1. You are viewing our forum as a guest. For full access please Register. WindowsBBS.com is completely free, paid for by advertisers and donations.

Inactive Special circumstance for logs

Discussion in 'Malware and Virus Removal Archive' started by JuanP, 2011/04/28.

Thread Status:
Not open for further replies.
Page 3 of 3
  1. 2011/05/06
    JuanP

    JuanP Inactive Thread Starter

    Joined:
    2011/04/28
    Messages:
    35
    Likes Received:
    0
    And now the super China firewall has blocked windowsbbs, it's amazing what they concider 'sensitive' content. Ah and my ISP is giving me problems again so if I disapear for a few days, please keep the thread open...

    Bootkit Remover
    (c) 2009 eSage Lab
    www.esagelab.com

    Program version: 1.2.0.0
    OS Version: Microsoft Windows Vista Home Basic Edition Service Pack 2 (build 600
    2), 32-bit

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000002`71100000
    Boot sector MD5 is: 26062c4eb9a0e14db5e0d0ba52a0aa93

    Size Device Name MBR Status
    --------------------------------------------
    111 GB \\.\PhysicalDrive0 Unknown boot code

    Unknown boot code has been found on some of your physical disks.
    To inspect the boot code manually, dump the master boot sector:
    remover.exe dump <device_name> [output_file]
    To disinfect the master boot sector, use the following command:
    remover.exe fix <device_name>


    Done;
    Press any key to quit...
     
    JuanP,
    #41
  2. 2011/05/06
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Try to re-run OTL from Safe Mode.
     
    broni,
    #42


  3. to hide this advert.

  4. 2011/05/06
    JuanP

    JuanP Inactive Thread Starter

    Joined:
    2011/04/28
    Messages:
    35
    Likes Received:
    0
    Freezes at firefox settings still.
     
    JuanP,
    #43
  5. 2011/05/06
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    We'll skip it then...

    Last scans...

    1. Download Security Check from HERE, and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

      NOTE SecurityCheck may produce some false warning(s), so leave the results reading to me.


    2. Download Temp File Cleaner (TFC)
    • Double click on TFC.exe to run the program.
    • Click on Start button to begin cleaning process.
    • TFC will close all running programs, and it may ask you to restart computer.


    3. Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • IMPORTANT! UN-check Remove found threats
    • Accept any security warnings from your browser.
    • Check Scan archives
    • Click Start
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, push List of found threats
    • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • NOTE. If Eset won't find any threats, it won't produce any log.
     
    broni,
    #44
  6. 2011/05/06
    JuanP

    JuanP Inactive Thread Starter

    Joined:
    2011/04/28
    Messages:
    35
    Likes Received:
    0
    It wont re-open in normal mode again... Can I do everything from safemode?
     
    JuanP,
    #45
  7. 2011/05/06
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Hmmm....
    There is something wrong there.

    Let's see, if resetting your MBR will help.

    If you have Vista/7 DVD...

    start with step 2

    If you don't have Vista/7 DVD...

    1. Create Vista/7 Recovery Disc.

    Option 1 :
    Vista: http://www.vistax64.com/tutorials/141820-create-recovery-disc.html (Option Two)
    Windows 7: http://www.guidingtech.com/3816/system-repair-recovery-disc-windows-7/

    Option 2:
    Download Vista Recovery Disc iso image: http://neosmart.net/blog/2008/windows-vista-recovery-disc-download/
    Download Windows 7 Recovery Disc iso image: http://neosmart.net/blog/2009/windows-7-system-repair-discs/
    Burn it to CD, or DVD: http://neosmart.net/wiki/display/G/Burning+ISO+Images+to+a+CD+or+DVD

    2. Boot from created disk.

    Vista users. At first screen click on Repair your computer:
    [​IMG]

    Windows 7 users. At first screen click on Install now:
    [​IMG]
    Select your language and click next:
    [​IMG]
    Click the button for "Use recovery tools ":
    [​IMG]

    The following applies to both, Vista and Windows 7 users.

    This will bring you to a new screen where the repair process will look for all Windows Vista/7 installations on your computer. When done you will be presented with the System Recovery Options dialog box:
    [​IMG]
    After this, it will present you with a list of options including startup repair, system restore and command prompt:
    [​IMG]
    Select Command Prompt

    Type in:
    bootrec /fixmbr (<--- there is a "space" after "bootrec ")
    and then press Enter

    Once completed then type Exit, press Enter and restart computer.

    Post fresh Bootkit Remover log.
     
    broni,
    #46
  8. 2011/05/06
    JuanP

    JuanP Inactive Thread Starter

    Joined:
    2011/04/28
    Messages:
    35
    Likes Received:
    0
    Also this weird thing is happening, I have word files on my desktop that are semi-transparent, I cant move them or do anything with them theyre just... there, and they wernt before. I recognise some of the titles but others I dont...
     
