"Hej dat file"


Er8ik0


Hi!

I have been hit by a virus or spyware program called "hej", which is a dat file. I ran Norton AntiVirus, and it was able to remove the malicious part of the file. But the file is still there, and when I delete it, it jumps back to its place on the hard drive. I ran Ad-Aware and Microsoft's new antispyware program with the latest updates. But these cannot find the file or remove it. I wonder whether anyone else has been hit by the same file, or has managed to get rid of it. I would appreciate it if someone could help me.

/E

 


We can see whether HijackThis reveals anything.

http://www.spywareinfo.com/~merijn/downloads.html

Run it, scan and save the log (nothing else).

Does Norton still find anything, or is Norton satisfied now?

If it finds something, write in your reply exactly what Norton reports, both the name of the nasty and which file it is in.

In your reply here, attach the log like this:

Press the LOG button in the Reply window

Paste the log

Press the LOG button again

 


Hi Cecilia!

Unfortunately, Norton did not find the file. It is still there on the C drive. But thank you anyway, and it was worth a try.

Erik

 


Produce a log with HijackThis then, and you will get help cleaning up the computer.

 


Hi Cecilia!

A small misunderstanding. Here is the log.

 

[log]Logfile of HijackThis v1.99.1

Scan saved at 20:11:25, on 2005-05-31

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program\Delade filer\Symantec Shared\ccSetMgr.exe

C:\Program\Delade filer\Symantec Shared\SNDSrvc.exe

C:\Program\Delade filer\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\WINDOWS\Explorer.EXE

C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program\Norton AntiVirus\navapsvc.exe

C:\Program\Norton AntiVirus\IWP\NPFMntor.exe

C:\Program\Delade filer\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\Program\Delade filer\Symantec Shared\ccApp.exe

C:\Program\Creative\SBLive\AudioHQ\AHQTB.EXE

C:\Program\ekort\ekort.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program\Bluffstopparen\Bluffstopparen.exe

C:\Program\Mozilla Firefox\firefox.exe

C:\PROGRAM\WINZIP\winzip32.exe

C:\Documents and Settings\Erik\Lokala inställningar\Temp\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.eniro.se/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: e-kort Browser Helper Object - {1C900459-DEEF-4aa9-B260-1EF0F0C70A8D} - C:\WINDOWS\system32\Bhoekort.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\Program\SYMNET~1\SNDMon.exe /Consumer

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [AudioHQ] C:\Program\Creative\SBLive\AudioHQ\AHQTB.EXE

O4 - HKLM\..\Run: [ekort] C:\Program\ekort\ekort.exe /dontopenmycards

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Bluffstopparen.lnk = C:\Program\Bluffstopparen\Bluffstopparen.exe

O9 - Extra button: e-kort - {4C730913-3961-439b-83D5-F4E445520422} - C:\Program\ekort\ekort.exe

O16 - DPF: {0990D180-4226-4530-9777-AB82315505B9} (Installer Class) - http://www.foreningssparbanken.se/betala/ekort/oinstall.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{09722900-6C8E-49B6-BA61-08CF7B17E3FF}: NameServer = 195.129.12.76 195.129.12.83

O17 - HKLM\System\CS1\Services\Tcpip\..\{09722900-6C8E-49B6-BA61-08CF7B17E3FF}: NameServer = 195.129.12.76 195.129.12.83

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccSetMgr.exe

O23 - Service: Norton AntiVirus Auto Protect-tjänst (navapsvc) - Symantec Corporation - C:\Program\Norton AntiVirus\navapsvc.exe

O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program\Norton AntiVirus\IWP\NPFMntor.exe

O23 - Service: SAVScan - Symantec Corporation - C:\Program\Norton AntiVirus\SAVScan.exe

O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\Program\DELADE~1\SYMANT~1\SCRIPT~1\SBServ.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\CCPD-LC\symlcsvc.exe

 

[/log] Hope it tells you something

/Erik

 


No worries.

I see no nasties in that log, provided that you set the IP addresses 195.129.12.76 195.129.12.83 as DNS servers yourself.

"But the file is still there, and when I delete it, it jumps back to its place on the hard drive."

What kind of file is it? Can you write what it is called and which folder it is in?

