As soon as there is a chance, my laptop/the virus types in "666666666.." - this happens when I open a browser, a document, want to rename a file etc.
(Now I'm using a friends laptop, I cannot access any website with my laptop)
Also, when I open "my computer", the cursor jumps to "6666666's documents" (which is "my documents" - after a system restore yesterday, the user name is "66666666666666". The system restore didn't help.) The cursor jumps right back to "66666666666 documents" whenever I try to open "C" or a different folder or device. Only if I'm really fast with clicking on "c" (or other) I can open a different folder/device. I also cannot delete the "66666666666 document" folder.
I did run "hijackThis" - nothing found. A booted from a USB stick with "Avira restore" on it - it found two things but everything stayed the same.
I do have the three required files - there might be "6" in the file - like I said before, as soon as there is a change, the "6666..." will be entered anywhere.
I couldn't save the third required file as .txt - therefore I cannot attach this file. I copied the content and paste it after the first file.
I really need help!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Thank you in advance!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 6.0.2900.2180
Run by 66666666666666666666 at 13:31:03 on 2014-08-04
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.702 [GMT -4:00]
.
.
============== Running Processes ================
.
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\REALTEK\RTL8187 Wireless LAN Utility\RtWLan.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\system32\msdtc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\HPQ\Shared\HPQTOA~1.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q306&bd=pavilion&pf=laptop
uInternet Connection Wizard,ShellNext = hxxp://www.piriform.com/go/app_releasenotes?p=1&v=4.16.4763&l=1033&b=1&a=0
BHO: AcroIEHlprObj Class: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
TB: &Google: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
TB: &Google: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [SunJavaUpdateSched] c:\program files\java\jre1.5.0_06\bin\jusched.exe
mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [MsmqIntCert] regsvr32 /s mqrt.dll
mRun: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [QlbCtrl] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe
mRun: [RecGuard] c:\windows\sminst\RecGuard.exe
mRun: [Reminder] c:\windows\creator\Remind_XP.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpphot~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\realte~1.lnk - c:\program files\realtek\rtl8187 wireless lan utility\RtWLan.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
TCP: NameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces\{8B48AE30-D099-438A-B92D-A6ED37D90394} : DHCPNameServer = 75.75.75.75 75.75.76.76
Notify: igfxcui - igfxdev.dll
.
============= SERVICES / DRIVERS ===============
.
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-6 99328]
.
=============== Created Last 30 ================
.
2014-08-04 16:52:37 -------- d-----w- c:\windows\system32\appmgmt
2014-08-04 15:22:56 -------- d-sha-r- C:\cmdcons
2014-08-04 15:20:11 98816 ----a-w- c:\windows\sed.exe
2014-08-04 15:20:11 256000 ----a-w- c:\windows\PEV.exe
2014-08-04 15:20:11 208896 ----a-w- c:\windows\MBR.exe
2014-08-04 00:43:59 -------- d-----w- c:\documents and settings\66666666666666666666\local settings\application data\Mozilla
2014-08-04 00:39:04 -------- d-s---w- c:\documents and settings\66666666666666666666\Temporary Internet Files
2014-08-04 00:39:04 -------- d-s---w- c:\documents and settings\66666666666666666666\History
2014-08-04 00:31:58 185344 ----a-w- c:\windows\system32\Thawbrkr.dll
2014-08-04 00:31:57 6144 ----a-w- c:\windows\system32\ftlx041e.dll
2014-08-04 00:31:57 5632 ----a-w- c:\windows\system32\kbdusa.dll
2014-08-04 00:31:57 10752 ----a-w- c:\windows\system32\c_iscii.dll
2014-08-03 23:01:11 26496 ----a-w- c:\windows\system32\dllcache\usbstor.sys
.
==================== Find3M ====================
.
2010-02-11 00:52:14 27386256 ----a-w- c:\program files\AdbeRdr930_en_US.exe
2009-08-15 19:20:49 8050536 ----a-w- c:\program files\Firefox Setup 3.5.2.exe
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, GMER - Rootkit Detector and Remover
Windows 5.1.2600
.