    JuanP,
    #47
  9. 2011/05/06
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    We'll see what we can do.
    Go on with my previous instructions and hopefully we'll be able to run Combofix and OTL afterwards.
     
    broni,
    #48
  10. 2011/05/12
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Reopened...
     
    broni,
    #49
  11. 2011/05/12
    JuanP

    JuanP Inactive Thread Starter

    Joined:
    2011/04/28
    Messages:
    35
    Likes Received:
    0
    I burnt my own recovery DVD following your instructions. I get to the 'windows' that says Install or repair. I click on repair and I cant do anything, for some reason the computer stops seeing that the DVD is there. So I decided to check if it was a problem the DVD went ahead and clicked 'Install'. I didn't go farther than where they ask me for the windows security key, but I assume that means the DVD was properly burnt...
     
    JuanP,
    #50
  12. 2011/05/12
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    I'd try another download and burning fresh DVD.
     
    broni,
    #51
  13. 2011/05/14
    JuanP

    JuanP Inactive Thread Starter

    Joined:
    2011/04/28
    Messages:
    35
    Likes Received:
    0
    I've retried 3 times, including making a flashdrive recovery, nothing works...
     
    JuanP,
    #52
  14. 2011/05/14
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Please download NTBR by noahdfear and save it to your Desktop.
    File size: 2.44 MB (2,565,432 bytes)

    • Place a blank CD in your CD drive.
    • Double click on NTBR_CD.exe file and a folder of the same name will appear.
    • Open the folder and double click on BurnItCD.cmd file. If your CD drive will open, simply close it back.
    • Follow the prompts to burn the CD.
    • Now you will need to set the CD-Rom as first boot device if it isn't already (if you don't know how to do it, see HERE)
    • If you have any questions about this step, ask before you proceed. If you enter the BIOS and are unsure if you have carried out the step correctly, there should be an option to exit without keeping changes, so you won't do any harm.
    • Insert the newly created CD into your infected PC and reboot your computer.
    • Once you have rebooted please press Enter when prompted to continue booting from CD - you have a whole 15 seconds to do this!
    • Read the warning and then continue as prompted.
    • You first need to select your keyboard layout - press Enter for English.
    • Next you want to select the appropriate tool. Enter 1 to choose 1. MBRWORK
    • On the following screen enter 5 to select Install Standard MBR code.
    • Enter 1 to overwrite the infected MBR Code with the Standard MBR code.
    • When asked to confirm please do so.
    • Afterwards, please enter E to leave MBRWORK, then 6 to leave the bootable CD.
    • Eject the disc and then press ctrl+alt+del to reboot the PC.
    Once rebooted, run Bootkit Remover again and post its log.

    **Important note to Dell users - fixing the MBR may prevent access to the Dell Restore Utility, which allows you to press a key on startup and revert your computer to a factory delivered state. If this is Dell computer, let me know before proceeding.
     
    broni,
    #53
  15. 2011/05/19
    JuanP

    JuanP Inactive Thread Starter

    Joined:
    2011/04/28
    Messages:
    35
    Likes Received:
    0
    Done, still couldnt reboot in normal mode so I ran bootkit remover in safemode. I got a debug txt file that showed up on my desktop too so I posted both.

    Bootkit Remover
    (c) 2009 eSage Lab
    www.esagelab.com

    Program version: 1.2.0.0
    OS Version: Microsoft Windows Vista Home Basic Edition Service Pack 2 (build 600
    2), 32-bit

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000002`71100000
    Boot sector MD5 is: 6def5ffcbcdbdb4082f1015625e597bd

    Size Device Name MBR Status
    --------------------------------------------
    111 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)


    Done;
    Press any key to quit...