 


I could not get an answer on whether these two IP addresses go to Universal's (modem connection) DNS servers. They had closed customer support for the day when I tried to call them. At least I know that I have not made any settings myself. As for the file, it is located directly under the C drive, is called "hej", and has the file extension .dat

/Erik

 


Hi!

I have been in contact with support and established that the IP addresses that were in the computer did not go to their DNS servers. As for the file, it contains no info. It is 0 KB. It can be thrown in the Recycle Bin without trouble, but there is just a copy of it that ends up in its original place. There must be another program that keeps putting it there. I will try the other online scanners that you wrote about in the previous post.

/Erik

 


Does the file come back only at restarts, or already before that?

In the latter case, Filemon might show something:

http://www.sysinternals.com/Utilities/Filemon.html

or Process Explorer:

http://www.sysinternals.com/Utilities/ProcessExplorer.html

There are programs that reveal some of what manages to hide from HijackThis. I am not very familiar with them, but we can try and see whether it yields anything.

Here we have Findit:

http://forums.net-integration.net/index.php?act=Attach&type=post&id=142443

Unpack the file and put the contents in a new folder.

Then open this folder and start FindIts.bat.

Let it finish working and then copy the log/result into your reply.

 


Hi!

It does not seem possible to send the "Filemon" log to you. Do you have an e-mail address I can send the file to instead?

/Erik

 


You could see whether you find anything with Hej.dat in the result from Filemon. I have never run it myself, so I do not know what it looks like.

 


This is what I got about Hej.dat with Filemon

[log]149 21:57:50 Bluffstopparen.:1076 OPEN C:\hej.dat SUCCESS Options: OpenIf Access: All

150 21:57:50 Bluffstopparen.:1076 OPEN C:\hej.dat SUCCESS Options: Open Access: All

151 21:57:50 Bluffstopparen.:1076 QUERY INFORMATION C:\hej.dat SUCCESS FileFsVolumeInformation

152 21:57:50 Bluffstopparen.:1076 QUERY INFORMATION C:\hej.dat SUCCESS FileInternalInformation

153 21:57:50 Bluffstopparen.:1076 OPEN C:\ SUCCESS Options: Open Directory Access: All

154 21:57:50 Bluffstopparen.:1076 DIRECTORY C:\ SUCCESS FileBothDirectoryInformation: hej.dat

155 21:57:50 Bluffstopparen.:1076 CLOSE C:\ SUCCESS

156 21:57:50 Bluffstopparen.:1076 QUERY INFORMATION C:\hej.dat SUCCESS Length: 0

157 21:57:50 Bluffstopparen.:1076 CLOSE C:\hej.dat SUCCESS

158 21:57:50 Bluffstopparen.:1076 CLOSE C:\hej.dat SUCCESS

159 21:57:50 csrss.exe:528 OPEN C:\WINDOWS\WinSxS\Policies\x86_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_sv-SE_18ba2679\ NOT FOUND Options: Open Directory Access: All

160 21:57:50 csrss.exe:528 OPEN C:\WINDOWS\Assembly\GAC\Policy.6.0.Microsoft.Windows.Common-Controls\ PATH NOT FOUND Options: Open Directory Access: All

161 21:57:50 csrss.exe:528 QUERY INFORMATION C:\WINDOWS\System32\sv-SE NOT FOUND Attributes: Error

162 21:57:50 csrss.exe:528 QUERY INFORMATION C:\WINDOWS\System32\sv NOT FOUND Attributes: Error

163 21:57:50 csrss.exe:528 QUERY INFORMATION C:\WINDOWS\System32\ SUCCESS Attributes: D

164 21:57:50 csrss.exe:528 QUERY INFORMATION C:\WINDOWS\System32\ SUCCESS Attributes: D

165 21:57:50 csrss.exe:528 QUERY INFORMATION C:\WINDOWS\WinSxS\Manifests\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_sv-SE_5f7b4906.Manifest NOT FOUND Attributes: Error

166 21:57:50 csrss.exe:528 QUERY INFORMATION C:\WINDOWS\assembly\GAC\Microsoft.Windows.Common-Controls\6.0.0.0_sv-SE_6595b64144ccf1df\Microsoft.Windows.Common-Controls.DLL PATH NOT FOUND Attributes: Error

