Master Boot Record is infected


14 replies to this topic

#1 kingmob6


Posted 02 December 2010 - 06:26 PM

Picked it up somewhere, quite a hassle to remove so far as it appears to be solidly in place.

Combofix+malwarebytes, and anything else doesn't take.

Nothing earth shattering as far as infections go, but quite annoying. Experiencing considerable slowdowns with higher processor power being used than usual, browser hijacks during searches, and occasional crashes.

Here are the logs for Malwareb, DDS, Gmer:

DDS:

DDS (Ver_10-11-27.01) - NTFSx86
Run by sam davydov at 17:18:10.14 on Thu 12/02/2010
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_21
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.3582.2371 [GMT -5:00]

AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {11638345-E4FC-4BEE-BB73-EC754659C5F6}
SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
FW: Avira Firewall *disabled* {11638345-E4FC-4BEE-BB73-EC754659C5F6}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\Explorer.EXE
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\Lexmark X1100 Series\LXBKbmgr.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\aestsrv.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Windows\System32\svchost.exe -k Akamai
C:\Program Files\DellTPad\Apntex.exe
C:\Windows\system32\conhost.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
c:\xampp\apache\bin\httpd.exe
C:\Windows\system32\svchost.exe -k apphost
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\Windows\System32\svchost.exe -k ipripsvc
c:\xampp\mysql\bin\mysqld.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\STacSV.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k iissvcs
C:\Program Files\Softomotive\WinAutomation\WinAutomation.ServiceAgent.exe
C:\xampp\apache\bin\httpd.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Avira\AntiVir Desktop\avmailc.exe
C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\sam davydov\Desktop\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - No File
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [lxbkbmgr.exe] "c:\program files\lexmark x1100 series\lxbkbmgr.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
mPolicies-system: FilterAdministratorToken = 1 (0x1)
IE: Download with Mipony - file://c:\program files\mipony\browser\IEContext.htm
IE: {0483894E-2422-45E0-8384-021AFF1AF3CD} - {0483894E-2422-45E0-8384-021AFF1AF3CD}
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: c:\program files\avira\antivir desktop\avsda.dll
Trusted Zone: alipay.com
Trusted Zone: alisoft.com
Trusted Zone: intuit.com\ttlc
Trusted Zone: taobao.com
DPF: {49312E18-AA92-4CC2-BB97-55DEA7BCADD6} - hxxp://support.dell.com/systemprofiler/SysProExe.CAB
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
Notify: klogon - c:\windows\system32\klogon.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\samdav~1\appdata\roaming\mozilla\firefox\profiles\vvs7lwgy.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2790392&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine -
FF - prefs.js: browser.startup.homepage - hxxp://whatismyipaddress.com/
FF - component: c:\users\sam davydov\appdata\roaming\mozilla\firefox\profiles\vvs7lwgy.default\extensions\{fcab6fdd-5585-425b-95c1-5ed856f3fd08}\components\nsCatcher.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Extension: SwitchProxy Tool: {27A2FD41-CB23-4518-AB5C-C25BAFFDE531} - c:\users\samdav~1\appdata\roaming\mozilla\firefox\profiles\vvs7lwgy.default\extensions\{27A2FD41-CB23-4518-AB5C-C25BAFFDE531}
FF - Extension: RankChecker: rankchecker@seobook.com - c:\users\samdav~1\appdata\roaming\mozilla\firefox\profiles\vvs7lwgy.default\extensions\rankchecker@seobook.com
FF - Extension: Seo Toolbar: seotoolbar@seobook.com - c:\users\samdav~1\appdata\roaming\mozilla\firefox\profiles\vvs7lwgy.default\extensions\seotoolbar@seobook.com
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\users\samdav~1\appdata\roaming\mozilla\firefox\profiles\vvs7lwgy.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Extension: TVU Web Player: firefox@tvunetworks.com - c:\users\samdav~1\appdata\roaming\mozilla\firefox\profiles\vvs7lwgy.default\extensions\firefox@tvunetworks.com
FF - Extension: AutoPager: autopager@mozilla.org - c:\users\samdav~1\appdata\roaming\mozilla\firefox\profiles\vvs7lwgy.default\extensions\autopager@mozilla.org
FF - Extension: TrackMeNot: trackmenot@mrl.nyu.edu - c:\users\samdav~1\appdata\roaming\mozilla\firefox\profiles\vvs7lwgy.default\extensions\trackmenot@mrl.nyu.edu
FF - Extension: Sothink Web Video Downloader for Firefox: {FCAB6FDD-5585-425b-95C1-5ED856F3FD08} - c:\users\samdav~1\appdata\roaming\mozilla\firefox\profiles\vvs7lwgy.default\extensions\{FCAB6FDD-5585-425b-95C1-5ED856F3FD08}
FF - Extension: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - c:\users\samdav~1\appdata\roaming\mozilla\firefox\profiles\vvs7lwgy.default\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
FF - Extension: Proxy Tool: proxytool@proxylist.co - c:\users\samdav~1\appdata\roaming\mozilla\firefox\profiles\vvs7lwgy.default\extensions\proxytool@proxylist.co
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false

============= SERVICES / DRIVERS ===============

R1 avfwot;avfwot;c:\windows\system32\drivers\avfwot.sys [2010-2-1 97608]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-2-1 11608]
R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [2010-10-8 18816]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\AEstSrv.exe [2010-1-31 73728]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2009-7-13 20992]
R2 AntiVirMailService;Avira AntiVir MailGuard;c:\program files\avira\antivir desktop\avmailc.exe [2010-2-1 194817]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-2-1 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-2-1 185089]
R2 AntiVirWebService;Avira AntiVir WebGuard;c:\program files\avira\antivir desktop\avwebgrd.exe [2010-2-1 434945]
R2 Apache2.2;Apache2.2;c:\xampp\apache\bin\httpd.exe [2008-12-9 24636]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-2-1 56816]
R2 iprip;RIP Listener;c:\windows\system32\svchost.exe -k ipripsvc [2009-7-13 20992]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2009-12-25 1153368]
R2 WinAutomation Service;WinAutomation Service;c:\program files\softomotive\winautomation\WinAutomation.ServiceAgent.exe [2008-3-8 69632]
R3 avfwim;AvFw Packet Filter Miniport;c:\windows\system32\drivers\avfwim.sys [2010-2-1 69632]
R3 DKRtWrt;DKRtWrt;c:\windows\system32\drivers\DKRtWrt.sys [2010-10-13 46256]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2008-12-17 20952]
S1 KLIM6;KLIM6;c:\windows\system32\drivers\klim6.sys [2008-7-9 20496]
S2 AntiVirFirewallService;Avira Firewall;c:\program files\avira\antivir desktop\avfwsvc.exe [2010-2-1 388865]
S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-9-12 304464]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [2010-11-4 27192]
S3 tap0801;TAP-Win32 Adapter V8;c:\windows\system32\drivers\tap0801.sys [2006-10-1 26624]
S4 lxbk_device;lxbk_device;c:\windows\system32\lxbkcoms.exe -service --> c:\windows\system32\lxbkcoms.exe -service [?]
S4 lxdd_device;lxdd_device;c:\windows\system32\lxddcoms.exe -service --> c:\windows\system32\lxddcoms.exe -service [?]

=============== Created Last 30 ================

2010-12-01 19:12:40 -------- d-sh--w- C:\$RECYCLE.BIN
2010-12-01 19:11:04 -------- d-----w- c:\users\samdav~1\appdata\local\temp
2010-11-21 08:17:02 169320 ----a-w- c:\progra~2\microsoft\windows\sqm\manifest\Sqm10135.bin
2010-11-16 05:00:29 -------- d-----w- c:\windows\system32\aliedit
2010-11-16 05:00:23 -------- d-----w- c:\program files\trademanager
2010-11-12 23:59:34 -------- d-----w- c:\program files\common files\DivX Shared
2010-11-11 23:39:48 -------- d-----w- c:\program files\DivX
2010-11-09 14:27:44 -------- d---a-w- C:\Kaspersky Rescue Disk 10.0
2010-11-08 23:10:40 -------- d-----w- c:\program files\ZHPDiag
2010-11-04 23:31:37 -------- d-----w- c:\users\samdav~1\appdata\local\Sports Interactive
2010-11-04 23:27:24 2036576 ----a-w- c:\windows\system32\D3DCompiler_40.dll
2010-11-04 23:27:23 452440 ----a-w- c:\windows\system32\d3dx10_40.dll
2010-11-04 23:27:22 4379984 ----a-w- c:\windows\system32\D3DX9_40.dll
2010-11-04 23:21:58 -------- d-----w- c:\program files\Sports Interactive
2010-11-04 23:13:42 -------- d-----w- c:\program files\MagicISO
2010-11-04 22:44:21 27192 ----a-w- c:\windows\system32\drivers\revoflt.sys
2010-11-04 22:44:18 -------- d-----w- c:\program files\Revo Uninstaller Pro
2010-11-02 22:29:37 -------- d-----w- c:\users\samdav~1\appdata\local\RapidWare

==================== Find3M ====================

2010-11-08 06:20:24 89088 ----a-w- c:\windows\MBR.exe
2010-11-07 19:46:35 65552 --sh--w- c:\progra~2\Desktop.lnk
2010-10-13 21:48:16 301568 ----a-w- c:\windows\system32\cmd.execf
2010-09-06 00:51:38 423656 ----a-w- c:\windows\system32\deployJava1.dll
2009-09-15 05:00:00 189440 ----a-w- c:\program files\pcgw32.dll

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.1.7600 Disk: FUJITSU_ rev.0085 -> Harddisk0\DR0 -> \Device\Ide\iaStor0

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x87048446]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8704e504]; MOV EAX, [0x8704e580]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x82A3F458] -> \Device\Harddisk0\DR0[0x87028460]
3 CLASSPNP[0x8CA6659E] -> ntkrnlpa!IofCallDriver[0x82A3F458] -> [0x87269788]
\Driver\iaStor[0x8702DB98] -> IRP_MJ_CREATE -> 0x87048446
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x137; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP; }
detected disk devices:
\Device\Ide\IAAStorageDevice-0 -> \??\IDE#DiskFUJITSU_MHZ2250BH_G2____________________00850009#4&371cd0ae&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user != kernel MBR !!!
copy of MBR has been found in sector 9 !
sectors 488397166 (+255): user != kernel
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.

============= FINISH: 17:18:52.84 ===============

GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2010-12-02 18:04:54
Windows 6.1.7600 Harddisk0\DR0 -> \Device\Ide\iaStor0 FUJITSU_ rev.0085
Running: gmer.exe; Driver: C:\Users\SAMDAV~1\AppData\Local\Temp\axtdipod.sys

---- System - GMER 1.0.15 ----

SSDT 978F367C ZwCreateThread
SSDT 978F3668 ZwOpenProcess
SSDT 978F366D ZwOpenThread
SSDT 978F3677 ZwTerminateProcess
SSDT 978F3672 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 82A46599 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82A6AF52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!RtlSidHashLookup + 34C 82A7285C 4 Bytes [7C, 36, 8F, 97]
.text ntkrnlpa.exe!RtlSidHashLookup + 4E8 82A729F8 4 Bytes [68, 36, 8F, 97]
.text ntkrnlpa.exe!RtlSidHashLookup + 508 82A72A18 4 Bytes [6D, 36, 8F, 97]
.text ntkrnlpa.exe!RtlSidHashLookup + 7B8 82A72CC8 4 Bytes [77, 36, 8F, 97]
.text ntkrnlpa.exe!RtlSidHashLookup + 82C 82A72D3C 4 Bytes [72, 36, 8F, 97]
.text C:\Windows\system32\DRIVERS\nvlddmkm.sys section is writeable [0x9463D360, 0x35B8D2, 0xE8000020]
? C:\Users\SAMDAV~1\AppData\Local\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\svchost.exe[988] ntdll.dll!NtProtectVirtualMemory 76F15380 5 Bytes JMP 0030000A
.text C:\Windows\system32\svchost.exe[988] ntdll.dll!NtWriteVirtualMemory 76F15F00 5 Bytes JMP 0031000A
.text C:\Windows\system32\svchost.exe[988] ntdll.dll!KiUserExceptionDispatcher 76F16448 5 Bytes JMP 0010000A
.text C:\Windows\system32\svchost.exe[988] ole32.dll!CoCreateInstance 755157FC 5 Bytes JMP 00C8000A
.text C:\Windows\system32\svchost.exe[988] USER32.dll!GetCursorPos 76E0C198 5 Bytes JMP 00C9000A
.text C:\Windows\Explorer.EXE[1672] ntdll.dll!NtProtectVirtualMemory 76F15380 5 Bytes JMP 02FF000A
.text C:\Windows\Explorer.EXE[1672] ntdll.dll!NtWriteVirtualMemory 76F15F00 5 Bytes JMP 0300000A
.text C:\Windows\Explorer.EXE[1672] ntdll.dll!KiUserExceptionDispatcher 76F16448 5 Bytes JMP 02FE000A
.text C:\Program Files\Internet Explorer\iexplore.exe[4548] ntdll.dll!NtProtectVirtualMemory 76F15380 5 Bytes JMP 0045000A
.text C:\Program Files\Internet Explorer\iexplore.exe[4548] ntdll.dll!NtWriteVirtualMemory 76F15F00 5 Bytes JMP 0046000A
.text C:\Program Files\Internet Explorer\iexplore.exe[4548] ntdll.dll!KiUserExceptionDispatcher 76F16448 5 Bytes JMP 0044000A
.text C:\Program Files\Internet Explorer\iexplore.exe[4548] USER32.dll!CreateWindowExW 76E10E51 5 Bytes JMP 6AF88157 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4548] USER32.dll!DialogBoxIndirectParamW 76E34AA7 5 Bytes JMP 6B0AF970 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4548] USER32.dll!DialogBoxParamW 76E3564A 5 Bytes JMP 6AEA4BA7 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4548] USER32.dll!DialogBoxParamA 76E4CF6A 5 Bytes JMP 6B0AF90D C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4548] USER32.dll!DialogBoxIndirectParamA 76E4D29C 5 Bytes JMP 6B0AF9D3 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4548] USER32.dll!MessageBoxIndirectA 76E5E8C9 5 Bytes JMP 6B0AF8A2 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4548] USER32.dll!MessageBoxIndirectW 76E5E9C3 5 Bytes JMP 6B0AF837 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4548] USER32.dll!MessageBoxExA 76E5EA29 5 Bytes JMP 6B0AF7D5 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4548] USER32.dll!MessageBoxExW 76E5EA4D 5 Bytes JMP 6B0AF773 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4960] ntdll.dll!NtProtectVirtualMemory 76F15380 5 Bytes JMP 01E3000A
.text C:\Program Files\Internet Explorer\iexplore.exe[4960] ntdll.dll!NtWriteVirtualMemory 76F15F00 5 Bytes JMP 01EA000A
.text C:\Program Files\Internet Explorer\iexplore.exe[4960] ntdll.dll!KiUserExceptionDispatcher 76F16448 5 Bytes JMP 01E1000A
.text C:\Program Files\Internet Explorer\iexplore.exe[4960] USER32.dll!UnhookWindowsHookEx 76E0CC7B 5 Bytes JMP 6AF9835E C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4960] USER32.dll!CallNextHookEx 76E0CC8F 5 Bytes JMP 6AF79D5C C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4960] USER32.dll!CreateWindowExW 76E10E51 5 Bytes JMP 6AF88157 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4960] USER32.dll!SetWindowsHookExW 76E1210A 5 Bytes JMP 6AF34633 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4960] USER32.dll!DialogBoxIndirectParamW 76E34AA7 5 Bytes JMP 6B0AF970 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4960] USER32.dll!DialogBoxParamW 76E3564A 5 Bytes JMP 6AEA4BA7 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4960] USER32.dll!DialogBoxParamA 76E4CF6A 5 Bytes JMP 6B0AF90D C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4960] USER32.dll!DialogBoxIndirectParamA 76E4D29C 5 Bytes JMP 6B0AF9D3 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4960] USER32.dll!MessageBoxIndirectA 76E5E8C9 5 Bytes JMP 6B0AF8A2 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4960] USER32.dll!MessageBoxIndirectW 76E5E9C3 5 Bytes JMP 6B0AF837 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4960] USER32.dll!MessageBoxExA 76E5EA29 5 Bytes JMP 6B0AF7D5 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4960] USER32.dll!MessageBoxExW 76E5EA4D 5 Bytes JMP 6B0AF773 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4960] ole32.dll!OleLoadFromStream 754C5B88 5 Bytes JMP 6B0AFCCE C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4960] ole32.dll!CoCreateInstance 755157FC 5 Bytes JMP 6AF88C45 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5164] USER32.dll!UnhookWindowsHookEx 76E0CC7B 5 Bytes JMP 6AF9835E C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5164] USER32.dll!CallNextHookEx 76E0CC8F 5 Bytes JMP 6AF79D5C C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5164] USER32.dll!CreateWindowExW 76E10E51 5 Bytes JMP 6AF88157 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5164] USER32.dll!SetWindowsHookExW 76E1210A 5 Bytes JMP 6AF34633 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5164] USER32.dll!DialogBoxIndirectParamW 76E34AA7 5 Bytes JMP 6B0AF970 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5164] USER32.dll!DialogBoxParamW 76E3564A 5 Bytes JMP 6AEA4BA7 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5164] USER32.dll!DialogBoxParamA 76E4CF6A 5 Bytes JMP 6B0AF90D C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5164] USER32.dll!DialogBoxIndirectParamA 76E4D29C 5 Bytes JMP 6B0AF9D3 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5164] USER32.dll!MessageBoxIndirectA 76E5E8C9 5 Bytes JMP 6B0AF8A2 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5164] USER32.dll!MessageBoxIndirectW 76E5E9C3 5 Bytes JMP 6B0AF837 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5164] USER32.dll!MessageBoxExA 76E5EA29 5 Bytes JMP 6B0AF7D5 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5164] USER32.dll!MessageBoxExW 76E5EA4D 5 Bytes JMP 6B0AF773 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5164] ole32.dll!OleLoadFromStream 754C5B88 5 Bytes JMP 6B0AFCCE C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5164] ole32.dll!CoCreateInstance 755157FC 5 Bytes JMP 6AF88C45 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5704] ntdll.dll!NtProtectVirtualMemory 76F15380 5 Bytes JMP 0183000A
.text C:\Program Files\Internet Explorer\iexplore.exe[5704] ntdll.dll!NtWriteVirtualMemory 76F15F00 5 Bytes JMP 0184000A
.text C:\Program Files\Internet Explorer\iexplore.exe[5704] ntdll.dll!KiUserExceptionDispatcher 76F16448 5 Bytes JMP 0181000A
.text C:\Program Files\Internet Explorer\iexplore.exe[5704] USER32.dll!UnhookWindowsHookEx 76E0CC7B 5 Bytes JMP 6AF9835E C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5704] USER32.dll!CallNextHookEx 76E0CC8F 5 Bytes JMP 6AF79D5C C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5704] USER32.dll!CreateWindowExW 76E10E51 5 Bytes JMP 6AF88157 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5704] USER32.dll!SetWindowsHookExW 76E1210A 5 Bytes JMP 6AF34633 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5704] USER32.dll!DialogBoxIndirectParamW 76E34AA7 5 Bytes JMP 6B0AF970 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5704] USER32.dll!DialogBoxParamW 76E3564A 5 Bytes JMP 6AEA4BA7 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5704] USER32.dll!DialogBoxParamA 76E4CF6A 5 Bytes JMP 6B0AF90D C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5704] USER32.dll!DialogBoxIndirectParamA 76E4D29C 5 Bytes JMP 6B0AF9D3 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5704] USER32.dll!MessageBoxIndirectA 76E5E8C9 5 Bytes JMP 6B0AF8A2 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5704] USER32.dll!MessageBoxIndirectW 76E5E9C3 5 Bytes JMP 6B0AF837 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5704] USER32.dll!MessageBoxExA 76E5EA29 5 Bytes JMP 6B0AF7D5 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5704] USER32.dll!MessageBoxExW 76E5EA4D 5 Bytes JMP 6B0AF773 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5704] ole32.dll!OleLoadFromStream 754C5B88 5 Bytes JMP 6B0AFCCE C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5704] ole32.dll!CoCreateInstance 755157FC 5 Bytes JMP 6AF88C45 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Windows\system32\wuauclt.exe[6000] ntdll.dll!NtProtectVirtualMemory 76F15380 5 Bytes JMP 0022000A
.text C:\Windows\system32\wuauclt.exe[6000] ntdll.dll!NtWriteVirtualMemory 76F15F00 5 Bytes JMP 0031000A
.text C:\Windows\system32\wuauclt.exe[6000] ntdll.dll!KiUserExceptionDispatcher 76F16448 5 Bytes JMP 0020000A

---- Devices - GMER 1.0.15 ----

Device \Driver\ACPI_HAL \Device\00000055 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\tdx \Device\Tcp avfwot.sys (TDI filtering kernel driver/Avira GmbH)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)

Device \Driver\iaStor -> DriverStartIo \Device\Ide\iaStor0 87048292

AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Udp avfwot.sys (TDI filtering kernel driver/Avira GmbH)
AttachedDevice \Driver\tdx \Device\RawIp avfwot.sys (TDI filtering kernel driver/Avira GmbH)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \Device\Ide\IAAStorageDevice-0 -> \??\IDE#DiskFUJITSU_MHZ2250BH_G2____________________00850009#4&371cd0ae&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 00 (MBR): rootkit-like behavior; TDL4 <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 01: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 02: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 03: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 04: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 05: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 06: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 07: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 08: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 09: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 10: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 11: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 12: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 13: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 14: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 15: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 16: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 17: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 18: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 19: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 20: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 21: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 22: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 23: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 24: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 25: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 26: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 27: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 28: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 29: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 30: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 31: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 32: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 33: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 34: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 35: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 36: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 37: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 38: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 58: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 60: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sectors 488396912 (+255): rootkit-like behavior;

---- Files - GMER 1.0.15 ----


---- EOF - GMER 1.0.15 ----



Malwarebytes' Anti-Malware 1.50
www.malwarebytes.org

Database version: 5214

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

12/2/2010 18:25:57
mbam-log-2010-12-02 (18-25-57).txt

Scan type: Quick scan
Objects scanned: 146578
Time elapsed: 4 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


#2 sjpritch25

  • Security Colleague
  • 898 posts
  • Gender:Male
  • Location:West Coast of Florida, USA

Posted 09 December 2010 - 09:51 PM

Welcome to BC :)

  • Download TDSSKiller.zip and extract TDSSKiller.exe to your desktop
  • Execute TDSSKiller.exe by double-clicking on it.
  • Press Start Scan
  • If Malicious objects are found, ensure Cure is selected (it should be by default)
  • Click Continue then click Reboot now
  • Once complete, a log will be produced at the root drive which is typically C:\

    For example, C:\TDSSKiller.2.4.0.0_24.07.2010_13.10.52_log.txt
  • Attach that log, please.

Microsoft MVP Consumer Security--2007-2010

#3 kingmob6
  • Topic Starter

  • Members
  • 23 posts

Posted 14 December 2010 - 05:51 PM

Welcome to BC :)

  • Download TDSSKiller.zip and extract TDSSKiller.exe to your desktop
  • Execute TDSSKiller.exe by double-clicking on it.
  • Press Start Scan
  • If Malicious objects are found, ensure Cure is selected (it should be by default)
  • Click Continue then click Reboot now
  • Once complete, a log will be produced at the root drive which is typically C:\

    For example, C:\TDSSKiller.2.4.0.0_24.07.2010_13.10.52_log.txt
  • Attach that log, please.



Unfortunately, all of this is not possible anymore. A few days ago, my laptop went kaput, and I got the BSOD with the Stop: 0x0000007B message at boot-up. Usually this is related to either a driver issue or a virus, and I'm pretty sure that a virus in my Master Boot Record, or something additional to it, has contributed to this. Just looking for a remedy at this point to get past this and back to my desktop. The obvious solutions are of no use, since nothing gets past the BSOD so far.

#4 sjpritch25

  • Security Colleague
  • 898 posts
  • Gender:Male
  • Location:West Coast of Florida, USA

Posted 14 December 2010 - 06:46 PM

We can try some fixes. Did you create a system repair disc? Do you have a Win7 install disc? We can try some other tools to try and fix it. Let me know what you want to do.
Microsoft MVP Consumer Security--2007-2010

#5 kingmob6
  • Topic Starter

  • Members
  • 23 posts

Posted 14 December 2010 - 07:03 PM

We can try some fixes. Did you create a system repair disc? Do you have a Win7 install disc? We can try some other tools to try and fix it. Let me know what you want to do.


I have a Windows 7 disc, but I don't have a system repair disc and can't really do any system restores, since I've deleted all of them to try to clean any trojans that could have been sitting there and replicating.

I have a suspicion that I'm dealing with an atapi.sys modification/rootkit, and need to replace it in order to boot up into Windows. Any good tutorials out there on how to copy and replace this file in Windows 7 from the command prompt?

#6 sjpritch25

  • Security Colleague
  • 898 posts
  • Gender:Male
  • Location:West Coast of Florida, USA

Posted 14 December 2010 - 07:17 PM

Looks like fixing the MBR will probably do the trick. Just to warn you, you might lose your recovery partition.

1. Put the Windows Vista or Windows 7 installation disc in the disc drive, and then start the computer.
2. Press a key when you are prompted.
3. Select a language, a time, a currency, a keyboard or an input method, and then click Next.
4. Click Repair your computer.
5. Click the operating system that you want to repair, and then click Next.
6. In the System Recovery Options dialog box, click Command Prompt.
7. Type bootrec /FixMbr and press Enter.
8. Type exit to reboot the computer, and let me know if you can access Windows.
Microsoft MVP Consumer Security--2007-2010
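As an added example (not from this thread or from any of the tools it mentions), the Python script below parses a 512-byte MBR and compares the live sector 0 against a suspected backup copy, such as the "copy of MBR" GMER flagged at sector 9 in the log above. TDL4-style bootkits replace the boot code but keep the partition table so the machine still boots, and bootrec /FixMbr likewise rewrites only the boot code, so the partition-table-preserved-but-boot-code-differs pattern is the check worth making before and after a repair. The sector contents and partition layout are constructed sample data.

```python
import struct
from dataclasses import dataclass

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446           # bytes 0..445: boot code (the part bootrec /FixMbr rewrites)
PART_TABLE_OFF = 446          # bytes 446..509: four 16-byte partition entries
PART_ENTRY_FMT = "<B3xB3xII"  # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
MBR_SIGNATURE = b"\x55\xaa"   # bytes 510..511


@dataclass(frozen=True)
class PartitionEntry:
    bootable: bool
    type_id: int
    lba_start: int
    sector_count: int


def parse_mbr(sector: bytes):
    """Split a 512-byte MBR into (boot_code, [4 PartitionEntry]); raise ValueError if malformed."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != MBR_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    boot_code = sector[:BOOT_CODE_LEN]
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + i * 16
        status, type_id, lba, count = struct.unpack(PART_ENTRY_FMT, sector[off:off + 16])
        entries.append(PartitionEntry(status == 0x80, type_id, lba, count))
    return boot_code, entries


def compare_mbr(live: bytes, backup: bytes) -> dict:
    """Compare the live sector 0 against a suspected copy of the original MBR."""
    live_code, live_parts = parse_mbr(live)
    bak_code, bak_parts = parse_mbr(backup)
    same_code = live_code == bak_code
    same_table = live_parts == bak_parts
    if same_code and same_table:
        verdict = "clean"
    elif same_table:
        # Bootkit pattern: partitions untouched (system still boots), boot code swapped.
        verdict = "boot code replaced, partition table preserved"
    else:
        verdict = "partition table differs"
    return {"same_boot_code": same_code, "same_partition_table": same_table, "verdict": verdict}


def make_sector(boot_code: bytes, parts) -> bytes:
    """Build a constructed MBR from boot code bytes and (bootable, type, lba, count) tuples."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    table = b"".join(struct.pack(PART_ENTRY_FMT, 0x80 if b else 0, t, lba, n)
                     for b, t, lba, n in parts)
    return code + table.ljust(64, b"\x00") + MBR_SIGNATURE


# Constructed sample data; none of these bytes come from the thread's logs.
SAMPLE_PARTS = [(True, 0x07, 2048, 204800), (False, 0x07, 206848, 488190064)]
ORIGINAL_MBR = make_sector(b"\x33\xc0\x8e\xd0\xbc\x00\x7c", SAMPLE_PARTS)  # stand-in for the sector 9 copy
PATCHED_MBR = make_sector(b"\xfa\x31\xc0\x8e\xd8\xeb\x10", SAMPLE_PARTS)   # stand-in for the live sector 0

if __name__ == "__main__":
    print(compare_mbr(PATCHED_MBR, ORIGINAL_MBR))
```

On a real disk the two inputs would be sector 0 and the flagged backup sector read with a raw disk tool from a clean boot medium, since an active bootkit can hide the real sector contents from the running system.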

#7 kingmob6
  • Topic Starter

  • Members
  • 23 posts

Posted 15 December 2010 - 04:35 PM

Looks like fixing the MBR will probably do the trick. Just to warn you, you might lose your recovery partition.

1. Put the Windows Vista or Windows 7 installation disc in the disc drive, and then start the computer.
2. Press a key when you are prompted.
3. Select a language, a time, a currency, a keyboard or an input method, and then click Next.
4. Click Repair your computer.
5. Click the operating system that you want to repair, and then click Next.
6. In the System Recovery Options dialog box, click Command Prompt.
7. Type bootrec /FixMbr and press Enter.
8. Type exit to reboot the computer, and let me know if you can access Windows.



I've already tried all that, and unfortunately it doesn't do the trick... I've run all the bootrec.exe commands, and none of them get me past the BSOD. I need to replace the atapi.sys file, I think, in order to get past it.

#8 sjpritch25

  • Security Colleague
  • 898 posts
  • Gender:Male
  • Location:West Coast of Florida, USA

Posted 15 December 2010 - 08:19 PM

That's not the infection that was present. TDL4 is different and not related to atapi.sys. The infection that I see from your logs is an MBR infection. I wish you wouldn't have cleared all your system restore points, because we could try that. Did you try running Startup Repair from the Win7 disc?
Microsoft MVP Consumer Security--2007-2010

#9 kingmob6
  • Topic Starter

  • Members
  • 23 posts

Posted 15 December 2010 - 08:41 PM

That's not the infection that was present. TDL4 is different and not related to atapi.sys. The infection that I see from your logs is an MBR infection. I wish you wouldn't have cleared all your system restore points, because we could try that. Did you try running Startup Repair from the Win7 disc?



None of the startup repair tools at my disposal are of any value, including running Startup Repair from the Win7 disc, as these were the obvious things I tried from the get-go. I will have to wait to access a computer from which I could make a bootable Ubuntu disc or something, so I could boot up and clean Windows from there. Working from the library computer is just not doing it. Anything else that might be suggested?

What are the procedures for removing TDL4?

Edited by kingmob6, 15 December 2010 - 08:50 PM.


#10 kingmob6
  • Topic Starter

  • Members
  • 23 posts

Posted 16 December 2010 - 01:24 PM

I have loaded up a Hiren's boot CD and will start some work on it. Will try TSDD and see what happens.

#11 sjpritch25

  • Security Colleague
  • 898 posts
  • Gender:Male
  • Location:West Coast of Florida, USA

Posted 19 December 2010 - 09:17 PM

Do me a favor and do a search for other copies of atapi.sys. Usually there is a copy in C:\windows\system32\dllcache, but not always. We can try replacing it and see if that fixes it. I discussed your problem with another expert, and it's possible that it's atapi.sys.
Microsoft MVP Consumer Security--2007-2010

#12 kingmob6
  • Topic Starter

  • Members
  • 23 posts

Posted 22 December 2010 - 02:48 AM

Do me a favor and do a search for other copies of atapi.sys. Usually there is a copy in C:\windows\system32\dllcache, but not always. We can try replacing it and see if that fixes it. I discussed your problem with another expert, and it's possible that it's atapi.sys.


Oh well, that failed too. I guess it's not atapi. I'm back to the drawing board.

#13 sjpritch25

  • Security Colleague
  • 898 posts
  • Gender:Male
  • Location:West Coast of Florida, USA

Posted 22 December 2010 - 08:29 PM

What did you do? I didn't give instructions on replacing the file. I just wanted you to search for atapi.sys. What did you do exactly?
Microsoft MVP Consumer Security--2007-2010

#14 kingmob6
  • Topic Starter

  • Members
  • 23 posts

Posted 22 December 2010 - 11:44 PM

I found the newest atapi.sys file in a different Windows folder with the same version # (somewhere in the depository), and replaced the one in the Win7/System32/drivers folder with it. I've looked up what others have done with the virus, and just followed the procedure that was suggested.

#15 sjpritch25

  • Security Colleague
  • 898 posts
  • Gender:Male
  • Location:West Coast of Florida, USA

Posted 24 December 2010 - 10:14 AM

Did you rename the old file first before copying the new file over?
Microsoft MVP Consumer Security--2007-2010