    -------------



    .\debug.cpp(238) : Debug log started at 19.05.2011 - 04:46:34
    .\boot_cleaner.cpp(527) : Bootkit Remover
    .\boot_cleaner.cpp(528) : (c) 2009 eSage Lab
    .\boot_cleaner.cpp(529) : www.esagelab.com
    .\boot_cleaner.cpp(533) : Program version: 1.2.0.0
    .\boot_cleaner.cpp(540) : OS Version: Microsoft Windows Vista Home Basic Edition Service Pack 2 (build 6002), 32-bit
    .\debug.cpp(248) : **********************************************
    .\debug.cpp(249) : *** [ LOADED MODULES INFORMATION ] ***********
    .\debug.cpp(250) : **********************************************
    .\debug.cpp(256) : 0x82202000 0x003ba000 "\SystemRoot\system32\ntkrnlpa.exe "
    .\debug.cpp(256) : 0x825bc000 0x00033000 "\SystemRoot\system32\hal.dll "
    .\debug.cpp(256) : 0x8060b000 0x00007000 "\SystemRoot\system32\kdcom.dll "
    .\debug.cpp(256) : 0x80612000 0x00070000 "\SystemRoot\system32\mcupdate_GenuineIntel.dll "
    .\debug.cpp(256) : 0x80682000 0x00011000 "\SystemRoot\system32\PSHED.dll "
    .\debug.cpp(256) : 0x80693000 0x00008000 "\SystemRoot\system32\BOOTVID.dll "
    .\debug.cpp(256) : 0x8069b000 0x00041000 "\SystemRoot\system32\CLFS.SYS "
    .\debug.cpp(256) : 0x806dc000 0x000e0000 "\SystemRoot\system32\CI.dll "
    .\debug.cpp(256) : 0x87c06000 0x0007c000 "\SystemRoot\system32\drivers\Wdf01000.sys "
    .\debug.cpp(256) : 0x87c82000 0x0000d000 "\SystemRoot\system32\drivers\WDFLDR.SYS "
    .\debug.cpp(256) : 0x87c8f000 0x00046000 "\SystemRoot\system32\drivers\acpi.sys "
    .\debug.cpp(256) : 0x87cd5000 0x00009000 "\SystemRoot\system32\drivers\WMILIB.SYS "
    .\debug.cpp(256) : 0x87cde000 0x00008000 "\SystemRoot\system32\drivers\msisadrv.sys "
    .\debug.cpp(256) : 0x87ce6000 0x00027000 "\SystemRoot\system32\drivers\pci.sys "
    .\debug.cpp(256) : 0x87d0d000 0x0000f000 "\SystemRoot\System32\drivers\partmgr.sys "
    .\debug.cpp(256) : 0x87d1c000 0x00003000 "\SystemRoot\system32\DRIVERS\compbatt.sys "
    .\debug.cpp(256) : 0x87d1f000 0x0000a000 "\SystemRoot\system32\DRIVERS\BATTC.SYS "
    .\debug.cpp(256) : 0x87d29000 0x0000f000 "\SystemRoot\system32\drivers\volmgr.sys "
    .\debug.cpp(256) : 0x87d38000 0x0004a000 "\SystemRoot\System32\drivers\volmgrx.sys "
    .\debug.cpp(256) : 0x87d82000 0x00007000 "\SystemRoot\system32\drivers\intelide.sys "
    .\debug.cpp(256) : 0x87d89000 0x0000e000 "\SystemRoot\system32\drivers\PCIIDEX.SYS "
    .\debug.cpp(256) : 0x87d97000 0x00010000 "\SystemRoot\System32\drivers\mountmgr.sys "
    .\debug.cpp(256) : 0x87e09000 0x000c7000 "\SystemRoot\system32\DRIVERS\iaStor.sys "
    .\debug.cpp(256) : 0x87ed0000 0x00008000 "\SystemRoot\system32\drivers\atapi.sys "
    .\debug.cpp(256) : 0x87ed8000 0x0001e000 "\SystemRoot\system32\drivers\ataport.SYS "
    .\debug.cpp(256) : 0x87ef6000 0x00032000 "\SystemRoot\system32\drivers\fltmgr.sys "
    .\debug.cpp(256) : 0x87f28000 0x00010000 "\SystemRoot\system32\drivers\fileinfo.sys "
    .\debug.cpp(256) : 0x87f38000 0x00071000 "\SystemRoot\System32\Drivers\ksecdd.sys "
    .\debug.cpp(256) : 0x88008000 0x0010b000 "\SystemRoot\system32\drivers\ndis.sys "
    .\debug.cpp(256) : 0x88113000 0x0002b000 "\SystemRoot\system32\drivers\msrpc.sys "
    .\debug.cpp(256) : 0x8813e000 0x0003b000 "\SystemRoot\system32\drivers\NETIO.SYS "
    .\debug.cpp(256) : 0x88209000 0x000ea000 "\SystemRoot\System32\drivers\tcpip.sys "
    .\debug.cpp(256) : 0x882f3000 0x0001b000 "\SystemRoot\System32\drivers\fwpkclnt.sys "
    .\debug.cpp(256) : 0x88404000 0x00110000 "\SystemRoot\System32\Drivers\Ntfs.sys "
    .\debug.cpp(256) : 0x88514000 0x00039000 "\SystemRoot\system32\drivers\volsnap.sys "
    .\debug.cpp(256) : 0x88555000 0x0000f000 "\SystemRoot\System32\Drivers\mup.sys "
    .\debug.cpp(256) : 0x88564000 0x00027000 "\SystemRoot\System32\drivers\ecache.sys "
    .\debug.cpp(256) : 0x8858b000 0x00011000 "\SystemRoot\system32\drivers\disk.sys "
    .\debug.cpp(256) : 0x8859c000 0x00021000 "\SystemRoot\system32\drivers\CLASSPNP.SYS "
    .\debug.cpp(256) : 0x885bd000 0x00009000 "\SystemRoot\system32\drivers\crcdisk.sys "
    .\debug.cpp(256) : 0x885e6000 0x00009000 "\SystemRoot\system32\DRIVERS\wmiacpi.sys "
    .\debug.cpp(256) : 0x885ef000 0x0000b000 "\SystemRoot\system32\DRIVERS\usbuhci.sys "
    .\debug.cpp(256) : 0x8830e000 0x0003e000 "\SystemRoot\system32\DRIVERS\USBPORT.SYS "
    .\debug.cpp(256) : 0x8834c000 0x0000f000 "\SystemRoot\system32\DRIVERS\usbehci.sys "
    .\debug.cpp(256) : 0x8835b000 0x0008d000 "\SystemRoot\system32\DRIVERS\HDAudBus.sys "
    .\debug.cpp(256) : 0x883e8000 0x00013000 "\SystemRoot\system32\DRIVERS\i8042prt.sys "
