My Chrome and Opera are infected with the PC Keeper virus


This topic is locked
22 replies to this topic

#1 ExplodingMonkey

  • Members
  • 40 posts
  • Gender:Male

Posted 29 January 2017 - 01:02 AM

Greetings gentlemen. I am somehow infected with the PC Keeper Virus. I have tried everything I own to find and get rid of this virus, but haven't had luck with Malwarebytes, SUPERAntiSpyware, AdwCleaner. The advertisements pop up all the time, and with other advertisements in my Google search results. This is what the advert looks like.

http://i.imgur.com/jiN7PRU.jpg

I am using Windows 7 Ultimate 64-bit, Chrome 56.0.2924.76 and Opera 42.0.2393.517.

Please help me get rid of this virus.

ComboFix Log

ComboFix 17-01-29.01 - Donkey 01/29/2017   7:56.1.8 - x64
Microsoft Windows 7 Ultimate   6.1.7601.1.1252.1.1033.18.16361.10920 [GMT -6:00]
Running from: c:\users\Donkey\Desktop\ComboFix.exe
AV: Panda Free Antivirus *Disabled/Updated* {46AEFD02-ACA3-E038-1FA5-4A15EFD361E0}
FW: Panda Firewall *Disabled* {7E957C27-E6CC-E160-34FA-E3201100269B}
SP: Panda Free Antivirus *Disabled/Updated* {FDCF1CE6-8A99-EFB6-2515-716794542B5D}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
ADS - Windows: deleted 12 bytes in 1 streams.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\ntuser.pol
D:\install.exe
.
.
(((((((((((((((((((((((((   Files Created from 2016-12-28 to 2017-01-29  )))))))))))))))))))))))))))))))
.
.
2017-01-29 11:02 . 2017-01-29 11:02 75888 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{9620B196-7EE7-4E19-99EE-7A0957DAC309}\offreg.4396.dll
2017-01-29 03:56 . 2016-08-08 09:00 70360 ----a-w- c:\windows\system32\drivers\PSKMAD.sys
2017-01-29 03:37 . 2017-01-29 03:37 -------- d-----w- c:\users\Donkey\AppData\Roaming\Enigma Software Group
2017-01-29 03:37 . 2017-01-29 03:37 -------- d-----w- C:\sh4ldr
2017-01-29 03:36 . 2017-01-29 03:36 22704 ----a-w- c:\windows\system32\drivers\EsgScanner.sys
2017-01-29 01:15 . 2017-01-29 01:20 -------- d-----w- c:\program files (x86)\Darkest Dungeon
2017-01-28 03:47 . 2017-01-28 09:37 -------- d-----w- C:\AdwCleaner
2017-01-27 23:15 . 2017-01-28 21:20 192216 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2017-01-27 23:15 . 2017-01-28 09:52 -------- d-----w- c:\program files (x86)\Malwarebytes Anti-Malware
2017-01-27 23:15 . 2017-01-27 23:15 -------- d-----w- c:\programdata\Malwarebytes
2017-01-27 23:15 . 2016-03-10 20:09 64896 ----a-w- c:\windows\system32\drivers\mwac.sys
2017-01-27 23:15 . 2016-03-10 20:08 140672 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2017-01-27 23:15 . 2016-03-10 20:08 27008 ----a-w- c:\windows\system32\drivers\mbam.sys
2017-01-27 23:10 . 2017-01-09 19:45 12229912 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{9620B196-7EE7-4E19-99EE-7A0957DAC309}\mpengine.dll
2017-01-27 21:33 . 2017-01-27 23:19 -------- d-----w- c:\users\Donkey\AppData\Local\PowerMonitor
2017-01-27 21:33 . 2017-01-27 21:33 2048 ----a-w- c:\windows\SysWow64\winver.exe
2017-01-27 21:33 . 2017-01-27 21:33 833024 ----a-w- c:\windows\SysWow64\user32.dll
2017-01-27 21:33 . 2017-01-27 21:33 410624 ----a-w- c:\windows\SysWow64\systemcpl.dll
2017-01-27 21:33 . 2017-01-27 21:33 1536 ----a-w- c:\windows\SysWow64\sppcomapi.dll
2017-01-27 21:33 . 2017-01-27 21:33 113543 ----a-w- c:\windows\SysWow64\slmgr.vbs
2017-01-08 00:27 . 2017-01-08 00:28 -------- d-----w- c:\program files (x86)\Firewatch
2017-01-07 05:49 . 2017-01-07 05:49 -------- d-----w- c:\users\Donkey\AppData\Roaming\OpenOffice
2017-01-07 05:46 . 2017-01-07 05:46 -------- d-----w- c:\program files (x86)\OpenOffice 4
2017-01-07 02:24 . 2017-01-07 02:24 736952 ----a-w- c:\programdata\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore\Microsoft.MediaCenter.Sports.UI.dll
2017-01-07 02:24 . 2017-01-07 02:24 1707160 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\markup.dll
2017-01-07 02:24 . 2017-01-07 02:24 42168 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM\StartResources.dll
2017-01-07 02:24 . 2017-01-07 02:24 539984 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2017-01-06 04:09 . 2017-01-06 04:09 -------- d-----w- c:\users\Donkey\AppData\Local\Frima_Studio
2017-01-03 01:20 . 2017-01-03 01:20 -------- d-----w- c:\program files (x86)\EM01A
2017-01-02 10:43 . 2017-01-04 02:30 -------- d-----w- c:\program files (x86)\Warhammer Quest
2017-01-02 05:02 . 2017-01-02 07:22 -------- d-----w- c:\program files\Dungeon Rats
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2017-01-29 04:05 . 2016-09-09 14:20 352 ----a-w- c:\users\Donkey\AppData\Roaming\sp_data.sys
2016-12-09 06:59 . 2016-12-09 06:59 53248 ----a-w- c:\windows\SysWow64\zlib.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2016-04-18 . 06BF84D26A05D400F6B3FB3D3DE0B03A . 1008640 . . [6.1.7601.17514] .. c:\windows\winsxs\amd64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.19061_none_2b252a2884278aa2\user32.dll
[7] 2016-04-18 . E42CB2576D5C8456C60988B1C908F41A . 1009152 . . [6.1.7601.23265] .. c:\windows\winsxs\amd64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.23265_none_2bb2ca019d418cef\user32.dll
[7] 2010-11-21 . FE70103391A64039A921DBFFF9C7AB1B . 1008128 . . [6.1.7601.17514] .. c:\windows\winsxs\amd64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_2b5e71b083fc0973\user32.dll
[-] 2016-04-18 . E573BD9AB55C8E333C202B9E255F972E . 1008640 . . [6.1.7601.17514] .. c:\windows\system32\user32.dll
.
[-] 2017-01-27 . 2C9CC9F492CA596B1B9FC1AE5E916356 . 833024 . . [6.1.7601.17514] .. c:\windows\SysWOW64\user32.dll
[7] 2016-04-18 . 0A78439765E31510D75C9E2284F3A722 . 833024 . . [6.1.7601.17514] .. c:\windows\winsxs\wow64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.19061_none_3579d47ab8884c9d\user32.dll
[7] 2016-04-18 . D0A3A0DBF77EE35CE97E55DE92014E05 . 833024 . . [6.1.7601.23265] .. c:\windows\winsxs\wow64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.23265_none_36077453d1a24eea\user32.dll
[7] 2010-11-21 . 5E0DB2D8B2750543CD2EBB9EA8E6CDD3 . 833024 . . [6.1.7601.17514] .. c:\windows\winsxs\wow64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_35b31c02b85ccb6e\user32.dll
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2016-12-21 27262432]
"GUDelayStartup"="c:\program files (x86)\Glary Utilities 5\StartupManager.exe" [2016-09-05 43984]
"Google Photos Backup"="c:\users\Donkey\AppData\Local\Programs\Google\Google Photos Backup\Google Photos Backup.exe" [2016-04-08 3790936]
"Spotify Web Helper"="c:\users\Donkey\AppData\Roaming\Spotify\SpotifyWebHelper.exe" [2016-09-09 1523312]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2017-01-28 7943072]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Wireless Console 3"="c:\program files (x86)\ASUS\Wireless Console 3\wcourier.exe" [2012-02-02 2321072]
"ATKOSD2"="c:\program files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe" [2011-12-23 318080]
"ATKMEDIA"="c:\program files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe" [2011-10-24 174720]
"HControlUser"="c:\program files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe" [2009-06-19 105016]
"ACMON"="c:\program files (x86)\ASUS\Splendid\ACMON.exe" [2012-02-07 102568]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2014-06-27 408888]
"FLxHCIm64"="c:\program files\Fresco Logic\Fresco Logic USB3.0 Host Controller\amd64_host\FLxHCIm.exe" [2012-01-15 48128]
"Wondershare Helper Compact.exe"="c:\program files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe" [2014-09-11 2087264]
"PSUAMain"="c:\program files (x86)\Panda Security\Panda Security Protection\PSUAMain.exe" [2016-08-05 109824]
"iSkysoft Helper Compact.exe"="c:\program files (x86)\Common Files\iSkysoft\iSkysoft Helper Compact\ISHelper.exe" [2016-06-20 2131856]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2016-09-23 587288]
"Malwarebytes Anti-Exploit"="c:\program files (x86)\Malwarebytes Anti-Exploit\mbae.exe" [2016-12-14 2650576]
"Gaming Mouse Driver"="c:\program files (x86)\EM01A\Monitor.exe" [2014-11-19 761856]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ   autocheck autochk * 
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NanoServiceMain]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSUAService]
@="Service"
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 Freemake Improver;Freemake Improver;c:\programdata\Freemake\FreemakeUtilsService\FreemakeUtilsService.exe;c:\programdata\Freemake\FreemakeUtilsService\FreemakeUtilsService.exe [x]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe [x]
R2 SpyHunter 4 Service;SpyHunter 4 Service;c:\program files\Enigma Software Group\SpyHunter\SH4Service.exe;c:\program files\Enigma Software Group\SpyHunter\SH4Service.exe [x]
R3 AMPPALP;Intel® Centrino® Wireless Bluetooth® + High Speed Protocol;c:\windows\system32\DRIVERS\amppal.sys;c:\windows\SYSNATIVE\DRIVERS\amppal.sys [x]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys;c:\windows\SYSNATIVE\drivers\dmvsc.sys [x]
R3 EsgScanner;EsgScanner;c:\windows\system32\DRIVERS\EsgScanner.sys;c:\windows\SYSNATIVE\DRIVERS\EsgScanner.sys [x]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe [x]
R3 MyWiFiDHCPDNS;Wireless PAN DHCP Server;c:\program files\Intel\WiFi\bin\PanDhcpDns.exe;c:\program files\Intel\WiFi\bin\PanDhcpDns.exe [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]
R3 Revoflt;Revoflt;c:\windows\system32\DRIVERS\revoflt.sys;c:\windows\SYSNATIVE\DRIVERS\revoflt.sys [x]
R3 RSUSBVSTOR;RtsUVStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RTSUVSTOR.sys;c:\windows\SYSNATIVE\Drivers\RTSUVSTOR.sys [x]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys;c:\windows\SYSNATIVE\drivers\synth3dvsc.sys [x]
R3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys;c:\windows\SYSNATIVE\drivers\terminpt.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys;c:\windows\SYSNATIVE\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys;c:\windows\SYSNATIVE\drivers\rdvgkmd.sys [x]
R4 RsFx0300;RsFx0300 Driver;c:\windows\system32\DRIVERS\RsFx0300.sys;c:\windows\SYSNATIVE\DRIVERS\RsFx0300.sys [x]
R4 SQLAgent$SIXBITDBSERVER;SQL Server Agent (SIXBITDBSERVER);c:\program files\Microsoft SQL Server\MSSQL12.SIXBITDBSERVER\MSSQL\Binn\SQLAGENT.EXE;c:\program files\Microsoft SQL Server\MSSQL12.SIXBITDBSERVER\MSSQL\Binn\SQLAGENT.EXE [x]
S1 ATKWMIACPIIO;ATKWMIACPI Driver;c:\program files (x86)\ASUS\ATK Package\ATK WMIACPI\atkwmiacpi64.sys;c:\program files (x86)\ASUS\ATK Package\ATK WMIACPI\atkwmiacpi64.sys [x]
S1 ESProtectionDriver;Malwarebytes Anti-Exploit;c:\program files (x86)\Malwarebytes Anti-Exploit\mbae64.sys;c:\program files (x86)\Malwarebytes Anti-Exploit\mbae64.sys [x]
S1 GUBootStartup;GUBootStartup;c:\windows\System32\drivers\GUBootStartup.sys;c:\windows\SYSNATIVE\drivers\GUBootStartup.sys [x]
S1 NNSALPC;NNSALPC;c:\windows\system32\DRIVERS\NNSAlpc.sys;c:\windows\SYSNATIVE\DRIVERS\NNSAlpc.sys [x]
S1 NNSHTTP;NNSHTTP;c:\windows\system32\DRIVERS\NNSHttp.sys;c:\windows\SYSNATIVE\DRIVERS\NNSHttp.sys [x]
S1 NNSHTTPS;NNSHTTPS;c:\windows\system32\DRIVERS\NNSHttps.sys;c:\windows\SYSNATIVE\DRIVERS\NNSHttps.sys [x]
S1 NNSIDS;NNSIDS;c:\windows\system32\DRIVERS\NNSIds.sys;c:\windows\SYSNATIVE\DRIVERS\NNSIds.sys [x]
S1 NNSNAHSL;Network Activity Hook Server LightWeight Filter Driver;c:\windows\system32\DRIVERS\NNSNAHSL.sys;c:\windows\SYSNATIVE\DRIVERS\NNSNAHSL.sys [x]
S1 NNSPICC;NNSPICC;c:\windows\system32\DRIVERS\NNSPicc.sys;c:\windows\SYSNATIVE\DRIVERS\NNSPicc.sys [x]
S1 NNSPIHSW;NNSPIHSW;c:\windows\system32\DRIVERS\NNSPihsw.sys;c:\windows\SYSNATIVE\DRIVERS\NNSPihsw.sys [x]
S1 NNSPOP3;NNSPOP3;c:\windows\system32\DRIVERS\NNSPop3.sys;c:\windows\SYSNATIVE\DRIVERS\NNSPop3.sys [x]
S1 NNSPROT;NNSPROT;c:\windows\system32\DRIVERS\NNSProt.sys;c:\windows\SYSNATIVE\DRIVERS\NNSProt.sys [x]
S1 NNSPRV;NNSPRV;c:\windows\system32\DRIVERS\NNSPrv.sys;c:\windows\SYSNATIVE\DRIVERS\NNSPrv.sys [x]
S1 NNSSMTP;NNSSMTP;c:\windows\system32\DRIVERS\NNSSmtp.sys;c:\windows\SYSNATIVE\DRIVERS\NNSSmtp.sys [x]
S1 NNSSTRM;NNSSTRM;c:\windows\system32\DRIVERS\NNSStrm.sys;c:\windows\SYSNATIVE\DRIVERS\NNSStrm.sys [x]
S1 NNSTLSC;NNSTLSC;c:\windows\system32\DRIVERS\NNSTlsc.sys;c:\windows\SYSNATIVE\DRIVERS\NNSTlsc.sys [x]
S1 PSINKNC;PSINKNC;c:\windows\system32\DRIVERS\psinknc.sys;c:\windows\SYSNATIVE\DRIVERS\psinknc.sys [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [x]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [x]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [x]
S2 AGSService;Adobe Genuine Software Integrity Service;c:\program files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe;c:\program files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe [x]
S2 AMPPALR3;Intel® Centrino® Wireless Bluetooth® + High Speed Service;c:\program files\Intel\BluetoothHS\BTHSAmpPalService.exe;c:\program files\Intel\BluetoothHS\BTHSAmpPalService.exe [x]
S2 Apple Mobile Device Service;Apple Mobile Device Service;c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe;c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [x]
S2 ASMMAP64;ASMMAP64;c:\program files (x86)\ASUS\ATK Package\ATKGFNEX\ASMMAP64.sys;c:\program files (x86)\ASUS\ATK Package\ATKGFNEX\ASMMAP64.sys [x]
S2 BTHSSecurityMgr;Intel® Centrino® Wireless Bluetooth® + High Speed Security Service;c:\program files\Intel\BluetoothHS\BTHSSecurityMgr.exe;c:\program files\Intel\BluetoothHS\BTHSSecurityMgr.exe [x]
S2 KMS-R@1n;KMS-R@1n;c:\windows\KMS-R@1n.exe;c:\windows\KMS-R@1n.exe [x]
S2 MbaeSvc;Malwarebytes Anti-Exploit Service;c:\program files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe;c:\program files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe [x]
S2 MSSQL$SIXBITDBSERVER;SQL Server (SIXBITDBSERVER);c:\program files\Microsoft SQL Server\MSSQL12.SIXBITDBSERVER\MSSQL\Binn\sqlservr.exe;c:\program files\Microsoft SQL Server\MSSQL12.SIXBITDBSERVER\MSSQL\Binn\sqlservr.exe [x]
S2 NanoServiceMain;Panda Protection Service;c:\program files (x86)\Panda Security\Panda Security Protection\PSANHost.exe;c:\program files (x86)\Panda Security\Panda Security Protection\PSANHost.exe [x]
S2 NvNetworkService;NVIDIA Network Service;c:\program files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe;c:\program files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe [x]
S2 NvStreamSvc;NVIDIA Streamer Service;c:\program files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe;c:\program files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe [x]
S2 PandaAgent;Panda Devices Agent;c:\program files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe;c:\program files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe [x]
S2 PSINAflt;PSINAflt;c:\windows\system32\DRIVERS\PSINAflt.sys;c:\windows\SYSNATIVE\DRIVERS\PSINAflt.sys [x]
S2 PSINFile;PSINFile;c:\windows\system32\DRIVERS\PSINFile.sys;c:\windows\SYSNATIVE\DRIVERS\PSINFile.sys [x]
S2 PSINProc;PSINProc;c:\windows\system32\DRIVERS\PSINProc.sys;c:\windows\SYSNATIVE\DRIVERS\PSINProc.sys [x]
S2 PSINProt;PSINProt;c:\windows\system32\DRIVERS\PSINProt.sys;c:\windows\SYSNATIVE\DRIVERS\PSINProt.sys [x]
S2 PSINReg;PSINReg;c:\windows\system32\DRIVERS\PSINReg.sys;c:\windows\SYSNATIVE\DRIVERS\PSINReg.sys [x]
S2 PSUAService;Panda Product Service;c:\program files (x86)\Panda Security\Panda Security Protection\PSUAService.exe;c:\program files (x86)\Panda Security\Panda Security Protection\PSUAService.exe [x]
S2 RunSwUSB;RunSwUSB;c:\windows\runSW.exe;c:\windows\runSW.exe [x]
S2 SplashtopRemoteService;Splashtop® Remote Service;c:\program files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe;c:\program files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe [x]
S2 SSUService;Splashtop Software Updater Service;c:\program files (x86)\Splashtop\Splashtop Software Updater\SSUService.exe;c:\program files (x86)\Splashtop\Splashtop Software Updater\SSUService.exe [x]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe [x]
S2 ZeroConfigService;Intel® PROSet/Wireless Zero Configuration Service;c:\program files\Intel\WiFi\bin\ZeroConfigService.exe;c:\program files\Intel\WiFi\bin\ZeroConfigService.exe [x]
S3 AMPPAL;Intel® Centrino® Wireless Bluetooth® + High Speed Virtual Adapter;c:\windows\system32\DRIVERS\AMPPAL.sys;c:\windows\SYSNATIVE\DRIVERS\AMPPAL.sys [x]
S3 FLxHCIc;Fresco Logic xHCI (USB3) Device Driver;c:\windows\system32\DRIVERS\FLxHCIc.sys;c:\windows\SYSNATIVE\DRIVERS\FLxHCIc.sys [x]
S3 FLxHCIh;Fresco Logic xHCI (USB3) Hub Device Driver;c:\windows\system32\DRIVERS\FLxHCIh.sys;c:\windows\SYSNATIVE\DRIVERS\FLxHCIh.sys [x]
S3 MBfilt;MBfilt;c:\windows\system32\drivers\MBfilt64.sys;c:\windows\SYSNATIVE\drivers\MBfilt64.sys [x]
S3 NvStreamKms;NvStreamKms;c:\program files\NVIDIA Corporation\NvStreamSrv\NvStreamKms.sys;c:\program files\NVIDIA Corporation\NvStreamSrv\NvStreamKms.sys [x]
S3 NvStreamNetworkSvc;NVIDIA Streamer Network Service;c:\program files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe;c:\program files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe [x]
S3 nvvad_WaveExtensible;NVIDIA Virtual Audio Device (Wave Extensible) (WDM);c:\windows\system32\drivers\nvvad64v.sys;c:\windows\SYSNATIVE\drivers\nvvad64v.sys [x]
S3 PSKMAD;PSKMAD;c:\windows\system32\DRIVERS\PSKMAD.sys;c:\windows\SYSNATIVE\DRIVERS\PSKMAD.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ   SSDPSRV upnphost SCardSvr QWAVE wcncsvc
.
Contents of the 'Scheduled Tasks' folder
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvBackend"="c:\program files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe" [2016-05-02 2398776]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2016-12-06 176440]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = 
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office16\EXCEL.EXE/3000
TCP: DhcpNameServer = 129.176.209.100 129.176.217.100
FF - ProfilePath - c:\users\Donkey\AppData\Roaming\Mozilla\Firefox\Profiles\ypz587h8.default\
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKLM-Run-ProductUpdater - c:\program files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe
Wow6432Node-HKU-Default-Run-GarminExpressTrayApp - c:\program files (x86)\Garmin\Express Tray\ExpressTray.exe
ShellIconOverlayIdentifiers-{472083B0-C522-11CF-8763-00608CC02F24} - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2017-01-29  08:03:27
ComboFix-quarantined-files.txt  2017-01-29 14:03
.
Pre-Run: 21,461,372,928 bytes free
Post-Run: 20,871,454,720 bytes free
.
- - End Of File - - C9C33E2B033A6417872C50C7340931BA
A36C5E4F47E84449FF07ED3517B43A31

Edited by hamluis, 29 January 2017 - 02:09 PM.
Merged posts, moved from AII to MRL - Hamluis.
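Two things in the ComboFix log above deserve a second look before any further tool is run: the UAC policy block (EnableLUA, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop are all 0, so User Account Control is effectively off on this machine) and which Run-key autostart entries load from user-writable paths such as AppData. The Python script below is an added example, not ComboFix code and not part of ExplodingMonkey's post; it parses the REGEDIT4-style blocks ComboFix prints and reports both. The sample input is an abridged copy of the log's own Run keys and policy block; the trusted-path list, the review threshold and the wording of the findings are my assumptions.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log.

Added example (not ComboFix's own code). It parses the REGEDIT4-style
blocks ComboFix prints and reports two things a responder checks first:
  1. UAC policy values that disable or weaken User Account Control, and
  2. Run-key autostart entries whose image sits outside Program Files or
     Windows, i.e. in a user-writable location such as AppData.
The second heuristic is a review queue, not a verdict: Spotify and Google
Photos Backup legitimately start from AppData, but that is also where
adware tends to install itself, so a reviewer wants those entries listed.
"""
import re

# Abridged copy of the Run keys and UAC policy block from the log above.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2016-12-21 27262432]
"Google Photos Backup"="c:\users\Donkey\AppData\Local\Programs\Google\Google Photos Backup\Google Photos Backup.exe" [2016-04-08 3790936]
"Spotify Web Helper"="c:\users\Donkey\AppData\Roaming\Spotify\SpotifyWebHelper.exe" [2016-09-09 1523312]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2017-01-28 7943072]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"""

KEY_RE = re.compile(r'^\[(?P<key>HKEY_[^\]]+)\]$')
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"')
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<val>\d+)\s+\(0x[0-9A-Fa-f]+\)')

# Assumption: these prefixes need admin rights to write to; anything else
# is treated as user-writable and queued for review.
TRUSTED_PREFIXES = ('c:\\program files', 'c:\\windows')

# UAC policy values as documented by Microsoft; 0 is the weak setting for each.
UAC_CHECKS = {
    'EnableLUA': 'UAC is disabled: admin users run every process fully elevated',
    'ConsentPromptBehaviorAdmin': 'administrators elevate without any prompt',
    'PromptOnSecureDesktop': 'elevation prompts are not shown on the secure desktop',
}


def parse_blocks(text):
    """Map each [HKEY_...] header to the value lines that follow it."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == '.':          # ComboFix uses '.' as a separator
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group('key')
            blocks.setdefault(current, [])
        elif current is not None:
            blocks[current].append(line)
    return blocks


def uac_findings(blocks):
    """Return a description for every checked UAC policy value that is 0."""
    findings = []
    for key, lines in blocks.items():
        if not key.lower().endswith('currentversion\\policies\\system'):
            continue
        values = {}
        for line in lines:
            m = DWORD_RE.match(line)
            if m:
                values[m.group('name')] = int(m.group('val'))
        for name, meaning in UAC_CHECKS.items():
            if values.get(name) == 0:
                findings.append(f'{name}=0: {meaning}')
    return findings


def autostart_findings(blocks):
    """Return (name, path) for Run entries loading from user-writable paths."""
    findings = []
    for key, lines in blocks.items():
        if not key.lower().endswith('\\run'):
            continue
        for line in lines:
            m = RUN_RE.match(line)
            if m and not m.group('path').lower().startswith(TRUSTED_PREFIXES):
                findings.append((m.group('name'), m.group('path')))
    return findings


if __name__ == '__main__':
    blocks = parse_blocks(SAMPLE_LOG)
    for finding in uac_findings(blocks):
        print('UAC   ', finding)
    for name, path in autostart_findings(blocks):
        print('REVIEW', f'{name} -> {path}')
```

Run it as a script to print the report, or import it and call uac_findings and autostart_findings on the text of any ComboFix log. On the sample above it reports the three weakened UAC values and queues Google Photos Backup and Spotify Web Helper, both of which start from AppData.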



#2 nasdaq

  • Malware Response Team
  • 38,587 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 30 January 2017 - 08:19 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section at the bottom of the topic, click the "More Reply Options" button.
[image: attachlogs.png]

Attach the file.
Click "Choose a File" and navigate to the location of the file.
Click the file you wish to attach.

Click the Add reply button.
===


Please post the logs for my review.

Wait for further instructions.

#3 ExplodingMonkey

  • Topic Starter
  • Members
  • 40 posts
  • Gender:Male

Posted 30 January 2017 - 01:17 PM

Done.

Attached Files



#4 nasdaq

  • Malware Response Team
  • 38,587 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 30 January 2017 - 02:44 PM

Press the Windows key [image: Windows_Logo_key.gif] + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click OK.

Please copy the entire contents of the code box below to a new file.
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

() C:\Windows\KMS-R@1n.exe
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
GroupPolicyScripts: Restriction <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-3602713331-3058630740-4036502352-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~1\MICROS~3\Office16\NPSPWRAP.DLL [No File]
FF Plugin: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
CHR Extension: (Ebates Cash Back) - C:\Users\Donkey\AppData\Local\Google\Chrome\User Data\Default\Extensions\chhjbpecpncaggjpdakmflnfcopglcmi [2017-01-11]
CHR Extension: (Speed Dial [FVD] - New Tab Page, 3D, Sync...) - C:\Users\Donkey\AppData\Local\Google\Chrome\User Data\Default\Extensions\llaficoajjainaijghjlofdfmbjpebpa [2017-01-29]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Donkey\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-01-21]
CHR Extension: (Chrome Media Router) - C:\Users\Donkey\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-01-29]
CHR HKLM\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - hxxps://clients2.google.com/service/update2/crx
R2 KMS-R@1n; C:\Windows\KMS-R@1n.exe [26112 2016-07-17] () [File not signed]
S2 SpyHunter 4 Service; C:\Program Files\Enigma Software Group\SpyHunter\SH4Service.exe [X]
U0 aswVmm; no ImagePath
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
CustomCLSID: HKU\S-1-5-21-3602713331-3058630740-4036502352-1000_Classes\CLSID\{590C4387-5EBD-4D46-8A84-CD0BA2EF2856}\InprocServer32 -> C:\Users\Donkey\AppData\Local\Google\Update\1.3.30.3\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3602713331-3058630740-4036502352-1000_Classes\CLSID\{59B55F04-DE14-4BB8-92FF-C4A22EF2E5F4}\InprocServer32 -> C:\Users\Donkey\AppData\Local\Google\Update\1.3.31.5\psuser_64.dll => No File
Task: {4F3CD643-9FA6-449B-8D3B-29860B73AC8F} - no filepath
Task: {8D1C73E7-A33E-46BF-9AD6-D2AAD39F27F5} - \Microsoft\Office\Office 15 Subscription Heartbeat -> No File <==== ATTENTION
2016-07-17 21:25 - 2016-07-17 21:25 - 00026112 _____ () C:\Windows\KMS-R@1n.exe
2016-10-09 22:23 - 2016-06-20 13:51 - 01506304 _____ () C:\Program Files (x86)\Common Files\iSkysoft\iSkysoft Helper Compact\DAQExp.dll
2016-10-09 22:23 - 2014-05-19 16:19 - 00137728 _____ () C:\Program Files (x86)\Common Files\iSkysoft\iSkysoft Helper Compact\CBSCreateVC.dll
FirewallRules: [{2D1B7D23-0377-4BFC-AB9E-37DA381874CC}] => C:\Windows\KMS-R@1n.exe
FirewallRules: [{07110707-A1E2-4D7C-8872-7C8EBE330A62}] => C:\Windows\KMS-R@1n.exe
C:\Windows\KMS-R@1n.exe
C:\Program Files (x86)\Common Files\iSkysoft

Reboot:

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Reset Chrome...
Open Google Chrome and click the menu icon [image: google-chrome-setting-icon.png], which is located at the top right of Google Chrome.
Click "Settings", then "Show advanced settings" at the bottom of the screen.
Click the "Reset browser settings" button.
Restart Chrome.
===

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

You can manually check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

Be careful not to install malware posing as a Java update!
Important: read this blog.
http://blog.trendmicro.com/trendlabs-security-intelligence/malware-poses-as-an-update-for-java-0-day-fix/

Quoted from the page:
"In light of the recent events surrounding Java, users must seriously consider their use of Java. Do they really need it? If yes, make sure that users follow the steps we recommended and get the security update directly from the official oracle website." at:
http://www.oracle.com/technetwork/java/javase/downloads/index.html

How to disable Java in your browsers
http://www.infoworld.com/t/web-browsers/how-disable-java-in-your-browsers-210882

If still present after these updates, remove the old version(s) via Control Panel > Programs > Programs and Features.
Java 8 Update 111 (64-bit) (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F64180111F0}) (Version: 8.0.1110.14 - Oracle Corporation)
Java 8 Update 111 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F32180111F0}) (Version: 8.0.1110.14 - Oracle Corporation)

Please let me know what problem persists with this computer.
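nasdaq's fixlist removes an unsigned service image in C:\Windows, the two firewall rules that reference it, and several browser policy "Restriction" entries. The following Python script is an added example (not FRST's code and not part of the post) that applies the same correlation to FRST-style lines: each service image collects one point per independent signal (unsigned, no publisher, placed directly in C:\Windows, referenced by firewall rules) and is flagged at two or more; policy restrictions are listed on their own, since settings enforced through policy keys are not undone by a browser's "Reset browser settings". The service, FirewallRules and Restriction lines are copied from the fixlist above; the ExampleBackupSvc line is a constructed benign control, the threshold is my assumption, and the line grammar is inferred from those samples rather than taken from FRST documentation.

```python
"""Correlate FRST entries that point at the same binary.

Added example, not FRST's code and not part of the post above. A service
line earns one point per independent signal and is flagged at `threshold`
points (an assumption, not an FRST rule). Browser/IE policy "Restriction"
lines are collected separately, because policy-enforced settings survive a
normal browser reset and need their own cleanup step.
"""
import re

# Lines copied from the fixlist above, plus one constructed benign control
# (ExampleBackupSvc is a made-up name) so a signed, published image is seen.
SAMPLE_FRST = r"""
R2 KMS-R@1n; C:\Windows\KMS-R@1n.exe [26112 2016-07-17] () [File not signed]
S2 SpyHunter 4 Service; C:\Program Files\Enigma Software Group\SpyHunter\SH4Service.exe [X]
R2 ExampleBackupSvc; C:\Program Files\Example\ExampleBackupSvc.exe [204800 2016-11-02] (Example Corp)
U0 aswVmm; no ImagePath
FirewallRules: [{2D1B7D23-0377-4BFC-AB9E-37DA381874CC}] => C:\Windows\KMS-R@1n.exe
FirewallRules: [{07110707-A1E2-4D7C-8872-7C8EBE330A62}] => C:\Windows\KMS-R@1n.exe
GroupPolicyScripts: Restriction <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
"""

# Grammar inferred from the sample lines: "<state> <name>; <path> [size date] (company) [flag]"
SERVICE_RE = re.compile(
    r'^(?P<state>[RSU]\d)\s+(?P<name>[^;]+);\s+(?P<path>.+?\.(?:exe|sys|dll))'
    r'(?:\s+\[(?P<size>\d+)\s+(?P<date>\d{4}-\d{2}-\d{2})\])?'
    r'(?:\s+\((?P<company>[^)]*)\))?'
    r'(?:\s+\[(?P<flag>[^\]]+)\])?', re.IGNORECASE)
FIREWALL_RE = re.compile(r'^FirewallRules:\s+\[(?P<rule>\{[^}]+\})\]\s+=>\s+(?P<path>.+?)\s*$')
RESTRICTION_RE = re.compile(r'^(?P<what>.+?):\s+Restriction\s+<=+\s+ATTENTION\s*$')


def score_service(svc, firewall):
    """Return the list of independent suspicion signals for one service entry."""
    reasons = []
    path = svc['path'].lower()
    if svc['flag'] and svc['flag'].lower() == 'file not signed':
        reasons.append('image is not signed')
    if svc['size'] and not svc['company']:      # file was examined but carries no publisher
        reasons.append('no publisher in version info')
    prefix = 'c:\\windows\\'
    if path.startswith(prefix) and '\\' not in path[len(prefix):]:
        reasons.append('image sits directly in C:\\Windows rather than a system subdirectory')
    rules = firewall.get(path, [])
    if rules:
        reasons.append(f'{len(rules)} firewall rule(s) reference it: ' + ', '.join(rules))
    return reasons


def triage(lines, threshold=2):
    """Parse FRST-style lines; flag services with >= threshold signals."""
    services, firewall, restrictions = [], {}, []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = SERVICE_RE.match(line)
        if m:
            services.append(m.groupdict())
            continue
        m = FIREWALL_RE.match(line)
        if m:
            firewall.setdefault(m.group('path').lower(), []).append(m.group('rule'))
            continue
        m = RESTRICTION_RE.match(line)
        if m:
            restrictions.append(m.group('what'))
    flagged = []
    for svc in services:
        reasons = score_service(svc, firewall)
        if len(reasons) >= threshold:
            flagged.append({'name': svc['name'], 'path': svc['path'], 'reasons': reasons})
    return {'flagged': flagged, 'restrictions': restrictions}


if __name__ == '__main__':
    report = triage(SAMPLE_FRST.splitlines())
    for item in report['flagged']:
        print(f"FLAG {item['name']} ({item['path']})")
        for reason in item['reasons']:
            print('     -', reason)
    for what in report['restrictions']:
        print('POLICY restriction:', what)
```

On the sample, only KMS-R@1n is flagged, with all four signals; the SpyHunter entry (no file details, nothing referencing it) and the constructed signed control score zero, and the three policy restrictions are listed for separate handling.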

#5 ExplodingMonkey

  • Topic Starter
  • Members
  • 40 posts
  • Gender:Male

Posted 30 January 2017 - 09:06 PM

Here is the log file. I will let you know in a little bit if everything is back to normal.

Attached Files



#6 ExplodingMonkey

  • Topic Starter
  • Members
  • 40 posts
  • Gender:Male

Posted 30 January 2017 - 11:21 PM

Thought things were clear, but still getting ads. Here's an example:

http://i.imgur.com/hwa55AO.jpg



#7 nasdaq

  • Malware Response Team
  • 38,587 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 31 January 2017 - 09:25 AM


Please run this tool.

Download the Junkware Removal Tool to your Desktop from this link.
http://www.bleepingcomputer.com/download/junkware-removal-tool/

Shut down your antivirus to avoid any conflicts.
Right-click the icon and disable it for, say, 20 minutes.
Right-click JRT.exe and select Run as administrator (if using XP, just double-click the icon to run it).
The tool will open and start scanning your system.
Please be patient as this can take a while to complete.
On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
Post the contents of JRT.txt into your next message.
======

Keep me posted.

#8 ExplodingMonkey

  • Topic Starter
  • Members
  • 40 posts
  • Gender:Male

Posted 31 January 2017 - 10:03 AM

Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.1.0 (12.05.2016)
Operating System: Windows 7 Ultimate x64 
Ran by Donkey (Administrator) on Tue 01/31/2017 at  9:01:12.34
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
File System: 10 
 
Successfully deleted: C:\Users\Donkey\AppData\Local\Google\Chrome\User Data\Default\Extensions\dajedkncpodkggklbegccjpmnglmnflm (Folder) 
Successfully deleted: C:\Users\Donkey\AppData\Roaming\3909 (Folder) 
Successfully deleted: C:\Users\Donkey\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1BKFNLGG (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Donkey\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HLG286QE (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Donkey\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\L4P4C7IW (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Donkey\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RA43CA2C (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1BKFNLGG (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HLG286QE (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\L4P4C7IW (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RA43CA2C (Temporary Internet Files Folder) 
 
 
 
Registry: 2 
 
Successfully deleted: HKLM\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} (Registry Key)
Successfully deleted: HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} (Registry Key)
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Tue 01/31/2017 at  9:03:18.63
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


#9 nasdaq

nasdaq

  • Malware Response Team
  • 38,587 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 31 January 2017 - 10:25 AM

Has the problem been solved?

#10 ExplodingMonkey

ExplodingMonkey
  • Topic Starter

  • Members
  • 40 posts
  • Gender:Male

Posted 31 January 2017 - 10:37 AM

No sir, it has not.



#11 nasdaq

nasdaq

  • Malware Response Team
  • 38,587 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 31 January 2017 - 11:24 AM

Sophos Virus Removal Tool

Please download Sophos Virus Removal Tool and save it to your computer's Desktop.
  • Right-click the icon and select Run as administrator.
  • Click Yes to accept any security warnings that may appear.
  • Click the Next button.
  • Select 'I accept the terms in the license agreement', then click Next twice.
  • Click the Install button and wait until the installation is complete.
  • Click the Finish button. The tool creates a shortcut icon on your Desktop.
  • Now, double-click the Sophos Virus Removal Tool shortcut icon to run the tool.
  • Click Yes to accept any security warnings that may appear.
  • After it updates and a "Start Scanning" button appears in the lower right:
    • Disconnect from the Internet or physically unplug your Internet cable connection.
    • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
    • Temporarily disable your anti-virus and real-time anti-spyware protection.
  • Click the "Start Scanning" button in the lower right to start the scan.
  • After starting the scan, do not use the computer until the scan has completed.
  • When finished, if it detected anything there will be a "Start Clean-up" button; click it and allow it to finish.
  • When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.
  • If any threats are found click Details, then View Log file (bottom left-hand corner).
  • Copy and paste its contents in your next reply and note any errors encountered.
  • Close the Notepad document, close the Threat Details screen, then click Start cleanup.
  • Click Exit to close the program.
  • If no threats were found, please confirm that result.
Note: Whenever necessary, the log will be in the following location:

Windows Vista and above:
C:\ProgramData\Sophos\Sophos Virus Removal Tool\Logs\SophosVirusRemovalTool.log
 
Windows XP:
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Virus Removal Tool\Logs\SophosVirusRemovalTool.log
 
Please post the contents of the log in your next reply and note any errors encountered.
===

P.S.
This may take an hour or two. Do it when you will not need the computer.

#12 ExplodingMonkey

ExplodingMonkey
  • Topic Starter

  • Members
  • 40 posts
  • Gender:Male

Posted 31 January 2017 - 01:51 PM

I will do this again tonight,

 

2017-01-31 18:03:07.316 Sophos Virus Removal Tool version 2.5.6
2017-01-31 18:03:07.316 Copyright © 2009-2016 Sophos Limited. All rights reserved.
 
2017-01-31 18:03:07.316 This tool will scan your computer for viruses and other threats. If it finds any, it will give you the option to remove them.
 
2017-01-31 18:03:07.316 Windows version 6.1 SP 1.0 Service Pack 1 build 7601 SM=0x100 PT=0x1 WOW64
2017-01-31 18:03:07.316 Checking for updates...
2017-01-31 18:03:07.356 Update progress: proxy server not available
2017-01-31 18:03:15.648 Option all = no
2017-01-31 18:03:15.648 Option recurse = yes
2017-01-31 18:03:15.648 Option archive = no
2017-01-31 18:03:15.648 Option service = yes
2017-01-31 18:03:15.648 Option confirm = yes
2017-01-31 18:03:15.648 Option sxl = yes
2017-01-31 18:03:15.648 Option max-data-age = 35
2017-01-31 18:03:15.648 Option vdl-logging = yes
2017-01-31 18:03:15.658 Customer ID: 094260ca9b3af99f9d4a3909fc47a743
2017-01-31 18:03:15.658 Machine ID: 353ed0fbb7e54a118d6d37688b288bf2
2017-01-31 18:03:15.658 Component SVRTcli.exe version 2.5.6
2017-01-31 18:03:15.658 Component control.dll version 2.5.6
2017-01-31 18:03:15.658 Component SVRTservice.exe version 2.5.6
2017-01-31 18:03:15.658 Component engine\osdp.dll version 1.44.1.2270
2017-01-31 18:03:15.658 Component engine\veex.dll version 3.67.0.2270
2017-01-31 18:03:15.658 Component engine\savi.dll version 9.0.5.2270
2017-01-31 18:03:15.658 Component rkdisk.dll version 1.5.31.1
2017-01-31 18:03:15.658 Version info: Product version 2.5.6
2017-01-31 18:03:15.658 Version info: Detection engine 3.67.0
2017-01-31 18:03:15.658 Version info: Detection data 5.32
2017-01-31 18:03:15.658 Version info: Build date 10/4/2016
2017-01-31 18:03:15.658 Version info: Data files added 736
2017-01-31 18:03:15.658 Version info: Last successful update (not yet updated)
2017-01-31 18:03:27.552 Downloading updates...
2017-01-31 18:03:27.552 Update progress: [I96736] sdds.svrt_10: adding primary package C1A903B2-E63E-483b-982D-04BB9C457C60 RECOMMENDED baseVersion=1
2017-01-31 18:03:27.552 Update progress: [I95020] sdds.svrt_10: looking for packages included from product C1A903B2-E63E-483b-982D-04BB9C457C60 RECOMMENDED path=
2017-01-31 18:03:27.552 Update progress: [I22529] sdds.svrt_10: looking for supplements included from product C1A903B2-E63E-483b-982D-04BB9C457C60 RECOMMENDED path=
2017-01-31 18:03:27.552 Update progress: [I49502] sdds.savi0910.xml: found supplement SAVIW32 LATEST path= baseVersion= [included from product C1A903B2-E63E-483b-982D-04BB9C457C60 RECOMMENDED path=]
2017-01-31 18:03:27.552 Update progress: [I95020] sdds.savi0910.xml: looking for packages included from product SAVIW32 LATEST path=
2017-01-31 18:03:27.552 Update progress: [I22529] sdds.savi0910.xml: looking for supplements included from product SAVIW32 LATEST path=
2017-01-31 18:03:27.552 Update progress: [I49502] sdds.data0910.xml: found supplement IDE536 LATEST path= baseVersion= [included from product SAVIW32 LATEST path=]
2017-01-31 18:03:27.552 Update progress: [I95020] sdds.data0910.xml: looking for packages included from product IDE536 LATEST path=
2017-01-31 18:03:27.552 Update progress: [I22529] sdds.data0910.xml: looking for supplements included from product IDE536 LATEST path=
2017-01-31 18:03:27.552 Update progress: [I49502] sdds.data0910.xml: found supplement IDE537 LATEST path= baseVersion= [included from product IDE536 LATEST path=]
2017-01-31 18:03:27.552 Update progress: [I95020] sdds.data0910.xml: looking for packages included from product IDE537 LATEST path=
2017-01-31 18:03:27.552 Update progress: [I22529] sdds.data0910.xml: looking for supplements included from product IDE537 LATEST path=
2017-01-31 18:03:27.552 Update progress: [I19463] Syncing product C1A903B2-E63E-483b-982D-04BB9C457C60 RECOMMENDED path=
2017-01-31 18:03:27.647 Update progress: [I19463] Syncing product SAVIW32 LATEST path=
2017-01-31 18:03:27.647 Update progress: [I19463] Product download size 156130248 bytes
2017-01-31 18:04:08.137 Update progress: [I19463] Syncing product IDE536 LATEST path=
2017-01-31 18:04:08.137 Update progress: [I19463] Product download size 3527452 bytes
2017-01-31 18:04:08.427 Update progress: [I19463] Syncing product IDE537 LATEST path=
2017-01-31 18:04:08.427 Update progress: [I19463] Product download size 1782241 bytes
2017-01-31 18:04:08.527 Installing updates...
2017-01-31 18:04:09.129 Error level 1
2017-01-31 18:04:11.426 Update successful
2017-01-31 18:04:19.436 Option all = no
2017-01-31 18:04:19.436 Option recurse = yes
2017-01-31 18:04:19.436 Option archive = no
2017-01-31 18:04:19.436 Option service = yes
2017-01-31 18:04:19.436 Option confirm = yes
2017-01-31 18:04:19.436 Option sxl = yes
2017-01-31 18:04:19.437 Option max-data-age = 35
2017-01-31 18:04:19.437 Option vdl-logging = yes
2017-01-31 18:04:19.440 Customer ID: 094260ca9b3af99f9d4a3909fc47a743
2017-01-31 18:04:19.440 Machine ID: 353ed0fbb7e54a118d6d37688b288bf2
2017-01-31 18:04:19.441 Component SVRTcli.exe version 2.5.6
2017-01-31 18:04:19.441 Component control.dll version 2.5.6
2017-01-31 18:04:19.441 Component SVRTservice.exe version 2.5.6
2017-01-31 18:04:19.441 Component engine\osdp.dll version 1.44.1.2280
2017-01-31 18:04:19.441 Component engine\veex.dll version 3.68.0.2280
2017-01-31 18:04:19.441 Component engine\savi.dll version 9.0.7.2280
2017-01-31 18:04:19.442 Component rkdisk.dll version 1.5.31.1
2017-01-31 18:04:19.442 Version info: Product version 2.5.6
2017-01-31 18:04:19.442 Version info: Detection engine 3.68.0
2017-01-31 18:04:19.442 Version info: Detection data 5.35
2017-01-31 18:04:19.442 Version info: Build date 1/10/2017
2017-01-31 18:04:19.442 Version info: Data files added 314
2017-01-31 18:04:19.442 Version info: Last successful update 1/31/2017 12:04:11 PM
 
2017-01-31 18:09:18.329 Could not open C:\hiberfil.sys
2017-01-31 18:09:57.662 Could not open C:\pagefile.sys
2017-01-31 18:13:33.310 Could not open C:\System Volume Information\{0330f393-e753-11e6-8bc5-c1e34f325903}{3808876b-c176-4e48-b7ae-04046e6cc752}
2017-01-31 18:13:33.310 Could not open C:\System Volume Information\{0330f39a-e753-11e6-8bc5-c1e34f325903}{3808876b-c176-4e48-b7ae-04046e6cc752}
2017-01-31 18:13:33.311 Could not open C:\System Volume Information\{0330f3a4-e753-11e6-8bc5-c1e34f325903}{3808876b-c176-4e48-b7ae-04046e6cc752}
2017-01-31 18:13:33.311 Could not open C:\System Volume Information\{298a3457-e697-11e6-ad98-dd5c07d17600}{3808876b-c176-4e48-b7ae-04046e6cc752}
2017-01-31 18:13:33.311 Could not open C:\System Volume Information\{3808876b-c176-4e48-b7ae-04046e6cc752}
2017-01-31 18:13:33.311 Could not open C:\System Volume Information\{b22b2b3c-e656-11e6-861b-bd9647137903}{3808876b-c176-4e48-b7ae-04046e6cc752}
2017-01-31 18:13:33.311 Could not open C:\System Volume Information\{d0948cb6-e5d7-11e6-bfac-b9ed2594d101}{3808876b-c176-4e48-b7ae-04046e6cc752}
2017-01-31 18:13:39.823 Could not open C:\Users\Donkey\AppData\Local\Google\Chrome\User Data\Default\Current Session
2017-01-31 18:13:39.823 Could not open C:\Users\Donkey\AppData\Local\Google\Chrome\User Data\Default\Current Tabs
2017-01-31 18:14:20.457 Could not open C:\Users\Donkey\AppData\Roaming\Opera Software\Opera Stable\Current Session
2017-01-31 18:18:04.088 Could not open C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb
2017-01-31 18:18:04.088 Could not open C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb
2017-01-31 18:18:04.900 Could not open C:\Windows\System32\config\RegBack\DEFAULT
2017-01-31 18:18:04.900 Could not open C:\Windows\System32\config\RegBack\SAM
2017-01-31 18:18:04.900 Could not open C:\Windows\System32\config\RegBack\SECURITY
2017-01-31 18:18:04.900 Could not open C:\Windows\System32\config\RegBack\SOFTWARE
2017-01-31 18:18:04.910 Could not open C:\Windows\System32\config\RegBack\SYSTEM
2017-01-31 18:33:57.533 >>> Virus 'Mal/VMProtBad-A' found in file D:\Games\Civ5\Civilization V\steam_api.dll
2017-01-31 18:33:57.534 >>> Virus 'Mal/VMProtBad-A' found in file HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin
2017-01-31 18:33:57.534 >>> Virus 'Mal/VMProtBad-A' found in file HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin
2017-01-31 18:33:57.534 >>> Virus 'Mal/VMProtBad-A' found in file HKU\S-1-5-21-3602713331-3058630740-4036502352-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnPostRedirect
2017-01-31 18:33:57.534 >>> Virus 'Mal/VMProtBad-A' found in file HKU\S-1-5-21-3602713331-3058630740-4036502352-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnPostRedirect
2017-01-31 18:33:57.534 >>> Virus 'Mal/VMProtBad-A' found in file HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnPostRedirect
2017-01-31 18:46:35.376 Could not open LOGICAL:0005:00000000
2017-01-31 18:46:35.384 Could not open F:\
2017-01-31 18:46:35.384 Could not open LOGICAL:0006:00000000
2017-01-31 18:46:35.384 Could not open G:\
2017-01-31 18:46:35.445 The following items will be cleaned up:
2017-01-31 18:46:35.445 Mal/VMProtBad-A
2017-01-31 18:47:46.949 Threat 'Mal/VMProtBad-A' has been cleaned up.
2017-01-31 18:47:46.949 File "D:\Games\Civ5\Civilization V\steam_api.dll" belongs to malware 'Mal/VMProtBad-A'.
2017-01-31 18:47:46.949 File "D:\Games\Civ5\Civilization V\steam_api.dll" has been cleaned up.
2017-01-31 18:47:46.949 Registry value "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin" belongs to malware 'Mal/VMProtBad-A'.
2017-01-31 18:47:46.949 Registry value "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin" has been cleaned up.
2017-01-31 18:47:46.949 Registry value "HKU\S-1-5-21-3602713331-3058630740-4036502352-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnPostRedirect" belongs to malware 'Mal/VMProtBad-A'.
2017-01-31 18:47:46.949 Registry value "HKU\S-1-5-21-3602713331-3058630740-4036502352-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnPostRedirect" has been cleaned up.
2017-01-31 18:47:46.950 Registry value "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnPostRedirect" belongs to malware 'Mal/VMProtBad-A'.
2017-01-31 18:47:46.950 Registry value "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnPostRedirect" has been cleaned up.
2017-01-31 18:47:46.950 Removal successful
2017-01-31 18:47:47.456 Error level 0
 
2017-01-31 18:47:55.510 Scan completed.
2017-01-31 18:47:55.510
 
------------------------------------------------------------
 
2017-01-31 18:48:59.300 Sophos Virus Removal Tool version 2.5.6
2017-01-31 18:48:59.300 Copyright © 2009-2016 Sophos Limited. All rights reserved.
 
2017-01-31 18:48:59.300 This tool will scan your computer for viruses and other threats. If it finds any, it will give you the option to remove them.
 
2017-01-31 18:48:59.300 Windows version 6.1 SP 1.0 Service Pack 1 build 7601 SM=0x100 PT=0x1 WOW64
2017-01-31 18:48:59.300 Checking for updates...
2017-01-31 18:48:59.342 Update progress: proxy server not available
2017-01-31 18:49:02.231 Downloading updates...
2017-01-31 18:49:02.231 Update progress: [I96736] sdds.svrt_10: adding primary package C1A903B2-E63E-483b-982D-04BB9C457C60 RECOMMENDED baseVersion=1
2017-01-31 18:49:02.231 Update progress: [I95020] sdds.svrt_10: looking for packages included from product C1A903B2-E63E-483b-982D-04BB9C457C60 RECOMMENDED path=
2017-01-31 18:49:02.231 Update progress: [I22529] sdds.svrt_10: looking for supplements included from product C1A903B2-E63E-483b-982D-04BB9C457C60 RECOMMENDED path=
2017-01-31 18:49:02.231 Update progress: [I49502] sdds.savi0910.xml: found supplement SAVIW32 LATEST path= baseVersion= [included from product C1A903B2-E63E-483b-982D-04BB9C457C60 RECOMMENDED path=]
2017-01-31 18:49:02.231 Update progress: [I95020] sdds.savi0910.xml: looking for packages included from product SAVIW32 LATEST path=
2017-01-31 18:49:02.231 Update progress: [I22529] sdds.savi0910.xml: looking for supplements included from product SAVIW32 LATEST path=
2017-01-31 18:49:02.231 Update progress: [I49502] sdds.data0910.xml: found supplement IDE536 LATEST path= baseVersion= [included from product SAVIW32 LATEST path=]
2017-01-31 18:49:02.231 Update progress: [I95020] sdds.data0910.xml: looking for packages included from product IDE536 LATEST path=
2017-01-31 18:49:02.231 Update progress: [I22529] sdds.data0910.xml: looking for supplements included from product IDE536 LATEST path=
2017-01-31 18:49:02.231 Update progress: [I49502] sdds.data0910.xml: found supplement IDE537 LATEST path= baseVersion= [included from product IDE536 LATEST path=]
2017-01-31 18:49:02.231 Update progress: [I95020] sdds.data0910.xml: looking for packages included from product IDE537 LATEST path=
2017-01-31 18:49:02.231 Update progress: [I22529] sdds.data0910.xml: looking for supplements included from product IDE537 LATEST path=
2017-01-31 18:49:02.231 Update progress: [I19463] Syncing product C1A903B2-E63E-483b-982D-04BB9C457C60 RECOMMENDED path=
2017-01-31 18:49:02.271 Update progress: [I19463] Syncing product SAVIW32 LATEST path=
2017-01-31 18:49:02.311 Update progress: [I19463] Syncing product IDE536 LATEST path=
2017-01-31 18:49:02.331 Update progress: [I19463] Syncing product IDE537 LATEST path=
2017-01-31 18:49:02.351 Installing updates...
2017-01-31 18:49:07.648 Option all = no
2017-01-31 18:49:08.260 Option recurse = yes
2017-01-31 18:49:08.260 Option archive = no
2017-01-31 18:49:08.260 Option service = yes
2017-01-31 18:49:08.260 Option confirm = yes
2017-01-31 18:49:08.260 Option sxl = yes
2017-01-31 18:49:08.260 Option max-data-age = 35
2017-01-31 18:49:08.260 Option vdl-logging = yes
2017-01-31 18:49:08.260 Customer ID: 094260ca9b3af99f9d4a3909fc47a743
2017-01-31 18:49:08.260 Machine ID: 353ed0fbb7e54a118d6d37688b288bf2
2017-01-31 18:49:08.260 Component SVRTcli.exe version 2.5.6
2017-01-31 18:49:08.260 Component control.dll version 2.5.6
2017-01-31 18:49:08.260 Component SVRTservice.exe version 2.5.6
2017-01-31 18:49:08.260 Component engine\osdp.dll version 1.44.1.2280
2017-01-31 18:49:08.260 Component engine\veex.dll version 3.68.0.2280
2017-01-31 18:49:08.260 Component engine\savi.dll version 9.0.7.2280
2017-01-31 18:49:08.260 Component rkdisk.dll version 1.5.31.1
2017-01-31 18:49:08.260 Version info: Product version 2.5.6
2017-01-31 18:49:08.260 Version info: Detection engine 3.68.0
2017-01-31 18:49:08.260 Version info: Detection data 5.35
2017-01-31 18:49:08.260 Version info: Build date 1/10/2017
2017-01-31 18:49:08.260 Version info: Data files added 314
2017-01-31 18:49:08.260 Version info: Last successful update 1/31/2017 12:04:11 PM
2017-01-31 18:49:08.260 Error level 1
2017-01-31 18:49:08.530 Update successful
2017-01-31 18:49:15.745 Option all = no
2017-01-31 18:49:15.745 Option recurse = yes
2017-01-31 18:49:15.745 Option archive = no
2017-01-31 18:49:15.745 Option service = yes
2017-01-31 18:49:15.745 Option confirm = yes
2017-01-31 18:49:15.745 Option sxl = yes
2017-01-31 18:49:15.745 Option max-data-age = 35
2017-01-31 18:49:15.745 Option vdl-logging = yes
2017-01-31 18:49:15.745 Customer ID: 094260ca9b3af99f9d4a3909fc47a743
2017-01-31 18:49:15.745 Machine ID: 353ed0fbb7e54a118d6d37688b288bf2
2017-01-31 18:49:15.755 Component SVRTcli.exe version 2.5.6
2017-01-31 18:49:15.755 Component control.dll version 2.5.6
2017-01-31 18:49:15.755 Component SVRTservice.exe version 2.5.6
2017-01-31 18:49:15.755 Component engine\osdp.dll version 1.44.1.2280
2017-01-31 18:49:15.755 Component engine\veex.dll version 3.68.0.2280
2017-01-31 18:49:15.755 Component engine\savi.dll version 9.0.7.2280
2017-01-31 18:49:15.755 Component rkdisk.dll version 1.5.31.1
2017-01-31 18:49:15.755 Version info: Product version 2.5.6
2017-01-31 18:49:15.755 Version info: Detection engine 3.68.0
2017-01-31 18:49:15.755 Version info: Detection data 5.35
2017-01-31 18:49:15.755 Version info: Build date 1/10/2017
2017-01-31 18:49:15.755 Version info: Data files added 314
2017-01-31 18:49:15.755 Version info: Last successful update 1/31/2017 12:49:08 PM
2017-01-31 18:49:25.220 Error level 1
 
2017-01-31 18:49:25.220 Scan completed.
2017-01-31 18:49:25.220
 
------------------------------------------------------------


#13 ExplodingMonkey

ExplodingMonkey
  • Topic Starter

  • Members
  • 40 posts
  • Gender:Male

Posted 31 January 2017 - 08:05 PM

I don't understand. I really don't. I'm still experiencing these ads. I don't know what the hell my nephew was downloading, but he had 8 hours of access to my laptop, and now I'm being bombarded with these ads.



#14 nasdaq

nasdaq

  • Malware Response Team
  • 38,587 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 01 February 2017 - 08:21 AM


Run these cleaning tools.

Temporarily disable your AV program so it does not interfere.
Info on how to disable your security applications: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - Security Mini-Guides.

Download Zoek tool from here
Let's see what else we can clean.

When the download appears, save to the Desktop.
On the Desktop, right-click the Zoek.exe file and select: Run as Administrator
(Give it a few seconds to appear.)

Next, copy/paste the entire script inside the code box below to the input field of Zoek:
createsrpoint;
autoclean;
emptyclsid;
emptyffcache;
FFdefaults;
emptyiecache;
iedefaults;
emptychrcache;
CHRdefaults;
emptyalltemp;
emptyfolderscheck;delete
ipconfig /flushdns;b
Now...
Close any open Browsers.
Click the Run script button, and wait. It takes a few minutes to run the whole script.

When the tool finishes, the zoek-results.log is opened in Notepad.
The log is also found on the systemdrive, normally C:\
If a reboot is needed, the log is opened after the reboot.

Please attach the zoek-results.log in your reply.
===



--RogueKiller--
  • Download RogueKiller & SAVE it to your Desktop.
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or above, right-click the program file and select "Run as Administrator"
  • Accept the user agreements.
  • Execute the scan and wait until it has finished.
  • If a window opens to explain what PUMs are, read about it.
  • Click the RogueKiller icon on your taskbar to return to the report.
  • Click open the Report
  • Click Export TXT button
  • Save the file as ReportRogue.txt
  • Click the Remove button to delete the items in RED
  • Click Finish and close the program.
  • Locate the ReportRogue.txt file on your Desktop and copy/paste the contents in your next reply.
=======

Also, please provide an update on how the computer is behaving after running the above script.
===

#15 ExplodingMonkey

ExplodingMonkey
  • Topic Starter

  • Members
  • 40 posts
  • Gender:Male

Posted 02 February 2017 - 05:46 PM

Hi Nasdaq. So it seems like I am caught in some kind of vicious vortex of ads. I tried going back to an earlier restore point, but W7 tells me something is corrupted or something. 
I am VERY grateful for everything you have suggested for me. 
The program Zoek you suggested ran and ran and ran and ran, but nothing really happened; I had to restart my laptop before it could finish.
 
I am including my roguekiller log. 
 
------------------------------------------
 
 
RogueKiller V12.9.6.0 (x64) [Jan 30 2017] (Free) by Adlice Software
 
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Donkey [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Scan -- Date : 02/01/2017 14:08:35 (Duration : 00:18:38)
 
¤¤¤ Processes : 2 ¤¤¤
[VT.Unknown] Monitor.exe(6188) -- C:\Program Files (x86)\EM01A\Monitor.exe[-] -> Found
[VT.Trojan.Win32.Generic!BT] zoek.exe(9280) -- C:\Users\Donkey\Desktop\zoek.exe[-] -> Found
 
¤¤¤ Registry : 2 ¤¤¤
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Found
[PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Found
 
¤¤¤ Tasks : 0 ¤¤¤
 
¤¤¤ Files : 0 ¤¤¤
 
¤¤¤ WMI : 0 ¤¤¤
 
¤¤¤ Hosts File : 0 ¤¤¤
 
¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤
 
¤¤¤ Web browsers : 7 ¤¤¤
[PUP.Gen2][Firefox:Addon] ypz587h8.default : ?????@Mail.Ru [search@mail.ru] -> Found
[PUP.Gen2][Firefox:Addon] ypz587h8.default : ???????? ???????? Mail.Ru [homepage@mail.ru] -> Found
[PUP.Gen2][Firefox:Addon] ypz587h8.default : ?????????? ???????? @Mail.Ru [{a38384b3-2d1d-4f36-bc22-0f7ae402bcd7}] -> Found
[PUP.Gen0][Chrome:Addon] Default : reddit companion [algjnflpgoopkdijmkalfcifomdhmcbe] -> Found
[PUP.Gen0][Chrome:Addon] Default : Home - New Tab Page [ehhkfhegcenpfoanmgfpfhnmdmflkbgk] -> Found
[PUP.Gen0][Chrome:Addon] Default : Awesome New Tab Page [mgmiemnjjchgkmgbeljfocdjjnpjnmcg] -> Found
[PUM.HomePage][Chrome:Config] Default [SecurePrefs] : session.startup_urls [https://www.google.com/|http://mail.ru/cnt/10445?gp=811009] -> Found
 
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: FM-25S2S-120GBP2 ATA Device +++++
--- User ---
[MBR] 300386f03dcde24ae7275b37ce4ad1ff
[BSP] c7039818c8e56f9a50206178f47f75a2 : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB [Windows XP Bootstrap | Windows XP Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 114371 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK
 
+++++ PhysicalDrive1: WDC WD7500BPKT-80PK4T0 ATA Device +++++
--- User ---
[MBR] 07dbbb4d181c04e5737807bcc036c4a5
[BSP] 2ee18edf56eb573bfe8fc4993312b762 : Windows Vista/7/8 MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 666392 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 1364979712 | Size: 48909 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK
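Added example (not from the thread, RogueKiller, Sophos, or any other tool mentioned): a Python triage script that parses report lines in the RogueKiller layout shown above and explains the findings that matter most for cleanup, namely the ConsentPromptBehaviorAdmin=0 policy that the Sophos log also flagged (UAC elevating administrators without prompting) and the Chrome startup URL pointing at a host the owner did not choose. The sample report and the TRUSTED_STARTUP_HOSTS set are constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample in the RogueKiller report layout seen in the thread;
# the entries are illustrative, not a real scan result.
SAMPLE_REPORT = r"""
¤¤¤ Processes : 2 ¤¤¤
[VT.Unknown] Monitor.exe(6188) -- C:\Program Files (x86)\EM01A\Monitor.exe[-] -> Found
[VT.Trojan.Win32.Generic!BT] zoek.exe(9280) -- C:\Users\Donkey\Desktop\zoek.exe[-] -> Found

¤¤¤ Registry : 2 ¤¤¤
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Found
[PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Web browsers : 2 ¤¤¤
[PUP.Gen0][Chrome:Addon] Default : Awesome New Tab Page [mgmiemnjjchgkmgbeljfocdjjnpjnmcg] -> Found
[PUM.HomePage][Chrome:Config] Default [SecurePrefs] : session.startup_urls [https://www.google.com/|http://mail.ru/cnt/10445?gp=811009] -> Found
"""

# "¤¤¤ <section> : <count> ¤¤¤" headers and "[<category>][<location>] <detail> -> <status>" entries
SECTION_RE = re.compile(r"^¤¤¤\s+(?P<name>.+?)\s*:\s*(?P<count>\d+)?")
FINDING_RE = re.compile(
    r"^\[(?P<category>[^\]]+)\](?:\[(?P<location>[^\]]+)\])?\s*"
    r"(?P<detail>.*?)\s*->\s*(?P<status>\w+)\s*$"
)

@dataclass
class Finding:
    section: str             # report section, e.g. Registry
    category: str            # detection class, e.g. PUM.Policies, PUP.Gen0, VT.Unknown
    location: Optional[str]  # second bracket when present, e.g. Chrome:Addon
    detail: str              # everything between the tags and "-> <status>"
    status: str

def parse_report(text: str):
    """Turn a report into Finding objects, tracking the current section header."""
    findings, section = [], "unknown"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        m = FINDING_RE.match(line)
        if m:
            findings.append(Finding(section, m.group("category"), m.group("location"),
                                    m.group("detail"), m.group("status")))
    return findings

def startup_url_hosts(detail: str):
    """Hosts listed in a 'session.startup_urls [a|b]' browser-config finding."""
    m = re.search(r"session\.startup_urls \[(?P<urls>[^\]]*)\]", detail)
    if not m:
        return []
    return [urlsplit(u).hostname or u for u in m.group("urls").split("|") if u]

# Assumption: start pages the owner set on purpose; any other host is a hijack.
TRUSTED_STARTUP_HOSTS = {"www.google.com"}

def issue(severity, note, f):
    return {"severity": severity, "note": note, "section": f.section, "detail": f.detail}

def triage(findings):
    """Attach a severity and a plain-language explanation to each finding."""
    issues = []
    for f in findings:
        if f.category == "PUM.Policies" and re.search(r"ConsentPromptBehaviorAdmin : 0\b", f.detail):
            issues.append(issue("high", "UAC elevates administrators without prompting "
                                "(ConsentPromptBehaviorAdmin=0; the Windows default is 5)", f))
        elif f.category == "PUM.HomePage":
            foreign = [h for h in startup_url_hosts(f.detail) if h not in TRUSTED_STARTUP_HOSTS]
            if foreign:
                issues.append(issue("high", "browser start page redirected to " + ", ".join(foreign), f))
        elif f.category.startswith("PUP."):
            issues.append(issue("medium", "potentially unwanted browser add-on", f))
        elif f.category.startswith("VT."):  # VirusTotal-based verdict on a running process
            sev = "info" if f.category == "VT.Unknown" else "medium"
            issues.append(issue(sev, "process verdict " + f.category + "; verify where the binary came from", f))
    return issues

if __name__ == "__main__":
    for i in triage(parse_report(SAMPLE_REPORT)):
        print(f"[{i['severity']:6}] {i['section']}: {i['note']}\n         {i['detail']}")
```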