Odvirování PC, zrychlení počítače, vzdálená pomoc prostřednictvím služby neslape.cz

Backdoor.Win32.Sinowal i po placeném odvirování

Máte problém s virem? Vložte sem log z FRST nebo RSIT.

Moderátor: Moderátoři

Pravidla fóra
Pokud chcete pomoc, vložte log z FRST [návod zde] nebo RSIT [návod zde]

Jednotlivé thready budou po vyřešení uzamčeny. Stejně tak ty, které budou nečinné déle než 14 dní. Vizte Pravidlo o zamykání témat. Děkujeme za pochopení.

!NOVINKA!
Nově lze využívat služby vzdálené pomoci, kdy se k vašemu počítači připojí odborník a bližší informace o problému si od vás získá telefonicky! Více na www.neslape.cz
Odpovědět
Zpráva
Autor
Dr.Honza
Návštěvník
Návštěvník
Příspěvky: 28
Registrován: 20 zář 2006 22:40

Backdoor.Win32.Sinowal i po placeném odvirování

#1 Příspěvek od Dr.Honza »

Dobrý den bojuji s virem Win32/Mebroot resp. Backdoor.Win32.Sinowal:

Omlouvám se za delší popis:
Nejdříve jsem o viru vůbec nevěděl (ESET 4 ho nenašel) a PC odvezl do
specializované prodejny. Technici hlásili, že jim ESET 5 našel Mebroot,
zaplatil jsem za odvirování celého PC a formát systémového disku a dostal PC zpět.

Následně jsem zjistil, že technik mebroot asi neodstranil, jenom zakázal úvodní
sektor disku, posunul systémový disk a přeházel pořadí písmen disků. Systémový disk jsem
tedy raději znovu zformátoval. Pak jsem disk připojil do jiného PC a v PartitionMagicu tyto
části sloučil, přeházel písmena a celý sloučený disk znovu zformátoval (opakovaně). Odpojil,
zformátoval a nainstaloval nový systém - Windows XP SP 3. Vzápětí jsem zjistil divnou věc,
ptalo se to kterou ze 2 moznych instalaci XP zvolim, ta druha odkazovala na neexistující soubory
- vyřešil jsem kontrolou a odmáznutím řádky v souboru boot na C: a mylně se domníval, že je po boji.
Nainstaloval jsem nejnovější ESS 5 Trial, kontrola - čisté.
Pak mi to nedalo a zkusil jsem to projet Kaspersky TDSSKiller:
našlo to Backdoor.Win32.Sinowal, odstranil jsem a uložil si log. Další spuštění
TDSSKiller už čisté. Stáhl jsem nejnovější Kaspersky Virus removal tool - čisté.
Následně nejnovější ESET EMebRemover - čisté. Pak jsem udělal log z mbr.exe
a našlo mi to ntoskrnl.exe - kt. dle ESETu je součástí viru. Zkusil jsem
gmer.exe a log znovu ukazuje: Disk - \Device\Harddisk0\DR0 - malicious Win32:MBRoot code @ sector 976768068
Neúspěšně jsem se ve WinHex pokusil najít kam na disku odkazuje ten sektor 976768068, tipl bych,
že je to karanténa TDSSKilleru (adresář je na C:).Opakovaně restart, opakoveně ESET 5,
EMebRemover, TDSSKiller - čisté. Systém běží normálně. "fixmbr" jsem zatím nedával.

Už vážně nevím. Štve mě to o to víc, že jsem zaplatil prof. firmě za odvirování (ne málo),
v PC nebyla od té doby žádná flash ani jiné nové médium z kterého bych to znovu chytil.
Je možné že vir nějak mé pokusy přežil? Pokud někdo ví co se děje budu vděčný za radu...
Nahoru
Dr.Honza
Návštěvník
Návštěvník
Příspěvky: 28
Registrován: 20 zář 2006 22:40

Re: Backdoor.Win32.Sinowal i po placeném odvirování

#2 Příspěvek od Dr.Honza »

Provedeno, upnuto. Jen ještě - můj primární harddisk je s oddílem C:, mám ale v PC i druhý
harddisk - ten jsem si sám neformátoval, ale tam snad není... Vytáhl jsem dumpy i druhého disku, jsou ve složce, moc děkuji...


11:05:42.0750 2124 TDSS rootkit removing tool 2.7.36.0 May 21 2012 16:40:16
11:05:44.0031 2124 ============================================================
11:05:44.0031 2124 Current date / time: 2012/06/02 11:05:44.0031
11:05:44.0031 2124 SystemInfo:
11:05:44.0031 2124
11:05:44.0031 2124 OS Version: 5.1.2600 ServicePack: 3.0
11:05:44.0031 2124 Product type: Workstation
11:05:44.0031 2124 ComputerName: DOMACI-PC
11:05:44.0031 2124 UserName: Honza
11:05:44.0031 2124 Windows directory: C:\WINDOWS
11:05:44.0031 2124 System windows directory: C:\WINDOWS
11:05:44.0031 2124 Processor architecture: Intel x86
11:05:44.0031 2124 Number of processors: 1
11:05:44.0031 2124 Page size: 0x1000
11:05:44.0031 2124 Boot type: Normal boot
11:05:44.0031 2124 ============================================================
11:05:45.0812 2124 Drive \Device\Harddisk0\DR0 - Size: 0x7470C06000 (465.76 Gb), SectorSize: 0x200, Cylinders: 0xED81, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
11:05:45.0828 2124 Drive \Device\Harddisk1\DR1 - Size: 0x45DD826000 (279.46 Gb), SectorSize: 0x200, Cylinders: 0x8E81, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
11:05:45.0828 2124 ============================================================
11:05:45.0828 2124 \Device\Harddisk0\DR0:
11:05:45.0828 2124 MBR partitions:
11:05:45.0828 2124 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x4E1EDEC
11:05:45.0828 2124 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x4E1EE2B, BlocksNum 0x1A9C79CF
11:05:45.0828 2124 \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x1F7E67FA, BlocksNum 0x1AB9E447
11:05:45.0828 2124 \Device\Harddisk1\DR1:
11:05:45.0828 2124 MBR partitions:
11:05:45.0843 2124 \Device\Harddisk1\DR1\Partition0: MBR, Type 0x7, StartLBA 0x3F00, BlocksNum 0x8BA619C
11:05:45.0843 2124 \Device\Harddisk1\DR1\Partition1: MBR, Type 0x7, StartLBA 0x8BAA0DB, BlocksNum 0x8BA619C
11:05:45.0859 2124 \Device\Harddisk1\DR1\Partition2: MBR, Type 0x7, StartLBA 0x117502B6, BlocksNum 0xC35314E
11:05:45.0875 2124 \Device\Harddisk1\DR1\Partition3: MBR, Type 0x7, StartLBA 0x1DAA3443, BlocksNum 0x54478FE
11:05:45.0875 2124 ============================================================
11:05:45.0890 2124 C: <-> \Device\Harddisk0\DR0\Partition0
11:05:45.0968 2124 D: <-> \Device\Harddisk0\DR0\Partition1
11:05:46.0015 2124 E: <-> \Device\Harddisk0\DR0\Partition2
11:05:46.0062 2124 F: <-> \Device\Harddisk1\DR1\Partition0
11:05:46.0109 2124 G: <-> \Device\Harddisk1\DR1\Partition1
11:05:46.0140 2124 H: <-> \Device\Harddisk1\DR1\Partition2
11:05:46.0171 2124 I: <-> \Device\Harddisk1\DR1\Partition3
11:05:46.0171 2124 ============================================================
11:05:46.0171 2124 Initialize success
11:05:46.0171 2124 ============================================================
11:05:48.0062 3304 ============================================================
11:05:48.0062 3304 Scan started
11:05:48.0062 3304 Mode: Manual;
11:05:48.0062 3304 ============================================================
11:05:49.0015 3304 Abiosdsk - ok
11:05:49.0031 3304 abp480n5 - ok
11:05:49.0093 3304 ACPI (4fe34f1f3126b61fcc6b2043aa8112c9) C:\WINDOWS\system32\DRIVERS\ACPI.sys
11:05:49.0109 3304 ACPI - ok
11:05:49.0140 3304 ACPIEC (afdff022a01f0b11c776f0860c3b282f) C:\WINDOWS\system32\drivers\ACPIEC.sys
11:05:49.0156 3304 ACPIEC - ok
11:05:49.0171 3304 adpu160m - ok
11:05:49.0218 3304 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
11:05:49.0234 3304 aec - ok
11:05:49.0265 3304 AFD (322d0e36693d6e24a2398bee62a268cd) C:\WINDOWS\System32\drivers\afd.sys
11:05:49.0281 3304 AFD - ok
11:05:49.0281 3304 Aha154x - ok
11:05:49.0312 3304 aic78u2 - ok
11:05:49.0328 3304 aic78xx - ok
11:05:49.0359 3304 Alerter (e0a6fa244b8624d78fe5ff6f56a33bae) C:\WINDOWS\system32\alrsvc.dll
11:05:49.0359 3304 Alerter - ok
11:05:49.0390 3304 ALG (88842de939a827577bf24243699ac80a) C:\WINDOWS\System32\alg.exe
11:05:49.0390 3304 ALG - ok
11:05:49.0437 3304 ALIEHCD (c5f267a1ea036a662e42691b790ca283) C:\WINDOWS\system32\Drivers\ALIEHCI.sys
11:05:49.0453 3304 ALIEHCD - ok
11:05:49.0468 3304 AliIde - ok
11:05:49.0500 3304 aliroothub (8fae0ad01154140fa8e1da0eca833936) C:\WINDOWS\system32\DRIVERS\AliRtHub.sys
11:05:49.0500 3304 aliroothub - ok
11:05:49.0515 3304 amsint - ok
11:05:49.0562 3304 AppMgmt (6b8e7a90e576d4fe308f97c69060a171) C:\WINDOWS\System32\appmgmts.dll
11:05:49.0562 3304 AppMgmt - ok
11:05:49.0593 3304 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
11:05:49.0593 3304 Arp1394 - ok
11:05:49.0625 3304 asc - ok
11:05:49.0640 3304 asc3350p - ok
11:05:49.0656 3304 asc3550 - ok
11:05:49.0718 3304 aspnet_state (776acefa0ca9df0faa51a5fb2f435705) C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe
11:05:49.0734 3304 aspnet_state - ok
11:05:49.0765 3304 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
11:05:49.0781 3304 AsyncMac - ok
11:05:49.0812 3304 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
11:05:49.0812 3304 atapi - ok
11:05:49.0843 3304 Atdisk - ok
11:05:49.0859 3304 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
11:05:49.0859 3304 Atmarpc - ok
11:05:49.0906 3304 AudioSrv (de31b88962a8645dba5a37b993e7b0f1) C:\WINDOWS\System32\audiosrv.dll
11:05:49.0906 3304 AudioSrv - ok
11:05:49.0953 3304 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
11:05:49.0953 3304 audstub - ok
11:05:50.0171 3304 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
11:05:50.0203 3304 Beep - ok
11:05:50.0265 3304 BITS (19395d092fd85ddc2d9c7729cf5a2ac8) C:\WINDOWS\system32\qmgr.dll
11:05:50.0312 3304 BITS - ok
11:05:50.0343 3304 Browser (249276d3ef1e74b992299cb96099e4d7) C:\WINDOWS\System32\browser.dll
11:05:50.0343 3304 Browser - ok
11:05:50.0375 3304 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
11:05:50.0390 3304 cbidf2k - ok
11:05:50.0421 3304 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
11:05:50.0421 3304 CCDECODE - ok
11:05:50.0437 3304 cd20xrnt - ok
11:05:50.0468 3304 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
11:05:50.0468 3304 Cdaudio - ok
11:05:50.0500 3304 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
11:05:50.0500 3304 Cdfs - ok
11:05:50.0531 3304 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
11:05:50.0546 3304 Cdrom - ok
11:05:50.0562 3304 Changer - ok
11:05:50.0578 3304 CiSvc (e390dc1d7c461d7d56ec53402f329928) C:\WINDOWS\system32\cisvc.exe
11:05:50.0593 3304 CiSvc - ok
11:05:50.0625 3304 ClipSrv (064507a8dfa8c5c7e2ffddd3e6f424fa) C:\WINDOWS\system32\clipsrv.exe
11:05:50.0640 3304 ClipSrv - ok
11:05:50.0671 3304 clr_optimization_v4.0.30319_32 (c5a75eb48e2344abdc162bda79e16841) C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
11:05:50.0718 3304 clr_optimization_v4.0.30319_32 - ok
11:05:50.0734 3304 CmdIde - ok
11:05:50.0765 3304 COMSysApp - ok
11:05:50.0796 3304 Cpqarray - ok
11:05:50.0828 3304 Creative Service for CDROM Access (3c8b6609712f4ff78e521f6dcfc4032b) C:\WINDOWS\system32\CTsvcCDA.EXE
11:05:50.0828 3304 Creative Service for CDROM Access - ok
11:05:50.0859 3304 CryptSvc (f3ab0933cbd166d271992f411c27ccaf) C:\WINDOWS\System32\cryptsvc.dll
11:05:50.0859 3304 CryptSvc - ok
11:05:50.0890 3304 ctac32k (08489a6fcc1ce1ef6ea2d290a169a3b3) C:\WINDOWS\system32\drivers\ctac32k.sys
11:05:50.0906 3304 ctac32k - ok
11:05:50.0937 3304 ctprxy2k (b493ec482fa7b4352694cc473d22d3b7) C:\WINDOWS\system32\drivers\ctprxy2k.sys
11:05:50.0937 3304 ctprxy2k - ok
11:05:50.0984 3304 ctsfm2k (7bb189da3f0e1e89d84a324b795c0350) C:\WINDOWS\system32\drivers\ctsfm2k.sys
11:05:51.0000 3304 ctsfm2k - ok
11:05:51.0015 3304 dac2w2k - ok
11:05:51.0031 3304 dac960nt - ok
11:05:51.0109 3304 DcomLaunch (c868f3ae15cf71a93f2aa3a32856d839) C:\WINDOWS\system32\rpcss.dll
11:05:51.0125 3304 DcomLaunch - ok
11:05:51.0171 3304 Dhcp (8c9a53e285ac5e6704844d0459ec85be) C:\WINDOWS\System32\dhcpcsvc.dll
11:05:51.0187 3304 Dhcp - ok
11:05:51.0203 3304 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
11:05:51.0218 3304 Disk - ok
11:05:51.0234 3304 dmadmin - ok
11:05:51.0312 3304 dmboot (db5fd2bf5b07dc54bfcb3664ff05bd7c) C:\WINDOWS\system32\drivers\dmboot.sys
11:05:51.0359 3304 dmboot - ok
11:05:51.0390 3304 dmio (fff1720af51171f32f1ead5cf71f2810) C:\WINDOWS\system32\drivers\dmio.sys
11:05:51.0390 3304 dmio - ok
11:05:51.0421 3304 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
11:05:51.0421 3304 dmload - ok
11:05:51.0453 3304 dmserver (2bfefe9e865655a76982f050450b9591) C:\WINDOWS\System32\dmserver.dll
11:05:51.0453 3304 dmserver - ok
11:05:51.0484 3304 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
11:05:51.0500 3304 DMusic - ok
11:05:51.0531 3304 Dnscache (0634b791684b84f4a331f3d3536feef8) C:\WINDOWS\System32\dnsrslvr.dll
11:05:51.0531 3304 Dnscache - ok
11:05:51.0578 3304 Dot3svc (4a3e2bd20157a0946751229e92eb8621) C:\WINDOWS\System32\dot3svc.dll
11:05:51.0593 3304 Dot3svc - ok
11:05:51.0609 3304 dpti2o - ok
11:05:51.0640 3304 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
11:05:51.0640 3304 drmkaud - ok
11:05:51.0687 3304 eamon (8c2b6bbc82ad12cd9a2e73e5dcbba705) C:\WINDOWS\system32\DRIVERS\eamon.sys
11:05:51.0703 3304 eamon - ok
11:05:51.0718 3304 EapHost (0887d9c2be8d940778cad1e3b85f2a41) C:\WINDOWS\System32\eapsvc.dll
11:05:51.0734 3304 EapHost - ok
11:05:51.0781 3304 ehdrv (5412ed24fffca64e2f0168399b86c952) C:\WINDOWS\system32\DRIVERS\ehdrv.sys
11:05:51.0796 3304 ehdrv - ok
11:05:51.0953 3304 ekrn (ad4faade819e0da9933bea7c01d2c763) C:\Program Files\ESET\ESET Smart Security\ekrn.exe
11:05:51.0984 3304 ekrn - ok
11:05:52.0140 3304 emu10kx (ef99d8dab9fce9b734b40d5e0dd6abb4) C:\WINDOWS\system32\drivers\e10kx2k.sys
11:05:52.0203 3304 emu10kx - ok
11:05:52.0296 3304 emupia (16f794ab0a5a0dcd45c69579b426a6e3) C:\WINDOWS\system32\drivers\emupia2k.sys
11:05:52.0296 3304 emupia - ok
11:05:52.0328 3304 epfw (774babcb1144513dc86992003740b774) C:\WINDOWS\system32\DRIVERS\epfw.sys
11:05:52.0343 3304 epfw - ok
11:05:52.0375 3304 Epfwndis (4b86da2c58063b647577cd669cffaeeb) C:\WINDOWS\system32\DRIVERS\Epfwndis.sys
11:05:52.0375 3304 Epfwndis - ok
11:05:52.0437 3304 epfwtdi (1b36748ea9e25549ebe5d8ea105bd981) C:\WINDOWS\system32\DRIVERS\epfwtdi.sys
11:05:52.0468 3304 epfwtdi - ok
11:05:52.0500 3304 ERSvc (a2a4912798f2be706abadd3d30800d16) C:\WINDOWS\System32\ersvc.dll
11:05:52.0500 3304 ERSvc - ok
11:05:52.0546 3304 Eventlog (f0d2ae69035092bf22dad6b50fab85c2) C:\WINDOWS\system32\services.exe
11:05:52.0578 3304 Eventlog - ok
11:05:52.0625 3304 EventSystem (260c69fd67687b0dc062fc3d31655857) C:\WINDOWS\system32\es.dll
11:05:52.0640 3304 EventSystem - ok
11:05:52.0671 3304 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
11:05:52.0671 3304 Fastfat - ok
11:05:52.0718 3304 FastUserSwitchingCompatibility (b927443008910b412bec72fc41c1bad0) C:\WINDOWS\System32\shsvcs.dll
11:05:52.0734 3304 FastUserSwitchingCompatibility - ok
11:05:52.0765 3304 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
11:05:52.0765 3304 Fdc - ok
11:05:52.0781 3304 Fips (ac366695a0796560aa37215ad5762aaf) C:\WINDOWS\system32\drivers\Fips.sys
11:05:52.0781 3304 Fips - ok
11:05:52.0812 3304 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
11:05:52.0812 3304 Flpydisk - ok
11:05:52.0843 3304 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
11:05:52.0859 3304 FltMgr - ok
11:05:52.0875 3304 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
11:05:52.0890 3304 Fs_Rec - ok
11:05:52.0906 3304 Ftdisk (4e664d8541db4a66b73a24257e322e1f) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
11:05:52.0906 3304 Ftdisk - ok
11:05:52.0953 3304 gameenum (065639773d8b03f33577f6cdaea21063) C:\WINDOWS\system32\DRIVERS\gameenum.sys
11:05:52.0968 3304 gameenum - ok
11:05:52.0984 3304 GMSIPCI - ok
11:05:53.0031 3304 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
11:05:53.0031 3304 Gpc - ok
11:05:53.0062 3304 helpsvc (fcfe31fb75f8a6295b6b0af87a626282) C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll
11:05:53.0062 3304 helpsvc - ok
11:05:53.0078 3304 HidServ - ok
11:05:53.0109 3304 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
11:05:53.0125 3304 hidusb - ok
11:05:53.0156 3304 hkmsvc (7a6b320928f86bc851530d63c82965d9) C:\WINDOWS\System32\kmsvc.dll
11:05:53.0171 3304 hkmsvc - ok
11:05:53.0187 3304 hpn - ok
11:05:53.0234 3304 HTTP (f6aacf5bce2893e0c1754afeb672e5c9) C:\WINDOWS\system32\Drivers\HTTP.sys
11:05:53.0250 3304 HTTP - ok
11:05:53.0281 3304 HTTPFilter (58fe2f2da3bc5573f4a35b3760d3125f) C:\WINDOWS\System32\w3ssl.dll
11:05:53.0296 3304 HTTPFilter - ok
11:05:53.0296 3304 i2omgmt - ok
11:05:53.0343 3304 i2omp - ok
11:05:53.0375 3304 i8042prt (c528e27945367191e7bae364930b6932) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
11:05:53.0390 3304 i8042prt - ok
11:05:53.0421 3304 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
11:05:53.0421 3304 Imapi - ok
11:05:53.0468 3304 ImapiService (f7b93aafad33b2320954c17e26c8d361) C:\WINDOWS\system32\imapi.exe
11:05:53.0484 3304 ImapiService - ok
11:05:53.0515 3304 ini910u - ok
11:05:53.0531 3304 IntelIde - ok
11:05:53.0562 3304 intelppm (27b290d632af2cf3cf40bfddb7370985) C:\WINDOWS\system32\DRIVERS\intelppm.sys
11:05:53.0562 3304 intelppm - ok
11:05:53.0578 3304 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
11:05:53.0593 3304 Ip6Fw - ok
11:05:53.0625 3304 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
11:05:53.0640 3304 IpFilterDriver - ok
11:05:53.0671 3304 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
11:05:53.0671 3304 IpInIp - ok
11:05:53.0703 3304 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
11:05:53.0718 3304 IpNat - ok
11:05:53.0750 3304 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
11:05:53.0765 3304 IPSec - ok
11:05:53.0828 3304 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
11:05:53.0843 3304 IRENUM - ok
11:05:53.0875 3304 isapnp (cc9f8a2d60aed1a51a3ac34c59b987ae) C:\WINDOWS\system32\DRIVERS\isapnp.sys
11:05:53.0875 3304 isapnp - ok
11:05:53.0906 3304 Kbdclass (1b6162fe7f66b1a71a4b70f941c4aa9b) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
11:05:53.0906 3304 Kbdclass - ok
11:05:53.0953 3304 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
11:05:53.0968 3304 kmixer - ok
11:05:54.0015 3304 KSecDD (1705745d900dabf2d89f90ebaddc7517) C:\WINDOWS\system32\drivers\KSecDD.sys
11:05:54.0015 3304 KSecDD - ok
11:05:54.0046 3304 LanmanServer (21920ac69594ab021237054fa728fe46) C:\WINDOWS\System32\srvsvc.dll
11:05:54.0078 3304 LanmanServer - ok
11:05:54.0109 3304 lanmanworkstation (5190783f51a2d7a8495202c664d7c963) C:\WINDOWS\System32\wkssvc.dll
11:05:54.0125 3304 lanmanworkstation - ok
11:05:54.0140 3304 lbrtfdc - ok
11:05:54.0187 3304 LmHosts (0ab159f536e3e8f7f07113702a07cca5) C:\WINDOWS\System32\lmhsvc.dll
11:05:54.0203 3304 LmHosts - ok
11:05:54.0265 3304 McciCMService (4f74184920b2d6e33024409b4c5c57c1) C:\Program Files\Common Files\Motive\McciCMService.exe
11:05:54.0265 3304 McciCMService - ok
11:05:54.0296 3304 Messenger (221cd1c815b8a6b79389c3f5d1018de8) C:\WINDOWS\System32\msgsvc.dll
11:05:54.0312 3304 Messenger - ok
11:05:54.0375 3304 Microsoft Office Groove Audit Service (fafe367d032ed82e9332b4c741a20216) C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe
11:05:54.0375 3304 Microsoft Office Groove Audit Service - ok
11:05:54.0406 3304 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
11:05:54.0437 3304 mnmdd - ok
11:05:54.0500 3304 mnmsrvc (9a57d046f88f4b69751b11fd40088a61) C:\WINDOWS\system32\mnmsrvc.exe
11:05:54.0531 3304 mnmsrvc - ok
11:05:54.0562 3304 Modem (44032b0c6d9954d3fd26438330b99ee7) C:\WINDOWS\system32\drivers\Modem.sys
11:05:54.0578 3304 Modem - ok
11:05:54.0609 3304 Mouclass (4cb582831dbde63ce43b45d771218374) C:\WINDOWS\system32\DRIVERS\mouclass.sys
11:05:54.0625 3304 Mouclass - ok
11:05:54.0640 3304 mouhid (bb269eba740737ab749b214d568b6812) C:\WINDOWS\system32\DRIVERS\mouhid.sys
11:05:54.0640 3304 mouhid - ok
11:05:54.0671 3304 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
11:05:54.0671 3304 MountMgr - ok
11:05:54.0687 3304 mraid35x - ok
11:05:54.0734 3304 MREMP50 (9bd4dcb5412921864a7aacdedfbd1923) C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS
11:05:54.0734 3304 MREMP50 - ok
11:05:54.0765 3304 MREMP50a64 - ok
11:05:54.0781 3304 MREMPR5 - ok
11:05:54.0796 3304 MRENDIS5 - ok
11:05:54.0812 3304 MRESP50 (07c02c892e8e1a72d6bf35004f0e9c5e) C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS
11:05:54.0812 3304 MRESP50 - ok
11:05:54.0828 3304 MRESP50a64 - ok
11:05:54.0875 3304 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
11:05:54.0875 3304 MRxDAV - ok
11:05:54.0937 3304 MRxSmb (68755f0ff16070178b54674fe5b847b0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
11:05:54.0953 3304 MRxSmb - ok
11:05:54.0968 3304 MSDTC (6db4d1521caba9a5ffab54ade0ae867d) C:\WINDOWS\system32\msdtc.exe
11:05:54.0968 3304 MSDTC - ok
11:05:55.0015 3304 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
11:05:55.0015 3304 Msfs - ok
11:05:55.0031 3304 MSIServer - ok
11:05:55.0062 3304 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
11:05:55.0078 3304 MSKSSRV - ok
11:05:55.0093 3304 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
11:05:55.0093 3304 MSPCLOCK - ok
11:05:55.0109 3304 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
11:05:55.0109 3304 MSPQM - ok
11:05:55.0140 3304 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
11:05:55.0140 3304 mssmbios - ok
11:05:55.0171 3304 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
11:05:55.0171 3304 MSTEE - ok
11:05:55.0203 3304 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
11:05:55.0218 3304 Mup - ok
11:05:55.0250 3304 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
11:05:55.0265 3304 NABTSFEC - ok
11:05:55.0312 3304 napagent (6ea362e9db03d44f6b996f4d8be237e9) C:\WINDOWS\System32\qagentrt.dll
11:05:55.0343 3304 napagent - ok
11:05:55.0375 3304 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
11:05:55.0375 3304 NDIS - ok
11:05:55.0406 3304 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
11:05:55.0406 3304 NdisIP - ok
11:05:55.0468 3304 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
11:05:55.0468 3304 NdisTapi - ok
11:05:55.0515 3304 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
11:05:55.0515 3304 Ndisuio - ok
11:05:55.0546 3304 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
11:05:55.0546 3304 NdisWan - ok
11:05:55.0578 3304 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
11:05:55.0578 3304 NDProxy - ok
11:05:55.0593 3304 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
11:05:55.0593 3304 NetBIOS - ok
11:05:55.0625 3304 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
11:05:55.0640 3304 NetBT - ok
11:05:55.0671 3304 NetDDE (933de774986ec85e48210c44ab431de6) C:\WINDOWS\system32\netdde.exe
11:05:55.0703 3304 NetDDE - ok
11:05:55.0718 3304 NetDDEdsdm (933de774986ec85e48210c44ab431de6) C:\WINDOWS\system32\netdde.exe
11:05:55.0718 3304 NetDDEdsdm - ok
11:05:55.0750 3304 Netlogon (ed0a176354487ceed65b80a7148ab739) C:\WINDOWS\system32\lsass.exe
11:05:55.0750 3304 Netlogon - ok
11:05:55.0796 3304 Netman (72e1e9e2977be08bdeedb6d8fd9d4d40) C:\WINDOWS\System32\netman.dll
11:05:55.0812 3304 Netman - ok
11:05:55.0859 3304 NetTcpPortSharing (d22cd77d4f0d63d1169bb35911bff12d) C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe
11:05:55.0890 3304 NetTcpPortSharing - ok
11:05:55.0921 3304 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
11:05:55.0921 3304 NIC1394 - ok
11:05:55.0968 3304 Nla (aac97dab5f8a0573cf10e0eac42a7724) C:\WINDOWS\System32\mswsock.dll
11:05:55.0984 3304 Nla - ok
11:05:56.0015 3304 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
11:05:56.0015 3304 Npfs - ok
11:05:56.0078 3304 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
11:05:56.0093 3304 Ntfs - ok
11:05:56.0109 3304 NtLmSsp (ed0a176354487ceed65b80a7148ab739) C:\WINDOWS\system32\lsass.exe
11:05:56.0125 3304 NtLmSsp - ok
11:05:56.0171 3304 NtmsSvc (023dd70573d644f3d9c8b1258a7bfd08) C:\WINDOWS\system32\ntmssvc.dll
11:05:56.0218 3304 NtmsSvc - ok
11:05:56.0250 3304 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
11:05:56.0250 3304 Null - ok
11:05:56.0453 3304 nv (2b298519edbfcf451d43e0f1e8f1006d) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
11:05:56.0546 3304 nv - ok
11:05:56.0625 3304 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
11:05:56.0640 3304 NwlnkFlt - ok
11:05:56.0656 3304 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
11:05:56.0671 3304 NwlnkFwd - ok
11:05:56.0781 3304 odserv (84de1dd996b48b05ace31ad015fa108a) C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE
11:05:56.0796 3304 odserv - ok
11:05:56.0843 3304 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
11:05:56.0843 3304 ohci1394 - ok
11:05:56.0921 3304 ose (5a432a042dae460abe7199b758e8606c) C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
11:05:56.0968 3304 ose - ok
11:05:57.0031 3304 ossrv (d653f455b176529f0427b24361139619) C:\WINDOWS\system32\drivers\ctoss2k.sys
11:05:57.0046 3304 ossrv - ok
11:05:57.0140 3304 PAC207 (16ea91ac88c700a3632ddb91c62834ec) C:\WINDOWS\system32\DRIVERS\PFC027.SYS
11:05:57.0156 3304 PAC207 - ok
11:05:57.0203 3304 Parport (46f8db73b4a53e543f8e371dc7c75bae) C:\WINDOWS\system32\DRIVERS\parport.sys
11:05:57.0203 3304 Parport - ok
11:05:57.0218 3304 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
11:05:57.0218 3304 PartMgr - ok
11:05:57.0250 3304 ParVdm (1fae19d0457176318bba4a8795656ebc) C:\WINDOWS\system32\drivers\ParVdm.sys
11:05:57.0250 3304 ParVdm - ok
11:05:57.0281 3304 PCI (6ce351d149cb4befc702951e471e1730) C:\WINDOWS\system32\DRIVERS\pci.sys
11:05:57.0281 3304 PCI - ok
11:05:57.0296 3304 PCIDump - ok
11:05:57.0328 3304 PCIIde (2da4ec85e0ea7a45c6b2a05820492d5a) C:\WINDOWS\system32\DRIVERS\pciide.sys
11:05:57.0328 3304 PCIIde - ok
11:05:57.0359 3304 Pcmcia (4fc31e6c19a5ce5198b1abff94cae758) C:\WINDOWS\system32\drivers\Pcmcia.sys
11:05:57.0359 3304 Pcmcia - ok
11:05:57.0375 3304 PDCOMP - ok
11:05:57.0390 3304 PDFRAME - ok
11:05:57.0406 3304 PDRELI - ok
11:05:57.0421 3304 PDRFRAME - ok
11:05:57.0437 3304 perc2 - ok
11:05:57.0453 3304 perc2hib - ok
11:05:57.0531 3304 PfModNT (2f5532f9b0f903b26847da674b4f55b2) C:\WINDOWS\system32\PfModNT.sys
11:05:57.0562 3304 PfModNT - ok
11:05:57.0593 3304 PlugPlay (f0d2ae69035092bf22dad6b50fab85c2) C:\WINDOWS\system32\services.exe
11:05:57.0593 3304 PlugPlay - ok
11:05:57.0625 3304 PolicyAgent (ed0a176354487ceed65b80a7148ab739) C:\WINDOWS\system32\lsass.exe
11:05:57.0625 3304 PolicyAgent - ok
11:05:57.0671 3304 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
11:05:57.0671 3304 PptpMiniport - ok
11:05:57.0703 3304 PQNTDrv (4228630829c0e521c43d882a00533374) C:\WINDOWS\system32\drivers\PQNTDrv.sys
11:05:57.0718 3304 PQNTDrv - ok
11:05:57.0734 3304 ProtectedStorage (ed0a176354487ceed65b80a7148ab739) C:\WINDOWS\system32\lsass.exe
11:05:57.0734 3304 ProtectedStorage - ok
11:05:57.0765 3304 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
11:05:57.0765 3304 PSched - ok
11:05:57.0781 3304 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
11:05:57.0796 3304 Ptilink - ok
11:05:57.0796 3304 ql1080 - ok
11:05:57.0828 3304 Ql10wnt - ok
11:05:57.0828 3304 ql12160 - ok
11:05:57.0843 3304 ql1240 - ok
11:05:57.0859 3304 ql1280 - ok
11:05:57.0906 3304 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
11:05:57.0906 3304 RasAcd - ok
11:05:57.0937 3304 RasAuto (2b5e44ea009f2f374b980e1e9a70635d) C:\WINDOWS\System32\rasauto.dll
11:05:57.0968 3304 RasAuto - ok
11:05:58.0015 3304 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
11:05:58.0031 3304 Rasl2tp - ok
11:05:58.0078 3304 RasMan (d57554c664b64604bd1ee13ea2c07e77) C:\WINDOWS\System32\rasmans.dll
11:05:58.0109 3304 RasMan - ok
11:05:58.0125 3304 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
11:05:58.0140 3304 RasPppoe - ok
11:05:58.0156 3304 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
11:05:58.0171 3304 Raspti - ok
11:05:58.0218 3304 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
11:05:58.0218 3304 Rdbss - ok
11:05:58.0234 3304 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
11:05:58.0250 3304 RDPCDD - ok
11:05:58.0296 3304 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
11:05:58.0296 3304 rdpdr - ok
11:05:58.0359 3304 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
11:05:58.0375 3304 RDPWD - ok
11:05:58.0421 3304 RDSessMgr (c0d9d9711cb74ee9bc66353d8cbdab0e) C:\WINDOWS\system32\sessmgr.exe
11:05:58.0437 3304 RDSessMgr - ok
11:05:58.0484 3304 redbook (611bfd220305be3a85ae876ea47d4aa5) C:\WINDOWS\system32\DRIVERS\redbook.sys
11:05:58.0500 3304 redbook - ok
11:05:58.0546 3304 RemoteAccess (127c26b5371651043450e52542099aba) C:\WINDOWS\System32\mprdim.dll
11:05:58.0562 3304 RemoteAccess - ok
11:05:58.0609 3304 RemoteRegistry (8f31505484a190d5b22274708799f4ec) C:\WINDOWS\system32\regsvc.dll
11:05:58.0609 3304 RemoteRegistry - ok
11:05:58.0640 3304 RpcLocator (718b3bdc0bc3c2f7d065a53d26202af9) C:\WINDOWS\system32\locator.exe
11:05:58.0656 3304 RpcLocator - ok
11:05:58.0703 3304 RpcSs (c868f3ae15cf71a93f2aa3a32856d839) C:\WINDOWS\system32\rpcss.dll
11:05:58.0718 3304 RpcSs - ok
11:05:58.0750 3304 RSVP (09ab2e71e58b078038e3bfdba7ffc984) C:\WINDOWS\system32\rsvp.exe
11:05:58.0765 3304 RSVP - ok
11:05:58.0796 3304 rtl8139 (8be348f9aeeb4da0005b7f500f46f6ad) C:\WINDOWS\system32\DRIVERS\RTL8139.SYS
11:05:58.0796 3304 rtl8139 - ok
11:05:58.0812 3304 SamSs (ed0a176354487ceed65b80a7148ab739) C:\WINDOWS\system32\lsass.exe
11:05:58.0828 3304 SamSs - ok
11:05:58.0859 3304 SCardSvr (410046e401eb11e1e6749e9deea41d4a) C:\WINDOWS\System32\SCardSvr.exe
11:05:58.0859 3304 SCardSvr - ok
11:05:58.0906 3304 Schedule (3ff232a7731621b8902d81d42418c93c) C:\WINDOWS\system32\schedsvc.dll
11:05:58.0921 3304 Schedule - ok
11:05:58.0937 3304 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
11:05:58.0937 3304 Secdrv - ok
11:05:58.0968 3304 seclogon (477e2c3cc5e4a0d635bcb0ea8dcac3c6) C:\WINDOWS\System32\seclogon.dll
11:05:58.0968 3304 seclogon - ok
11:05:58.0984 3304 SENS (a530b75c10c23c9ab28fdb6ce719e21f) C:\WINDOWS\system32\sens.dll
11:05:59.0000 3304 SENS - ok
11:05:59.0031 3304 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
11:05:59.0031 3304 serenum - ok
11:05:59.0062 3304 Serial (b842729337c9b921615c40d3c1a1af96) C:\WINDOWS\system32\DRIVERS\serial.sys
11:05:59.0062 3304 Serial - ok
11:05:59.0125 3304 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
11:05:59.0140 3304 Sfloppy - ok
11:05:59.0203 3304 SharedAccess (f58faca9621d2db01bd0927d9a0a208e) C:\WINDOWS\System32\ipnathlp.dll
11:05:59.0203 3304 SharedAccess - ok
11:05:59.0250 3304 ShellHWDetection (b927443008910b412bec72fc41c1bad0) C:\WINDOWS\System32\shsvcs.dll
11:05:59.0250 3304 ShellHWDetection - ok
11:05:59.0265 3304 Simbad - ok
11:05:59.0312 3304 sisagp (c729eb60dd40948e5eb3fb53dc9cad44) C:\WINDOWS\system32\DRIVERS\sisagp.sys
11:05:59.0312 3304 sisagp - ok
11:05:59.0359 3304 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
11:05:59.0359 3304 SLIP - ok
11:05:59.0390 3304 Sparrow - ok
11:05:59.0421 3304 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
11:05:59.0437 3304 splitter - ok
11:05:59.0468 3304 Spooler (cb1090bca0e7b40d0b5b4e4d66531809) C:\WINDOWS\system32\spoolsv.exe
11:05:59.0484 3304 Spooler - ok
11:05:59.0578 3304 sptd (71e276f6d189413266ea22171806597b) C:\WINDOWS\system32\Drivers\sptd.sys
11:05:59.0578 3304 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: 71e276f6d189413266ea22171806597b
11:05:59.0593 3304 sptd ( LockedFile.Multi.Generic ) - warning
11:05:59.0593 3304 sptd - detected LockedFile.Multi.Generic (1)
11:05:59.0625 3304 sr (94610c8653635e4459316a0050d55ce7) C:\WINDOWS\system32\DRIVERS\sr.sys
11:05:59.0625 3304 sr - ok
11:05:59.0656 3304 srservice (35b91147124f64ac8081a2edb9ea4dee) C:\WINDOWS\system32\srsvc.dll
11:05:59.0671 3304 srservice - ok
11:05:59.0718 3304 Srv (5252605079810904e31c332e241cd59b) C:\WINDOWS\system32\DRIVERS\srv.sys
11:05:59.0734 3304 Srv - ok
11:05:59.0765 3304 SSDPSRV (becd5271dc4e3b7c3d035f790fcbc1e5) C:\WINDOWS\System32\ssdpsrv.dll
11:05:59.0765 3304 SSDPSRV - ok
11:05:59.0812 3304 stisvc (c1cdd9275f6a115bb0ae1d55d8d27ba6) C:\WINDOWS\system32\wiaservc.dll
11:05:59.0843 3304 stisvc - ok
11:05:59.0859 3304 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
11:05:59.0875 3304 streamip - ok
11:05:59.0906 3304 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
11:05:59.0906 3304 swenum - ok
11:05:59.0937 3304 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
11:05:59.0953 3304 swmidi - ok
11:05:59.0968 3304 SwPrv - ok
11:05:59.0984 3304 symc810 - ok
11:06:00.0015 3304 symc8xx - ok
11:06:00.0031 3304 sym_hi - ok
11:06:00.0046 3304 sym_u3 - ok
11:06:00.0078 3304 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
11:06:00.0078 3304 sysaudio - ok
11:06:00.0109 3304 SysmonLog (ce06f01b88ace199a1bf460cac29c110) C:\WINDOWS\system32\smlogsvc.exe
11:06:00.0125 3304 SysmonLog - ok
11:06:00.0171 3304 TapiSrv (c2546cd7a398476f9df5614b2ae160e8) C:\WINDOWS\System32\tapisrv.dll
11:06:00.0187 3304 TapiSrv - ok
11:06:00.0234 3304 Tcpip (93ea8d04ec73a85db02eb8805988f733) C:\WINDOWS\system32\DRIVERS\tcpip.sys
11:06:00.0250 3304 Tcpip - ok
11:06:00.0296 3304 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
11:06:00.0296 3304 TDPIPE - ok
11:06:00.0312 3304 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
11:06:00.0328 3304 TDTCP - ok
11:06:00.0359 3304 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
11:06:00.0359 3304 TermDD - ok
11:06:00.0406 3304 TermService (a75dd6fc3dbee4fff5ebc9f2c28bb66e) C:\WINDOWS\System32\termsrv.dll
11:06:00.0421 3304 TermService - ok
11:06:00.0453 3304 Themes (b927443008910b412bec72fc41c1bad0) C:\WINDOWS\System32\shsvcs.dll
11:06:00.0468 3304 Themes - ok
11:06:00.0484 3304 TlntSvr (cd0cc7b167d78043a41c98d4921efb54) C:\WINDOWS\system32\tlntsvr.exe
11:06:00.0500 3304 TlntSvr - ok
11:06:00.0531 3304 TosIde - ok
11:06:00.0562 3304 TrkWks (38853304ccb938d30e0c4cde8d2c2a8a) C:\WINDOWS\system32\trkwks.dll
11:06:00.0578 3304 TrkWks - ok
11:06:00.0625 3304 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
11:06:00.0625 3304 Udfs - ok
11:06:00.0640 3304 ultra - ok
11:06:01.0140 3304 UnlockerDriver5 (bb879dcfd22926efbeb3298129898cbb) D:\Nove instalacky\Unlocker 1.9.0\x86\UnlockerDriver5.sys
11:06:01.0156 3304 UnlockerDriver5 - ok
11:06:01.0218 3304 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
11:06:01.0250 3304 Update - ok
11:06:01.0312 3304 upnphost (651bd90dcee5b7bdc74a2eb7c9266f9e) C:\WINDOWS\System32\upnphost.dll
11:06:01.0343 3304 upnphost - ok
11:06:01.0375 3304 UPS (20a0f6a11959e92908717d09e87d670d) C:\WINDOWS\System32\ups.exe
11:06:01.0390 3304 UPS - ok
11:06:01.0437 3304 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
11:06:01.0453 3304 usbehci - ok
11:06:01.0468 3304 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
11:06:01.0468 3304 usbhub - ok
11:06:01.0500 3304 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
11:06:01.0515 3304 usbohci - ok
11:06:01.0546 3304 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
11:06:01.0562 3304 USBSTOR - ok
11:06:01.0578 3304 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
11:06:01.0593 3304 VgaSave - ok
11:06:01.0609 3304 ViaIde - ok
11:06:01.0640 3304 VolSnap (28a4b296b47782173c346e376cb374d1) C:\WINDOWS\system32\drivers\VolSnap.sys
11:06:01.0640 3304 VolSnap - ok
11:06:01.0671 3304 VSS (d6ba1a63d9e00933f1cd2a885573afb2) C:\WINDOWS\System32\vssvc.exe
11:06:01.0703 3304 VSS - ok
11:06:01.0734 3304 W32Time (fa4e1cdba256787f2149f4aad07bc91f) C:\WINDOWS\system32\w32time.dll
11:06:01.0765 3304 W32Time - ok
11:06:01.0796 3304 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
11:06:01.0796 3304 Wanarp - ok
11:06:01.0812 3304 WDICA - ok
11:06:01.0859 3304 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
11:06:01.0875 3304 wdmaud - ok
11:06:01.0921 3304 WebClient (47ae51048a82dfa1cd6b51d369f7e169) C:\WINDOWS\System32\webclnt.dll
11:06:01.0921 3304 WebClient - ok
11:06:02.0000 3304 winmgmt (e488332126e3b1182d2b8a0c35408ec6) C:\WINDOWS\system32\wbem\WMIsvc.dll
11:06:02.0015 3304 winmgmt - ok
11:06:02.0078 3304 WMDM PMSP Service (581176f60885aef8f78c6e38dcc3cdf9) C:\WINDOWS\system32\MsPMSPSv.exe
11:06:02.0078 3304 WMDM PMSP Service - ok
11:06:02.0109 3304 WmdmPmSN (c51b4a5c05a5475708e3c81c7765b71d) C:\WINDOWS\system32\mspmsnsv.dll
11:06:02.0109 3304 WmdmPmSN - ok
11:06:02.0187 3304 Wmi (6538d6bde04b56737fe743c24d4ce83d) C:\WINDOWS\System32\advapi32.dll
11:06:02.0218 3304 Wmi - ok
11:06:02.0265 3304 WmiApSrv (23f6f03272f7e5679f1f050aed5acee6) C:\WINDOWS\system32\wbem\wmiapsrv.exe
11:06:02.0265 3304 WmiApSrv - ok
11:06:02.0390 3304 WMPNetworkSvc (3739866d20abd42f26a7b85f9e2560af) C:\Program Files\Windows Media Player\WMPNetwk.exe
11:06:02.0421 3304 WMPNetworkSvc - ok
11:06:02.0593 3304 WPFFontCache_v0400 (dcf3e3edf5109ee8bc02fe6e1f045795) C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe
11:06:02.0640 3304 WPFFontCache_v0400 - ok
11:06:02.0718 3304 wscsvc (4c86d5faf78194995af9cc1075f65dd3) C:\WINDOWS\system32\wscsvc.dll
11:06:02.0734 3304 wscsvc - ok
11:06:02.0765 3304 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
11:06:02.0765 3304 WSTCODEC - ok
11:06:02.0796 3304 wuauserv (c1364564800ee9784192145324a23308) C:\WINDOWS\system32\wuauserv.dll
11:06:02.0812 3304 wuauserv - ok
11:06:02.0843 3304 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
11:06:02.0859 3304 WudfPf - ok
11:06:02.0890 3304 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
11:06:02.0890 3304 WudfRd - ok
11:06:02.0921 3304 WudfSvc (05231c04253c5bc30b26cbaae680ed89) C:\WINDOWS\System32\WUDFSvc.dll
11:06:02.0937 3304 WudfSvc - ok
11:06:03.0000 3304 WZCSVC (a27d4ba7264c0bf52f32d10405bea1d4) C:\WINDOWS\System32\wzcsvc.dll
11:06:03.0046 3304 WZCSVC - ok
11:06:03.0109 3304 xmlprov (eaa4bb9edb3fb10cf8979fe65e63658f) C:\WINDOWS\System32\xmlprov.dll
11:06:03.0140 3304 xmlprov - ok
11:06:03.0171 3304 MBR (0x1B8) (413fc2a0c716421b3158746d63736515) \Device\Harddisk0\DR0
11:06:03.0203 3304 \Device\Harddisk0\DR0 ( Rootkit.Boot.Sinowal.b ) - infected
11:06:03.0203 3304 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Sinowal.b (0)
11:06:03.0234 3304 MBR (0x1B8) (671b81004fdd1588fa9ed1331c9ceca9) \Device\Harddisk1\DR1
11:06:03.0234 3304 \Device\Harddisk1\DR1 - ok
11:06:03.0250 3304 Boot (0x1200) (e53bbfb43a1a7d155fc2f9529affd814) \Device\Harddisk0\DR0\Partition0
11:06:03.0250 3304 \Device\Harddisk0\DR0\Partition0 - ok
11:06:03.0296 3304 Boot (0x1200) (e631e98ede6c871997ba041e66a246ed) \Device\Harddisk0\DR0\Partition1
11:06:03.0296 3304 \Device\Harddisk0\DR0\Partition1 - ok
11:06:03.0312 3304 Boot (0x1200) (38128683195653d78d4e296c1886fba2) \Device\Harddisk0\DR0\Partition2
11:06:03.0328 3304 \Device\Harddisk0\DR0\Partition2 - ok
11:06:03.0328 3304 Boot (0x1200) (570d283aec0daaa232a8e8bca08643c3) \Device\Harddisk1\DR1\Partition0
11:06:03.0343 3304 \Device\Harddisk1\DR1\Partition0 - ok
11:06:03.0359 3304 Boot (0x1200) (e914101121217a84e6da7051ab9762c6) \Device\Harddisk1\DR1\Partition1
11:06:03.0359 3304 \Device\Harddisk1\DR1\Partition1 - ok
11:06:03.0390 3304 Boot (0x1200) (3764d93264adf5625722a58950a93954) \Device\Harddisk1\DR1\Partition2
11:06:03.0390 3304 \Device\Harddisk1\DR1\Partition2 - ok
11:06:03.0406 3304 Boot (0x1200) (ad93ca5ab9bb4d971c11ca926c3e4d5d) \Device\Harddisk1\DR1\Partition3
11:06:03.0406 3304 \Device\Harddisk1\DR1\Partition3 - ok
11:06:03.0421 3304 ============================================================
11:06:03.0421 3304 Scan finished
11:06:03.0421 3304 ============================================================
11:06:03.0453 3584 Detected object count: 2
11:06:03.0453 3584 Actual detected object count: 2
11:09:33.0687 3584 sptd ( LockedFile.Multi.Generic ) - skipped by user
11:09:33.0687 3584 sptd ( LockedFile.Multi.Generic ) - User select action: Skip
11:09:34.0593 3584 \Device\Harddisk0\DR0\# - copied to quarantine
11:09:34.0593 3584 \Device\Harddisk0\DR0 - copied to quarantine
11:09:34.0656 3584 \Device\Harddisk0\DR0 ( Rootkit.Boot.Sinowal.b ) - will be cured on reboot
11:09:34.0656 3584 \Device\Harddisk0\DR0 - ok
11:09:34.0656 3584 \Device\Harddisk0\DR0 ( Rootkit.Boot.Sinowal.b ) - User select action: Cure
11:36:43.0593 3628 Deinitialize success