167 21:57:50 csrss.exe:528 OPEN C:\WINDOWS\WinSxS\Policies\x86_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_sv_bc963860\ NOT FOUND Options: Open Directory Access: All

168 21:57:50 csrss.exe:528 OPEN C:\WINDOWS\Assembly\GAC\Policy.6.0.Microsoft.Windows.Common-Controls\ PATH NOT FOUND Options: Open Directory Access: All

169 21:57:50 csrss.exe:528 QUERY INFORMATION C:\WINDOWS\WinSxS\Manifests\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_sv_c48ab0df.Manifest NOT FOUND Attributes: Error

170 21:57:50 csrss.exe:528 QUERY INFORMATION C:\WINDOWS\assembly\GAC\Microsoft.Windows.Common-Controls\6.0.0.0_sv_6595b64144ccf1df\Microsoft.Windows.Common-Controls.DLL PATH NOT FOUND Attributes: Error

171 21:57:50 csrss.exe:528 OPEN C:\WINDOWS\WinSxS\Policies\x86_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775\ SUCCESS Options: Open Directory Access: All

172 21:57:50 csrss.exe:528 DIRECTORY C:\WINDOWS\WinSxS\Policies\x86_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775\ SUCCESS FileBothDirectoryInformation: *.policy

173 21:57:50 csrss.exe:528 DIRECTORY C:\WINDOWS\WinSxS\Policies\x86_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775\ NO MORE FILES FileBothDirectoryInformation

174 21:57:50 csrss.exe:528 CLOSE C:\WINDOWS\WinSxS\Policies\x86_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775\ SUCCESS

175 21:57:50 csrss.exe:528 OPEN C:\WINDOWS\WinSxS\Policies\x86_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775\6.0.2600.2180.Policy SUCCESS Options: Open Sequential Access: All

176 21:57:50 csrss.exe:528 OPEN C:\WINDOWS\WinSxS\Policies\x86_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775\6.0.2600.2180.Policy SUCCESS Options: Open Access: All

177 21:57:50 csrss.exe:528 QUERY INFORMATION C:\WINDOWS\WinSxS\Policies\x86_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775\6.0.2600.2180.Policy SUCCESS FileFsVolumeInformation

178 21:57:50 csrss.exe:528 QUERY INFORMATION C:\WINDOWS\WinSxS\Policies\x86_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775\6.0.2600.2180.Policy SUCCESS FileInternalInformation

179 21:57:50 csrss.exe:528 QUERY INFORMATION C:\WINDOWS\WinSxS\Policies\x86_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775\6.0.2600.2180.Policy SUCCESS Length: 621

180 21:57:50 csrss.exe:528 CLOSE C:\WINDOWS\WinSxS\Policies\x86_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775\6.0.2600.2180.Policy SUCCESS

181 21:57:50 csrss.exe:528 QUERY INFORMATION C:\WINDOWS\WinSxS\Policies\x86_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775\6.0.2600.2180.Policy SUCCESS FileFsVolumeInformation

182 21:57:50 csrss.exe:528 QUERY INFORMATION C:\WINDOWS\WinSxS\Policies\x86_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775\6.0.2600.2180.Policy BUFFER OVERFLOW FileAllInformation

183 21:57:50 csrss.exe:528 READ C:\WINDOWS\WinSxS\Policies\x86_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775\6.0.2600.2180.Policy SUCCESS Offset: 0 Length: 4095

184 21:57:50 csrss.exe:528 READ C:\WINDOWS\WinSxS\Policies\x86_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775\6.0.2600.2180.Policy END OF FILE Offset: 621 Length: 8178

185 21:57:50 csrss.exe:528 CLOSE C:\WINDOWS\WinSxS\Policies\x86_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775\6.0.2600.2180.Policy SUCCESS

186 21:57:50 csrss.exe:528 OPEN C:\WINDOWS\Assembly\GAC\Policy.6.0.Microsoft.Windows.Common-Controls\ PATH NOT FOUND Options: Open Directory Access: All

187 21:57:50 csrss.exe:528 QUERY INFORMATION C:\WINDOWS\WinSxS\Manifests\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9.Manifest SUCCESS Attributes: A