    .\debug.cpp(256) : 0x88179000 0x0000a000 "\SystemRoot\system32\DRIVERS\DKbFltr.sys "
    .\debug.cpp(256) : 0x88183000 0x0000b000 "\SystemRoot\system32\DRIVERS\kbdclass.sys "
    .\debug.cpp(256) : 0x8854d000 0x00008000 "\SystemRoot\System32\Drivers\Alidevice.SYS "
    .\debug.cpp(256) : 0x8818e000 0x0002e000 "\SystemRoot\system32\DRIVERS\SynTP.sys "
    .\debug.cpp(256) : 0x885fa000 0x00002000 "\SystemRoot\system32\DRIVERS\USBD.SYS "
    .\debug.cpp(256) : 0x881bc000 0x0000b000 "\SystemRoot\system32\DRIVERS\mouclass.sys "
    .\debug.cpp(256) : 0x881c7000 0x00018000 "\SystemRoot\system32\DRIVERS\cdrom.sys "
    .\debug.cpp(256) : 0x885fc000 0x00002000 "\SystemRoot\system32\DRIVERS\NTIDrvr.sys "
    .\debug.cpp(256) : 0x88200000 0x00006000 "\SystemRoot\System32\Drivers\GEARAspiWDM.sys "
    .\debug.cpp(256) : 0x87fa9000 0x0002f000 "\SystemRoot\system32\DRIVERS\msiscsi.sys "
    .\debug.cpp(256) : 0x87da7000 0x00041000 "\SystemRoot\system32\DRIVERS\storport.sys "
    .\debug.cpp(256) : 0x881df000 0x0000b000 "\SystemRoot\system32\DRIVERS\TDI.SYS "
    .\debug.cpp(256) : 0x881ea000 0x00010000 "\SystemRoot\system32\DRIVERS\termdd.sys "
    .\debug.cpp(256) : 0x885fe000 0x00002000 "\SystemRoot\system32\DRIVERS\swenum.sys "
    .\debug.cpp(256) : 0x807bc000 0x0002a000 "\SystemRoot\system32\DRIVERS\ks.sys "
    .\debug.cpp(256) : 0x87fd8000 0x0000a000 "\SystemRoot\system32\DRIVERS\mssmbios.sys "
    .\debug.cpp(256) : 0x87fe2000 0x0000d000 "\SystemRoot\system32\DRIVERS\umbus.sys "
    .\debug.cpp(256) : 0x8be01000 0x00035000 "\SystemRoot\system32\DRIVERS\usbhub.sys "
    .\debug.cpp(256) : 0x8be36000 0x00009000 "\SystemRoot\System32\Drivers\Fs_Rec.SYS "
    .\debug.cpp(256) : 0x8be3f000 0x00007000 "\SystemRoot\System32\Drivers\Null.SYS "
    .\debug.cpp(256) : 0x8be46000 0x00007000 "\SystemRoot\System32\Drivers\Beep.SYS "
    .\debug.cpp(256) : 0x8be4d000 0x0000c000 "\SystemRoot\System32\drivers\vga.sys "
    .\debug.cpp(256) : 0x8be59000 0x00021000 "\SystemRoot\System32\drivers\VIDEOPRT.SYS "
    .\debug.cpp(256) : 0x8be7a000 0x0000c000 "\SystemRoot\System32\drivers\watchdog.sys "
    .\debug.cpp(256) : 0x8be86000 0x0000b000 "\SystemRoot\System32\Drivers\Msfs.SYS "
    .\debug.cpp(256) : 0x8be91000 0x0000e000 "\SystemRoot\System32\Drivers\Npfs.SYS "
    .\debug.cpp(256) : 0x8be9f000 0x00028000 "\SystemRoot\System32\Drivers\fastfat.SYS "
    .\debug.cpp(256) : 0x8bec7000 0x0000d000 "\SystemRoot\System32\Drivers\crashdmp.sys "
    .\debug.cpp(256) : 0x8bed4000 0x0000b000 "\SystemRoot\System32\Drivers\dump_dumpata.sys "
    .\debug.cpp(256) : 0x8bedf000 0x00008000 "\SystemRoot\System32\Drivers\dump_atapi.sys "
    .\debug.cpp(256) : 0x816a0000 0x00204000 "\SystemRoot\System32\win32k.sys "
    .\debug.cpp(256) : 0x8bee7000 0x0000a000 "\SystemRoot\System32\drivers\Dxapi.sys "
    .\debug.cpp(256) : 0x818b0000 0x00017000 "\SystemRoot\System32\drivers\dxg.sys "
    .\debug.cpp(256) : 0x818e0000 0x00009000 "\SystemRoot\System32\TSDDD.dll "
    .\debug.cpp(256) : 0x81960000 0x00008000 "\SystemRoot\System32\framebuf.dll "
    .\debug.cpp(256) : 0x8bef1000 0x00016000 "\SystemRoot\system32\DRIVERS\cdfs.sys "
    .\debug.cpp(256) : 0x776b0000 0x00128000 "\Windows\System32\ntdll.dll "
    .\debug.cpp(263) : **********************************************
    .\debug.cpp(307) : *** [ DEVICE OBJECTS INFORMATION ] ***********
    .\debug.cpp(308) : **********************************************
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\D: "
    .\debug.cpp(400) : Destination "\Device\HarddiskVolume3 "
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\NDIS "
    .\debug.cpp(400) : Destination "\Device\Ndis "
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Scsi3: "
    .\debug.cpp(400) : Destination "\Device\Ide\IdePort3 "
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\DISPLAY1 "
    .\debug.cpp(400) : Destination "\Device\Video0 "
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#PNP0C0E#2&daba3ff&2#{4afa3d53-74a7-11d0-be5e-00a0c9062857} "
    .\debug.cpp(400) : Destination "\Device\00000060 "
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\IDE#CdRomPIONEER_DVD-RW_DVRKD08RS________________1.02____#5&11d3172a&0&0.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} "
    .\debug.cpp(400) : Destination "\Device\Ide\IdeDeviceP0T0L0-0 "
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{ffbb6e3f-ccfe-4d84-90d9-421418b03a8e} "
    .\debug.cpp(400) : Destination "\Device\00000055 "
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Volume{f2df7cb8-2a24-11dd-a1c2-806e6f6e6963} "
    .\debug.cpp(400) : Destination "\Device\HarddiskVolume2 "