CreateFile("\\.\PHYSICALDRIVE0"): The process cannot access the file because it is being used by another process.
device: opened successfully
user: error reading MBR
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll iaStor.sys
c:\windows\system32\drivers\iaStor.sys Intel Corporation Intel Matrix Storage Manager driver
1 ntkrnlpa!IofCallDriver[0x804EEF9C] -> \Device\Harddisk0\DR0[0x86578AB8]
3 CLASSPNP[0xF761F05B] -> ntkrnlpa!IofCallDriver[0x804EEF9C] -> \Device\0000007b[0x86530A28]
5 ACPI[0xF7495620] -> ntkrnlpa!IofCallDriver[0x804EEF9C] -> \Device\Ide\IAAStorageDevice-0[0x865C6030]
kernel: MBR read successfully
_asm { XOR DI, DI; MOV SI, 0x200; MOV SS, DI; MOV SP, 0x7a00; MOV BX, 0x7a0; MOV CX, SI; MOV DS, BX; MOV ES, BX; REP MOVSB ; JMP FAR 0x7a0:0x7a; }
user != kernel MBR !!!
.
============= FINISH: 13:31:48.59 ===============
GMER 2.1.19357 - GMER - Rootkit Detector and Remover
Rootkit scan 2014-08-04 15:06:45
Windows 5.1.2600 Service Pack 2 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 rev. 0.00MB
Running: gmer.exe; Driver: C:\DOCUME~1\666666~1\LOCALS~1\Temp\fgndrkod.sys
---- Kernel code sections - GMER 2.1 ----
init C:\WINDOWS\system32\drivers\tifm21.sys entry point in "init" section [0xBA84FEBF]
? C:\DOCUME~1\666666~1\LOCALS~1\Temp\mbr.sys The filename, directory name, or volume label syntax is incorrect. !
---- Devices - GMER 2.1 ----
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 eabfiltr.sys
---- Disk sectors - GMER 2.1 ----
Disk \Device\Harddisk0\DR0 unknown MBR code
Disk \Device\Harddisk0\DR0 sector 0: rootkit-like behavior
---- EOF - GMER 2.1 ----
(Now I'm using a friends laptop, I cannot access any website with my laptop)
Also, when I open "my computer", the cursor jumps to "6666666's documents" (which is "my documents" - after a system restore yesterday, the user name is "66666666666666". The system restore didn't help.) The cursor jumps right back to "66666666666 documents" whenever I try to open "C" or a different folder or device. Only if I'm really fast with clicking on "c" (or other) I can open a different folder/device. I also cannot delete the "66666666666 document" folder.
I did run "hijackThis" - nothing found. A booted from a USB stick with "Avira restore" on it - it found two things but everything stayed the same.
I do have the three required files - there might be "6" in the file - like I said before, as soon as there is a change, the "6666..." will be entered anywhere.
I couldn't save the third required file as .txt - therefore I cannot attach this file. I copied the content and paste it after the first file.
I really need help!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Thank you in advance!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 6.0.2900.2180
Run by 66666666666666666666 at 13:31:03 on 2014-08-04
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.702 [GMT -4:00]
.
.
============== Running Processes ================
.
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\REALTEK\RTL8187 Wireless LAN Utility\RtWLan.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\system32\msdtc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\HPQ\Shared\HPQTOA~1.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q306&bd=pavilion&pf=laptop
uInternet Connection Wizard,ShellNext = hxxp://www.piriform.com/go/app_releasenotes?p=1&v=4.16.4763&l=1033&b=1&a=0
BHO: AcroIEHlprObj Class: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
TB: &Google: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
TB: &Google: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [SunJavaUpdateSched] c:\program files\java\jre1.5.0_06\bin\jusched.exe
mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [MsmqIntCert] regsvr32 /s mqrt.dll
mRun: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [QlbCtrl] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe
mRun: [RecGuard] c:\windows\sminst\RecGuard.exe
mRun: [Reminder] c:\windows\creator\Remind_XP.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpphot~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\realte~1.lnk - c:\program files\realtek\rtl8187 wireless lan utility\RtWLan.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
TCP: NameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces\{8B48AE30-D099-438A-B92D-A6ED37D90394} : DHCPNameServer = 75.75.75.75 75.75.76.76
Notify: igfxcui - igfxdev.dll
.