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD5000AAKB-00H8A0 rev.05.04E05 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys spbf.sys >>UNKNOWN [0x8678D938]<<
spbf.sys
1 nt!IofCallDriver[0x804E37C5] -> \Device\Harddisk0\DR0[0x86739AB8]
3 CLASSPNP[0xF788EFD7] -> nt!IofCallDriver[0x804E37C5] -> \Device\0000005d[0x86729F18]
5 ACPI[0xF76CD620] -> nt!IofCallDriver[0x804E37C5] -> \Device\Ide\IdeDeviceP0T0L0-4[0x8673FD98]
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 976768065

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2012-06-02 23:54:02
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4 WDC_WD5000AAKB-00H8A0 rev.05.04E05
Running: gmer.exe; Driver: C:\DOCUME~1\Honza\LOCALS~1\Temp\pxlyrpow.sys


---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 malicious Win32:MBRoot code @ sector 976768068

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\2646299drv.sys ZwEnumerateKey [0xF211C00A]
SSDT \SystemRoot\system32\DRIVERS\2646299drv.sys ZwEnumerateValueKey [0xF211C0A2]

Code \SystemRoot\system32\DRIVERS\4341338drv.sys FsRtlCheckLockForReadAccess
Code \SystemRoot\system32\DRIVERS\4341338drv.sys IoIsOperationSynchronous

---- Devices - GMER 1.0.15 ----

Device \Driver\atapi \Device\Ide\IdePort0 [F7662B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 [F7662B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort1 [F7662B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c [F7662B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 [F7662B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 [F7662B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\ayw328fo \Device\Scsi\ayw328fo1 864A2500
Device \Driver\ayw328fo \Device\Scsi\ayw328fo1Port2Path0Target0Lun0 864A2500
Device \FileSystem\Ntfs \Ntfs 867D81F8

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\Tcpip \Device\Ip epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\Udp epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\RawIp epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)

---- EOF - GMER 1.0.15 ----

Kód: Vybrat vše

MBRScan v1.1.1

OS             : Windows XP Home Service Pack 3 (32 bit)
PROCESSOR      : x86 Family 15 Model 2 Stepping 4, GenuineIntel
BOOT           : Normal Boot
DATE           : 2012/06/03 (ISO 8601) at 11:45:00
________________________________________________________________________________

DISK           : Device\Harddisk0\DR0 __WDC WD5000AAKB-00H8A0 (05.04E05)
BUS_TYPE       : (0x03)  P-ATA
USE_PIO        : YES
MAX_TRANSFER   : 128 Kb
ALIGNMENT_MASK : word aligned
________________________________________________________________________________

DISK           : Device\Harddisk1\DR1 __ST3300622A (3.AAH)
BUS_TYPE       : (0x03)  P-ATA
USE_PIO        : YES
MAX_TRANSFER   : 128 Kb
ALIGNMENT_MASK : word aligned
________________________________________________________________________________

Device\Harddisk0\DR0	465.8 Go  [Fixed] ==> XP MBR Code

MBR_MD5   : 86A438E548C157B4A11CAA6EBE95596A
MBR_SHA1  : D7713C070CE27FCA9421CB62BD62FBF95369BAFC

Device\Harddisk0\Partition1	39.06 Go  	0x07 NTFS / HPFS __ BOOTABLE __
Device\Harddisk0\Partition2	212.9 Go  	0x07 NTFS / HPFS
Device\Harddisk0\Partition3	213.8 Go  	0x07 NTFS / HPFS
________________________________________________________________________________

Device\Harddisk1\DR1	279.5 Go  [Fixed] ==> Unknown MBR Code

MBR_MD5   : EB3B8963DC355FF8288598B30BC56618
MBR_SHA1  : 07C227B53A520AF37C348CF63CDFD5C722C6CADE

Device\Harddisk1\Partition1	69.82 Go  	0x07 NTFS / HPFS
Device\Harddisk1\Partition2	69.82 Go  	0x07 NTFS / HPFS
Device\Harddisk1\Partition3	97.66 Go  	0x07 NTFS / HPFS
Device\Harddisk1\Partition4	42.14 Go  	0x07 NTFS / HPFS
________________________________________________________________________________