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_8086&DEV_2830&SUBSYS_01331025&REV_03#3&21436425&0&E8#{3abf6f2d-71c4-462a-8a92-1e6861e6af27} "
    .\debug.cpp(400) : Destination "\Device\NTPNP_PCI0010 "
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\E: "
    .\debug.cpp(400) : Destination "\Device\CdRom0 "
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\WMIAdminDevice "
    .\debug.cpp(400) : Destination "\Device\WMIAdminDevice "
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Scsi4: "
    .\debug.cpp(400) : Destination "\Device\RaidPort0 "
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\VolMgrControl "
    .\debug.cpp(400) : Destination "\Device\VolMgrControl "
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Volume{f2df7cb7-2a24-11dd-a1c2-806e6f6e6963} "
    .\debug.cpp(400) : Destination "\Device\HarddiskVolume1 "
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#SYN0302#4&6c0995a&0#{378de44c-56ef-11d1-bc8c-00a0c91405dd} "
    .\debug.cpp(400) : Destination "\Device\00000066 "
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{3c0d501a-140b-11d1-b40f-00a0c9223196} "
    .\debug.cpp(400) : Destination "\Device\00000055 "
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\CompositeBattery "
    .\debug.cpp(400) : Destination "\Device\CompositeBattery "
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\WMIDataDevice "
    .\debug.cpp(400) : Destination "\Device\WMIDataDevice "
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PIPE "
    .\debug.cpp(400) : Destination "\Device\NamedPipe "
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\IDE#CdRomPIONEER_DVD-RW_DVRKD08RS________________1.02____#5&11d3172a&0&0.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b} "
    .\debug.cpp(400) : Destination "\Device\Ide\IdeDeviceP0T0L0-0 "
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{2eb07ea0-7e70-11d0-a5d6-28db04c10000} "
    .\debug.cpp(400) : Destination "\Device\00000055 "
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\UNC "
    .\debug.cpp(400) : Destination "\Device\Mup "
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{0a4252a0-7e70-11d0-a5d6-28db04c10000} "
    .\debug.cpp(400) : Destination "\Device\00000055 "
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\GEARAspiWDMDevice "
    .\debug.cpp(400) : Destination "\Device\GEARAspiWDMDevice "
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HCD0 "
    .\debug.cpp(400) : Destination "\Device\USBFDO-0 "
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{6994ad04-93ef-11d0-a3cc-00a0c9223196} "
    .\debug.cpp(400) : Destination "\Device\00000055 "
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\FltMgrMsg "
    .\debug.cpp(400) : Destination "\FileSystem\Filters\FltMgrMsg "
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCIIDE#IDEChannel#4&238581a7&0&1#{2accfe60-c130-11d2-b082-00a0c91efb8b} "
    .\debug.cpp(400) : Destination "\Device\Ide\PciIde0Channel1 "
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#FixedButton#2&daba3ff&2#{4afa3d53-74a7-11d0-be5e-00a0c9062857} "
    .\debug.cpp(400) : Destination "\Device\00000062 "
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HCD1 "
    .\debug.cpp(400) : Destination "\Device\USBFDO-1 "
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PRN "
    .\debug.cpp(400) : Destination "\DosDevices\LPT1 "
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PhysicalDrive0 "
    .\debug.cpp(400) : Destination "\Device\Harddisk0\DR0 "
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#ROOT_HUB#4&138b5fae&0#{f18a0e88-c30c-11d0-8815-00a0c906bed8} "
    .\debug.cpp(400) : Destination "\Device\USBPDO-5 "
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{cf1dda2c-9743-11d0-a3ee-00a0c9223196} "
    .\debug.cpp(400) : Destination "\Device\00000055 "
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{53172480-4791-11d0-a5d6-28db04c10000} "
    .\debug.cpp(400) : Destination "\Device\00000055 "
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HCD2 "
    .\debug.cpp(400) : Destination "\Device\USBFDO-2 "
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCIIDE#IDEChannel#4&238581a7&0&0#{2accfe60-c130-11d2-b082-00a0c91efb8b} "
    .\debug.cpp(400) : Destination "\Device\Ide\PciIde0Channel0 "
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#UMBUS#0000#{65a9a6cf-64cd-480b-843e-32c86e1ba19f} "
    .\debug.cpp(400) : Destination "\Device\00000057 "
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{97ebaacb-95bd-11d0-a3ea-00a0c9223196} "
    .\debug.cpp(400) : Destination "\Device\00000055 "
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HCD3 "