============= SERVICES / DRIVERS ===============
.
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-6 99328]
.
=============== Created Last 30 ================
.
2014-08-04 16:52:37 -------- d-----w- c:\windows\system32\appmgmt
2014-08-04 15:22:56 -------- d-sha-r- C:\cmdcons
2014-08-04 15:20:11 98816 ----a-w- c:\windows\sed.exe
2014-08-04 15:20:11 256000 ----a-w- c:\windows\PEV.exe
2014-08-04 15:20:11 208896 ----a-w- c:\windows\MBR.exe
2014-08-04 00:43:59 -------- d-----w- c:\documents and settings\66666666666666666666\local settings\application data\Mozilla
2014-08-04 00:39:04 -------- d-s---w- c:\documents and settings\66666666666666666666\Temporary Internet Files
2014-08-04 00:39:04 -------- d-s---w- c:\documents and settings\66666666666666666666\History
2014-08-04 00:31:58 185344 ----a-w- c:\windows\system32\Thawbrkr.dll
2014-08-04 00:31:57 6144 ----a-w- c:\windows\system32\ftlx041e.dll
2014-08-04 00:31:57 5632 ----a-w- c:\windows\system32\kbdusa.dll
2014-08-04 00:31:57 10752 ----a-w- c:\windows\system32\c_iscii.dll
2014-08-03 23:01:11 26496 ----a-w- c:\windows\system32\dllcache\usbstor.sys
.
==================== Find3M ====================
.
2010-02-11 00:52:14 27386256 ----a-w- c:\program files\AdbeRdr930_en_US.exe
2009-08-15 19:20:49 8050536 ----a-w- c:\program files\Firefox Setup 3.5.2.exe
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, GMER - Rootkit Detector and Remover
Windows 5.1.2600
.
CreateFile("\\.\PHYSICALDRIVE0"): The process cannot access the file because it is being used by another process.
device: opened successfully
user: error reading MBR
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll iaStor.sys
c:\windows\system32\drivers\iaStor.sys Intel Corporation Intel Matrix Storage Manager driver
1 ntkrnlpa!IofCallDriver[0x804EEF9C] -> \Device\Harddisk0\DR0[0x86578AB8]
3 CLASSPNP[0xF761F05B] -> ntkrnlpa!IofCallDriver[0x804EEF9C] -> \Device\0000007b[0x86530A28]
5 ACPI[0xF7495620] -> ntkrnlpa!IofCallDriver[0x804EEF9C] -> \Device\Ide\IAAStorageDevice-0[0x865C6030]
kernel: MBR read successfully
_asm { XOR DI, DI; MOV SI, 0x200; MOV SS, DI; MOV SP, 0x7a00; MOV BX, 0x7a0; MOV CX, SI; MOV DS, BX; MOV ES, BX; REP MOVSB ; JMP FAR 0x7a0:0x7a; }
user != kernel MBR !!!
.
============= FINISH: 13:31:48.59 ===============
GMER 2.1.19357 - GMER - Rootkit Detector and Remover
Rootkit scan 2014-08-04 15:06:45
Windows 5.1.2600 Service Pack 2 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 rev. 0.00MB
Running: gmer.exe; Driver: C:\DOCUME~1\666666~1\LOCALS~1\Temp\fgndrkod.sys
---- Kernel code sections - GMER 2.1 ----
init C:\WINDOWS\system32\drivers\tifm21.sys entry point in "init" section [0xBA84FEBF]
? C:\DOCUME~1\666666~1\LOCALS~1\Temp\mbr.sys The filename, directory name, or volume label syntax is incorrect. !
---- Devices - GMER 2.1 ----
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 eabfiltr.sys
---- Disk sectors - GMER 2.1 ----
Disk \Device\Harddisk0\DR0 unknown MBR code
Disk \Device\Harddisk0\DR0 sector 0: rootkit-like behavior
---- EOF - GMER 2.1 ----