Unknown MBR code in GMER log


  • Please log in to reply

#1 Naathim (GeekU Minion, Expert, 4,568 posts)
Hello :)

As we all say here - when in doubt, always ask. So here's my question :)

When doing some research for my PL I found a GMER report with some interesting entries. Curiosity is always strong in me, so I decided to run a GMER scan on my own netbook and check what my output would look like.
And curiosity killed the cat, of course.
I found an entry stating that the MBR code on my machine is unknown.

Of course, my next step was downloading mbr.exe just to be sure.
mbr.exe said my MBR is OK.

Frankly speaking, I just want to confirm this :)

Take a look at my GMER report:

GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2013-08-04 18:08:52
Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 Hitachi_ rev.ESBO 232,89GB
Running: u1rbbmow.exe; Driver: C:\Users\Na'athim\AppData\Local\Temp\fxrdqpow.sys


---- Kernel code sections - GMER 2.1 ----

.text ntkrnlpa.exe!ZwRollbackEnlistment + 140D 81E749F5 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 81EAE1F2 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}

---- User code sections - GMER 2.1 ----

.text C:\Program Files\Google\Chrome\Application\chrome.exe[4744] ntdll.dll!NtCreateFile + 6 773D55CE 4 Bytes [28, 0C, 5C, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4744] ntdll.dll!NtCreateFile + B 773D55D3 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4744] ntdll.dll!NtMapViewOfSection + 6 773D5C2E 4 Bytes [28, 0F, 5C, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4744] ntdll.dll!NtMapViewOfSection + B 773D5C33 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4744] ntdll.dll!NtOpenFile + 6 773D5CDE 4 Bytes [68, 0C, 5C, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4744] ntdll.dll!NtOpenFile + B 773D5CE3 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4744] ntdll.dll!NtOpenProcess + 6 773D5D8E 4 Bytes [A8, 0D, 5C, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4744] ntdll.dll!NtOpenProcess + B 773D5D93 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4744] ntdll.dll!NtOpenProcessToken + B 773D5DA3 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4744] ntdll.dll!NtOpenProcessTokenEx + 6 773D5DAE 4 Bytes [A8, 0E, 5C, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4744] ntdll.dll!NtOpenProcessTokenEx + B 773D5DB3 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4744] ntdll.dll!NtOpenThread + 6 773D5E0E 4 Bytes [68, 0D, 5C, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4744] ntdll.dll!NtOpenThread + B 773D5E13 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4744] ntdll.dll!NtOpenThreadToken + 6 773D5E1E 4 Bytes [68, 0E, 5C, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4744] ntdll.dll!NtOpenThreadToken + B 773D5E23 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4744] ntdll.dll!NtOpenThreadTokenEx + B 773D5E33 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4744] ntdll.dll!NtQueryAttributesFile + 6 773D5F3E 4 Bytes [A8, 0C, 5C, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4744] ntdll.dll!NtQueryAttributesFile + B 773D5F43 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4744] ntdll.dll!NtQueryFullAttributesFile + B 773D5FF3 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4744] ntdll.dll!NtSetInformationFile + 6 773D663E 4 Bytes [28, 0D, 5C, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4744] ntdll.dll!NtSetInformationFile + B 773D6643 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4744] ntdll.dll!NtSetInformationThread + 6 773D669E 4 Bytes [28, 0E, 5C, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4744] ntdll.dll!NtSetInformationThread + B 773D66A3 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4744] ntdll.dll!NtUnmapViewOfSection + 6 773D69BE 4 Bytes [68, 0F, 5C, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4744] ntdll.dll!NtUnmapViewOfSection + B 773D69C3 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4760] ntdll.dll!NtCreateFile + 6 773D55CE 4 Bytes [28, E4, 73, 00] {SUB AH, AH; JAE 0x4}
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4760] ntdll.dll!NtCreateFile + B 773D55D3 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4760] ntdll.dll!NtMapViewOfSection + 6 773D5C2E 4 Bytes [28, E7, 73, 00] {SUB BH, AH; JAE 0x4}
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4760] ntdll.dll!NtMapViewOfSection + B 773D5C33 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4760] ntdll.dll!NtOpenFile + 6 773D5CDE 4 Bytes [68, E4, 73, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4760] ntdll.dll!NtOpenFile + B 773D5CE3 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4760] ntdll.dll!NtOpenProcess + 6 773D5D8E 4 Bytes [A8, E5, 73, 00] {TEST AL, 0xe5; JAE 0x4}
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4760] ntdll.dll!NtOpenProcess + B 773D5D93 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4760] ntdll.dll!NtOpenProcessToken + B 773D5DA3 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4760] ntdll.dll!NtOpenProcessTokenEx + 6 773D5DAE 4 Bytes [A8, E6, 73, 00] {TEST AL, 0xe6; JAE 0x4}
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4760] ntdll.dll!NtOpenProcessTokenEx + B 773D5DB3 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4760] ntdll.dll!NtOpenThread + 6 773D5E0E 4 Bytes [68, E5, 73, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4760] ntdll.dll!NtOpenThread + B 773D5E13 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4760] ntdll.dll!NtOpenThreadToken + 6 773D5E1E 4 Bytes [68, E6, 73, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4760] ntdll.dll!NtOpenThreadToken + B 773D5E23 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4760] ntdll.dll!NtOpenThreadTokenEx + B 773D5E33 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4760] ntdll.dll!NtQueryAttributesFile + 6 773D5F3E 4 Bytes [A8, E4, 73, 00] {TEST AL, 0xe4; JAE 0x4}
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4760] ntdll.dll!NtQueryAttributesFile + B 773D5F43 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4760] ntdll.dll!NtQueryFullAttributesFile + B 773D5FF3 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4760] ntdll.dll!NtSetInformationFile + 6 773D663E 4 Bytes [28, E5, 73, 00] {SUB CH, AH; JAE 0x4}
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4760] ntdll.dll!NtSetInformationFile + B 773D6643 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4760] ntdll.dll!NtSetInformationThread + 6 773D669E 4 Bytes [28, E6, 73, 00] {SUB DH, AH; JAE 0x4}
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4760] ntdll.dll!NtSetInformationThread + B 773D66A3 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4760] ntdll.dll!NtUnmapViewOfSection + 6 773D69BE 4 Bytes [68, E7, 73, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4760] ntdll.dll!NtUnmapViewOfSection + B 773D69C3 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5380] ntdll.dll!NtCreateFile + 6 773D55CE 4 Bytes [28, 40, 40, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5380] ntdll.dll!NtCreateFile + B 773D55D3 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5380] ntdll.dll!NtMapViewOfSection + 6 773D5C2E 4 Bytes [28, 43, 40, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5380] ntdll.dll!NtMapViewOfSection + B 773D5C33 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5380] ntdll.dll!NtOpenFile + 6 773D5CDE 4 Bytes [68, 40, 40, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5380] ntdll.dll!NtOpenFile + B 773D5CE3 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5380] ntdll.dll!NtOpenProcess + 6 773D5D8E 4 Bytes [A8, 41, 40, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5380] ntdll.dll!NtOpenProcess + B 773D5D93 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5380] ntdll.dll!NtOpenProcessToken + B 773D5DA3 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5380] ntdll.dll!NtOpenProcessTokenEx + 6 773D5DAE 4 Bytes [A8, 42, 40, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5380] ntdll.dll!NtOpenProcessTokenEx + B 773D5DB3 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5380] ntdll.dll!NtOpenThread + 6 773D5E0E 4 Bytes [68, 41, 40, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5380] ntdll.dll!NtOpenThread + B 773D5E13 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5380] ntdll.dll!NtOpenThreadToken + 6 773D5E1E 4 Bytes [68, 42, 40, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5380] ntdll.dll!NtOpenThreadToken + B 773D5E23 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5380] ntdll.dll!NtOpenThreadTokenEx + B 773D5E33 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5380] ntdll.dll!NtQueryAttributesFile + 6 773D5F3E 4 Bytes [A8, 40, 40, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5380] ntdll.dll!NtQueryAttributesFile + B 773D5F43 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5380] ntdll.dll!NtQueryFullAttributesFile + B 773D5FF3 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5380] ntdll.dll!NtSetInformationFile + 6 773D663E 4 Bytes [28, 41, 40, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5380] ntdll.dll!NtSetInformationFile + B 773D6643 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5380] ntdll.dll!NtSetInformationThread + 6 773D669E 4 Bytes [28, 42, 40, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5380] ntdll.dll!NtSetInformationThread + B 773D66A3 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5380] ntdll.dll!NtUnmapViewOfSection + 6 773D69BE 4 Bytes [68, 43, 40, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5380] ntdll.dll!NtUnmapViewOfSection + B 773D69C3 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5476] ntdll.dll!NtCreateFile + 6 773D55CE 4 Bytes [28, 2C, 8C, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5476] ntdll.dll!NtCreateFile + B 773D55D3 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5476] ntdll.dll!NtMapViewOfSection + 6 773D5C2E 4 Bytes [28, 2F, 8C, 00] {SUB [EDI], CH; MOV [EAX], ES}
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5476] ntdll.dll!NtMapViewOfSection + B 773D5C33 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5476] ntdll.dll!NtOpenFile + 6 773D5CDE 4 Bytes [68, 2C, 8C, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5476] ntdll.dll!NtOpenFile + B 773D5CE3 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5476] ntdll.dll!NtOpenProcess + 6 773D5D8E 4 Bytes [A8, 2D, 8C, 00] {TEST AL, 0x2d; MOV [EAX], ES}
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5476] ntdll.dll!NtOpenProcess + B 773D5D93 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5476] ntdll.dll!NtOpenProcessToken + B 773D5DA3 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5476] ntdll.dll!NtOpenProcessTokenEx + 6 773D5DAE 4 Bytes [A8, 2E, 8C, 00] {TEST AL, 0x2e; MOV [EAX], ES}
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5476] ntdll.dll!NtOpenProcessTokenEx + B 773D5DB3 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5476] ntdll.dll!NtOpenThread + 6 773D5E0E 4 Bytes [68, 2D, 8C, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5476] ntdll.dll!NtOpenThread + B 773D5E13 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5476] ntdll.dll!NtOpenThreadToken + 6 773D5E1E 4 Bytes [68, 2E, 8C, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5476] ntdll.dll!NtOpenThreadToken + B 773D5E23 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5476] ntdll.dll!NtOpenThreadTokenEx + B 773D5E33 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5476] ntdll.dll!NtQueryAttributesFile + 6 773D5F3E 4 Bytes [A8, 2C, 8C, 00] {TEST AL, 0x2c; MOV [EAX], ES}
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5476] ntdll.dll!NtQueryAttributesFile + B 773D5F43 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5476] ntdll.dll!NtQueryFullAttributesFile + B 773D5FF3 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5476] ntdll.dll!NtSetInformationFile + 6 773D663E 4 Bytes [28, 2D, 8C, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5476] ntdll.dll!NtSetInformationFile + B 773D6643 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5476] ntdll.dll!NtSetInformationThread + 6 773D669E 4 Bytes [28, 2E, 8C, 00] {SUB [ESI], CH; MOV [EAX], ES}
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5476] ntdll.dll!NtSetInformationThread + B 773D66A3 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5476] ntdll.dll!NtUnmapViewOfSection + 6 773D69BE 4 Bytes [68, 2F, 8C, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5476] ntdll.dll!NtUnmapViewOfSection + B 773D69C3 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5644] ntdll.dll!NtCreateFile + 6 773D55CE 4 Bytes [28, B0, 9C, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5644] ntdll.dll!NtCreateFile + B 773D55D3 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5644] ntdll.dll!NtMapViewOfSection + 6 773D5C2E 4 Bytes [28, B3, 9C, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5644] ntdll.dll!NtMapViewOfSection + B 773D5C33 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5644] ntdll.dll!NtOpenFile + 6 773D5CDE 4 Bytes [68, B0, 9C, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5644] ntdll.dll!NtOpenFile + B 773D5CE3 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5644] ntdll.dll!NtOpenProcess + 6 773D5D8E 4 Bytes [A8, B1, 9C, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5644] ntdll.dll!NtOpenProcess + B 773D5D93 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5644] ntdll.dll!NtOpenProcessToken + B 773D5DA3 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5644] ntdll.dll!NtOpenProcessTokenEx + 6 773D5DAE 4 Bytes [A8, B2, 9C, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5644] ntdll.dll!NtOpenProcessTokenEx + B 773D5DB3 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5644] ntdll.dll!NtOpenThread + 6 773D5E0E 4 Bytes [68, B1, 9C, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5644] ntdll.dll!NtOpenThread + B 773D5E13 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5644] ntdll.dll!NtOpenThreadToken + 6 773D5E1E 4 Bytes [68, B2, 9C, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5644] ntdll.dll!NtOpenThreadToken + B 773D5E23 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5644] ntdll.dll!NtOpenThreadTokenEx + B 773D5E33 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5644] ntdll.dll!NtQueryAttributesFile + 6 773D5F3E 4 Bytes [A8, B0, 9C, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5644] ntdll.dll!NtQueryAttributesFile + B 773D5F43 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5644] ntdll.dll!NtQueryFullAttributesFile + B 773D5FF3 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5644] ntdll.dll!NtSetInformationFile + 6 773D663E 4 Bytes [28, B1, 9C, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5644] ntdll.dll!NtSetInformationFile + B 773D6643 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5644] ntdll.dll!NtSetInformationThread + 6 773D669E 4 Bytes [28, B2, 9C, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5644] ntdll.dll!NtSetInformationThread + B 773D66A3 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5644] ntdll.dll!NtUnmapViewOfSection + 6 773D69BE 4 Bytes [68, B3, 9C, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5644] ntdll.dll!NtUnmapViewOfSection + B 773D69C3 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5712] ntdll.dll!NtCreateFile + 6 773D55CE 4 Bytes [28, 3C, B6, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5712] ntdll.dll!NtCreateFile + B 773D55D3 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5712] ntdll.dll!NtMapViewOfSection + 6 773D5C2E 4 Bytes [28, 3F, B6, 00] {SUB [EDI], BH; MOV DH, 0x0}
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5712] ntdll.dll!NtMapViewOfSection + B 773D5C33 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5712] ntdll.dll!NtOpenFile + 6 773D5CDE 4 Bytes [68, 3C, B6, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5712] ntdll.dll!NtOpenFile + B 773D5CE3 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5712] ntdll.dll!NtOpenProcess + 6 773D5D8E 4 Bytes [A8, 3D, B6, 00] {TEST AL, 0x3d; MOV DH, 0x0}
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5712] ntdll.dll!NtOpenProcess + B 773D5D93 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5712] ntdll.dll!NtOpenProcessToken + B 773D5DA3 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5712] ntdll.dll!NtOpenProcessTokenEx + 6 773D5DAE 4 Bytes [A8, 3E, B6, 00] {TEST AL, 0x3e; MOV DH, 0x0}
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5712] ntdll.dll!NtOpenProcessTokenEx + B 773D5DB3 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5712] ntdll.dll!NtOpenThread + 6 773D5E0E 4 Bytes [68, 3D, B6, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5712] ntdll.dll!NtOpenThread + B 773D5E13 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5712] ntdll.dll!NtOpenThreadToken + 6 773D5E1E 4 Bytes [68, 3E, B6, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5712] ntdll.dll!NtOpenThreadToken + B 773D5E23 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5712] ntdll.dll!NtOpenThreadTokenEx + B 773D5E33 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5712] ntdll.dll!NtQueryAttributesFile + 6 773D5F3E 4 Bytes [A8, 3C, B6, 00] {TEST AL, 0x3c; MOV DH, 0x0}
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5712] ntdll.dll!NtQueryAttributesFile + B 773D5F43 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5712] ntdll.dll!NtQueryFullAttributesFile + B 773D5FF3 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5712] ntdll.dll!NtSetInformationFile + 6 773D663E 4 Bytes [28, 3D, B6, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5712] ntdll.dll!NtSetInformationFile + B 773D6643 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5712] ntdll.dll!NtSetInformationThread + 6 773D669E 4 Bytes [28, 3E, B6, 00] {SUB [ESI], BH; MOV DH, 0x0}
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5712] ntdll.dll!NtSetInformationThread + B 773D66A3 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5712] ntdll.dll!NtUnmapViewOfSection + 6 773D69BE 4 Bytes [68, 3F, B6, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5712] ntdll.dll!NtUnmapViewOfSection + B 773D69C3 1 Byte [E2]

---- Devices - GMER 2.1 ----

Device \Driver\BTHUSB \Device\00000071 bthport.sys
Device \Driver\BTHUSB \Device\00000073 bthport.sys

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\4cedde6a7914
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\b4749f8b0669
Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{3EFA1E6C-4B24-4E21-87E5-353A1AAF3450}@LeaseObtainedTime 1375624234
Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{3EFA1E6C-4B24-4E21-87E5-353A1AAF3450}@T1 1375626034
Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{3EFA1E6C-4B24-4E21-87E5-353A1AAF3450}@T2 1375627384
Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{3EFA1E6C-4B24-4E21-87E5-353A1AAF3450}@LeaseTerminatesTime 1375627834
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\4cedde6a7914 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\b4749f8b0669 (not active ControlSet)

---- Disk sectors - GMER 2.1 ----

Disk \Device\Harddisk0\DR0 unknown MBR code

---- Files - GMER 2.1 ----

File C:\Users\Na'athim\AppData\Local\Google\Chrome\User Data\Default\Cache\f_003761 28037 bytes
File C:\Users\Na'athim\AppData\Local\Google\Chrome\User Data\Default\Cache\f_003762 0 bytes
File C:\Users\Na'athim\AppData\Local\Google\Chrome\User Data\Default\Cache\f_003763 0 bytes

---- EOF - GMER 2.1 ----

And my mbr.exe report:

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.1.7601 Disk: Hitachi_ rev.ESBO -> Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK

Of course, also the OTL file:

OTL logfile created on: 8/4/2013 6:10:26 PM - Run 5
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Na'athim\Desktop
Starter Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.10.9200.16635)
Locale: 00000409 | Country: Polska | Language: PLK | Date Format: yyyy-MM-dd

1013.30 Mb Total Physical Memory | 56.53 Mb Available Physical Memory | 5.58% Memory free
2.19 Gb Paging File | 0.40 Gb Available in Paging File | 18.21% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\windows | %ProgramFiles% = C:\Program Files
Drive C: | 62.00 Gb Total Space | 32.87 Gb Free Space | 53.01% Space Free | Partition Type: NTFS
Drive D: | 153.76 Gb Total Space | 150.43 Gb Free Space | 97.84% Space Free | Partition Type: NTFS

Computer Name: NAATHIM | User Name: Na'athim | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2013/07/25 02:49:49 | 000,846,288 | ---- | M] (Google Inc.) -- C:\Program Files\Google\Chrome\Application\chrome.exe
PRC - [2013/07/18 16:16:40 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Na'athim\Desktop\OTL.exe
PRC - [2013/05/25 02:47:30 | 027,776,968 | ---- | M] (Dropbox, Inc.) -- C:\Users\Na'athim\AppData\Roaming\Dropbox\bin\Dropbox.exe
PRC - [2013/05/10 09:57:22 | 000,065,640 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
PRC - [2012/11/23 04:48:41 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
PRC - [2012/10/04 16:57:58 | 000,271,360 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\conhost.exe
PRC - [2011/07/06 19:13:23 | 002,615,624 | ---- | M] (Immunet) -- C:\Program Files\Immunet Protect\2.0.17\iptray.exe
PRC - [2011/07/06 19:13:22 | 000,756,680 | ---- | M] (Immunet Corporation) -- C:\Program Files\Immunet Protect\2.0.17\agent.exe
PRC - [2011/05/18 08:22:53 | 000,099,896 | ---- | M] (HP) -- C:\Windows\System32\HPSIsvc.exe
PRC - [2011/02/07 11:55:24 | 001,757,264 | ---- | M] (SAMSUNG Electronics) -- C:\Program Files\Samsung\Samsung Support Center\SSCKbdHk.exe
PRC - [2011/01/04 15:06:42 | 007,060,560 | ---- | M] (Samsung Electronics Co., Ltd.) -- C:\Program Files\Samsung\Easy Display Manager\WifiManager.exe
PRC - [2010/12/23 08:07:58 | 000,945,232 | ---- | M] (Samsung Electronics Co., Ltd.) -- C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe
PRC - [2010/11/29 18:31:22 | 001,418,592 | ---- | M] (SRS Labs, Inc.) -- C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel.exe
PRC - [2010/11/29 07:42:38 | 000,775,848 | ---- | M] (Samsung Electronics Co., Ltd.) -- C:\Program Files\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe
PRC - [2010/11/20 14:17:09 | 002,616,320 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2010/11/17 10:24:54 | 004,387,632 | ---- | M] (SEC) -- C:\Program Files\Samsung\Samsung Recovery Solution 5\WCScheduler.exe
PRC - [2010/11/13 00:24:08 | 001,602,344 | ---- | M] (ELAN Microelectronics Corp.) -- C:\Program Files\Elantech\ETDCtrlHelper.exe
PRC - [2010/11/13 00:24:06 | 001,812,264 | ---- | M] (ELAN Microelectronics Corp.) -- C:\Program Files\Elantech\ETDCtrl.exe
PRC - [2010/11/10 01:03:52 | 000,136,488 | ---- | M] (CyberLink) -- C:\Program Files\CyberLink\YouCam\YCMMirage.exe
PRC - [2010/10/22 18:07:00 | 000,656,672 | ---- | M] (Broadcom Corporation.) -- C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
PRC - [2010/08/27 03:52:12 | 002,782,064 | ---- | M] (Samsung Electronics) -- C:\Program Files\Samsung\Samsung Update Plus\SUPBackground.exe
PRC - [2010/08/05 07:16:04 | 002,208,624 | ---- | M] (Samsung Electronics Co., Ltd.) -- C:\Program Files\Samsung\SamsungFastStart\SmartRestarter.exe
PRC - [2010/05/11 15:58:04 | 000,247,352 | ---- | M] (HP) -- C:\Program Files\HP\HP LaserJet M1210 MFP Series\ReceiveFaxUtility.exe
PRC - [2010/02/10 16:29:52 | 000,719,360 | ---- | M] (Samsung Electronics Co., Ltd.) -- C:\Program Files\Samsung\EasySpeedUpManager\EasySpeedUpManager.exe


========== Modules (No Company Name) ==========

MOD - [2013/07/25 02:49:46 | 000,396,240 | ---- | M] () -- C:\Program Files\Google\Chrome\Application\28.0.1500.95\ppgooglenaclpluginchrome.dll
MOD - [2013/07/25 02:49:44 | 004,052,944 | ---- | M] () -- C:\Program Files\Google\Chrome\Application\28.0.1500.95\pdf.dll
MOD - [2013/07/25 02:48:54 | 000,601,552 | ---- | M] () -- C:\Program Files\Google\Chrome\Application\28.0.1500.95\libglesv2.dll
MOD - [2013/07/25 02:48:53 | 000,123,344 | ---- | M] () -- C:\Program Files\Google\Chrome\Application\28.0.1500.95\libegl.dll
MOD - [2013/07/25 02:48:51 | 001,597,392 | ---- | M] () -- C:\Program Files\Google\Chrome\Application\28.0.1500.95\ffmpegsumo.dll
MOD - [2013/03/13 22:48:52 | 024,978,944 | ---- | M] () -- C:\Users\Na'athim\AppData\Roaming\Dropbox\bin\libcef.dll
MOD - [2012/11/14 01:32:50 | 003,558,400 | ---- | M] () -- C:\Users\Na'athim\AppData\Roaming\Dropbox\bin\wxmsw28uh_vc.dll
MOD - [2011/07/06 19:13:24 | 000,331,592 | ---- | M] () -- C:\Program Files\Immunet Protect\2.0.17\dhr.dll
MOD - [2011/07/06 19:13:23 | 000,183,624 | ---- | M] () -- C:\Program Files\Immunet Protect\2.0.17\dcf.dll
MOD - [2011/07/06 19:13:23 | 000,102,728 | ---- | M] () -- C:\Program Files\Immunet Protect\2.0.17\drs.dll
MOD - [2011/07/06 19:13:23 | 000,029,000 | ---- | M] () -- C:\Program Files\Immunet Protect\2.0.17\dut.dll
MOD - [2011/07/06 19:13:23 | 000,021,832 | ---- | M] () -- C:\Program Files\Immunet Protect\2.0.17\dxm.dll
MOD - [2010/07/05 12:42:58 | 000,203,776 | ---- | M] () -- C:\Program Files\Samsung\Movie Color Enhancer\WinCRT.dll
MOD - [2010/05/07 16:22:18 | 001,636,864 | ---- | M] () -- C:\Program Files\Samsung\Samsung Recovery Solution 5\Resdll.dll
MOD - [2006/08/12 05:48:40 | 000,049,152 | ---- | M] () -- C:\Program Files\Samsung\Easy Display Manager\HookDllPS2.dll


========== Services (SafeList) ==========

SRV - [2013/05/27 06:57:27 | 000,680,960 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2013/05/10 09:57:22 | 000,065,640 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2013/01/08 12:55:20 | 000,161,536 | R--- | M] (Skype Technologies) [Auto | Stopped] -- C:\Program Files\Skype\Updater\Updater.exe -- (SkypeUpdate)
SRV - [2011/07/06 19:13:26 | 000,326,224 | ---- | M] (Immunet) [On_Demand | Stopped] -- C:\Program Files\Immunet Protect\tetra\scan.dll -- (scan)
SRV - [2011/07/06 19:13:22 | 000,756,680 | ---- | M] (Immunet Corporation) [Auto | Running] -- C:\Program Files\Immunet Protect\2.0.17\agent.exe -- (ImmunetProtect)
SRV - [2011/05/18 08:22:53 | 000,099,896 | ---- | M] (HP) [Auto | Running] -- C:\Windows\System32\HPSIsvc.exe -- (HPSIService)
SRV - [2010/10/22 18:07:00 | 000,656,672 | ---- | M] (Broadcom Corporation.) [Auto | Running] -- C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe -- (btwdins)
SRV - [2010/08/09 21:04:04 | 000,131,888 | ---- | M] (Samsung Electronics CO., LTD.) [On_Demand | Stopped] -- C:\Windows\System32\SUPDSvc.exe -- (Samsung UPD Service)
SRV - [2010/05/11 15:58:04 | 000,247,352 | ---- | M] (HP) [Auto | Running] -- C:\Program Files\HP\HP LaserJet M1210 MFP Series\ReceiveFaxUtility.exe -- (HPM1210RcvFaxSrvc)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Unknown] -- C:\Users\Na'athim\AppData\Local\Temp\mbr.sys -- (mbr)
DRV - [2013/08/04 16:10:52 | 000,103,680 | ---- | M] (GMER) [Kernel | On_Demand | Running] -- C:\fxrdqpow.sys -- (fxrdqpow)
DRV - [2011/07/06 19:13:28 | 000,041,424 | ---- | M] (Windows ® Codename Longhorn DDK provider) [File_System | System | Running] -- C:\Windows\System32\drivers\ImmunetProtect.sys -- (ImmunetProtectDriver)
DRV - [2011/07/06 19:13:28 | 000,031,184 | ---- | M] (Windows ® Codename Longhorn DDK provider) [File_System | System | Running] -- C:\Windows\System32\drivers\ImmunetSelfProtect.sys -- (ImmunetSelfProtectDriver)
DRV - [2011/05/05 09:00:02 | 000,015,656 | ---- | M] (Windows ® 2003 DDK 3790 provider) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\rtport.sys -- (rtport)
DRV - [2011/02/11 10:16:42 | 000,050,176 | ---- | M] (Samsung) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\samsung_hspa_datacard_dc_enum.sys -- (samsung_hspa_datacard_dc_enum)
DRV - [2011/02/11 10:16:42 | 000,046,592 | ---- | M] (Samsung) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\samsung_hspa_datacard_cdc_ecm.sys -- (samsung_hspa_datacard_cdc_ecm)
DRV - [2011/02/11 10:16:42 | 000,042,496 | ---- | M] (Samsung) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\samsung_hspa_datacard_cdc_acm.sys -- (samsung_hspa_datacard_cdc_acm)
DRV - [2010/11/20 12:24:41 | 000,052,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV - [2010/11/20 11:59:44 | 000,035,968 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\winusb.sys -- (WinUsb)
DRV - [2010/11/10 01:04:14 | 000,027,632 | ---- | M] (CyberLink Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\clwvd.sys -- (clwvd)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...rc=IE-SearchBox
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.co...g}&sourceid=ie7


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-2669151935-2958107513-993041615-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://samsung.msn.com
IE - HKU\S-1-5-21-2669151935-2958107513-993041615-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
IE - HKU\S-1-5-21-2669151935-2958107513-993041615-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\S-1-5-21-2669151935-2958107513-993041615-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/
IE - HKU\S-1-5-21-2669151935-2958107513-993041615-1000\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKU\S-1-5-21-2669151935-2958107513-993041615-1000\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.co...g}&sourceid=ie7
IE - HKU\S-1-5-21-2669151935-2958107513-993041615-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\5.1.20513.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.153\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.153\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.4\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/07/06 19:16:25 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.4\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2013/05/23 20:59:50 | 000,000,000 | ---D | M]

[2012/10/24 21:33:49 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Na'athim\AppData\Roaming\mozilla\Extensions
[2012/10/24 21:33:49 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Na'athim\AppData\Roaming\mozilla\Firefox\Profiles\ixt07doi.default\extensions
[2011/07/06 19:16:20 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2010/06/12 02:54:19 | 000,002,767 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\allegro-pl.xml
[2010/06/12 02:54:19 | 000,001,406 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\fbc-pl.xml
[2010/06/12 02:54:19 | 000,000,917 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\merlin-pl.xml
[2010/06/12 02:54:19 | 000,000,858 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\pwn-pl.xml
[2010/06/12 02:54:19 | 000,001,183 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia-pl.xml
[2010/06/12 02:54:19 | 000,001,683 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wp-pl.xml

========== Chrome ==========

CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}{google:searchClient}{google:sourceId}{google:instantExtendedEnabledParameter}ie={inputEncoding}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&q={searchTerms}&{google:cursorPosition}{google:zeroPrefixUrl}sugkey={google:suggestAPIKeyParameter},
CHR - homepage: http://www.google.com/
CHR - plugin: Shockwave Flash (Enabled) = C:\Program Files\Google\Chrome\Application\21.0.1180.89\PepperFlash\pepflashplayer.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Program Files\Google\Chrome\Application\28.0.1500.95\gcswf32.dll
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Program Files\Google\Chrome\Application\28.0.1500.95\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Program Files\Google\Chrome\Application\28.0.1500.95\pdf.dll
CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll
CHR - plugin: Google Talk Plugin (Enabled) = C:\Users\Na'athim\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
CHR - plugin: Google Talk Plugin Video Accelerator (Enabled) = C:\Users\Na'athim\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll
CHR - plugin: Google Earth Plugin (Enabled) = C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll
CHR - plugin: Google Updater (Enabled) = C:\Program Files\Google\Google Updater\2.4.2166.3772\npCIDetect14.dll
CHR - plugin: Picasa (Enabled) = C:\Program Files\Google\Picasa3\npPicasa3.dll
CHR - plugin: Google Update (Enabled) = C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll
CHR - plugin: Silverlight Plug-In (Enabled) = C:\Program Files\Microsoft Silverlight\4.0.50401.0\npctrl.dll
CHR - plugin: Windows Live\u0099 Photo Gallery (Enabled) = C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll
CHR - Extension: Google Translate = C:\Users\Na'athim\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapbdbdomjkkjkaonfhkkikfgjllcleb\1.2.4_1\
CHR - Extension: Dysk Google = C:\Users\Na'athim\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\6.3_0\
CHR - Extension: Turn Off the Lights = C:\Users\Na'athim\AppData\Local\Google\Chrome\User Data\Default\Extensions\bfbmjmiodbnnpllbbbfblcplfjjepjdn\2.2.0.12_1\
CHR - Extension: Turn Off the Lights = C:\Users\Na'athim\AppData\Local\Google\Chrome\User Data\Default\Extensions\bfbmjmiodbnnpllbbbfblcplfjjepjdn\2.2.0.20_0\
CHR - Extension: QRreader beta = C:\Users\Na'athim\AppData\Local\Google\Chrome\User Data\Default\Extensions\bfdjglobiolninfgldchakgfldifphic\0.4_0\
CHR - Extension: WOT = C:\Users\Na'athim\AppData\Local\Google\Chrome\User Data\Default\Extensions\bhmmomiinigofkjcapegjjndpbikblnp\1.4.13_0\
CHR - Extension: Adblock Plus = C:\Users\Na'athim\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb\1.5.3_0\
CHR - Extension: Mailto: for Gmail\u2122 = C:\Users\Na'athim\AppData\Local\Google\Chrome\User Data\Default\Extensions\dgkkmcknielgdhebimdnfahpipajcpjn\2.4_1\
CHR - Extension: Google+ = C:\Users\Na'athim\AppData\Local\Google\Chrome\User Data\Default\Extensions\dlppkpafhbajpcmmoheippocdidnckmm\1.2.0.418_0\
CHR - Extension: Gmail offline = C:\Users\Na'athim\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejidjjhkpiempkbhmpbfngldlkglhimk\1.19_0\
CHR - Extension: Kalendarz Google = C:\Users\Na'athim\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejjicmeblgpmajnghnpcppodonldlgfn\4.5.3_0\
CHR - Extension: PanicButton = C:\Users\Na'athim\AppData\Local\Google\Chrome\User Data\Default\Extensions\faminaibgiklngmfpfbhmokfmnglamcm\0.14.2.2_1\
CHR - Extension: MagicScroll eBook Reader = C:\Users\Na'athim\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghgnmgfdoiplfmhgghbmlphanpfmjble\3.0_0\
CHR - Extension: AdBlock = C:\Users\Na'athim\AppData\Local\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom\2.6.4_0\
CHR - Extension: FlashBlock = C:\Users\Na'athim\AppData\Local\Google\Chrome\User Data\Default\Extensions\gofhjkjmkpinhpoiabjplobcaignabnl\0.9.31_1\
CHR - Extension: Calc SS3 = C:\Users\Na'athim\AppData\Local\Google\Chrome\User Data\Default\Extensions\iicfbobganffbpdodmdcbcpblomkbeoa\0.9.98_0\
CHR - Extension: Dropbox = C:\Users\Na'athim\AppData\Local\Google\Chrome\User Data\Default\Extensions\ioekoebejdcmnlefjiknokhhafglcjdl\3.0.6_0\
CHR - Extension: Trash Can = C:\Users\Na'athim\AppData\Local\Google\Chrome\User Data\Default\Extensions\jbdjgdkojiakdhlhfcaohpfgjgemcegi\0.1_1\
CHR - Extension: Zoho Writer = C:\Users\Na'athim\AppData\Local\Google\Chrome\User Data\Default\Extensions\jgaeidloagadfcohacebhbkkapgpiddj\1.3.1_1\
CHR - Extension: Malware Search = C:\Users\Na'athim\AppData\Local\Google\Chrome\User Data\Default\Extensions\kgleioieeffejophokeklefchfglgmnk\0.1.2_0\
CHR - Extension: Brudnopis = C:\Users\Na'athim\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjebfhglflhjjjiceimfkgicifkhjlnm\4.0_1\
CHR - Extension: Mapy Google = C:\Users\Na'athim\AppData\Local\Google\Chrome\User Data\Default\Extensions\lneaknkopdijkpnocmklfnjbeapigfbh\5.2.7_1\
CHR - Extension: Google Mail Multi-Account Checker = C:\Users\Na'athim\AppData\Local\Google\Chrome\User Data\Default\Extensions\mcpnehokodklgijkcakcfmccgpanipfp\2.0.24_0\
CHR - Extension: Turkish Flag Theme = C:\Users\Na'athim\AppData\Local\Google\Chrome\User Data\Default\Extensions\meepdekdobmlffgknnpdegfhgpgccnjc\0.2_0\
CHR - Extension: Sprawdzanie poczty Google = C:\Users\Na'athim\AppData\Local\Google\Chrome\User Data\Default\Extensions\mihcahmgecmbnbcchbopgniflfhgnkff\4.4.0_1\
CHR - Extension: Rozszerzenie Subskrypcje RSS (od Google) = C:\Users\Na'athim\AppData\Local\Google\Chrome\User Data\Default\Extensions\nlbjncdgjeocebhnmkbbbdekmmmcbfjd\2.2.2_1\
CHR - Extension: Przegl\u0105darka dokument\u00F3w PDF/PowerPoint (od Google) = C:\Users\Na'athim\AppData\Local\Google\Chrome\User Data\Default\Extensions\nnbmlagghjjcbdhgmkedmbmedengocbn\3.10_0\
CHR - Extension: Google Chrome to Phone Extension = C:\Users\Na'athim\AppData\Local\Google\Chrome\User Data\Default\Extensions\oadboiipflhobonjjffjbfekfjcgkhco\2.3.2_1\
CHR - Extension: Send from Gmail (by Google) = C:\Users\Na'athim\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgphcomnlaojlmmcjmiddhdapjpbgeoc\1.16_0\

O1 HOSTS File: ([2009/06/10 23:39:37 | 000,000,824 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O2 - BHO: (W2PBrowser Class) - {AA609D72-8482-4076-8991-8CDAE5B93BCB} - C:\Program Files\Samsung AnyWeb Print\W2PBrowser.dll ()
O4 - HKLM..\Run: [Immunet Protect] C:\Program Files\Immunet Protect\2.0.17\iptray.exe (Immunet)
O4 - HKU\.DEFAULT..\RunOnce: [SPReview] C:\windows\System32\SPReview\SPReview.exe (Microsoft Corporation)
O4 - HKU\S-1-5-18..\RunOnce: [SPReview] C:\windows\System32\SPReview\SPReview.exe (Microsoft Corporation)
O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (Microsoft Corporation)
O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (Microsoft Corporation)
O4 - Startup: C:\Users\Na'athim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk = C:\Users\Na'athim\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O8 - Extra context menu item: Funkcja Google Sidewiki - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_43C348BC2E93EB2B.dll/cmsidewiki.html File not found
O8 - Extra context menu item: Wyślij obraz do urządzenia &Bluetooth... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm ()
O8 - Extra context menu item: Wyślij stronę do urządzenia &Bluetooth... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra Button: Samsung AnyWeb Print - {328ECD19-C167-40eb-A0C7-16FE7634105E} - C:\Program Files\Samsung AnyWeb Print\W2PBrowser.dll ()
O9 - Extra Button: @C:\Program Files\WIDCOMM\Bluetooth Software\btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : @C:\Program Files\WIDCOMM\Bluetooth Software\btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O13 - gopher Prefix: missing
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 62.21.99.95
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{3EFA1E6C-4B24-4E21-87E5-353A1AAF3450}: DhcpNameServer = 62.21.99.95
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{EC1E8A60-A90F-4369-9D91-D1845470D9A6}: NameServer = 217.116.104.104 217.116.100.100
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{FEB55669-9550-4ABD-8509-30E34EBD26D3}: DhcpNameServer = 192.168.1.1 62.179.1.62 62.179.1.63
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/10 23:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

========== Files/Folders - Created Within 30 Days ==========

[2013/08/04 16:10:52 | 000,103,680 | ---- | C] (GMER) -- C:\fxrdqpow.sys
[2013/07/29 11:40:00 | 000,000,000 | ---D | C] -- C:\Users\Na'athim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Pawsoft
[2013/07/29 11:40:00 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Pawsoft
[2013/07/29 11:39:59 | 000,000,000 | ---D | C] -- C:\Program Files\Pawsoft
[2013/07/29 11:39:23 | 000,000,000 | ---D | C] -- C:\Program Files\AzTools
[2013/07/29 09:31:08 | 000,000,000 | ---D | C] -- C:\MGADiagToolOutput
[2013/07/29 09:30:29 | 000,000,000 | ---D | C] -- C:\ProgramData\Office Genuine Advantage
[2013/07/27 09:34:04 | 002,706,432 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\mshtml.tlb
[2013/07/27 09:33:59 | 002,877,440 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\jscript9.dll
[2013/07/27 09:33:57 | 000,061,440 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\iesetup.dll
[2013/07/27 09:33:57 | 000,039,424 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\jsproxy.dll
[2013/07/27 09:33:55 | 000,391,168 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\ieui.dll
[2013/07/27 09:33:52 | 000,493,056 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\msfeeds.dll
[2013/07/27 09:33:52 | 000,042,496 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\ie4uinit.exe
[2013/07/27 09:33:52 | 000,033,280 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\iernonce.dll
[2013/07/27 09:33:51 | 000,109,056 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\iesysprep.dll
[2013/07/27 09:33:51 | 000,071,680 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\RegisterIEPKEYs.exe
[2013/07/27 09:31:19 | 000,000,000 | -H-D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\AutorunsDisabled
[2013/07/18 17:23:56 | 000,000,000 | ---D | C] -- C:\Users\Na'athim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\vanBasco's Karaoke Player
[2013/07/18 17:23:53 | 000,000,000 | ---D | C] -- C:\Program Files\vanBasco's Karaoke Player
[2013/07/18 16:29:56 | 001,247,744 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\DWrite.dll
[2013/07/18 16:29:52 | 001,620,480 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\WMVDECOD.DLL
[2013/07/18 16:29:50 | 000,509,440 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\qedit.dll
[2013/07/18 16:29:47 | 002,347,520 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\win32k.sys
[2013/07/18 16:16:07 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\Na'athim\Desktop\OTL.exe

========== Files - Modified Within 30 Days ==========

[2013/08/04 17:45:04 | 000,001,040 | ---- | M] () -- C:\windows\tasks\GoogleUpdateTaskMachineUA.job
[2013/08/04 16:45:05 | 000,001,036 | ---- | M] () -- C:\windows\tasks\GoogleUpdateTaskMachineCore.job
[2013/08/04 16:35:15 | 000,089,088 | ---- | M] () -- C:\Users\Na'athim\Desktop\mbr.exe
[2013/08/04 16:10:52 | 000,103,680 | ---- | M] (GMER) -- C:\fxrdqpow.sys
[2013/08/04 16:09:14 | 000,377,856 | ---- | M] () -- C:\Users\Na'athim\Desktop\u1rbbmow.exe
[2013/08/04 14:22:14 | 000,016,752 | -H-- | M] () -- C:\windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2013/08/04 14:22:14 | 000,016,752 | -H-- | M] () -- C:\windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2013/08/04 14:20:05 | 000,067,584 | --S- | M] () -- C:\windows\bootstat.dat
[2013/08/03 10:02:09 | 1062,518,784 | -HS- | M] () -- C:\hiberfil.sys
[2013/08/02 14:38:49 | 000,015,828 | ---- | M] () -- C:\Users\Na'athim\Desktop\weekend_52397.gif
[2013/08/02 11:57:30 | 000,687,828 | ---- | M] () -- C:\windows\System32\perfh015.dat
[2013/08/02 11:57:30 | 000,607,190 | ---- | M] () -- C:\windows\System32\perfh009.dat
[2013/08/02 11:57:30 | 000,131,382 | ---- | M] () -- C:\windows\System32\perfc015.dat
[2013/08/02 11:57:30 | 000,103,568 | ---- | M] () -- C:\windows\System32\perfc009.dat
[2013/07/27 11:20:45 | 000,266,376 | ---- | M] () -- C:\windows\System32\FNTCACHE.DAT
[2013/07/18 16:16:40 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Na'athim\Desktop\OTL.exe

========== Files Created - No Company Name ==========

[2013/08/04 16:34:51 | 000,089,088 | ---- | C] () -- C:\Users\Na'athim\Desktop\mbr.exe
[2013/08/04 16:08:51 | 000,377,856 | ---- | C] () -- C:\Users\Na'athim\Desktop\u1rbbmow.exe
[2013/08/02 14:37:39 | 000,015,828 | ---- | C] () -- C:\Users\Na'athim\Desktop\weekend_52397.gif
[2012/10/03 10:48:45 | 001,167,360 | ---- | C] () -- C:\windows\System32\HPM1210SM.exe
[2012/10/03 10:48:43 | 000,167,936 | ---- | C] () -- C:\windows\System32\HPM1210LM.DLL
[2012/10/03 10:41:47 | 000,284,672 | ---- | C] () -- C:\windows\System32\mvhlewsi.DLL
[2012/10/03 10:39:10 | 000,167,936 | ---- | C] () -- C:\windows\System32\m1210wia.dll
[2012/10/03 10:39:05 | 000,176,128 | ---- | C] () -- C:\windows\System32\m1210nwia.dll
[2012/10/03 10:37:35 | 000,049,152 | ---- | C] () -- C:\windows\System32\HPM1210SMs.dll
[2012/09/25 18:50:00 | 000,000,000 | ---- | C] () -- C:\Users\Na'athim\AppData\Local\{96BA877B-4BD3-4F14-8EB3-E4369E6DA239}
[2012/08/28 10:04:34 | 000,081,920 | ---- | C] () -- C:\windows\System32\issacapi_bs-2.3.dll
[2012/08/28 10:04:34 | 000,065,536 | ---- | C] () -- C:\windows\System32\issacapi_pe-2.3.dll
[2012/08/28 10:04:34 | 000,057,344 | ---- | C] () -- C:\windows\System32\issacapi_se-2.3.dll
[2012/08/28 10:04:32 | 000,974,848 | ---- | C] () -- C:\windows\System32\cis-2.4.dll
[2011/07/06 18:57:37 | 000,131,368 | ---- | C] () -- C:\ProgramData\FullRemove.exe

========== ZeroAccess Check ==========

[2009/07/14 06:42:31 | 000,000,227 | RHS- | M] () -- C:\windows\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2013/02/27 06:55:05 | 012,872,704 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2010/11/20 14:19:02 | 000,606,208 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2009/07/14 03:16:17 | 000,342,528 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

========== LOP Check ==========

[2013/05/13 01:34:52 | 000,000,000 | ---D | M] -- C:\Users\Na'athim\AppData\Roaming\calibre
[2013/07/29 10:37:32 | 000,000,000 | ---D | M] -- C:\Users\Na'athim\AppData\Roaming\Dev-Cpp
[2013/08/04 14:20:02 | 000,000,000 | ---D | M] -- C:\Users\Na'athim\AppData\Roaming\Dropbox
[2013/07/27 10:24:30 | 000,000,000 | ---D | M] -- C:\Users\Na'athim\AppData\Roaming\Samsung
[2013/05/31 17:26:41 | 000,000,000 | ---D | M] -- C:\Users\Na'athim\AppData\Roaming\TeamViewer

========== Purity Check ==========



< End of report >

Extras.txt


OTL Extras logfile created on: 8/4/2013 6:10:26 PM - Run 5
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Na'athim\Desktop
Starter Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.10.9200.16635)
Locale: 00000409 | Country: Polska | Language: PLK | Date Format: yyyy-MM-dd

1013.30 Mb Total Physical Memory | 56.53 Mb Available Physical Memory | 5.58% Memory free
2.19 Gb Paging File | 0.40 Gb Available in Paging File | 18.21% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\windows | %ProgramFiles% = C:\Program Files
Drive C: | 62.00 Gb Total Space | 32.87 Gb Free Space | 53.01% Space Free | Partition Type: NTFS
Drive D: | 153.76 Gb Total Space | 150.43 Gb Free Space | 97.84% Space Free | Partition Type: NTFS

Computer Name: NAATHIM | User Name: Na'athim | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\windows\winhlp32.exe (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-2669151935-2958107513-993041615-1000\SOFTWARE\Classes\<extension>]
.html [@ = ChromeHTML] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- Reg Error: Key error.
htmlfile [print] -- "%systemroot%\system32\rundll32.exe" "%systemroot%\system32\mshtml.dll",PrintHTML "%1"
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0

========== Authorized Applications List ==========


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{0B0AA014-F293-42F4-A25E-AD3E2101B72C}" = lport=161 | protocol=6 | dir=in | name=advanced tcp/ip snmp port |
"{8BFFD20C-1CD9-4C0D-8C24-0C5255281E98}" = lport=427 | protocol=6 | dir=in | name=advanced tcp/ip slp port |
"{921C38D7-7CBC-435F-B853-8A37703DA1EF}" = lport=9100 | protocol=6 | dir=in | name=advanced tcp/ip printer port |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{03B7DC78-CD4C-468E-89B3-5F4690EB66C4}" = protocol=17 | dir=in | app=c:\users\na'athim\appdata\local\temp\7zs7c81\easyinst.exe |
"{21075678-FCB4-45D7-BBC3-ADAD00B1305D}" = protocol=6 | dir=in | app=c:\users\na'athim\appdata\local\temp\7zs7c81\easyinst.exe |
"{33AB8F53-EBEE-4B85-A8F7-0025BE43E748}" = protocol=6 | dir=in | app=c:\program files\samsung\samsung universal scan driver\usdagent.exe |
"{3BC2CE60-E098-4AB6-8307-2CF7EAEBED68}" = protocol=6 | dir=in | app=c:\program files\samsung\samsung universal scan driver\iccupdater.exe |
"{40BEDBA0-FFA0-494C-A95E-D4ABC0665DC6}" = protocol=17 | dir=in | app=c:\program files\samsung\samsung universal scan driver\usdagent.exe |
"{40EDF650-2260-483D-99D0-9DB3ADBD6075}" = protocol=17 | dir=in | app=c:\program files\samsung\samsung universal scan driver\iccupdater.exe |
"{45DB51CC-C1CB-4D69-BA49-B113C061A10C}" = protocol=6 | dir=in | app=c:\windows\system32\muzapp.exe |
"{60B5E17E-0DAD-45A6-87AB-FADCC91E0A78}" = protocol=6 | dir=in | app=c:\users\na'athim\appdata\roaming\dropbox\bin\dropbox.exe |
"{7A37EE2F-BB93-427F-AB1D-9CF271874C41}" = protocol=17 | dir=in | app=c:\users\na'athim\appdata\roaming\dropbox\bin\dropbox.exe |
"{861DB1FE-F546-4FBB-93C9-69E4376B4AEA}" = dir=in | app=c:\program files\skype\phone\skype.exe |
"{9435507A-7DB2-4DCA-82F4-E4191521B981}" = protocol=17 | dir=in | app=c:\windows\system32\muzapp.exe |
"{BAD23220-24DB-474B-A782-1E84F4C1D413}" = protocol=17 | dir=in | app=c:\windows\system32\supdsvc.exe |
"{BB518998-8696-48AF-8D14-98031BC29901}" = protocol=6 | dir=in | app=c:\windows\system32\supdsvc.exe |
"TCP Query User{B36563B0-974F-4ADF-845F-69DC3A79D006}C:\users\na'athim\appdata\roaming\dropbox\bin\dropbox.exe" = protocol=6 | dir=in | app=c:\users\na'athim\appdata\roaming\dropbox\bin\dropbox.exe |
"UDP Query User{264E87D4-3C34-4B86-836D-5E12E64741A6}C:\users\na'athim\appdata\roaming\dropbox\bin\dropbox.exe" = protocol=17 | dir=in | app=c:\users\na'athim\appdata\roaming\dropbox\bin\dropbox.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{01FB4998-33C4-4431-85ED-079E3EEFE75D}" = CyberLink YouCam
"{142D8CA7-2C6F-45A7-83E3-099AAFD99133}" = Samsung Update Plus
"{145DE957-0679-4A2A-BB5C-1D3E9808FAB2}" = Samsung Recovery Solution 5
"{16880765-677F-440B-B16A-BFD9B9C00012}" = EasyFileShare
"{17283B95-21A8-4996-97DA-547A48DB266F}" = Easy Display Manager
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{28006915-2739-4EBE-B5E8-49B25D32EB33}" = Atheros Client Installation Program
"{2998191E-A35E-47E2-BE38-7702C731D722}" = SRS Premium Sound Control Panel
"{2DDC70C1-C77A-4D08-89D2-9AB648504533}" = Easy Content Share
"{318DBE01-1E6B-4243-84B0-210391FE789A}" = Samsung AnyWeb Print
"{436E0B79-2CFB-4E5F-9380-E17C1B25D0C5}" = WIDCOMM Bluetooth Software
"{4E76FF7E-AEBA-4C87-B788-CD47E5425B9D}" = Skype™ 6.1
"{5D409C50-57A2-4EEF-846B-11B66E3E7B56}" = Samsung HSPA DataCard CD and SS 5.36.9704
"{607DA1C8-34EC-4D7A-AD83-F8E5C70736DF}" = EasyBatteryManager
"{6C016AC4-0282-4C82-B12F-3D5910DA7319}" = Samsung AnyWeb Print
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{77F45ECD-FAFC-45A8-8896-CFFB139DAAA3}" = Fast Start
"{7F6F62F0-7884-4CFB-B86C-597A4A6D9C4D}" = Movie Color Enhancer
"{8732818E-CA78-4ACB-B077-22311BF4C0E4}" = Easy Network Manager
"{8833FFB6-5B0C-4764-81AA-06DFEED9A476}" = Realtek Ethernet Controller Driver
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}" = Intel® Matrix Storage Manager
"{92BF2245-BE42-486E-A1CF-DBABCD4F0C43}" = Connection Manager
"{92D50865-FC60-4EA8-BA7A-5581B0D13EFB}" = ChargeableUSB
"{95140000-0070-0000-0000-0000000FF1CE}" = Microsoft Office 2010
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{A8DDD59F-1413-40BD-B61C-77A0BDB2B22B}" = Easy Resolution Manager
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1045-7B44-AA1000000001}" = Adobe Reader X (10.1.7) - Polish
"{BAE68339-B0F6-4D33-9554-5A3DB2DFF5DA}" = User Guide
"{D88C3E7C-1DA6-4AD7-97FC-75BC8705B266}" = runtime
"{D9A3B393-72E7-44FD-B4B4-A463A0C2CC0F}" = calibre
"{E8A34AC8-0137-4515-A94B-0A0946DDC251}" = Scan To
"{EF367AA4-070B-493C-9575-85BE59D789C9}" = Easy SpeedUp Manager
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F687E657-F636-44DF-8125-9FEEA2C362F5}" = Samsung Support Center
"{FA3AFC80-05A5-45A6-BD6E-92641BF93129}" = HP LaserJet Professional M1210 MFP Series Fax Installer
"{FFB768E4-E427-4553-BC36-A11F5E62A94D}" = Adobe Flash Player 10 ActiveX
"{FFD0E594-823B-4E2B-B680-720B3C852588}" = BatteryLifeExtender
"Blueline_is1" = Blueline 1.1.1
"Broadcom 802.11 Network Adapter" = Broadcom 802.11 Network Adapter
"Elantech" = ETDWare PS/2-X86 8.0.7.2_WHQL
"Fass" = Pawsoft Fass
"Google Chrome" = Google Chrome
"GPL Ghostscript 9.06" = GPL Ghostscript
"HDMI" = Intel® Graphics Media Accelerator Driver
"HP LaserJet Professional M1130-M1210 MFP Series" = HP LaserJet Professional M1130-M1210 MFP Series
"Immunet Protect" = Immunet Protect
"InstallShield_{01FB4998-33C4-4431-85ED-079E3EEFE75D}" = CyberLink YouCam
"InstallShield_{92BF2245-BE42-486E-A1CF-DBABCD4F0C43}" = Connection Manager
"Mozilla Firefox (3.6.4)" = Mozilla Firefox (3.6.4)
"R for Windows 2.15.2_is1" = R for Windows 2.15.2
"Samsung Universal Print Driver" = Samsung Universal Print Driver
"Samsung Universal Scan Driver" = Samsung Universal Scan Driver
"VMidi" = vanBasco's Karaoke Player

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-2669151935-2958107513-993041615-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Dropbox" = Dropbox

========== Last 20 Event Log Errors ==========

[ Application Events ]
Error - 3/13/2013 5:30:08 PM | Computer Name = Naathim | Source = SideBySide | ID = 16842785
Description = Nie można wygenerować kontekstu aktywacji dla "c:\program files\Samsung\chargeableusb\vista_xp_driver\x64\KStartMem.exe.Manifest".
Nie
można odnaleźć zestawu zależnego Microsoft.Windows.Common-Controls,language="&#x2a;",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0".
Użyj
narzędzia sxstrace.exe, aby uzyskać szczegółową diagnozę.

Error - 3/26/2013 5:05:07 AM | Computer Name = Naathim | Source = ESENT | ID = 215
Description = WinMail (4012) WindowsMail0: Tworzenie kopii zapasowej zostało zatrzymane,
ponieważ zostało przerwane przez klienta lub nie można nawiązać połączenia z klientem.

Error - 3/29/2013 3:17:18 AM | Computer Name = Naathim | Source = Application Error | ID = 1000
Description = Nazwa aplikacji powodującej błąd: googledrivesync.exe, wersja: 1.8.4357.4863,
sygnatura czasowa: 0x509418e4 Nazwa modułu powodującego błąd: pyexpat.pyd, wersja:
0.0.0.0, sygnatura czasowa: 0x511a6733 Kod wyjątku: 0xc0000005 Przesunięcie błędu:
0x00011140 Identyfikator procesu powodującego błąd: 0x1338 Godzina uruchomienia aplikacji
powodującej błąd: 0x01ce2a014e66524a Ścieżka aplikacji powodującej błąd: C:\Program
Files\Google\Drive\googledrivesync.exe Ścieżka modułu powodującego błąd: C:\Users\Na'athim\AppData\Local\Temp\_MEI34242\pyexpat.pyd
Identyfikator
raportu: aff63742-9840-11e2-8c51-b4749f8b0669

Error - 4/3/2013 12:32:22 PM | Computer Name = Naathim | Source = SideBySide | ID = 16842785
Description = Nie można wygenerować kontekstu aktywacji dla "C:\Program Files\2XL
Games\2XL Trophylite Rally\data\geo\UIElementID.exe". Nie można odnaleźć zestawu
zależnego Microsoft.VC90.DebugCRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.21022.8".
Użyj
narzędzia sxstrace.exe, aby uzyskać szczegółową diagnozę.

Error - 4/3/2013 12:34:15 PM | Computer Name = Naathim | Source = SideBySide | ID = 16842785
Description = Nie można wygenerować kontekstu aktywacji dla "C:\Program Files\Samsung\Samsung
Support Center\Drv\drv2x64\KStartMem.exe.Manifest". Nie można odnaleźć zestawu zależnego
Microsoft.Windows.Common-Controls,language="&#x2a;",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0".
Użyj
narzędzia sxstrace.exe, aby uzyskać szczegółową diagnozę.

Error - 4/3/2013 12:34:18 PM | Computer Name = Naathim | Source = SideBySide | ID = 16842785
Description = Nie można wygenerować kontekstu aktywacji dla "C:\Program Files\Samsung\EasyFileShare\Drv\SABI2x64\KStartMem.exe.Manifest".
Nie
można odnaleźć zestawu zależnego Microsoft.Windows.Common-Controls,language="&#x2a;",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0".
Użyj
narzędzia sxstrace.exe, aby uzyskać szczegółową diagnozę.

Error - 4/3/2013 12:36:20 PM | Computer Name = Naathim | Source = SideBySide | ID = 16842785
Description = Nie można wygenerować kontekstu aktywacji dla "C:\Program Files\Samsung\BatteryLifeExtender\Drv\SABI2x64\KStartMem.exe.Manifest".
Nie
można odnaleźć zestawu zależnego Microsoft.Windows.Common-Controls,language="&#x2a;",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0".
Użyj
narzędzia sxstrace.exe, aby uzyskać szczegółową diagnozę.

Error - 4/3/2013 12:44:08 PM | Computer Name = Naathim | Source = SideBySide | ID = 16842785
Description = Nie można wygenerować kontekstu aktywacji dla "c:\program files\Samsung\easy
display manager\RunGfxUI64.exe". Nie można odnaleźć zestawu zależnego Microsoft.Windows.Common-Controls,language="&#x2a;",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0".
Użyj
narzędzia sxstrace.exe, aby uzyskać szczegółową diagnozę.

Error - 4/3/2013 12:45:57 PM | Computer Name = Naathim | Source = SideBySide | ID = 16842785
Description = Nie można wygenerować kontekstu aktywacji dla "c:\program files\Samsung\chargeableusb\ChargeableUSB_64.exe".
Nie
można odnaleźć zestawu zależnego Microsoft.Windows.Common-Controls,language="&#x2a;",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0".
Użyj
narzędzia sxstrace.exe, aby uzyskać szczegółową diagnozę.

Error - 4/3/2013 12:45:59 PM | Computer Name = Naathim | Source = SideBySide | ID = 16842785
Description = Nie można wygenerować kontekstu aktywacji dla "c:\program files\Samsung\chargeableusb\vista_xp_driver\x64\KStartMem.exe.Manifest".
Nie
można odnaleźć zestawu zależnego Microsoft.Windows.Common-Controls,language="&#x2a;",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0".
Użyj
narzędzia sxstrace.exe, aby uzyskać szczegółową diagnozę.

[ System Events ]
Error - 5/23/2013 2:40:17 PM | Computer Name = Naathim | Source = Service Control Manager | ID = 7026
Description = Nie można załadować następujących sterowników startu rozruchowego
lub systemowego: cdrom

Error - 5/23/2013 4:05:32 PM | Computer Name = Naathim | Source = DCOM | ID = 10010
Description =

Error - 5/24/2013 1:43:24 AM | Computer Name = Naathim | Source = Service Control Manager | ID = 7026
Description = Nie można załadować następujących sterowników startu rozruchowego
lub systemowego: cdrom

Error - 5/27/2013 9:56:10 AM | Computer Name = Naathim | Source = Service Control Manager | ID = 7011
Description = Upłynął limit czasu (30000 ms) podczas oczekiwania na odpowiedź transakcji
z usługi ShellHWDetection.

Error - 5/31/2013 1:49:53 AM | Computer Name = Naathim | Source = Service Control Manager | ID = 7011
Description = Upłynął limit czasu (30000 ms) podczas oczekiwania na odpowiedź transakcji
z usługi ShellHWDetection.

Error - 5/31/2013 1:52:18 AM | Computer Name = Naathim | Source = DCOM | ID = 10010
Description =

Error - 5/31/2013 1:53:54 AM | Computer Name = Naathim | Source = Service Control Manager | ID = 7026
Description = Nie można załadować następujących sterowników startu rozruchowego
lub systemowego: cdrom

Error - 5/31/2013 9:16:29 AM | Computer Name = Naathim | Source = Service Control Manager | ID = 7011
Description = Upłynął limit czasu (30000 ms) podczas oczekiwania na odpowiedź transakcji
z usługi ShellHWDetection.

Error - 5/31/2013 9:44:55 AM | Computer Name = Naathim | Source = NetBT | ID = 4307
Description = Zainicjowanie nie powiodło się, ponieważ transport odmówił otwarcia
adresów początkowych.

Error - 6/4/2013 1:52:00 AM | Computer Name = Naathim | Source = Service Control Manager | ID = 7011
Description = Upłynął limit czasu (30000 ms) podczas oczekiwania na odpowiedź transakcji
z usługi ShellHWDetection.


< End of report >
  • 0

#2
RKinner

    Malware Expert

  • Expert
  • 24,624 posts
  • MVP
Probably OK then. Don't see anything obvious.


Download aswMBR.exe to your desktop.
Right click aswMBR.exe and Run as Administrator
uncheck trace disk IO calls
Click the "Scan" button to start scan (Accept the Avast Engine)
then just click save log, save it to your desktop and post in your next reply

aswMBR will also put a file on your desktop which is a copy of your MBR. You can submit that file to virustotal.com and they will tell you if there is anything to worry about.
  • 0

#3
Naathim

    GeekU Minion

  • Topic Starter
  • Expert
  • 4,568 posts
Hi Ron :)

Thanks for your answer. Here is the aswMBR log, which also confirms bad MBR code.

aswMBR version 0.9.9.1771 Copyright© 2011 AVAST Software
Run date: 2013-08-05 07:59:00
-----------------------------
07:59:00.881 OS Version: Windows 6.1.7601 Service Pack 1
07:59:00.881 Number of processors: 2 586 0x1C0A
07:59:01.022 ComputerName: NAATHIM UserName:
07:59:07.589 Initialize success
08:01:40.732 AVAST engine defs: 13080401
08:01:52.167 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
08:01:52.167 Disk 0 Vendor: Hitachi_ ESBO Size: 238475MB BusType: 3
08:01:53.071 Disk 0 MBR read successfully
08:01:53.087 Disk 0 MBR scan
08:01:53.337 Disk 0 unknown MBR code
08:01:53.461 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
08:01:53.773 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 63488 MB offset 206848
08:01:53.820 Disk 0 Partition - 00 0F Extended LBA 157447 MB offset 130230272
08:01:53.851 Disk 0 Partition 3 00 27 Hidden NTFS WinRE NTFS 17437 MB offset 452681728
08:01:54.163 Disk 0 Partition 4 00 07 HPFS/NTFS NTFS 157446 MB offset 130232320
08:01:54.257 Disk 0 scanning sectors +488392704
08:01:55.318 Disk 0 scanning C:\windows\system32\drivers
08:05:01.364 Service scanning
08:07:51.467 Modules scanning
08:11:49.164 AVAST engine scan C:\windows
08:12:53.530 AVAST engine scan C:\windows\system32
08:31:24.392 AVAST engine scan C:\windows\system32\drivers
08:33:18.350 AVAST engine scan C:\Users\Na'athim
08:36:23.679 File: C:\Users\Na'athim\AppData\Local\Temp\ab24aa87afee2f4da080db94881b3941\preinstaller.exe **INFECTED** Win32:Adware-gen [Adw]
09:04:08.623 File: C:\Users\Na'athim\AppData\Local\Temp\av4FC7.tmp **HIDDEN**
09:04:09.138 File: C:\Users\Na'athim\AppData\Local\Temp\av4FCA.tmp **HIDDEN**
09:04:09.637 File: C:\Users\Na'athim\AppData\Local\Temp\av4FD7.tmp **HIDDEN**
09:04:10.042 File: C:\Users\Na'athim\AppData\Local\Temp\av4FD8.tmp **HIDDEN**
09:04:10.526 File: C:\Users\Na'athim\AppData\Local\Temp\av4FDE.tmp **HIDDEN**
09:04:11.056 File: C:\Users\Na'athim\AppData\Local\Temp\av4FE2.tmp **HIDDEN**
09:04:11.493 File: C:\Users\Na'athim\AppData\Local\Temp\av4FE6.tmp **HIDDEN**
09:04:12.070 AVAST engine scan C:\ProgramData
09:05:14.767 Scan finished successfully
09:13:33.593 Disk 0 MBR has been saved successfully to "C:\Users\Na'athim\Desktop\MBR.dat"
09:13:33.609 The log file has been saved successfully to "C:\Users\Na'athim\Desktop\aswMBR.txt"

Any other advice?
  • 0

#4
RKinner

    Malware Expert

  • Expert
  • 24,624 posts
  • MVP
You can submit C:\Users\Na'athim\Desktop\MBR.dat to virustotal and see what they say. You can also run MBRCheck.

Download

http://ad13.geekstogo.com/MBRCheck.exe

Save it and run it. It will produce a log MBRCheck(date).txt on your desktop. Copy and paste it into a reply.

I'm more concerned with the other stuff that aswMBR flagged:

08:36:23.679 File: C:\Users\Na'athim\AppData\Local\Temp\ab24aa87afee2f4da080db94881b3941\preinstaller.exe **INFECTED** Win32:Adware-gen [Adw]
09:04:08.623 File: C:\Users\Na'athim\AppData\Local\Temp\av4FC7.tmp **HIDDEN**
09:04:09.138 File: C:\Users\Na'athim\AppData\Local\Temp\av4FCA.tmp **HIDDEN**
09:04:09.637 File: C:\Users\Na'athim\AppData\Local\Temp\av4FD7.tmp **HIDDEN**
09:04:10.042 File: C:\Users\Na'athim\AppData\Local\Temp\av4FD8.tmp **HIDDEN**
09:04:10.526 File: C:\Users\Na'athim\AppData\Local\Temp\av4FDE.tmp **HIDDEN**
09:04:11.056 File: C:\Users\Na'athim\AppData\Local\Temp\av4FE2.tmp **HIDDEN**
09:04:11.493 File: C:\Users\Na'athim\AppData\Local\Temp\av4FE6.tmp **HIDDEN**

These are all TEMP files so if you clean your Temp files they should go away.

We can let OTL do it if you want:

Copy the text in the code box by highlighting and Ctrl + c


:Commands
[EMPTYTEMP]
[purity]
[Reboot]


Then right-click on OTL and select Run As Administrator to start. Under the Custom Scans/Fixes box at the bottom, paste (Ctrl + V) the text. Verify that you got it all and then click the RUN FIX button (NOT THE QUICK SCAN button!) at the top.
Let the program run unhindered, OTL will reboot the PC when it is done. Save the log and copy and paste it into a reply.
It appears that Old Timer is now hiding the log in c:\_OTL\MovedFiles\08052013-some number.log so look there if you don't see it.

You might want to run aswMBR again but this time change the AV-Scan from Quickscan to C:\. This will run a full scan of the C:\ drive and will take a while to finish.
  • 0

#5
Naathim

    GeekU Minion

  • Topic Starter
  • Expert
  • 4,568 posts
Ron,

MBRCheck below. Also doesn't look good.
I'll clean temporary files with TFC in a couple of minutes. Should I proceed with C:\ scan in aswMBR next?

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows 7 Starter Edition
Windows Information: Service Pack 1 (build 7601), 32-bit
Base Board Manufacturer: SAMSUNG ELECTRONICS CO., LTD.
BIOS Manufacturer: Phoenix Technologies Ltd.
System Manufacturer: SAMSUNG ELECTRONICS CO., LTD.
System Product Name: NC210/NC110
Logical Drives Mask: 0x0000000c

Kernel Drivers (total 188):
0x81E37000 \SystemRoot\system32\ntkrnlpa.exe
0x81E00000 \SystemRoot\system32\halmacpi.dll
0x81BDA000 \SystemRoot\system32\kdcom.dll
0x8643A000 \SystemRoot\system32\mcupdate_GenuineIntel.dll
0x864BF000 \SystemRoot\system32\PSHED.dll
0x864D0000 \SystemRoot\system32\BOOTVID.dll
0x864D8000 \SystemRoot\system32\CLFS.SYS
0x8651A000 \SystemRoot\system32\CI.dll
0x8662A000 \SystemRoot\system32\drivers\Wdf01000.sys
0x8669B000 \SystemRoot\system32\drivers\WDFLDR.SYS
0x866A9000 \SystemRoot\system32\drivers\ACPI.sys
0x866F1000 \SystemRoot\system32\drivers\WMILIB.SYS
0x866FA000 \SystemRoot\system32\drivers\msisadrv.sys
0x86702000 \SystemRoot\system32\drivers\pci.sys
0x8672C000 \SystemRoot\system32\drivers\vdrvroot.sys
0x86737000 \SystemRoot\System32\drivers\partmgr.sys
0x86748000 \SystemRoot\system32\DRIVERS\compbatt.sys
0x86750000 \SystemRoot\system32\DRIVERS\BATTC.SYS
0x8675B000 \SystemRoot\system32\drivers\volmgr.sys
0x8676B000 \SystemRoot\System32\drivers\volmgrx.sys
0x867B6000 \SystemRoot\System32\drivers\mountmgr.sys
0x86805000 \SystemRoot\system32\DRIVERS\iaStor.sys
0x868DF000 \SystemRoot\system32\drivers\atapi.sys
0x868E8000 \SystemRoot\system32\drivers\ataport.SYS
0x8690B000 \SystemRoot\system32\drivers\msahci.sys
0x86915000 \SystemRoot\system32\drivers\PCIIDEX.SYS
0x86923000 \SystemRoot\system32\drivers\amdxata.sys
0x8692C000 \SystemRoot\system32\drivers\fltmgr.sys
0x86960000 \SystemRoot\system32\drivers\fileinfo.sys
0x86A06000 \SystemRoot\System32\Drivers\Ntfs.sys
0x86B35000 \SystemRoot\System32\Drivers\msrpc.sys
0x86B60000 \SystemRoot\System32\Drivers\ksecdd.sys
0x86B73000 \SystemRoot\System32\Drivers\cng.sys
0x86BD0000 \SystemRoot\System32\drivers\pcw.sys
0x86BDE000 \SystemRoot\System32\Drivers\Fs_Rec.sys
0x86C29000 \SystemRoot\system32\drivers\ndis.sys
0x86CE0000 \SystemRoot\system32\drivers\NETIO.SYS
0x86D1E000 \SystemRoot\System32\Drivers\ksecpkg.sys
0x86E34000 \SystemRoot\System32\drivers\tcpip.sys
0x86F80000 \SystemRoot\System32\drivers\fwpkclnt.sys
0x86FB1000 \SystemRoot\system32\drivers\volsnap.sys
0x86FF0000 \SystemRoot\System32\Drivers\spldr.sys
0x86E00000 \SystemRoot\System32\drivers\rdyboost.sys
0x86D43000 \SystemRoot\System32\Drivers\mup.sys
0x86FF8000 \SystemRoot\System32\drivers\hwpolicy.sys
0x86D53000 \SystemRoot\System32\DRIVERS\fvevol.sys
0x86D85000 \SystemRoot\system32\DRIVERS\disk.sys
0x86D96000 \SystemRoot\system32\DRIVERS\CLASSPNP.SYS
0x8A139000 \SystemRoot\system32\DRIVERS\ImmunetProtect.sys
0x8A142000 \SystemRoot\system32\DRIVERS\ImmunetSelfProtect.sys
0x8A148000 \SystemRoot\System32\Drivers\Null.SYS
0x8A14F000 \SystemRoot\System32\Drivers\Beep.SYS
0x8A156000 \SystemRoot\System32\drivers\vga.sys
0x8A162000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
0x8A183000 \SystemRoot\System32\drivers\watchdog.sys
0x8A190000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0x8A198000 \SystemRoot\system32\drivers\rdpencdd.sys
0x8A1A0000 \SystemRoot\system32\drivers\rdprefmp.sys
0x8A1A8000 \SystemRoot\System32\Drivers\Msfs.SYS
0x8A1B3000 \SystemRoot\System32\Drivers\Npfs.SYS
0x8A1C1000 \SystemRoot\system32\DRIVERS\tdx.sys
0x8A1D8000 \SystemRoot\system32\DRIVERS\TDI.SYS
0x86971000 \SystemRoot\system32\drivers\afd.sys
0x86DC8000 \SystemRoot\System32\DRIVERS\netbt.sys
0x8A1E4000 \SystemRoot\system32\DRIVERS\wfplwf.sys
0x8A000000 \SystemRoot\system32\DRIVERS\pacer.sys
0x8A11A000 \SystemRoot\system32\DRIVERS\vwififlt.sys
0x8A12B000 \SystemRoot\system32\DRIVERS\netbios.sys
0x8A1EB000 \SystemRoot\system32\DRIVERS\wanarp.sys
0x86C00000 \SystemRoot\system32\drivers\termdd.sys
0x8A01F000 \??\C:\windows\system32\Drivers\SABI.sys
0x8A810000 \SystemRoot\system32\DRIVERS\rdbss.sys
0x8A851000 \SystemRoot\system32\drivers\nsiproxy.sys
0x8A85B000 \SystemRoot\system32\drivers\mssmbios.sys
0x8A865000 \SystemRoot\System32\drivers\discache.sys
0x8A871000 \SystemRoot\System32\Drivers\dfsc.sys
0x8A889000 \SystemRoot\system32\DRIVERS\blbdrive.sys
0x8A897000 \SystemRoot\system32\DRIVERS\tunnel.sys
0x8A8B8000 \SystemRoot\system32\DRIVERS\intelppm.sys
0x8B620000 \SystemRoot\system32\DRIVERS\igdkmd32.sys
0x8BB28000 \SystemRoot\System32\drivers\dxgkrnl.sys
0x8A8CA000 \SystemRoot\System32\drivers\dxgmms1.sys
0x8BBDF000 \SystemRoot\system32\drivers\HDAudBus.sys
0x8BC35000 \SystemRoot\system32\DRIVERS\bcmwl6.sys
0x8BED0000 \SystemRoot\system32\DRIVERS\vwifibus.sys
0x8BEDA000 \SystemRoot\system32\DRIVERS\Rt86win7.sys
0x8BF2B000 \SystemRoot\system32\drivers\usbuhci.sys
0x8BF36000 \SystemRoot\system32\drivers\USBPORT.SYS
0x8BF81000 \SystemRoot\system32\drivers\usbehci.sys
0x8BF90000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0x8BF94000 \SystemRoot\system32\drivers\i8042prt.sys
0x8BFAC000 \SystemRoot\system32\drivers\kbdclass.sys
0x8BFB9000 \SystemRoot\system32\DRIVERS\ETD.sys
0x8BFD7000 \SystemRoot\system32\drivers\mouclass.sys
0x8BFE4000 \SystemRoot\system32\drivers\CompositeBus.sys
0x8BFF1000 \SystemRoot\system32\DRIVERS\serscan.sys
0x8BFF9000 \SystemRoot\system32\DRIVERS\clwvd.sys
0x8BC00000 \SystemRoot\system32\DRIVERS\ks.sys
0x8B600000 \SystemRoot\system32\DRIVERS\AgileVpn.sys
0x8A903000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0x8B612000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0x8A91B000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0x8A93D000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0x8A955000 \SystemRoot\system32\DRIVERS\raspptp.sys
0x8A96C000 \SystemRoot\system32\DRIVERS\rassstp.sys
0x8B61D000 \SystemRoot\system32\drivers\swenum.sys
0x8A983000 \SystemRoot\system32\drivers\umbus.sys
0x8A991000 \SystemRoot\system32\DRIVERS\samsung_hspa_datacard_dc_enum.sys
0x8A99E000 \SystemRoot\system32\drivers\usbhub.sys
0x8A9E2000 \SystemRoot\System32\Drivers\NDProxy.SYS
0x8CE10000 \SystemRoot\system32\drivers\RTKVHDA.sys
0x8D139000 \SystemRoot\system32\drivers\portcls.sys
0x8D168000 \SystemRoot\system32\drivers\drmk.sys
0x8D181000 \SystemRoot\System32\Drivers\crashdmp.sys
0x8A027000 \SystemRoot\System32\Drivers\dump_iaStor.sys
0x8D18E000 \SystemRoot\System32\Drivers\dump_dumpfve.sys
0x8DD10000 \SystemRoot\System32\win32k.sys
0x8D19F000 \SystemRoot\System32\drivers\Dxapi.sys
0x8EA22000 \SystemRoot\system32\DRIVERS\btwampfl.sys
0x8EC4E000 \SystemRoot\system32\DRIVERS\USBD.SYS
0x8EC50000 \SystemRoot\System32\Drivers\BTHUSB.sys
0x8EC62000 \SystemRoot\System32\Drivers\bthport.sys
0x8ECC6000 \SystemRoot\system32\DRIVERS\monitor.sys
0x8ECD1000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0x8ECE8000 \SystemRoot\system32\DRIVERS\rfcomm.sys
0x8ED0C000 \SystemRoot\system32\drivers\BthEnum.sys
0x8ED19000 \SystemRoot\system32\DRIVERS\bthpan.sys
0x8ED5C000 \SystemRoot\system32\DRIVERS\btwavdt.sys
0xA322E000 \SystemRoot\system32\drivers\btwaudio.sys
0xA32B2000 \SystemRoot\system32\DRIVERS\btwl2cap.sys
0xA32BE000 \SystemRoot\system32\DRIVERS\btwrchid.sys
0xA32C1000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xA32D4000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0x8DF80000 \SystemRoot\System32\TSDDD.dll
0xA32DB000 \SystemRoot\System32\Drivers\usbvideo.sys
0x8DFB0000 \SystemRoot\System32\cdd.dll
0xA32FF000 \SystemRoot\system32\drivers\luafv.sys
0xA331A000 \SystemRoot\system32\drivers\WudfPf.sys
0xA3334000 \SystemRoot\system32\DRIVERS\lltdio.sys
0xA3344000 \SystemRoot\system32\DRIVERS\nwifi.sys
0xA338A000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xA339A000 \SystemRoot\system32\DRIVERS\rspndr.sys
0xA5A35000 \SystemRoot\system32\drivers\HTTP.sys
0xA5ABA000 \SystemRoot\system32\DRIVERS\bowser.sys
0xA5AD3000 \SystemRoot\System32\drivers\mpsdrv.sys
0xA5AE5000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xA5B08000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
0xA5B43000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
0xA5B5E000 \SystemRoot\system32\drivers\peauth.sys
0xA5BF5000 \SystemRoot\System32\Drivers\secdrv.SYS
0xA5A00000 \SystemRoot\System32\DRIVERS\srvnet.sys
0xA5A21000 \SystemRoot\System32\drivers\tcpipreg.sys
0xA33AD000 \SystemRoot\System32\DRIVERS\srv2.sys
0x8D1A9000 \SystemRoot\System32\DRIVERS\srv.sys
0x83D90000 \SystemRoot\system32\drivers\hidusb.sys
0x83D9B000 \SystemRoot\system32\DRIVERS\mouhid.sys
0x83DA6000 \SystemRoot\system32\DRIVERS\samsung_hspa_datacard_cdc_acm.sys
0x83DB1000 \SystemRoot\system32\drivers\modem.sys
0x83DBE000 \SystemRoot\system32\DRIVERS\samsung_hspa_datacard_cdc_ecm.sys
0x83DCE000 \??\C:\Users\Na'athim\AppData\Local\Temp\fxrdqpow.sys
0x8DC00000 \SystemRoot\System32\ATMFD.DLL
0x83C1A000 \??\C:\Users\Na'athim\AppData\Local\Temp\mbr.sys
0x83D0C000 \??\C:\Users\Na'athim\AppData\Local\Temp\aswMBR.sys
0x77390000 \Windows\System32\ntdll.dll
0x47770000 \Windows\System32\smss.exe
0x775D0000 \Windows\System32\apisetschema.dll
0x007C0000 \Windows\System32\autochk.exe
0x775A0000 \Windows\System32\imm32.dll
0x774F0000 \Windows\System32\msvcrt.dll
0x76740000 \Windows\System32\shell32.dll
0x774E0000 \Windows\System32\nsi.dll
0x766C0000 \Windows\System32\comdlg32.dll
0x765F0000 \Windows\System32\msctf.dll
0x765D0000 \Windows\System32\sechost.dll
0x76540000 \Windows\System32\clbcatq.dll
0x76490000 \Windows\System32\rpcrt4.dll
0x76440000 \Windows\System32\gdi32.dll
0x763B0000 \Windows\System32\oleaut32.dll
0x76280000 \Windows\System32\urlmon.dll
0x76230000 \Windows\System32\Wldap32.dll
0x774D0000 \Windows\System32\psapi.dll
0x76160000 \Windows\System32\user32.dll
0x76120000 \Windows\System32\ws2_32.dll
0x760F0000 \Windows\System32\imagehlp.dll
0x75EF0000 \Windows\System32\iertutil.dll
0x75D90000 \Windows\System32\ole32.dll
0x75CF0000 \Windows\System32\advapi32.dll
0x75CE0000 \Windows\System32\lpk.dll

Processes (total 69):
0 System Idle Process
4 System
292 C:\Windows\System32\smss.exe
428 csrss.exe
484 csrss.exe
492 C:\Windows\System32\wininit.exe
544 C:\Windows\System32\services.exe
568 C:\Windows\System32\winlogon.exe
580 C:\Windows\System32\lsass.exe
604 C:\Windows\System32\lsm.exe
696 C:\Windows\System32\svchost.exe
772 C:\Windows\System32\svchost.exe
864 C:\Windows\System32\svchost.exe
920 C:\Windows\System32\svchost.exe
964 C:\Windows\System32\svchost.exe
988 C:\Windows\System32\svchost.exe
1232 C:\Windows\System32\svchost.exe
1340 C:\Windows\System32\svchost.exe
1416 C:\Windows\System32\wlanext.exe
1456 C:\Windows\System32\conhost.exe
1560 C:\Windows\System32\spoolsv.exe
1704 C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
1736 C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
1792 C:\Program Files\HP\HP LaserJet M1210 MFP Series\ReceiveFaxUtility.exe
1828 C:\Windows\System32\HPSIsvc.exe
1876 C:\Program Files\Immunet Protect\2.0.17\agent.exe
2004 C:\Windows\System32\svchost.exe
2160 C:\Windows\System32\svchost.exe
2300 C:\Windows\System32\taskhost.exe
2488 C:\Windows\System32\dwm.exe
2508 C:\Windows\explorer.exe
2680 C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
2704 C:\Program Files\Immunet Protect\2.0.17\iptray.exe
2824 C:\Users\Na'athim\AppData\Roaming\Dropbox\bin\Dropbox.exe
3040 C:\Windows\System32\SearchIndexer.exe
3160 C:\Windows\System32\taskeng.exe
3244 C:\Program Files\CyberLink\YouCam\YCMMirage.exe
3252 C:\Windows\System32\taskeng.exe
3260 C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel.exe
3364 C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe
3372 C:\Program Files\Samsung\Easy Display Manager\WifiManager.exe
3660 C:\Windows\System32\igfxext.exe
3688 C:\Windows\System32\igfxsrvc.exe
3732 WmiPrvSE.exe
3888 C:\Program Files\Samsung\EasySpeedUpManager\EasySpeedUpManager.exe
2124 C:\Windows\System32\svchost.exe
1668 C:\Windows\System32\svchost.exe
3004 C:\Program Files\Samsung\Samsung Recovery Solution 5\WCScheduler.exe
1212 C:\Program Files\Samsung\SamsungFastStart\SmartRestarter.exe
3532 C:\Program Files\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe
3612 C:\Windows\System32\wuauclt.exe
3156 C:\Program Files\Samsung\Samsung Support Center\SSCKbdHk.exe
1752 C:\Windows\System32\svchost.exe
3928 C:\Program Files\Windows Media Player\wmpnetwk.exe
1116 C:\Program Files\Samsung\Samsung Update Plus\SUPBackground.exe
5992 C:\Program Files\Elantech\ETDCtrl.exe
4004 C:\Program Files\Elantech\ETDCtrlHelper.exe
1196 C:\Windows\System32\igfxsrvc.exe
692 C:\Windows\System32\taskhost.exe
5112 C:\Program Files\Mozilla Firefox\firefox.exe
4928 C:\Windows\explorer.exe
5584 C:\Windows\System32\SearchProtocolHost.exe
3916 C:\Windows\System32\SearchFilterHost.exe
3676 C:\Windows\explorer.exe
4872 C:\Windows\System32\audiodg.exe
5496 dllhost.exe
5748 dllhost.exe
4344 C:\Users\Na'athim\Desktop\MBRCheck.exe
5720 C:\Windows\System32\conhost.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`06500000 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x0000000f`86600000 (NTFS)

PhysicalDrive0 Model Number: HitachiHTS543225A7A384, Rev: ESBOA60W

Size Device Name MBR Status
--------------------------------------------
232 GB \\.\PhysicalDrive0 Unknown MBR code
SHA1: F5C09ACABD4A5370BDD907E8EDFE0C1DA0F9D3F5


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:
Options:
[1] Dump the MBR of a physical disk to file.
[2] Restore the MBR of a physical disk with a standard boot code.
[3] Exit.

Enter your choice:

Done!
  • 0

#6
RKinner

    Malware Expert

  • Expert
  • 24,624 posts
  • MVP
Yes. Also submit the C:\Users\Na'athim\Desktop\MBR.dat file to virustotal. If you want to you can zip up the file and attach it and I will look at it. It's possible that the PC maker did a good job and changed the text in the mbr to Polish which most of our checks would not see as a standard mbr.
  • 0
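As an added example (not code from aswMBR, MBRCheck or MBRScan): a small Python parser for a 512-byte MBR dump like the MBR.dat that aswMBR saved in #4. It decodes the partition table (the sample MBR is constructed to mirror the sizes and offsets in the aswMBR log), lists the printable strings in the boot code (a vendor-localized message text, as Ron suggests in #6, would show up there), and hashes the boot-code region against a known-good list (a placeholder set here) to give a known/unknown verdict; the disk signature and the hash list are assumptions for the demo.

```python
"""Parse and sanity-check a 512-byte MBR dump such as aswMBR's MBR.dat.
Added example, not code from aswMBR, MBRCheck or MBRScan; the sample MBR,
its disk signature and the known-good hash set below are constructed."""
import hashlib
import re
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440      # bytes 0..439: boot code; 440..443 disk signature; 444..445 reserved
PART_TABLE_OFF = 446     # four 16-byte partition entries, then 55 AA at 510..511
BOOT_SIG = b"\x55\xaa"
# Only the partition types that appear in the thread's aswMBR output.
PART_TYPES = {0x07: "HPFS/NTFS", 0x0F: "Extended LBA", 0x27: "Hidden NTFS WinRE"}


def boot_code_sha1(data: bytes) -> str:
    """Hash only the boot code so the per-machine disk signature and partition
    table do not change the verdict (this example's choice; the thread does not
    say exactly which bytes aswMBR or MBRCheck hash)."""
    return hashlib.sha1(data[:BOOT_CODE_LEN]).hexdigest().upper()


def printable_strings(buf: bytes, min_len: int = 8) -> list:
    """Runs of printable ASCII, the quickest way to spot a localized message text."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, buf)]


def parse_partition_entry(entry: bytes) -> dict:
    """Decode one entry; the two 3-byte CHS fields are skipped (LBA is what matters)."""
    status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
    return {"bootable": status == 0x80, "type": ptype,
            "type_name": PART_TYPES.get(ptype, "unknown (0x%02X)" % ptype),
            "lba_start": lba_start, "sectors": sectors,
            "size_mb": sectors * SECTOR_SIZE // (1024 * 1024)}


def parse_mbr(data: bytes) -> dict:
    if len(data) != SECTOR_SIZE:
        raise ValueError("MBR dump must be exactly 512 bytes, got %d" % len(data))
    entries = [parse_partition_entry(data[o:o + 16])
               for o in range(PART_TABLE_OFF, PART_TABLE_OFF + 64, 16)]
    return {"valid_signature": data[510:512] == BOOT_SIG,
            "disk_signature": struct.unpack("<I", data[440:444])[0],
            "partitions": [e for e in entries if e["type"] != 0],  # type 0 = empty slot
            "boot_code_sha1": boot_code_sha1(data),
            "strings": printable_strings(data[:BOOT_CODE_LEN])}


def end_of_last_partition(info: dict) -> int:
    """First LBA past every MBR-level partition; logical partitions inside the
    extended container live in EBRs and are not in this table."""
    return max(p["lba_start"] + p["sectors"] for p in info["partitions"])


def classify(data: bytes, known_hashes: set) -> str:
    """Known/unknown verdict in the spirit of the tools used in the thread."""
    return "standard MBR code" if boot_code_sha1(data) in known_hashes else "unknown MBR code"


def make_entry(bootable: bool, ptype: int, lba_start: int, sectors: int) -> bytes:
    return struct.pack("<B3xB3xII", 0x80 if bootable else 0x00, ptype, lba_start, sectors)


def build_sample_mbr() -> bytes:
    """Constructed MBR: filler boot code opening with the 33 C0 8E D8 bytes seen in
    the thread's hex dump and carrying one message a stock English Windows MBR
    prints; the table copies sizes/offsets from the aswMBR log (MB -> sectors)."""
    boot = b"\x33\xc0\x8e\xd8" + b"\x00" * 100 + b"Invalid partition table\x00"
    boot = boot.ljust(BOOT_CODE_LEN, b"\x00")
    disk_sig = struct.pack("<I", 0x12345678)                  # constructed value
    table = (make_entry(True, 0x07, 2048, 204800)             # Partition 1: 100 MB, active
             + make_entry(False, 0x07, 206848, 130023424)     # Partition 2: 63488 MB
             + make_entry(False, 0x0F, 130230272, 322451456)  # Extended: 157447 MB
             + make_entry(False, 0x27, 452681728, 35710976))  # Partition 3: 17437 MB WinRE
    return boot + disk_sig + b"\x00\x00" + table + BOOT_SIG


if __name__ == "__main__":
    mbr = build_sample_mbr()
    info = parse_mbr(mbr)
    print("boot signature OK:", info["valid_signature"])
    for n, p in enumerate(info["partitions"], 1):
        print("Partition %d %s %02X %s %d MB offset %d" % (
            n, "80 (A)" if p["bootable"] else "00", p["type"],
            p["type_name"], p["size_mb"], p["lba_start"]))
    print("first sector past the table: +%d" % end_of_last_partition(info))
    print("boot code strings:", info["strings"])
    print("verdict:", classify(mbr, set()))       # empty known list -> unknown MBR code
```

Point `parse_mbr` at the 512 bytes of a real MBR.dat to get the same partition listing aswMBR printed; the end-of-table value for the sample comes out as +488392704, the sector count at which the thread's aswMBR log starts scanning.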

#7
Naathim

    GeekU Minion

  • Topic Starter
  • Expert
  • 4,568 posts
Hi Ron :)

Here you have results from virscan.org:

VirSCAN.org Scanned Report :
Scanned time : 2013/08/05 09:55:42 (CEST)
Scanner results: 5% skanerów(237) znalazło szkodliwe oprogramowanie!
File Name : MBR.dat
File Size : 512 byte
File Type : x86 boot sector; partition 1
MD5 : c9aef39ee26a3ac58b1fa731bc1896bc
SHA1 : 0d66393b8ec766939b4c4cacff32ce2d20ddce4f
Online report : http://r.virscan.org...759cc4435b3b457

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 5.1.0.4 00050000000000 0005-00-00 5.81 -
AhnLab V3 2013.04.23.00 2013.04.23 2013-04-23 3.04 -
AntiVir 8.2.10.202 7.11.50.58 2012-11-16 9.66 -
Antiy 2.0.18 2.0.18. 0002-18-00 0.39 -
Arcavir 2011 201306071432 2013-06-07 5.05 -
Authentium 5.1.1 201304181923 2013-04-18 0.97 -
AVAST! 4.7.4 130730-0 2013-07-30 0.38 -
AVG 10.0.1405 2109/5981 2013-07-10 0.43 -
BitDefender 7.90123.9342626 7.49076 2013-08-02 12.24 -
ClamAV 0.97.5 17484 2013-07-11 0.37 -
Comodo 5.1 16708 2013-08-05 2.87 -
CP Secure 1.3.0.5 2013.08.03 2013-08-03 0.41 -
Dr.Web 5.0.2.3300 2013.08.05 2013-08-05 37.79 -
F-Prot 4.6.2.117 20130727 2013-07-27 0.95 -
F-Secure 7.02.73807 2013.07.10.09 2013-07-10 2.96 -
Fortinet 4.3.392 16.549 2013-08-05 0.32 -
GData 22.11518 20130805 2013-08-05 8.92 -
ViRobot 20130510 2013.05.10 2013-05-10 0.49 -
Ikarus T3.1.32.15.0 2013.07.09.84599 2013-07-09 16.67 -
JiangMin 16.0.100 2013.02.09 2013-02-09 19.89 -
Kaspersky 5.5.10 2013.07.09 2013-07-09 0.00 -
KingSoft 2009.2.5.15 2013.8.5.9 2013-08-05 0.88 -
McAfee 5400.1158 7150 2013-07-28 23.05 -
Microsoft 1.9700 2013.08.05 2013-08-05 11.89 -
NOD32 3.0.21 8647 2013-08-04 0.42 -
Norman 6.8.3 201208311030 2012-08-31 0.00 -
Panda 9.05.01 2013.08.04 2013-08-04 2.68 -
Trend Micro 9.500-1005 9.674.06 2013-01-22 0.00 -
Quick Heal 11.00 2013.08.05 2013-08-05 1.56 -
Rising 20.0 24.73.06.04 2013-08-04 0.38 -
Sophos 3.45.0 4.91 2013-08-05 0.00 Scan_Timeout!
Sunbelt 3.9.2570.2 20162 2013-08-04 1.05 -
Symantec 1.3.0.24 20130701.001 2013-07-01 0.97 -
nProtect 20130805.01 14673686 2013-08-05 2.21 -
The Hacker 6.8.0.0 v00296 2013-08-04 0.91 -
VBA32 3.12.22.2 20130727.0518 2013-07-27 8.56 Unknown.BootVirus (suspicious)
VirusBuster 5.5.2.13 15.0.414.0/11360987 2013-04-18 0.67 -


And that's the fresh log from the full aswMBR scan:

aswMBR version 0.9.9.1771 Copyright© 2011 AVAST Software
Run date: 2013-08-05 07:59:00
-----------------------------
07:59:00.881 OS Version: Windows 6.1.7601 Service Pack 1
07:59:00.881 Number of processors: 2 586 0x1C0A
07:59:01.022 ComputerName: NAATHIM UserName:
07:59:07.589 Initialize success
08:01:40.732 AVAST engine defs: 13080401
08:01:52.167 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
08:01:52.167 Disk 0 Vendor: Hitachi_ ESBO Size: 238475MB BusType: 3
08:01:53.071 Disk 0 MBR read successfully
08:01:53.087 Disk 0 MBR scan
08:01:53.337 Disk 0 unknown MBR code
08:01:53.461 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
08:01:53.773 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 63488 MB offset 206848
08:01:53.820 Disk 0 Partition - 00 0F Extended LBA 157447 MB offset 130230272
08:01:53.851 Disk 0 Partition 3 00 27 Hidden NTFS WinRE NTFS 17437 MB offset 452681728
08:01:54.163 Disk 0 Partition 4 00 07 HPFS/NTFS NTFS 157446 MB offset 130232320
08:01:54.257 Disk 0 scanning sectors +488392704
08:01:55.318 Disk 0 scanning C:\windows\system32\drivers
08:05:01.364 Service scanning
08:07:51.467 Modules scanning
08:11:49.164 AVAST engine scan C:\windows
08:12:53.530 AVAST engine scan C:\windows\system32
08:31:24.392 AVAST engine scan C:\windows\system32\drivers
08:33:18.350 AVAST engine scan C:\Users\Na'athim
08:36:23.679 File: C:\Users\Na'athim\AppData\Local\Temp\ab24aa87afee2f4da080db94881b3941\preinstaller.exe **INFECTED** Win32:Adware-gen [Adw]
09:04:08.623 File: C:\Users\Na'athim\AppData\Local\Temp\av4FC7.tmp **HIDDEN**
09:04:09.138 File: C:\Users\Na'athim\AppData\Local\Temp\av4FCA.tmp **HIDDEN**
09:04:09.637 File: C:\Users\Na'athim\AppData\Local\Temp\av4FD7.tmp **HIDDEN**
09:04:10.042 File: C:\Users\Na'athim\AppData\Local\Temp\av4FD8.tmp **HIDDEN**
09:04:10.526 File: C:\Users\Na'athim\AppData\Local\Temp\av4FDE.tmp **HIDDEN**
09:04:11.056 File: C:\Users\Na'athim\AppData\Local\Temp\av4FE2.tmp **HIDDEN**
09:04:11.493 File: C:\Users\Na'athim\AppData\Local\Temp\av4FE6.tmp **HIDDEN**
09:04:12.070 AVAST engine scan C:\ProgramData
09:05:14.767 Scan finished successfully
09:13:33.593 Disk 0 MBR has been saved successfully to "C:\Users\Na'athim\Desktop\MBR.dat"
09:13:33.609 The log file has been saved successfully to "C:\Users\Na'athim\Desktop\aswMBR.txt"


aswMBR version 0.9.9.1771 Copyright© 2011 AVAST Software
Run date: 2013-08-05 10:05:35
-----------------------------
10:05:35.420 OS Version: Windows 6.1.7601 Service Pack 1
10:05:35.420 Number of processors: 2 586 0x1C0A
10:05:35.420 ComputerName: NAATHIM UserName:
10:05:36.720 Initialize success
10:07:40.723 AVAST engine defs: 13080401
10:07:50.923 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
10:07:50.943 Disk 0 Vendor: Hitachi_ ESBO Size: 238475MB BusType: 3
10:07:51.483 Disk 0 MBR read successfully
10:07:51.523 Disk 0 MBR scan
10:07:51.773 Disk 0 unknown MBR code
10:07:51.803 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
10:07:51.873 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 63488 MB offset 206848
10:07:51.893 Disk 0 Partition - 00 0F Extended LBA 157447 MB offset 130230272
10:07:52.043 Disk 0 Partition 3 00 27 Hidden NTFS WinRE NTFS 17437 MB offset 452681728
10:07:52.123 Disk 0 Partition 4 00 07 HPFS/NTFS NTFS 157446 MB offset 130232320
10:07:52.163 Disk 0 scanning sectors +488392704
10:07:53.253 Disk 0 scanning C:\windows\system32\drivers
10:10:37.856 Service scanning
10:12:53.564 Modules scanning
10:15:41.699 AVAST engine scan C:\
14:44:05.909 Scan finished successfully
18:17:32.471 Disk 0 MBR has been saved successfully to "C:\Users\Na'athim\Desktop\MBR.dat"
18:17:32.830 The log file has been saved successfully to "C:\Users\Na'athim\Desktop\aswMBR.txt"

And one more thing:
Report from MbrScan app:

MBRScan v1.1.1

OS             : Windows 7 Service Pack 1 (32 bit)
PROCESSOR      : x86 Family 6 Model 28 Stepping 10, GenuineIntel
BOOT           : Normal Boot
DATE           : 2013/08/05 (ISO 8601) at 18:28:07
________________________________________________________________________________

DISK           : Device\Harddisk0\DR0 __Hitachi HTS543225A7A (ESBO)
BUS_TYPE       : (0x03)  P-ATA
USE_PIO        : NO
MAX_TRANSFER   : 128 Kb
ALIGNMENT_MASK : word aligned
________________________________________________________________________________

Device\Harddisk0\DR0	232.9 Go  [Fixed] ==> Mebratix.B MBR Code

MBR_MD5   : C9AEF39EE26A3AC58B1FA731BC1896BC
MBR_SHA1  : 0D66393B8EC766939B4C4CACFF32CE2D20DDCE4F

Device\Harddisk0\Partition1	100.0 Mo  	0x07 NTFS / HPFS __ BOOTABLE __
Device\Harddisk0\Partition2	62.00 Go  	0x07 NTFS / HPFS
Device\Harddisk0\Partition3	17.03 Go  	0x27 RE Hidden partition 
Device\Harddisk0\Partition4	153.8 Go  	0x07 NTFS / HPFS
________________________________________________________________________________

############################### Additional scan ################################

DRIVER  : C:\windows\System32\Drivers\dump_iaStor.sys => Invisible on the disk
ADDRESS : 0x8A027000
SIZE    : 872.0 Ko

DRIVER  : C:\windows\System32\Drivers\dump_dumpfve.sys => Invisible on the disk
ADDRESS : 0x8D18E000
SIZE    : 68.0 Ko

DRIVER  : C:\Users\Na'athim\AppData\Local\Temp\fxrdqpow.sys => Invisible on the disk
ADDRESS : 0x83DCE000
SIZE    : 104.0 Ko

DRIVER  : C:\Users\Na'athim\AppData\Local\Temp\mbr.sys => Invisible on the disk
ADDRESS : 0x83C1A000
SIZE    : 28.0 Ko

DRIVER  : C:\Users\Na'athim\AppData\Local\Temp\aswMBR.sys => Invisible on the disk
ADDRESS : 0x83D0C000
SIZE    : 48.0 Ko

BCD EmsSettings {0CE4991B-E6B3-4B16-B23C-5E0D9250E5D9} => BcdLibraryBoolean_EmsEnabled (16000020)

SystemStartOptions :  NOEXECUTE=OPTIN

________________________________________________________________________________

_______MBR   \Device\Harddisk0\DR0  

0x00000000   33 C0 8E D8 8E C0 8E D0 BC 00 7C 8B F4 BF 00 06   3À.Ø.À.м.|.ô¿..
0x00000010   B9 00 01 FC F3 A5 EA 1B 00 60 00 0E 1F 06 E8 95   ¹..üó¥ê..`....è.
0x00000020   00 07 80 3E 97 01 01 74 75 80 3E 97 01 02 74 00   ...>...tu.>...t.
0x00000030   C6 06 94 01 00 E8 04 01 BE BE 01 B3 04 F6 04 80   Æ....è..¾¾.³.ö..
0x00000040   75 0F 83 C6 10 FE CB 75 F4 CD 18 BE 5D 01 E8 FC   u..Æ.þËuôÍ.¾].èü
0x00000050   00 BB 00 7C 06 53 50 55 8B EC C7 46 02 00 00 5D   .».|.SPU.ìÇF...]
0x00000060   50 55 8B EC C7 46 02 00 00 5D FF 74 0A FF 74 08   PU.ìÇF...].t..t.
0x00000070   06 53 50 55 8B EC C7 46 02 01 00 5D 50 55 8B EC   .SPU.ìÇF...]PU.ì
0x00000080   C7 46 02 10 00 5D 16 1F 8B F4 B4 42 CD 13 83 C4   ÇF...]...ô´BÍ..Ä
0x00000090   10 EB 00 CB C6 06 95 01 00 E8 A0 00 EB 00 BB 00   .ë.ËÆ....è..ë.».
0x000000A0   7C 06 53 B8 01 02 B5 00 B1 05 B6 00 B2 80 CD 13   |.S¸..µ.±.¶.².Í.
0x000000B0   C6 06 94 01 01 CB B8 00 F0 8E C0 33 C0 8B F0 BB   Æ....˸.ð.À3À.ð»
0x000000C0   FF FF 26 81 3C 53 77 74 08 83 C6 01 4B 75 F3 EB   ..&.<Swt..Æ.Kuóë
0x000000D0   1A 26 81 7C 02 53 6D 74 02 EB EE 26 81 7C 04 69   .&.|.Smt.ëî&.|.i
0x000000E0   40 74 02 EB E4 83 C6 06 E8 01 00 C3 1E 57 26 8B   @t.ëä.Æ.è..Ã.W&.
0x000000F0   14 26 8A 44 03 EE 26 8B 44 07 8E D8 26 8B 44 05   .&.D.î&.D..Ø&.D.
0x00000100   8B F8 C7 05 43 58 C7 45 02 5C 00 26 8A 44 02 EE   .øÇ.CXÇE.\.&.D.î
0x00000110   B1 02 8A 65 05 80 FC FF 74 13 80 FC 80 76 0E C7   ±..e..ü.t..ü.v.Ç
0x00000120   45 02 5D 00 80 EC 80 88 65 05 EE B1 01 26 8B 14   E.]..ì..e.î±.&..
0x00000130   26 8A 44 04 EE 5F 1F 88 0E 97 01 C3 BB 00 06 B8   &.D.î_.....û..¸
0x00000140   01 03 B5 00 B1 01 B6 00 B2 80 CD 13 C3 AC 3C 00   ..µ.±.¶.².Í.ì<.
0x00000150   74 0A B4 0E B7 00 B3 07 CD 10 EB F1 C3 4D 69 73   t.´.·.³.Í.ëñÃMis
0x00000160   73 69 6E 67 20 6F 70 65 72 61 74 69 6E 67 20 73   sing operating s
0x00000170   79 73 74 65 6D 00 00 00 00 00 00 00 00 00 00 00   ystem...........
0x00000180   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x00000190   46 44 53 54 00 00 3E 02 00 27 00 00 BC 0A 8D 7E   FDST..>..'..¼..~
0x000001A0   67 20 6F 70 65 72 61 74 69 6E 67 20 73 79 73 74   g operating syst
0x000001B0   65 6D 00 00 00 63 7B 9A 58 DE 68 81 00 00 80 20   em...c{.XÞh.... 
0x000001C0   21 00 07 DF 13 0C 00 08 00 00 00 20 03 00 00 DF   !..ß....... ...ß
0x000001D0   14 0C 07 FE FF FF 00 28 03 00 00 00 C0 07 00 FE   ...þ...(....À..þ
0x000001E0   FF FF 0F FE FF FF 00 28 C3 07 00 38 38 13 00 FE   ...þ...(Ã..88..þ
0x000001F0   FF FF 27 FE FF FF 00 60 FB 1A 00 E8 20 02 55 AA   ..'þ...`û..è .Uª


#8 Naathim (GeekU Minion, Topic Starter, Expert, 4,568 posts)
And here is attached my mbr, dumped by aswMBR. No password required.

Attached file: MBR.zip (537 bytes)

#9 RKinner (Malware Expert, Expert, MVP, 24,624 posts)
Your MbrScan seems to think you have

Mebratix.B MBR Code (I don't see it myself but I suppose it's possible. My info was that: Only Windows XP is affected btw, because it only contains the signatures for Windows XP startup files.)

There is a tool from BitDefender to remove it:

http://forum.bitdefe...showtopic=31476

But any time you mess with the MBR it's a good idea to have a CD or USB drive that you can boot from in case you can't boot afterward and a backup copy of the mbr so you can put it back if things go badly.

I like the free Hiren's boot CD: http://www.hirensbootcd.org/download/
This is a BIG zip file, so save it. Then right click on it and Extract all. Put a blank CD in the drive and then double click on BurnToCD.cmd. When it finishes you boot off it and run the MiniXP program. This will give you a fake XP desktop. Hiren's has lots of MBR programs. I like mbrfix. Instructions here:

http://www.sysint.no...ting/mbrfix.htm

#10 Naathim (GeekU Minion, Topic Starter, Expert, 4,568 posts)
It's a netbook, it doesn't have a CD tray. Can you provide instructions on how to make a bootable USB? I have another machine nearby to do the necessary operations, which shouldn't be done on the compromised one.

#11 RKinner (Malware Expert, Expert, MVP, 24,624 posts)
http://www.hiren.inf...tcd-on-usb-disk

#12 Naathim (GeekU Minion, Topic Starter, Expert, 4,568 posts)
Tried this BitDefender tool you mentioned earlier - no effect.
Picture after it's scanning is attached.
Bootkit.jpg

#13 RKinner (Malware Expert, Expert, MVP, 24,624 posts)
Probably a false positive then. Seems to me that if only one anti-virus company, and one I've never heard of, thinks something is bad, it probably isn't. But if you want to be sure, back up the MBR with MBRFix and (after testing that your boot USB works), try replacing it with a standard Win 7 MBR and see what happens.

#14 Naathim (GeekU Minion, Topic Starter, Expert, 4,568 posts)
Should I replace it with "fixboot" command?

#15 Naathim (GeekU Minion, Topic Starter, Expert, 4,568 posts)
Tried to rewrite MBR code using MBRcheck, but after it results are the same: MBRscan still says that it is Mebratix.B code.

Here is new MBRScan report:

MBRScan v1.1.1

OS             : Windows 7 Service Pack 1 (32 bit)
PROCESSOR      : x86 Family 6 Model 28 Stepping 10, GenuineIntel
BOOT           : Normal Boot
DATE           : 2013/08/06 (ISO 8601) at 14:12:51
________________________________________________________________________________

DISK           : Device\Harddisk0\DR0 __Hitachi HTS543225A7A (ESBO)
BUS_TYPE       : (0x03)  P-ATA
USE_PIO        : NO
MAX_TRANSFER   : 128 Kb
ALIGNMENT_MASK : word aligned
________________________________________________________________________________

Device\Harddisk0\DR0	232.9 Go  [Fixed] ==> Mebratix.B MBR Code

MBR_MD5   : C9AEF39EE26A3AC58B1FA731BC1896BC
MBR_SHA1  : 0D66393B8EC766939B4C4CACFF32CE2D20DDCE4F

Device\Harddisk0\Partition1	100.0 Mo  	0x07 NTFS / HPFS __ BOOTABLE __
Device\Harddisk0\Partition2	62.00 Go  	0x07 NTFS / HPFS
Device\Harddisk0\Partition3	17.03 Go  	0x27 RE Hidden partition 
Device\Harddisk0\Partition4	153.8 Go  	0x07 NTFS / HPFS
________________________________________________________________________________

############################### Additional scan ################################

DRIVER  : C:\windows\System32\Drivers\dump_iaStor.sys => Invisible on the disk
ADDRESS : 0x8F487000
SIZE    : 872.0 Ko

DRIVER  : C:\windows\System32\Drivers\dump_dumpfve.sys => Invisible on the disk
ADDRESS : 0x8E1B5000
SIZE    : 68.0 Ko

BCD EmsSettings {0CE4991B-E6B3-4B16-B23C-5E0D9250E5D9} => BcdLibraryBoolean_EmsEnabled (16000020)

SystemStartOptions :  NOEXECUTE=OPTIN

________________________________________________________________________________

_______MBR   \Device\Harddisk0\DR0  

0x00000000   33 C0 8E D8 8E C0 8E D0 BC 00 7C 8B F4 BF 00 06   3À.Ø.À.м.|.ô¿..
0x00000010   B9 00 01 FC F3 A5 EA 1B 00 60 00 0E 1F 06 E8 95   ¹..üó¥ê..`....è.
0x00000020   00 07 80 3E 97 01 01 74 75 80 3E 97 01 02 74 00   ...>...tu.>...t.
0x00000030   C6 06 94 01 00 E8 04 01 BE BE 01 B3 04 F6 04 80   Æ....è..¾¾.³.ö..
0x00000040   75 0F 83 C6 10 FE CB 75 F4 CD 18 BE 5D 01 E8 FC   u..Æ.þËuôÍ.¾].èü
0x00000050   00 BB 00 7C 06 53 50 55 8B EC C7 46 02 00 00 5D   .».|.SPU.ìÇF...]
0x00000060   50 55 8B EC C7 46 02 00 00 5D FF 74 0A FF 74 08   PU.ìÇF...].t..t.
0x00000070   06 53 50 55 8B EC C7 46 02 01 00 5D 50 55 8B EC   .SPU.ìÇF...]PU.ì
0x00000080   C7 46 02 10 00 5D 16 1F 8B F4 B4 42 CD 13 83 C4   ÇF...]...ô´BÍ..Ä
0x00000090   10 EB 00 CB C6 06 95 01 00 E8 A0 00 EB 00 BB 00   .ë.ËÆ....è..ë.».
0x000000A0   7C 06 53 B8 01 02 B5 00 B1 05 B6 00 B2 80 CD 13   |.S¸..µ.±.¶.².Í.
0x000000B0   C6 06 94 01 01 CB B8 00 F0 8E C0 33 C0 8B F0 BB   Æ....˸.ð.À3À.ð»
0x000000C0   FF FF 26 81 3C 53 77 74 08 83 C6 01 4B 75 F3 EB   ..&.<Swt..Æ.Kuóë
0x000000D0   1A 26 81 7C 02 53 6D 74 02 EB EE 26 81 7C 04 69   .&.|.Smt.ëî&.|.i
0x000000E0   40 74 02 EB E4 83 C6 06 E8 01 00 C3 1E 57 26 8B   @t.ëä.Æ.è..Ã.W&.
0x000000F0   14 26 8A 44 03 EE 26 8B 44 07 8E D8 26 8B 44 05   .&.D.î&.D..Ø&.D.
0x00000100   8B F8 C7 05 43 58 C7 45 02 5C 00 26 8A 44 02 EE   .øÇ.CXÇE.\.&.D.î
0x00000110   B1 02 8A 65 05 80 FC FF 74 13 80 FC 80 76 0E C7   ±..e..ü.t..ü.v.Ç
0x00000120   45 02 5D 00 80 EC 80 88 65 05 EE B1 01 26 8B 14   E.]..ì..e.î±.&..
0x00000130   26 8A 44 04 EE 5F 1F 88 0E 97 01 C3 BB 00 06 B8   &.D.î_.....û..¸
0x00000140   01 03 B5 00 B1 01 B6 00 B2 80 CD 13 C3 AC 3C 00   ..µ.±.¶.².Í.ì<.
0x00000150   74 0A B4 0E B7 00 B3 07 CD 10 EB F1 C3 4D 69 73   t.´.·.³.Í.ëñÃMis
0x00000160   73 69 6E 67 20 6F 70 65 72 61 74 69 6E 67 20 73   sing operating s
0x00000170   79 73 74 65 6D 00 00 00 00 00 00 00 00 00 00 00   ystem...........
0x00000180   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x00000190   46 44 53 54 00 00 3E 02 00 27 00 00 BC 0A 8D 7E   FDST..>..'..¼..~
0x000001A0   67 20 6F 70 65 72 61 74 69 6E 67 20 73 79 73 74   g operating syst
0x000001B0   65 6D 00 00 00 63 7B 9A 58 DE 68 81 00 00 80 20   em...c{.XÞh.... 
0x000001C0   21 00 07 DF 13 0C 00 08 00 00 00 20 03 00 00 DF   !..ß....... ...ß
0x000001D0   14 0C 07 FE FF FF 00 28 03 00 00 00 C0 07 00 FE   ...þ...(....À..þ
0x000001E0   FF FF 0F FE FF FF 00 28 C3 07 00 38 38 13 00 FE   ...þ...(Ã..88..þ
0x000001F0   FF FF 27 FE FF FF 00 60 FB 1A 00 E8 20 02 55 AA   ..'þ...`û..è .Uª

And attached you'll find zipped mbr after the fix. Any changes?
Attached file: MBRCheck_MBR_Backup_08-06-13_14-09-04.zip (605 bytes)

Are we taking any other steps, or should we leave it just like it is?
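As an added example (not code from any poster or tool in this thread), the following decodes the partition table from the tail of the MBRScan hex dump above and cross-checks it against the partition list aswMBR printed, which is the kind of consistency check worth doing before overwriting a sector that one scanner flags and others call clean. The 80 bytes at offsets 0x1B0-0x1FF are transcribed from the dump in this thread; the expected start sectors and sizes come from the aswMBR log (its "Partition 4" at 130232320 is a logical volume inside the extended container and so does not appear in the primary table).

```python
import struct

# Offsets 0x1B0-0x1FF of the MBR sector, transcribed from the MBRScan hex dump in this
# thread (the boot code before 0x1B0 is omitted; only the table and 0x55AA marker are used).
MBR_TAIL = bytes.fromhex(
    "65 6D 00 00 00 63 7B 9A 58 DE 68 81 00 00 80 20 "
    "21 00 07 DF 13 0C 00 08 00 00 00 20 03 00 00 DF "
    "14 0C 07 FE FF FF 00 28 03 00 00 00 C0 07 00 FE "
    "FF FF 0F FE FF FF 00 28 C3 07 00 38 38 13 00 FE "
    "FF FF 27 FE FF FF 00 60 FB 1A 00 E8 20 02 55 AA"
)

PARTITION_TYPES = {0x07: "NTFS/HPFS", 0x0F: "Extended (LBA)", 0x27: "Hidden NTFS (WinRE)"}
# Primary partitions as the aswMBR log reported them: (start sector, size in MB)
ASWMBR_EXPECTED = [(2048, 100), (206848, 63488), (130230272, 157447), (452681728, 17437)]


def disk_signature(tail):
    """32-bit NT disk signature stored at sector offset 0x1B8 (offset 8 of this tail)."""
    return struct.unpack_from("<I", tail, 8)[0]


def parse_partition_table(tail):
    """Decode the four 16-byte entries that sit just before the 0x55AA marker."""
    if tail[-2:] != b"\x55\xAA":
        raise ValueError("boot signature 0x55AA missing: sector is not a valid MBR")
    table = tail[-66:-2]
    entries = []
    for i in range(4):
        status, _chs0, ptype, _chs1, lba, count = struct.unpack_from("<B3sB3sII", table, i * 16)
        if ptype == 0:  # empty slot
            continue
        entries.append({"bootable": status == 0x80, "type": ptype,
                        "type_name": PARTITION_TYPES.get(ptype, "unknown"),
                        "lba_start": lba, "size_mb": count * 512 // (1024 * 1024)})
    return entries


def cross_check(entries, expected):
    """Return a list of mismatches between the decoded table and another tool's view."""
    problems = []
    if sum(e["bootable"] for e in entries) != 1:
        problems.append("expected exactly one active partition")
    decoded = [(e["lba_start"], e["size_mb"]) for e in entries]
    for got, want in zip(decoded, expected):
        if got != want:
            problems.append("entry %r differs from reported %r" % (got, want))
    if len(decoded) != len(expected):
        problems.append("entry count differs")
    return problems
```

Running `cross_check(parse_partition_table(MBR_TAIL), ASWMBR_EXPECTED)` on the dump above returns an empty list: the partition table, active flag and boot signature agree with aswMBR, so whatever MBRScan objects to lies in the boot code bytes before 0x1B0, which is exactly the region a comparison against a backed-up standard MBR would show.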