    .\debug.cpp(400) : Destination "\Device\USBFDO-3 "
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\CdRom0 "
    .\debug.cpp(400) : Destination "\Device\CdRom0 "
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HCD4 "
    .\debug.cpp(400) : Destination "\Device\USBFDO-4 "
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_8086&DEV_283A&SUBSYS_01331025&REV_03#3&21436425&0&D7#{3abf6f2d-71c4-462a-8a92-1e6861e6af27} "
    .\debug.cpp(400) : Destination "\Device\NTPNP_PCI0005 "
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#volmgr#0000#{53f5630e-b6bf-11d0-94f2-00a0c91efb8b} "
    .\debug.cpp(400) : Destination "\Device\00000058 "
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#ROOT_HUB20#4&6964c99&0#{f18a0e88-c30c-11d0-8815-00a0c906bed8} "
    .\debug.cpp(400) : Destination "\Device\USBPDO-2 "
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#ISCSIPRT#0000#{2accfe60-c130-11d2-b082-00a0c91efb8b} "
    .\debug.cpp(400) : Destination "\Device\0000001c "
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HCD5 "
    .\debug.cpp(400) : Destination "\Device\USBFDO-5 "
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#ThermalZone#TZS1#{4afa3d51-74a7-11d0-be5e-00a0c9062857} "
    .\debug.cpp(400) : Destination "\Device\0000005d "
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Global "
    .\debug.cpp(400) : Destination "\GLOBAL?? "
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\LOG: "
    .\debug.cpp(400) : Destination "\clfs "
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HCD6 "
    .\debug.cpp(400) : Destination "\Device\USBFDO-6 "
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_8086&DEV_2831&SUBSYS_01331025&REV_03#3&21436425&0&E9#{3abf6f2d-71c4-462a-8a92-1e6861e6af27} "
    .\debug.cpp(400) : Destination "\Device\NTPNP_PCI0011 "
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_8086&DEV_2834&SUBSYS_01331025&REV_03#3&21436425&0&D0#{3abf6f2d-71c4-462a-8a92-1e6861e6af27} "
    .\debug.cpp(400) : Destination "\Device\NTPNP_PCI0003 "
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#ThermalZone#TZS0#{4afa3d51-74a7-11d0-be5e-00a0c9062857} "
    .\debug.cpp(400) : Destination "\Device\0000005c "
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_8086&DEV_2836&SUBSYS_01331025&REV_03#3&21436425&0&EF#{3abf6f2d-71c4-462a-8a92-1e6861e6af27} "
    .\debug.cpp(400) : Destination "\Device\NTPNP_PCI0013 "
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_8086&DEV_2832&SUBSYS_01331025&REV_03#3&21436425&0&EA#{3abf6f2d-71c4-462a-8a92-1e6861e6af27} "
    .\debug.cpp(400) : Destination "\Device\NTPNP_PCI0012 "
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\STORAGE#Volume#1&19f7e59c&0&Signature58E7061DOffsetF31F00000LengthCC0900000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} "
    .\debug.cpp(400) : Destination "\Device\HarddiskVolume3 "
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#ROOT_HUB#4&328bb01f&0#{f18a0e88-c30c-11d0-8815-00a0c906bed8} "
    .\debug.cpp(400) : Destination "\Device\USBPDO-3 "
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#PNP0303#4&6c0995a&0#{884b96c3-56ef-11d1-bc8c-00a0c91405dd} "
    .\debug.cpp(400) : Destination "\Device\00000065 "
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCIIDE#IDEChannel#4&18b1524f&0&1#{2accfe60-c130-11d2-b082-00a0c91efb8b} "
    .\debug.cpp(400) : Destination "\Device\Ide\PciIde1Channel1 "
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\MountPointManager "
    .\debug.cpp(400) : Destination "\Device\MountPointManager "
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\STORAGE#Volume#1&19f7e59c&0&Signature58E7061DOffset100000Length271000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} "
    .\debug.cpp(400) : Destination "\Device\HarddiskVolume1 "
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PartmgrControl "
    .\debug.cpp(400) : Destination "\Device\PartmgrControl "
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\alidevice "
    .\debug.cpp(400) : Destination "\Device\alidevice "
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\NXTIPSECDevice "
    .\debug.cpp(400) : Destination "\Device\NXTIPSEC "
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Volume{f2df7cb9-2a24-11dd-a1c2-806e6f6e6963} "
    .\debug.cpp(400) : Destination "\Device\HarddiskVolume3 "
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#ROOT_HUB#4&1d1c67ac&0#{f18a0e88-c30c-11d0-8815-00a0c906bed8} "
    .\debug.cpp(400) : Destination "\Device\USBPDO-4 "
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c} "
    .\debug.cpp(400) : Destination "\Device\00000055 "