############################### Additional scan ################################

SystemStartOptions : NOEXECUTE=OPTIN  FASTDETECT

________________________________________________________________________________

_______MBR   \Device\Harddisk0\DR0  

0x00000000   33 C0 8E D0 BC 00 7C FB 50 07 50 1F FC BE 1B 7C   3À.м.|ûP.P.ü¾.|
0x00000010   BF 1B 06 50 57 B9 E5 01 F3 A4 CB BD BE 07 B1 04   ¿..PW¹å.ó¤Ë½¾.±.
0x00000020   38 6E 00 7C 09 75 13 83 C5 10 E2 F4 CD 18 8B F5   8n.|.u..Å.âôÍ..õ
0x00000030   83 C6 10 49 74 19 38 2C 74 F6 A0 B5 07 B4 07 8B   .Æ.It.8,tö.µ.´..
0x00000040   F0 AC 3C 00 74 FC BB 07 00 B4 0E CD 10 EB F2 88   ð¬<.tü»..´.Í.ëò.
0x00000050   4E 10 E8 46 00 73 2A FE 46 10 80 7E 04 0B 74 0B   N.èF.s*þF..~..t.
0x00000060   80 7E 04 0C 74 05 A0 B6 07 75 D2 80 46 02 06 83   .~..t..¶.uÒ.F...
0x00000070   46 08 06 83 56 0A 00 E8 21 00 73 05 A0 B6 07 EB   F...V..è!.s..¶.ë
0x00000080   BC 81 3E FE 7D 55 AA 74 0B 80 7E 10 00 74 C8 A0   ¼.>þ}Uªt..~..tÈ.
0x00000090   B7 07 EB A9 8B FC 1E 57 8B F5 CB BF 05 00 8A 56   ·.ë©.ü.W.õË¿...V
0x000000A0   00 B4 08 CD 13 72 23 8A C1 24 3F 98 8A DE 8A FC   .´.Í.r#.Á$?..Þ.ü
0x000000B0   43 F7 E3 8B D1 86 D6 B1 06 D2 EE 42 F7 E2 39 56   C÷ã.Ñ.Ö±.ÒîB÷â9V
0x000000C0   0A 77 23 72 05 39 46 08 73 1C B8 01 02 BB 00 7C   .w#r.9F.s.¸..».|
0x000000D0   8B 4E 02 8B 56 00 CD 13 73 51 4F 74 4E 32 E4 8A   .N..V.Í.sQOtN2ä.
0x000000E0   56 00 CD 13 EB E4 8A 56 00 60 BB AA 55 B4 41 CD   V.Í.ëä.V.`»ªU´AÍ
0x000000F0   13 72 36 81 FB 55 AA 75 30 F6 C1 01 74 2B 61 60   .r6.ûUªu0öÁ.t+a`
0x00000100   6A 00 6A 00 FF 76 0A FF 76 08 6A 00 68 00 7C 6A   j.j..v..v.j.h.|j
0x00000110   01 6A 10 B4 42 8B F4 CD 13 61 61 73 0E 4F 74 0B   .j.´B.ôÍ.aas.Ot.
0x00000120   32 E4 8A 56 00 CD 13 EB D6 61 F9 C3 4E 65 70 6C   2ä.V.Í.ëÖaùÃNepl
0x00000130   61 74 6E A0 20 74 61 62 75 6C 6B 61 20 6F 64 64   atn. tabulka odd
0x00000140   A1 6C 85 00 43 68 79 62 61 20 70 FD 69 20 6E 61   ¡l..Chyba pýi na
0x00000150   9F A1 74 A0 6E A1 20 6F 70 65 72 61 9F 6E A1 68   .¡t.n¡ opera.n¡h
0x00000160   6F 20 73 79 73 74 82 6D 75 00 4F 70 65 72 61 9F   o syst.mu.Opera.
0x00000170   6E A1 20 73 79 73 74 82 6D 20 6E 65 6E 61 6C 65   n¡ syst.m nenale
0x00000180   7A 65 6E 00 00 00 00 00 00 00 00 00 00 00 00 00   zen.............
0x00000190   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x000001A0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x000001B0   00 00 00 00 00 2C 44 6A 4C 06 3D 8C 00 00 80 01   .....,DjL.=.....
0x000001C0   01 00 07 FE FF FF 3F 00 00 00 EC ED E1 04 00 FE   ...þ..?...ìíá..þ
0x000001D0   FF FF 07 FE FF FF 2B EE E1 04 CF 79 9C 1A 00 FE   ...þ..+îá.Ïy...þ
0x000001E0   FF FF 07 FE FF FF FA 67 7E 1F 47 E4 B9 1A 00 00   ...þ..úg~.Gä¹...
0x000001F0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 AA   ..............Uª

__________________________16_BIT_ASM_CODE
   
0x0000    33c0            XOR AX, AX   
0x0002    8ed0            MOV SS, AX   
0x0004    bc 007c         MOV SP, 0x7c00   
0x0007    fb              STI   
0x0008    50              PUSH AX   
0x0009    07              POP ES   
0x000A    50              PUSH AX   
0x000B    1f              POP DS   
0x000C    fc              CLD   
0x000D    be 1b7c         MOV SI, 0x7c1b   
0x0010    bf 1b06         MOV DI, 0x61b   
0x0013    50              PUSH AX   
0x0014    57              PUSH DI   
0x0015    b9 e501         MOV CX, 0x1e5   
0x0018    f3 a4           REP MOVSB   
0x001A    cb              RETF   
0x001B    bd be07         MOV BP, 0x7be   
0x001E    b1 04           MOV CL, 0x4   
0x0020    386e 00         CMP [BP+0x0], CH   
0x0023    7c 09           JL 0x2e   
0x0025    75 13           JNZ 0x3a   
0x0027    83c5 10         ADD BP, 0x10   
0x002A    e2 f4           LOOP 0x20   
0x002C    cd 18           INT 0x18   
0x002E    8bf5            MOV SI, BP   
0x0030    83c6 10         ADD SI, 0x10   
0x0033    49              DEC CX   
0x0034    74 19           JZ 0x4f   
0x0036    382c            CMP [SI], CH   
0x0038    74 f6           JZ 0x30   
0x003A    a0 b507         MOV AL, [0x7b5]   
0x003D    b4 07           MOV AH, 0x7   
0x003F    8bf0            MOV SI, AX   
0x0041    ac              LODSB   
0x0042    3c 00           CMP AL, 0x0   
0x0044    74 fc           JZ 0x42   
0x0046    bb 0700         MOV BX, 0x7   
0x0049    b4 0e           MOV AH, 0xe   
0x004B    cd 10           INT 0x10   
0x004D    eb f2           JMP 0x41   
0x004F    884e 10         MOV [BP+0x10], CL   
0x0052    e8 4600         CALL 0x9b   
0x0055    73 2a           JAE 0x81   
0x0057    fe46 10         INC BYTE [BP+0x10]   
0x005A    807e 04 0b      CMP BYTE [BP+0x4], 0xb   
0x005E    74 0b           JZ 0x6b   
0x0060    807e 04 0c      CMP BYTE [BP+0x4], 0xc   
0x0064    74 05           JZ 0x6b   
0x0066    a0 b607         MOV AL, [0x7b6]   
0x0069    75 d2           JNZ 0x3d   
0x006B    8046 02 06      ADD BYTE [BP+0x2], 0x6   
0x006F    8346 08 06      ADD WORD [BP+0x8], 0x6   
0x0073    8356 0a 00      ADC WORD [BP+0xa], 0x0   
0x0077    e8 2100         CALL 0x9b   
0x007A    73 05           JAE 0x81   
0x007C    a0 b607         MOV AL, [0x7b6]   
0x007F    eb bc           JMP 0x3d   
0x0081    813e fe7d 55aa  CMP WORD [0x7dfe], 0xaa55   
0x0087    74 0b           JZ 0x94   
0x0089    807e 10 00      CMP BYTE [BP+0x10], 0x0   
0x008D    74 c8           JZ 0x57   
0x008F    a0 b707         MOV AL, [0x7b7]   
0x0092    eb a9           JMP 0x3d   
0x0094    8bfc            MOV DI, SP   
0x0096    1e              PUSH DS   
0x0097    57              PUSH DI   
0x0098    8bf5            MOV SI, BP   
0x009A    cb              RETF   
0x009B    bf 0500         MOV DI, 0x5   
0x009E    8a56 00         MOV DL, [BP+0x0]   
0x00A1    b4 08           MOV AH, 0x8   
0x00A3    cd 13           INT 0x13   
0x00A5    72 23           JB 0xca   
0x00A7    8ac1            MOV AL, CL   
0x00A9    24 3f           AND AL, 0x3f   
0x00AB    98              CBW   
0x00AC    8ade            MOV BL, DH   
0x00AE    8afc            MOV BH, AH   
0x00B0    43              INC BX   
0x00B1    f7e3            MUL BX   
0x00B3    8bd1            MOV DX, CX   
0x00B5    86d6            XCHG DH, DL   
0x00B7    b1 06           MOV CL, 0x6   
0x00B9    d2ee            SHR DH, CL   
0x00BB    42              INC DX   
0x00BC    f7e2            MUL DX   
0x00BE    3956 0a         CMP [BP+0xa], DX   
0x00C1    77 23           JA 0xe6   
0x00C3    72 05           JB 0xca   
0x00C5    3946 08         CMP [BP+0x8], AX   
0x00C8    73 1c           JAE 0xe6   
0x00CA    b8 0102         MOV AX, 0x201   
0x00CD    bb 007c         MOV BX, 0x7c00   
0x00D0    8b4e 02         MOV CX, [BP+0x2]   
0x00D3    8b56 00         MOV DX, [BP+0x0]   
0x00D6    cd 13           INT 0x13   
0x00D8    73 51           JAE 0x12b   
0x00DA    4f              DEC DI   
0x00DB    74 4e           JZ 0x12b   
0x00DD    32e4            XOR AH, AH   
0x00DF    8a56 00         MOV DL, [BP+0x0]   
0x00E2    cd 13           INT 0x13   
0x00E4    eb e4           JMP 0xca   
0x00E6    8a56 00         MOV DL, [BP+0x0]   
0x00E9    60              PUSHA   
0x00EA    bb aa55         MOV BX, 0x55aa   
0x00ED    b4 41           MOV AH, 0x41   
0x00EF    cd 13           INT 0x13   
0x00F1    72 36           JB 0x129   
0x00F3    81fb 55aa       CMP BX, 0xaa55   
0x00F7    75 30           JNZ 0x129   
0x00F9    f6c1 01         TEST CL, 0x1   
0x00FC    74 2b           JZ 0x129   
0x00FE    61              POPA   
0x00FF    60              PUSHA   
0x0100    6a 00           PUSH 0x0   
0x0102    6a 00           PUSH 0x0   
0x0104    ff76 0a         PUSH WORD [BP+0xa]   
0x0107    ff76 08         PUSH WORD [BP+0x8]   
0x010A    6a 00           PUSH 0x0   
0x010C    68 007c         PUSH 0x7c00   
0x010F    6a 01           PUSH 0x1   
0x0111    6a 10           PUSH 0x10   
0x0113    b4 42           MOV AH, 0x42   
0x0115    8bf4            MOV SI, SP   
0x0117    cd 13           INT 0x13   
0x0119    61              POPA   
0x011A    61              POPA   
0x011B    73 0e           JAE 0x12b   
0x011D    4f              DEC DI   
0x011E    74 0b           JZ 0x12b   
0x0120    32e4            XOR AH, AH   
0x0122    8a56 00         MOV DL, [BP+0x0]   
0x0125    cd 13           INT 0x13   
0x0127    eb d6           JMP 0xff   
0x0129    61              POPA   
0x012A    f9              STC   
0x012B    c3              RET   
0x012C    4e              DEC SI   
0x012D    65              DB 0x65   
0x012D    65 70 6c        JO 0x19c   
0x0130    61              POPA   
0x0131    74 6e           JZ 0x1a1   
0x0133    a0 2074         MOV AL, [0x7420]   
0x0136    61              POPA   
0x0137    6275 6c         BOUND SI, [DI+0x6c]   
0x013A    6b61 20 6f      IMUL SP, [BX+DI+0x20], 0x6f   
0x013E    64              DB 0x64   
0x013F    64 a1 6c85      MOV AX, FS:[0x856c]   
0x0143    0043 68         ADD [BP+DI+0x68], AL   
0x0146    79 62           JNS 0x1aa   
0x0148    61              POPA   
0x0149    2070 fd         AND [BX+SI-0x3], DH   
0x014C    6920 6e61       IMUL SP, [BX+SI], 0x616e   
0x0150    9f              LAHF   
0x0151    a1 74a0         MOV AX, [0xa074]   
0x0154    6e              OUTSB   
0x0155    a1 206f         MOV AX, [0x6f20]   
0x0158    70 65           JO 0x1bf   
0x015A    72 61           JB 0x1bd   
0x015C    9f              LAHF   
0x015D    6e              OUTSB   
0x015E    a1 686f         MOV AX, [0x6f68]   
0x0161    2073 79         AND [BP+DI+0x79], DH   
0x0164    73 74           JAE 0x1da   
0x0166    826d 75 00      SUB BYTE [DI+0x75], 0x0   
0x016A    4f              DEC DI   
0x016B    70 65           JO 0x1d2   
0x016D    72 61           JB 0x1d0   
0x016F    9f              LAHF   
0x0170    6e              OUTSB   
0x0171    a1 2073         MOV AX, [0x7320]   
0x0174    79 73           JNS 0x1e9   
0x0176    74 82           JZ 0xfa   
0x0178    6d              INSW   
0x0179    206e 65         AND [BP+0x65], CH   
0x017C    6e              OUTSB   
0x017D    61              POPA   
0x017E    6c              INSB   
0x017F    65              DB 0x65   
0x017F    65 7a 65        JP 0x1e7   
0x0182    6e              OUTSB   
0x0183    0000            ADD [BX+SI], AL   
0x0185    0000            ADD [BX+SI], AL   
0x0187    0000            ADD [BX+SI], AL   
0x0189    0000            ADD [BX+SI], AL   
0x018B    0000            ADD [BX+SI], AL   
0x018D    0000            ADD [BX+SI], AL   
0x018F    0000            ADD [BX+SI], AL   
0x0191    0000            ADD [BX+SI], AL   
0x0193    0000            ADD [BX+SI], AL   
0x0195    0000            ADD [BX+SI], AL   
0x0197    0000            ADD [BX+SI], AL   
0x0199    0000            ADD [BX+SI], AL   
0x019B    0000            ADD [BX+SI], AL   
0x019D    0000            ADD [BX+SI], AL   
0x019F    0000            ADD [BX+SI], AL   
0x01A1    0000            ADD [BX+SI], AL   
0x01A3    0000            ADD [BX+SI], AL   
0x01A5    0000            ADD [BX+SI], AL   
0x01A7    0000            ADD [BX+SI], AL   
0x01A9    0000            ADD [BX+SI], AL   
0x01AB    0000            ADD [BX+SI], AL   
0x01AD    0000            ADD [BX+SI], AL   
0x01AF    0000            ADD [BX+SI], AL   
0x01B1    0000            ADD [BX+SI], AL   
0x01B3    0000            ADD [BX+SI], AL   
0x01B5    2c 44           SUB AL, 0x44   
0x01B7    6a 4c           PUSH 0x4c   
0x01B9    06              PUSH ES   
0x01BA    3d 8c00         CMP AX, 0x8c   
0x01BD    0080 0101       ADD [BX+SI+0x101], AL   
0x01C1    0007            ADD [BX], AL   
0x01C3    fe              DB 0xfe   
0x01C4    ff              DB 0xff   
0x01C5    ff              DB 0xff   
0x01C6    3f              AAS   
0x01C7    0000            ADD [BX+SI], AL   
0x01C9    00ec            ADD AH, CH   
0x01CB    ed              IN AX, DX   
0x01CC    e1 04           LOOPZ 0x1d2   
0x01CE    00fe            ADD DH, BH   
0x01D0    ff              DB 0xff   
0x01D1    ff07            INC WORD [BX]   
0x01D3    fe              DB 0xfe   
0x01D4    ff              DB 0xff   
0x01D5    ff2b            JMP FAR WORD [BP+DI]   
0x01D7    ee              OUT DX, AL   
0x01D8    e1 04           LOOPZ 0x1de   
0x01DA    cf              IRET   
0x01DB    79 9c           JNS 0x179   
0x01DD    1a00            SBB AL, [BX+SI]   
0x01DF    fe              DB 0xfe   
0x01E0    ff              DB 0xff   
0x01E1    ff07            INC WORD [BX]   
0x01E3    fe              DB 0xfe   
0x01E4    ff              DB 0xff   
0x01E5    ff              DB 0xff   
0x01E6    fa              CLI   
0x01E7    67              DB 0x67   
0x01E7    67 7e 1f        JLE 0x209   
0x01EA    47              INC DI   
0x01EB    e4 b9           IN AL, 0xb9   
0x01ED    1a00            SBB AL, [BX+SI]   
0x01EF    0000            ADD [BX+SI], AL   
0x01F1    0000            ADD [BX+SI], AL   
0x01F3    0000            ADD [BX+SI], AL   
0x01F5    0000            ADD [BX+SI], AL   
0x01F7    0000            ADD [BX+SI], AL   
0x01F9    0000            ADD [BX+SI], AL   
0x01FB    0000            ADD [BX+SI], AL   
0x01FD    0055 aa         ADD [DI-0x56], DL   


_______MBR   \Device\Harddisk1\DR1  

0x00000000   33 C0 8E D0 BC 00 7C FB 50 07 50 1F FC BE 1B 7C   3À.м.|ûP.P.ü¾.|
0x00000010   BF 1B 06 50 57 B9 E5 01 F3 A4 CB BE BE 07 B1 04   ¿..PW¹å.ó¤Ë¾¾.±.
0x00000020   38 2C 7C 09 75 15 83 C6 10 E2 F5 CD 18 8B 14 8B   8,|.u..Æ.âõÍ....
0x00000030   EE 83 C6 10 49 74 16 38 2C 74 F6 BE 10 07 4E AC   î.Æ.It.8,tö¾..N¬
0x00000040   3C 00 74 FA BB 07 00 B4 0E CD 10 EB F2 89 46 25   <.tú»..´.Í.ëò.F%
0x00000050   96 8A 46 04 B4 06 3C 0E 74 11 B4 0B 3C 0C 74 05   ..F.´.<.t.´.<.t.
0x00000060   3A C4 75 2B 40 C6 46 25 06 75 24 BB AA 55 50 B4   :Äu+@ÆF%.u$»ªUP´
0x00000070   41 CD 13 58 72 16 81 FB 55 AA 75 10 F6 C1 01 74   AÍ.Xr..ûUªu.öÁ.t
0x00000080   0B 8A E0 88 56 24 C7 06 A1 06 EB 1E 88 66 04 BF   ..à.V$Ç.¡.ë..f.¿
0x00000090   0A 00 B8 01 02 8B DC 33 C9 83 FF 05 7F 03 8B 4E   ..¸...Ü3É......N
0x000000A0   25 03 4E 02 CD 13 72 29 BE 46 07 81 3E FE 7D 55   %.N.Í.r)¾F..>þ}U
0x000000B0   AA 74 5A 83 EF 05 7F DA 85 F6 75 83 BE 27 07 EB   ªtZ.ï..Ú.öu.¾'.ë
0x000000C0   8A 98 91 52 99 03 46 08 13 56 0A E8 12 00 5A EB   ...R..F..V.è..Zë
0x000000D0   D5 4F 74 E4 33 C0 CD 13 EB B8 00 00 00 00 00 00   ÕOtä3ÀÍ.ë¸......
0x000000E0   56 33 F6 56 56 52 50 06 53 51 BE 10 00 56 8B F4   V3öVVRP.SQ¾..V.ô
0x000000F0   50 52 B8 00 42 8A 56 24 CD 13 5A 58 8D 64 10 72   PR¸.B.V$Í.ZX.d.r
0x00000100   0A 40 75 01 42 80 C7 02 E2 F7 F8 5E C3 EB 74 49   .@u.B.Ç.â÷ø^ÃëtI
0x00000110   6E 76 61 6C 69 64 20 70 61 72 74 69 74 69 6F 6E   nvalid partition
0x00000120   20 74 61 62 6C 65 00 45 72 72 6F 72 20 6C 6F 61    table.Error loa
0x00000130   64 69 6E 67 20 6F 70 65 72 61 74 69 6E 67 20 73   ding operating s
0x00000140   79 73 74 65 6D 00 4D 69 73 73 69 6E 67 20 6F 70   ystem.Missing op
0x00000150   65 72 61 74 69 6E 67 20 73 79 73 74 65 6D 00 00   erating system..
0x00000160   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x00000170   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x00000180   00 00 00 8B FC 1E 57 8B F5 CB 00 00 00 00 00 00   ....ü.W.õË......
0x00000190   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x000001A0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x000001B0   00 00 00 00 00 00 00 00 5B 74 E1 FA 00 00 00 00   ........[táú....
0x000001C0   01 01 0F FE FF FF C1 3E 00 00 80 6E EE 22 00 00   ...þ..Á>...nî"..
0x000001D0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x000001E0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x000001F0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 AA   ..............Uª

__________________________16_BIT_ASM_CODE
   
0x0000    33c0            XOR AX, AX   
0x0002    8ed0            MOV SS, AX   
0x0004    bc 007c         MOV SP, 0x7c00   
0x0007    fb              STI   
0x0008    50              PUSH AX   
0x0009    07              POP ES   
0x000A    50              PUSH AX   
0x000B    1f              POP DS   
0x000C    fc              CLD   
0x000D    be 1b7c         MOV SI, 0x7c1b   
0x0010    bf 1b06         MOV DI, 0x61b   
0x0013    50              PUSH AX   
0x0014    57              PUSH DI   
0x0015    b9 e501         MOV CX, 0x1e5   
0x0018    f3 a4           REP MOVSB   
0x001A    cb              RETF   
0x001B    be be07         MOV SI, 0x7be   
0x001E    b1 04           MOV CL, 0x4   
0x0020    382c            CMP [SI], CH   
0x0022    7c 09           JL 0x2d   
0x0024    75 15           JNZ 0x3b   
0x0026    83c6 10         ADD SI, 0x10   
0x0029    e2 f5           LOOP 0x20   
0x002B    cd 18           INT 0x18   
0x002D    8b14            MOV DX, [SI]   
0x002F    8bee            MOV BP, SI   
0x0031    83c6 10         ADD SI, 0x10   
0x0034    49              DEC CX   
0x0035    74 16           JZ 0x4d   
0x0037    382c            CMP [SI], CH   
0x0039    74 f6           JZ 0x31   
0x003B    be 1007         MOV SI, 0x710   
0x003E    4e              DEC SI   
0x003F    ac              LODSB   
0x0040    3c 00           CMP AL, 0x0   
0x0042    74 fa           JZ 0x3e   
0x0044    bb 0700         MOV BX, 0x7   
0x0047    b4 0e           MOV AH, 0xe   
0x0049    cd 10           INT 0x10   
0x004B    eb f2           JMP 0x3f   
0x004D    8946 25         MOV [BP+0x25], AX   
0x0050    96              XCHG SI, AX   
0x0051    8a46 04         MOV AL, [BP+0x4]   
0x0054    b4 06           MOV AH, 0x6   
0x0056    3c 0e           CMP AL, 0xe   
0x0058    74 11           JZ 0x6b   
0x005A    b4 0b           MOV AH, 0xb   
0x005C    3c 0c           CMP AL, 0xc   
0x005E    74 05           JZ 0x65   
0x0060    3ac4            CMP AL, AH   
0x0062    75 2b           JNZ 0x8f   
0x0064    40              INC AX   
0x0065    c646 25 06      MOV BYTE [BP+0x25], 0x6   
0x0069    75 24           JNZ 0x8f   
0x006B    bb aa55         MOV BX, 0x55aa   
0x006E    50              PUSH AX   
0x006F    b4 41           MOV AH, 0x41   
0x0071    cd 13           INT 0x13   
0x0073    58              POP AX   
0x0074    72 16           JB 0x8c   
0x0076    81fb 55aa       CMP BX, 0xaa55   
0x007A    75 10           JNZ 0x8c   
0x007C    f6c1 01         TEST CL, 0x1   
0x007F    74 0b           JZ 0x8c   
0x0081    8ae0            MOV AH, AL   
0x0083    8856 24         MOV [BP+0x24], DL   
0x0086    c706 a106 eb1e  MOV WORD [0x6a1], 0x1eeb   
0x008C    8866 04         MOV [BP+0x4], AH   
0x008F    bf 0a00         MOV DI, 0xa   
0x0092    b8 0102         MOV AX, 0x201   
0x0095    8bdc            MOV BX, SP   
0x0097    33c9            XOR CX, CX   
0x0099    83ff 05         CMP DI, 0x5   
0x009C    7f 03           JG 0xa1   
0x009E    8b4e 25         MOV CX, [BP+0x25]   
0x00A1    034e 02         ADD CX, [BP+0x2]   
0x00A4    cd 13           INT 0x13   
0x00A6    72 29           JB 0xd1   
0x00A8    be 4607         MOV SI, 0x746   
0x00AB    813e fe7d 55aa  CMP WORD [0x7dfe], 0xaa55   
0x00B1    74 5a           JZ 0x10d   
0x00B3    83ef 05         SUB DI, 0x5   
0x00B6    7f da           JG 0x92   
0x00B8    85f6            TEST SI, SI   
0x00BA    75 83           JNZ 0x3f   
0x00BC    be 2707         MOV SI, 0x727   
0x00BF    eb 8a           JMP 0x4b   
0x00C1    98              CBW   
0x00C2    91              XCHG CX, AX   
0x00C3    52              PUSH DX   
0x00C4    99              CWD   
0x00C5    0346 08         ADD AX, [BP+0x8]   
0x00C8    1356 0a         ADC DX, [BP+0xa]   
0x00CB    e8 1200         CALL 0xe0   
0x00CE    5a              POP DX   
0x00CF    eb d5           JMP 0xa6   
0x00D1    4f              DEC DI   
0x00D2    74 e4           JZ 0xb8   
0x00D4    33c0            XOR AX, AX   
0x00D6    cd 13           INT 0x13   
0x00D8    eb b8           JMP 0x92   
0x00DA    0000            ADD [BX+SI], AL   
0x00DC    0000            ADD [BX+SI], AL   
0x00DE    0000            ADD [BX+SI], AL   
0x00E0    56              PUSH SI   
0x00E1    33f6            XOR SI, SI   
0x00E3    56              PUSH SI   
0x00E4    56              PUSH SI   
0x00E5    52              PUSH DX   
0x00E6    50              PUSH AX   
0x00E7    06              PUSH ES   
0x00E8    53              PUSH BX   
0x00E9    51              PUSH CX   
0x00EA    be 1000         MOV SI, 0x10   
0x00ED    56              PUSH SI   
0x00EE    8bf4            MOV SI, SP   
0x00F0    50              PUSH AX   
0x00F1    52              PUSH DX   
0x00F2    b8 0042         MOV AX, 0x4200   
0x00F5    8a56 24         MOV DL, [BP+0x24]   
0x00F8    cd 13           INT 0x13   
0x00FA    5a              POP DX   
0x00FB    58              POP AX   
0x00FC    8d64 10         LEA SP, [SI+0x10]   
0x00FF    72 0a           JB 0x10b   
0x0101    40              INC AX   
0x0102    75 01           JNZ 0x105   
0x0104    42              INC DX   
0x0105    80c7 02         ADD BH, 0x2   
0x0108    e2 f7           LOOP 0x101   
0x010A    f8              CLC   
0x010B    5e              POP SI   
0x010C    c3              RET   
0x010D    eb 74           JMP 0x183   
0x010F    49              DEC CX   
0x0110    6e              OUTSB   
0x0111    76 61           JBE 0x174   
0x0113    6c              INSB   
0x0114    6964 20 7061    IMUL SP, [SI+0x20], 0x6170   
0x0119    72 74           JB 0x18f   
0x011B    6974 69 6f6e    IMUL SI, [SI+0x69], 0x6e6f   
0x0120    2074 61         AND [SI+0x61], DH   
0x0123    626c 65         BOUND BP, [SI+0x65]   
0x0126    0045 72         ADD [DI+0x72], AL   
0x0129    72 6f           JB 0x19a   
0x012B    72 20           JB 0x14d   
0x012D    6c              INSB   
0x012E    6f              OUTSW   
0x012F    61              POPA   
0x0130    64 696e 67 206f IMUL BP, FS:[BP+0x67], 0x6f20   
0x0136    70 65           JO 0x19d   
0x0138    72 61           JB 0x19b   
0x013A    74 69           JZ 0x1a5   
0x013C    6e              OUTSB   
0x013D    67 2073 79      AND [EBX+0x79], DH   
0x0141    73 74           JAE 0x1b7   
0x0143    65 6d           INS WORD GS:[DI], DX   
0x0145    004d 69         ADD [DI+0x69], CL   
0x0148    73 73           JAE 0x1bd   
0x014A    696e 67 206f    IMUL BP, [BP+0x67], 0x6f20   
0x014F    70 65           JO 0x1b6   
0x0151    72 61           JB 0x1b4   
0x0153    74 69           JZ 0x1be   
0x0155    6e              OUTSB   
0x0156    67 2073 79      AND [EBX+0x79], DH   
0x015A    73 74           JAE 0x1d0   
0x015C    65 6d           INS WORD GS:[DI], DX   
0x015E    0000            ADD [BX+SI], AL   
0x0160    0000            ADD [BX+SI], AL   
0x0162    0000            ADD [BX+SI], AL   
0x0164    0000            ADD [BX+SI], AL   
0x0166    0000            ADD [BX+SI], AL   
0x0168    0000            ADD [BX+SI], AL   
0x016A    0000            ADD [BX+SI], AL   
0x016C    0000            ADD [BX+SI], AL   
0x016E    0000            ADD [BX+SI], AL   
0x0170    0000            ADD [BX+SI], AL   
0x0172    0000            ADD [BX+SI], AL   
0x0174    0000            ADD [BX+SI], AL   
0x0176    0000            ADD [BX+SI], AL   
0x0178    0000            ADD [BX+SI], AL   
0x017A    0000            ADD [BX+SI], AL   
0x017C    0000            ADD [BX+SI], AL   
0x017E    0000            ADD [BX+SI], AL   
0x0180    0000            ADD [BX+SI], AL   
0x0182    008b fc1e       ADD [BP+DI+0x1efc], CL   
0x0186    57              PUSH DI   
0x0187    8bf5            MOV SI, BP   
0x0189    cb              RETF   
0x018A    0000            ADD [BX+SI], AL   
0x018C    0000            ADD [BX+SI], AL   
0x018E    0000            ADD [BX+SI], AL   
0x0190    0000            ADD [BX+SI], AL   
0x0192    0000            ADD [BX+SI], AL   
0x0194    0000            ADD [BX+SI], AL   
0x0196    0000            ADD [BX+SI], AL   
0x0198    0000            ADD [BX+SI], AL   
0x019A    0000            ADD [BX+SI], AL   
0x019C    0000            ADD [BX+SI], AL   
0x019E    0000            ADD [BX+SI], AL   
0x01A0    0000            ADD [BX+SI], AL   
0x01A2    0000            ADD [BX+SI], AL   
0x01A4    0000            ADD [BX+SI], AL   
0x01A6    0000            ADD [BX+SI], AL   
0x01A8    0000            ADD [BX+SI], AL   
0x01AA    0000            ADD [BX+SI], AL   
0x01AC    0000            ADD [BX+SI], AL   
0x01AE    0000            ADD [BX+SI], AL   
0x01B0    0000            ADD [BX+SI], AL   
0x01B2    0000            ADD [BX+SI], AL   
0x01B4    0000            ADD [BX+SI], AL   
0x01B6    0000            ADD [BX+SI], AL   
0x01B8    5b              POP BX   
0x01B9    74 e1           JZ 0x19c   
0x01BB    fa              CLI   
0x01BC    0000            ADD [BX+SI], AL   
0x01BE    0000            ADD [BX+SI], AL   
0x01C0    0101            ADD [BX+DI], AX   
0x01C2    0ffeff          PADDD MM7, MM7   
0x01C5    ffc1            INC CX   
0x01C7    3e 0000         ADD DS:[BX+SI], AL   
0x01CA    806e ee 22      SUB BYTE [BP-0x12], 0x22   
0x01CE    0000            ADD [BX+SI], AL   
0x01D0    0000            ADD [BX+SI], AL   
0x01D2    0000            ADD [BX+SI], AL   
0x01D4    0000            ADD [BX+SI], AL   
0x01D6    0000            ADD [BX+SI], AL   
0x01D8    0000            ADD [BX+SI], AL   
0x01DA    0000            ADD [BX+SI], AL   
0x01DC    0000            ADD [BX+SI], AL   
0x01DE    0000            ADD [BX+SI], AL   
0x01E0    0000            ADD [BX+SI], AL   
0x01E2    0000            ADD [BX+SI], AL   
0x01E4    0000            ADD [BX+SI], AL   
0x01E6    0000            ADD [BX+SI], AL   
0x01E8    0000            ADD [BX+SI], AL   
0x01EA    0000            ADD [BX+SI], AL   
0x01EC    0000            ADD [BX+SI], AL   
0x01EE    0000            ADD [BX+SI], AL   
0x01F0    0000            ADD [BX+SI], AL   
0x01F2    0000            ADD [BX+SI], AL   
0x01F4    0000            ADD [BX+SI], AL   
0x01F6    0000            ADD [BX+SI], AL   
0x01F8    0000            ADD [BX+SI], AL   
0x01FA    0000            ADD [BX+SI], AL   
0x01FC    0000            ADD [BX+SI], AL   
0x01FE    55              PUSH BP   
0x01FF    aa              STOSB
Přílohy
TDSSKiller_Quarantine.zip
(147.35 KiB) Staženo 46 x
Nahoru
Dr.Honza
Návštěvník
Návštěvník
Příspěvky: 28
Registrován: 20 zář 2006 22:40