188 21:57:50 csrss.exe:528 QUERY INFORMATION C:\WINDOWS\WinSxS\Manifests\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9.Manifest SUCCESS Attributes: A

189 21:57:50 csrss.exe:528 OPEN C:\WINDOWS\WinSxS\Policies\x86_Policy.6.0.Microsoft.Windows.Common-Controls.mui_6595b64144ccf1df_sv-SE_d9146e66\ NOT FOUND Options: Open Directory Access: All

190 21:57:50 csrss.exe:528 OPEN C:\WINDOWS\Assembly\GAC\Policy.6.0.Microsoft.Windows.Common-Controls.mui\ PATH NOT FOUND Options: Open Directory Access: All

191 21:57:50 csrss.exe:528 QUERY INFORMATION C:\WINDOWS\WinSxS\Manifests\x86_Microsoft.Windows.Common-Controls.mui_6595b64144ccf1df_6.0.2600.2180_sv-SE_f9adb348.Manifest NOT FOUND Attributes: Error

192 21:57:51 csrss.exe:528 QUERY INFORMATION C:\WINDOWS\assembly\GAC\Microsoft.Windows.Common-Controls.mui\6.0.2600.2180_sv-SE_6595b64144ccf1df\Microsoft.Windows.Common-Controls.mui.DLL PATH NOT FOUND Attributes: Error

193 21:57:51 csrss.exe:528 OPEN C:\WINDOWS\WinSxS\Policies\x86_Policy.6.0.Microsoft.Windows.Common-Controls.mui_6595b64144ccf1df_sv_7cf0804d\ NOT FOUND Options: Open Directory Access: All

194 21:57:51 csrss.exe:528 OPEN C:\WINDOWS\Assembly\GAC\Policy.6.0.Microsoft.Windows.Common-Controls.mui\ PATH NOT FOUND Options: Open Directory Access: All

195 21:57:51 csrss.exe:528 QUERY INFORMATION C:\WINDOWS\WinSxS\Manifests\x86_Microsoft.Windows.Common-Controls.mui_6595b64144ccf1df_6.0.2600.2180_sv_5ebd1b21.Manifest NOT FOUND Attributes: Error

196 21:57:51 csrss.exe:528 QUERY INFORMATION C:\WINDOWS\assembly\GAC\Microsoft.Windows.Common-Controls.mui\6.0.2600.2180_sv_6595b64144ccf1df\Microsoft.Windows.Common-Controls.mui.DLL PATH NOT FOUND Attributes: Error

197 21:57:51 csrss.exe:528 OPEN C:\WINDOWS\WinSxS\Manifests\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9.Manifest SUCCESS Options: Open Sequential Access: All

198 21:57:51 csrss.exe:528 OPEN C:\WINDOWS\WinSxS\Manifests\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9.Manifest SUCCESS Options: Open Access: All

199 21:57:51 csrss.exe:528 QUERY INFORMATION C:\WINDOWS\WinSxS\Manifests\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9.Manifest SUCCESS FileFsVolumeInformation

200 21:57:51 csrss.exe:528 QUERY INFORMATION C:\WINDOWS\WinSxS\Manifests\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9.Manifest SUCCESS FileInternalInformation

201 21:57:51 csrss.exe:528 QUERY INFORMATION C:\WINDOWS\WinSxS\Manifests\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9.Manifest SUCCESS Length: 1862

202 21:57:51 csrss.exe:528 CLOSE C:\WINDOWS\WinSxS\Manifests\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9.Manifest SUCCESS

203 21:57:51 csrss.exe:528 READ C:\WINDOWS\WinSxS\Manifests\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9.Manifest SUCCESS Offset: 0 Length: 2

204 21:57:51 csrss.exe:528 CLOSE C:\WINDOWS\WinSxS\Manifests\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9.Manifest SUCCESS

205 21:57:51 csrss.exe:528 OPEN C:\WINDOWS\WinSxS\Manifests\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9.Manifest SUCCESS Options: Open Sequential Access: All

206 21:57:51 csrss.exe:528 OPEN C:\WINDOWS\WinSxS\Manifests\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9.Manifest SUCCESS Options: Open Access: All