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Dritek_KB_Filter "
    .\debug.cpp(400) : Destination "\Device\Dritek_KB_Filter "
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\WFPDev "
    .\debug.cpp(400) : Destination "\Device\WFP "
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCIIDE#IDEChannel#4&18b1524f&0&0#{2accfe60-c130-11d2-b082-00a0c91efb8b} "
    .\debug.cpp(400) : Destination "\Device\Ide\PciIde1Channel0 "
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Scsi0: "
    .\debug.cpp(400) : Destination "\Device\Ide\IdePort0 "
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#ROOT_HUB20#4&1db79072&0#{f18a0e88-c30c-11d0-8815-00a0c906bed8} "
    .\debug.cpp(400) : Destination "\Device\USBPDO-6 "
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{4747b320-62ce-11cf-a5d6-28db04c10000} "
    .\debug.cpp(400) : Destination "\Device\00000055 "
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Scsi1: "
    .\debug.cpp(400) : Destination "\Device\Ide\IdePort1 "
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#ROOT_HUB#4&7ce8428&0#{f18a0e88-c30c-11d0-8815-00a0c906bed8} "
    .\debug.cpp(400) : Destination "\Device\USBPDO-1 "
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\NTIDrvr "
    .\debug.cpp(400) : Destination "\Device\NTIDrvr "
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\IDE#DiskHitachi_HTS542512K9SA00_________________BB2OC31P#5&2c39b59&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} "
    .\debug.cpp(400) : Destination "\Device\Ide\IdeDeviceP2T0L0-4 "
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\FltMgr "
    .\debug.cpp(400) : Destination "\FileSystem\Filters\FltMgr "
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\FtControl "
    .\debug.cpp(400) : Destination "\Device\VolMgrControl "
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\C: "
    .\debug.cpp(400) : Destination "\Device\HarddiskVolume2 "
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\MAILSLOT "
    .\debug.cpp(400) : Destination "\Device\MailSlot "
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\AUX "
    .\debug.cpp(400) : Destination "\DosDevices\COM1 "
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#RDP_MOU#0000#{378de44c-56ef-11d1-bc8c-00a0c91405dd} "
    .\debug.cpp(400) : Destination "\Device\00000054 "
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Scsi2: "
    .\debug.cpp(400) : Destination "\Device\Ide\IdePort2 "
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\NUL "
    .\debug.cpp(400) : Destination "\Device\Null "
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#ROOT_HUB#4&2ff1d550&0#{f18a0e88-c30c-11d0-8815-00a0c906bed8} "
    .\debug.cpp(400) : Destination "\Device\USBPDO-0 "
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\GLOBALROOT "
    .\debug.cpp(400) : Destination " "
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Volume{f2df7cbc-2a24-11dd-a1c2-806e6f6e6963} "
    .\debug.cpp(400) : Destination "\Device\CdRom0 "
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#RDP_KBD#0000#{884b96c3-56ef-11d1-bc8c-00a0c91405dd} "
    .\debug.cpp(400) : Destination "\Device\00000053 "
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_8086&DEV_2835&SUBSYS_01331025&REV_03#3&21436425&0&D1#{3abf6f2d-71c4-462a-8a92-1e6861e6af27} "
    .\debug.cpp(400) : Destination "\Device\NTPNP_PCI0004 "
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\SYNTP "
    .\debug.cpp(400) : Destination "\Device\SynTP "
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\WfpAle "
    .\debug.cpp(400) : Destination "\Device\WfpAle "
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\STORAGE#Volume#1&19f7e59c&0&Signature58E7061DOffset271100000LengthCC0E00000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} "
    .\debug.cpp(400) : Destination "\Device\HarddiskVolume2 "
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#PNP0C0D#2&daba3ff&2#{4afa3d53-74a7-11d0-be5e-00a0c9062857} "
    .\debug.cpp(400) : Destination "\Device\0000005f "
    .\debug.cpp(409) : --
    .\debug.cpp(453) : **********************************************
    .\boot_cleaner.cpp(565) : System volume is \\.\C:
    .\boot_cleaner.cpp(600) : \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000002`71100000
    .\boot_cleaner.cpp(276) : Boot sector MD5 is: 6def5ffcbcdbdb4082f1015625e597bd
    .\boot_cleaner.cpp(1060) :
    .\boot_cleaner.cpp(1061) : Size Device Name MBR Status
    .\boot_cleaner.cpp(1062) : --------------------------------------------
    .\boot_cleaner.cpp(1106) : 111 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)
    .\boot_cleaner.cpp(1112) :
    .\boot_cleaner.cpp(1151) : Done;
     