Re: Backdoor.Win32.Sinowal i po placeném odvirování

#3 Příspěvek od Dr.Honza »

Ještě dumpy:
Přílohy
ziskej.zip
(169.46 KiB) Staženo 39 x
Nahoru
Dr.Honza
Návštěvník
Návštěvník
Příspěvky: 28
Registrován: 20 zář 2006 22:40

Re: Backdoor.Win32.Sinowal i po placeném odvirování

#4 Příspěvek od Dr.Honza »

Na starém disku byl před lety WIN XP SP1 a pak SP3. (od doby co existuje Sinoval a jiné rootkity neslouží jako systémový disk). Dosud jsem používal vždy jen XP.

Mám tam Daemon Tools, tedy ten atapi a taky
c:\windows\system32\drivers\sptd.sys který TDSSKiller hlásí je pravděpodobně od nich.

Mbr log přes příkaz "%userprofile%\plocha\mbr" -t -s

Dumpnuty a uplodovány sektory hlavního harddisku 976768065-8 (MBR hlásí 65, gmer 68).
U druhého disku (je fyzicky menší) uvedené sektory nejde najít a automaticky mi to
MBRscan přehodil na poslední sektor 586072368 - tedy dumpnuty asi zbytečně
poslední 586072365-8.
Děkuji za pomoc ...


Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD5000AAKB-00H8A0 rev.05.04E05 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys spsb.sys >>UNKNOWN [0x8678D938]<<
spsb.sys
_asm { PUSH EBP; MOV EBP, ESP; JMP 0xfffffffff9d84afe; }
1 nt!IofCallDriver[0x804E37C5] -> \Device\Harddisk0\DR0[0x86733AB8]
3 CLASSPNP[0xF788EFD7] -> nt!IofCallDriver[0x804E37C5] -> \Device\0000005d[0x86729F18]
5 ACPI[0xF76CD620] -> nt!IofCallDriver[0x804E37C5] -> \Device\Ide\IdeDeviceP0T0L0-4[0x8673FD98]
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
user & kernel MBR OK
copy of MBR has been found in sector 976768065
Přílohy
ziskej 976768065-8.zip
(5.41 KiB) Staženo 47 x
Nahoru
Dr.Honza
Návštěvník
Návštěvník
Příspěvky: 28
Registrován: 20 zář 2006 22:40

Re: Backdoor.Win32.Sinowal i po placeném odvirování

#5 Příspěvek od Dr.Honza »

Trpělivost mějte se mnou :)

sptd.sys je na 99% driver Deamon Tools 4.30.1.0 - našel jsem na toto téma včera
nějaké diskuse v AJ (např. na fóru Kaspersky), prohnali to www.virustotal.com a spol a čisté...

Napadá mne, že jsem kód viru řadou svých zásahů nevymazal ale jen nějak poškodil...

Také bych to fixl. Hrozí nějaká vyšší šance ztráty dat? Není to velký zásah...

Ještě je divná 1 věc - před 1. logickým diskem (F:) z 2.HDD mi Partitionmagic ukazuje
7,8MB místa Unallocated a až pak začíná to F:. Stejné to bylo tehdy na C: než jsem slučoval.
Nechápu co s tím ten firemní technik dělal, původně byly logické disky až do začátku.
Pokud ten 7MB sektor nechám bez povšimnutí je to OK? O 7MB mi samozřejmě nejde. Jinak na F: nemám žádná cenná data - šlo by i zlikvidovat.

Děkuji...
Nahoru
Dr.Honza
Návštěvník
Návštěvník
Příspěvky: 28
Registrován: 20 zář 2006 22:40

Re: Backdoor.Win32.Sinowal i po placeném odvirování

#6 Příspěvek od Dr.Honza »

Screenshot přiložen. Ten nový Cidox... mám nepříjemný pocit, že by s mým PC udělali to samé jako teď...štěstí v mé smůle je, že jsem nechytil nějakou extra novinku.
Možná bych ten poslední sektor (je to ten hlášený 976768065-8?) přepsal, nechci se dožít nepříjemného překvápka... Jdu to fixnout a nahrát logy...

Zde záloha HDD1 sektor 0

Kód: Vybrat vše

33 C0 8E D0 BC 00 7C FB 50 07 50 1F FC BE 1B 7C BF 1B 06 50 57 B9 E5 01 F3 A4 CB BE BE 07 B1 04 38 2C 7C 09 75 15 83 C6 10 E2 F5 CD 18 8B 14 8B EE 83 C6 10 49 74 16 38 2C 74 F6 BE 10 07 4E AC 3C 00 74 FA BB 07 00 B4 0E CD 10 EB F2 89 46 25 96 8A 46 04 B4 06 3C 0E 74 11 B4 0B 3C 0C 74 05 3A C4 75 2B 40 C6 46 25 06 75 24 BB AA 55 50 B4 41 CD 13 58 72 16 81 FB 55 AA 75 10 F6 C1 01 74 0B 8A E0 88 56 24 C7 06 A1 06 EB 1E 88 66 04 BF 0A 00 B8 01 02 8B DC 33 C9 83 FF 05 7F 03 8B 4E 25 03 4E 02 CD 13 72 29 BE 46 07 81 3E FE 7D 55 AA 74 5A 83 EF 05 7F DA 85 F6 75 83 BE 27 07 EB 8A 98 91 52 99 03 46 08 13 56 0A E8 12 00 5A EB D5 4F 74 E4 33 C0 CD 13 EB B8 00 00 00 00 00 00 56 33 F6 56 56 52 50 06 53 51 BE 10 00 56 8B F4 50 52 B8 00 42 8A 56 24 CD 13 5A 58 8D 64 10 72 0A 40 75 01 42 80 C7 02 E2 F7 F8 5E C3 EB 74 49 6E 76 61 6C 69 64 20 70 61 72 74 69 74 69 6F 6E 20 74 61 62 6C 65 00 45 72 72 6F 72 20 6C 6F 61 64 69 6E 67 20 6F 70 65 72 61 74 69 6E 67 20 73 79 73 74 65 6D 00 4D 69 73 73 69 6E 67 20 6F 70 65 72 61 74 69 6E 67 20 73 79 73 74 65 6D 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 8B FC 1E 57 8B F5 CB 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 5B 74 E1 FA 00 00 00 00 01 01 0F FE FF FF C1 3E 00 00 80 6E EE 22 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 AA
Přílohy
Screenshot HxD Harddisk 2.JPG
Screenshot HxD Harddisk 2.JPG (105.75 KiB) Zobrazeno 1083 x
Nahoru
Dr.Honza
Návštěvník
Návštěvník
Příspěvky: 28
Registrován: 20 zář 2006 22:40

Re: Backdoor.Win32.Sinowal i po placeném odvirování

#7 Příspěvek od Dr.Honza »

Fixnuto HDD1 sektor 0, HxD zkontrolováno - oo zapsány až po sektor 1B7, data bez újmy...:)
HDD0 sektor 0 tedy vyšel z testů jako čistý-netřeba zasahovat?... ESET Smart Security 5 nenachází na
C: a v bootech nic, 1 věc v Unlockeru 1.9.1.exe je BabylonToolbarApp.dll - varianta infiltrace Win32/Toolbar.Babylon - vím o tom, je v tom toolbar co stačí nenainstalovat a mělo by být čisté.
Nově stažený Kaspersky TDSSKiller - jen ten driver sptd jinak čisté. Přiloženy logy TDSKiller, gmer, mbr a mrrscan.
Gmer pořád hlásí: "\Device\Harddisk0\DR0 malicious Win32:MBRoot code @ sector 976768068"
mbr: "copy of MBR has been found in sector 976768065"
Vyřešilo by to odmazání těch sektorů? Servis - a to jsem jim za to platil!, chodím k nim přes 10 let, zatím to bylo ok, nicméně šikovní a vstřícní původní zaměstnanci jsou pryč a teď... :shock:
BTW zajímavá zelená kostřička...