207 21:57:51 csrss.exe:528 QUERY INFORMATION C:\WINDOWS\WinSxS\Manifests\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9.Manifest SUCCESS FileFsVolumeInformation

208 21:57:51 csrss.exe:528 QUERY INFORMATION C:\WINDOWS\WinSxS\Manifests\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9.Manifest SUCCESS FileInternalInformation

209 21:57:51 csrss.exe:528 QUERY INFORMATION C:\WINDOWS\WinSxS\Manifests\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9.Manifest SUCCESS Length: 1862

210 21:57:51 csrss.exe:528 CLOSE C:\WINDOWS\WinSxS\Manifests\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9.Manifest SUCCESS

211 21:57:51 csrss.exe:528 QUERY INFORMATION C:\WINDOWS\WinSxS\Manifests\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9.Manifest SUCCESS FileFsVolumeInformation

212 21:57:51 csrss.exe:528 QUERY INFORMATION C:\WINDOWS\WinSxS\Manifests\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9.Manifest BUFFER OVERFLOW FileAllInformation

213 21:57:51 csrss.exe:528 READ C:\WINDOWS\WinSxS\Manifests\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9.Manifest SUCCESS Offset: 0 Length: 4095

214 21:57:51 csrss.exe:528 READ C:\WINDOWS\WinSxS\Manifests\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9.Manifest END OF FILE Offset: 1862 Length: 8178

215 21:57:51 csrss.exe:528 CLOSE C:\WINDOWS\WinSxS\Manifests\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9.Manifest SUCCESS

216 21:57:51 explorer.exe:1308 QUERY INFORMATION C:\Program\Bluffstopparen\Bluffstopparen.exe SUCCESS Attributes: A

217 21:57:51 explorer.exe:1308 OPEN C:\Program\Bluffstopparen\Bluffstopparen.exe SUCCESS Options: Open Access: Execute

218 21:57:51 explorer.exe:1308 OPEN C:\Program\Bluffstopparen\Bluffstopparen.exe SUCCESS Options: Open Access: All

219 21:57:51 explorer.exe:1308 QUERY INFORMATION C:\Program\Bluffstopparen\Bluffstopparen.exe SUCCESS FileFsVolumeInformation

220 21:57:51 explorer.exe:1308 QUERY INFORMATION C:\Program\Bluffstopparen\Bluffstopparen.exe SUCCESS FileInternalInformation

221 21:57:51 explorer.exe:1308 QUERY INFORMATION C:\Program\Bluffstopparen\Bluffstopparen.exe SUCCESS Length: 86016

222 21:57:51 explorer.exe:1308 CLOSE C:\Program\Bluffstopparen\Bluffstopparen.exe SUCCESS

223 21:57:51 explorer.exe:1308 QUERY INFORMATION C:\Program\Bluffstopparen\Bluffstopparen.exe SUCCESS Length: 86016

224 21:57:51 explorer.exe:1308 CLOSE C:\Program\Bluffstopparen\Bluffstopparen.exe SUCCESS

225 21:57:51 Bluffstopparen.:1076 OPEN C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\ SUCCESS Options: Open Directory Access: All

226 21:57:51 Bluffstopparen.:1076 DIRECTORY C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\ SUCCESS FileBothDirectoryInformation: *.pbk

227 21:57:51 Bluffstopparen.:1076 OPEN C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\ SUCCESS Options: Open Directory Access: All

228 21:57:51 Bluffstopparen.:1076 DIRECTORY C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\ SUCCESS FileBothDirectoryInformation: rasphone.pbk

229 21:57:51 Bluffstopparen.:1076 CLOSE C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\ SUCCESS

230 21:57:51 Bluffstopparen.:1076 OPEN C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\rasphone.pbk SUCCESS Options: Open Access: All

231 21:57:51 Bluffstopparen.:1076 OPEN C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\rasphone.pbk SUCCESS Options: Open Access: All

232 21:57:51 Bluffstopparen.:1076 QUERY INFORMATION C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\rasphone.pbk SUCCESS FileFsVolumeInformation

233 21:57:51 Bluffstopparen.:1076 QUERY INFORMATION C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\rasphone.pbk SUCCESS FileInternalInformation

234 21:57:51 Bluffstopparen.:1076 QUERY INFORMATION C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\rasphone.pbk SUCCESS Length: 1716

