[ nikitaGradov @ 25.12.2013. 09:39 ] @
Dear forum members,
one (of my two) computers is under attack by a rootkit (the message in the title is reported by the ComboFix program).

Let me try to describe everything that happened.
For years I used only the free Avast as antivirus protection, kept it regularly updated, and that was all. I never had any problems.

About a month ago, I noticed that shutdown was taking longer than it should, and that was the reason I started scanning and looking for the cause.

To cut a long story short, using the programs TDSSKiller (Kaspersky), ComboFix and mbam-chameleon I managed (or at least I thought so) to 'clean' the computer: several trojans were found, and ComboFix reported 'rootkit activity' and listed the infected dll and sys files, which it also removed. There followed a period of about 10 days in which everything (on the computer) worked normally.

Now, to bother you a little more: one night, while I was away, my children used the computer, and the upshot was that the next day, for a start, it was impossible to open any image (I mean, say, jpg format) from programs like mspaint (and similar); you only get a message box saying: 'mspaint.exe Application error The application failed to initialize properly (0xc0000022). Click on OK to terminate the application'. I quickly established that I could not launch most applications. In fact, I cannot launch a single MS application. I can launch Mozilla Firefox, notepad, ... I note that there is no CPU load, no slowdown, the browser works normally ...
Further, I mentioned that I used the program TDSSKiller. The version I installed before that night, when my children used the computer, I can still run. But if I install a new version of the very same program, it cannot be launched (the message box I quoted above appears).

Current situation:
1. In Safe Mode everything works: all programs and all antivirus tools. It is therefore possible to run all antivirus tools; they report no threat, infection, virus, rootkit etc. Every tool duly produces a log file, which can be opened,
2. in Normal Mode a TDSSKiller scan reports no infection,
3. in Normal Mode ComboFix reports that VOLSNAP.SYS is infected, does a restart and, after the computer comes up, finishes its job without any message about a log or the like. The log file is 'visible' in Safe Mode and can be opened (it is a txt file), but in Normal Mode that file is not visible; that is, the system shows an icon with that name, but when I click on it nothing happens. I noticed that VOLSNAP.SYS loads in Safe Mode, but no tool finds any threat (in Safe Mode),
4. I repeat that TDSSKiller, installed before what I'll call the 'last attack', works, but if I, say, copy that very same program into the same folder again, I cannot run it,
5. I ran fixmbr twice from the installation disk, but, as the English would say, 'without success',
6. I searched the registry to at least remove the startup loading of the 'rootkit' and found nothing suspicious anywhere. I have also removed all startup items with the msconfig command,
7. I followed the logic of trying to find which process is tied to which dll, so as to find the 'suspicious' dll and remove it. I found the program procexp, but as I said, I cannot launch any application in Normal Mode. In Safe Mode it works, and I compared the procexp results on the two computers; in Safe Mode there are no differences. I tried, in Normal Mode, to rename procexp, but I still get the message that the application cannot be launched ...

Is there a cure for my problem? I know that, in the end, a format and reinstall await me, but I am trying to do everything I can.

In 4 and a half years of use the computer has not had a single problem like this (or similar).

And finally: does it have (or not) anything to do with the fact that the start of these problems coincided with a change of ISP (I switched from Orion to Ikom)? Although the other computer, from which I am sending this post, has no problems at all, and it was connected to Ikom cable internet on the same day as the 'infected' computer.

Grateful for any reply ...
[ mld @ 25.12.2013. 09:53 ] @
Have a look at:
https://community.norton.com/t...d-file-volsnap-sys/td-p/488746
[ nikitaGradov @ 25.12.2013. 18:38 ] @
Thanks for the reply.
I read the other link - Volsnap.sys must not be deleted, because Windows (XP in my case) cannot boot.

My problem is that in Normal Mode I cannot launch any exe, and therefore no antivirus or similar anti-rootkit tool. As I wrote, in Safe Mode everything works, but no antivirus or anti-rootkit tool reports any threat. Obviously the rootkit, during a normal Windows boot, loads through some process.
To that end, I am trying to find, if one exists, some tool or program with which I could monitor, so to speak, 'what happens while Windows boots', that is (am I thinking correctly?) to find through which process this rootkit loads and to find the dll containing the rootkit itself (again, am I thinking correctly?) ...
[ Aleksandar Maletic @ 25.12.2013. 21:35 ] @
Download a LiveCD, burn it and scan the complete system. Dr.Web is very effective at disinfecting infected files, give it a try.

Kaspersky Rescue Disk
Dr.Web LiveCD
[ mld @ 26.12.2013. 07:54 ] @
The latest version of free Avast can burn a Rescue Disk that is bootable and carries the freshest antivirus definitions, so that can help you examine the system at boot time.
[ nikitaGradov @ 30.12.2013. 13:21 ] @
I managed to run the anti-rootkit tool 'GMER' in Normal Mode.

GMER reports a rootkit in the processes svchost.exe and winlogon.exe. Also, in the log created when the program finishes, it reports dozens of dll and drv files with 'rootkit' written next to them.

Now, I don't know what is cause and what is effect (is the rootkit something 'packed' into a dll file, or does the rootkit live somewhere else and the dll and drv files are only a consequence)?

Since I have two computers, one clean and one 'infected' with the rootkit, I followed this logic: GMER reported, specifically for the processes svchost.exe and winlogon.exe, which dll files are rootkit. From the 'clean' computer I copied those dll files, in Safe Mode with Command Prompt (having first deleted the, let's call them, infected ones). When I restarted the computer, GMER still reported a rootkit in the svchost.exe process, but not in winlogon.exe. But after, say, 10-15 minutes, it again reported a rootkit in the winlogon process too. Running GMER again gives the same result in the log file: dozens of drv and dll files with 'rootkit' next to them.

I sent the log files to the GMER email address, but so far I have not received any reply.

How does a rootkit work - where is it physically located (I mean its code)?

I fixed the MBR (master boot record) twice. As I wrote, I deleted all the dll files on the infected computer, copied over 'clean' ones (as I said: I have two computers -> both were installed from the same installation CD) and the rootkit shows up again ...

If anyone has the knowledge and time to look at the GMER log, I can post them on the forum.
[ kristi1 @ 30.12.2013. 20:56 ] @
Which Windows do you have? I see it is XP; x86 or x64?
[ nikitaGradov @ 31.12.2013. 08:41 ] @
Windows XP SP3 x86 ...
[ kristi1 @ 31.12.2013. 08:59 ] @
Download FRST - (Farbar Recovery Scan Tool) and save it to the Desktop

Note: You need to download the version that is compatible with your system.

- Double-click to run FRST;
- When the tool starts, click Yes on the disclaimer.
- Click the Scan button;
- The tool will create a report (FRST.txt) in the same directory where FRST.exe is saved.
- Copy the contents of that log into a post.
- On first run the tool should also create an additional report (Addition.txt). Attach that report to the post using the "Attach file" option.
[ nikitaGradov @ 02.01.2014. 17:57 ] @
Quote:
kristi1: Download FRST - (Farbar Recovery Scan Tool) and save it to the Desktop

Note: You need to download the version that is compatible with your system.

- Double-click to run FRST;
- When the tool starts, click Yes on the disclaimer.
- Click the Scan button;
- The tool will create a report (FRST.txt) in the same directory where FRST.exe is saved.
- Copy the contents of that log into a post.
- On first run the tool should also create an additional report (Addition.txt). Attach that report to the post using the "Attach file" option.


Unfortunately (for me), I cannot run this program in Normal Mode (I downloaded the 32-bit version of the program).
I ran it in Safe Mode. If it means anything, here is what the contents of the log file (FRST.txt) look like:

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 31-12-2013
Ran by Milovan (administrator) on IVING1 on 31-12-2013 15:04:11
Running from C:\Documents and Settings\Milovan\Desktop
Microsoft Windows XP Professional Service Pack 3 (X86) OS Language: English(US)
Internet Explorer Version 6
Boot Mode: Safe Mode (with Networking)

==================== Processes (Whitelisted) ===================

(Intel Corporation) C:\WINDOWS\system32\igfxsrvc.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [Malware Defender] - C:\Program Files\Malware Defender\MalwareDefender.exe [2436952 2012-01-10] (360.cn)

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi...mp;pver={SUB_PVER}&ar=home
SearchScopes: HKLM - DefaultScope value is missing.
SearchScopes: HKCU - DefaultScope {afdbddaa-5d3f-42ee-b79c-185a7020515b} URL = http://search.conduit.com/Resu...rchSource=4&ctid=CT2560206
SearchScopes: HKCU - {afdbddaa-5d3f-42ee-b79c-185a7020515b} URL = http://search.conduit.com/Resu...rchSource=4&ctid=CT2560206
BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: Norton Identity Protection - {AB4C7833-A6EC-433f-B9FE-6B14B1A2F836} - C:\Program Files\Norton Identity Safe\Engine\2014.6.0.27\CoIEPlg.dll (Symantec Corporation)
BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKLM - Norton Identity Safe Toolbar - {A13C2648-91D4-4bf3-BC6D-0079707C4389} - C:\Program Files\Norton Identity Safe\Engine\2014.6.0.27\CoIEPlg.dll (Symantec Corporation)
Toolbar: HKCU - &Address - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
Toolbar: HKCU - &Links - {0E5CBF21-D15F-11D0-8301-00AA005B4383} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
DPF: {31435657-9980-0010-8000-00AA00389B71} http://download.microsoft.com/...-adab-ab9c403a978f/wvc1dmo.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://windowsupdate.microsoft...t/wuweb_site.cab?1368734887046
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/mi...t/muweb_site.cab?1383217740062
DPF: {73848533-39E1-49F1-9363-28054268C094} https://rol.raiffeisenbank.rs/RetailDLL/FSINT9.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.7...tall-1_7_0_17-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} http://java.sun.com/products/p.../jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.7...tall-1_7_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.7...tall-1_7_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com...ockwave/cabs/flash/swflash.cab
DPF: {F6FFAC18-CAD4-4054-9D49-D610286CE323} https://rol.raiffeisenbank.rs/RetailDLL/EBCSCC2a.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1

FireFox:
========
FF ProfilePath: C:\Documents and Settings\Milovan\Application Data\Mozilla\Firefox\Profiles\7fgsg3zr.default
FF DefaultSearchEngine: Search Results
FF SearchEngineOrder.1: Search Results
FF SelectedSearchEngine: Search Results
FF Homepage: hxxp://www.google.rs/
FF Keyword.URL: hxxp://dts.search-results.com/sr?src=ffb&appid=101&systemid=406&sr=0&q=
FF Plugin: @adobe.com/FlashPlayer - C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_9_900_170.dll ()
FF Plugin: @java.com/DTPlugin,version=10.45.2 - C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.45.2 - C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files\Microsoft Silverlight\5.1.20913.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 - C:\Program Files\Google\Update\1.3.22.3\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 - C:\Program Files\Google\Update\1.3.22.3\npGoogleUpdate3.dll (Google Inc.)
FF SearchPlugin: C:\Documents and Settings\Milovan\Application Data\Mozilla\Firefox\Profiles\7fgsg3zr.default\searchplugins\conduit.xml
FF SearchPlugin: C:\Documents and Settings\Milovan\Application Data\Mozilla\Firefox\Profiles\7fgsg3zr.default\searchplugins\Search_Results.xml
FF SearchPlugin: C:\Program Files\mozilla firefox\searchplugins\Search_Results.xml
FF SearchPlugin: C:\Program Files\mozilla firefox\browser\searchplugins\amazon-en-GB.xml
FF SearchPlugin: C:\Program Files\mozilla firefox\browser\searchplugins\eBay-en-GB.xml
FF SearchPlugin: C:\Program Files\mozilla firefox\browser\searchplugins\pogodakyu.xml
FF SearchPlugin: C:\Program Files\mozilla firefox\browser\searchplugins\vokabular.xml
FF Extension: LogMeIn, Inc. Remote Access Plugin - C:\Documents and Settings\Milovan\Application Data\Mozilla\Firefox\Profiles\7fgsg3zr.default\Extensions\[email protected]
FF Extension: Adblock Plus - C:\Documents and Settings\Milovan\Application Data\Mozilla\Firefox\Profiles\7fgsg3zr.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF Extension: Microsoft .NET Framework Assistant - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF HKLM\...\Firefox\Extensions: [{F04D2D30-776C-4d02-8627-8E4385ECA58D}] - C:\Documents and Settings\All Users\Application Data\Norton\{92622AAD-05E8-4459-B256-765CE1E929FB}\NST_2014.6.0.27\coFFPlgn\
FF Extension: Norton Identity Safe Toolbar - C:\Documents and Settings\All Users\Application Data\Norton\{92622AAD-05E8-4459-B256-765CE1E929FB}\NST_2014.6.0.27\coFFPlgn\

Chrome:
=======
CHR DefaultSearchURL: {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files\Google\Chrome\Application\8.0.552.237\pdf.dll No File
CHR Plugin: (Google Gears 0.5.33.0) - C:\Program Files\Google\Chrome\Application\8.0.552.237\gears.dll No File
CHR Plugin: (Shockwave Flash) - C:\Program Files\Google\Chrome\Application\8.0.552.237\gcswf32.dll No File
CHR Plugin: (Adobe Acrobat) - C:\Program Files\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll No File
CHR Plugin: (Java Deployment Toolkit 6.0.220.4) - C:\Program Files\Java\jre6\bin\new_plugin\npdeployJava1.dll No File
CHR Plugin: (Java(TM) Platform SE 6 U22) - C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll No File
CHR Plugin: (RealPlayer(tm) G2 LiveConnect-Enabled Plug-In (32-bit) ) - C:\Program Files\Mozilla Firefox\plugins\nppl3260.dll No File
CHR Plugin: (RealJukebox NS Plugin) - C:\Program Files\Mozilla Firefox\plugins\nprjplug.dll No File
CHR Plugin: (RealPlayer Version Plugin) - C:\Program Files\Mozilla Firefox\plugins\nprpjplug.dll No File
CHR Plugin: (Microsoft\u00AE DRM) - C:\Program Files\Windows Media Player\npdrmv2.dll (Microsoft Corporation)
CHR Plugin: (Windows Media Player Plug-in Dynamic Link Library) - C:\Program Files\Windows Media Player\npdsplay.dll (Microsoft Corporation (written by Digital Renaissance Inc.))
CHR Plugin: (Microsoft\u00AE DRM) - C:\Program Files\Windows Media Player\npwmsdrm.dll (Microsoft Corporation)
CHR Plugin: (RealPlayer(tm) HTML5VideoShim Plug-In (32-bit) ) - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll No File
CHR Plugin: (Google Earth Plugin) - C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll No File
CHR Plugin: (Google Updater) - C:\Program Files\Google\Google Updater\2.4.1691.8062\npCIDetect13.dll No File
CHR Plugin: (Google Update) - C:\Program Files\Google\Update\1.2.183.39\npGoogleOneClick8.dll No File
CHR Plugin: (Windows Presentation Foundation) - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
CHR Plugin: (Shockwave Flash) - C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll No File
CHR Plugin: (Default Plug-in) - default_plugin No File
CHR Extension: (RealPlayer HTML5Video Downloader Extension) - C:\Documents and Settings\Milovan\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\jfmjfhklogoienhpfnppmbcbjfjnkonk\1.1_0
CHR HKLM\...\Chrome\Extension: [nppllibpnmahfaklnpggkibhkapjkeob] - C:\Program Files\Norton Identity Safe\Engine\2014.6.0.27\Exts\Chrome.crx

========================== Services (Whitelisted) =================

S2 gupdate1ca227b4401f542; C:\Program Files\Google\Update\GoogleUpdate.exe [133104 2009-08-21] (Google Inc.)
S4 hasplms; C:\WINDOWS\system32\hasplms.exe [535807 2007-03-15] (Aladdin Knowledge Systems Ltd.)
S2 MalwareDefenderService; c:\program files\malware defender\mdservice.exe [90968 2012-01-10] (360.cn)
S2 MSSQL$SQLEXPRESS_2008; C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS_2008\MSSQL\Binn\sqlservr.exe [40999448 2008-07-10] (Microsoft Corporation)
S2 NCO; C:\Program Files\Norton Identity Safe\Engine\2014.6.0.27\diMaster.dll [567600 2013-10-03] (Symantec Corporation)
S4 OpcEnum; C:\WINDOWS\system32\opcenum.exe [135168 2007-04-17] (OPC Foundation)
S4 POSPerformanceCounters; C:\Program Files\Microsoft Point Of Service\Microsoft.PointOfService.Service.exe [42056 2008-02-29] (Microsoft Corporation)
S4 Printer Control; C:\WINDOWS\system32\PrintCtrl.exe [65536 2009-10-28] (ActMask Co.,Ltd - HTTP://WWW.ALL2PDF.COM)
S3 SophosVirusRemovalTool; C:\Documents and Settings\Milovan\My Documents\Downloads\Sophos Virus Removal Tool\SVRTservice.exe [151848 2013-10-15] (Sophos Limited)
S4 SQLAgent$SQLEXPRESS_2008; C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS_2008\MSSQL\Binn\SQLAGENT.EXE [369688 2008-07-10] (Microsoft Corporation)
S4 CCFLIC0; C:\Program Files\GE Fanuc\Proficy Common\M4 Common Licensing\CCFLIC0.exe [x]
S2 IISADMIN; C:\WINDOWS\system32\inetsrv\inetinfo.exe [x]
S2 JavaQuickStarterService; "C:\Program Files\Java\jre7\bin\jqs.exe" -service -config "C:\Program Files\Java\jre7\lib\deploy\jqs\jqs.conf"
S4 Proficy Driver Runtime; C:\Program Files\GE Fanuc\Proficy Machine Edition\fxView\Runtime\ProficyDrivers\Win32\GefPdfOpc.exe [x]
S2 SMTPSVC; C:\WINDOWS\system32\inetsrv\inetinfo.exe [x]
S2 W3SVC; %SystemRoot%\system32\inetsrv\inetinfo.exe [x]

==================== Drivers (Whitelisted) ====================

S2 aksfridge; C:\WINDOWS\system32\drivers\aksfridge.sys [351744 2007-03-12] (Aladdin Knowledge Systems Ltd.)
S3 btaudio; C:\Windows\System32\drivers\btaudio.sys [530861 2007-02-14] (Broadcom Corporation.)
S3 BTDriver; C:\Windows\System32\DRIVERS\btport.sys [30459 2007-02-14] (Broadcom Corporation.)
S3 BTKRNL; C:\Windows\System32\DRIVERS\btkrnl.sys [868298 2007-02-14] (Broadcom Corporation.)
S3 BTWDNDIS; C:\Windows\System32\DRIVERS\btwdndis.sys [149123 2007-02-14] (Broadcom Corporation.)
S3 BTWUSB; C:\Windows\System32\Drivers\btwusb.sys [67960 2007-02-14] (Broadcom Corporation.)
S3 CCDECODE; C:\Windows\System32\DRIVERS\CCDECODE.sys [17024 2008-04-13] (Microsoft Corporation)
S1 ccSet_NST; C:\Windows\system32\drivers\NST\7DE06000.01B\ccSetx86.sys [127064 2013-09-27] (Symantec Corporation)
S1 dlhpnmlg; c:\windows\system32\drivers\dlhpnmlg.sys [258392 2012-01-10] (360.cn)
S3 EIO; C:\WINDOWS\system32\drivers\EIO.sys [8703 2003-01-29] (ASUSTeK Computer Inc.)
R0 FixTDSS; C:\Windows\System32\drivers\FixTDSS.sys [26872 2014-12-25] (Symantec Corporation)
S3 FTDIBUS; C:\Windows\System32\drivers\ftdibus.sys [24209 2004-04-20] (FTDI Ltd.)
S2 Hardlock; C:\WINDOWS\system32\drivers\hardlock.sys [694272 2007-03-06] (Aladdin Knowledge Systems Ltd.)
S3 NdisIP; C:\Windows\System32\DRIVERS\NdisIP.sys [10880 2008-04-13] (Microsoft Corporation)
R3 NETw5x32; C:\Windows\System32\DRIVERS\NETw5x32.sys [3636864 2008-11-17] (Intel Corporation)
S3 qcusbser; C:\Windows\System32\DRIVERS\qcusbser.sys [103552 2010-06-17] (TCT International Mobile Ltd)
S4 RsFx0102; C:\Windows\System32\DRIVERS\RsFx0102.sys [242712 2008-07-10] (Microsoft Corporation)
S3 TMUSB; C:\Windows\System32\DRIVERS\TMUSBXP.SYS [46336 2007-10-19] (SEIKO EPSON Corp.)
S3 ajugfk; \??\C:\WINDOWS\system32\051.tmp [x]
S3 catchme; \??\C:\DOCUME~1\Milovan\LOCALS~1\Temp\catchme.sys [x]
S3 elyhlr; \??\C:\WINDOWS\system32\02D.tmp [x]
S3 esgiguard; \??\C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys [x]
S3 hxzbyrtx; \??\C:\WINDOWS\system32\0E.tmp [x]
S4 IntelIde; No ImagePath
S3 lbacps; \??\C:\WINDOWS\system32\01A.tmp [x]
S3 mbncm; \??\C:\WINDOWS\system32\0A.tmp [x]
S2 SSPORT; \??\C:\WINDOWS\system32\Drivers\SSPORT.sys [x]
S3 tlgvmb; \??\C:\WINDOWS\system32\054.tmp [x]
S3 uituqghb; \??\C:\WINDOWS\system32\0F.tmp [x]
S3 xlbvjtv; \??\C:\WINDOWS\system32\06.tmp [x]
S3 ykndj; \??\C:\WINDOWS\system32\09.tmp [x]

==================== NetSvcs (Whitelisted) ===================

NETSVC: cjibrsitz -> No Registry Path.
NETSVC: kefwcrr -> No Registry Path.
NETSVC: emxtcu -> No Registry Path.
NETSVC: uicwczrk -> No Registry Path.
NETSVC: kcbkkxo -> No Registry Path.
NETSVC: czoxyxyal -> No Registry Path.
NETSVC: vhjqgzyy -> No Registry Path.

==================== One Month Created Files and Folders ========

2014-12-25 12:06 - 2014-12-25 13:05 - 00026872 _____ (Symantec Corporation) C:\WINDOWS\system32\Drivers\FixTDSS.sys
2014-12-25 12:06 - 2014-12-25 12:06 - 00000000 ____D C:\Documents and Settings\Milovan\Application Data\FixTDSS
2014-12-25 11:55 - 2014-12-25 11:57 - 00000178 ___SH C:\Documents and Settings\NoviAdmin\ntuser.ini
2014-12-25 11:55 - 2014-12-25 11:55 - 00000695 _____ C:\Documents and Settings\NoviAdmin\Start Menu\Programs\Windows Media Player.lnk
2014-12-25 11:55 - 2014-12-25 11:55 - 00000649 _____ C:\Documents and Settings\NoviAdmin\Start Menu\Programs\Outlook Express.lnk
2014-12-25 11:55 - 2014-12-25 11:55 - 00000000 ____D C:\Documents and Settings\NoviAdmin
2014-12-25 11:55 - 2013-12-10 21:34 - 00001599 _____ C:\Documents and Settings\NoviAdmin\Start Menu\Programs\Remote Assistance.lnk
2014-12-25 11:55 - 2010-04-22 22:28 - 00000000 ____D C:\Documents and Settings\NoviAdmin\Application Data\Macromedia
2014-12-25 11:55 - 2009-08-01 03:49 - 00000000 ___RD C:\Documents and Settings\NoviAdmin\Start Menu\Programs\Accessories
2013-12-31 15:03 - 2013-12-31 15:03 - 01064333 _____ (Farbar) C:\Documents and Settings\Milovan\Desktop\FRST.exe
2013-12-31 14:59 - 2013-12-31 14:59 - 00019044 _____ C:\Documents and Settings\Milovan\Desktop\Addition.txt
2013-12-31 14:58 - 2013-12-31 15:04 - 00014315 _____ C:\Documents and Settings\Milovan\Desktop\FRST.txt
2013-12-31 14:58 - 2013-12-31 15:03 - 00000000 ____D C:\FRST
2013-12-26 20:57 - 2013-12-26 20:57 - 00395820 _____ C:\Documents and Settings\Milovan\Desktop\3rdpartyscan_26122013.txt
2013-12-26 20:17 - 2013-12-26 20:17 - 00183772 _____ C:\Documents and Settings\Milovan\Desktop\rootkitscan_26122013.txt
2013-12-26 18:45 - 2013-12-26 18:50 - 00000000 ___SD C:\ComboFix
2013-12-26 17:21 - 2013-12-26 17:21 - 02972548 _____ C:\Documents and Settings\Milovan\Desktop\26122013_3rd.txt
2013-12-26 14:42 - 2013-12-26 14:42 - 00146761 _____ C:\Documents and Settings\Milovan\Desktop\26122013_scan.txt
2013-12-26 12:03 - 2008-04-14 13:00 - 00014336 _____ (Microsoft Corporation) C:\WINDOWS\system32\svchost.exe
2013-12-26 10:38 - 2013-12-26 10:38 - 01658485 _____ C:\Documents and Settings\Milovan\Desktop\2612bbb.txt
2013-12-26 01:23 - 2012-01-10 04:21 - 00258392 ____N (360.cn) C:\WINDOWS\system32\Drivers\dlhpnmlg.sys
2013-12-26 01:02 - 2013-12-26 19:49 - 00000406 _____ C:\Documents and Settings\Milovan\Desktop\catchme.log
2013-12-26 01:02 - 2013-12-26 00:31 - 00147456 _____ C:\Documents and Settings\Milovan\Desktop\98887tf44.exe
2013-12-26 01:01 - 2013-12-26 19:42 - 00000294 _____ C:\Documents and Settings\Milovan\Desktop\mbr.log
2013-12-26 01:01 - 2013-12-26 00:17 - 00089088 _____ C:\Documents and Settings\Milovan\Desktop\0123rrrd.exe
2013-12-26 00:59 - 2013-12-26 00:59 - 00156959 _____ C:\Documents and Settings\Milovan\Desktop\2512AAA.txt
2013-12-26 00:02 - 2013-12-26 00:02 - 00000000 _____ C:\Documents and Settings\Milovan\Desktop\52fokxzl.reg
2013-12-25 23:45 - 2013-12-25 23:16 - 00377856 _____ C:\Documents and Settings\Milovan\Desktop\52fokxzl.exe
2013-12-25 23:15 - 2013-12-25 23:16 - 00040170 _____ C:\Documents and Settings\Milovan\My Documents\aswMBR.txt
2013-12-25 23:15 - 2013-12-25 23:16 - 00000512 _____ C:\Documents and Settings\Milovan\My Documents\MBR.dat
2013-12-25 19:49 - 2013-12-25 19:48 - 130469680 _____ C:\Documents and Settings\Milovan\Desktop\setup_11.0.1.1245.x01_2013_12_25_21_35.exe
2013-12-25 11:26 - 2013-12-25 11:26 - 00000000 ____D C:\Documents and Settings\Milovan\Start Menu\Programs\WinRAR
2013-12-25 11:26 - 2013-12-25 11:26 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\WinRAR
2013-12-25 09:01 - 2013-12-26 01:24 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Norton
2013-12-25 09:01 - 2013-12-25 09:02 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Norton Identity Safe
2013-12-25 09:01 - 2013-12-25 09:01 - 00000000 ____D C:\WINDOWS\system32\Drivers\NST
2013-12-25 09:01 - 2013-12-25 09:01 - 00000000 ____D C:\Program Files\Norton Identity Safe
2013-12-25 08:45 - 2013-12-18 23:27 - 02799296 _____ (Sysinternals - www.sysinternals.com) C:\Documents and Settings\Milovan\Desktop\notepad.exe
2013-12-18 23:38 - 2013-12-18 23:27 - 02799296 _____ (Sysinternals - www.sysinternals.com) C:\Documents and Settings\Milovan\Desktop\procexp.exe
2013-12-18 17:53 - 2013-12-26 18:48 - 00052352 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\VOLSNAP.SYS
2013-12-18 15:56 - 2013-12-18 17:04 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\SecTaskMan
2013-12-18 15:33 - 2013-12-18 15:33 - 00692616 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerApp.exe
2013-12-18 15:33 - 2013-12-18 15:33 - 00071048 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerCPLApp.cpl
2013-12-16 21:06 - 2013-12-16 21:06 - 00000825 _____ C:\Documents and Settings\Milovan\Desktop\dolphins.txt
2013-12-16 17:18 - 2013-12-16 17:18 - 00309320 _____ (BitDefender S.R.L.) C:\WINDOWS\system32\Drivers\TrufosAlt.sys
2013-12-16 01:17 - 2013-12-16 01:17 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Sophos
2013-12-14 23:27 - 2008-04-14 13:00 - 00052352 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\volsnap.sys
2013-12-11 10:31 - 2013-12-11 10:31 - 00000428 _____ C:\Documents and Settings\Milovan\Desktop\Router Settings.txt
2013-12-10 21:27 - 2013-12-10 22:47 - 00000000 ____D C:\WINDOWS\220FB0354744483A9A0B41DF77061583.TMP
2013-12-10 21:26 - 2013-12-10 21:26 - 00000000 ____D C:\Program Files\Common Files\Wise Installation Wizard
2013-12-09 23:30 - 2013-12-10 19:27 - 00000000 ____D C:\TDSSKiller_Quarantine
2013-12-09 23:07 - 2013-12-12 11:20 - 00008192 ____H C:\WINDOWS\system32\config\SECURITY.tmp.LOG
2013-12-09 23:07 - 2013-12-09 23:07 - 00000000 ____H C:\WINDOWS\system32\config\system.tmp.LOG
2013-12-09 23:07 - 2013-12-09 23:07 - 00000000 ____H C:\WINDOWS\system32\config\software.tmp.LOG
2013-12-09 23:07 - 2013-12-09 23:07 - 00000000 ____H C:\WINDOWS\system32\config\SAM.tmp.LOG
2013-12-09 23:07 - 2013-12-09 23:07 - 00000000 ____H C:\WINDOWS\system32\config\default.tmp.LOG
2013-12-09 21:29 - 2013-12-31 14:56 - 00000000 ____D C:\Program Files\Malware Defender
2013-12-09 21:29 - 2013-12-09 21:29 - 00001669 _____ C:\Documents and Settings\All Users\Desktop\Malware Defender.lnk
2013-12-09 21:29 - 2013-12-09 21:29 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Malware Defender
2013-12-07 21:21 - 2013-12-07 21:21 - 00000000 _RSHD C:\cmdcons
2013-12-07 21:21 - 2013-11-30 22:28 - 00000211 _____ C:\Boot.bak
2013-12-07 21:21 - 2004-08-03 23:00 - 00260272 __RSH C:\cmldr
2013-12-07 21:19 - 2011-06-26 07:45 - 00256000 _____ C:\WINDOWS\PEV.exe
2013-12-07 21:19 - 2010-11-07 18:20 - 00208896 _____ C:\WINDOWS\MBR.exe
2013-12-07 21:19 - 2009-04-20 05:56 - 00060416 _____ (NirSoft) C:\WINDOWS\NIRCMD.exe
2013-12-07 21:19 - 2000-08-31 01:00 - 00518144 _____ (SteelWerX) C:\WINDOWS\SWREG.exe
2013-12-07 21:19 - 2000-08-31 01:00 - 00406528 _____ (SteelWerX) C:\WINDOWS\SWSC.exe
2013-12-07 21:19 - 2000-08-31 01:00 - 00212480 _____ (SteelWerX) C:\WINDOWS\SWXCACLS.exe
2013-12-07 21:19 - 2000-08-31 01:00 - 00098816 _____ C:\WINDOWS\sed.exe
2013-12-07 21:19 - 2000-08-31 01:00 - 00080412 _____ C:\WINDOWS\grep.exe
2013-12-07 21:19 - 2000-08-31 01:00 - 00068096 _____ C:\WINDOWS\zip.exe
2013-12-07 21:18 - 2013-12-18 19:23 - 00000000 ____D C:\Qoobox
2013-12-07 21:18 - 2013-12-18 18:47 - 00000000 ____D C:\WINDOWS\erdnt
2013-12-07 20:37 - 2013-12-07 20:37 - 00000784 _____ C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
2013-12-07 20:37 - 2013-12-07 20:37 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2013-12-07 20:37 - 2013-12-07 20:37 - 00000000 ____D C:\Documents and Settings\Milovan\Application Data\Malwarebytes
2013-12-07 20:37 - 2013-12-07 20:37 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
2013-12-07 20:37 - 2013-12-07 20:37 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Malwarebytes
2013-12-07 20:37 - 2013-04-04 14:50 - 00022856 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbam.sys
2013-12-07 20:36 - 2013-12-07 20:36 - 00000000 ____D C:\WINDOWS\PIF
2013-12-06 01:36 - 2013-12-06 01:36 - 00000016 _____ C:\Documents and Settings\Milovan\My Documents\IdeaSuperKartica.txt
2013-12-04 22:13 - 2013-12-04 22:13 - 00090112 _____ C:\WINDOWS\Minidump\Mini120413-01.dmp
2013-12-04 15:59 - 2013-12-18 18:10 - 00000000 ____D C:\Documents and Settings\Milovan\Application Data\AVAST Software
2013-12-02 16:49 - 2013-10-03 19:38 - 00608256 _____ C:\Documents and Settings\Milovan\My Documents\GeografijaAleksandra.ppt

==================== One Month Modified Files and Folders =======

2014-12-25 13:05 - 2014-12-25 12:06 - 00026872 _____ (Symantec Corporation) C:\WINDOWS\system32\Drivers\FixTDSS.sys
2014-12-25 12:08 - 2013-02-19 17:43 - 00000178 ___SH C:\Documents and Settings\alibra\ntuser.ini
2014-12-25 12:08 - 2013-02-19 17:43 - 00000000 ____D C:\Documents and Settings\alibra
2014-12-25 12:06 - 2014-12-25 12:06 - 00000000 ____D C:\Documents and Settings\Milovan\Application Data\FixTDSS
2014-12-25 11:57 - 2014-12-25 11:55 - 00000178 ___SH C:\Documents and Settings\NoviAdmin\ntuser.ini
2014-12-25 11:55 - 2014-12-25 11:55 - 00000695 _____ C:\Documents and Settings\NoviAdmin\Start Menu\Programs\Windows Media Player.lnk
2014-12-25 11:55 - 2014-12-25 11:55 - 00000649 _____ C:\Documents and Settings\NoviAdmin\Start Menu\Programs\Outlook Express.lnk
2014-12-25 11:55 - 2014-12-25 11:55 - 00000000 ____D C:\Documents and Settings\NoviAdmin
2014-12-25 11:55 - 2009-08-01 03:46 - 00028544 _____ C:\WINDOWS\wmsetup.log
2013-12-31 15:04 - 2013-12-31 14:58 - 00014315 _____ C:\Documents and Settings\Milovan\Desktop\FRST.txt
2013-12-31 15:03 - 2013-12-31 15:03 - 01064333 _____ (Farbar) C:\Documents and Settings\Milovan\Desktop\FRST.exe
2013-12-31 15:03 - 2013-12-31 14:58 - 00000000 ____D C:\FRST
2013-12-31 15:01 - 2009-07-31 15:53 - 00859072 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2013-12-31 14:59 - 2013-12-31 14:59 - 00019044 _____ C:\Documents and Settings\Milovan\Desktop\Addition.txt
2013-12-31 14:56 - 2013-12-09 21:29 - 00000000 ____D C:\Program Files\Malware Defender
2013-12-31 14:56 - 2009-08-01 03:55 - 00000278 ___SH C:\Documents and Settings\Milovan\ntuser.ini
2013-12-31 14:56 - 2009-08-01 03:52 - 00032542 _____ C:\WINDOWS\SchedLgU.Txt
2013-12-31 14:56 - 2009-08-01 03:52 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2013-12-31 14:56 - 2009-08-01 03:48 - 01611568 _____ C:\WINDOWS\WindowsUpdate.log
2013-12-31 14:56 - 2009-07-31 15:55 - 00000216 _____ C:\WINDOWS\wiadebug.log
2013-12-31 14:56 - 2009-07-31 15:55 - 00000050 _____ C:\WINDOWS\wiaservc.log
2013-12-31 14:50 - 2013-11-17 18:37 - 00000000 ____D C:\Program Files\Mozilla Firefox
2013-12-31 14:28 - 2009-08-21 17:35 - 00000920 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2013-12-31 11:19 - 2009-08-21 17:35 - 00000916 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2013-12-28 12:24 - 2009-07-31 15:52 - 00941456 _____ C:\WINDOWS\setupapi.log
2013-12-26 20:57 - 2013-12-26 20:57 - 00395820 _____ C:\Documents and Settings\Milovan\Desktop\3rdpartyscan_26122013.txt
2013-12-26 20:17 - 2013-12-26 20:17 - 00183772 _____ C:\Documents and Settings\Milovan\Desktop\rootkitscan_26122013.txt
2013-12-26 19:49 - 2013-12-26 01:02 - 00000406 _____ C:\Documents and Settings\Milovan\Desktop\catchme.log
2013-12-26 19:42 - 2013-12-26 01:01 - 00000294 _____ C:\Documents and Settings\Milovan\Desktop\mbr.log
2013-12-26 18:50 - 2013-12-26 18:45 - 00000000 ___SD C:\ComboFix
2013-12-26 18:48 - 2013-12-18 17:53 - 00052352 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\VOLSNAP.SYS
2013-12-26 17:21 - 2013-12-26 17:21 - 02972548 _____ C:\Documents and Settings\Milovan\Desktop\26122013_3rd.txt
2013-12-26 14:42 - 2013-12-26 14:42 - 00146761 _____ C:\Documents and Settings\Milovan\Desktop\26122013_scan.txt
2013-12-26 14:25 - 2009-08-26 18:40 - 00000000 __SHD C:\WINDOWS\CSC
2013-12-26 11:17 - 2009-08-01 03:52 - 00000178 ___SH C:\Documents and Settings\NetworkService\ntuser.ini
2013-12-26 11:16 - 2009-08-01 03:52 - 00000178 ___SH C:\Documents and Settings\LocalService\ntuser.ini
2013-12-26 10:56 - 2009-07-31 15:46 - 00000000 ____D C:\WINDOWS\system32\inetsrv
2013-12-26 10:38 - 2013-12-26 10:38 - 01658485 _____ C:\Documents and Settings\Milovan\Desktop\2612bbb.txt
2013-12-26 01:24 - 2013-12-25 09:01 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Norton
2013-12-26 00:59 - 2013-12-26 00:59 - 00156959 _____ C:\Documents and Settings\Milovan\Desktop\2512AAA.txt
2013-12-26 00:31 - 2013-12-26 01:02 - 00147456 _____ C:\Documents and Settings\Milovan\Desktop\98887tf44.exe
2013-12-26 00:17 - 2013-12-26 01:01 - 00089088 _____ C:\Documents and Settings\Milovan\Desktop\0123rrrd.exe
2013-12-26 00:02 - 2013-12-26 00:02 - 00000000 _____ C:\Documents and Settings\Milovan\Desktop\52fokxzl.reg
2013-12-25 23:16 - 2013-12-25 23:45 - 00377856 _____ C:\Documents and Settings\Milovan\Desktop\52fokxzl.exe
2013-12-25 23:16 - 2013-12-25 23:15 - 00040170 _____ C:\Documents and Settings\Milovan\My Documents\aswMBR.txt
2013-12-25 23:16 - 2013-12-25 23:15 - 00000512 _____ C:\Documents and Settings\Milovan\My Documents\MBR.dat
2013-12-25 19:48 - 2013-12-25 19:49 - 130469680 _____ C:\Documents and Settings\Milovan\Desktop\setup_11.0.1.1245.x01_2013_12_25_21_35.exe
2013-12-25 19:44 - 2008-04-14 13:00 - 00002206 _____ C:\WINDOWS\system32\wpa.dbl
2013-12-25 11:26 - 2013-12-25 11:26 - 00000000 ____D C:\Documents and Settings\Milovan\Start Menu\Programs\WinRAR
2013-12-25 11:26 - 2013-12-25 11:26 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\WinRAR
2013-12-25 11:26 - 2009-10-07 12:18 - 00000000 ____D C:\Program Files\WinRAR
2013-12-25 09:02 - 2013-12-25 09:01 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Norton Identity Safe
2013-12-25 09:01 - 2013-12-25 09:01 - 00000000 ____D C:\WINDOWS\system32\Drivers\NST
2013-12-25 09:01 - 2013-12-25 09:01 - 00000000 ____D C:\Program Files\Norton Identity Safe
2013-12-18 23:27 - 2013-12-25 08:45 - 02799296 _____ (Sysinternals - www.sysinternals.com) C:\Documents and Settings\Milovan\Desktop\notepad.exe
2013-12-18 23:27 - 2013-12-18 23:38 - 02799296 _____ (Sysinternals - www.sysinternals.com) C:\Documents and Settings\Milovan\Desktop\procexp.exe
2013-12-18 19:23 - 2013-12-07 21:18 - 00000000 ____D C:\Qoobox
2013-12-18 18:58 - 2009-08-01 03:52 - 00000000 __SHD C:\Documents and Settings\NetworkService
2013-12-18 18:57 - 2009-08-01 03:52 - 00000000 __SHD C:\Documents and Settings\LocalService
2013-12-18 18:47 - 2013-12-07 21:18 - 00000000 ____D C:\WINDOWS\erdnt
2013-12-18 18:47 - 2008-04-14 13:00 - 00000263 _____ C:\WINDOWS\system.ini
2013-12-18 18:10 - 2013-12-04 15:59 - 00000000 ____D C:\Documents and Settings\Milovan\Application Data\AVAST Software
2013-12-18 18:10 - 2012-11-25 10:41 - 00000000 ____D C:\Program Files\AVAST Software
2013-12-18 18:10 - 2012-11-25 10:41 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\AVAST Software
2013-12-18 18:10 - 2009-08-01 03:49 - 00002577 _____ C:\WINDOWS\system32\CONFIG.NT
2013-12-18 17:04 - 2013-12-18 15:56 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\SecTaskMan
2013-12-18 17:04 - 2009-07-31 15:51 - 00000327 __RSH C:\boot.ini
2013-12-18 17:04 - 2008-04-14 13:00 - 00000668 _____ C:\WINDOWS\win.ini
2013-12-18 16:21 - 2009-08-18 21:41 - 00000000 ____D C:\Documents and Settings\Milovan\Local Settings\Application Data\Adobe
2013-12-18 15:33 - 2013-12-18 15:33 - 00692616 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerApp.exe
2013-12-18 15:33 - 2013-12-18 15:33 - 00071048 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerCPLApp.cpl
2013-12-18 08:05 - 2013-03-29 16:14 - 00000000 ____D C:\WINDOWS\pss
2013-12-18 01:39 - 2011-12-24 21:51 - 00000000 ____D C:\Documents and Settings\Milovan\My Documents\Visual Studio 2010
2013-12-18 01:39 - 2010-12-01 17:36 - 00001324 _____ C:\WINDOWS\system32\d3d9caps.dat
2013-12-18 01:36 - 2013-11-03 12:50 - 00002483 _____ C:\Documents and Settings\Milovan\Desktop\Microsoft Office PowerPoint 2003.lnk
2013-12-18 01:13 - 2009-08-18 21:43 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Adobe
2013-12-16 21:06 - 2013-12-16 21:06 - 00000825 _____ C:\Documents and Settings\Milovan\Desktop\dolphins.txt
2013-12-16 17:18 - 2013-12-16 17:18 - 00309320 _____ (BitDefender S.R.L.) C:\WINDOWS\system32\Drivers\TrufosAlt.sys
2013-12-16 01:17 - 2013-12-16 01:17 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Sophos
2013-12-12 21:26 - 2009-09-03 18:19 - 00000000 ____D C:\Documents and Settings\Milovan\My Documents\The KMPlayer
2013-12-12 11:21 - 2009-07-31 15:52 - 00098304 _____ C:\WINDOWS\system32\config\SECURITY.bak
2013-12-12 11:21 - 2009-07-31 15:52 - 00040960 _____ C:\WINDOWS\system32\config\SAM.bak
2013-12-12 11:21 - 2009-07-31 15:51 - 75673600 _____ C:\WINDOWS\system32\config\software.bak
2013-12-12 11:21 - 2009-07-31 15:51 - 05505024 _____ C:\WINDOWS\system32\config\system.bak
2013-12-12 11:21 - 2009-07-31 15:51 - 04177920 _____ C:\WINDOWS\system32\config\default.bak
2013-12-12 11:20 - 2013-12-09 23:07 - 00008192 ____H C:\WINDOWS\system32\config\SECURITY.tmp.LOG
2013-12-11 10:31 - 2013-12-11 10:31 - 00000428 _____ C:\Documents and Settings\Milovan\Desktop\Router Settings.txt
2013-12-10 22:47 - 2013-12-10 21:27 - 00000000 ____D C:\WINDOWS\220FB0354744483A9A0B41DF77061583.TMP
2013-12-10 21:38 - 2009-08-01 03:55 - 00001599 _____ C:\Documents and Settings\Milovan\Start Menu\Programs\Remote Assistance.lnk
2013-12-10 21:34 - 2014-12-25 11:55 - 00001599 _____ C:\Documents and Settings\NoviAdmin\Start Menu\Programs\Remote Assistance.lnk
2013-12-10 21:34 - 2013-02-19 17:43 - 00001599 _____ C:\Documents and Settings\alibra\Start Menu\Programs\Remote Assistance.lnk
2013-12-10 21:34 - 2009-08-01 03:49 - 00001607 _____ C:\Documents and Settings\All Users\Start Menu\Set Program Access and Defaults.lnk
2013-12-10 21:34 - 2009-08-01 03:49 - 00001599 _____ C:\Documents and Settings\Default User\Start Menu\Programs\Remote Assistance.lnk
2013-12-10 21:34 - 2009-08-01 03:49 - 00001507 _____ C:\Documents and Settings\All Users\Start Menu\Windows Update.lnk
2013-12-10 21:26 - 2013-12-10 21:26 - 00000000 ____D C:\Program Files\Common Files\Wise Installation Wizard
2013-12-10 19:58 - 2009-08-01 03:46 - 00000000 ____D C:\WINDOWS\Registration
2013-12-10 19:27 - 2013-12-09 23:30 - 00000000 ____D C:\TDSSKiller_Quarantine
2013-12-10 19:26 - 2009-08-01 03:47 - 00000000 ____D C:\WINDOWS\system32\Restore
2013-12-10 01:11 - 2009-08-01 03:47 - 00000000 ____D C:\WINDOWS\srchasst
2013-12-10 00:20 - 2009-07-31 15:46 - 00000000 ____D C:\WINDOWS\msagent
2013-12-09 23:07 - 2013-12-09 23:07 - 00000000 ____H C:\WINDOWS\system32\config\system.tmp.LOG
2013-12-09 23:07 - 2013-12-09 23:07 - 00000000 ____H C:\WINDOWS\system32\config\software.tmp.LOG
2013-12-09 23:07 - 2013-12-09 23:07 - 00000000 ____H C:\WINDOWS\system32\config\SAM.tmp.LOG
2013-12-09 23:07 - 2013-12-09 23:07 - 00000000 ____H C:\WINDOWS\system32\config\default.tmp.LOG
2013-12-09 21:29 - 2013-12-09 21:29 - 00001669 _____ C:\Documents and Settings\All Users\Desktop\Malware Defender.lnk
2013-12-09 21:29 - 2013-12-09 21:29 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Malware Defender
2013-12-09 18:56 - 2009-08-21 17:15 - 00000000 ____D C:\Program Files\Google
2013-12-09 18:55 - 2012-09-12 12:27 - 00000000 ____D C:\Documents and Settings\Milovan\Application Data\Dropbox
2013-12-09 01:26 - 2009-07-31 15:53 - 00312254 _____ C:\WINDOWS\iis6.log
2013-12-09 01:26 - 2009-07-31 15:53 - 00058449 _____ C:\WINDOWS\ocgen.log
2013-12-09 01:26 - 2009-07-31 15:53 - 00058305 _____ C:\WINDOWS\FaxSetup.log
2013-12-09 01:26 - 2009-07-31 15:53 - 00038820 _____ C:\WINDOWS\tsoc.log
2013-12-09 01:26 - 2009-07-31 15:53 - 00036132 _____ C:\WINDOWS\msmqinst.log
2013-12-09 01:26 - 2009-07-31 15:53 - 00033059 _____ C:\WINDOWS\comsetup.log
2013-12-09 01:26 - 2009-07-31 15:53 - 00020606 _____ C:\WINDOWS\ntdtcsetup.log
2013-12-09 01:26 - 2009-07-31 15:53 - 00011444 _____ C:\WINDOWS\netfxocm.log
2013-12-09 01:26 - 2009-07-31 15:53 - 00005601 _____ C:\WINDOWS\MedCtrOC.log
2013-12-09 01:26 - 2009-07-31 15:53 - 00004819 _____ C:\WINDOWS\imsins.log
2013-12-09 01:26 - 2009-07-31 15:53 - 00004023 _____ C:\WINDOWS\ocmsn.log
2013-12-09 01:26 - 2009-07-31 15:53 - 00003861 _____ C:\WINDOWS\msgsocm.log
2013-12-09 01:26 - 2009-07-31 15:53 - 00003118 _____ C:\WINDOWS\tabletoc.log
2013-12-07 21:28 - 2009-08-01 03:55 - 00000000 ____D C:\Documents and Settings\Milovan
2013-12-07 21:21 - 2013-12-07 21:21 - 00000000 _RSHD C:\cmdcons
2013-12-07 20:55 - 2009-08-04 07:37 - 00000000 ____D C:\WINDOWS\SHELLNEW
2013-12-07 20:37 - 2013-12-07 20:37 - 00000784 _____ C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
2013-12-07 20:37 - 2013-12-07 20:37 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2013-12-07 20:37 - 2013-12-07 20:37 - 00000000 ____D C:\Documents and Settings\Milovan\Application Data\Malwarebytes
2013-12-07 20:37 - 2013-12-07 20:37 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
2013-12-07 20:37 - 2013-12-07 20:37 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Malwarebytes
2013-12-07 20:36 - 2013-12-07 20:36 - 00000000 ____D C:\WINDOWS\PIF
2013-12-06 15:11 - 2012-03-19 01:20 - 02696896 _____ C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-S-1-5-21-725345543-308236825-1177238915-1003-0.dat
2013-12-06 15:11 - 2011-12-24 22:23 - 00198586 _____ C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat
2013-12-06 01:36 - 2013-12-06 01:36 - 00000016 _____ C:\Documents and Settings\Milovan\My Documents\IdeaSuperKartica.txt
2013-12-05 21:58 - 2010-10-31 19:10 - 00000000 ____D C:\Program Files\Cuvari Prirode
2013-12-04 22:13 - 2013-12-04 22:13 - 00090112 _____ C:\WINDOWS\Minidump\Mini120413-01.dmp
2013-12-04 22:13 - 2010-12-22 23:54 - 00000000 ____D C:\WINDOWS\Minidump
2013-12-04 15:30 - 2012-04-15 18:04 - 00000000 ____D C:\Documents and Settings\Milovan\Application Data\Skype
2013-12-02 17:14 - 2012-09-12 12:02 - 00000000 ____D C:\Documents and Settings\Milovan\My Documents\Preuzimanja
2013-12-01 00:16 - 2009-08-02 22:12 - 00004328 _____ C:\WINDOWS\COM+.log

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe
[2008-04-14 13:00] - [2008-04-14 13:00] - 0108544 ____A (Microsoft Corporation) 0e776ed5f7cc9f94299e70461b7b8185

C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== End Of Log ============================

The file Addition.txt was also created (in safe mode), but I don't know how to 'attach' a file to a post (I don't see any 'attach file' option).

Can you interpret the contents of this log (note that the program was run in safe mode, because in normal mode I can't run it -> obviously the rootkit is blocking it, even when I rename it)?

If it's not too much, I'd also ask the following: I see that all (or almost all) anti-rootkit tools work by creating log files -> the question is: how do I interpret the contents of the log files?

[ kristi1 @ 02.01.2014. 19:46 ] @
Download ComboFix from the following address to the Desktop:

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Disable the AV

Run ComboFix only from the desktop (I Agree)
Click Yes \ Ok on every popup window

When the scan finishes it will put a log on the desktop

Copy the log here

You have already run ComboFix; delete that icon and download a new one from my instructions.

Quote:
If someone has the knowledge and time to review the GMER log, I can post it on the forum.

Post the GMER log too.

[This message was edited by kristi1 on 02.01.2014. at 21:06 GMT+1]
[ nikitaGradov @ 03.01.2014. 00:34 ] @
To start, let me post the log from the GMER tool (I ran a quick scan, and the GMER version is 2.1.19163):

GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2014-01-03 01:31:14
Windows 5.1.2600 Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 FUJITSU_ rev.8909 232,89GB
Running: 52fokxzl.exe; Driver: C:\DOCUME~1\Milovan\LOCALS~1\Temp\fwtdrpog.sys


---- System - GMER 2.1 ----

SSDT \??\c:\windows\system32\drivers\dlhpnmlg.sys ZwAssignProcessToJobObject [0xA0554CA8]
SSDT \??\c:\windows\system32\drivers\dlhpnmlg.sys ZwClose [0xA054EAF8]
SSDT \??\c:\windows\system32\drivers\dlhpnmlg.sys ZwCreateFile [0xA05531F6]
SSDT \??\c:\windows\system32\drivers\dlhpnmlg.sys ZwCreateSection [0xA0554340]
SSDT \??\c:\windows\system32\drivers\dlhpnmlg.sys ZwCreateThread [0xA055518C]
SSDT \??\c:\windows\system32\drivers\dlhpnmlg.sys ZwDebugActiveProcess [0xA0554BCA]
SSDT \??\c:\windows\system32\drivers\dlhpnmlg.sys ZwDeleteFile [0xA055359A]
SSDT \??\c:\windows\system32\drivers\dlhpnmlg.sys ZwDeviceIoControlFile [0xA054ECDA]
SSDT \??\c:\windows\system32\drivers\dlhpnmlg.sys ZwDuplicateObject [0xA05526C6]
SSDT \??\c:\windows\system32\drivers\dlhpnmlg.sys ZwFsControlFile [0xA054EB18]
SSDT \??\c:\windows\system32\drivers\dlhpnmlg.sys ZwInitiatePowerAction [0xA054E7FC]
SSDT \??\c:\windows\system32\drivers\dlhpnmlg.sys ZwLoadDriver [0xA05520A8]
SSDT \??\c:\windows\system32\drivers\dlhpnmlg.sys ZwMakeTemporaryObject [0xA054E92C]
SSDT \??\c:\windows\system32\drivers\dlhpnmlg.sys ZwOpenFile [0xA0552EB6]
SSDT \??\c:\windows\system32\drivers\dlhpnmlg.sys ZwOpenProcess [0xA0554636]
SSDT \??\c:\windows\system32\drivers\dlhpnmlg.sys ZwOpenSection [0xA054EE9C]
SSDT \??\c:\windows\system32\drivers\dlhpnmlg.sys ZwOpenThread [0xA0554F62]
SSDT \??\c:\windows\system32\drivers\dlhpnmlg.sys ZwProtectVirtualMemory [0xA0555BDA]
SSDT \??\c:\windows\system32\drivers\dlhpnmlg.sys ZwQueueApcThread [0xA0555520]
SSDT \??\c:\windows\system32\drivers\dlhpnmlg.sys ZwReadFile [0xA054EA5C]
SSDT \??\c:\windows\system32\drivers\dlhpnmlg.sys ZwReadVirtualMemory [0xA054EF8C]
SSDT \??\c:\windows\system32\drivers\dlhpnmlg.sys ZwRenameKey [0xA055062C]
SSDT \??\c:\windows\system32\drivers\dlhpnmlg.sys ZwReplaceKey [0xA0554064]
SSDT \??\c:\windows\system32\drivers\dlhpnmlg.sys ZwRequestWaitReplyPort [0xA05524A4]
SSDT \??\c:\windows\system32\drivers\dlhpnmlg.sys ZwRestoreKey [0xA0553EC0]
SSDT \??\c:\windows\system32\drivers\dlhpnmlg.sys ZwSetContextThread [0xA055599A]
SSDT \??\c:\windows\system32\drivers\dlhpnmlg.sys ZwSetInformationFile [0xA0553A26]
SSDT \??\c:\windows\system32\drivers\dlhpnmlg.sys ZwSetInformationProcess [0xA0554E92]
SSDT \??\c:\windows\system32\drivers\dlhpnmlg.sys ZwSetSecurityObject [0xA0552B86]
SSDT \??\c:\windows\system32\drivers\dlhpnmlg.sys ZwSetSystemInformation [0xA055220E]
SSDT \??\c:\windows\system32\drivers\dlhpnmlg.sys ZwSetSystemPowerState [0xA054E896]
SSDT \??\c:\windows\system32\drivers\dlhpnmlg.sys ZwSetSystemTime [0xA054E6C8]
SSDT \??\c:\windows\system32\drivers\dlhpnmlg.sys ZwShutdownSystem [0xA054E78A]
SSDT \??\c:\windows\system32\drivers\dlhpnmlg.sys ZwSuspendProcess [0xA0554AEE]
SSDT \??\c:\windows\system32\drivers\dlhpnmlg.sys ZwSuspendThread [0xA0555888]
SSDT \??\c:\windows\system32\drivers\dlhpnmlg.sys ZwSystemDebugControl [0xA054E63A]
SSDT \??\c:\windows\system32\drivers\dlhpnmlg.sys ZwTerminateJobObject [0xA0554D7E]
SSDT \??\c:\windows\system32\drivers\dlhpnmlg.sys ZwTerminateProcess [0xA05549B2]
SSDT \??\c:\windows\system32\drivers\dlhpnmlg.sys ZwTerminateThread [0xA0555758]
SSDT \??\c:\windows\system32\drivers\dlhpnmlg.sys ZwUnmapViewOfSection [0xA055421E]
SSDT \??\c:\windows\system32\drivers\dlhpnmlg.sys ZwWriteFile [0xA0553706]
SSDT \??\c:\windows\system32\drivers\dlhpnmlg.sys ZwWriteFileGather [0xA0553896]
SSDT \??\c:\windows\system32\drivers\dlhpnmlg.sys ZwWriteVirtualMemory [0xA0555AAC]
SSDT \WINDOWS\system32\ntkrnlpa.exe ZwCreateKey [0x804D70AE]
SSDT \WINDOWS\system32\ntkrnlpa.exe[unknown section] [804D70AE] ZwCreateKey [0x804D70AE]
SSDT \WINDOWS\system32\ntkrnlpa.exe ZwDeleteKey [0x804D70B8]
SSDT \WINDOWS\system32\ntkrnlpa.exe[unknown section] [804D70B8] ZwDeleteKey [0x804D70B8]
SSDT \WINDOWS\system32\ntkrnlpa.exe ZwDeleteValueKey [0x804D70A9]
SSDT \WINDOWS\system32\ntkrnlpa.exe[unknown section] [804D70A9] ZwDeleteValueKey [0x804D70A9]
SSDT \WINDOWS\system32\ntkrnlpa.exe ZwEnumerateKey [0x804D70BD]
SSDT \WINDOWS\system32\ntkrnlpa.exe[unknown section] [804D70BD] ZwEnumerateKey [0x804D70BD]
SSDT \WINDOWS\system32\ntkrnlpa.exe ZwEnumerateValueKey [0x804D70C2]
SSDT \WINDOWS\system32\ntkrnlpa.exe[unknown section] [804D70C2] ZwEnumerateValueKey [0x804D70C2]
SSDT \WINDOWS\system32\ntkrnlpa.exe ZwOpenKey [0x804D70D1]
SSDT \WINDOWS\system32\ntkrnlpa.exe[unknown section] [804D70D1] ZwOpenKey [0x804D70D1]
SSDT \WINDOWS\system32\ntkrnlpa.exe ZwQueryKey [0x804D70CC]
SSDT \WINDOWS\system32\ntkrnlpa.exe[unknown section] [804D70CC] ZwQueryKey [0x804D70CC]
SSDT \WINDOWS\system32\ntkrnlpa.exe ZwQueryValueKey [0x804D70C7]
SSDT \WINDOWS\system32\ntkrnlpa.exe[unknown section] [804D70C7] ZwQueryValueKey [0x804D70C7]
SSDT \WINDOWS\system32\ntkrnlpa.exe ZwSetValueKey [0x804D70B3]
SSDT \WINDOWS\system32\ntkrnlpa.exe[unknown section] [804D70B3] ZwSetValueKey [0x804D70B3]

INT 0x03 \WINDOWS\system32\ntkrnlpa.exe[unknown section] 804D70DB

---- Kernel code sections - GMER 2.1 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2C28 805044B4 4 Bytes [F8, EA, 54, A0]
.text ntkrnlpa.exe!ZwCallbackReturn + 2CBC 80504548 7 Bytes [9A, 35, 55, A0, B8, 70, 4D] {CALL FAR 0x4d70:0xb8a05535}
.text ntkrnlpa.exe!ZwCallbackReturn + 2D68 805045F4 4 Bytes JMP D422E64D
.text ntkrnlpa.exe!ZwCallbackReturn + 2EA0 8050472C 4 Bytes JMP C9F4A054
.text ntkrnlpa.exe!ZwCallbackReturn + 2F84 80504810 12 Bytes [0E, 22, 55, A0, 96, E8, 54, ...]
.text ...
? C:\WINDOWS\system32\ntkrnlpa.exe Access is denied.
? C:\WINDOWS\system32\hal.dll Access is denied.
? C:\WINDOWS\system32\KDCOM.DLL Access is denied.
? C:\WINDOWS\system32\BOOTVID.dll Access is denied.
? C:\WINDOWS\System32\win32k.sys Access is denied.
? C:\WINDOWS\System32\watchdog.sys Access is denied.
? C:\WINDOWS\System32\igxpgd32.dll Access is denied.
? C:\WINDOWS\System32\igxprd32.dll Access is denied.
? C:\WINDOWS\System32\igxpdv32.DLL Access is denied.
? C:\WINDOWS\System32\igxpdx32.DLL Access is denied.
? C:\WINDOWS\System32\ATMFD.DLL Access is denied.
.text C:\WINDOWS\system32\drivers\aksfridge.sys section is writeable [0x9AD64000, 0x44527, 0xE0000020]
.init C:\WINDOWS\system32\drivers\aksfridge.sys entry point in ".init" section [0x9ADB6224]
.init C:\WINDOWS\system32\drivers\aksfridge.sys unknown last code section [0x9ADB6000, 0x7000, 0xE20000E0]
.text C:\WINDOWS\system32\drivers\hardlock.sys section is writeable [0x9AC91400, 0x88182, 0xE8000020]
.protectÿÿÿÿhardlockentry point in ".protectÿÿÿÿhardlockentry point in ".protectÿÿÿÿhardlockentry point in ".p" section [0x9AD35820] C:\WINDOWS\system32\drivers\hardlock.sys entry point in ".protectÿÿÿÿhardlockentry point in ".protectÿÿÿÿhardlockentry point in ".p" section [0x9AD35820]
.protectÿÿÿÿhardlockunknown last code section [0x9AD35600, 0x50F6, 0xE0000020] C:\WINDOWS\system32\drivers\hardlock.sys unknown last code section [0x9AD35600, 0x50F6, 0xE0000020]
? C:\DOCUME~1\Milovan\LOCALS~1\Temp\mbr.sys The filename, directory name, or volume label syntax is incorrect. !
? C:\WINDOWS\system32\ntdll.dll Access is denied.

---- User code sections - GMER 2.1 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[2520] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 0172E210 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[2520] kernel32.dll!lstrlenW + 43 7C809ADC 7 Bytes JMP 01EF22CD C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[2520] kernel32.dll!MapViewOfFileEx + 6A 7C80B990 7 Bytes JMP 01EF22AA C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[2520] kernel32.dll!ValidateLocale + B1E8 7C8449F8 7 Bytes JMP 01732C10 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[2520] GDI32.dll!SetDIBitsToDevice + 209 77F19E04 7 Bytes JMP 01EF222B C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3136] USER32.dll!DefWindowProcA + 11A 7E42C298 7 Bytes JMP 106112C8 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3136] USER32.dll!SetWindowLongA + 19 7E42C2B6 7 Bytes JMP 10611339 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3136] USER32.dll!GetWindowInfo 7E42C49C 5 Bytes JMP 1061508F C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3136] USER32.dll!GetMenuContextHelpId + 1A 7E465319 7 Bytes JMP 1060EA7F C:\Program Files\Mozilla Firefox\xul.dll

---- Devices - GMER 2.1 ----

AttachedDevice \Driver\Tcpip \Device\Ip dlhpnmlg.sys
AttachedDevice \Driver\Tcpip \Device\Tcp dlhpnmlg.sys
AttachedDevice \Driver\Tcpip \Device\Udp dlhpnmlg.sys

Device \Driver\Disk \Device\Harddisk0\DR0 aksfridge.sys

AttachedDevice \Driver\Tcpip \Device\RawIp dlhpnmlg.sys
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys
---- Processes - GMER 2.1 ----

Library C:\WINDOWS\system32\wbem\wbemprox.dll (*** hidden *** ) @ C:\WINDOWS\system32\winlogon.exe [876] 0x74EF0000
Library C:\WINDOWS\system32\wbem\wbemcomn.dll (*** hidden *** ) @ C:\WINDOWS\system32\winlogon.exe [876] 0x75290000
Library C:\WINDOWS\system32\wbem\wbemsvc.dll (*** hidden *** ) @ C:\WINDOWS\system32\winlogon.exe [876] 0x74ED0000
Library C:\WINDOWS\system32\wbem\fastprox.dll (*** hidden *** ) @ C:\WINDOWS\system32\winlogon.exe [876] 0x75690000
Library c:\windows\system32\wbem\wmisvc.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1316] 0x59490000
Library C:\WINDOWS\system32\wbem\wbemcomn.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1316] 0x75290000
Library C:\WINDOWS\system32\wbem\wbemcore.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1316] 0x762C0000
Library C:\WINDOWS\system32\wbem\esscli.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1316] 0x75310000
Library C:\WINDOWS\system32\wbem\FastProx.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1316] 0x75690000
Library C:\WINDOWS\system32\wbem\wmiutils.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1316] 0x75020000
Library C:\WINDOWS\system32\wbem\repdrvfs.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1316] 0x75200000
Library C:\WINDOWS\system32\wbem\wmiprvsd.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1316] 0x597F0000
Library C:\WINDOWS\system32\wbem\wbemess.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1316] 0x75390000
Library C:\WINDOWS\system32\wbem\ncprov.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1316] 0x5F740000
Library C:\WINDOWS\system32\wbem\wbemsvc.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1316] 0x74ED0000

---- Registry - GMER 2.1 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@RequireSignedAppInit_DLLs 1

---- Files - GMER 2.1 ----

File C:\WINDOWS\system32\drivers\acpi.sys 187776 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\drivers\acpiec.sys 11648 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\drivers\ADIHdAud.sys 281600 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\drivers\aeaudio.sys 94976 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\drivers\aec.sys 142592 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\drivers\afd.sys 138112 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\drivers\AGRSM.sys 1202560 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\drivers\aksfridge.sys 351744 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\drivers\amdk6.sys 37376 bytes executable
File C:\WINDOWS\system32\drivers\amdk7.sys 37760 bytes executable
File C:\WINDOWS\system32\drivers\arp1394.sys 60800 bytes executable
File C:\WINDOWS\system32\drivers\ASUSHWIO.SYS 5824 bytes executable
File C:\WINDOWS\system32\drivers\asyncmac.sys 14336 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\drivers\atapi.sys 96512 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\drivers\atmarpc.sys 59904 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\drivers\atmepvc.sys 31360 bytes executable
File C:\WINDOWS\system32\drivers\atmlane.sys 55808 bytes executable
File C:\WINDOWS\system32\drivers\atmuni.sys 352256 bytes executable
File C:\WINDOWS\system32\drivers\audstub.sys 3072 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\drivers\nwlnkflt.sys 12416 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\drivers\nwlnkfwd.sys 32512 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\drivers\nwlnkipx.sys 88320 bytes executable
File C:\WINDOWS\system32\drivers\nwlnknb.sys 63232 bytes executable
File C:\WINDOWS\system32\drivers\nwlnkspx.sys 55936 bytes executable
File C:\WINDOWS\system32\drivers\nwrdr.sys 163584 bytes executable
File C:\WINDOWS\system32\drivers\oprghdlr.sys 3456 bytes executable
File C:\WINDOWS\system32\drivers\p3.sys 42752 bytes executable
File C:\WINDOWS\system32\drivers\parport.sys 80128 bytes executable
File C:\WINDOWS\system32\drivers\partmgr.sys 19712 bytes executable
File C:\WINDOWS\system32\drivers\parvdm.sys 6784 bytes executable
File C:\WINDOWS\system32\drivers\pci.sys 68224 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\drivers\pciide.sys 3328 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\drivers\pciidex.sys 24960 bytes executable
File C:\WINDOWS\system32\drivers\pcmcia.sys 120192 bytes executable
File C:\WINDOWS\system32\drivers\portcls.sys 146048 bytes executable
File C:\WINDOWS\system32\drivers\processr.sys 35840 bytes executable
File C:\WINDOWS\system32\drivers\psched.sys 69120 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\drivers\ptilink.sys 17792 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\drivers\qcusbser.sys 103552 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\drivers\rasacd.sys 8832 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\drivers\crusoe.sys 36736 bytes executable
File C:\WINDOWS\system32\drivers\DGIVECP.SYS 41984 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\drivers\disdn 0 bytes
File C:\WINDOWS\system32\drivers\disk.sys 36352 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\drivers\diskdump.sys 14208 bytes executable
File C:\WINDOWS\system32\drivers\dlhpnmlg.sys 258392 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\drivers\dmboot.sys 799744 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\drivers\dmio.sys 153344 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\drivers\dmload.sys 5888 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\drivers\DMusic.sys 52864 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\drivers\drmk.sys 60160 bytes executable
File C:\WINDOWS\system32\drivers\drmkaud.sys 2944 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\drivers\dxapi.sys 10496 bytes executable
File C:\WINDOWS\system32\drivers\dxg.sys 71168 bytes executable
File C:\WINDOWS\system32\drivers\dxgthk.sys 3328 bytes executable
File C:\WINDOWS\system32\drivers\e1e5132.sys 250776 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\drivers\EIO.sys 8703 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\drivers\etc 0 bytes
File C:\WINDOWS\system32\drivers\fastfat.sys 143744 bytes executable
File C:\WINDOWS\system32\drivers\fdc.sys 27392 bytes executable
File C:\WINDOWS\system32\drivers\fips.sys 44544 bytes executable
File C:\WINDOWS\system32\drivers\FixTDSS.sys 26872 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\drivers\flpydisk.sys 20480 bytes executable
File C:\WINDOWS\system32\drivers\fltMgr.sys 129792 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\drivers\fsvga.sys 12160 bytes executable
File C:\WINDOWS\system32\drivers\fs_rec.sys 7936 bytes executable
File C:\WINDOWS\system32\drivers\ftdibus.sys 24209 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\drivers\ftdisk.sys 125056 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\drivers\ftser2k.sys 57404 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\drivers\gm.dls 3440660 bytes
File C:\WINDOWS\system32\drivers\hardlock.sys 694272 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\drivers\hdaudbus.sys 144384 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\drivers\hidclass.sys 36864 bytes executable
File C:\WINDOWS\system32\drivers\hidparse.sys 24960 bytes executable
File C:\WINDOWS\system32\drivers\hidusb.sys 10368 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\drivers\HpqKbFiltr.sys 16768 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\drivers\http.sys 264832 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\drivers\i8042prt.sys 52480 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\drivers\iaStor.sys 312344 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\drivers\igxpmp32.sys 5955872 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\drivers\imapi.sys 42112 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\drivers\intelppm.sys 36352 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\drivers\ip6fw.sys 36608 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\drivers\ipfltdrv.sys 32896 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\drivers\ipinip.sys 20864 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\drivers\ipnat.sys 152832 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\drivers\ipsec.sys 75264 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\drivers\raspppoe.sys 41472 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\drivers\raspptp.sys 48384 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\drivers\raspti.sys 16512 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\drivers\rawwan.sys 34432 bytes executable
File C:\WINDOWS\system32\drivers\rdbss.sys 175744 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\drivers\rdpcdd.sys 4224 bytes executable <-- ROOTKIT !!!
File
[ nikitaGradov @ 03.01.2014. 01:19 ] @
[quote]kristi1:
Download ComboFix from the following address to the Desktop:

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Disable the AV

Run ComboFix only from the desktop (I Agree)
Click Yes \ Ok on every popup window

When it finishes scanning it will put a log on the desktop

Copy the log here


You have already run ComboFix, delete that icon and download a new one from my instructions.



Here is how things stand with ComboFix.
I downloaded it from the path you gave.
If I copy the .exe file to the desktop, the rootkit does not allow the program to run.
I put a shortcut on the desktop pointing to the .exe version (which I downloaded into the \Downloads folder) and managed to start the program. The program reports that VolSnap.sys is infected, says it has detected a rootkit and that it needs to restart the computer. After the restart, a dialog appears saying that ComboFix is trying to create a System Restore point, and that is where it ends (after some time the dialog closes). The log file should be at C:\ComboFix.txt -> but on C: there is only a ComboFix icon: clicking it does nothing.

In safe mode the program runs, reports messages from 'Completed stage 1' through 'Completed stage 50' and creates the log file.

Just in case, here are the contents of ComboFix.txt (to repeat, created in safe mode):

ComboFix 14-01-01.01 - Milovan 03.01.2014 1:54.14.2 - x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2039.1698 [GMT 1:00]
Running from: c:\documents and settings\Milovan\My Documents\Downloads\ComboFix.exe
.
.
((((((((((((((((((((((((( Files Created from 2013-12-03 to 2014-01-03 )))))))))))))))))))))))))))))))
.
.
2014-12-25 11:06 . 2014-12-25 12:05 26872 ----a-w- c:\windows\system32\drivers\FixTDSS.sys
2014-12-25 11:06 . 2014-12-25 11:06 -------- d-----w- c:\documents and settings\Milovan\Application Data\FixTDSS
2014-12-25 10:55 . 2014-12-25 10:55 -------- d-----w- c:\documents and settings\NoviAdmin
2013-12-31 13:58 . 2013-12-31 14:03 -------- d-----w- C:\FRST
2013-12-26 17:10 . 2008-04-14 12:00 95232 ----a-w- c:\windows\system32\wbem\wmiutils.dll
2013-12-26 17:10 . 2008-04-14 12:00 531456 ----a-w- c:\windows\system32\wbem\wbemcore.dll
2013-12-26 17:10 . 2008-04-14 12:00 437248 ----a-w- c:\windows\system32\wbem\wmiprvsd.dll
2013-12-26 17:10 . 2008-04-14 12:00 273920 ----a-w- c:\windows\system32\wbem\wbemess.dll
2013-12-26 17:10 . 2008-04-14 12:00 247808 ----a-w- c:\windows\system32\wbem\esscli.dll
2013-12-26 17:10 . 2008-04-14 12:00 144896 ----a-w- c:\windows\system32\wbem\wmisvc.dll
2013-12-26 17:10 . 2008-04-14 12:00 47104 ----a-w- c:\windows\system32\wbem\ncprov.dll
2013-12-26 17:10 . 2008-04-14 12:00 178176 ----a-w- c:\windows\system32\wbem\repdrvfs.dll
2013-12-26 11:03 . 2008-04-14 12:00 14336 ----a-w- c:\windows\system32\svchost.exe
2013-12-26 00:23 . 2012-01-10 03:21 258392 ------w- c:\windows\system32\drivers\dlhpnmlg.sys
2013-12-25 08:02 . 2013-12-25 08:02 -------- d-----w- c:\documents and settings\All Users\Application Data\NCOTEMP
2013-12-25 08:01 . 2013-12-25 08:01 -------- d-----w- c:\windows\system32\drivers\NST
2013-12-25 08:01 . 2013-12-25 08:01 -------- d-----w- c:\program files\Norton Identity Safe
2013-12-25 08:01 . 2013-12-26 00:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2013-12-25 08:00 . 2013-12-25 18:44 -------- d-----w- c:\program files\NortonInstaller
2013-12-18 16:53 . 2014-01-03 00:43 52352 ----a-w- c:\windows\system32\drivers\VOLSNAP.SYS
2013-12-18 14:56 . 2013-12-18 16:04 -------- d-----w- c:\documents and settings\All Users\Application Data\SecTaskMan
2013-12-18 14:33 . 2013-12-18 14:33 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-12-18 14:33 . 2013-12-18 14:33 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-12-16 16:18 . 2013-12-16 16:18 309320 ----a-w- c:\windows\system32\drivers\TrufosAlt.sys
2013-12-16 00:17 . 2013-12-16 00:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Sophos
2013-12-14 22:27 . 2008-04-14 12:00 52352 -c--a-w- c:\windows\system32\dllcache\volsnap.sys
2013-12-10 20:27 . 2013-12-10 21:47 -------- d-----w- c:\windows\220FB0354744483A9A0B41DF77061583.TMP
2013-12-10 20:26 . 2013-12-10 20:26 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2013-12-09 22:30 . 2013-12-10 18:27 -------- d-----w- C:\TDSSKiller_Quarantine
2013-12-09 20:29 . 2014-01-03 00:47 -------- d-----w- c:\program files\Malware Defender
2013-12-07 19:37 . 2013-12-07 19:37 -------- d-----w- c:\documents and settings\Milovan\Application Data\Malwarebytes
2013-12-07 19:37 . 2013-12-07 19:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2013-12-07 19:37 . 2013-12-07 19:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-12-07 19:37 . 2013-04-04 13:50 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-12-07 19:36 . 2013-12-07 19:36 -------- d-----w- c:\windows\PIF
2013-12-04 14:59 . 2013-12-18 17:10 -------- d-----w- c:\documents and settings\Milovan\Application Data\AVAST Software
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-10-08 05:50 . 2013-10-23 07:18 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-10-08 05:29 . 2013-10-23 07:18 145408 ----a-w- c:\windows\system32\javacpl.cpl
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2009-07-31 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Malware Defender"="c:\program files\malware defender\malwaredefender.exe" [2012-01-10 2436952]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SophosVirusRemovalTool]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Milovan^Start Menu^Programs^Startup^Dropbox.lnk]
path=c:\documents and settings\Milovan\Start Menu\Programs\Startup\Dropbox.lnk
backup=c:\windows\pss\Dropbox.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
2008-04-14 12:00 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2009-07-31 11:59 166424 ----a-w- c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2009-07-31 11:59 141848 ----a-w- c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malware Defender]
2012-01-10 03:19 2436952 ----a-w- c:\program files\Malware Defender\MalwareDefender.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 12:42 1695232 ------w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2009-07-31 11:59 137752 ----a-w- c:\windows\system32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PMBVolumeWatcher]
2010-06-01 01:01 600928 ----a-w- c:\program files\Sony\PMB\PMBVolumeWatcher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrintDisp]
2011-02-19 07:55 826368 ----a-w- c:\windows\system32\PrintDisp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QlbCtrl.exe]
2008-06-03 14:40 177456 ----a-w- c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Samsung PanelMgr]
2008-09-03 07:52 536576 ----a-w- c:\windows\Samsung\PanelMgr\SSMMgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2013-10-02 09:08 20472992 ----a-r- c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
2006-07-13 06:12 729088 ----a-w- c:\program files\Analog Devices\SoundMAX\SMax4.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2007-01-06 00:36 872448 ----a-w- c:\program files\Analog Devices\Core\smax4pnp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2013-07-02 07:16 254336 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\TeamViewer\\Version8\\TeamViewer.exe"=
"c:\\Program Files\\TeamViewer\\Version8\\TeamViewer_Service.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1947:TCP"= 1947:TCP:HASP SRM
"1947:UDP"= 1947:UDP:HASP SRM
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
"4430:TCP"= 4430:TCP:zuvre
"21:TCP"= 21:TCP:Ftp
"5556:TCP"= 5556:TCP:Spools
"5558:TCP"= 5558:TCP:Update
.
R0 FixTDSS;TDSS Fixtool driver;c:\windows\system32\drivers\FixTDSS.sys [12/25/2014 12:06 PM 26872]
S1 ccSet_NST;Norton Identity Safe Settings Manager;c:\windows\system32\drivers\NST\7DE06000.01B\ccSetx86.sys [12/25/2013 9:02 AM 127064]
S1 dlhpnmlg;dlhpnmlg;c:\windows\system32\drivers\dlhpnmlg.sys [12/26/2013 1:23 AM 258392]
S2 MalwareDefenderService;Malware Defender Service;c:\program files\Malware Defender\mdservice.exe [1/10/2012 4:19 AM 90968]
S2 MSSQL$SQLEXPRESS_2008;SQL Server (SQLEXPRESS_2008);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS_2008\MSSQL\Binn\sqlservr.exe [7/10/2008 4:33 PM 40999448]
S2 NCO;Norton Identity Safe;c:\program files\Norton Identity Safe\Engine\2014.6.0.27\NST.exe [12/25/2013 9:02 AM 129424]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [9/5/2013 9:34 AM 171680]
S2 SSPORT;SSPORT;\??\c:\windows\system32\Drivers\SSPORT.sys --> c:\windows\system32\Drivers\SSPORT.sys [?]
S3 ajugfk;ajugfk;\??\c:\windows\system32\051.tmp --> c:\windows\system32\051.tmp [?]
S3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [8/18/2009 8:29 PM 193840]
S3 elyhlr;elyhlr;\??\c:\windows\system32\02D.tmp --> c:\windows\system32\02D.tmp [?]
S3 esgiguard;esgiguard;\??\c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys --> c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [?]
S3 hxzbyrtx;hxzbyrtx;\??\c:\windows\system32\0E.tmp --> c:\windows\system32\0E.tmp [?]
S3 lbacps;lbacps;\??\c:\windows\system32\01A.tmp --> c:\windows\system32\01A.tmp [?]
S3 mbncm;mbncm;\??\c:\windows\system32\0A.tmp --> c:\windows\system32\0A.tmp [?]
S3 qcusbser;Modem Interface USB Device for Legacy Serial Communication;c:\windows\system32\drivers\qcusbser.sys [2/13/2011 12:51 PM 103552]
S3 SophosVirusRemovalTool;Sophos Virus Removal Tool;c:\documents and settings\Milovan\My Documents\Downloads\Sophos Virus Removal Tool\SVRTservice.exe [12/16/2013 1:14 AM 151848]
S3 TeamViewer8;TeamViewer 8;c:\program files\TeamViewer\Version8\TeamViewer_Service.exe [3/29/2013 9:07 AM 3560288]
S3 tlgvmb;tlgvmb;\??\c:\windows\system32\054.tmp --> c:\windows\system32\054.tmp [?]
S3 TMUSB;EPSON USB Device Driver for TM/BA/EU Printers;c:\windows\system32\drivers\TMUSBXP.SYS [9/25/2009 9:51 AM 46336]
S3 uituqghb;uituqghb;\??\c:\windows\system32\0F.tmp --> c:\windows\system32\0F.tmp [?]
S3 xlbvjtv;xlbvjtv;\??\c:\windows\system32\06.tmp --> c:\windows\system32\06.tmp [?]
S3 ykndj;ykndj;\??\c:\windows\system32\09.tmp --> c:\windows\system32\09.tmp [?]
S4 hasplms;HASP License Manager;c:\windows\system32\hasplms.exe -run --> c:\windows\system32\hasplms.exe -run [?]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [7/10/2008 4:33 PM 47128]
S4 PMBDeviceInfoProvider;PMBDeviceInfoProvider;c:\program files\Sony\PMB\PMBDeviceInfoProvider.exe [6/1/2010 2:01 AM 367456]
S4 POSPerformanceCounters;Point Of Service Performance Counters;c:\program files\Microsoft Point Of Service\Microsoft.PointOfService.Service.exe [2/29/2008 1:25 PM 42056]
S4 Printer Control;Printer Control;c:\windows\system32\PrintCtrl.exe [2/5/2013 3:57 PM 65536]
S4 Proficy Driver Runtime;Proficy Driver Runtime;c:\program files\GE Fanuc\Proficy Machine Edition\fxView\Runtime\ProficyDrivers\Win32\GefPdfOpc.exe --> c:\program files\GE Fanuc\Proficy Machine Edition\fxView\Runtime\ProficyDrivers\Win32\GefPdfOpc.exe [?]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [7/10/2008 2:49 AM 242712]
S4 RsFx0103;RsFx0103 Driver;c:\windows\system32\drivers\RsFx0103.sys [3/30/2009 3:09 AM 239336]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [3/30/2009 3:23 AM 366936]
S4 SQLAgent$SQLEXPRESS_2008;SQL Server Agent (SQLEXPRESS_2008);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS_2008\MSSQL\Binn\SQLAGENT.EXE [7/10/2008 4:33 PM 369688]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
cjibrsitz
kefwcrr
emxtcu
uicwczrk
kcbkkxo
czoxyxyal
vhjqgzyy
.
Contents of the 'Scheduled Tasks' folder
.
2014-01-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-21 16:20]
.
2014-01-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-21 16:20]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchAssistant = hxxp://dts.search-results.com/sr?src=ieb&appid=101&systemid=406&sr=0&q={searchTerms}
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
Trusted Zone: raiffeisenbank.rs\rol
TCP: DhcpNameServer = 192.168.0.1
DPF: {73848533-39E1-49F1-9363-28054268C094} - hxxps://rol.raiffeisenbank.rs/RetailDLL/FSINT9.dll
DPF: {F6FFAC18-CAD4-4054-9D49-D610286CE323} - hxxps://rol.raiffeisenbank.rs/RetailDLL/EBCSCC2a.dll
FF - ProfilePath - c:\documents and settings\Milovan\Application Data\Mozilla\Firefox\Profiles\7fgsg3zr.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2560206&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Search Results
FF - prefs.js: browser.startup.homepage - hxxp://www.google.rs/
FF - prefs.js: keyword.URL - hxxp://dts.search-results.com/sr?src=ffb&appid=101&systemid=406&sr=0&q=
FF - ExtSQL: 2013-12-26 01:24; {F04D2D30-776C-4d02-8627-8E4385ECA58D}; c:\documents and settings\All Users\Application Data\Norton\{92622AAD-05E8-4459-B256-765CE1E929FB}\NST_2014.6.0.27\coFFPlgn
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2014-01-03 01:59
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NCO]
"ImagePath"="\"c:\program files\Norton Identity Safe\Engine\2014.6.0.27\NST.exe\" /s \"NCO\" /m \"c:\program files\Norton Identity Safe\Engine\2014.6.0.27\diMaster.dll\" /prefetch:1"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ajugfk]
"ImagePath"="\??\c:\windows\system32\051.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\elyhlr]
"ImagePath"="\??\c:\windows\system32\02D.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\hxzbyrtx]
"ImagePath"="\??\c:\windows\system32\0E.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\lbacps]
"ImagePath"="\??\c:\windows\system32\01A.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mbncm]
"ImagePath"="\??\c:\windows\system32\0A.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\tlgvmb]
"ImagePath"="\??\c:\windows\system32\054.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\uituqghb]
"ImagePath"="\??\c:\windows\system32\0F.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\xlbvjtv]
"ImagePath"="\??\c:\windows\system32\06.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ykndj]
"ImagePath"="\??\c:\windows\system32\09.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(868)
c:\windows\system32\msi.dll
.
Completion time: 2014-01-03 02:01:13
ComboFix-quarantined-files.txt 2014-01-03 01:01
ComboFix2.txt 2013-12-18 17:49
ComboFix3.txt 2013-12-18 14:46
ComboFix4.txt 2013-12-14 22:24
ComboFix5.txt 2013-12-18 18:23
.
Pre-Run: 76.296.318.976 bytes free
Post-Run: 76.577.431.552 bytes free
.
- - End Of File - - C8849AA8996612C300FA19052767CB37
8F558EB6672622401DA993E1E865C861




I must admit that this really is the first time I have run into something like this, and I am grateful for any help ... what is someone's motive for putting, obviously, a great deal of effort into things like this?
[ kristi1 @ 03.01.2014. 09:27 ] @
OK, delete both icons and download a new CF to the desktop.


Open Notepad and copy the text below the Code tag:

Code:



KillAll:: 

NoMBR:: 


File::
c:\windows\system32\051.tmp
c:\windows\system32\02D.tmp
c:\windows\system32\0E.tmp
c:\windows\system32\01A.tmp
c:\windows\system32\0A.tmp
c:\windows\system32\054.tmp
c:\windows\system32\0F.tmp
c:\windows\system32\06.tmp
c:\windows\system32\09.tmp

NetSvc::
cjibrsitz
kefwcrr
emxtcu
uicwczrk
kcbkkxo
czoxyxyal
vhjqgzyy

Driver::
ajugfk
elyhlr
hxzbyrtx
lbacps
mbncm
tlgvmb
uituqghb
xlbvjtv
ykndj


Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1947:TCP"=-
"1947:UDP"=-
"5985:TCP"=-
"4430:TCP"=-
"21:TCP"=-
"5556:TCP"=-
"5558:TCP"=-




Click File\Save as and save the text as CFScript on the desktop




Follow the instructions in the picture and drag CFScript.txt onto the ComboFix.exe icon
This will start ComboFix; the system may restart (that is normal)
When it finishes, a log will appear (C:\ComboFix.txt)

[This message was edited by kristi1 on 03.01.2014. at 11:09 GMT+1]
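The CFScript above was written by reading the ComboFix log by hand. As an added example (not code from this thread or from ComboFix), the Python script below pulls the same three kinds of findings out of the log sections quoted earlier and renders them as CFScript directives; SAMPLE_LOG is a constructed excerpt of that log, and the function names are this example's own.

```python
"""Triage a ComboFix log the way the helper in this thread did by hand.

Added example, not ComboFix's own code. It picks out three kinds of findings
from the log sections quoted above: services whose image is a random-named
.tmp file under system32 (and whose file ComboFix could not find, shown as
"[?]"), NetSvcs names that no listed service backs, and globally open firewall
ports; it then renders them as CFScript directives. SAMPLE_LOG is a constructed
excerpt of the log above; all function names are this example's own.
"""
import re

SAMPLE_LOG = r"""
R0 FixTDSS;TDSS Fixtool driver;c:\windows\system32\drivers\FixTDSS.sys [12/25/2014 12:06 PM 26872]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [9/5/2013 9:34 AM 171680]
S3 ajugfk;ajugfk;\??\c:\windows\system32\051.tmp --> c:\windows\system32\051.tmp [?]
S3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [8/18/2009 8:29 PM 193840]
S3 elyhlr;elyhlr;\??\c:\windows\system32\02D.tmp --> c:\windows\system32\02D.tmp [?]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
cjibrsitz
kefwcrr
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1947:TCP"= 1947:TCP:HASP SRM
"4430:TCP"= 4430:TCP:zuvre
.
"""

# "S3 name;display name;image path [date size]"  or  "... ;\??\path --> path [?]"
SERVICE_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.*) \[(.*)\]$")
PORT_RE = re.compile(r'^"(\d+:(?:TCP|UDP))"= ')
TMP_IMAGE_RE = re.compile(r"\\windows\\system32\\[^\\]+\.tmp$", re.IGNORECASE)
PORTS_KEY = r"[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]"


def parse_services(lines):
    """Return (name, image_path, found_on_disk) for every R*/S* service line."""
    services = []
    for line in lines:
        m = SERVICE_RE.match(line)
        if not m:
            continue
        name, image, info = m.group(2), m.group(4), m.group(5)
        if " --> " in image:                         # registered path --> resolved path
            image = image.split(" --> ", 1)[1]
        services.append((name, image, info != "?"))  # "[?]" means the file was not found
    return services


def section_after(lines, header_suffix):
    """Lines following the header that ends in header_suffix, up to the next '.' separator."""
    out, inside = [], False
    for line in lines:
        if inside:
            if line.strip() == ".":
                break
            out.append(line.strip())
        elif line.rstrip().endswith(header_suffix):
            inside = True
    return out


def triage(log_text):
    """Return the findings the helper acted on, keyed by kind."""
    lines = log_text.splitlines()
    services = parse_services(lines)
    known = {name for name, _, _ in services}
    tmp_services = [(n, p) for n, p, _ in services if TMP_IMAGE_RE.search(p)]
    missing = [n for n, _, found in services if not found]
    netsvcs = section_after(lines, "Svchost - NetSvcs")
    port_lines = section_after(lines, r"GloballyOpenPorts\List]")
    ports = [m.group(1) for m in map(PORT_RE.match, port_lines) if m]
    return {
        "tmp_services": tmp_services,                         # (service name, .tmp image path)
        "missing_images": missing,                            # image file not found at scan time
        "orphan_netsvcs": [n for n in netsvcs if n not in known],
        "open_ports": ports,
    }


def build_cfscript(findings):
    """Render findings as the CFScript directives used in this thread (review before use)."""
    parts = ["KillAll::", "", "NoMBR::", ""]
    if findings["tmp_services"]:
        parts += ["File::"] + [path for _, path in findings["tmp_services"]] + [""]
    if findings["orphan_netsvcs"]:
        parts += ["NetSvc::"] + findings["orphan_netsvcs"] + [""]
    if findings["tmp_services"]:
        parts += ["Driver::"] + [name for name, _ in findings["tmp_services"]] + [""]
    if findings["open_ports"]:
        parts += ["Registry::", PORTS_KEY] + ['"%s"=-' % p for p in findings["open_ports"]] + [""]
    return "\n".join(parts)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for key, value in found.items():
        print(key, value)
    print(build_cfscript(found))
```

The script reproduces the helper's choices, including removing every globally open port; the HASP SRM entry belongs to a license manager, so a real run still needs a human reading the findings before the script is applied.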
[ nikitaGradov @ 03.01.2014. 15:22 ] @
I did everything according to your instructions. The result is more or less the same, and ComboFix.txt is not created (it exists as an icon labelled ComboFix).

Dragging the txt file onto ComboFix (so, I copied the exe version to the desktop) starts ComboFix. After some time a dialog appears, ComboFix reports that VolSnap.sys is infected and that it is trying to restore it, then a messagebox appears saying that a rootkit was detected and the computer needs to be restarted. After the restart, a dialog appears and the messages are as follows:

Access is denied
Could not find file Mirrors

Please wait
ComboFix is preparing to run (but, as far as I can tell, it does not run, at least not the way it does in safe mode; there are no 'Completed stage n' messages)

Try to create System Restore point

... and after some time the dialog closes.

In the root of drive C: there is no ComboFix.txt file -> there is an icon labelled 'ComboFix' (the properties of that icon say it is a folder). Clicking that icon (that is, the folder) shows the 'My Computer' view (that is, the drives and partitions).

Thanks a lot for the help ... do you have an idea what else we could try?
[ kristi1 @ 03.01.2014. 15:39 ] @
Download TDSSKiller, save the tool to the Desktop and double-click TDSSKiller.exe to run it
In the "End user Licence Agreement" dialog click Accept.
Also, in the "KSN Statement" dialog click Accept.

[*] click the Start Scan button

[*] If suspicious items (Suspicious object) are detected, the default action is Skip, click Continue.
[*] If malicious objects (Malicious objects) are detected, choose the Cure option.
Post me the contents of the log from the following location:
C:\TDSSKiller_program version_DD.MM.YY_HH.MM.SS.txt
(DD-day, MM-month, YY-year, HH-hour, MM-minute, SS-second; the date and time the log was created)
[ nikitaGradov @ 03.01.2014. 15:55 ] @
I cannot run this program from the desktop -> it can only be started from the \My Documents\Downloads folder.

In the root of drive C: the following file is created: TDSSKiller.2.8.16.0_03.01.2014_16.51.21_log.txt

Here are its contents (the program did not report any infection; the last message reads 'No threats found'):

16:51:22.0078 2116 TDSS rootkit removing tool 2.8.16.0 Feb 11 2013 18:50:42
16:51:22.0421 2116 ============================================================
16:51:22.0421 2116 Current date / time: 2014/01/03 16:51:22.0421
16:51:22.0421 2116 SystemInfo:
16:51:22.0421 2116
16:51:22.0421 2116 OS Version: 5.1.2600 ServicePack: 3.0
16:51:22.0421 2116 Product type: Workstation
16:51:22.0421 2116 ComputerName: IVING1
16:51:22.0421 2116 UserName: Milovan
16:51:22.0421 2116 Windows directory: C:\WINDOWS
16:51:22.0421 2116 System windows directory: C:\WINDOWS
16:51:22.0421 2116 Processor architecture: Intel x86
16:51:22.0421 2116 Number of processors: 2
16:51:22.0421 2116 Page size: 0x1000
16:51:22.0421 2116 Boot type: Normal boot
16:51:22.0421 2116 ============================================================
16:51:27.0046 2116 Drive \Device\Harddisk0\DR0 - Size: 0x3A38B2E000 (232.89 Gb), SectorSize: 0x200, Cylinders: 0x76C1, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
16:51:27.0062 2116 ============================================================
16:51:27.0062 2116 \Device\Harddisk0\DR0:
16:51:27.0062 2116 MBR partitions:
16:51:27.0062 2116 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0xC34F28D
16:51:27.0078 2116 \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0xC34F30B, BlocksNum 0x10E713B5
16:51:27.0078 2116 ============================================================
16:51:27.0156 2116 C: <-> \Device\Harddisk0\DR0\Partition1
16:51:27.0187 2116 D: <-> \Device\Harddisk0\DR0\Partition2
16:51:27.0203 2116 ============================================================
16:51:27.0203 2116 Initialize success
16:51:27.0203 2116 ============================================================
16:51:33.0109 2164 ============================================================
16:51:33.0109 2164 Scan started
16:51:33.0109 2164 Mode: Manual; TDLFS;
16:51:33.0109 2164 ============================================================
16:51:33.0312 2164 ================ Scan system memory ========================
16:51:33.0328 2164 System memory - ok
16:51:33.0328 2164 ================ Scan services =============================
16:51:33.0781 2164 Abiosdsk - ok
16:51:33.0781 2164 abp480n5 - ok
16:51:33.0828 2164 [ 8FD99680A539792A30E97944FDAECF17 ] ACPI C:\WINDOWS\system32\DRIVERS\ACPI.sys
16:51:33.0828 2164 ACPI - ok
16:51:33.0859 2164 [ 9859C0F6936E723E4892D7141B1327D5 ] ACPIEC C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
16:51:33.0859 2164 ACPIEC - ok
16:51:33.0906 2164 [ DFC0162928BFA584B5E5C0CC4A07DFD1 ] ADIHdAudAddService C:\WINDOWS\system32\drivers\ADIHdAud.sys
16:51:33.0906 2164 ADIHdAudAddService - ok
16:51:33.0906 2164 adpu160m - ok
16:51:33.0921 2164 [ FFF87A9B1AB36EE4B7BEC98A4CB01B79 ] AEAudio C:\WINDOWS\system32\drivers\AEAudio.sys
16:51:33.0921 2164 AEAudio - ok
16:51:33.0968 2164 [ 8BED39E3C35D6A489438B8141717A557 ] aec C:\WINDOWS\system32\drivers\aec.sys
16:51:33.0968 2164 aec - ok
16:51:34.0000 2164 [ 322D0E36693D6E24A2398BEE62A268CD ] AFD C:\WINDOWS\System32\drivers\afd.sys
16:51:34.0000 2164 AFD - ok
16:51:34.0046 2164 [ 8ED60797908FD394EEE0D6949F493224 ] AgereModemAudio C:\WINDOWS\system32\agrsmsvc.exe
16:51:34.0046 2164 AgereModemAudio - ok
16:51:34.0109 2164 [ 38325C6AA8EAE011897D61CE48EC6435 ] AgereSoftModem C:\WINDOWS\system32\DRIVERS\AGRSM.sys
16:51:34.0156 2164 AgereSoftModem - ok
16:51:34.0171 2164 Aha154x - ok
16:51:34.0171 2164 aic78u2 - ok
16:51:34.0187 2164 aic78xx - ok
16:51:34.0187 2164 ajugfk - ok
16:51:34.0250 2164 [ 9E989429631A0588C60C430FD7DB7576 ] aksfridge C:\WINDOWS\system32\drivers\aksfridge.sys
16:51:34.0250 2164 aksfridge - ok
16:51:34.0265 2164 [ A9A3DAA780CA6C9671A19D52456705B4 ] Alerter C:\WINDOWS\system32\alrsvc.dll
16:51:34.0265 2164 Alerter - ok
16:51:34.0296 2164 [ 8C515081584A38AA007909CD02020B3D ] ALG C:\WINDOWS\System32\alg.exe
16:51:34.0296 2164 ALG - ok
16:51:34.0312 2164 AliIde - ok
16:51:34.0312 2164 amsint - ok
16:51:34.0359 2164 [ D8849F77C0B66226335A59D26CB4EDC6 ] AppMgmt C:\WINDOWS\System32\appmgmts.dll
16:51:34.0375 2164 AppMgmt - ok
16:51:34.0375 2164 asc - ok
16:51:34.0390 2164 asc3350p - ok
16:51:34.0390 2164 asc3550 - ok
16:51:34.0531 2164 [ 776ACEFA0CA9DF0FAA51A5FB2F435705 ] aspnet_state C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe
16:51:34.0531 2164 aspnet_state - ok
16:51:34.0562 2164 [ B153AFFAC761E7F5FCFA822B9C4E97BC ] AsyncMac C:\WINDOWS\system32\DRIVERS\asyncmac.sys
16:51:34.0562 2164 AsyncMac - ok
16:51:34.0593 2164 [ 9F3A2F5AA6875C72BF062C712CFA2674 ] atapi C:\WINDOWS\system32\DRIVERS\atapi.sys
16:51:34.0593 2164 atapi - ok
16:51:34.0609 2164 Atdisk - ok
16:51:34.0640 2164 [ 9916C1225104BA14794209CFA8012159 ] Atmarpc C:\WINDOWS\system32\DRIVERS\atmarpc.sys
16:51:34.0640 2164 Atmarpc - ok
16:51:34.0671 2164 [ DEF7A7882BEC100FE0B2CE2549188F9D ] AudioSrv C:\WINDOWS\System32\audiosrv.dll
16:51:34.0671 2164 AudioSrv - ok
16:51:34.0687 2164 [ D9F724AA26C010A217C97606B160ED68 ] audstub C:\WINDOWS\system32\DRIVERS\audstub.sys
16:51:34.0687 2164 audstub - ok
16:51:34.0734 2164 [ DA1F27D85E0D1525F6621372E7B685E9 ] Beep C:\WINDOWS\system32\drivers\Beep.sys
16:51:34.0734 2164 Beep - ok
16:51:34.0796 2164 [ 574738F61FCA2935F5265DC4E5691314 ] BITS C:\WINDOWS\system32\qmgr.dll
16:51:34.0812 2164 BITS - ok
16:51:34.0859 2164 [ A06CE3399D16DB864F55FAEB1F1927A9 ] Browser C:\WINDOWS\System32\browser.dll
16:51:34.0859 2164 Browser - ok
16:51:34.0921 2164 [ 3AA4BF555C00C5B87FD48DD7BDBD4E97 ] btaudio C:\WINDOWS\system32\drivers\btaudio.sys
16:51:34.0937 2164 btaudio - ok
16:51:34.0953 2164 [ 07F0A66CFA550B13AD0674AE09E3CBA0 ] BTDriver C:\WINDOWS\system32\DRIVERS\btport.sys
16:51:34.0953 2164 BTDriver - ok
16:51:35.0015 2164 [ BA57F31EAB93DC597D772F6F5B9ED54F ] BTKRNL C:\WINDOWS\system32\DRIVERS\btkrnl.sys
16:51:35.0031 2164 BTKRNL - ok
16:51:35.0140 2164 [ 0ECE2B1910527AE85691151D56621891 ] btwdins C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
16:51:35.0140 2164 btwdins - ok
16:51:35.0171 2164 [ B1D350F3F13CF340FCE93912D2BA1EBF ] BTWDNDIS C:\WINDOWS\system32\DRIVERS\btwdndis.sys
16:51:35.0171 2164 BTWDNDIS - ok
16:51:35.0187 2164 [ 57E91E9925976BBC98984EEBAAF1D84C ] BTWUSB C:\WINDOWS\system32\Drivers\btwusb.sys
16:51:35.0187 2164 BTWUSB - ok
16:51:35.0296 2164 catchme - ok
16:51:35.0312 2164 [ 90A673FC8E12A79AFBED2576F6A7AAF9 ] cbidf2k C:\WINDOWS\system32\drivers\cbidf2k.sys
16:51:35.0312 2164 cbidf2k - ok
16:51:35.0328 2164 [ 0BE5AEF125BE881C4F854C554F2B025C ] CCDECODE C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
16:51:35.0343 2164 CCDECODE - ok
16:51:35.0343 2164 CCFLIC0 - ok
16:51:35.0406 2164 [ 56C2811FD0D7B727808A69407B5BFAE0 ] ccSet_NST C:\WINDOWS\system32\drivers\NST\7DE06000.01B\ccSetx86.sys
16:51:35.0421 2164 ccSet_NST - ok
16:51:35.0421 2164 cd20xrnt - ok
16:51:35.0437 2164 [ C1B486A7658353D33A10CC15211A873B ] Cdaudio C:\WINDOWS\system32\drivers\Cdaudio.sys
16:51:35.0453 2164 Cdaudio - ok
16:51:35.0500 2164 [ C885B02847F5D2FD45A24E219ED93B32 ] Cdfs C:\WINDOWS\system32\drivers\Cdfs.sys
16:51:35.0500 2164 Cdfs - ok
16:51:35.0515 2164 [ 1F4260CC5B42272D71F79E570A27A4FE ] Cdrom C:\WINDOWS\system32\DRIVERS\cdrom.sys
16:51:35.0515 2164 Cdrom - ok
16:51:35.0531 2164 Changer - ok
16:51:35.0531 2164 [ 1CFE720EB8D93A7158A4EBC3AB178BDE ] CiSvc C:\WINDOWS\system32\cisvc.exe
16:51:35.0546 2164 CiSvc - ok
16:51:35.0546 2164 [ 34CBE729F38138217F9C80212A2A0C82 ] ClipSrv C:\WINDOWS\system32\clipsrv.exe
16:51:35.0546 2164 ClipSrv - ok
16:51:35.0609 2164 [ D87ACAED61E417BBA546CED5E7E36D9C ] clr_optimization_v2.0.50727_32 C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
16:51:35.0734 2164 clr_optimization_v2.0.50727_32 - ok
16:51:35.0765 2164 [ C5A75EB48E2344ABDC162BDA79E16841 ] clr_optimization_v4.0.30319_32 C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
16:51:35.0781 2164 clr_optimization_v4.0.30319_32 - ok
16:51:35.0812 2164 [ 0F6C187D38D98F8DF904589A5F94D411 ] CmBatt C:\WINDOWS\system32\DRIVERS\CmBatt.sys
16:51:35.0812 2164 CmBatt - ok
16:51:35.0812 2164 CmdIde - ok
16:51:35.0906 2164 [ 7795F8CEBC284A426B53F541E538695F ] Com4QLBEx C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
16:51:35.0921 2164 Com4QLBEx - ok
16:51:35.0953 2164 [ 6E4C9F21F0FAE8940661144F41B13203 ] Compbatt C:\WINDOWS\system32\DRIVERS\compbatt.sys
16:51:35.0953 2164 Compbatt - ok
16:51:35.0953 2164 COMSysApp - ok
16:51:35.0968 2164 Cpqarray - ok
16:51:36.0015 2164 [ 3D4E199942E29207970E04315D02AD3B ] CryptSvc C:\WINDOWS\System32\cryptsvc.dll
16:51:36.0015 2164 CryptSvc - ok
16:51:36.0031 2164 dac2w2k - ok
16:51:36.0031 2164 dac960nt - ok
16:51:36.0078 2164 [ 2589FE6015A316C0F5D5112B4DA7B509 ] DcomLaunch C:\WINDOWS\system32\rpcss.dll
16:51:36.0109 2164 DcomLaunch - ok
16:51:36.0125 2164 [ 770471DE2550820FEEB7E5D24BF2E273 ] DgiVecp C:\WINDOWS\system32\Drivers\DgiVecp.sys
16:51:36.0140 2164 DgiVecp - ok
16:51:36.0156 2164 [ 5E38D7684A49CACFB752B046357E0589 ] Dhcp C:\WINDOWS\System32\dhcpcsvc.dll
16:51:36.0156 2164 Dhcp - ok
16:51:36.0171 2164 [ 044452051F3E02E7963599FC8F4F3E25 ] Disk C:\WINDOWS\system32\DRIVERS\disk.sys
16:51:36.0171 2164 Disk - ok
16:51:36.0218 2164 [ 62EB760FB6FE72AE0500C6FB42EC8979 ] dlhpnmlg c:\windows\system32\drivers\dlhpnmlg.sys
16:51:36.0218 2164 dlhpnmlg - ok
16:51:36.0234 2164 dmadmin - ok
16:51:36.0265 2164 [ D992FE1274BDE0F84AD826ACAE022A41 ] dmboot C:\WINDOWS\system32\drivers\dmboot.sys
16:51:36.0312 2164 dmboot - ok
16:51:36.0312 2164 [ 7C824CF7BBDE77D95C08005717A95F6F ] dmio C:\WINDOWS\system32\drivers\dmio.sys
16:51:36.0328 2164 dmio - ok
16:51:36.0328 2164 [ E9317282A63CA4D188C0DF5E09C6AC5F ] dmload C:\WINDOWS\system32\drivers\dmload.sys
16:51:36.0343 2164 dmload - ok
16:51:36.0343 2164 [ 57EDEC2E5F59F0335E92F35184BC8631 ] dmserver C:\WINDOWS\System32\dmserver.dll
16:51:36.0343 2164 dmserver - ok
16:51:36.0375 2164 [ 8A208DFCF89792A484E76C40E5F50B45 ] DMusic C:\WINDOWS\system32\drivers\DMusic.sys
16:51:36.0375 2164 DMusic - ok
16:51:36.0375 2164 [ 474B4DC3983173E4B4C9740B0DAC98A6 ] Dnscache C:\WINDOWS\System32\dnsrslvr.dll
16:51:36.0390 2164 Dnscache - ok
16:51:36.0406 2164 [ 0F0F6E687E5E15579EF4DA8DD6945814 ] Dot3svc C:\WINDOWS\System32\dot3svc.dll
16:51:36.0421 2164 Dot3svc - ok
16:51:36.0421 2164 dpti2o - ok
16:51:36.0468 2164 [ 8F5FCFF8E8848AFAC920905FBD9D33C8 ] drmkaud C:\WINDOWS\system32\drivers\drmkaud.sys
16:51:36.0468 2164 drmkaud - ok
16:51:36.0515 2164 [ ED91F1042071A36F54E7C430E130E4CD ] e1express C:\WINDOWS\system32\DRIVERS\e1e5132.sys
16:51:36.0515 2164 e1express - ok
16:51:36.0546 2164 [ 2187855A7703ADEF0CEF9EE4285182CC ] EapHost C:\WINDOWS\System32\eapsvc.dll
16:51:36.0546 2164 EapHost - ok
16:51:36.0578 2164 [ EE236706228A5DF709DDD9BC1C6DAFD0 ] EIO C:\WINDOWS\system32\drivers\EIO.sys
16:51:36.0593 2164 EIO - ok
16:51:36.0593 2164 elyhlr - ok
16:51:36.0640 2164 [ BC93B4A066477954555966D77FEC9ECB ] ERSvc C:\WINDOWS\System32\ersvc.dll
16:51:36.0640 2164 ERSvc - ok
16:51:36.0640 2164 esgiguard - ok
16:51:36.0703 2164 [ 0E776ED5F7CC9F94299E70461B7B8185 ] Eventlog C:\WINDOWS\system32\services.exe
16:51:36.0703 2164 Eventlog - ok
16:51:36.0750 2164 [ 19A799805B24990867B00C120D300C3A ] EventSystem C:\WINDOWS\system32\es.dll
16:51:36.0750 2164 EventSystem - ok
16:51:36.0781 2164 [ 38D332A6D56AF32635675F132548343E ] Fastfat C:\WINDOWS\system32\drivers\Fastfat.sys
16:51:36.0781 2164 Fastfat - ok
16:51:36.0812 2164 [ 1926899BF9FFE2602B63074971700412 ] FastUserSwitchingCompatibility C:\WINDOWS\System32\shsvcs.dll
16:51:36.0812 2164 FastUserSwitchingCompatibility - ok
16:51:36.0843 2164 [ 92CDD60B6730B9F50F6A1A0C1F8CDC81 ] Fdc C:\WINDOWS\system32\drivers\Fdc.sys
16:51:36.0843 2164 Fdc - ok
16:51:36.0859 2164 [ D45926117EB9FA946A6AF572FBE1CAA3 ] Fips C:\WINDOWS\system32\drivers\Fips.sys
16:51:36.0875 2164 Fips - ok
16:51:36.0906 2164 [ 77D6FFAA3010B66FB4692532D75A585F ] FixTDSS C:\WINDOWS\system32\drivers\FixTDSS.sys
16:51:36.0906 2164 FixTDSS - ok
16:51:36.0921 2164 [ 9D27E7B80BFCDF1CDD9B555862D5E7F0 ] Flpydisk C:\WINDOWS\system32\drivers\Flpydisk.sys
16:51:36.0921 2164 Flpydisk - ok
16:51:36.0968 2164 [ B2CF4B0786F8212CB92ED2B50C6DB6B0 ] FltMgr C:\WINDOWS\system32\DRIVERS\fltMgr.sys
16:51:36.0968 2164 FltMgr - ok
16:51:37.0046 2164 [ 8BA7C024070F2B7FDD98ED8A4BA41789 ] FontCache3.0.0.0 C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
16:51:37.0046 2164 FontCache3.0.0.0 - ok
16:51:37.0062 2164 [ 3E1E2BD4F39B0E2B7DC4F4D2BCC2779A ] Fs_Rec C:\WINDOWS\system32\drivers\Fs_Rec.sys
16:51:37.0078 2164 Fs_Rec - ok
16:51:37.0109 2164 [ BB5107CA0569C95F2A850722C34D20C9 ] FTDIBUS C:\WINDOWS\system32\drivers\ftdibus.sys
16:51:37.0109 2164 FTDIBUS - ok
16:51:37.0125 2164 [ 6AC26732762483366C3969C9E4D2259D ] Ftdisk C:\WINDOWS\system32\DRIVERS\ftdisk.sys
16:51:37.0140 2164 Ftdisk - ok
16:51:37.0140 2164 [ 296BE0A1D7C96A7ABBEDE6B97BAF96B3 ] FTSER2K C:\WINDOWS\system32\drivers\ftser2k.sys
16:51:37.0140 2164 FTSER2K - ok
16:51:37.0187 2164 [ 0A02C63C8B144BD8C86B103DEE7C86A2 ] Gpc C:\WINDOWS\system32\DRIVERS\msgpc.sys
16:51:37.0187 2164 Gpc - ok
16:51:37.0234 2164 [ 626A24ED1228580B9518C01930936DF9 ] gupdate1ca227b4401f542 C:\Program Files\Google\Update\GoogleUpdate.exe
16:51:37.0250 2164 gupdate1ca227b4401f542 - ok
16:51:37.0250 2164 [ 626A24ED1228580B9518C01930936DF9 ] gupdatem C:\Program Files\Google\Update\GoogleUpdate.exe
16:51:37.0250 2164 gupdatem - ok
16:51:37.0312 2164 [ C03718F2B954972A40AD75E22D159F9F ] Hardlock C:\WINDOWS\system32\drivers\hardlock.sys
16:51:37.0343 2164 Hardlock - ok
16:51:37.0359 2164 hasplms - ok
16:51:37.0390 2164 [ 407E41DDB2BFECE109132AEC296E0D98 ] HBtnKey C:\WINDOWS\system32\DRIVERS\cpqbttn.sys
16:51:37.0390 2164 HBtnKey - ok
16:51:37.0453 2164 [ 573C7D0A32852B48F3058CFD8026F511 ] HDAudBus C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
16:51:37.0453 2164 HDAudBus - ok
16:51:37.0531 2164 [ 4FCCA060DFE0C51A09DD5C3843888BCD ] helpsvc C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll
16:51:37.0531 2164 helpsvc - ok
16:51:37.0531 2164 HidServ - ok
16:51:37.0578 2164 [ CCF82C5EC8A7326C3066DE870C06DAF1 ] HidUsb C:\WINDOWS\system32\DRIVERS\hidusb.sys
16:51:37.0578 2164 HidUsb - ok
16:51:37.0609 2164 [ 8878BD685E490239777BFE51320B88E9 ] hkmsvc C:\WINDOWS\System32\kmsvc.dll
16:51:37.0625 2164 hkmsvc - ok
16:51:37.0625 2164 hpn - ok
16:51:37.0656 2164 [ 35956140E686D53BF676CF0C778880FC ] HpqKbFiltr C:\WINDOWS\system32\DRIVERS\HpqKbFiltr.sys
16:51:37.0656 2164 HpqKbFiltr - ok
16:51:37.0687 2164 [ 1665C7121A026DF10C903DB9BC5E9D43 ] hpqwmiex C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
16:51:37.0687 2164 hpqwmiex - ok
16:51:37.0718 2164 [ F6AACF5BCE2893E0C1754AFEB672E5C9 ] HTTP C:\WINDOWS\system32\Drivers\HTTP.sys
16:51:37.0734 2164 HTTP - ok
16:51:37.0765 2164 [ 6100A808600F44D999CEBDEF8841C7A3 ] HTTPFilter C:\WINDOWS\System32\w3ssl.dll
16:51:37.0781 2164 HTTPFilter - ok
16:51:37.0781 2164 hxzbyrtx - ok
16:51:37.0781 2164 i2omgmt - ok
16:51:37.0796 2164 i2omp - ok
16:51:37.0828 2164 [ 4A0B06AA8943C1E332520F7440C0AA30 ] i8042prt C:\WINDOWS\system32\DRIVERS\i8042prt.sys
16:51:37.0828 2164 i8042prt - ok
16:51:38.0078 2164 [ CD32607F1CC8AC67224334AE123F7B98 ] ialm C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
16:51:38.0265 2164 ialm - ok
16:51:38.0328 2164 [ DB0CC620B27A928D968C1A1E9CD9CB87 ] iaStor C:\WINDOWS\system32\DRIVERS\iaStor.sys
16:51:38.0328 2164 iaStor - ok
16:51:38.0421 2164 [ C01AC32DC5C03076CFB852CB5DA5229C ] idsvc C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
16:51:38.0453 2164 idsvc - ok
16:51:38.0484 2164 IISADMIN - ok
16:51:38.0531 2164 [ 083A052659F5310DD8B6A6CB05EDCF8E ] Imapi C:\WINDOWS\system32\DRIVERS\imapi.sys
16:51:38.0531 2164 Imapi - ok
16:51:38.0562 2164 [ 30DEAF54A9755BB8546168CFE8A6B5E1 ] ImapiService C:\WINDOWS\system32\imapi.exe
16:51:38.0562 2164 ImapiService - ok
16:51:38.0593 2164 ini910u - ok
16:51:38.0609 2164 IntelIde - ok
16:51:38.0625 2164 [ 8C953733D8F36EB2133F5BB58808B66B ] intelppm C:\WINDOWS\system32\DRIVERS\intelppm.sys
16:51:38.0625 2164 intelppm - ok
16:51:38.0656 2164 [ 3BB22519A194418D5FEC05D800A19AD0 ] Ip6Fw C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
16:51:38.0671 2164 Ip6Fw - ok
16:51:38.0687 2164 [ 731F22BA402EE4B62748ADAF6363C182 ] IpFilterDriver C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
16:51:38.0703 2164 IpFilterDriver - ok
16:51:38.0718 2164 [ B87AB476DCF76E72010632B5550955F5 ] IpInIp C:\WINDOWS\system32\DRIVERS\ipinip.sys
16:51:38.0718 2164 IpInIp - ok
16:51:38.0750 2164 [ CC748EA12C6EFFDE940EE98098BF96BB ] IpNat C:\WINDOWS\system32\DRIVERS\ipnat.sys
16:51:38.0750 2164 IpNat - ok
16:51:38.0765 2164 [ 23C74D75E36E7158768DD63D92789A91 ] IPSec C:\WINDOWS\system32\DRIVERS\ipsec.sys
16:51:38.0765 2164 IPSec - ok
16:51:38.0796 2164 [ C93C9FF7B04D772627A3646D89F7BF89 ] IRENUM C:\WINDOWS\system32\DRIVERS\irenum.sys
16:51:38.0796 2164 IRENUM - ok
16:51:38.0843 2164 [ 05A299EC56E52649B1CF2FC52D20F2D7 ] isapnp C:\WINDOWS\system32\DRIVERS\isapnp.sys
16:51:38.0843 2164 isapnp - ok
16:51:38.0968 2164 [ 80A79264302910C7C24BA7E44267EFEF ] JavaQuickStarterService C:\Program Files\Java\jre7\bin\jqs.exe
16:51:38.0984 2164 JavaQuickStarterService - ok
16:51:38.0984 2164 [ 463C1EC80CD17420A542B7F36A36F128 ] Kbdclass C:\WINDOWS\system32\DRIVERS\kbdclass.sys
16:51:38.0984 2164 Kbdclass - ok
16:51:39.0015 2164 [ 9EF487A186DEA361AA06913A75B3FA99 ] kbdhid C:\WINDOWS\system32\DRIVERS\kbdhid.sys
16:51:39.0015 2164 kbdhid - ok
16:51:39.0031 2164 [ 692BCF44383D056AED41B045A323D378 ] kmixer C:\WINDOWS\system32\drivers\kmixer.sys
16:51:39.0031 2164 kmixer - ok
16:51:39.0062 2164 [ 1705745D900DABF2D89F90EBADDC7517 ] KSecDD C:\WINDOWS\system32\drivers\KSecDD.sys
16:51:39.0062 2164 KSecDD - ok
16:51:39.0093 2164 [ F385F4B02C535BFFE1D70CAB80838123 ] LanmanServer C:\WINDOWS\System32\srvsvc.dll
16:51:39.0109 2164 LanmanServer - ok
16:51:39.0140 2164 [ 1B67B632786FEF1C1BBAEF46C2F3F2E6 ] lanmanworkstation C:\WINDOWS\System32\wkssvc.dll
16:51:39.0156 2164 lanmanworkstation - ok
16:51:39.0156 2164 lbacps - ok
16:51:39.0171 2164 lbrtfdc - ok
16:51:39.0187 2164 [ A7DB739AE99A796D91580147E919CC59 ] LmHosts C:\WINDOWS\System32\lmhsvc.dll
16:51:39.0187 2164 LmHosts - ok
16:51:39.0265 2164 [ 7F7AD3116BA3DDC8B8E354EB83FEB1BA ] MalwareDefenderService c:\program files\malware defender\mdservice.exe
16:51:39.0265 2164 MalwareDefenderService - ok
16:51:39.0281 2164 mbncm - ok
16:51:39.0296 2164 [ 986B1FF5814366D71E0AC5755C88F2D3 ] Messenger C:\WINDOWS\System32\msgsvc.dll
16:51:39.0296 2164 Messenger - ok
16:51:39.0328 2164 [ 4AE068242760A1FB6E1A44BF4E16AFA6 ] mnmdd C:\WINDOWS\system32\drivers\mnmdd.sys
16:51:39.0328 2164 mnmdd - ok
16:51:39.0359 2164 [ D18F1F0C101D06A1C1ADF26EED16FCDD ] mnmsrvc C:\WINDOWS\system32\mnmsrvc.exe
16:51:39.0375 2164 mnmsrvc - ok
16:51:39.0390 2164 [ DFCBAD3CEC1C5F964962AE10E0BCC8E1 ] Modem C:\WINDOWS\system32\drivers\Modem.sys
16:51:39.0390 2164 Modem - ok
16:51:39.0421 2164 [ 35C9E97194C8CFB8430125F8DBC34D04 ] Mouclass C:\WINDOWS\system32\DRIVERS\mouclass.sys
16:51:39.0421 2164 Mouclass - ok
16:51:39.0437 2164 [ B1C303E17FB9D46E87A98E4BA6769685 ] mouhid C:\WINDOWS\system32\DRIVERS\mouhid.sys
16:51:39.0437 2164 mouhid - ok
16:51:39.0484 2164 [ A80B9A0BAD1B73637DBCBBA7DF72D3FD ] MountMgr C:\WINDOWS\system32\drivers\MountMgr.sys
16:51:39.0500 2164 MountMgr - ok
16:51:39.0546 2164 [ 5E0686615A80A6279B2314E13CD23F6E ] MozillaMaintenance C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
16:51:39.0562 2164 MozillaMaintenance - ok
16:51:39.0562 2164 mraid35x - ok
16:51:39.0578 2164 [ 11D42BB6206F33FBB3BA0288D3EF81BD ] MRxDAV C:\WINDOWS\system32\DRIVERS\mrxdav.sys
16:51:39.0578 2164 MRxDAV - ok
16:51:39.0625 2164 [ 68755F0FF16070178B54674FE5B847B0 ] MRxSmb C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
16:51:39.0640 2164 MRxSmb - ok
16:51:39.0671 2164 [ A137F1470499A205ABBB9AAFB3B6F2B1 ] MSDTC C:\WINDOWS\system32\msdtc.exe
16:51:39.0671 2164 MSDTC - ok
16:51:39.0703 2164 [ C941EA2454BA8350021D774DAF0F1027 ] Msfs C:\WINDOWS\system32\drivers\Msfs.sys
16:51:39.0703 2164 Msfs - ok
16:51:39.0703 2164 MSIServer - ok
16:51:39.0750 2164 [ D1575E71568F4D9E14CA56B7B0453BF1 ] MSKSSRV C:\WINDOWS\system32\drivers\MSKSSRV.sys
16:51:39.0750 2164 MSKSSRV - ok
16:51:39.0765 2164 [ 325BB26842FC7CCC1FCCE2C457317F3E ] MSPCLOCK C:\WINDOWS\system32\drivers\MSPCLOCK.sys
16:51:39.0765 2164 MSPCLOCK - ok
16:51:39.0781 2164 [ BAD59648BA099DA4A17680B39730CB3D ] MSPQM C:\WINDOWS\system32\drivers\MSPQM.sys
16:51:39.0781 2164 MSPQM - ok
16:51:39.0812 2164 [ AF5F4F3F14A8EA2C26DE30F7A1E17136 ] mssmbios C:\WINDOWS\system32\DRIVERS\mssmbios.sys
16:51:39.0812 2164 mssmbios - ok
16:51:39.0875 2164 MSSQL$SQLEXPRESS - ok
16:51:39.0906 2164 MSSQL$SQLEXPRESS_2008 - ok
16:51:39.0953 2164 [ F1761C8FB2B25A32C6D63E36BB88C3AE ] MSSQLServerADHelper100 C:\Program Files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE
16:51:39.0968 2164 MSSQLServerADHelper100 - ok
16:51:39.0984 2164 [ E53736A9E30C45FA9E7B5EAC55056D1D ] MSTEE C:\WINDOWS\system32\drivers\MSTEE.sys
16:51:39.0984 2164 MSTEE - ok
16:51:40.0015 2164 [ 2F625D11385B1A94360BFC70AAEFDEE1 ] Mup C:\WINDOWS\system32\drivers\Mup.sys
16:51:40.0015 2164 Mup - ok
16:51:40.0046 2164 [ 5B50F1B2A2ED47D560577B221DA734DB ] NABTSFEC C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
16:51:40.0046 2164 NABTSFEC - ok
16:51:40.0093 2164 [ 0102140028FAD045756796E1C685D695 ] napagent C:\WINDOWS\System32\qagentrt.dll
16:51:40.0125 2164 napagent - ok
16:51:40.0203 2164 [ 3E3A97C7C7E79DF8F08F22F0666D9E03 ] NCO C:\Program Files\Norton Identity Safe\Engine\2014.6.0.27\NST.exe
16:51:40.0218 2164 NCO - ok
16:51:40.0250 2164 [ 1DF7F42665C94B825322FAE71721130D ] NDIS C:\WINDOWS\system32\drivers\NDIS.sys
16:51:40.0250 2164 NDIS - ok
16:51:40.0281 2164 [ 7FF1F1FD8609C149AA432F95A8163D97 ] NdisIP C:\WINDOWS\system32\DRIVERS\NdisIP.sys
16:51:40.0296 2164 NdisIP - ok
16:51:40.0312 2164 [ 1AB3D00C991AB086E69DB84B6C0ED78F ] NdisTapi C:\WINDOWS\system32\DRIVERS\ndistapi.sys
16:51:40.0312 2164 NdisTapi - ok
16:51:40.0328 2164 [ F927A4434C5028758A842943EF1A3849 ] Ndisuio C:\WINDOWS\system32\DRIVERS\ndisuio.sys
16:51:40.0328 2164 Ndisuio - ok
16:51:40.0343 2164 [ EDC1531A49C80614B2CFDA43CA8659AB ] NdisWan C:\WINDOWS\system32\DRIVERS\ndiswan.sys
16:51:40.0343 2164 NdisWan - ok
16:51:40.0375 2164 [ 6215023940CFD3702B46ABC304E1D45A ] NDProxy C:\WINDOWS\system32\drivers\NDProxy.sys
16:51:40.0390 2164 NDProxy - ok
16:51:40.0421 2164 [ 69C503C004F49AEE8B8E3067CC047BA7 ] Net Driver HPZ12 C:\WINDOWS\system32\HPZinw12.dll
16:51:40.0437 2164 Net Driver HPZ12 - ok
16:51:40.0484 2164 [ 5D81CF9A2F1A3A756B66CF684911CDF0 ] NetBIOS C:\WINDOWS\system32\DRIVERS\netbios.sys
16:51:40.0484 2164 NetBIOS - ok
16:51:40.0500 2164 [ 74B2B2F5BEA5E9A3DC021D685551BD3D ] NetBT C:\WINDOWS\system32\DRIVERS\netbt.sys
16:51:40.0515 2164 NetBT - ok
16:51:40.0531 2164 [ B857BA82860D7FF85AE29B095645563B ] NetDDE C:\WINDOWS\system32\netdde.exe
16:51:40.0546 2164 NetDDE - ok
16:51:40.0546 2164 [ B857BA82860D7FF85AE29B095645563B ] NetDDEdsdm C:\WINDOWS\system32\netdde.exe
16:51:40.0562 2164 NetDDEdsdm - ok
16:51:40.0578 2164 [ BF2466B3E18E970D8A976FB95FC1CA85 ] Netlogon C:\WINDOWS\system32\lsass.exe
16:51:40.0578 2164 Netlogon - ok
16:51:40.0593 2164 [ 13E67B55B3ABD7BF3FE7AAE5A0F9A9DE ] Netman C:\WINDOWS\System32\netman.dll
16:51:40.0609 2164 Netman - ok
16:51:40.0640 2164 [ D22CD77D4F0D63D1169BB35911BFF12D ] NetTcpPortSharing C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe
16:51:40.0656 2164 NetTcpPortSharing - ok
16:51:40.0796 2164 [ 05743FFFC2BC88CC8E426321BC6A762E ] NETw5x32 C:\WINDOWS\system32\DRIVERS\NETw5x32.sys
16:51:40.0921 2164 NETw5x32 - ok
16:51:40.0953 2164 [ B4138E99236F0F57D4CF49BAE98A0746 ] Nla C:\WINDOWS\System32\mswsock.dll
16:51:40.0953 2164 Nla - ok
16:51:40.0968 2164 [ 3182D64AE053D6FB034F44B6DEF8034A ] Npfs C:\WINDOWS\system32\drivers\Npfs.sys
16:51:40.0968 2164 Npfs - ok
16:51:41.0015 2164 [ 78A08DD6A8D65E697C18E1DB01C5CDCA ] Ntfs C:\WINDOWS\system32\drivers\Ntfs.sys
16:51:41.0062 2164 Ntfs - ok
16:51:41.0078 2164 [ BF2466B3E18E970D8A976FB95FC1CA85 ] NtLmSsp C:\WINDOWS\system32\lsass.exe
16:51:41.0078 2164 NtLmSsp - ok
16:51:41.0109 2164 [ 156F64A3345BD23C600655FB4D10BC08 ] NtmsSvc C:\WINDOWS\system32\ntmssvc.dll
16:51:41.0140 2164 NtmsSvc - ok
16:51:41.0171 2164 [ 73C1E1F395918BC2C6DD67AF7591A3AD ] Null C:\WINDOWS\system32\drivers\Null.sys
16:51:41.0171 2164 Null - ok
16:51:41.0187 2164 [ B305F3FAD35083837EF46A0BBCE2FC57 ] NwlnkFlt C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
16:51:41.0203 2164 NwlnkFlt - ok
16:51:41.0203 2164 [ C99B3415198D1AAB7227F2C88FD664B9 ] NwlnkFwd C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
16:51:41.0218 2164 NwlnkFwd - ok
16:51:41.0250 2164 [ 29B143863AD781E18AD8C62E98AB665E ] OpcEnum C:\WINDOWS\system32\opcenum.exe
16:51:41.0250 2164 OpcEnum - ok
16:51:41.0328 2164 [ 5A432A042DAE460ABE7199B758E8606C ] ose C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
16:51:41.0328 2164 ose - ok
16:51:41.0359 2164 [ 5575FAF8F97CE5E713D108C2A58D7C7C ] Parport C:\WINDOWS\system32\drivers\Parport.sys
16:51:41.0359 2164 Parport - ok
16:51:41.0375 2164 [ BEB3BA25197665D82EC7065B724171C6 ] PartMgr C:\WINDOWS\system32\drivers\PartMgr.sys
16:51:41.0390 2164 PartMgr - ok
16:51:41.0421 2164 [ 70E98B3FD8E963A6A46A2E6247E0BEA1 ] ParVdm C:\WINDOWS\system32\drivers\ParVdm.sys
16:51:41.0421 2164 ParVdm - ok
16:51:41.0437 2164 [ A219903CCF74233761D92BEF471A07B1 ] PCI C:\WINDOWS\system32\DRIVERS\pci.sys
16:51:41.0453 2164 PCI - ok
16:51:41.0453 2164 PCIDump - ok
16:51:41.0468 2164 [ CCF5F451BB1A5A2A522A76E670000FF0 ] PCIIde C:\WINDOWS\system32\DRIVERS\pciide.sys
16:51:41.0468 2164 PCIIde - ok
16:51:41.0484 2164 [ 9E89EF60E9EE05E3F2EEF2DA7397F1C1 ] Pcmcia C:\WINDOWS\system32\drivers\Pcmcia.sys
16:51:41.0484 2164 Pcmcia - ok
16:51:41.0500 2164 PDCOMP - ok
16:51:41.0500 2164 PDFRAME - ok
16:51:41.0515 2164 PDRELI - ok
16:51:41.0515 2164 PDRFRAME - ok
16:51:41.0531 2164 perc2 - ok
16:51:41.0531 2164 perc2hib - ok
16:51:41.0578 2164 [ 0E776ED5F7CC9F94299E70461B7B8185 ] PlugPlay C:\WINDOWS\system32\services.exe
16:51:41.0593 2164 PlugPlay - ok
16:51:41.0656 2164 [ 80E85394D8CD7F84340B1C6F4B9D698F ] PMBDeviceInfoProvider C:\Program Files\Sony\PMB\PMBDeviceInfoProvider.exe
16:51:41.0671 2164 PMBDeviceInfoProvider - ok
16:51:41.0734 2164 [ 12B4549D515CB26BB8D375038017CA65 ] Pml Driver HPZ12 C:\WINDOWS\system32\HPZipm12.dll
16:51:41.0734 2164 Pml Driver HPZ12 - ok
16:51:41.0750 2164 [ BF2466B3E18E970D8A976FB95FC1CA85 ] PolicyAgent C:\WINDOWS\system32\lsass.exe
16:51:41.0750 2164 PolicyAgent - ok
16:51:41.0796 2164 [ A012D02F3CF9EAA4D6CD4D81F79A480F ] POSPerformanceCounters C:\Program Files\Microsoft Point Of Service\Microsoft.PointOfService.Service.exe
16:51:41.0796 2164 POSPerformanceCounters - ok
16:51:41.0843 2164 [ EFEEC01B1D3CF84F16DDD24D9D9D8F99 ] PptpMiniport C:\WINDOWS\system32\DRIVERS\raspptp.sys
16:51:41.0843 2164 PptpMiniport - ok
16:51:41.0890 2164 [ 81DBFB92EC47CAC5A7DBAC688886C212 ] Printer Control C:\WINDOWS\system32\PrintCtrl.exe
16:51:41.0890 2164 Printer Control - ok
16:51:41.0890 2164 Proficy Driver Runtime - ok
16:51:41.0906 2164 [ BF2466B3E18E970D8A976FB95FC1CA85 ] ProtectedStorage C:\WINDOWS\system32\lsass.exe
16:51:41.0906 2164 ProtectedStorage - ok
16:51:41.0921 2164 [ 09298EC810B07E5D582CB3A3F9255424 ] PSched C:\WINDOWS\system32\DRIVERS\psched.sys
16:51:41.0921 2164 PSched - ok
16:51:41.0937 2164 [ 80D317BD1C3DBC5D4FE7B1678C60CADD ] Ptilink C:\WINDOWS\system32\DRIVERS\ptilink.sys
16:51:41.0937 2164 Ptilink - ok
16:51:41.0968 2164 [ 9CCF89372C5A04E97CD89B58AE697796 ] qcusbser C:\WINDOWS\system32\DRIVERS\qcusbser.sys
16:51:41.0984 2164 qcusbser - ok
16:51:41.0984 2164 ql1080 - ok
16:51:42.0000 2164 Ql10wnt - ok
16:51:42.0000 2164 ql12160 - ok
16:51:42.0015 2164 ql1240 - ok
16:51:42.0015 2164 ql1280 - ok
16:51:42.0031 2164 [ FE0D99D6F31E4FAD8159F690D68DED9C ] RasAcd C:\WINDOWS\system32\DRIVERS\rasacd.sys
16:51:42.0031 2164 RasAcd - ok
16:51:42.0062 2164 [ AD188BE7BDF94E8DF4CA0A55C00A5073 ] RasAuto C:\WINDOWS\System32\rasauto.dll
16:51:42.0062 2164 RasAuto - ok
16:51:42.0093 2164 [ 11B4A627BC9614B885C4969BFA5FF8A6 ] Rasl2tp C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
16:51:42.0093 2164 Rasl2tp - ok
16:51:42.0125 2164 [ 76A9A3CBEADD68CC57CDA5E1D7448235 ] RasMan C:\WINDOWS\System32\rasmans.dll
16:51:42.0125 2164 RasMan - ok
16:51:42.0140 2164 [ 5BC962F2654137C9909C3D4603587DEE ] RasPppoe C:\WINDOWS\system32\DRIVERS\raspppoe.sys
16:51:42.0140 2164 RasPppoe - ok
16:51:42.0140 2164 [ FDBB1D60066FCFBB7452FD8F9829B242 ] Raspti C:\WINDOWS\system32\DRIVERS\raspti.sys
16:51:42.0140 2164 Raspti - ok
16:51:42.0171 2164 [ 7AD224AD1A1437FE28D89CF22B17780A ] Rdbss C:\WINDOWS\system32\DRIVERS\rdbss.sys
16:51:42.0171 2164 Rdbss - ok
16:51:42.0187 2164 [ 4912D5B403614CE99C28420F75353332 ] RDPCDD C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
16:51:42.0187 2164 RDPCDD - ok
16:51:42.0234 2164 [ 15CABD0F7C00C47C70124907916AF3F1 ] rdpdr C:\WINDOWS\system32\DRIVERS\rdpdr.sys
16:51:42.0250 2164 rdpdr - ok
16:51:42.0281 2164 [ 6728E45B66F93C08F11DE2E316FC70DD ] RDPWD C:\WINDOWS\system32\drivers\RDPWD.sys
16:51:42.0281 2164 RDPWD - ok
16:51:42.0312 2164 [ 3C37BF86641BDA977C3BF8A840F3B7FA ] RDSessMgr C:\WINDOWS\system32\sessmgr.exe
16:51:42.0328 2164 RDSessMgr - ok
16:51:42.0343 2164 [ F828DD7E1419B6653894A8F97A0094C5 ] redbook C:\WINDOWS\system32\DRIVERS\redbook.sys
16:51:42.0343 2164 redbook - ok
16:51:42.0375 2164 [ 7E699FF5F59B5D9DE5390E3C34C67CF5 ] RemoteAccess C:\WINDOWS\System32\mprdim.dll
16:51:42.0375 2164 RemoteAccess - ok
16:51:42.0406 2164 [ 5B19B557B0C188210A56A6B699D90B8F ] RemoteRegistry C:\WINDOWS\system32\regsvc.dll
16:51:42.0421 2164 RemoteRegistry - ok
16:51:42.0453 2164 [ AAED593F84AFA419BBAE8572AF87CF6A ] RpcLocator C:\WINDOWS\system32\locator.exe
16:51:42.0468 2164 RpcLocator - ok
16:51:42.0484 2164 [ 2589FE6015A316C0F5D5112B4DA7B509 ] RpcSs C:\WINDOWS\System32\rpcss.dll
16:51:42.0500 2164 RpcSs - ok
16:51:42.0546 2164 [ FEDD2710B75BE3ECF078ADACE790C423 ] RsFx0102 C:\WINDOWS\system32\DRIVERS\RsFx0102.sys
16:51:42.0546 2164 RsFx0102 - ok
16:51:42.0593 2164 [ FD692C6FFADE58F7C4C3C3C9A0EC35BD ] RsFx0103 C:\WINDOWS\system32\DRIVERS\RsFx0103.sys
16:51:42.0609 2164 RsFx0103 - ok
16:51:42.0625 2164 [ 471B3F9741D762ABE75E9DEEA4787E47 ] RSVP C:\WINDOWS\system32\rsvp.exe
16:51:42.0625 2164 RSVP - ok
16:51:42.0656 2164 [ BF2466B3E18E970D8A976FB95FC1CA85 ] SamSs C:\WINDOWS\system32\lsass.exe
16:51:42.0656 2164 SamSs - ok
16:51:42.0671 2164 [ 86D007E7A654B9A71D1D7D856B104353 ] SCardSvr C:\WINDOWS\System32\SCardSvr.exe
16:51:42.0687 2164 SCardSvr - ok
16:51:42.0718 2164 [ 0A9A7365A1CA4319AA7C1D6CD8E4EAFA ] Schedule C:\WINDOWS\system32\schedsvc.dll
16:51:42.0734 2164 Schedule - ok
16:51:42.0750 2164 [ 90A3935D05B494A5A39D37E71F09A677 ] Secdrv C:\WINDOWS\system32\DRIVERS\secdrv.sys
16:51:42.0765 2164 Secdrv - ok
16:51:42.0781 2164 [ CBE612E2BB6A10E3563336191EDA1250 ] seclogon C:\WINDOWS\System32\seclogon.dll
16:51:42.0781 2164 seclogon - ok
16:51:42.0796 2164 [ 7FDD5D0684ECA8C1F68B4D99D124DCD0 ] SENS C:\WINDOWS\system32\sens.dll
16:51:42.0812 2164 SENS - ok
16:51:42.0812 2164 [ 0F29512CCD6BEAD730039FB4BD2C85CE ] Serenum C:\WINDOWS\system32\DRIVERS\serenum.sys
16:51:42.0812 2164 Serenum - ok
16:51:42.0843 2164 [ CCA207A8896D4C6A0C9CE29A4AE411A7 ] Serial C:\WINDOWS\system32\drivers\Serial.sys
16:51:42.0843 2164 Serial - ok
16:51:42.0906 2164 [ 8E6B8C671615D126FDC553D1E2DE5562 ] Sfloppy C:\WINDOWS\system32\drivers\Sfloppy.sys
16:51:42.0906 2164 Sfloppy - ok
16:51:42.0968 2164 [ 83F41D0D89645D7235C051AB1D9523AC ] SharedAccess C:\WINDOWS\System32\ipnathlp.dll
16:51:42.0984 2164 SharedAccess - ok
16:51:43.0000 2164 [ 1926899BF9FFE2602B63074971700412 ] ShellHWDetection C:\WINDOWS\System32\shsvcs.dll
16:51:43.0000 2164 ShellHWDetection - ok
16:51:43.0015 2164 Simbad - ok
16:51:43.0078 2164 [ F5BBEDF602C310B00036EB2DBF4348A5 ] SkypeUpdate C:\Program Files\Skype\Updater\Updater.exe
16:51:43.0078 2164 SkypeUpdate - ok
16:51:43.0109 2164 [ 866D538EBE33709A5C9F5C62B73B7D14 ] SLIP C:\WINDOWS\system32\DRIVERS\SLIP.sys
16:51:43.0109 2164 SLIP - ok
16:51:43.0125 2164 SMTPSVC - ok
16:51:43.0250 2164 [ 99877AB5F793989F407EDAC422090E12 ] SophosVirusRemovalTool C:\Documents and Settings\Milovan\My Documents\Downloads\Sophos Virus Removal Tool\SVRTservice.exe
16:51:43.0250 2164 SophosVirusRemovalTool - ok
16:51:43.0265 2164 Sparrow - ok
16:51:43.0281 2164 [ AB8B92451ECB048A4D1DE7C3FFCB4A9F ] splitter C:\WINDOWS\system32\drivers\splitter.sys
16:51:43.0296 2164 splitter - ok
16:51:43.0296 2164 Spooler - ok
16:51:43.0343 2164 [ A687B5B326AFCFCF182C4931D1FF9771 ] SQLAgent$SQLEXPRESS C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE
16:51:43.0390 2164 SQLAgent$SQLEXPRESS - ok
16:51:43.0437 2164 [ EB2FD937449B7ACEB39372F875EB8E78 ] SQLAgent$SQLEXPRESS_2008 C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS_2008\MSSQL\Binn\SQLAGENT.EXE
16:51:43.0468 2164 SQLAgent$SQLEXPRESS_2008 - ok
16:51:43.0515 2164 [ B54B48F6D92423440C264E91225C5FF1 ] SQLBrowser C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
16:51:43.0515 2164 SQLBrowser - ok
16:51:43.0546 2164 [ 637A0F23F9012358E92E6F99835494D1 ] SQLWriter C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
16:51:43.0546 2164 SQLWriter - ok
16:51:43.0578 2164 [ 76BB022C2FB6902FD5BDD4F78FC13A5D ] sr C:\WINDOWS\system32\DRIVERS\sr.sys
16:51:43.0593 2164 sr - ok
16:51:43.0609 2164 [ 3805DF0AC4296A34BA4BF93B346CC378 ] srservice C:\WINDOWS\system32\srsvc.dll
16:51:43.0609 2164 srservice - ok
16:51:43.0625 2164 [ 5252605079810904E31C332E241CD59B ] Srv C:\WINDOWS\system32\DRIVERS\srv.sys
16:51:43.0640 2164 Srv - ok
16:51:43.0671 2164 [ 0A5679B3714EDAB99E357057EE88FCA6 ] SSDPSRV C:\WINDOWS\System32\ssdpsrv.dll
16:51:43.0687 2164 SSDPSRV - ok
16:51:43.0687 2164 SSPORT - ok
16:51:43.0750 2164 [ 8BAD69CBAC032D4BBACFCE0306174C30 ] stisvc C:\WINDOWS\system32\wiaservc.dll
16:51:43.0781 2164 stisvc - ok
16:51:43.0812 2164 [ 77813007BA6265C4B6098187E6ED79D2 ] streamip C:\WINDOWS\system32\DRIVERS\StreamIP.sys
16:51:43.0812 2164 streamip - ok
16:51:43.0843 2164 [ 3941D127AEF12E93ADDF6FE6EE027E0F ] swenum C:\WINDOWS\system32\DRIVERS\swenum.sys
16:51:43.0843 2164 swenum - ok
16:51:43.0859 2164 [ 8CE882BCC6CF8A62F2B2323D95CB3D01 ] swmidi C:\WINDOWS\system32\drivers\swmidi.sys
16:51:43.0859 2164 swmidi - ok
16:51:43.0875 2164 SwPrv - ok
16:51:43.0875 2164 symc810 - ok
16:51:43.0890 2164 symc8xx - ok
16:51:43.0890 2164 sym_hi - ok
16:51:43.0906 2164 sym_u3 - ok
16:51:43.0921 2164 [ 8B83F3ED0F1688B4958F77CD6D2BF290 ] sysaudio C:\WINDOWS\system32\drivers\sysaudio.sys
16:51:43.0921 2164 sysaudio - ok
16:51:43.0937 2164 [ 3CB78C17BB664637787C9A1C98F79C38 ] TapiSrv C:\WINDOWS\System32\tapisrv.dll
16:51:43.0953 2164 TapiSrv - ok
16:51:43.0984 2164 [ 93EA8D04EC73A85DB02EB8805988F733 ] Tcpip C:\WINDOWS\system32\DRIVERS\tcpip.sys
16:51:44.0015 2164 Tcpip - ok
16:51:44.0046 2164 [ 6471A66807F5E104E4885F5B67349397 ] TDPIPE C:\WINDOWS\system32\drivers\TDPIPE.sys
16:51:44.0046 2164 TDPIPE - ok
16:51:44.0062 2164 [ C56B6D0402371CF3700EB322EF3AAF61 ] TDTCP C:\WINDOWS\system32\drivers\TDTCP.sys
16:51:44.0062 2164 TDTCP - ok
16:51:44.0250 2164 [ 6B1B2F8D62D606B200C2072564090104 ] TeamViewer8 C:\Program Files\TeamViewer\Version8\TeamViewer_Service.exe
16:51:44.0359 2164 TeamViewer8 - ok
16:51:44.0375 2164 [ 88155247177638048422893737429D9E ] TermDD C:\WINDOWS\system32\DRIVERS\termdd.sys
16:51:44.0375 2164 TermDD - ok
16:51:44.0421 2164 [ FF3477C03BE7201C294C35F684B3479F ] TermService C:\WINDOWS\System32\termsrv.dll
16:51:44.0437 2164 TermService - ok
16:51:44.0453 2164 [ 1926899BF9FFE2602B63074971700412 ] Themes C:\WINDOWS\System32\shsvcs.dll
16:51:44.0468 2164 Themes - ok
16:51:44.0468 2164 tlgvmb - ok
16:51:44.0515 2164 [ DB7205804759FF62C34E3EFD8A4CC76A ] TlntSvr C:\WINDOWS\system32\tlntsvr.exe
16:51:44.0515 2164 TlntSvr - ok
16:51:44.0578 2164 [ D21AE9FFF1D3FC7CAB601F6AC86408E6 ] TMUSB C:\WINDOWS\system32\DRIVERS\TMUSBXP.SYS
16:51:44.0578 2164 TMUSB - ok
16:51:44.0578 2164 TosIde - ok
16:51:44.0609 2164 [ 55BCA12F7F523D35CA3CB833C725F54E ] TrkWks C:\WINDOWS\system32\trkwks.dll
16:51:44.0625 2164 TrkWks - ok
16:51:44.0640 2164 [ 5787B80C2E3C5E2F56C2A233D91FA2C9 ] Udfs C:\WINDOWS\system32\drivers\Udfs.sys
16:51:44.0656 2164 Udfs - ok
16:51:44.0656 2164 uituqghb - ok
16:51:44.0671 2164 ultra - ok
16:51:44.0718 2164 [ 402DDC88356B1BAC0EE3DD1580C76A31 ] Update C:\WINDOWS\system32\DRIVERS\update.sys
16:51:44.0734 2164 Update - ok
16:51:44.0765 2164 [ 1EBAFEB9A3FBDC41B8D9C7F0F687AD91 ] upnphost C:\WINDOWS\System32\upnphost.dll
16:51:44.0781 2164 upnphost - ok
16:51:44.0781 2164 [ 05365FB38FCA1E98F7A566AAAF5D1815 ] UPS C:\WINDOWS\System32\ups.exe
16:51:44.0781 2164 UPS - ok
16:51:44.0812 2164 [ 173F317CE0DB8E21322E71B7E60A27E8 ] usbccgp C:\WINDOWS\system32\DRIVERS\usbccgp.sys
16:51:44.0828 2164 usbccgp - ok
16:51:44.0843 2164 [ 65DCF09D0E37D4C6B11B5B0B76D470A7 ] usbehci C:\WINDOWS\system32\DRIVERS\usbehci.sys
16:51:44.0843 2164 usbehci - ok
16:51:44.0859 2164 [ 1AB3CDDE553B6E064D2E754EFE20285C ] usbhub C:\WINDOWS\system32\DRIVERS\usbhub.sys
16:51:44.0859 2164 usbhub - ok
16:51:44.0890 2164 [ A717C8721046828520C9EDF31288FC00 ] usbprint C:\WINDOWS\system32\DRIVERS\usbprint.sys
16:51:44.0906 2164 usbprint - ok
16:51:44.0937 2164 [ A32426D9B14A089EAA1D922E0C5801A9 ] USBSTOR C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
16:51:44.0937 2164 USBSTOR - ok
16:51:44.0968 2164 [ 26496F9DEE2D787FC3E61AD54821FFE6 ] usbuhci C:\WINDOWS\system32\DRIVERS\usbuhci.sys
16:51:44.0984 2164 usbuhci - ok
16:51:45.0015 2164 [ 63BBFCA7F390F4C49ED4B96BFB1633E0 ] usbvideo C:\WINDOWS\system32\Drivers\usbvideo.sys
16:51:45.0015 2164 usbvideo - ok
16:51:45.0062 2164 [ 0D3A8FAFCEACD8B7625CD549757A7DF1 ] VgaSave C:\WINDOWS\System32\drivers\vga.sys
16:51:45.0062 2164 VgaSave - ok
16:51:45.0062 2164 ViaIde - ok
16:51:45.0140 2164 [ 4C8FCB5CC53AAB716D810740FE59D025 ] VolSnap C:\WINDOWS\system32\drivers\VolSnap.sys
16:51:45.0140 2164 VolSnap - ok
16:51:45.0171 2164 [ 7A9DB3A67C333BF0BD42E42B8596854B ] VSS C:\WINDOWS\System32\vssvc.exe
16:51:45.0203 2164 VSS - ok
16:51:45.0250 2164 [ 54AF4B1D5459500EF0937F6D33B1914F ] W32Time C:\WINDOWS\system32\w32time.dll
16:51:45.0250 2164 W32Time - ok
16:51:45.0265 2164 W3SVC - ok
16:51:45.0312 2164 [ E20B95BAEDB550F32DD489265C1DA1F6 ] Wanarp C:\WINDOWS\system32\DRIVERS\wanarp.sys
16:51:45.0312 2164 Wanarp - ok
16:51:45.0359 2164 [ FD47474BD21794508AF449D9D91AF6E6 ] Wdf01000 C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
16:51:45.0375 2164 Wdf01000 - ok
16:51:45.0375 2164 WDICA - ok
16:51:45.0406 2164 [ 6768ACF64B18196494413695F0C3A00F ] wdmaud C:\WINDOWS\system32\drivers\wdmaud.sys
16:51:45.0406 2164 wdmaud - ok
16:51:45.0421 2164 [ 77A354E28153AD2D5E120A5A8687BC06 ] WebClient C:\WINDOWS\System32\webclnt.dll
16:51:45.0421 2164 WebClient - ok
16:51:45.0546 2164 [ 2D0E4ED081963804CCC196A0929275B5 ] winmgmt C:\WINDOWS\system32\wbem\WMIsvc.dll
16:51:45.0562 2164 winmgmt - ok
16:51:45.0625 2164 [ 18F347402DA544A780949B8FDF83351B ] WinRM C:\WINDOWS\system32\WsmSvc.dll
16:51:45.0703 2164 WinRM - ok
16:51:45.0750 2164 [ C7E39EA41233E9F5B86C8DA3A9F1E4A8 ] WmdmPmSN C:\WINDOWS\system32\mspmsnsv.dll
16:51:45.0750 2164 WmdmPmSN - ok
16:51:45.0796 2164 [ BAB489A5FE26F2D0C910CF7AF7E4CF92 ] Wmi C:\WINDOWS\System32\advapi32.dll
16:51:45.0828 2164 Wmi - ok
16:51:45.0843 2164 [ C42584FD66CE9E17403AEBCA199F7BDB ] WmiAcpi C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
16:51:45.0843 2164 WmiAcpi - ok
16:51:45.0906 2164 [ E0673F1106E62A68D2257E376079F821 ] WmiApSrv C:\WINDOWS\system32\wbem\wmiapsrv.exe
16:51:45.0906 2164 WmiApSrv - ok
16:51:46.0015 2164 [ DCF3E3EDF5109EE8BC02FE6E1F045795 ] WPFFontCache_v0400 C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe
16:51:46.0046 2164 WPFFontCache_v0400 - ok
16:51:46.0093 2164 [ 6ABE6E225ADB5A751622A9CC3BC19CE8 ] WS2IFSL C:\WINDOWS\System32\drivers\ws2ifsl.sys
16:51:46.0093 2164 WS2IFSL - ok
16:51:46.0140 2164 [ 7C278E6408D1DCE642230C0585A854D5 ] wscsvc C:\WINDOWS\system32\wscsvc.dll
16:51:46.0140 2164 wscsvc - ok
16:51:46.0187 2164 [ C98B39829C2BBD34E454150633C62C78 ] WSTCODEC C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
16:51:46.0187 2164 WSTCODEC - ok
16:51:46.0234 2164 [ 35321FB577CDC98CE3EB3A3EB9E4610A ] wuauserv C:\WINDOWS\system32\wuauserv.dll
16:51:46.0234 2164 wuauserv - ok
16:51:46.0265 2164 [ 81DC3F549F44B1C1FFF022DEC9ECF30B ] WZCSVC C:\WINDOWS\System32\wzcsvc.dll
16:51:46.0328 2164 WZCSVC - ok
16:51:46.0328 2164 xlbvjtv - ok
16:51:46.0375 2164 [ 295D21F14C335B53CB8154E5B1F892B9 ] xmlprov C:\WINDOWS\System32\xmlprov.dll
16:51:46.0375 2164 xmlprov - ok
16:51:46.0390 2164 ykndj - ok
16:51:46.0406 2164 ================ Scan global ===============================
16:51:46.0437 2164 [ 42F1F4C0AFB08410E5F02D4B13EBB623 ] C:\WINDOWS\system32\basesrv.dll
16:51:46.0453 2164 [ 1618F36D4F7F6CCCEB3EE44BA95BE85C ] C:\WINDOWS\system32\winsrv.dll
16:51:46.0468 2164 [ 1618F36D4F7F6CCCEB3EE44BA95BE85C ] C:\WINDOWS\system32\winsrv.dll
16:51:46.0500 2164 [ 0E776ED5F7CC9F94299E70461B7B8185 ] C:\WINDOWS\system32\services.exe
16:51:46.0500 2164 [Global] - ok
16:51:46.0500 2164 ================ Scan MBR ==================================
16:51:46.0515 2164 [ 8F558EB6672622401DA993E1E865C861 ] \Device\Harddisk0\DR0
16:51:46.0953 2164 \Device\Harddisk0\DR0 - ok
16:51:46.0953 2164 ================ Scan VBR ==================================
16:51:46.0968 2164 [ AC3BDCF1E93421DA9D3D24BDCD2DE52E ] \Device\Harddisk0\DR0\Partition1
16:51:46.0968 2164 \Device\Harddisk0\DR0\Partition1 - ok
16:51:46.0968 2164 [ 52FB0052E906C9B5360FE9C9C7BD6625 ] \Device\Harddisk0\DR0\Partition2
16:51:46.0968 2164 \Device\Harddisk0\DR0\Partition2 - ok
16:51:46.0968 2164 ============================================================
16:51:46.0968 2164 Scan finished
16:51:46.0968 2164 ============================================================
16:51:46.0984 2152 Detected object count: 0
16:51:46.0984 2152 Actual detected object count: 0
16:51:53.0234 2056 Deinitialize success
[ kristi1 @ 03.01.2014. 16:09 ] @
Download Malwarebytes Anti-Rootkit (MBAR) from the following link and save it to the Desktop.

[list][*] Double-click the MBAR icon and, in the new window that opens, click the Ok button.
[size=9]>> If any prompt appears, click the NO button[/size]

When MBAR starts...
[*] click the Next button and then the Update button to download the latest definitions;
[*] click the Next button and make sure that under Scan targets: the Drivers, Sectors and System options are checked;
[*] click the Scan button and wait for MBAR to finish scanning;

If no malware is detected, click the Exit button to close the program and post the system-log.txt and mbar-log-year-month-day (hour-minute-second).txt reports for us.

If malware is detected, make sure the Create Restore Point option is checked and click the [color=red]Cleanup[/color] button;
[size=9]The malware removal procedure will start and the program will shortly request a system restart.[/size]

[*] click the Yes button to allow the system restart for cleaning.
[*] When cleaning finishes, open the MBAR folder and attach the following MBAR reports to your post using the "Attach file" option
[/list]
- system-log.txt
- mbar-log-year-month-day (hour-minute-second).txt.

The 'Attach file' option is here

[ nikitaGradov @ 05.01.2014. 18:38 ] @
For two days now I've been trying to come up with some 'trick' to get mbar to run. This rootkit (except in safe mode) does not allow the mbar application to start.

Is there anything else I could try?

[ Goran Mijailovic @ 05.01.2014. 20:42 ] @
You could take out the hard disk and scan it on some other computer that has Kaspersky or Bitdefender.
or
You could make a disk with e.g. Kaspersky on it and scan from the CD, of course with a live boot from the CD; see this link:
http://www.kaspersky.com/virus-scanner
Kaspersky Rescue Disk 10
Of course you have to download that CD on a computer that is clean and also burn it on a clean system.

After cleaning the virus I'm not sure how functional that system will be.
[ nikitaGradov @ 05.01.2014. 21:33 ] @
>After cleaning the virus I'm not sure how functional that system will be.

Does that mean I should get ready to format the disk and reinstall the system?
[ kristi1 @ 06.01.2014. 07:52 ] @
Download Gmer to the desktop:
http://www2.gmer.net/download.php

Run Gmer by double-clicking it

Wait for the initial scan to finish - if any prompt appears, click No;
click Scan and wait for the scan to finish;
click Save ... - save the report to the Desktop (under the name Gmer1)
right-click in the Gmer program window and choose Options > 3rd party - click Scan;
when the scan finishes click Save ... - save the report to the Desktop (under the name Gmer2);

Post both reports separately on http://pastebin.com/

Click Submit and copy the links to the reports into your post.

Run FRST/FRST64 again:

type volsnap.sys into the Search: field and click the Search File(s) button;
the tool will scan your computer and create a report (Search.txt) in the same directory where the FRST tool is saved;
copy the contents of the Search.txt report into your post;
[ Goran Mijailovic @ 06.01.2014. 10:56 ] @
Quote:
nikitaGradov:
>After cleaning the virus I'm not sure how functional that system will be.

Does that mean I should get ready to format the disk and reinstall the system?


I really don't know; I see that @kristi is persistent in helping you clean that system, so he is probably also familiar with the damage that remains after that infection. Who knows what that rootkit is prepared to do and which friends it has called in to help, but I won't be gloomy here :)
What I do know is that after some viruses the system is practically unusable; on the other hand, from my own experience I know that some systems were fine to use after the rootkit was removed, but as far as I can see you've picked up some persistent wonder. Once you've cleaned it, I recommend a thorough scan of all your partitions with some serious antivirus, even a trial version, and of course cleaning all USB sticks and the like.
[ kristi1 @ 06.01.2014. 13:42 ] @
I'm trying to see what the new Gmer will tell me, because it seems suspicious to me that every win driver of his is infected with a rootkit; I haven't seen that before.
[ nikitaGradov @ 06.01.2014. 23:02 ] @
link for log gmer1: http://pastebin.com/R1G1gYMw

link for log gmer2: it gives me the message -> 'You have exceeded the maximum file size of 500 kilobytes per paste. PRO users don't have this limit!'

Should I paste the contents of the gmer2 log within the post?

By the way, if it means anything to you - during the scan GMER (among other things) reports the following (and it reported this in previous scans too):

1. it reports 'Access is denied' for the following files:
ntkrnlpa.exe
hal.dll
KDCOM.dll
BOOTVID.dll
win32k.sys
watchdog.sys
igxpgd32.dll
igxprd32.dll
igxpdv32.dll
igxpdx32.dll
ATMFD.dll

I don't know whether these are some critical dlls for Windows XP, so that is why it's 'access denied', or whether, maybe, the rootkit is blocking access to these files?

2. it shows in red (the infected files, so to speak) the following Library files:
wbemprox.dll -> winlogon.exe
wbemcomn.dll -> winlogon.exe
wbemsvc.dll -> winlogon.exe
fastprox.dll -> winlogon.exe

wmisvc.dll -> svchost.exe
wbemcomn.dll -> svchost.exe
wbemcore.dll -> svchost.exe
esscli.dll -> svchost.exe
FastProx.dll -> svchost.exe
wmiutils.dll -> svchost.exe
repdrvfs.dll -> svchost.exe
wmiprvsd.dll -> svchost.exe
wbemess.dll -> svchost.exe
ncprov.dll -> svchost.exe
wbemsvc.dll -> svchost.exe

While I still had the nerve (on my desk I have another computer with an identical XP installation, i.e., I installed XP on both machines from the same installation disc), from the clean machine (checked with gmer, tdsskiller and combofix) I copied all the (above listed) dll files (I booted the infected machine into safe mode with command prompt, renamed all of these listed files, copied the clean ones, then booted again into safe mode with command prompt to delete the dll files I had renamed, etc.). Then I booted the computer in normal mode and ran GMER. In the 'processes' tab there was no 'winlogon.exe' process, but svchost.exe remained. After, say, 20 minutes or so, winlogon.exe appeared again.

3. it reports that one service is also 'infected': 'winspool.drv'. I deleted it too, and copied it from the 'clean' computer. For a while GMER doesn't report it, and then it shows up in the scan again.

Since 2009, when I bought the computer, until now, I have never had any problem with viruses (I had free Avast, which I updated regularly). It's not clear to me either what's going on, all the more so since I first heard the term rootkit exactly when this problem started ...
[ nikitaGradov @ 06.01.2014. 23:13 ] @
>Run FRST/FRST64 again:

>type volsnap.sys into the Search: field and click the Search File(s) button;
>the tool will scan your computer and create a report (Search.txt) in the same directory where the FRST tool is saved;
>copy the contents of the Search.txt report into your post;

As I wrote earlier, I can only run this tool in safe mode -> here are the contents of Search.txt:

Farbar Recovery Scan Tool (x86) Version: 05-01-2014
Ran by Milovan at 2014-01-07 00:05:59
Running from C:\Documents and Settings\Milovan\My Documents\Downloads
Boot Mode: Safe Mode (with Networking)

================== Search: "volsnap.sys" ===================

C:\WINDOWS\system32\drivers\VOLSNAP.SYS
[2013-12-18 17:53] - [2014-01-03 16:40] - 0052352 ____A (Microsoft Corporation) 4c8fcb5cc53aab716d810740fe59d025

C:\WINDOWS\system32\dllcache\volsnap.sys
[2013-12-14 23:27] - [2008-04-14 13:00] - 0052352 ___AC (Microsoft Corporation) 4c8fcb5cc53aab716d810740fe59d025

C:\Documents and Settings\Milovan\Application Data\FixTDSS\Archive\VolSnap.sys
[2014-12-25 12:06] - [2013-12-25 08:38] - 0052352 ____A (Microsoft Corporation) 4c8fcb5cc53aab716d810740fe59d025

=== End Of Search ===
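One way to read the Search.txt output above mechanically, as an added example that is not part of the thread: it parses FRST's path / `[created] - [modified] - size attrs (company) md5` line pairs and checks every copy of the file against the one in `dllcache` (the Windows File Protection cache on XP), which for this search confirms that all three copies carry the same MD5.

```python
import re
from collections import namedtuple

# Constructed sample input: the FRST Search.txt block posted above, verbatim.
SEARCH_TXT = r"""Farbar Recovery Scan Tool (x86) Version: 05-01-2014
Ran by Milovan at 2014-01-07 00:05:59
Running from C:\Documents and Settings\Milovan\My Documents\Downloads
Boot Mode: Safe Mode (with Networking)

================== Search: "volsnap.sys" ===================

C:\WINDOWS\system32\drivers\VOLSNAP.SYS
[2013-12-18 17:53] - [2014-01-03 16:40] - 0052352 ____A (Microsoft Corporation) 4c8fcb5cc53aab716d810740fe59d025

C:\WINDOWS\system32\dllcache\volsnap.sys
[2013-12-14 23:27] - [2008-04-14 13:00] - 0052352 ___AC (Microsoft Corporation) 4c8fcb5cc53aab716d810740fe59d025

C:\Documents and Settings\Milovan\Application Data\FixTDSS\Archive\VolSnap.sys
[2014-12-25 12:06] - [2013-12-25 08:38] - 0052352 ____A (Microsoft Corporation) 4c8fcb5cc53aab716d810740fe59d025

=== End Of Search ===
"""
# One FRST detail line: [created] - [modified] - size attrs (company) md5
DETAIL_RE = re.compile(
    r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - (?P<size>\d+) "
    r"(?P<attrs>\S+) \((?P<company>[^)]*)\) (?P<md5>[0-9a-fA-F]{32})$"
)
FileHit = namedtuple("FileHit", "path created modified size attrs company md5")

def parse_search(text):
    """Return one FileHit per (path line, detail line) pair in an FRST Search.txt."""
    hits, prev = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = DETAIL_RE.match(line)
        if m and prev:  # the non-empty line just before a detail line is the file path
            hits.append(FileHit(prev, m["created"], m["modified"], int(m["size"]),
                                m["attrs"], m["company"], m["md5"].lower()))
        prev = line or None
    return hits

def check_copies(hits, reference_dir="dllcache"):
    """Group copies by file name; compare each MD5 against the copy under reference_dir."""
    by_name = {}
    for h in hits:
        by_name.setdefault(h.path.rsplit("\\", 1)[-1].lower(), []).append(h)
    report = {}
    for name, copies in by_name.items():
        ref = next((c for c in copies if reference_dir in c.path.lower().split("\\")), None)
        ref_md5 = ref.md5 if ref else None
        report[name] = {
            "reference_md5": ref_md5,
            "mismatches": [c.path for c in copies if ref_md5 and c.md5 != ref_md5],
            "consistent": len({(c.md5, c.size) for c in copies}) == 1,
        }
    return report
```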
[ kristi1 @ 07.01.2014. 08:08 ] @
This isn't worth cleaning. They are all legitimate drivers, and every single one would have to be replaced.

The best solution is to wipe the system.

Try this tool once more; if it won't work, wipe the system.

Download Malwarebytes Anti-Rootkit (MBAR) from the following link and save it to the Desktop.

[list][*] Double-click the MBAR icon and, in the new window that opens, click the Ok button.
The tool will be unpacked into a separate mbar folder on the desktop. This will also start Malwarebytes Anti-Rootkit.
>> If any prompt appears, click the NO button

When MBAR starts...
[*] click the Next button and then the Update button to download the latest definitions;
[*] click the Next button and make sure that under Scan targets: the Drivers, Sectors and System options are checked;
[*] click the [color=green]Scan[/color] button and wait for MBAR to finish scanning;

If no malware is detected, click the [color=green]Exit[/color] button to close the program and post the system-log.txt and mbar-log-year-month-day (hour-minute-second).txt reports for us.

If malware is detected, make sure the Create Restore Point option is checked and click the [color=red]Cleanup[/color] button;
The malware removal procedure will start and the program will shortly request a system restart.

[*] click the Yes button to allow the system restart for cleaning.
[*] When cleaning finishes, open the MBAR folder and attach the following MBAR reports to your post using the "Attach file" option
[/list]
- system-log.txt
- mbar-log-year-month-day (hour-minute-second).txt.

edit: everything must be done from Normal mode.
[ Goran Mijailovic @ 07.01.2014. 09:46 ] @
Quote:
nikitaGradov:
For two days now I've been trying to come up with some 'trick' to get mbar to run. This rootkit (except in safe mode) does not allow the mbar application to start.

Is there anything else I could try?


???
[ kristi1 @ 07.01.2014. 11:23 ] @
Submit winlogon.exe to https://www.virustotal.com/ and post the report here.
[ nikitaGradov @ 07.01.2014. 16:16 ] @
Quote:
kristi1: Submit winlogon.exe to https://www.virustotal.com/ and post the report here.


Result of the analysis (report): ' Probably harmless! There are strong indicators suggesting that this file is safe to use. '

Next to every antivirus tool there is a green check-mark symbol...

I want to thank you for the help so far ... I'll do a reinstall of the system ...

If nothing else, at least I've learned which tools I should use in case this happens again (combofix, gmer, ...)...
[ kristi1 @ 07.01.2014. 16:51 ] @
Something is wrong with that system of yours, and I'd bet that all those files that point to a rootkit are clean.

Also, VOLSNAP.SYS in all three locations where it exists is clean.

What is happening and why, I don't know; in any case TDSSKiller didn't show that you have a rootkit either. With Combofix you had a problem with malware and I assume it cleaned them, although I didn't get the log.


I also saw that you have the program MalwareDefender; where you got that from I don't know, but checking google I see it isn't malicious.
http://www.softpedia.com/get/S...leaning/Malware-Defender.shtml

What you need that for isn't clear to me.
[ kristi1 @ 07.01.2014. 17:05 ] @
C:\WINDOWS\system32\drivers\acpi.sys

Come on, if you haven't wiped the system yet, submit this file to VT as well, just so we can see; it's flagged as a rootkit.
[ nikitaGradov @ 07.01.2014. 17:08 ] @
Thanks again for the answer and for getting back to me ...

I installed MalwareDefender myself after the 'infection', so to speak -> I wanted to block 'malicious' connections, open tcp ports and the like, if any existed ... is your recommendation that I uninstall it?

Do you have any idea why I can't run (almost) any program -> apart from the Internet browser and Notepad, for all other programs it reports that it cannot start them???

[ nikitaGradov @ 07.01.2014. 17:10 ] @
Quote:
kristi1:
C:\WINDOWS\system32\drivers\acpi.sys

Come on, if you haven't wiped the system yet, submit this file to VT as well, just so we can see; it's flagged as a rootkit.


I can't submit it; it tells me 'Access denied' for windows\system32\drivers???
[ nikitaGradov @ 07.01.2014. 17:22 ] @
Quote:
nikitaGradov: I can't submit it; it tells me 'Access denied' for windows\system32\drivers???


There, now I've managed to upload acpi.sys; a moment ago it was telling me 'access denied' for the drivers folder?

Result of the analysis: ' Probably harmless! There are strong indicators suggesting that this file is safe to use. '
Next to every antivirus tool there is a green check-mark symbol.

Now you've got me 'intrigued' -> so GMER reports in the log that there is a ROOTKIT in this file, while this scan shows that the file is clean?

Now I'll try to test some more files that GMER reports as infected with a ROOTKIT ...
[ nikitaGradov @ 07.01.2014. 17:38 ] @
I tested all the files (exe, sys, drv, dll) that GMER reports as having a rootkit -> virustotal says for all of them that they are 'Probably harmless! There are strong indicators suggesting that this file is safe to use. ' and next to every antivirus tool there is a green check-mark symbol.

How should I interpret these results?
[ Goran Mijailovic @ 07.01.2014. 18:08 ] @
Quote:
Malware Defender is an intrusion detection tool that allows you to prevent viruses or other applications for making modifications to your system.


Maybe this is also one of the reasons the cleaning failed: this program keeps restoring some settings and/or files that are system files and that it thinks are ok. Some component of Ad-aware, which used to be popular, behaved similarly.
[ kristi1 @ 07.01.2014. 18:25 ] @
My friend, you ran Combofix 14 times before my last script, and you have no idea how that program works and what damage it can do.

Milovan 03.01.2014 1:54.14.2 - x86 MINIMAL

What was done there not even God the Father can tell you; the only solution is to install a new system, and in future, when you have a problem of this kind, don't tinker with anything, ask instead.

[ nikitaGradov @ 08.01.2014. 22:05 ] @
Quote:
Goran Mijailovic:
Quote:
Malware Defender is an intrusion detection tool that allows you to prevent viruses or other applications for making modifications to your system.


Maybe this is also one of the reasons the cleaning failed: this program keeps restoring some settings and/or files that are system files and that it thinks are ok. Some component of Ad-aware, which used to be popular, behaved similarly.


Dear forum members, believe it or not, my computer has been working perfectly since yesterday afternoon!

I uninstalled Malware Defender (although I remember well that a couple of times I tried 'cleaning' without this program running at StartUp, without success) and after that I tried to: run all the MS applications (which until yesterday it was impossible to run) - SUCCESSFULLY. I ran all the applications that kristi suggested to me and managed to run every one of them in Normal mode. GMER (like ComboFix, FRST, ...) no longer reports a rootkit!

Was the problem definitely in this application (since yesterday afternoon I have been testing constantly and working on the computer, and so far EVERYTHING IS AS IT SHOULD BE -> the computer works perfectly, that is, the way it worked before this attack)? I repeat, several times I tried to boot the system without this application, but got results as if the rootkit still existed ... by the way, I remember well that I read the recommendation for this program (as a firewall) on this very forum ...

Now, whether uninstalling this program was the winning combination, I don't know?

Really a BIG THANK YOU to kristi and to you for the help ...

QUESTION (for the future): is it enough for me to keep using Avast (free) or should I change something?
[ Goran Mijailovic @ 09.01.2014. 01:13 ] @
If I were in your place I'd grab that free licence for Bitdefender from the German proxy that is mentioned here in one of the threads.
Then again... if you personally know kristi, or at least me, then you don't have to