19:00:19.0250 0288 TDSS rootkit removing tool 2.7.36.0 May 21 2012 16:40:16
19:00:19.0468 0288 ============================================================
19:00:19.0468 0288 Current date / time: 2012/06/03 19:00:19.0468
19:00:19.0468 0288 SystemInfo:
19:00:19.0468 0288
19:00:19.0468 0288 OS Version: 5.1.2600 ServicePack: 3.0
19:00:19.0468 0288 Product type: Workstation
19:00:19.0468 0288 ComputerName: DOMACI-PC
19:00:19.0468 0288 UserName: Honza
19:00:19.0468 0288 Windows directory: C:\WINDOWS
19:00:19.0468 0288 System windows directory: C:\WINDOWS
19:00:19.0468 0288 Processor architecture: Intel x86
19:00:19.0468 0288 Number of processors: 1
19:00:19.0468 0288 Page size: 0x1000
19:00:19.0468 0288 Boot type: Normal boot
19:00:19.0468 0288 ============================================================
19:00:21.0140 0288 Drive \Device\Harddisk0\DR0 - Size: 0x7470C06000 (465.76 Gb), SectorSize: 0x200, Cylinders: 0xED81, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
19:00:21.0156 0288 Drive \Device\Harddisk1\DR1 - Size: 0x45DD826000 (279.46 Gb), SectorSize: 0x200, Cylinders: 0x8E81, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
19:00:21.0171 0288 ============================================================
19:00:21.0171 0288 \Device\Harddisk0\DR0:
19:00:21.0171 0288 MBR partitions:
19:00:21.0171 0288 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x4E1EDEC
19:00:21.0171 0288 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x4E1EE2B, BlocksNum 0x1A9C79CF
19:00:21.0171 0288 \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x1F7E67FA, BlocksNum 0x1AB9E447
19:00:21.0171 0288 \Device\Harddisk1\DR1:
19:00:21.0171 0288 MBR partitions:
19:00:21.0187 0288 \Device\Harddisk1\DR1\Partition0: MBR, Type 0x7, StartLBA 0x3F00, BlocksNum 0x8BA619C
19:00:21.0203 0288 \Device\Harddisk1\DR1\Partition1: MBR, Type 0x7, StartLBA 0x8BAA0DB, BlocksNum 0x8BA619C
19:00:21.0203 0288 \Device\Harddisk1\DR1\Partition2: MBR, Type 0x7, StartLBA 0x117502B6, BlocksNum 0xC35314E
19:00:21.0218 0288 \Device\Harddisk1\DR1\Partition3: MBR, Type 0x7, StartLBA 0x1DAA3443, BlocksNum 0x54478FE
19:00:21.0218 0288 ============================================================
19:00:21.0250 0288 C: <-> \Device\Harddisk0\DR0\Partition0
19:00:21.0328 0288 D: <-> \Device\Harddisk0\DR0\Partition1
19:00:21.0359 0288 E: <-> \Device\Harddisk0\DR0\Partition2
19:00:21.0406 0288 F: <-> \Device\Harddisk1\DR1\Partition0
19:00:21.0453 0288 G: <-> \Device\Harddisk1\DR1\Partition1
19:00:21.0484 0288 H: <-> \Device\Harddisk1\DR1\Partition2
19:00:21.0515 0288 I: <-> \Device\Harddisk1\DR1\Partition3
19:00:21.0515 0288 ============================================================
19:00:21.0515 0288 Initialize success
19:00:21.0515 0288 ============================================================
19:00:34.0750 3436 ============================================================
19:00:34.0750 3436 Scan started
19:00:34.0750 3436 Mode: Manual; TDLFS;
19:00:34.0750 3436 ============================================================
19:00:35.0203 3436 Abiosdsk - ok
19:00:35.0218 3436 abp480n5 - ok
19:00:35.0265 3436 ACPI (4fe34f1f3126b61fcc6b2043aa8112c9) C:\WINDOWS\system32\DRIVERS\ACPI.sys
19:00:35.0281 3436 ACPI - ok
19:00:35.0312 3436 ACPIEC (afdff022a01f0b11c776f0860c3b282f) C:\WINDOWS\system32\drivers\ACPIEC.sys
19:00:35.0312 3436 ACPIEC - ok
19:00:35.0328 3436 adpu160m - ok
19:00:35.0359 3436 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
19:00:35.0375 3436 aec - ok
19:00:35.0406 3436 AFD (322d0e36693d6e24a2398bee62a268cd) C:\WINDOWS\System32\drivers\afd.sys
19:00:35.0421 3436 AFD - ok
19:00:35.0437 3436 Aha154x - ok
19:00:35.0453 3436 aic78u2 - ok
19:00:35.0453 3436 aic78xx - ok
19:00:35.0484 3436 Alerter (e0a6fa244b8624d78fe5ff6f56a33bae) C:\WINDOWS\system32\alrsvc.dll
19:00:35.0484 3436 Alerter - ok
19:00:35.0515 3436 ALG (88842de939a827577bf24243699ac80a) C:\WINDOWS\System32\alg.exe
19:00:35.0515 3436 ALG - ok
19:00:35.0578 3436 ALIEHCD (c5f267a1ea036a662e42691b790ca283) C:\WINDOWS\system32\Drivers\ALIEHCI.sys
19:00:35.0593 3436 ALIEHCD - ok
19:00:35.0609 3436 aligp (b97c3967939f0fc2c5739668174991ef) C:\WINDOWS\system32\DRIVERS\AliGP.sys
19:00:35.0609 3436 aligp - ok
19:00:35.0625 3436 AliIde - ok
19:00:35.0656 3436 aliroothub (8fae0ad01154140fa8e1da0eca833936) C:\WINDOWS\system32\DRIVERS\AliRtHub.sys
19:00:35.0656 3436 aliroothub - ok
19:00:35.0671 3436 amsint - ok
19:00:35.0703 3436 AppMgmt (6b8e7a90e576d4fe308f97c69060a171) C:\WINDOWS\System32\appmgmts.dll
19:00:35.0718 3436 AppMgmt - ok
19:00:35.0734 3436 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
19:00:35.0734 3436 Arp1394 - ok
19:00:35.0750 3436 asc - ok
19:00:35.0765 3436 asc3350p - ok
19:00:35.0781 3436 asc3550 - ok
19:00:35.0859 3436 aspnet_state (776acefa0ca9df0faa51a5fb2f435705) C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe
19:00:35.0875 3436 aspnet_state - ok
19:00:35.0890 3436 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
19:00:35.0890 3436 AsyncMac - ok
19:00:35.0906 3436 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
19:00:35.0906 3436 atapi - ok
19:00:35.0937 3436 Atdisk - ok
19:00:35.0953 3436 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
19:00:35.0953 3436 Atmarpc - ok
19:00:35.0984 3436 AudioSrv (de31b88962a8645dba5a37b993e7b0f1) C:\WINDOWS\System32\audiosrv.dll
19:00:35.0984 3436 AudioSrv - ok
19:00:36.0015 3436 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
19:00:36.0015 3436 audstub - ok
19:00:36.0062 3436 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
19:00:36.0062 3436 Beep - ok
19:00:36.0125 3436 BITS (19395d092fd85ddc2d9c7729cf5a2ac8) C:\WINDOWS\system32\qmgr.dll
19:00:36.0156 3436 BITS - ok
19:00:36.0187 3436 Browser (249276d3ef1e74b992299cb96099e4d7) C:\WINDOWS\System32\browser.dll
19:00:36.0187 3436 Browser - ok
19:00:36.0218 3436 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
19:00:36.0218 3436 cbidf2k - ok
19:00:36.0250 3436 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
19:00:36.0250 3436 CCDECODE - ok
19:00:36.0265 3436 cd20xrnt - ok
19:00:36.0296 3436 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
19:00:36.0296 3436 Cdaudio - ok
19:00:36.0328 3436 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
19:00:36.0328 3436 Cdfs - ok
19:00:36.0359 3436 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
19:00:36.0359 3436 Cdrom - ok
19:00:36.0359 3436 Changer - ok
19:00:36.0390 3436 CiSvc (e390dc1d7c461d7d56ec53402f329928) C:\WINDOWS\system32\cisvc.exe
19:00:36.0390 3436 CiSvc - ok
19:00:36.0406 3436 ClipSrv (064507a8dfa8c5c7e2ffddd3e6f424fa) C:\WINDOWS\system32\clipsrv.exe
19:00:36.0406 3436 ClipSrv - ok
19:00:36.0453 3436 clr_optimization_v4.0.30319_32 (c5a75eb48e2344abdc162bda79e16841) C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
19:00:36.0453 3436 clr_optimization_v4.0.30319_32 - ok
19:00:36.0468 3436 CmdIde - ok
19:00:36.0484 3436 COMSysApp - ok
19:00:36.0531 3436 Cpqarray - ok
19:00:36.0562 3436 Creative Service for CDROM Access (3c8b6609712f4ff78e521f6dcfc4032b) C:\WINDOWS\system32\CTsvcCDA.EXE
19:00:36.0562 3436 Creative Service for CDROM Access - ok
19:00:36.0578 3436 CryptSvc (f3ab0933cbd166d271992f411c27ccaf) C:\WINDOWS\System32\cryptsvc.dll
19:00:36.0578 3436 CryptSvc - ok
19:00:36.0609 3436 ctac32k (08489a6fcc1ce1ef6ea2d290a169a3b3) C:\WINDOWS\system32\drivers\ctac32k.sys
19:00:36.0625 3436 ctac32k - ok
19:00:36.0640 3436 ctprxy2k (b493ec482fa7b4352694cc473d22d3b7) C:\WINDOWS\system32\drivers\ctprxy2k.sys
19:00:36.0640 3436 ctprxy2k - ok
19:00:36.0671 3436 ctsfm2k (7bb189da3f0e1e89d84a324b795c0350) C:\WINDOWS\system32\drivers\ctsfm2k.sys
19:00:36.0687 3436 ctsfm2k - ok
19:00:36.0703 3436 dac2w2k - ok
19:00:36.0718 3436 dac960nt - ok
19:00:36.0781 3436 DcomLaunch (c868f3ae15cf71a93f2aa3a32856d839) C:\WINDOWS\system32\rpcss.dll
19:00:36.0796 3436 DcomLaunch - ok
19:00:36.0828 3436 Dhcp (8c9a53e285ac5e6704844d0459ec85be) C:\WINDOWS\System32\dhcpcsvc.dll
19:00:36.0843 3436 Dhcp - ok
19:00:36.0859 3436 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
19:00:36.0859 3436 Disk - ok
19:00:36.0875 3436 dmadmin - ok
19:00:36.0953 3436 dmboot (db5fd2bf5b07dc54bfcb3664ff05bd7c) C:\WINDOWS\system32\drivers\dmboot.sys
19:00:36.0984 3436 dmboot - ok
19:00:37.0015 3436 dmio (fff1720af51171f32f1ead5cf71f2810) C:\WINDOWS\system32\drivers\dmio.sys
19:00:37.0015 3436 dmio - ok
19:00:37.0046 3436 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
19:00:37.0046 3436 dmload - ok
19:00:37.0062 3436 dmserver (2bfefe9e865655a76982f050450b9591) C:\WINDOWS\System32\dmserver.dll
19:00:37.0062 3436 dmserver - ok
19:00:37.0093 3436 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
19:00:37.0093 3436 DMusic - ok
19:00:37.0140 3436 Dnscache (0634b791684b84f4a331f3d3536feef8) C:\WINDOWS\System32\dnsrslvr.dll
19:00:37.0140 3436 Dnscache - ok
19:00:37.0187 3436 Dot3svc (4a3e2bd20157a0946751229e92eb8621) C:\WINDOWS\System32\dot3svc.dll
19:00:37.0187 3436 Dot3svc - ok
19:00:37.0203 3436 dpti2o - ok
19:00:37.0234 3436 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
19:00:37.0234 3436 drmkaud - ok
19:00:37.0281 3436 eamon (8c2b6bbc82ad12cd9a2e73e5dcbba705) C:\WINDOWS\system32\DRIVERS\eamon.sys
19:00:37.0281 3436 eamon - ok
19:00:37.0312 3436 EapHost (0887d9c2be8d940778cad1e3b85f2a41) C:\WINDOWS\System32\eapsvc.dll
19:00:37.0312 3436 EapHost - ok
19:00:37.0359 3436 ehdrv (5412ed24fffca64e2f0168399b86c952) C:\WINDOWS\system32\DRIVERS\ehdrv.sys
19:00:37.0359 3436 ehdrv - ok
19:00:37.0515 3436 ekrn (ad4faade819e0da9933bea7c01d2c763) C:\Program Files\ESET\ESET Smart Security\ekrn.exe
19:00:37.0546 3436 ekrn - ok
19:00:37.0671 3436 emu10kx (ef99d8dab9fce9b734b40d5e0dd6abb4) C:\WINDOWS\system32\drivers\e10kx2k.sys
19:00:37.0734 3436 emu10kx - ok
19:00:37.0828 3436 emupia (16f794ab0a5a0dcd45c69579b426a6e3) C:\WINDOWS\system32\drivers\emupia2k.sys
19:00:37.0828 3436 emupia - ok
19:00:37.0859 3436 epfw (774babcb1144513dc86992003740b774) C:\WINDOWS\system32\DRIVERS\epfw.sys
19:00:37.0875 3436 epfw - ok
19:00:37.0906 3436 Epfwndis (4b86da2c58063b647577cd669cffaeeb) C:\WINDOWS\system32\DRIVERS\Epfwndis.sys
19:00:37.0906 3436 Epfwndis - ok
19:00:37.0937 3436 epfwtdi (1b36748ea9e25549ebe5d8ea105bd981) C:\WINDOWS\system32\DRIVERS\epfwtdi.sys
19:00:37.0937 3436 epfwtdi - ok
19:00:37.0953 3436 ERSvc (a2a4912798f2be706abadd3d30800d16) C:\WINDOWS\System32\ersvc.dll
19:00:37.0968 3436 ERSvc - ok
19:00:38.0000 3436 Eventlog (f0d2ae69035092bf22dad6b50fab85c2) C:\WINDOWS\system32\services.exe
19:00:38.0015 3436 Eventlog - ok
19:00:38.0046 3436 EventSystem (260c69fd67687b0dc062fc3d31655857) C:\WINDOWS\system32\es.dll
19:00:38.0046 3436 EventSystem - ok
19:00:38.0093 3436 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
19:00:38.0093 3436 Fastfat - ok
19:00:38.0125 3436 FastUserSwitchingCompatibility (b927443008910b412bec72fc41c1bad0) C:\WINDOWS\System32\shsvcs.dll
19:00:38.0125 3436 FastUserSwitchingCompatibility - ok
19:00:38.0140 3436 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
19:00:38.0140 3436 Fdc - ok
19:00:38.0156 3436 Fips (ac366695a0796560aa37215ad5762aaf) C:\WINDOWS\system32\drivers\Fips.sys
19:00:38.0156 3436 Fips - ok
19:00:38.0171 3436 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
19:00:38.0171 3436 Flpydisk - ok
19:00:38.0218 3436 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
19:00:38.0218 3436 FltMgr - ok
19:00:38.0250 3436 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
19:00:38.0265 3436 Fs_Rec - ok
19:00:38.0281 3436 Ftdisk (4e664d8541db4a66b73a24257e322e1f) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
19:00:38.0281 3436 Ftdisk - ok
19:00:38.0328 3436 gameenum (065639773d8b03f33577f6cdaea21063) C:\WINDOWS\system32\DRIVERS\gameenum.sys
19:00:38.0328 3436 gameenum - ok
19:00:38.0328 3436 GMSIPCI - ok
19:00:38.0359 3436 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
19:00:38.0359 3436 Gpc - ok
19:00:38.0390 3436 helpsvc (fcfe31fb75f8a6295b6b0af87a626282) C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll
19:00:38.0390 3436 helpsvc - ok
19:00:38.0406 3436 HidServ - ok
19:00:38.0421 3436 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
19:00:38.0421 3436 hidusb - ok
19:00:38.0453 3436 hkmsvc (7a6b320928f86bc851530d63c82965d9) C:\WINDOWS\System32\kmsvc.dll
19:00:38.0453 3436 hkmsvc - ok
19:00:38.0468 3436 hpn - ok
19:00:38.0515 3436 HTTP (f6aacf5bce2893e0c1754afeb672e5c9) C:\WINDOWS\system32\Drivers\HTTP.sys
19:00:38.0531 3436 HTTP - ok
19:00:38.0578 3436 HTTPFilter (58fe2f2da3bc5573f4a35b3760d3125f) C:\WINDOWS\System32\w3ssl.dll
19:00:38.0578 3436 HTTPFilter - ok
19:00:38.0593 3436 i2omgmt - ok
19:00:38.0609 3436 i2omp - ok
19:00:38.0625 3436 i8042prt (c528e27945367191e7bae364930b6932) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
19:00:38.0640 3436 i8042prt - ok
19:00:38.0687 3436 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
19:00:38.0687 3436 Imapi - ok
19:00:38.0718 3436 ImapiService (f7b93aafad33b2320954c17e26c8d361) C:\WINDOWS\system32\imapi.exe
19:00:38.0734 3436 ImapiService - ok
19:00:38.0750 3436 ini910u - ok
19:00:38.0781 3436 IntelIde - ok
19:00:38.0796 3436 intelppm (27b290d632af2cf3cf40bfddb7370985) C:\WINDOWS\system32\DRIVERS\intelppm.sys
19:00:38.0796 3436 intelppm - ok
19:00:38.0828 3436 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
19:00:38.0843 3436 Ip6Fw - ok
19:00:38.0859 3436 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
19:00:38.0859 3436 IpFilterDriver - ok
19:00:38.0875 3436 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
19:00:38.0875 3436 IpInIp - ok
19:00:38.0906 3436 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
19:00:38.0921 3436 IpNat - ok
19:00:38.0953 3436 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
19:00:38.0953 3436 IPSec - ok
19:00:38.0968 3436 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
19:00:38.0968 3436 IRENUM - ok
19:00:39.0000 3436 isapnp (cc9f8a2d60aed1a51a3ac34c59b987ae) C:\WINDOWS\system32\DRIVERS\isapnp.sys
19:00:39.0015 3436 isapnp - ok
19:00:39.0031 3436 Kbdclass (1b6162fe7f66b1a71a4b70f941c4aa9b) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
19:00:39.0031 3436 Kbdclass - ok
19:00:39.0062 3436 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
19:00:39.0062 3436 kmixer - ok
19:00:39.0093 3436 KSecDD (1705745d900dabf2d89f90ebaddc7517) C:\WINDOWS\system32\drivers\KSecDD.sys
19:00:39.0093 3436 KSecDD - ok
19:00:39.0125 3436 LanmanServer (21920ac69594ab021237054fa728fe46) C:\WINDOWS\System32\srvsvc.dll
19:00:39.0140 3436 LanmanServer - ok
19:00:39.0171 3436 lanmanworkstation (5190783f51a2d7a8495202c664d7c963) C:\WINDOWS\System32\wkssvc.dll
19:00:39.0187 3436 lanmanworkstation - ok
19:00:39.0203 3436 lbrtfdc - ok
19:00:39.0234 3436 LmHosts (0ab159f536e3e8f7f07113702a07cca5) C:\WINDOWS\System32\lmhsvc.dll
19:00:39.0234 3436 LmHosts - ok
19:00:39.0296 3436 McciCMService (4f74184920b2d6e33024409b4c5c57c1) C:\Program Files\Common Files\Motive\McciCMService.exe
19:00:39.0296 3436 McciCMService - ok
19:00:39.0328 3436 Messenger (221cd1c815b8a6b79389c3f5d1018de8) C:\WINDOWS\System32\msgsvc.dll
19:00:39.0343 3436 Messenger - ok
19:00:39.0390 3436 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
19:00:39.0390 3436 mnmdd - ok
19:00:39.0421 3436 mnmsrvc (9a57d046f88f4b69751b11fd40088a61) C:\WINDOWS\system32\mnmsrvc.exe
19:00:39.0421 3436 mnmsrvc - ok
19:00:39.0453 3436 Modem (44032b0c6d9954d3fd26438330b99ee7) C:\WINDOWS\system32\drivers\Modem.sys
19:00:39.0453 3436 Modem - ok
19:00:39.0484 3436 Mouclass (4cb582831dbde63ce43b45d771218374) C:\WINDOWS\system32\DRIVERS\mouclass.sys
19:00:39.0484 3436 Mouclass - ok
19:00:39.0500 3436 mouhid (bb269eba740737ab749b214d568b6812) C:\WINDOWS\system32\DRIVERS\mouhid.sys
19:00:39.0500 3436 mouhid - ok
19:00:39.0515 3436 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
19:00:39.0515 3436 MountMgr - ok
19:00:39.0531 3436 mraid35x - ok
19:00:39.0562 3436 MREMP50 (9bd4dcb5412921864a7aacdedfbd1923) C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS
19:00:39.0562 3436 MREMP50 - ok
19:00:39.0578 3436 MREMP50a64 - ok
19:00:39.0593 3436 MREMPR5 - ok
19:00:39.0609 3436 MRENDIS5 - ok
19:00:39.0640 3436 MRESP50 (07c02c892e8e1a72d6bf35004f0e9c5e) C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS
19:00:39.0640 3436 MRESP50 - ok
19:00:39.0656 3436 MRESP50a64 - ok
19:00:39.0671 3436 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
19:00:39.0687 3436 MRxDAV - ok
19:00:39.0734 3436 MRxSmb (68755f0ff16070178b54674fe5b847b0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
19:00:39.0750 3436 MRxSmb - ok
19:00:39.0781 3436 MSDTC (6db4d1521caba9a5ffab54ade0ae867d) C:\WINDOWS\system32\msdtc.exe
19:00:39.0781 3436 MSDTC - ok
19:00:39.0796 3436 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
19:00:39.0796 3436 Msfs - ok
19:00:39.0812 3436 MSIServer - ok
19:00:39.0859 3436 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
19:00:39.0859 3436 MSKSSRV - ok
19:00:39.0875 3436 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
19:00:39.0875 3436 MSPCLOCK - ok
19:00:39.0890 3436 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
19:00:39.0890 3436 MSPQM - ok
19:00:39.0906 3436 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
19:00:39.0921 3436 mssmbios - ok
19:00:39.0953 3436 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
19:00:39.0953 3436 MSTEE - ok
19:00:39.0968 3436 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
19:00:39.0968 3436 Mup - ok
19:00:40.0000 3436 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
19:00:40.0000 3436 NABTSFEC - ok
19:00:40.0046 3436 napagent (6ea362e9db03d44f6b996f4d8be237e9) C:\WINDOWS\System32\qagentrt.dll
19:00:40.0062 3436 napagent - ok
19:00:40.0093 3436 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
19:00:40.0109 3436 NDIS - ok
19:00:40.0125 3436 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
19:00:40.0125 3436 NdisIP - ok
19:00:40.0156 3436 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
19:00:40.0156 3436 NdisTapi - ok
19:00:40.0171 3436 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
19:00:40.0171 3436 Ndisuio - ok
19:00:40.0187 3436 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
19:00:40.0203 3436 NdisWan - ok
19:00:40.0218 3436 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
19:00:40.0218 3436 NDProxy - ok
19:00:40.0234 3436 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
19:00:40.0281 3436 NetBIOS - ok
19:00:40.0312 3436 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
19:00:40.0312 3436 NetBT - ok
19:00:40.0343 3436 NetDDE (933de774986ec85e48210c44ab431de6) C:\WINDOWS\system32\netdde.exe
19:00:40.0359 3436 NetDDE - ok
19:00:40.0375 3436 NetDDEdsdm (933de774986ec85e48210c44ab431de6) C:\WINDOWS\system32\netdde.exe
19:00:40.0375 3436 NetDDEdsdm - ok
19:00:40.0390 3436 Netlogon (ed0a176354487ceed65b80a7148ab739) C:\WINDOWS\system32\lsass.exe
19:00:40.0390 3436 Netlogon - ok
19:00:40.0421 3436 Netman (72e1e9e2977be08bdeedb6d8fd9d4d40) C:\WINDOWS\System32\netman.dll
19:00:40.0437 3436 Netman - ok
19:00:40.0500 3436 NetTcpPortSharing (d22cd77d4f0d63d1169bb35911bff12d) C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe
19:00:40.0531 3436 NetTcpPortSharing - ok
19:00:40.0562 3436 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
19:00:40.0562 3436 NIC1394 - ok
19:00:40.0593 3436 Nla (aac97dab5f8a0573cf10e0eac42a7724) C:\WINDOWS\System32\mswsock.dll
19:00:40.0593 3436 Nla - ok
19:00:40.0625 3436 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
19:00:40.0625 3436 Npfs - ok
19:00:40.0734 3436 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
19:00:40.0750 3436 Ntfs - ok
19:00:40.0765 3436 NtLmSsp (ed0a176354487ceed65b80a7148ab739) C:\WINDOWS\system32\lsass.exe
19:00:40.0765 3436 NtLmSsp - ok
19:00:40.0828 3436 NtmsSvc (023dd70573d644f3d9c8b1258a7bfd08) C:\WINDOWS\system32\ntmssvc.dll
19:00:40.0843 3436 NtmsSvc - ok
19:00:40.0890 3436 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
19:00:40.0890 3436 Null - ok
19:00:41.0046 3436 nv (2b298519edbfcf451d43e0f1e8f1006d) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
19:00:41.0093 3436 nv - ok
19:00:41.0187 3436 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
19:00:41.0187 3436 NwlnkFlt - ok
19:00:41.0203 3436 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
19:00:41.0203 3436 NwlnkFwd - ok
19:00:41.0296 3436 odserv (84de1dd996b48b05ace31ad015fa108a) C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE
19:00:41.0312 3436 odserv - ok
19:00:41.0343 3436 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
19:00:41.0343 3436 ohci1394 - ok
19:00:41.0406 3436 ose (5a432a042dae460abe7199b758e8606c) C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
19:00:41.0437 3436 ose - ok
19:00:41.0500 3436 ossrv (d653f455b176529f0427b24361139619) C:\WINDOWS\system32\drivers\ctoss2k.sys
19:00:41.0500 3436 ossrv - ok
19:00:41.0562 3436 PAC207 (16ea91ac88c700a3632ddb91c62834ec) C:\WINDOWS\system32\DRIVERS\PFC027.SYS
19:00:41.0593 3436 PAC207 - ok
19:00:41.0625 3436 Parport (46f8db73b4a53e543f8e371dc7c75bae) C:\WINDOWS\system32\DRIVERS\parport.sys
19:00:41.0625 3436 Parport - ok
19:00:41.0656 3436 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
19:00:41.0656 3436 PartMgr - ok
19:00:41.0671 3436 ParVdm (1fae19d0457176318bba4a8795656ebc) C:\WINDOWS\system32\drivers\ParVdm.sys
19:00:41.0671 3436 ParVdm - ok
19:00:41.0703 3436 PCI (6ce351d149cb4befc702951e471e1730) C:\WINDOWS\system32\DRIVERS\pci.sys
19:00:41.0703 3436 PCI - ok
19:00:41.0718 3436 PCIDump - ok
19:00:41.0734 3436 PCIIde (2da4ec85e0ea7a45c6b2a05820492d5a) C:\WINDOWS\system32\DRIVERS\pciide.sys
19:00:41.0734 3436 PCIIde - ok
19:00:41.0765 3436 Pcmcia (4fc31e6c19a5ce5198b1abff94cae758) C:\WINDOWS\system32\drivers\Pcmcia.sys
19:00:41.0781 3436 Pcmcia - ok
19:00:41.0796 3436 PDCOMP - ok
19:00:41.0812 3436 PDFRAME - ok
19:00:41.0843 3436 PDRELI - ok
19:00:41.0859 3436 PDRFRAME - ok
19:00:41.0875 3436 perc2 - ok
19:00:41.0906 3436 perc2hib - ok
19:00:41.0953 3436 PfModNT (2f5532f9b0f903b26847da674b4f55b2) C:\WINDOWS\system32\PfModNT.sys
19:00:41.0968 3436 PfModNT - ok
19:00:42.0000 3436 PlugPlay (f0d2ae69035092bf22dad6b50fab85c2) C:\WINDOWS\system32\services.exe
19:00:42.0000 3436 PlugPlay - ok
19:00:42.0015 3436 PolicyAgent (ed0a176354487ceed65b80a7148ab739) C:\WINDOWS\system32\lsass.exe
19:00:42.0031 3436 PolicyAgent - ok
19:00:42.0046 3436 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
19:00:42.0046 3436 PptpMiniport - ok
19:00:42.0078 3436 PQNTDrv (4228630829c0e521c43d882a00533374) C:\WINDOWS\system32\drivers\PQNTDrv.sys
19:00:42.0078 3436 PQNTDrv - ok
19:00:42.0093 3436 ProtectedStorage (ed0a176354487ceed65b80a7148ab739) C:\WINDOWS\system32\lsass.exe
19:00:42.0093 3436 ProtectedStorage - ok
19:00:42.0109 3436 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
19:00:42.0109 3436 PSched - ok
19:00:42.0140 3436 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
19:00:42.0140 3436 Ptilink - ok
19:00:42.0140 3436 ql1080 - ok
19:00:42.0156 3436 Ql10wnt - ok
19:00:42.0171 3436 ql12160 - ok
19:00:42.0187 3436 ql1240 - ok
19:00:42.0203 3436 ql1280 - ok
19:00:42.0218 3436 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
19:00:42.0218 3436 RasAcd - ok
19:00:42.0250 3436 RasAuto (2b5e44ea009f2f374b980e1e9a70635d) C:\WINDOWS\System32\rasauto.dll
19:00:42.0265 3436 RasAuto - ok
19:00:42.0296 3436 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
19:00:42.0296 3436 Rasl2tp - ok
19:00:42.0328 3436 RasMan (d57554c664b64604bd1ee13ea2c07e77) C:\WINDOWS\System32\rasmans.dll
19:00:42.0328 3436 RasMan - ok
19:00:42.0359 3436 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
19:00:42.0359 3436 RasPppoe - ok
19:00:42.0375 3436 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
19:00:42.0375 3436 Raspti - ok
19:00:42.0406 3436 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
19:00:42.0421 3436 Rdbss - ok
19:00:42.0437 3436 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
19:00:42.0453 3436 RDPCDD - ok
19:00:42.0484 3436 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
19:00:42.0484 3436 rdpdr - ok
19:00:42.0546 3436 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
19:00:42.0546 3436 RDPWD - ok
19:00:42.0578 3436 RDSessMgr (c0d9d9711cb74ee9bc66353d8cbdab0e) C:\WINDOWS\system32\sessmgr.exe
19:00:42.0593 3436 RDSessMgr - ok
19:00:42.0625 3436 redbook (611bfd220305be3a85ae876ea47d4aa5) C:\WINDOWS\system32\DRIVERS\redbook.sys
19:00:42.0625 3436 redbook - ok
19:00:42.0656 3436 RemoteAccess (127c26b5371651043450e52542099aba) C:\WINDOWS\System32\mprdim.dll
19:00:42.0656 3436 RemoteAccess - ok
19:00:42.0687 3436 RemoteRegistry (8f31505484a190d5b22274708799f4ec) C:\WINDOWS\system32\regsvc.dll
19:00:42.0703 3436 RemoteRegistry - ok
19:00:42.0734 3436 RpcLocator (718b3bdc0bc3c2f7d065a53d26202af9) C:\WINDOWS\system32\locator.exe
19:00:42.0734 3436 RpcLocator - ok
19:00:42.0781 3436 RpcSs (c868f3ae15cf71a93f2aa3a32856d839) C:\WINDOWS\system32\rpcss.dll
19:00:42.0796 3436 RpcSs - ok
19:00:42.0828 3436 RSUSBCCID (aea02865b8fecd6fcab10910a950d39a) C:\WINDOWS\system32\DRIVERS\RtsUCcid.sys
19:00:42.0828 3436 RSUSBCCID - ok
19:00:42.0859 3436 RSVP (09ab2e71e58b078038e3bfdba7ffc984) C:\WINDOWS\system32\rsvp.exe
19:00:42.0859 3436 RSVP - ok
19:00:42.0890 3436 rtl8139 (8be348f9aeeb4da0005b7f500f46f6ad) C:\WINDOWS\system32\DRIVERS\RTL8139.SYS
19:00:42.0890 3436 rtl8139 - ok
19:00:42.0921 3436 SamSs (ed0a176354487ceed65b80a7148ab739) C:\WINDOWS\system32\lsass.exe
19:00:42.0921 3436 SamSs - ok
19:00:42.0953 3436 SCardSvr (410046e401eb11e1e6749e9deea41d4a) C:\WINDOWS\System32\SCardSvr.exe
19:00:42.0953 3436 SCardSvr - ok
19:00:43.0000 3436 Schedule (3ff232a7731621b8902d81d42418c93c) C:\WINDOWS\system32\schedsvc.dll
19:00:43.0000 3436 Schedule - ok
19:00:43.0031 3436 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
19:00:43.0031 3436 Secdrv - ok
19:00:43.0046 3436 seclogon (477e2c3cc5e4a0d635bcb0ea8dcac3c6) C:\WINDOWS\System32\seclogon.dll
19:00:43.0046 3436 seclogon - ok
19:00:43.0078 3436 SENS (a530b75c10c23c9ab28fdb6ce719e21f) C:\WINDOWS\system32\sens.dll
19:00:43.0078 3436 SENS - ok
19:00:43.0109 3436 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
19:00:43.0109 3436 serenum - ok
19:00:43.0125 3436 Serial (b842729337c9b921615c40d3c1a1af96) C:\WINDOWS\system32\DRIVERS\serial.sys
19:00:43.0125 3436 Serial - ok
19:00:43.0171 3436 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
19:00:43.0171 3436 Sfloppy - ok
19:00:43.0218 3436 SharedAccess (f58faca9621d2db01bd0927d9a0a208e) C:\WINDOWS\System32\ipnathlp.dll
19:00:43.0218 3436 SharedAccess - ok
19:00:43.0265 3436 ShellHWDetection (b927443008910b412bec72fc41c1bad0) C:\WINDOWS\System32\shsvcs.dll
19:00:43.0265 3436 ShellHWDetection - ok
19:00:43.0281 3436 Simbad - ok
19:00:43.0312 3436 sisagp (c729eb60dd40948e5eb3fb53dc9cad44) C:\WINDOWS\system32\DRIVERS\sisagp.sys
19:00:43.0312 3436 sisagp - ok
19:00:43.0343 3436 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
19:00:43.0343 3436 SLIP - ok
19:00:43.0359 3436 Sparrow - ok
19:00:43.0421 3436 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
19:00:43.0421 3436 splitter - ok
19:00:43.0453 3436 Spooler (cb1090bca0e7b40d0b5b4e4d66531809) C:\WINDOWS\system32\spoolsv.exe
19:00:43.0453 3436 Spooler - ok
19:00:43.0531 3436 sptd (71e276f6d189413266ea22171806597b) C:\WINDOWS\system32\Drivers\sptd.sys
19:00:43.0531 3436 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: 71e276f6d189413266ea22171806597b
19:00:43.0531 3436 sptd ( LockedFile.Multi.Generic ) - warning
19:00:43.0531 3436 sptd - detected LockedFile.Multi.Generic (1)
19:00:43.0562 3436 sr (94610c8653635e4459316a0050d55ce7) C:\WINDOWS\system32\DRIVERS\sr.sys
19:00:43.0562 3436 sr - ok
19:00:43.0593 3436 srservice (35b91147124f64ac8081a2edb9ea4dee) C:\WINDOWS\system32\srsvc.dll
19:00:43.0593 3436 srservice - ok
19:00:43.0640 3436 Srv (5252605079810904e31c332e241cd59b) C:\WINDOWS\system32\DRIVERS\srv.sys
19:00:43.0640 3436 Srv - ok
19:00:43.0671 3436 SSDPSRV (becd5271dc4e3b7c3d035f790fcbc1e5) C:\WINDOWS\System32\ssdpsrv.dll
19:00:43.0687 3436 SSDPSRV - ok
19:00:43.0734 3436 stisvc (c1cdd9275f6a115bb0ae1d55d8d27ba6) C:\WINDOWS\system32\wiaservc.dll
19:00:43.0750 3436 stisvc - ok
19:00:43.0765 3436 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
19:00:43.0765 3436 streamip - ok
19:00:43.0796 3436 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
19:00:43.0796 3436 swenum - ok
19:00:43.0828 3436 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
19:00:43.0828 3436 swmidi - ok
19:00:43.0843 3436 SwPrv - ok
19:00:43.0859 3436 symc810 - ok
19:00:43.0875 3436 symc8xx - ok
19:00:43.0890 3436 sym_hi - ok
19:00:43.0906 3436 sym_u3 - ok
19:00:43.0937 3436 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
19:00:43.0937 3436 sysaudio - ok
19:00:43.0968 3436 SysmonLog (ce06f01b88ace199a1bf460cac29c110) C:\WINDOWS\system32\smlogsvc.exe
19:00:43.0984 3436 SysmonLog - ok
19:00:44.0031 3436 TapiSrv (c2546cd7a398476f9df5614b2ae160e8) C:\WINDOWS\System32\tapisrv.dll
19:00:44.0046 3436 TapiSrv - ok
19:00:44.0078 3436 Tcpip (93ea8d04ec73a85db02eb8805988f733) C:\WINDOWS\system32\DRIVERS\tcpip.sys
19:00:44.0093 3436 Tcpip - ok
19:00:44.0125 3436 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
19:00:44.0125 3436 TDPIPE - ok
19:00:44.0140 3436 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
19:00:44.0156 3436 TDTCP - ok
19:00:44.0187 3436 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
19:00:44.0187 3436 TermDD - ok
19:00:44.0234 3436 TermService (a75dd6fc3dbee4fff5ebc9f2c28bb66e) C:\WINDOWS\System32\termsrv.dll
19:00:44.0250 3436 TermService - ok
19:00:44.0281 3436 Themes (b927443008910b412bec72fc41c1bad0) C:\WINDOWS\System32\shsvcs.dll
19:00:44.0296 3436 Themes - ok
19:00:44.0328 3436 TlntSvr (cd0cc7b167d78043a41c98d4921efb54) C:\WINDOWS\system32\tlntsvr.exe
19:00:44.0343 3436 TlntSvr - ok
19:00:44.0359 3436 TosIde - ok
19:00:44.0390 3436 TrkWks (38853304ccb938d30e0c4cde8d2c2a8a) C:\WINDOWS\system32\trkwks.dll
19:00:44.0390 3436 TrkWks - ok
19:00:44.0421 3436 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
19:00:44.0421 3436 Udfs - ok
19:00:44.0437 3436 ultra - ok
19:00:44.0500 3436 UnlockerDriver5 (bb879dcfd22926efbeb3298129898cbb) C:\Program Files\Unlocker\UnlockerDriver5.sys
19:00:44.0500 3436 UnlockerDriver5 - ok
19:00:44.0546 3436 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
19:00:44.0546 3436 Update - ok
19:00:44.0593 3436 upnphost (651bd90dcee5b7bdc74a2eb7c9266f9e) C:\WINDOWS\System32\upnphost.dll
19:00:44.0593 3436 upnphost - ok
19:00:44.0609 3436 UPS (20a0f6a11959e92908717d09e87d670d) C:\WINDOWS\System32\ups.exe
19:00:44.0625 3436 UPS - ok
19:00:44.0640 3436 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
19:00:44.0640 3436 usbehci - ok
19:00:44.0656 3436 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
19:00:44.0656 3436 usbhub - ok
19:00:44.0671 3436 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
19:00:44.0671 3436 usbohci - ok
19:00:44.0703 3436 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
19:00:44.0718 3436 USBSTOR - ok
19:00:44.0734 3436 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
19:00:44.0734 3436 VgaSave - ok
19:00:44.0750 3436 ViaIde - ok
19:00:44.0781 3436 VolSnap (28a4b296b47782173c346e376cb374d1) C:\WINDOWS\system32\drivers\VolSnap.sys
19:00:44.0781 3436 VolSnap - ok
19:00:44.0812 3436 VSS (d6ba1a63d9e00933f1cd2a885573afb2) C:\WINDOWS\System32\vssvc.exe
19:00:44.0828 3436 VSS - ok
19:00:44.0859 3436 W32Time (fa4e1cdba256787f2149f4aad07bc91f) C:\WINDOWS\system32\w32time.dll
19:00:44.0875 3436 W32Time - ok
19:00:44.0906 3436 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
19:00:44.0906 3436 Wanarp - ok
19:00:44.0921 3436 WDICA - ok
19:00:44.0984 3436 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
19:00:45.0000 3436 wdmaud - ok
19:00:45.0015 3436 WebClient (47ae51048a82dfa1cd6b51d369f7e169) C:\WINDOWS\System32\webclnt.dll
19:00:45.0031 3436 WebClient - ok
19:00:45.0078 3436 winmgmt (e488332126e3b1182d2b8a0c35408ec6) C:\WINDOWS\system32\wbem\WMIsvc.dll
19:00:45.0093 3436 winmgmt - ok
19:00:45.0140 3436 WMDM PMSP Service (581176f60885aef8f78c6e38dcc3cdf9) C:\WINDOWS\system32\MsPMSPSv.exe
19:00:45.0140 3436 WMDM PMSP Service - ok
19:00:45.0171 3436 WmdmPmSN (c51b4a5c05a5475708e3c81c7765b71d) C:\WINDOWS\system32\mspmsnsv.dll
19:00:45.0171 3436 WmdmPmSN - ok
19:00:45.0250 3436 Wmi (6538d6bde04b56737fe743c24d4ce83d) C:\WINDOWS\System32\advapi32.dll
19:00:45.0281 3436 Wmi - ok
19:00:45.0312 3436 WmiApSrv (23f6f03272f7e5679f1f050aed5acee6) C:\WINDOWS\system32\wbem\wmiapsrv.exe
19:00:45.0312 3436 WmiApSrv - ok
19:00:45.0437 3436 WMPNetworkSvc (3739866d20abd42f26a7b85f9e2560af) C:\Program Files\Windows Media Player\WMPNetwk.exe
19:00:45.0468 3436 WMPNetworkSvc - ok
19:00:45.0609 3436 WPFFontCache_v0400 (dcf3e3edf5109ee8bc02fe6e1f045795) C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe
19:00:45.0640 3436 WPFFontCache_v0400 - ok
19:00:45.0734 3436 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
19:00:45.0734 3436 WS2IFSL - ok
19:00:45.0765 3436 wscsvc (4c86d5faf78194995af9cc1075f65dd3) C:\WINDOWS\system32\wscsvc.dll
19:00:45.0781 3436 wscsvc - ok
19:00:45.0812 3436 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
19:00:45.0812 3436 WSTCODEC - ok
19:00:45.0828 3436 wuauserv (c1364564800ee9784192145324a23308) C:\WINDOWS\system32\wuauserv.dll
19:00:45.0828 3436 wuauserv - ok
19:00:45.0859 3436 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
19:00:45.0859 3436 WudfPf - ok
19:00:45.0890 3436 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
19:00:45.0890 3436 WudfRd - ok
19:00:45.0906 3436 WudfSvc (05231c04253c5bc30b26cbaae680ed89) C:\WINDOWS\System32\WUDFSvc.dll
19:00:45.0906 3436 WudfSvc - ok
19:00:45.0968 3436 WZCSVC (a27d4ba7264c0bf52f32d10405bea1d4) C:\WINDOWS\System32\wzcsvc.dll
19:00:46.0015 3436 WZCSVC - ok
19:00:46.0046 3436 xmlprov (eaa4bb9edb3fb10cf8979fe65e63658f) C:\WINDOWS\System32\xmlprov.dll
19:00:46.0062 3436 xmlprov - ok
19:00:46.0109 3436 MBR (0x1B8) (413fc2a0c716421b3158746d63736515) \Device\Harddisk0\DR0
19:00:46.0843 3436 \Device\Harddisk0\DR0 - ok
19:00:46.0859 3436 MBR (0x1B8) (5fb38429d5d77768867c76dcbdb35194) \Device\Harddisk1\DR1
19:00:46.0937 3436 \Device\Harddisk1\DR1 - ok
19:00:46.0937 3436 Boot (0x1200) (e53bbfb43a1a7d155fc2f9529affd814) \Device\Harddisk0\DR0\Partition0
19:00:46.0953 3436 \Device\Harddisk0\DR0\Partition0 - ok
19:00:46.0984 3436 Boot (0x1200) (e631e98ede6c871997ba041e66a246ed) \Device\Harddisk0\DR0\Partition1
19:00:46.0984 3436 \Device\Harddisk0\DR0\Partition1 - ok
19:00:47.0015 3436 Boot (0x1200) (38128683195653d78d4e296c1886fba2) \Device\Harddisk0\DR0\Partition2
19:00:47.0015 3436 \Device\Harddisk0\DR0\Partition2 - ok
19:00:47.0015 3436 Boot (0x1200) (570d283aec0daaa232a8e8bca08643c3) \Device\Harddisk1\DR1\Partition0
19:00:47.0031 3436 \Device\Harddisk1\DR1\Partition0 - ok
19:00:47.0046 3436 Boot (0x1200) (e914101121217a84e6da7051ab9762c6) \Device\Harddisk1\DR1\Partition1
19:00:47.0046 3436 \Device\Harddisk1\DR1\Partition1 - ok
19:00:47.0078 3436 Boot (0x1200) (3764d93264adf5625722a58950a93954) \Device\Harddisk1\DR1\Partition2
19:00:47.0078 3436 \Device\Harddisk1\DR1\Partition2 - ok
19:00:47.0109 3436 Boot (0x1200) (ad93ca5ab9bb4d971c11ca926c3e4d5d) \Device\Harddisk1\DR1\Partition3
19:00:47.0109 3436 \Device\Harddisk1\DR1\Partition3 - ok
19:00:47.0109 3436 ============================================================
19:00:47.0109 3436 Scan finished
19:00:47.0109 3436 ============================================================
19:00:47.0140 0908 Detected object count: 1
19:00:47.0140 0908 Actual detected object count: 1
19:00:52.0843 0908 sptd ( LockedFile.Multi.Generic ) - skipped by user
19:00:52.0843 0908 sptd ( LockedFile.Multi.Generic ) - User select action: Skip



GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2012-06-03 18:23:01
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4 WDC_WD5000AAKB-00H8A0 rev.05.04E05
Running: gmer.exe; Driver: C:\DOCUME~1\Honza\LOCALS~1\Temp\pxlyrpow.sys


---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 malicious Win32:MBRoot code @ sector 976768068

---- System - GMER 1.0.15 ----

SSDT spve.sys ZwEnumerateKey [0xF772CCA2]
SSDT spve.sys ZwEnumerateValueKey [0xF772D030]

---- Devices - GMER 1.0.15 ----

Device \Driver\atapi \Device\Ide\IdePort0 [F7662B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 [F7662B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort1 [F7662B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c [F7662B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 [F7662B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 [F7662B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\aysz2xy7 \Device\Scsi\aysz2xy71 8646B500
Device \Driver\aysz2xy7 \Device\Scsi\aysz2xy71Port2Path0Target0Lun0 8646B500
Device \FileSystem\Ntfs \Ntfs 867D81F8

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\Tcpip \Device\Ip epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\Udp epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\RawIp epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)

---- EOF - GMER 1.0.15 ----



Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD5000AAKB-00H8A0 rev.05.04E05 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys spve.sys >>UNKNOWN [0x8678D938]<<
spve.sys
_asm { PUSH EBP; MOV EBP, ESP; JMP 0xfffffffff9d84afe; }
1 nt!IofCallDriver[0x804E37C5] -> \Device\Harddisk0\DR0[0x86733AB8]
3 CLASSPNP[0xF788EFD7] -> nt!IofCallDriver[0x804E37C5] -> \Device\0000005d[0x86729F18]
5 ACPI[0xF76CD620] -> nt!IofCallDriver[0x804E37C5] -> \Device\Ide\IdeDeviceP0T0L0-4[0x8673FD98]
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
user & kernel MBR OK
copy of MBR has been found in sector 976768065

Kód: Vybrat vše

MBRScan v1.1.1

OS             : Windows XP Home Service Pack 3 (32 bit)
PROCESSOR      : x86 Family 15 Model 2 Stepping 4, GenuineIntel
BOOT           : Normal Boot
DATE           : 2012/06/03 (ISO 8601) at 18:29:27
________________________________________________________________________________

DISK           : Device\Harddisk0\DR0 __WDC WD5000AAKB-00H8A0 (05.04E05)
BUS_TYPE       : (0x03)  P-ATA
USE_PIO        : YES
MAX_TRANSFER   : 128 Kb
ALIGNMENT_MASK : word aligned
________________________________________________________________________________

DISK           : Device\Harddisk1\DR1 __ST3300622A (3.AAH)
BUS_TYPE       : (0x03)  P-ATA
USE_PIO        : YES
MAX_TRANSFER   : 128 Kb
ALIGNMENT_MASK : word aligned
________________________________________________________________________________

Device\Harddisk0\DR0	465.8 Go  [Fixed] ==> XP MBR Code

MBR_MD5   : 86A438E548C157B4A11CAA6EBE95596A
MBR_SHA1  : D7713C070CE27FCA9421CB62BD62FBF95369BAFC

Device\Harddisk0\Partition1	39.06 Go  	0x07 NTFS / HPFS __ BOOTABLE __
Device\Harddisk0\Partition2	212.9 Go  	0x07 NTFS / HPFS
Device\Harddisk0\Partition3	213.8 Go  	0x07 NTFS / HPFS
________________________________________________________________________________

Device\Harddisk1\DR1	279.5 Go  [Fixed] ==> Unknown MBR Code

MBR_MD5   : AA1886618D5530BBF5B3C63A0E513369
MBR_SHA1  : BB5405E56504AAA00D037658E6FC3B095744195F

Device\Harddisk1\Partition1	69.82 Go  	0x07 NTFS / HPFS
Device\Harddisk1\Partition2	69.82 Go  	0x07 NTFS / HPFS
Device\Harddisk1\Partition3	97.66 Go  	0x07 NTFS / HPFS
Device\Harddisk1\Partition4	42.14 Go  	0x07 NTFS / HPFS
________________________________________________________________________________

############################### Additional scan ################################

DRIVER  : C:\DOCUME~1\Honza\LOCALS~1\Temp\pxlyrpow.sys => Invisible on the disk
ADDRESS : 0xF22D8000
SIZE    : 100.0 Ko

SystemStartOptions : NOEXECUTE=OPTIN  FASTDETECT

________________________________________________________________________________

_______MBR   \Device\Harddisk0\DR0  

0x00000000   33 C0 8E D0 BC 00 7C FB 50 07 50 1F FC BE 1B 7C   3À.м.|ûP.P.ü¾.|
0x00000010   BF 1B 06 50 57 B9 E5 01 F3 A4 CB BD BE 07 B1 04   ¿..PW¹å.ó¤Ë½¾.±.
0x00000020   38 6E 00 7C 09 75 13 83 C5 10 E2 F4 CD 18 8B F5   8n.|.u..Å.âôÍ..õ
0x00000030   83 C6 10 49 74 19 38 2C 74 F6 A0 B5 07 B4 07 8B   .Æ.It.8,tö.µ.´..
0x00000040   F0 AC 3C 00 74 FC BB 07 00 B4 0E CD 10 EB F2 88   ð¬<.tü»..´.Í.ëò.
0x00000050   4E 10 E8 46 00 73 2A FE 46 10 80 7E 04 0B 74 0B   N.èF.s*þF..~..t.
0x00000060   80 7E 04 0C 74 05 A0 B6 07 75 D2 80 46 02 06 83   .~..t..¶.uÒ.F...
0x00000070   46 08 06 83 56 0A 00 E8 21 00 73 05 A0 B6 07 EB   F...V..è!.s..¶.ë
0x00000080   BC 81 3E FE 7D 55 AA 74 0B 80 7E 10 00 74 C8 A0   ¼.>þ}Uªt..~..tÈ.
0x00000090   B7 07 EB A9 8B FC 1E 57 8B F5 CB BF 05 00 8A 56   ·.ë©.ü.W.õË¿...V
0x000000A0   00 B4 08 CD 13 72 23 8A C1 24 3F 98 8A DE 8A FC   .´.Í.r#.Á$?..Þ.ü
0x000000B0   43 F7 E3 8B D1 86 D6 B1 06 D2 EE 42 F7 E2 39 56   C÷ã.Ñ.Ö±.ÒîB÷â9V
0x000000C0   0A 77 23 72 05 39 46 08 73 1C B8 01 02 BB 00 7C   .w#r.9F.s.¸..».|
0x000000D0   8B 4E 02 8B 56 00 CD 13 73 51 4F 74 4E 32 E4 8A   .N..V.Í.sQOtN2ä.
0x000000E0   56 00 CD 13 EB E4 8A 56 00 60 BB AA 55 B4 41 CD   V.Í.ëä.V.`»ªU´AÍ
0x000000F0   13 72 36 81 FB 55 AA 75 30 F6 C1 01 74 2B 61 60   .r6.ûUªu0öÁ.t+a`
0x00000100   6A 00 6A 00 FF 76 0A FF 76 08 6A 00 68 00 7C 6A   j.j..v..v.j.h.|j
0x00000110   01 6A 10 B4 42 8B F4 CD 13 61 61 73 0E 4F 74 0B   .j.´B.ôÍ.aas.Ot.
0x00000120   32 E4 8A 56 00 CD 13 EB D6 61 F9 C3 4E 65 70 6C   2ä.V.Í.ëÖaùÃNepl
0x00000130   61 74 6E A0 20 74 61 62 75 6C 6B 61 20 6F 64 64   atn. tabulka odd
0x00000140   A1 6C 85 00 43 68 79 62 61 20 70 FD 69 20 6E 61   ¡l..Chyba pýi na
0x00000150   9F A1 74 A0 6E A1 20 6F 70 65 72 61 9F 6E A1 68   .¡t.n¡ opera.n¡h
0x00000160   6F 20 73 79 73 74 82 6D 75 00 4F 70 65 72 61 9F   o syst.mu.Opera.
0x00000170   6E A1 20 73 79 73 74 82 6D 20 6E 65 6E 61 6C 65   n¡ syst.m nenale
0x00000180   7A 65 6E 00 00 00 00 00 00 00 00 00 00 00 00 00   zen.............
0x00000190   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x000001A0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x000001B0   00 00 00 00 00 2C 44 6A 4C 06 3D 8C 00 00 80 01   .....,DjL.=.....
0x000001C0   01 00 07 FE FF FF 3F 00 00 00 EC ED E1 04 00 FE   ...þ..?...ìíá..þ
0x000001D0   FF FF 07 FE FF FF 2B EE E1 04 CF 79 9C 1A 00 FE   ...þ..+îá.Ïy...þ
0x000001E0   FF FF 07 FE FF FF FA 67 7E 1F 47 E4 B9 1A 00 00   ...þ..úg~.Gä¹...
0x000001F0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 AA   ..............Uª

__________________________16_BIT_ASM_CODE
   
0x0000    33c0            XOR AX, AX   
0x0002    8ed0            MOV SS, AX   
0x0004    bc 007c         MOV SP, 0x7c00   
0x0007    fb              STI   
0x0008    50              PUSH AX   
0x0009    07              POP ES   
0x000A    50              PUSH AX   
0x000B    1f              POP DS   
0x000C    fc              CLD   
0x000D    be 1b7c         MOV SI, 0x7c1b   
0x0010    bf 1b06         MOV DI, 0x61b   
0x0013    50              PUSH AX   
0x0014    57              PUSH DI   
0x0015    b9 e501         MOV CX, 0x1e5   
0x0018    f3 a4           REP MOVSB   
0x001A    cb              RETF   
0x001B    bd be07         MOV BP, 0x7be   
0x001E    b1 04           MOV CL, 0x4   
0x0020    386e 00         CMP [BP+0x0], CH   
0x0023    7c 09           JL 0x2e   
0x0025    75 13           JNZ 0x3a   
0x0027    83c5 10         ADD BP, 0x10   
0x002A    e2 f4           LOOP 0x20   
0x002C    cd 18           INT 0x18   
0x002E    8bf5            MOV SI, BP   
0x0030    83c6 10         ADD SI, 0x10   
0x0033    49              DEC CX   
0x0034    74 19           JZ 0x4f   
0x0036    382c            CMP [SI], CH   
0x0038    74 f6           JZ 0x30   
0x003A    a0 b507         MOV AL, [0x7b5]   
0x003D    b4 07           MOV AH, 0x7   
0x003F    8bf0            MOV SI, AX   
0x0041    ac              LODSB   
0x0042    3c 00           CMP AL, 0x0   
0x0044    74 fc           JZ 0x42   
0x0046    bb 0700         MOV BX, 0x7   
0x0049    b4 0e           MOV AH, 0xe   
0x004B    cd 10           INT 0x10   
0x004D    eb f2           JMP 0x41   
0x004F    884e 10         MOV [BP+0x10], CL   
0x0052    e8 4600         CALL 0x9b   
0x0055    73 2a           JAE 0x81   
0x0057    fe46 10         INC BYTE [BP+0x10]   
0x005A    807e 04 0b      CMP BYTE [BP+0x4], 0xb   
0x005E    74 0b           JZ 0x6b   
0x0060    807e 04 0c      CMP BYTE [BP+0x4], 0xc   
0x0064    74 05           JZ 0x6b   
0x0066    a0 b607         MOV AL, [0x7b6]   
0x0069    75 d2           JNZ 0x3d   
0x006B    8046 02 06      ADD BYTE [BP+0x2], 0x6   
0x006F    8346 08 06      ADD WORD [BP+0x8], 0x6   
0x0073    8356 0a 00      ADC WORD [BP+0xa], 0x0   
0x0077    e8 2100         CALL 0x9b   
0x007A    73 05           JAE 0x81   
0x007C    a0 b607         MOV AL, [0x7b6]   
0x007F    eb bc           JMP 0x3d   
0x0081    813e fe7d 55aa  CMP WORD [0x7dfe], 0xaa55   
0x0087    74 0b           JZ 0x94   
0x0089    807e 10 00      CMP BYTE [BP+0x10], 0x0   
0x008D    74 c8           JZ 0x57   
0x008F    a0 b707         MOV AL, [0x7b7]   
0x0092    eb a9           JMP 0x3d   
0x0094    8bfc            MOV DI, SP   
0x0096    1e              PUSH DS   
0x0097    57              PUSH DI   
0x0098    8bf5            MOV SI, BP   
0x009A    cb              RETF   
0x009B    bf 0500         MOV DI, 0x5   
0x009E    8a56 00         MOV DL, [BP+0x0]   
0x00A1    b4 08           MOV AH, 0x8   
0x00A3    cd 13           INT 0x13   
0x00A5    72 23           JB 0xca   
0x00A7    8ac1            MOV AL, CL   
0x00A9    24 3f           AND AL, 0x3f   
0x00AB    98              CBW   
0x00AC    8ade            MOV BL, DH   
0x00AE    8afc            MOV BH, AH   
0x00B0    43              INC BX   
0x00B1    f7e3            MUL BX   
0x00B3    8bd1            MOV DX, CX   
0x00B5    86d6            XCHG DH, DL   
0x00B7    b1 06           MOV CL, 0x6   
0x00B9    d2ee            SHR DH, CL   
0x00BB    42              INC DX   
0x00BC    f7e2            MUL DX   
0x00BE    3956 0a         CMP [BP+0xa], DX   
0x00C1    77 23           JA 0xe6   
0x00C3    72 05           JB 0xca   
0x00C5    3946 08         CMP [BP+0x8], AX   
0x00C8    73 1c           JAE 0xe6   
0x00CA    b8 0102         MOV AX, 0x201   
0x00CD    bb 007c         MOV BX, 0x7c00   
0x00D0    8b4e 02         MOV CX, [BP+0x2]   
0x00D3    8b56 00         MOV DX, [BP+0x0]   
0x00D6    cd 13           INT 0x13   
0x00D8    73 51           JAE 0x12b   
0x00DA    4f              DEC DI   
0x00DB    74 4e           JZ 0x12b   
0x00DD    32e4            XOR AH, AH   
0x00DF    8a56 00         MOV DL, [BP+0x0]   
0x00E2    cd 13           INT 0x13   
0x00E4    eb e4           JMP 0xca   
0x00E6    8a56 00         MOV DL, [BP+0x0]   
0x00E9    60              PUSHA   
0x00EA    bb aa55         MOV BX, 0x55aa   
0x00ED    b4 41           MOV AH, 0x41   
0x00EF    cd 13           INT 0x13   
0x00F1    72 36           JB 0x129   
0x00F3    81fb 55aa       CMP BX, 0xaa55   
0x00F7    75 30           JNZ 0x129   
0x00F9    f6c1 01         TEST CL, 0x1   
0x00FC    74 2b           JZ 0x129   
0x00FE    61              POPA   
0x00FF    60              PUSHA   
0x0100    6a 00           PUSH 0x0   
0x0102    6a 00           PUSH 0x0   
0x0104    ff76 0a         PUSH WORD [BP+0xa]   
0x0107    ff76 08         PUSH WORD [BP+0x8]   
0x010A    6a 00           PUSH 0x0   
0x010C    68 007c         PUSH 0x7c00   
0x010F    6a 01           PUSH 0x1   
0x0111    6a 10           PUSH 0x10   
0x0113    b4 42           MOV AH, 0x42   
0x0115    8bf4            MOV SI, SP   
0x0117    cd 13           INT 0x13   
0x0119    61              POPA   
0x011A    61              POPA   
0x011B    73 0e           JAE 0x12b   
0x011D    4f              DEC DI   
0x011E    74 0b           JZ 0x12b   
0x0120    32e4            XOR AH, AH   
0x0122    8a56 00         MOV DL, [BP+0x0]   
0x0125    cd 13           INT 0x13   
0x0127    eb d6           JMP 0xff   
0x0129    61              POPA   
0x012A    f9              STC   
0x012B    c3              RET   
0x012C    4e              DEC SI   
0x012D    65              DB 0x65   
0x012D    65 70 6c        JO 0x19c   
0x0130    61              POPA   
0x0131    74 6e           JZ 0x1a1   
0x0133    a0 2074         MOV AL, [0x7420]   
0x0136    61              POPA   
0x0137    6275 6c         BOUND SI, [DI+0x6c]   
0x013A    6b61 20 6f      IMUL SP, [BX+DI+0x20], 0x6f   
0x013E    64              DB 0x64   
0x013F    64 a1 6c85      MOV AX, FS:[0x856c]   
0x0143    0043 68         ADD [BP+DI+0x68], AL   
0x0146    79 62           JNS 0x1aa   
0x0148    61              POPA   
0x0149    2070 fd         AND [BX+SI-0x3], DH   
0x014C    6920 6e61       IMUL SP, [BX+SI], 0x616e   
0x0150    9f              LAHF   
0x0151    a1 74a0         MOV AX, [0xa074]   
0x0154    6e              OUTSB   
0x0155    a1 206f         MOV AX, [0x6f20]   
0x0158    70 65           JO 0x1bf   
0x015A    72 61           JB 0x1bd   
0x015C    9f              LAHF   
0x015D    6e              OUTSB   
0x015E    a1 686f         MOV AX, [0x6f68]   
0x0161    2073 79         AND [BP+DI+0x79], DH   
0x0164    73 74           JAE 0x1da   
0x0166    826d 75 00      SUB BYTE [DI+0x75], 0x0   
0x016A    4f              DEC DI   
0x016B    70 65           JO 0x1d2   
0x016D    72 61           JB 0x1d0   
0x016F    9f              LAHF   
0x0170    6e              OUTSB   
0x0171    a1 2073         MOV AX, [0x7320]   
0x0174    79 73           JNS 0x1e9   
0x0176    74 82           JZ 0xfa   
0x0178    6d              INSW   
0x0179    206e 65         AND [BP+0x65], CH   
0x017C    6e              OUTSB   
0x017D    61              POPA   
0x017E    6c              INSB   
0x017F    65              DB 0x65   
0x017F    65 7a 65        JP 0x1e7   
0x0182    6e              OUTSB   
0x0183    0000            ADD [BX+SI], AL   
0x0185    0000            ADD [BX+SI], AL   
0x0187    0000            ADD [BX+SI], AL   
0x0189    0000            ADD [BX+SI], AL   
0x018B    0000            ADD [BX+SI], AL   
0x018D    0000            ADD [BX+SI], AL   
0x018F    0000            ADD [BX+SI], AL   
0x0191    0000            ADD [BX+SI], AL   
0x0193    0000            ADD [BX+SI], AL   
0x0195    0000            ADD [BX+SI], AL   
0x0197    0000            ADD [BX+SI], AL   
0x0199    0000            ADD [BX+SI], AL   
0x019B    0000            ADD [BX+SI], AL   
0x019D    0000            ADD [BX+SI], AL   
0x019F    0000            ADD [BX+SI], AL   
0x01A1    0000            ADD [BX+SI], AL   
0x01A3    0000            ADD [BX+SI], AL   
0x01A5    0000            ADD [BX+SI], AL   
0x01A7    0000            ADD [BX+SI], AL   
0x01A9    0000            ADD [BX+SI], AL   
0x01AB    0000            ADD [BX+SI], AL   
0x01AD    0000            ADD [BX+SI], AL   
0x01AF    0000            ADD [BX+SI], AL   
0x01B1    0000            ADD [BX+SI], AL   
0x01B3    0000            ADD [BX+SI], AL   
0x01B5    2c 44           SUB AL, 0x44   
0x01B7    6a 4c           PUSH 0x4c   
0x01B9    06              PUSH ES   
0x01BA    3d 8c00         CMP AX, 0x8c   
0x01BD    0080 0101       ADD [BX+SI+0x101], AL   
0x01C1    0007            ADD [BX], AL   
0x01C3    fe              DB 0xfe   
0x01C4    ff              DB 0xff   
0x01C5    ff              DB 0xff   
0x01C6    3f              AAS   
0x01C7    0000            ADD [BX+SI], AL   
0x01C9    00ec            ADD AH, CH   
0x01CB    ed              IN AX, DX   
0x01CC    e1 04           LOOPZ 0x1d2   
0x01CE    00fe            ADD DH, BH   
0x01D0    ff              DB 0xff   
0x01D1    ff07            INC WORD [BX]   
0x01D3    fe              DB 0xfe   
0x01D4    ff              DB 0xff   
0x01D5    ff2b            JMP FAR WORD [BP+DI]   
0x01D7    ee              OUT DX, AL   
0x01D8    e1 04           LOOPZ 0x1de   
0x01DA    cf              IRET   
0x01DB    79 9c           JNS 0x179   
0x01DD    1a00            SBB AL, [BX+SI]   
0x01DF    fe              DB 0xfe   
0x01E0    ff              DB 0xff   
0x01E1    ff07            INC WORD [BX]   
0x01E3    fe              DB 0xfe   
0x01E4    ff              DB 0xff   
0x01E5    ff              DB 0xff   
0x01E6    fa              CLI   
0x01E7    67              DB 0x67   
0x01E7    67 7e 1f        JLE 0x209   
0x01EA    47              INC DI   
0x01EB    e4 b9           IN AL, 0xb9   
0x01ED    1a00            SBB AL, [BX+SI]   
0x01EF    0000            ADD [BX+SI], AL   
0x01F1    0000            ADD [BX+SI], AL   
0x01F3    0000            ADD [BX+SI], AL   
0x01F5    0000            ADD [BX+SI], AL   
0x01F7    0000            ADD [BX+SI], AL   
0x01F9    0000            ADD [BX+SI], AL   
0x01FB    0000            ADD [BX+SI], AL   
0x01FD    0055 aa         ADD [DI-0x56], DL   


_______MBR   \Device\Harddisk1\DR1  

0x00000000   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x00000010   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x00000020   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x00000030   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x00000040   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x00000050   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x00000060   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x00000070   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x00000080   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x00000090   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x000000A0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x000000B0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x000000C0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x000000D0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x000000E0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x000000F0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x00000100   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x00000110   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x00000120   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x00000130   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x00000140   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x00000150   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x00000160   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x00000170   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x00000180   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x00000190   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x000001A0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x000001B0   00 00 00 00 00 00 00 00 5B 74 E1 FA 00 00 00 00   ........[táú....
0x000001C0   01 01 0F FE FF FF C1 3E 00 00 80 6E EE 22 00 00   ...þ..Á>...nî"..
0x000001D0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x000001E0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x000001F0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 AA   ..............Uª