235 21:57:51 Bluffstopparen.:1076 CLOSE C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\rasphone.pbk SUCCESS

236 21:57:51 Bluffstopparen.:1076 READ C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\rasphone.pbk SUCCESS Offset: 0 Length: 2048

237 21:57:51 Bluffstopparen.:1076 CLOSE C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\rasphone.pbk SUCCESS

238 21:57:51 Bluffstopparen.:1076 DIRECTORY C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\ NO MORE FILES FileBothDirectoryInformation

239 21:57:51 Bluffstopparen.:1076 CLOSE C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\ SUCCESS

240 21:57:51 Bluffstopparen.:1076 OPEN C:\WINDOWS\system32\Ras\ SUCCESS Options: Open Directory Access: All

241 21:57:51 Bluffstopparen.:1076 DIRECTORY C:\WINDOWS\system32\Ras\ NO SUCH FILE FileBothDirectoryInformation: *.pbk

242 21:57:51 Bluffstopparen.:1076 CLOSE C:\WINDOWS\system32\Ras\ SUCCESS

243 21:57:51 Bluffstopparen.:1076 QUERY INFORMATION C:\WINDOWS\TEMP SUCCESS Attributes: D

244 21:57:51 Bluffstopparen.:1076 QUERY INFORMATION C:\WINDOWS\TEMP SUCCESS Attributes: D

245 21:57:51 Bluffstopparen.:1076 QUERY INFORMATION C:\autoexec.bat SUCCESS Attributes: A

246 21:57:51 Bluffstopparen.:1076 OPEN C:\autoexec.bat SUCCESS Options: Open Access: All

247 21:57:51 Bluffstopparen.:1076 OPEN C:\autoexec.bat SUCCESS Options: Open Access: All

248 21:57:51 Bluffstopparen.:1076 QUERY INFORMATION C:\autoexec.bat SUCCESS FileFsVolumeInformation

249 21:57:51 Bluffstopparen.:1076 QUERY INFORMATION C:\autoexec.bat SUCCESS FileInternalInformation

250 21:57:51 Bluffstopparen.:1076 OPEN C:\ SUCCESS Options: Open Directory Access: All

251 21:57:51 Bluffstopparen.:1076 DIRECTORY C:\ SUCCESS FileBothDirectoryInformation: autoexec.bat

252 21:57:51 Bluffstopparen.:1076 CLOSE C:\ SUCCESS

253 21:57:51 Bluffstopparen.:1076 QUERY INFORMATION C:\autoexec.bat SUCCESS Length: 0

254 21:57:51 Bluffstopparen.:1076 CLOSE C:\autoexec.bat SUCCESS

255 21:57:51 Bluffstopparen.:1076 QUERY INFORMATION C:\autoexec.bat SUCCESS Length: 0

256 21:57:51 Bluffstopparen.:1076 READ C:\autoexec.bat SUCCESS Offset: 0 Length: 0

257 21:57:51 Bluffstopparen.:1076 CLOSE C:\autoexec.bat SUCCESS

258 21:57:51 Bluffstopparen.:1076 QUERY INFORMATION C:\Documents and Settings\Erik\Lokala inställningar\Temp SUCCESS Attributes: D

259 21:57:51 Bluffstopparen.:1076 OPEN C:\ SUCCESS Options: Open Directory Access: All

260 21:57:51 Bluffstopparen.:1076 DIRECTORY C:\ SUCCESS FileBothDirectoryInformation: Documents and Settings

261 21:57:51 Bluffstopparen.:1076 CLOSE C:\ SUCCESS

262 21:57:51 Bluffstopparen.:1076 OPEN C:\Documents and Settings\Erik\ SUCCESS Options: Open Directory Access: All

263 21:57:51 Bluffstopparen.:1076 DIRECTORY C:\Documents and Settings\Erik\ SUCCESS FileBothDirectoryInformation: Lokala inställningar

264 21:57:51 Bluffstopparen.:1076 CLOSE C:\Documents and Settings\Erik\ SUCCESS

265 21:57:51 Bluffstopparen.:1076 QUERY INFORMATION C:\Documents and Settings\Erik\Lokala inställningar\Temp SUCCESS Attributes: D