    JuanP,
    #54
  16. 2011/05/19
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    It looks good now.

    See, if you can run Combofix now.
     
    broni,
    #55
  17. 2011/05/19
    JuanP

    JuanP Inactive Thread Starter

    Joined:
    2011/04/28
    Messages:
    35
    Likes Received:
    0
    I tried twice, got the same reaction twice.
    Open, am told I didnt disable AVAST (which it is) but I can continue anyways. Then I'm told combofix isnt up to date, so I must run in reduced functionality mode, I click yes, combofix starts for a few seconds then completely disapears from my computer (unfindable anywhere) and not text file. Should I run app remover and try again or is this somethng not related to my anti-virus?
     
    JuanP,
    #56
  18. 2011/05/19
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Delete your Combofix file.
    Download fresh one from here: http://www.filedropper.com/broni
    I renamed the file for a reason.
    Run rKill first, then broni.com.
    If Combofix warns you about Avast (even after you disabled it), but it let you proceed, do it.
    If still a problem, try rKill+Combofix from safe mode.
     
    broni,
    #57
  19. 2011/06/02
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Reopened.
     
    broni,
    #58
  20. 2011/06/02
    JuanP

    JuanP Inactive Thread Starter

    Joined:
    2011/04/28
    Messages:
    35
    Likes Received:
    0
    So, I still couldnt run a full term Combofix so I decided to completed delete AVAST to try combofix again (I was disabling it before), funny enough, now that I dont have an anti-virus I can reopen windows normally, but I still cant run a full combofix.
     
    JuanP,
    #59
  21. 2011/06/02
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Interesting....

    We won't worry about Combofix since you're able to start Windows normally.
    That's the most important.
    Keep Avast off for now.

    Download OTL to your Desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Click the Scan All Users checkbox.
    • Under the Custom Scan box paste this in:


    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\Fonts\*.exe
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lnk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %systemroot%\*.config
    %systemroot%\system32\*.db
    %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
    %USERPROFILE%\Desktop\*.exe
    %PROGRAMFILES%\Common Files\*.*
    %systemroot%\*.src
    %systemroot%\install\*.*
    %systemroot%\system32\DLL\*.*
    %systemroot%\system32\HelpFiles\*.*
    %systemroot%\system32\rundll\*.*
    %systemroot%\winn32\*.*
    %systemroot%\Java\*.*
    %systemroot%\system32\test\*.*
    %systemroot%\system32\Rundll32\*.*
    %systemroot%\AppPatch\Custom\*.*
    %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
    %PROGRAMFILES%\PC-Doctor\Downloads\*.*
    %PROGRAMFILES%\Internet Explorer\*.tmp
    %PROGRAMFILES%\Internet Explorer\*.dat
    %USERPROFILE%\My Documents\*.exe
    %USERPROFILE%\*.exe
    %systemroot%\ADDINS\*.*
    %systemroot%\assembly\*.bak2
    %systemroot%\Config\*.*
    %systemroot%\REPAIR\*.bak2
    %systemroot%\SECURITY\Database\*.sdb /x
    %systemroot%\SYSTEM\*.bak2
    %systemroot%\Web\*.bak2
    %systemroot%\Driver Cache\*.*
    %PROGRAMFILES%\Mozilla Firefox\0*.exe
    %ProgramFiles%\Microsoft Common\*.*
    %ProgramFiles%\TinyProxy.
    %USERPROFILE%\Favorites\*.url /x
    %systemroot%\system32\*.bk
    %systemroot%\*.te
    %systemroot%\system32\system32\*.*
    %ALLUSERSPROFILE%\*.dat /x
    %systemroot%\system32\drivers\*.rmv
    dir /b "%systemroot%\system32\*.exe" | find /i " " /c
    dir /b "%systemroot%\*.exe" | find /i " " /c
    %PROGRAMFILES%\Microsoft\*.*
    %systemroot%\System32\Wbem\proquota.exe
    %PROGRAMFILES%\Mozilla Firefox\*.dat
    %USERPROFILE%\Cookies\*.txt /x
    %SystemRoot%\system32\fonts\*.*
    %systemroot%\system32\winlog\*.*
    %systemroot%\system32\Language\*.*
    %systemroot%\system32\Settings\*.*
    %systemroot%\system32\*.quo
    %SYSTEMROOT%\AppPatch\*.exe
    %SYSTEMROOT%\inf\*.exe
    %SYSTEMROOT%\Installer\*.exe
    %systemroot%\system32\config\*.bak2
    %systemroot%\system32\Computers\*.*
    %SystemRoot%\system32\Sound\*.*
    %SystemRoot%\system32\SpecialImg\*.*
    %SystemRoot%\system32\code\*.*
    %SystemRoot%\system32\draft\*.*
    %SystemRoot%\system32\MSSSys\*.*
    %ProgramFiles%\Javascript\*.*
    %systemroot%\pchealth\helpctr\System\*.exe /s
    %systemroot%\Web\*.exe
    %systemroot%\system32\msn\*.*
    %systemroot%\system32\*.tro
    %AppData%\Microsoft\Installer\msupdates\*.*
    %ProgramFiles%\Messenger\*.*
    %systemroot%\system32\systhem32\*.*
    %systemroot%\system\*.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    /md5start
    /md5stop


    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
    broni,
    #60
Page 3 of 3
Thread Status:
Not open for further replies.

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...