__________________________16_BIT_ASM_CODE
   
0x0000    0000            ADD [BX+SI], AL   
0x0002    0000            ADD [BX+SI], AL   
0x0004    0000            ADD [BX+SI], AL   
0x0006    0000            ADD [BX+SI], AL   
0x0008    0000            ADD [BX+SI], AL   
0x000A    0000            ADD [BX+SI], AL   
0x000C    0000            ADD [BX+SI], AL   
0x000E    0000            ADD [BX+SI], AL   
0x0010    0000            ADD [BX+SI], AL   
0x0012    0000            ADD [BX+SI], AL   
0x0014    0000            ADD [BX+SI], AL   
0x0016    0000            ADD [BX+SI], AL   
0x0018    0000            ADD [BX+SI], AL   
0x001A    0000            ADD [BX+SI], AL   
0x001C    0000            ADD [BX+SI], AL   
0x001E    0000            ADD [BX+SI], AL   
0x0020    0000            ADD [BX+SI], AL   
0x0022    0000            ADD [BX+SI], AL   
0x0024    0000            ADD [BX+SI], AL   
0x0026    0000            ADD [BX+SI], AL   
0x0028    0000            ADD [BX+SI], AL   
0x002A    0000            ADD [BX+SI], AL   
0x002C    0000            ADD [BX+SI], AL   
0x002E    0000            ADD [BX+SI], AL   
0x0030    0000            ADD [BX+SI], AL   
0x0032    0000            ADD [BX+SI], AL   
0x0034    0000            ADD [BX+SI], AL   
0x0036    0000            ADD [BX+SI], AL   
0x0038    0000            ADD [BX+SI], AL   
0x003A    0000            ADD [BX+SI], AL   
0x003C    0000            ADD [BX+SI], AL   
0x003E    0000            ADD [BX+SI], AL   
0x0040    0000            ADD [BX+SI], AL   
0x0042    0000            ADD [BX+SI], AL   
0x0044    0000            ADD [BX+SI], AL   
0x0046    0000            ADD [BX+SI], AL   
0x0048    0000            ADD [BX+SI], AL   
0x004A    0000            ADD [BX+SI], AL   
0x004C    0000            ADD [BX+SI], AL   
0x004E    0000            ADD [BX+SI], AL   
0x0050    0000            ADD [BX+SI], AL   
0x0052    0000            ADD [BX+SI], AL   
0x0054    0000            ADD [BX+SI], AL   
0x0056    0000            ADD [BX+SI], AL   
0x0058    0000            ADD [BX+SI], AL   
0x005A    0000            ADD [BX+SI], AL   
0x005C    0000            ADD [BX+SI], AL   
0x005E    0000            ADD [BX+SI], AL   
0x0060    0000            ADD [BX+SI], AL   
0x0062    0000            ADD [BX+SI], AL   
0x0064    0000            ADD [BX+SI], AL   
0x0066    0000            ADD [BX+SI], AL   
0x0068    0000            ADD [BX+SI], AL   
0x006A    0000            ADD [BX+SI], AL   
0x006C    0000            ADD [BX+SI], AL   
0x006E    0000            ADD [BX+SI], AL   
0x0070    0000            ADD [BX+SI], AL   
0x0072    0000            ADD [BX+SI], AL   
0x0074    0000            ADD [BX+SI], AL   
0x0076    0000            ADD [BX+SI], AL   
0x0078    0000            ADD [BX+SI], AL   
0x007A    0000            ADD [BX+SI], AL   
0x007C    0000            ADD [BX+SI], AL   
0x007E    0000            ADD [BX+SI], AL   
0x0080    0000            ADD [BX+SI], AL   
0x0082    0000            ADD [BX+SI], AL   
0x0084    0000            ADD [BX+SI], AL   
0x0086    0000            ADD [BX+SI], AL   
0x0088    0000            ADD [BX+SI], AL   
0x008A    0000            ADD [BX+SI], AL   
0x008C    0000            ADD [BX+SI], AL   
0x008E    0000            ADD [BX+SI], AL   
0x0090    0000            ADD [BX+SI], AL   
0x0092    0000            ADD [BX+SI], AL   
0x0094    0000            ADD [BX+SI], AL   
0x0096    0000            ADD [BX+SI], AL   
0x0098    0000            ADD [BX+SI], AL   
0x009A    0000            ADD [BX+SI], AL   
0x009C    0000            ADD [BX+SI], AL   
0x009E    0000            ADD [BX+SI], AL   
0x00A0    0000            ADD [BX+SI], AL   
0x00A2    0000            ADD [BX+SI], AL   
0x00A4    0000            ADD [BX+SI], AL   
0x00A6    0000            ADD [BX+SI], AL   
0x00A8    0000            ADD [BX+SI], AL   
0x00AA    0000            ADD [BX+SI], AL   
0x00AC    0000            ADD [BX+SI], AL   
0x00AE    0000            ADD [BX+SI], AL   
0x00B0    0000            ADD [BX+SI], AL   
0x00B2    0000            ADD [BX+SI], AL   
0x00B4    0000            ADD [BX+SI], AL   
0x00B6    0000            ADD [BX+SI], AL   
0x00B8    0000            ADD [BX+SI], AL   
0x00BA    0000            ADD [BX+SI], AL   
0x00BC    0000            ADD [BX+SI], AL   
0x00BE    0000            ADD [BX+SI], AL   
0x00C0    0000            ADD [BX+SI], AL   
0x00C2    0000            ADD [BX+SI], AL   
0x00C4    0000            ADD [BX+SI], AL   
0x00C6    0000            ADD [BX+SI], AL   
0x00C8    0000            ADD [BX+SI], AL   
0x00CA    0000            ADD [BX+SI], AL   
0x00CC    0000            ADD [BX+SI], AL   
0x00CE    0000            ADD [BX+SI], AL   
0x00D0    0000            ADD [BX+SI], AL   
0x00D2    0000            ADD [BX+SI], AL   
0x00D4    0000            ADD [BX+SI], AL   
0x00D6    0000            ADD [BX+SI], AL   
0x00D8    0000            ADD [BX+SI], AL   
0x00DA    0000            ADD [BX+SI], AL   
0x00DC    0000            ADD [BX+SI], AL   
0x00DE    0000            ADD [BX+SI], AL   
0x00E0    0000            ADD [BX+SI], AL   
0x00E2    0000            ADD [BX+SI], AL   
0x00E4    0000            ADD [BX+SI], AL   
0x00E6    0000            ADD [BX+SI], AL   
0x00E8    0000            ADD [BX+SI], AL   
0x00EA    0000            ADD [BX+SI], AL   
0x00EC    0000            ADD [BX+SI], AL   
0x00EE    0000            ADD [BX+SI], AL   
0x00F0    0000            ADD [BX+SI], AL   
0x00F2    0000            ADD [BX+SI], AL   
0x00F4    0000            ADD [BX+SI], AL   
0x00F6    0000            ADD [BX+SI], AL   
0x00F8    0000            ADD [BX+SI], AL   
0x00FA    0000            ADD [BX+SI], AL   
0x00FC    0000            ADD [BX+SI], AL   
0x00FE    0000            ADD [BX+SI], AL   
0x0100    0000            ADD [BX+SI], AL   
0x0102    0000            ADD [BX+SI], AL   
0x0104    0000            ADD [BX+SI], AL   
0x0106    0000            ADD [BX+SI], AL   
0x0108    0000            ADD [BX+SI], AL   
0x010A    0000            ADD [BX+SI], AL   
0x010C    0000            ADD [BX+SI], AL   
0x010E    0000            ADD [BX+SI], AL   
0x0110    0000            ADD [BX+SI], AL   
0x0112    0000            ADD [BX+SI], AL   
0x0114    0000            ADD [BX+SI], AL   
0x0116    0000            ADD [BX+SI], AL   
0x0118    0000            ADD [BX+SI], AL   
0x011A    0000            ADD [BX+SI], AL   
0x011C    0000            ADD [BX+SI], AL   
0x011E    0000            ADD [BX+SI], AL   
0x0120    0000            ADD [BX+SI], AL   
0x0122    0000            ADD [BX+SI], AL   
0x0124    0000            ADD [BX+SI], AL   
0x0126    0000            ADD [BX+SI], AL   
0x0128    0000            ADD [BX+SI], AL   
0x012A    0000            ADD [BX+SI], AL   
0x012C    0000            ADD [BX+SI], AL   
0x012E    0000            ADD [BX+SI], AL   
0x0130    0000            ADD [BX+SI], AL   
0x0132    0000            ADD [BX+SI], AL   
0x0134    0000            ADD [BX+SI], AL   
0x0136    0000            ADD [BX+SI], AL   
0x0138    0000            ADD [BX+SI], AL   
0x013A    0000            ADD [BX+SI], AL   
0x013C    0000            ADD [BX+SI], AL   
0x013E    0000            ADD [BX+SI], AL   
0x0140    0000            ADD [BX+SI], AL   
0x0142    0000            ADD [BX+SI], AL   
0x0144    0000            ADD [BX+SI], AL   
0x0146    0000            ADD [BX+SI], AL   
0x0148    0000            ADD [BX+SI], AL   
0x014A    0000            ADD [BX+SI], AL   
0x014C    0000            ADD [BX+SI], AL   
0x014E    0000            ADD [BX+SI], AL   
0x0150    0000            ADD [BX+SI], AL   
0x0152    0000            ADD [BX+SI], AL   
0x0154    0000            ADD [BX+SI], AL   
0x0156    0000            ADD [BX+SI], AL   
0x0158    0000            ADD [BX+SI], AL   
0x015A    0000            ADD [BX+SI], AL   
0x015C    0000            ADD [BX+SI], AL   
0x015E    0000            ADD [BX+SI], AL   
0x0160    0000            ADD [BX+SI], AL   
0x0162    0000            ADD [BX+SI], AL   
0x0164    0000            ADD [BX+SI], AL   
0x0166    0000            ADD [BX+SI], AL   
0x0168    0000            ADD [BX+SI], AL   
0x016A    0000            ADD [BX+SI], AL   
0x016C    0000            ADD [BX+SI], AL   
0x016E    0000            ADD [BX+SI], AL   
0x0170    0000            ADD [BX+SI], AL   
0x0172    0000            ADD [BX+SI], AL   
0x0174    0000            ADD [BX+SI], AL   
0x0176    0000            ADD [BX+SI], AL   
0x0178    0000            ADD [BX+SI], AL   
0x017A    0000            ADD [BX+SI], AL   
0x017C    0000            ADD [BX+SI], AL   
0x017E    0000            ADD [BX+SI], AL   
0x0180    0000            ADD [BX+SI], AL   
0x0182    0000            ADD [BX+SI], AL   
0x0184    0000            ADD [BX+SI], AL   
0x0186    0000            ADD [BX+SI], AL   
0x0188    0000            ADD [BX+SI], AL   
0x018A    0000            ADD [BX+SI], AL   
0x018C    0000            ADD [BX+SI], AL   
0x018E    0000            ADD [BX+SI], AL   
0x0190    0000            ADD [BX+SI], AL   
0x0192    0000            ADD [BX+SI], AL   
0x0194    0000            ADD [BX+SI], AL   
0x0196    0000            ADD [BX+SI], AL   
0x0198    0000            ADD [BX+SI], AL   
0x019A    0000            ADD [BX+SI], AL   
0x019C    0000            ADD [BX+SI], AL   
0x019E    0000            ADD [BX+SI], AL   
0x01A0    0000            ADD [BX+SI], AL   
0x01A2    0000            ADD [BX+SI], AL   
0x01A4    0000            ADD [BX+SI], AL   
0x01A6    0000            ADD [BX+SI], AL   
0x01A8    0000            ADD [BX+SI], AL   
0x01AA    0000            ADD [BX+SI], AL   
0x01AC    0000            ADD [BX+SI], AL   
0x01AE    0000            ADD [BX+SI], AL   
0x01B0    0000            ADD [BX+SI], AL   
0x01B2    0000            ADD [BX+SI], AL   
0x01B4    0000            ADD [BX+SI], AL   
0x01B6    0000            ADD [BX+SI], AL   
0x01B8    5b              POP BX   
0x01B9    74 e1           JZ 0x19c   
0x01BB    fa              CLI   
0x01BC    0000            ADD [BX+SI], AL   
0x01BE    0000            ADD [BX+SI], AL   
0x01C0    0101            ADD [BX+DI], AX   
0x01C2    0ffeff          PADDD MM7, MM7   
0x01C5    ffc1            INC CX   
0x01C7    3e 0000         ADD DS:[BX+SI], AL   
0x01CA    806e ee 22      SUB BYTE [BP-0x12], 0x22   
0x01CE    0000            ADD [BX+SI], AL   
0x01D0    0000            ADD [BX+SI], AL   
0x01D2    0000            ADD [BX+SI], AL   
0x01D4    0000            ADD [BX+SI], AL   
0x01D6    0000            ADD [BX+SI], AL   
0x01D8    0000            ADD [BX+SI], AL   
0x01DA    0000            ADD [BX+SI], AL   
0x01DC    0000            ADD [BX+SI], AL   
0x01DE    0000            ADD [BX+SI], AL   
0x01E0    0000            ADD [BX+SI], AL   
0x01E2    0000            ADD [BX+SI], AL   
0x01E4    0000            ADD [BX+SI], AL   
0x01E6    0000            ADD [BX+SI], AL   
0x01E8    0000            ADD [BX+SI], AL   
0x01EA    0000            ADD [BX+SI], AL   
0x01EC    0000            ADD [BX+SI], AL   
0x01EE    0000            ADD [BX+SI], AL   
0x01F0    0000            ADD [BX+SI], AL   
0x01F2    0000            ADD [BX+SI], AL   
0x01F4    0000            ADD [BX+SI], AL   
0x01F6    0000            ADD [BX+SI], AL   
0x01F8    0000            ADD [BX+SI], AL   
0x01FA    0000            ADD [BX+SI], AL   
0x01FC    0000            ADD [BX+SI], AL   
0x01FE    55              PUSH BP   
0x01FF    aa              STOSB
Nahoru
Dr.Honza
Návštěvník
Návštěvník
Příspěvky: 28
Registrován: 20 zář 2006 22:40

Re: Backdoor.Win32.Sinowal i po placeném odvirování

#8 Příspěvek od Dr.Honza »

Odzálohováno. Přepíšu sektory 976768065 a 976768068 (na konci HDD0).
Mám je přepsat 00 celé nebo také jen do pozice B7?
Nahoru
Dr.Honza
Návštěvník
Návštěvník
Příspěvky: 28
Registrován: 20 zář 2006 22:40

Re: Backdoor.Win32.Sinowal i po placeném odvirování

#9 Příspěvek od Dr.Honza »

Zkontrolováno v HxD - sektory 976768065 a 976768068 fixnuty na 00. Data na HDD0 OK.
ESET 5, EMebRemover, TDSS killer - čisté. Logy z MbrScan, Gmer a mbr přiloženy (zdají se čisté!).
Je po boji?

Ještě mě napadá, jak zabránit abych to event. nechytl zpátky z flashdisků a externího disku?
Tedy za předpokladu, že se to na tom šíří...
Zformátovat se mi je nechce, mám tam data a práce, které jinde nemám...moc se v tom nevyznám,
ale předpokládám, že když flashdisky za chodu XP SP3 s novým ESET 5 a event. Kaspersky
připojím a zkontroluji, mělo by to Sinoval najít a zničit. Otázka jak s diskem, ten má VBR...
fixnout HxD stejně od 0 do 1B7? Moc děkuji!

BTW Doporučujete ke koupi spíše ESET 5 nebo Kaspersky Internet Security 2012?-nevím,
zda se sem ta otázka hodí.

Kód: Vybrat vše

MBRScan v1.1.1

OS             : Windows XP Home Service Pack 3 (32 bit)
PROCESSOR      : x86 Family 15 Model 2 Stepping 4, GenuineIntel
BOOT           : Normal Boot
DATE           : 2012/06/03 (ISO 8601) at 21:27:03
________________________________________________________________________________

DISK           : Device\Harddisk0\DR0 __WDC WD5000AAKB-00H8A0 (05.04E05)
BUS_TYPE       : (0x03)  P-ATA
USE_PIO        : YES
MAX_TRANSFER   : 128 Kb
ALIGNMENT_MASK : word aligned
________________________________________________________________________________

DISK           : Device\Harddisk1\DR1 __ST3300622A (3.AAH)
BUS_TYPE       : (0x03)  P-ATA
USE_PIO        : YES
MAX_TRANSFER   : 128 Kb
ALIGNMENT_MASK : word aligned
________________________________________________________________________________

Device\Harddisk0\DR0	465.8 Go  [Fixed] ==> XP MBR Code

MBR_MD5   : 86A438E548C157B4A11CAA6EBE95596A
MBR_SHA1  : D7713C070CE27FCA9421CB62BD62FBF95369BAFC

Device\Harddisk0\Partition1	39.06 Go  	0x07 NTFS / HPFS __ BOOTABLE __
Device\Harddisk0\Partition2	212.9 Go  	0x07 NTFS / HPFS
Device\Harddisk0\Partition3	213.8 Go  	0x07 NTFS / HPFS
________________________________________________________________________________

Device\Harddisk1\DR1	279.5 Go  [Fixed] ==> Unknown MBR Code

MBR_MD5   : AA1886618D5530BBF5B3C63A0E513369
MBR_SHA1  : BB5405E56504AAA00D037658E6FC3B095744195F

Device\Harddisk1\Partition1	69.82 Go  	0x07 NTFS / HPFS
Device\Harddisk1\Partition2	69.82 Go  	0x07 NTFS / HPFS
Device\Harddisk1\Partition3	97.66 Go  	0x07 NTFS / HPFS
Device\Harddisk1\Partition4	42.14 Go  	0x07 NTFS / HPFS
________________________________________________________________________________

############################### Additional scan ################################

SystemStartOptions : NOEXECUTE=OPTIN  FASTDETECT

________________________________________________________________________________

_______MBR   \Device\Harddisk0\DR0  

0x00000000   33 C0 8E D0 BC 00 7C FB 50 07 50 1F FC BE 1B 7C   3À.м.|ûP.P.ü¾.|
0x00000010   BF 1B 06 50 57 B9 E5 01 F3 A4 CB BD BE 07 B1 04   ¿..PW¹å.ó¤Ë½¾.±.
0x00000020   38 6E 00 7C 09 75 13 83 C5 10 E2 F4 CD 18 8B F5   8n.|.u..Å.âôÍ..õ
0x00000030   83 C6 10 49 74 19 38 2C 74 F6 A0 B5 07 B4 07 8B   .Æ.It.8,tö.µ.´..
0x00000040   F0 AC 3C 00 74 FC BB 07 00 B4 0E CD 10 EB F2 88   ð¬<.tü»..´.Í.ëò.
0x00000050   4E 10 E8 46 00 73 2A FE 46 10 80 7E 04 0B 74 0B   N.èF.s*þF..~..t.
0x00000060   80 7E 04 0C 74 05 A0 B6 07 75 D2 80 46 02 06 83   .~..t..¶.uÒ.F...
0x00000070   46 08 06 83 56 0A 00 E8 21 00 73 05 A0 B6 07 EB   F...V..è!.s..¶.ë
0x00000080   BC 81 3E FE 7D 55 AA 74 0B 80 7E 10 00 74 C8 A0   ¼.>þ}Uªt..~..tÈ.
0x00000090   B7 07 EB A9 8B FC 1E 57 8B F5 CB BF 05 00 8A 56   ·.ë©.ü.W.õË¿...V
0x000000A0   00 B4 08 CD 13 72 23 8A C1 24 3F 98 8A DE 8A FC   .´.Í.r#.Á$?..Þ.ü
0x000000B0   43 F7 E3 8B D1 86 D6 B1 06 D2 EE 42 F7 E2 39 56   C÷ã.Ñ.Ö±.ÒîB÷â9V
0x000000C0   0A 77 23 72 05 39 46 08 73 1C B8 01 02 BB 00 7C   .w#r.9F.s.¸..».|
0x000000D0   8B 4E 02 8B 56 00 CD 13 73 51 4F 74 4E 32 E4 8A   .N..V.Í.sQOtN2ä.
0x000000E0   56 00 CD 13 EB E4 8A 56 00 60 BB AA 55 B4 41 CD   V.Í.ëä.V.`»ªU´AÍ
0x000000F0   13 72 36 81 FB 55 AA 75 30 F6 C1 01 74 2B 61 60   .r6.ûUªu0öÁ.t+a`
0x00000100   6A 00 6A 00 FF 76 0A FF 76 08 6A 00 68 00 7C 6A   j.j..v..v.j.h.|j
0x00000110   01 6A 10 B4 42 8B F4 CD 13 61 61 73 0E 4F 74 0B   .j.´B.ôÍ.aas.Ot.
0x00000120   32 E4 8A 56 00 CD 13 EB D6 61 F9 C3 4E 65 70 6C   2ä.V.Í.ëÖaùÃNepl
0x00000130   61 74 6E A0 20 74 61 62 75 6C 6B 61 20 6F 64 64   atn. tabulka odd
0x00000140   A1 6C 85 00 43 68 79 62 61 20 70 FD 69 20 6E 61   ¡l..Chyba pýi na
0x00000150   9F A1 74 A0 6E A1 20 6F 70 65 72 61 9F 6E A1 68   .¡t.n¡ opera.n¡h
0x00000160   6F 20 73 79 73 74 82 6D 75 00 4F 70 65 72 61 9F   o syst.mu.Opera.
0x00000170   6E A1 20 73 79 73 74 82 6D 20 6E 65 6E 61 6C 65   n¡ syst.m nenale
0x00000180   7A 65 6E 00 00 00 00 00 00 00 00 00 00 00 00 00   zen.............
0x00000190   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x000001A0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x000001B0   00 00 00 00 00 2C 44 6A 4C 06 3D 8C 00 00 80 01   .....,DjL.=.....
0x000001C0   01 00 07 FE FF FF 3F 00 00 00 EC ED E1 04 00 FE   ...þ..?...ìíá..þ
0x000001D0   FF FF 07 FE FF FF 2B EE E1 04 CF 79 9C 1A 00 FE   ...þ..+îá.Ïy...þ
0x000001E0   FF FF 07 FE FF FF FA 67 7E 1F 47 E4 B9 1A 00 00   ...þ..úg~.Gä¹...
0x000001F0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 AA   ..............Uª

__________________________16_BIT_ASM_CODE
   
0x0000    33c0            XOR AX, AX   
0x0002    8ed0            MOV SS, AX   
0x0004    bc 007c         MOV SP, 0x7c00   
0x0007    fb              STI   
0x0008    50              PUSH AX   
0x0009    07              POP ES   
0x000A    50              PUSH AX   
0x000B    1f              POP DS   
0x000C    fc              CLD   
0x000D    be 1b7c         MOV SI, 0x7c1b   
0x0010    bf 1b06         MOV DI, 0x61b   
0x0013    50              PUSH AX   
0x0014    57              PUSH DI   
0x0015    b9 e501         MOV CX, 0x1e5   
0x0018    f3 a4           REP MOVSB   
0x001A    cb              RETF   
0x001B    bd be07         MOV BP, 0x7be   
0x001E    b1 04           MOV CL, 0x4   
0x0020    386e 00         CMP [BP+0x0], CH   
0x0023    7c 09           JL 0x2e   
0x0025    75 13           JNZ 0x3a   
0x0027    83c5 10         ADD BP, 0x10   
0x002A    e2 f4           LOOP 0x20   
0x002C    cd 18           INT 0x18   
0x002E    8bf5            MOV SI, BP   
0x0030    83c6 10         ADD SI, 0x10   
0x0033    49              DEC CX   
0x0034    74 19           JZ 0x4f   
0x0036    382c            CMP [SI], CH   
0x0038    74 f6           JZ 0x30   
0x003A    a0 b507         MOV AL, [0x7b5]   
0x003D    b4 07           MOV AH, 0x7   
0x003F    8bf0            MOV SI, AX   
0x0041    ac              LODSB   
0x0042    3c 00           CMP AL, 0x0   
0x0044    74 fc           JZ 0x42   
0x0046    bb 0700         MOV BX, 0x7   
0x0049    b4 0e           MOV AH, 0xe   
0x004B    cd 10           INT 0x10   
0x004D    eb f2           JMP 0x41   
0x004F    884e 10         MOV [BP+0x10], CL   
0x0052    e8 4600         CALL 0x9b   
0x0055    73 2a           JAE 0x81   
0x0057    fe46 10         INC BYTE [BP+0x10]   
0x005A    807e 04 0b      CMP BYTE [BP+0x4], 0xb   
0x005E    74 0b           JZ 0x6b   
0x0060    807e 04 0c      CMP BYTE [BP+0x4], 0xc   
0x0064    74 05           JZ 0x6b   
0x0066    a0 b607         MOV AL, [0x7b6]   
0x0069    75 d2           JNZ 0x3d   
0x006B    8046 02 06      ADD BYTE [BP+0x2], 0x6   
0x006F    8346 08 06      ADD WORD [BP+0x8], 0x6   
0x0073    8356 0a 00      ADC WORD [BP+0xa], 0x0   
0x0077    e8 2100         CALL 0x9b   
0x007A    73 05           JAE 0x81   
0x007C    a0 b607         MOV AL, [0x7b6]   
0x007F    eb bc           JMP 0x3d   
0x0081    813e fe7d 55aa  CMP WORD [0x7dfe], 0xaa55   
0x0087    74 0b           JZ 0x94   
0x0089    807e 10 00      CMP BYTE [BP+0x10], 0x0   
0x008D    74 c8           JZ 0x57   
0x008F    a0 b707         MOV AL, [0x7b7]   
0x0092    eb a9           JMP 0x3d   
0x0094    8bfc            MOV DI, SP   
0x0096    1e              PUSH DS   
0x0097    57              PUSH DI   
0x0098    8bf5            MOV SI, BP   
0x009A    cb              RETF   
0x009B    bf 0500         MOV DI, 0x5   
0x009E    8a56 00         MOV DL, [BP+0x0]   
0x00A1    b4 08           MOV AH, 0x8   
0x00A3    cd 13           INT 0x13   
0x00A5    72 23           JB 0xca   
0x00A7    8ac1            MOV AL, CL   
0x00A9    24 3f           AND AL, 0x3f   
0x00AB    98              CBW   
0x00AC    8ade            MOV BL, DH   
0x00AE    8afc            MOV BH, AH   
0x00B0    43              INC BX   
0x00B1    f7e3            MUL BX   
0x00B3    8bd1            MOV DX, CX   
0x00B5    86d6            XCHG DH, DL   
0x00B7    b1 06           MOV CL, 0x6   
0x00B9    d2ee            SHR DH, CL   
0x00BB    42              INC DX   
0x00BC    f7e2            MUL DX   
0x00BE    3956 0a         CMP [BP+0xa], DX   
0x00C1    77 23           JA 0xe6   
0x00C3    72 05           JB 0xca   
0x00C5    3946 08         CMP [BP+0x8], AX   
0x00C8    73 1c           JAE 0xe6   
0x00CA    b8 0102         MOV AX, 0x201   
0x00CD    bb 007c         MOV BX, 0x7c00   
0x00D0    8b4e 02         MOV CX, [BP+0x2]   
0x00D3    8b56 00         MOV DX, [BP+0x0]   
0x00D6    cd 13           INT 0x13   
0x00D8    73 51           JAE 0x12b   
0x00DA    4f              DEC DI   
0x00DB    74 4e           JZ 0x12b   
0x00DD    32e4            XOR AH, AH   
0x00DF    8a56 00         MOV DL, [BP+0x0]   
0x00E2    cd 13           INT 0x13   
0x00E4    eb e4           JMP 0xca   
0x00E6    8a56 00         MOV DL, [BP+0x0]   
0x00E9    60              PUSHA   
0x00EA    bb aa55         MOV BX, 0x55aa   
0x00ED    b4 41           MOV AH, 0x41   
0x00EF    cd 13           INT 0x13   
0x00F1    72 36           JB 0x129   
0x00F3    81fb 55aa       CMP BX, 0xaa55   
0x00F7    75 30           JNZ 0x129   
0x00F9    f6c1 01         TEST CL, 0x1   
0x00FC    74 2b           JZ 0x129   
0x00FE    61              POPA   
0x00FF    60              PUSHA   
0x0100    6a 00           PUSH 0x0   
0x0102    6a 00           PUSH 0x0   
0x0104    ff76 0a         PUSH WORD [BP+0xa]   
0x0107    ff76 08         PUSH WORD [BP+0x8]   
0x010A    6a 00           PUSH 0x0   
0x010C    68 007c         PUSH 0x7c00   
0x010F    6a 01           PUSH 0x1   
0x0111    6a 10           PUSH 0x10   
0x0113    b4 42           MOV AH, 0x42   
0x0115    8bf4            MOV SI, SP   
0x0117    cd 13           INT 0x13   
0x0119    61              POPA   
0x011A    61              POPA   
0x011B    73 0e           JAE 0x12b   
0x011D    4f              DEC DI   
0x011E    74 0b           JZ 0x12b   
0x0120    32e4            XOR AH, AH   
0x0122    8a56 00         MOV DL, [BP+0x0]   
0x0125    cd 13           INT 0x13   
0x0127    eb d6           JMP 0xff   
0x0129    61              POPA   
0x012A    f9              STC   
0x012B    c3              RET   
0x012C    4e              DEC SI   
0x012D    65              DB 0x65   
0x012D    65 70 6c        JO 0x19c   
0x0130    61              POPA   
0x0131    74 6e           JZ 0x1a1   
0x0133    a0 2074         MOV AL, [0x7420]   
0x0136    61              POPA   
0x0137    6275 6c         BOUND SI, [DI+0x6c]   
0x013A    6b61 20 6f      IMUL SP, [BX+DI+0x20], 0x6f   
0x013E    64              DB 0x64   
0x013F    64 a1 6c85      MOV AX, FS:[0x856c]   
0x0143    0043 68         ADD [BP+DI+0x68], AL   
0x0146    79 62           JNS 0x1aa   
0x0148    61              POPA   
0x0149    2070 fd         AND [BX+SI-0x3], DH   
0x014C    6920 6e61       IMUL SP, [BX+SI], 0x616e   
0x0150    9f              LAHF   
0x0151    a1 74a0         MOV AX, [0xa074]   
0x0154    6e              OUTSB   
0x0155    a1 206f         MOV AX, [0x6f20]   
0x0158    70 65           JO 0x1bf   
0x015A    72 61           JB 0x1bd   
0x015C    9f              LAHF   
0x015D    6e              OUTSB   
0x015E    a1 686f         MOV AX, [0x6f68]   
0x0161    2073 79         AND [BP+DI+0x79], DH   
0x0164    73 74           JAE 0x1da   
0x0166    826d 75 00      SUB BYTE [DI+0x75], 0x0   
0x016A    4f              DEC DI   
0x016B    70 65           JO 0x1d2   
0x016D    72 61           JB 0x1d0   
0x016F    9f              LAHF   
0x0170    6e              OUTSB   
0x0171    a1 2073         MOV AX, [0x7320]   
0x0174    79 73           JNS 0x1e9   
0x0176    74 82           JZ 0xfa   
0x0178    6d              INSW   
0x0179    206e 65         AND [BP+0x65], CH   
0x017C    6e              OUTSB   
0x017D    61              POPA   
0x017E    6c              INSB   
0x017F    65              DB 0x65   
0x017F    65 7a 65        JP 0x1e7   
0x0182    6e              OUTSB   
0x0183    0000            ADD [BX+SI], AL   
0x0185    0000            ADD [BX+SI], AL   
0x0187    0000            ADD [BX+SI], AL   
0x0189    0000            ADD [BX+SI], AL   
0x018B    0000            ADD [BX+SI], AL   
0x018D    0000            ADD [BX+SI], AL   
0x018F    0000            ADD [BX+SI], AL   
0x0191    0000            ADD [BX+SI], AL   
0x0193    0000            ADD [BX+SI], AL   
0x0195    0000            ADD [BX+SI], AL   
0x0197    0000            ADD [BX+SI], AL   
0x0199    0000            ADD [BX+SI], AL   
0x019B    0000            ADD [BX+SI], AL   
0x019D    0000            ADD [BX+SI], AL   
0x019F    0000            ADD [BX+SI], AL   
0x01A1    0000            ADD [BX+SI], AL   
0x01A3    0000            ADD [BX+SI], AL   
0x01A5    0000            ADD [BX+SI], AL   
0x01A7    0000            ADD [BX+SI], AL   
0x01A9    0000            ADD [BX+SI], AL   
0x01AB    0000            ADD [BX+SI], AL   
0x01AD    0000            ADD [BX+SI], AL   
0x01AF    0000            ADD [BX+SI], AL   
0x01B1    0000            ADD [BX+SI], AL   
0x01B3    0000            ADD [BX+SI], AL   
0x01B5    2c 44           SUB AL, 0x44   
0x01B7    6a 4c           PUSH 0x4c   
0x01B9    06              PUSH ES   
0x01BA    3d 8c00         CMP AX, 0x8c   
0x01BD    0080 0101       ADD [BX+SI+0x101], AL   
0x01C1    0007            ADD [BX], AL   
0x01C3    fe              DB 0xfe   
0x01C4    ff              DB 0xff   
0x01C5    ff              DB 0xff   
0x01C6    3f              AAS   
0x01C7    0000            ADD [BX+SI], AL   
0x01C9    00ec            ADD AH, CH   
0x01CB    ed              IN AX, DX   
0x01CC    e1 04           LOOPZ 0x1d2   
0x01CE    00fe            ADD DH, BH   
0x01D0    ff              DB 0xff   
0x01D1    ff07            INC WORD [BX]   
0x01D3    fe              DB 0xfe   
0x01D4    ff              DB 0xff   
0x01D5    ff2b            JMP FAR WORD [BP+DI]   
0x01D7    ee              OUT DX, AL   
0x01D8    e1 04           LOOPZ 0x1de   
0x01DA    cf              IRET   
0x01DB    79 9c           JNS 0x179   
0x01DD    1a00            SBB AL, [BX+SI]   
0x01DF    fe              DB 0xfe   
0x01E0    ff              DB 0xff   
0x01E1    ff07            INC WORD [BX]   
0x01E3    fe              DB 0xfe   
0x01E4    ff              DB 0xff   
0x01E5    ff              DB 0xff   
0x01E6    fa              CLI   
0x01E7    67              DB 0x67   
0x01E7    67 7e 1f        JLE 0x209   
0x01EA    47              INC DI   
0x01EB    e4 b9           IN AL, 0xb9   
0x01ED    1a00            SBB AL, [BX+SI]   
0x01EF    0000            ADD [BX+SI], AL   
0x01F1    0000            ADD [BX+SI], AL   
0x01F3    0000            ADD [BX+SI], AL   
0x01F5    0000            ADD [BX+SI], AL   
0x01F7    0000            ADD [BX+SI], AL   
0x01F9    0000            ADD [BX+SI], AL   
0x01FB    0000            ADD [BX+SI], AL   
0x01FD    0055 aa         ADD [DI-0x56], DL   


