenjaminGordonT


Posted 12 March 2015 - 01:45 PM

Shoot! I rebooted the computer and the adware is back. The malicious files are obviously being recreated upon reboot. But how can I find where and how this is happening and stop it? On another note Malwarebytes keeps blocking outbound requests by Internet Explorer and Chrome to access malicious tracking sites. I'm literally at my wits' end, I have absolutely no idea what to do. Sorry for the false report (again). Let me know what I should do nasdaq.

 

-Benjamin


Edited by BenjaminsiPod, 12 March 2015 - 01:55 PM.


#13 nasdaq


Posted 13 March 2015 - 07:22 AM

--RogueKiller--
  • Download & SAVE to your Desktop Download RogueKiller
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator" to start.
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • click on "delete"
  • Wait until the Status box shows "Deleting Finished"
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
  • Exit/Close RogueKiller
=======

Download http://public.avast.com/~gmerek/aswMBR.exe (aswMBR.exe) to your desktop. Double click the aswMBR.exe to run it.
  • Click the "Scan" button to start scan.
  • Upon completion of the scan, click Save log, and save it to your desktop. (Note - do not select any Fix at this time) <- IMPORTANT
  • Please paste the contents of that log in your next reply.
There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.
===

Wait for further instructions.

#14 BenjaminGordonT


Posted 13 March 2015 - 10:18 AM

RogueKiller V10.5.4.0 [Mar 12 2015] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : James [Administrator]
Started from : C:\Users\James\Desktop\RogueKiller.exe
Mode : Delete -- Date : 03/13/2015  10:12:05

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 20 ¤¤¤
[Suspicious.Path] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | wermgr : C:\ProgramData\Microsoft\Windows\WER\wermgr.exe [-] -> ERROR [0]
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\catchme -> ERROR [2]
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\aswMBR -> ERROR [2]
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\aswVmm -> ERROR [2]
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\catchme -> ERROR [2]
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\aswMBR -> ERROR [2]
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\aswVmm -> ERROR [2]
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\catchme -> ERROR [2]
[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer :  [UNITED STATES (US)][UNITED STATES (US)]  -> Replaced ()
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer :  [UNITED STATES (US)][UNITED STATES (US)]  -> Replaced ()
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters | DhcpNameServer :  [UNITED STATES (US)][UNITED STATES (US)]  -> Replaced ()
[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{F3D69135-2511-4800-8BA1-527FD97CD275} | DhcpNameServer :  [UNITED STATES (US)][UNITED STATES (US)]  -> Replaced ()
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{F3D69135-2511-4800-8BA1-527FD97CD275} | DhcpNameServer :  [UNITED STATES (US)][UNITED STATES (US)]  -> Replaced ()
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{F3D69135-2511-4800-8BA1-527FD97CD275} | DhcpNameServer :  [UNITED STATES (US)][UNITED STATES (US)]  -> Replaced ()
[PUM.DesktopIcons] HKEY_USERS\S-1-5-21-3777394043-3425140921-3123416925-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu | {59031A47-3F72-44A7-89C5-5595FE6B30EE} : 0  -> Replaced (0)
[PUM.DesktopIcons] HKEY_USERS\S-1-5-21-3777394043-3425140921-3123416925-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 0  -> Replaced (0)
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 0  -> Replaced (0)
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 0  -> Replaced (0)
[PUM.DesktopIcons] HKEY_USERS\S-1-5-21-3777394043-3425140921-3123416925-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 0  -> Replaced (0)
[PUM.DesktopIcons] HKEY_USERS\S-1-5-21-3777394043-3425140921-3123416925-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 0  -> Replaced (0)

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 3 ¤¤¤
[FIREFX:Addon] jv9yk88g.default : Video DownloadHelper [{b9db16a4-6edc-47ec-a1f4-b86292ed211d}] -> Deleted
[FIREFX:Addon] jv9yk88g.default : Mozilla Firefox hotfix [firefox-hotfix@mozilla.org] -> Deleted
[PUM.HomePage][FIREFX:Config] jv9yk88g.default : user_pref("browser.startup.homepage", "calvarynow.com"); -> Replaced (about:home)

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD10EZEX-08M2NA0 ATA Device +++++
--- User ---
[MBR] d0fb0ec2d59ff4a357315be5c3f88bef
[BSP] 182f0ffe5bf577b788ccf2304043bcd0 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 953767 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: Canon MX700 series USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive2: AM10 USB Device +++++
--- User ---
[MBR] d563707c095d40065400ed873e283cc5
[BSP] dec9f0908d0564afbcbcc26fa1ab4266 : Legit.Unknown MBR Code
Partition table:
0 - [XXXXXX] FAT16 (0x6) [VISIBLE] Offset (sectors): 32 | Size: 123 MB
User = LL1 ... OK
Error reading LL2 MBR! ([32] The request is not supported. )

============================================
RKreport_SCN_03132015_094226.log - RKreport_SCN_03132015_100945.log - RKreport_DEL_03132015_101010.log - RKreport_DEL_03132015_101115.log
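
Added example (not part of the thread, and not code from FRST or RogueKiller): the winver.exe Run entry in the post #2 fixlist and the wermgr Run entry tagged [Suspicious.Path] in the report above both point at a Windows binary name stored under C:\ProgramData instead of System32. This Python sketch parses Run-key lines in those two log formats and reports that mismatch; the allow-list, the regular expressions, the function name and the two constructed sample lines are assumptions made for the illustration, as is a default C:\Windows install.

```python
import ntpath
import re

# Assumed allow-list for this example: Windows binary name -> directories
# (lower-case) where the genuine copy lives on a default C:\Windows install.
SYS = {r"c:\windows\system32", r"c:\windows\syswow64"}
EXPECTED_DIRS = {
    "winver.exe": SYS,
    "wermgr.exe": SYS,
    "svchost.exe": SYS,
    "explorer.exe": {r"c:\windows", r"c:\windows\syswow64"},
}

# FRST style:        <hive>\...\Run: [name] => command [size date] (company)
FRST_RUN = re.compile(r"\\Run: \[(?P<name>[^\]]+)\] => (?P<cmd>.+)$")
# RogueKiller style: [tag] <hive>\...\Run | name : command [-] -> status
RK_RUN = re.compile(r"\\Run \| (?P<name>.+?) : (?P<cmd>.+)$")
# Unquoted paths may contain spaces, so take everything up to the first ".exe".
EXE_PATH = re.compile(r'"?(.+?\.exe)', re.IGNORECASE)

SAMPLE_LINES = [
    # From the fixlist in post #2 (FRST format).
    r"HKU\S-1-5-21-3777394043-3425140921-3123416925-1000\...\Run: [winver.exe] => C:\ProgramData\Microsoft\Windows\Deep Layers\winver.exe [6786560 2014-09-16] (Microsoft Corporation)",
    # From the RogueKiller report in post #14.
    r"[Suspicious.Path] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | wermgr : C:\ProgramData\Microsoft\Windows\WER\wermgr.exe [-] -> ERROR [0]",
    # Constructed lines (not from the thread): a genuine location and an
    # ordinary third-party autostart, neither of which should be reported.
    r"HKLM\...\Run: [winver] => C:\Windows\System32\winver.exe",
    r"HKLM\...\Run: [SampleApp] => C:\Program Files\SampleApp\sample.exe /background",
]


def find_masquerades(log_lines):
    """Return (value name, path) for Run entries whose file name is a known
    Windows binary but whose directory is not one of its expected homes."""
    findings = []
    for line in log_lines:
        entry = FRST_RUN.search(line) or RK_RUN.search(line)
        if not entry:
            continue  # not a Run-key line in either format
        exe = EXE_PATH.match(entry.group("cmd").strip())
        if not exe:
            continue  # autostart command does not reference an .exe
        path = exe.group(1)
        directory, filename = ntpath.split(path)
        expected = EXPECTED_DIRS.get(filename.lower())
        # The "(Microsoft Corporation)" label on the log line is ignored:
        # only the file name and its location are compared.
        if expected and directory.lower() not in expected:
            findings.append((entry.group("name").strip(), path))
    return findings


if __name__ == "__main__":
    for name, path in find_masquerades(SAMPLE_LINES):
        print(f"Run value {name!r} starts a system-named binary from {path}")
```

A match is a lead for review (hash the file, check what recreates it at boot), not a verdict on its own.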



#15 BenjaminGordonT


Posted 13 March 2015 - 10:20 AM

aswMBR version 1.0.1.2252 Copyright© 2014 AVAST Software
Run date: 2015-03-13 10:25:59
-----------------------------
10:25:59.588    OS Version: Windows 6.1.7601 Service Pack 1
10:25:59.588    Number of processors: 2 586 0xF0D
10:25:59.588    ComputerName: GORDON-PC  UserName: James
10:26:18.296    Initialize success
10:26:18.514    VM: initialized successfully
10:26:18.514    VM: Intel CPU virtualization not supported
10:26:54.209    AVAST engine defs: 15031300
10:27:06.379    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
10:27:06.379    Disk 0 Vendor: WDC_WD10EZEX-08M2NA0 01.01A01 Size: 953869MB BusType: 3
10:27:06.473    Disk 0 MBR read successfully
10:27:06.473    Disk 0 MBR scan
10:27:06.488    Disk 0 Windows 7 default MBR code
10:27:06.488    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS          100 MB offset 2048
10:27:06.504    Disk 0 Boot: NTFS     code=1
10:27:06.551    Disk 0 Partition 2 00     07    HPFS/NTFS NTFS       953767 MB offset 206848
10:27:06.582    Disk 0 scanning sectors +1953521664
10:27:06.722    Disk 0 scanning C:\Windows\system32\drivers
10:27:16.691    Service scanning
10:27:22.728    Service ehdrv C:\Windows\system32\DRIVERS\ehdrv.sys **LOCKED** 5
10:27:23.180    Service epfwwfpr C:\Windows\system32\DRIVERS\epfwwfpr.sys **LOCKED** 5
10:27:38.102    Modules scanning
10:27:38.102    Disk 0 trace - called modules:
10:27:38.117    ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll ataport.SYS pciide.sys
10:27:38.117    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86526788]
10:27:38.133    3 CLASSPNP.SYS[8c21059e] -> nt!IofCallDriver -> [0x860818d0]
10:27:38.133    5 ACPI.sys[8ba3d3d4] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x857a2908]
10:27:46.370    AVAST engine scan C:\Windows
10:27:50.770    AVAST engine scan C:\Windows\system32
10:30:10.743    AVAST engine scan C:\Windows\system32\drivers
10:30:22.958    AVAST engine scan C:\Users\James
10:42:23.718    AVAST engine scan C:\ProgramData
10:43:30.693    Disk 0 statistics 3519581/0/0 @ 2.91 MB/s
10:43:30.693    Scan finished successfully
10:45:35.642    Disk 0 MBR has been saved successfully to "C:\Users\James\Desktop\MBR.dat"
10:45:35.657    The log file has been saved successfully to "C:\Users\James\Desktop\aswMBR.txt"