_______MBR   \Device\Harddisk1\DR1  

0x00000000   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x00000010   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x00000020   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x00000030   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x00000040   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x00000050   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x00000060   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x00000070   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x00000080   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x00000090   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x000000A0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x000000B0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x000000C0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x000000D0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x000000E0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x000000F0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x00000100   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x00000110   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x00000120   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x00000130   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x00000140   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x00000150   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x00000160   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x00000170   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x00000180   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x00000190   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x000001A0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x000001B0   00 00 00 00 00 00 00 00 5B 74 E1 FA 00 00 00 00   ........[táú....
0x000001C0   01 01 0F FE FF FF C1 3E 00 00 80 6E EE 22 00 00   ...þ..Á>...nî"..
0x000001D0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x000001E0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x000001F0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 AA   ..............Uª

__________________________16_BIT_ASM_CODE
   
0x0000    0000            ADD [BX+SI], AL   
0x0002    0000            ADD [BX+SI], AL   
0x0004    0000            ADD [BX+SI], AL   
0x0006    0000            ADD [BX+SI], AL   
0x0008    0000            ADD [BX+SI], AL   
0x000A    0000            ADD [BX+SI], AL   
0x000C    0000            ADD [BX+SI], AL   
0x000E    0000            ADD [BX+SI], AL   
0x0010    0000            ADD [BX+SI], AL   
0x0012    0000            ADD [BX+SI], AL   
0x0014    0000            ADD [BX+SI], AL   
0x0016    0000            ADD [BX+SI], AL   
0x0018    0000            ADD [BX+SI], AL   
0x001A    0000            ADD [BX+SI], AL   
0x001C    0000            ADD [BX+SI], AL   
0x001E    0000            ADD [BX+SI], AL   
0x0020    0000            ADD [BX+SI], AL   
0x0022    0000            ADD [BX+SI], AL   
0x0024    0000            ADD [BX+SI], AL   
0x0026    0000            ADD [BX+SI], AL   
0x0028    0000            ADD [BX+SI], AL   
0x002A    0000            ADD [BX+SI], AL   
0x002C    0000            ADD [BX+SI], AL   
0x002E    0000            ADD [BX+SI], AL   
0x0030    0000            ADD [BX+SI], AL   
0x0032    0000            ADD [BX+SI], AL   
0x0034    0000            ADD [BX+SI], AL   
0x0036    0000            ADD [BX+SI], AL   
0x0038    0000            ADD [BX+SI], AL   
0x003A    0000            ADD [BX+SI], AL   
0x003C    0000            ADD [BX+SI], AL   
0x003E    0000            ADD [BX+SI], AL   
0x0040    0000            ADD [BX+SI], AL   
0x0042    0000            ADD [BX+SI], AL   
0x0044    0000            ADD [BX+SI], AL   
0x0046    0000            ADD [BX+SI], AL   
0x0048    0000            ADD [BX+SI], AL   
0x004A    0000            ADD [BX+SI], AL   
0x004C    0000            ADD [BX+SI], AL   
0x004E    0000            ADD [BX+SI], AL   
0x0050    0000            ADD [BX+SI], AL   
0x0052    0000            ADD [BX+SI], AL   
0x0054    0000            ADD [BX+SI], AL   
0x0056    0000            ADD [BX+SI], AL   
0x0058    0000            ADD [BX+SI], AL   
0x005A    0000            ADD [BX+SI], AL   
0x005C    0000            ADD [BX+SI], AL   
0x005E    0000            ADD [BX+SI], AL   
0x0060    0000            ADD [BX+SI], AL   
0x0062    0000            ADD [BX+SI], AL   
0x0064    0000            ADD [BX+SI], AL   
0x0066    0000            ADD [BX+SI], AL   
0x0068    0000            ADD [BX+SI], AL   
0x006A    0000            ADD [BX+SI], AL   
0x006C    0000            ADD [BX+SI], AL   
0x006E    0000            ADD [BX+SI], AL   
0x0070    0000            ADD [BX+SI], AL   
0x0072    0000            ADD [BX+SI], AL   
0x0074    0000            ADD [BX+SI], AL   
0x0076    0000            ADD [BX+SI], AL   
0x0078    0000            ADD [BX+SI], AL   
0x007A    0000            ADD [BX+SI], AL   
0x007C    0000            ADD [BX+SI], AL   
0x007E    0000            ADD [BX+SI], AL   
0x0080    0000            ADD [BX+SI], AL   
0x0082    0000            ADD [BX+SI], AL   
0x0084    0000            ADD [BX+SI], AL   
0x0086    0000            ADD [BX+SI], AL   
0x0088    0000            ADD [BX+SI], AL   
0x008A    0000            ADD [BX+SI], AL   
0x008C    0000            ADD [BX+SI], AL   
0x008E    0000            ADD [BX+SI], AL   
0x0090    0000            ADD [BX+SI], AL   
0x0092    0000            ADD [BX+SI], AL   
0x0094    0000            ADD [BX+SI], AL   
0x0096    0000            ADD [BX+SI], AL   
0x0098    0000            ADD [BX+SI], AL   
0x009A    0000            ADD [BX+SI], AL   
0x009C    0000            ADD [BX+SI], AL   
0x009E    0000            ADD [BX+SI], AL   
0x00A0    0000            ADD [BX+SI], AL   
0x00A2    0000            ADD [BX+SI], AL   
0x00A4    0000            ADD [BX+SI], AL   
0x00A6    0000            ADD [BX+SI], AL   
0x00A8    0000            ADD [BX+SI], AL   
0x00AA    0000            ADD [BX+SI], AL   
0x00AC    0000            ADD [BX+SI], AL   
0x00AE    0000            ADD [BX+SI], AL   
0x00B0    0000            ADD [BX+SI], AL   
0x00B2    0000            ADD [BX+SI], AL   
0x00B4    0000            ADD [BX+SI], AL   
0x00B6    0000            ADD [BX+SI], AL   
0x00B8    0000            ADD [BX+SI], AL   
0x00BA    0000            ADD [BX+SI], AL   
0x00BC    0000            ADD [BX+SI], AL   
0x00BE    0000            ADD [BX+SI], AL   
0x00C0    0000            ADD [BX+SI], AL   
0x00C2    0000            ADD [BX+SI], AL   
0x00C4    0000            ADD [BX+SI], AL   
0x00C6    0000            ADD [BX+SI], AL   
0x00C8    0000            ADD [BX+SI], AL   
0x00CA    0000            ADD [BX+SI], AL   
0x00CC    0000            ADD [BX+SI], AL   
0x00CE    0000            ADD [BX+SI], AL   
0x00D0    0000            ADD [BX+SI], AL   
0x00D2    0000            ADD [BX+SI], AL   
0x00D4    0000            ADD [BX+SI], AL   
0x00D6    0000            ADD [BX+SI], AL   
0x00D8    0000            ADD [BX+SI], AL   
0x00DA    0000            ADD [BX+SI], AL   
0x00DC    0000            ADD [BX+SI], AL   
0x00DE    0000            ADD [BX+SI], AL   
0x00E0    0000            ADD [BX+SI], AL   
0x00E2    0000            ADD [BX+SI], AL   
0x00E4    0000            ADD [BX+SI], AL   
0x00E6    0000            ADD [BX+SI], AL   
0x00E8    0000            ADD [BX+SI], AL   
0x00EA    0000            ADD [BX+SI], AL   
0x00EC    0000            ADD [BX+SI], AL   
0x00EE    0000            ADD [BX+SI], AL   
0x00F0    0000            ADD [BX+SI], AL   
0x00F2    0000            ADD [BX+SI], AL   
0x00F4    0000            ADD [BX+SI], AL   
0x00F6    0000            ADD [BX+SI], AL   
0x00F8    0000            ADD [BX+SI], AL   
0x00FA    0000            ADD [BX+SI], AL   
0x00FC    0000            ADD [BX+SI], AL   
0x00FE    0000            ADD [BX+SI], AL   
0x0100    0000            ADD [BX+SI], AL   
0x0102    0000            ADD [BX+SI], AL   
0x0104    0000            ADD [BX+SI], AL   
0x0106    0000            ADD [BX+SI], AL   
0x0108    0000            ADD [BX+SI], AL   
0x010A    0000            ADD [BX+SI], AL   
0x010C    0000            ADD [BX+SI], AL   
0x010E    0000            ADD [BX+SI], AL   
0x0110    0000            ADD [BX+SI], AL   
0x0112    0000            ADD [BX+SI], AL   
0x0114    0000            ADD [BX+SI], AL   
0x0116    0000            ADD [BX+SI], AL   
0x0118    0000            ADD [BX+SI], AL   
0x011A    0000            ADD [BX+SI], AL   
0x011C    0000            ADD [BX+SI], AL   
0x011E    0000            ADD [BX+SI], AL   
0x0120    0000            ADD [BX+SI], AL   
0x0122    0000            ADD [BX+SI], AL   
0x0124    0000            ADD [BX+SI], AL   
0x0126    0000            ADD [BX+SI], AL   
0x0128    0000            ADD [BX+SI], AL   
0x012A    0000            ADD [BX+SI], AL   
0x012C    0000            ADD [BX+SI], AL   
0x012E    0000            ADD [BX+SI], AL   
0x0130    0000            ADD [BX+SI], AL   
0x0132    0000            ADD [BX+SI], AL   
0x0134    0000            ADD [BX+SI], AL   
0x0136    0000            ADD [BX+SI], AL   
0x0138    0000            ADD [BX+SI], AL   
0x013A    0000            ADD [BX+SI], AL   
0x013C    0000            ADD [BX+SI], AL   
0x013E    0000            ADD [BX+SI], AL   
0x0140    0000            ADD [BX+SI], AL   
0x0142    0000            ADD [BX+SI], AL   
0x0144    0000            ADD [BX+SI], AL   
0x0146    0000            ADD [BX+SI], AL   
0x0148    0000            ADD [BX+SI], AL   
0x014A    0000            ADD [BX+SI], AL   
0x014C    0000            ADD [BX+SI], AL   
0x014E    0000            ADD [BX+SI], AL   
0x0150    0000            ADD [BX+SI], AL   
0x0152    0000            ADD [BX+SI], AL   
0x0154    0000            ADD [BX+SI], AL   
0x0156    0000            ADD [BX+SI], AL   
0x0158    0000            ADD [BX+SI], AL   
0x015A    0000            ADD [BX+SI], AL   
0x015C    0000            ADD [BX+SI], AL   
0x015E    0000            ADD [BX+SI], AL   
0x0160    0000            ADD [BX+SI], AL   
0x0162    0000            ADD [BX+SI], AL   
0x0164    0000            ADD [BX+SI], AL   
0x0166    0000            ADD [BX+SI], AL   
0x0168    0000            ADD [BX+SI], AL   
0x016A    0000            ADD [BX+SI], AL   
0x016C    0000            ADD [BX+SI], AL   
0x016E    0000            ADD [BX+SI], AL   
0x0170    0000            ADD [BX+SI], AL   
0x0172    0000            ADD [BX+SI], AL   
0x0174    0000            ADD [BX+SI], AL   
0x0176    0000            ADD [BX+SI], AL   
0x0178    0000            ADD [BX+SI], AL   
0x017A    0000            ADD [BX+SI], AL   
0x017C    0000            ADD [BX+SI], AL   
0x017E    0000            ADD [BX+SI], AL   
0x0180    0000            ADD [BX+SI], AL   
0x0182    0000            ADD [BX+SI], AL   
0x0184    0000            ADD [BX+SI], AL   
0x0186    0000            ADD [BX+SI], AL   
0x0188    0000            ADD [BX+SI], AL   
0x018A    0000            ADD [BX+SI], AL   
0x018C    0000            ADD [BX+SI], AL   
0x018E    0000            ADD [BX+SI], AL   
0x0190    0000            ADD [BX+SI], AL   
0x0192    0000            ADD [BX+SI], AL   
0x0194    0000            ADD [BX+SI], AL   
0x0196    0000            ADD [BX+SI], AL   
0x0198    0000            ADD [BX+SI], AL   
0x019A    0000            ADD [BX+SI], AL   
0x019C    0000            ADD [BX+SI], AL   
0x019E    0000            ADD [BX+SI], AL   
0x01A0    0000            ADD [BX+SI], AL   
0x01A2    0000            ADD [BX+SI], AL   
0x01A4    0000            ADD [BX+SI], AL   
0x01A6    0000            ADD [BX+SI], AL   
0x01A8    0000            ADD [BX+SI], AL   
0x01AA    0000            ADD [BX+SI], AL   
0x01AC    0000            ADD [BX+SI], AL   
0x01AE    0000            ADD [BX+SI], AL   
0x01B0    0000            ADD [BX+SI], AL   
0x01B2    0000            ADD [BX+SI], AL   
0x01B4    0000            ADD [BX+SI], AL   
0x01B6    0000            ADD [BX+SI], AL   
0x01B8    5b              POP BX   
0x01B9    74 e1           JZ 0x19c   
0x01BB    fa              CLI   
0x01BC    0000            ADD [BX+SI], AL   
0x01BE    0000            ADD [BX+SI], AL   
0x01C0    0101            ADD [BX+DI], AX   
0x01C2    0ffeff          PADDD MM7, MM7   
0x01C5    ffc1            INC CX   
0x01C7    3e 0000         ADD DS:[BX+SI], AL   
0x01CA    806e ee 22      SUB BYTE [BP-0x12], 0x22   
0x01CE    0000            ADD [BX+SI], AL   
0x01D0    0000            ADD [BX+SI], AL   
0x01D2    0000            ADD [BX+SI], AL   
0x01D4    0000            ADD [BX+SI], AL   
0x01D6    0000            ADD [BX+SI], AL   
0x01D8    0000            ADD [BX+SI], AL   
0x01DA    0000            ADD [BX+SI], AL   
0x01DC    0000            ADD [BX+SI], AL   
0x01DE    0000            ADD [BX+SI], AL   
0x01E0    0000            ADD [BX+SI], AL   
0x01E2    0000            ADD [BX+SI], AL   
0x01E4    0000            ADD [BX+SI], AL   
0x01E6    0000            ADD [BX+SI], AL   
0x01E8    0000            ADD [BX+SI], AL   
0x01EA    0000            ADD [BX+SI], AL   
0x01EC    0000            ADD [BX+SI], AL   
0x01EE    0000            ADD [BX+SI], AL   
0x01F0    0000            ADD [BX+SI], AL   
0x01F2    0000            ADD [BX+SI], AL   
0x01F4    0000            ADD [BX+SI], AL   
0x01F6    0000            ADD [BX+SI], AL   
0x01F8    0000            ADD [BX+SI], AL   
0x01FA    0000            ADD [BX+SI], AL   
0x01FC    0000            ADD [BX+SI], AL   
0x01FE    55              PUSH BP   
0x01FF    aa              STOSB

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2012-06-03 21:29:13
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4 WDC_WD5000AAKB-00H8A0 rev.05.04E05
Running: gmer.exe; Driver: C:\DOCUME~1\Honza\LOCALS~1\Temp\pxlyrpow.sys


---- System - GMER 1.0.15 ----

SSDT spwe.sys ZwEnumerateKey [0xF772CCA2]
SSDT spwe.sys ZwEnumerateValueKey [0xF772D030]

---- Devices - GMER 1.0.15 ----

Device \Driver\atapi \Device\Ide\IdePort0 [F7662B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 [F7662B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort1 [F7662B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c [F7662B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 [F7662B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 [F7662B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\a7iqn4ev \Device\Scsi\a7iqn4ev1 864771F8
Device \Driver\a7iqn4ev \Device\Scsi\a7iqn4ev1Port2Path0Target0Lun0 864771F8
Device \FileSystem\Ntfs \Ntfs 867D81F8

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\Tcpip \Device\Ip epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\Udp epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\RawIp epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)

---- EOF - GMER 1.0.15 ----



Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD5000AAKB-00H8A0 rev.05.04E05 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys spwe.sys >>UNKNOWN [0x8678D938]<<
spwe.sys
_asm { PUSH EBP; MOV EBP, ESP; JMP 0xfffffffff9d84afe; }
1 nt!IofCallDriver[0x804E37C5] -> \Device\Harddisk0\DR0[0x86733AB8]
3 CLASSPNP[0xF788EFD7] -> nt!IofCallDriver[0x804E37C5] -> \Device\0000005d[0x86729F18]
5 ACPI[0xF76CD620] -> nt!IofCallDriver[0x804E37C5] -> \Device\Ide\IdeDeviceP0T0L0-4[0x8673FD98]
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
user & kernel MBR OK
Nahoru
Dr.Honza
Návštěvník
Návštěvník
Příspěvky: 28
Registrován: 20 zář 2006 22:40

Re: Backdoor.Win32.Sinowal i po placeném odvirování

#10 Příspěvek od Dr.Honza »

Pravda. ...0 sektor HDD0 jsi zkontroloval a OK, následovalo fixnutí 0 sektoru HDD1 a dvou koncových sektorů (kde se nacházely pravděpodobně dle logů zbytky viru). TDSSKiller ani ESET už nákazu nehlásí, v předchozím komentáři jsem dával aktuální logy programů po tomto po fixnutí. Přikládám screenshot Partition magicu - zásah technika mi vyrobil před diskem F: Unallocated oddíl 7,8MB ...to místo nepotřebuji, pokud nepředstavuje riziko klidně to nechám...
Přílohy
Screenshoty Partitionmagic.zip
(66.79 KiB) Staženo 21 x
Nahoru
Dr.Honza
Návštěvník
Návštěvník
Příspěvky: 28
Registrován: 20 zář 2006 22:40

Re: Backdoor.Win32.Sinowal i po placeném odvirování

#11 Příspěvek od Dr.Honza »

To jsem rád, děkuji.
1. Tímto je předpokládám můj problém Sinoval uzavřen.
2. Jak mám zajistit abych vir nechytl znova ze svých flashdisků a externího disku?
Stačí kontrola/odvirování ESET 5 (Kaspersky), nebo mám raději fixnout 0 sektor ext. disku?
3. Doporučujete ke koupi spíše ESET 5 nebo Kaspersky Internet Security 2012?
Nahoru
Dr.Honza
Návštěvník
Návštěvník
Příspěvky: 28
Registrován: 20 zář 2006 22:40

Re: Backdoor.Win32.Sinowal i po placeném odvirování

#12 Příspěvek od Dr.Honza »

Omlouvám se za zpoždění, nebyl jsem tu. Děkuji moc za pomoc a řešení mého problému se Sinovalem.

Otestoval jsem svá přenosná zařízení a vše OK.

Před chvílí mi ale vznikl ještě jeden problém - Postupoval jsem přesně dle návodu a fixnul 0 sektor přenosného disku v HxD (udělal si zálohu nultého). Bohužel po fixnutí Win hlásí disk jako nenaformátovaný a HxD ho vůbec nenačte abych vrátil původní hodnoty co mám uložené jako zálohu, v čem se do nultého sektoru můžu znovu dostat a vrátit ho do původního tvaru? Děkuji.
Nahoru
Dr.Honza
Návštěvník
Návštěvník
Příspěvky: 28
Registrován: 20 zář 2006 22:40

Re: Backdoor.Win32.Sinowal i po placeném odvirování

#13 Příspěvek od Dr.Honza »

Tak se mi disk podařilo načíst jako Harddisk 3 - nenaformátovaný, a zkopíroval jsem sektor 0 do původního (odzálohovaného) stavu. Výsledek: disk pro Win není čitelný, v Partition magicu se píše Partition type BAD...
Nahoru
Dr.Honza
Návštěvník
Návštěvník
Příspěvky: 28
Registrován: 20 zář 2006 22:40

Re: Backdoor.Win32.Sinowal i po placeném odvirování

#14 Příspěvek od Dr.Honza »

Záloha 0 sektoru před fixnutím:

Kód: Vybrat vše

 EB 52 90 4E 54 46 53 20 20 20 20 00 02 08 00 00 00 00 00 00 00 F8 00 00 3F 00 FF 00 3F 00 00 00 00 00 00 00 80 00 80 00 81 37 F9 0D 00 00 00 00 00 00 0C 00 00 00 00 00 78 93 DF 00 00 00 00 00 F6 00 00 00 01 00 00 00 85 C8 72 5C DA 72 5C 82 00 00 00 00 FA 33 C0 8E D0 BC 00 7C FB B8 C0 07 8E D8 E8 16 00 B8 00 0D 8E C0 33 DB C6 06 0E 00 10 E8 53 00 68 00 0D 68 6A 02 CB 8A 16 24 00 B4 08 CD 13 73 05 B9 FF FF 8A F1 66 0F B6 C6 40 66 0F B6 D1 80 E2 3F F7 E2 86 CD C0 ED 06 41 66 0F B7 C9 66 F7 E1 66 A3 20 00 C3 B4 41 BB AA 55 8A 16 24 00 CD 13 72 0F 81 FB 55 AA 75 09 F6 C1 01 74 04 FE 06 14 00 C3 66 60 1E 06 66 A1 10 00 66 03 06 1C 00 66 3B 06 20 00 0F 82 3A 00 1E 66 6A 00 66 50 06 53 66 68 10 00 01 00 80 3E 14 00 00 0F 85 0C 00 E8 B3 FF 80 3E 14 00 00 0F 84 61 00 B4 42 8A 16 24 00 16 1F 8B F4 CD 13 66 58 5B 07 66 58 66 58 1F EB 2D 66 33 D2 66 0F B7 0E 18 00 66 F7 F1 FE C2 8A CA 66 8B D0 66 C1 EA 10 F7 36 1A 00 86 D6 8A 16 24 00 8A E8 C0 E4 06 0A CC B8 01 02 CD 13 0F 82 19 00 8C C0 05 20 00 8E C0 66 FF 06 10 00 FF 0E 0E 00 0F 85 6F FF 07 1F 66 61 C3 A0 F8 01 E8 09 00 A0 FB 01 E8 03 00 FB EB FE B4 01 8B F0 AC 3C 00 74 09 B4 0E BB 07 00 CD 10 EB F2 C3 0D 0A 41 20 64 69 73 6B 20 72 65 61 64 20 65 72 72 6F 72 20 6F 63 63 75 72 72 65 64 00 0D 0A 4E 54 4C 44 52 20 69 73 20 6D 69 73 73 69 6E 67 00 0D 0A 4E 54 4C 44 52 20 69 73 20 63 6F 6D 70 72 65 73 73 65 64 00 0D 0A 50 72 65 73 73 20 43 74 72 6C 2B 41 6C 74 2B 44 65 6C 20 74 6F 20 72 65 73 74 61 72 74 0D 0A 00 00 00 00 00 00 00 00 00 00 00 00 00 00 83 A0 B3 C9 00 00 55 AA

Současný stav 0 sektoru:

Kód: Vybrat vše

  EB 52 90 4E 54 46 53 20 20 20 20 00 02 08 00 00 00 00 00 00 00 F8 00 00 3F 00 FF 00 3F 00 00 00 00 00 00 00 80 00 80 00 81 37 F9 0D 00 00 00 00 00 00 0C 00 00 00 00 00 78 93 DF 00 00 00 00 00 F6 00 00 00 01 00 00 00 85 C8 72 5C DA 72 5C 82 00 00 00 00 FA 33 C0 8E D0 BC 00 7C FB B8 C0 07 8E D8 E8 16 00 B8 00 0D 8E C0 33 DB C6 06 0E 00 10 E8 53 00 68 00 0D 68 6A 02 CB 8A 16 24 00 B4 08 CD 13 73 05 B9 FF FF 8A F1 66 0F B6 C6 40 66 0F B6 D1 80 E2 3F F7 E2 86 CD C0 ED 06 41 66 0F B7 C9 66 F7 E1 66 A3 20 00 C3 B4 41 BB AA 55 8A 16 24 00 CD 13 72 0F 81 FB 55 AA 75 09 F6 C1 01 74 04 FE 06 14 00 C3 66 60 1E 06 66 A1 10 00 66 03 06 1C 00 66 3B 06 20 00 0F 82 3A 00 1E 66 6A 00 66 50 06 53 66 68 10 00 01 00 80 3E 14 00 00 0F 85 0C 00 E8 B3 FF 80 3E 14 00 00 0F 84 61 00 B4 42 8A 16 24 00 16 1F 8B F4 CD 13 66 58 5B 07 66 58 66 58 1F EB 2D 66 33 D2 66 0F B7 0E 18 00 66 F7 F1 FE C2 8A CA 66 8B D0 66 C1 EA 10 F7 36 1A 00 86 D6 8A 16 24 00 8A E8 C0 E4 06 0A CC B8 01 02 CD 13 0F 82 19 00 8C C0 05 20 00 8E C0 66 FF 06 10 00 FF 0E 0E 00 0F 85 6F FF 07 1F 66 61 C3 A0 F8 01 E8 09 00 A0 FB 01 E8 03 00 FB EB FE B4 01 8B F0 AC 3C 00 74 09 B4 0E BB 07 00 CD 10 EB F2 C3 0D 0A 41 20 64 69 73 6B 20 72 65 61 64 20 65 72 72 6F 72 20 6F 63 63 75 72 72 65 64 00 0D 0A 4E 54 4C 44 52 20 69 73 20 6D 69 73 73 69 6E 67 00 0D 0A 4E 54 4C 44 52 20 69 73 20 63 6F 6D 70 72 65 73 73 65 64 00 0D 0A 50 72 65 73 73 20 43 74 72 6C 2B 41 6C 74 2B 44 65 6C 20 74 6F 20 72 65 73 74 61 72 74 0D 0A 00 00 00 00 00 00 00 00 00 00 00 00 00 00 83 A0 B3 C9 00 00 55 AA
Disk je SeagateFreeAgent Go 120GB, systém souborů NTFS. Zkoušel jsem nástroje WinXP a
vůbec se nechytají, stejně tak Partitionmagic. Mezitím jsem ale zjistil, že Seagate má docela dobré utility na záchranu dat ze svých zařízení:
Konkrétně Seagate File Recovery mi disk projede a najde soubory (lze i např. prohlížet fotky a tak),
bohužel demo soubory nezkopíruje, ostrá stojí pouhých 99USD. Jejich DiskWizard by prý měl umět vykopírovat data a poté co disk načte tak mi nabízí, že na disku udělá novou partition...
Nahoru
Dr.Honza
Návštěvník
Návštěvník
Příspěvky: 28
Registrován: 20 zář 2006 22:40

Re: Backdoor.Win32.Sinowal i po placeném odvirování

#15 Příspěvek od Dr.Honza »

Je mi mírně řečeno trapno...
Alespoň vím co se stalo, už to vidím. Přikládám screenshot.Můžu poprosit o trochu bližší navigaci v TestDisk?
Přílohy
Screenshot prepis Seagate.jpg
Screenshot prepis Seagate.jpg (114.92 KiB) Zobrazeno 502 x
Nahoru
Odpovědět

Zpět na „Řešení problémů, logy“