266 21:57:51 Bluffstopparen.:1076 OPEN C:\ SUCCESS Options: Open Directory Access: All

267 21:57:51 Bluffstopparen.:1076 DIRECTORY C:\ SUCCESS FileBothDirectoryInformation: Documents and Settings

268 21:57:51 Bluffstopparen.:1076 CLOSE C:\ SUCCESS

269 21:57:51 Bluffstopparen.:1076 OPEN C:\Documents and Settings\Erik\ SUCCESS Options: Open Directory Access: All

270 21:57:51 Bluffstopparen.:1076 DIRECTORY C:\Documents and Settings\Erik\ SUCCESS FileBothDirectoryInformation: Lokala inställningar

271 21:57:51 Bluffstopparen.:1076 CLOSE C:\Documents and Settings\Erik\ SUCCESS

272 21:57:51 Bluffstopparen.:1076 QUERY INFORMATION C:\Documents and Settings\Erik\Application Data SUCCESS Attributes: DRH

273 21:57:51 Bluffstopparen.:1076 OPEN C:\Documents and Settings\Erik\Application Data\Microsoft\Network\Connections\Pbk\ PATH NOT FOUND Options: Open Directory Access: All

274 21:57:51 Bluffstopparen.:1076 OPEN C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\ SUCCESS Options: Open Directory Access: All

275 21:57:51 Bluffstopparen.:1076 DIRECTORY C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\ SUCCESS FileBothDirectoryInformation: rasphone.pbk

276 21:57:51 Bluffstopparen.:1076 CLOSE C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\ SUCCESS

277 21:57:51 Bluffstopparen.:1076 OPEN C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\rasphone.pbk SUCCESS Options: Open Access: All

278 21:57:51 Bluffstopparen.:1076 OPEN C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\rasphone.pbk SUCCESS Options: Open Access: All

279 21:57:51 Bluffstopparen.:1076 QUERY INFORMATION C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\rasphone.pbk SUCCESS FileFsVolumeInformation

280 21:57:51 Bluffstopparen.:1076 QUERY INFORMATION C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\rasphone.pbk SUCCESS FileInternalInformation

281 21:57:51 Bluffstopparen.:1076 QUERY INFORMATION C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\rasphone.pbk SUCCESS Length: 1716

282 21:57:51 Bluffstopparen.:1076 CLOSE C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\rasphone.pbk SUCCESS

283 21:57:51 Bluffstopparen.:1076 READ C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\rasphone.pbk SUCCESS Offset: 0 Length: 2048

284 21:57:51 Bluffstopparen.:1076 CLOSE C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\rasphone.pbk SUCCESS

285 21:57:51 Bluffstopparen.:1076 OPEN C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\ SUCCESS Options: Open Directory Access: All

286 21:57:51 Bluffstopparen.:1076 DIRECTORY C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\ SUCCESS FileBothDirectoryInformation: rasphone.pbk

287 21:57:51 Bluffstopparen.:1076 CLOSE C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\ SUCCESS

288 21:57:51 Bluffstopparen.:1076 OPEN C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\rasphone.pbk SUCCESS Options: Open Access: All

289 21:57:51 Bluffstopparen.:1076 OPEN C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\rasphone.pbk SUCCESS Options: Open Access: All

290 21:57:51 Bluffstopparen.:1076 QUERY INFORMATION C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\rasphone.pbk SUCCESS FileFsVolumeInformation

291 21:57:51 Bluffstopparen.:1076 QUERY INFORMATION C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\rasphone.pbk SUCCESS FileInternalInformation

292 21:57:51 Bluffstopparen.:1076 QUERY INFORMATION C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\rasphone.pbk SUCCESS Length: 1716

293 21:57:51 Bluffstopparen.:1076 CLOSE C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\rasphone.pbk SUCCESS

294 21:57:51 Bluffstopparen.:1076 READ C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\rasphone.pbk SUCCESS Offset: 0 Length: 2048

295 21:57:51 Bluffstopparen.:1076 CLOSE C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\rasphone.pbk SUCCESS

296 21:57:51 Bluffstopparen.:1076 OPEN C:\hej.dat SUCCESS Options: OpenIf Access: All

297 21:57:51 Bluffstopparen.:1076 OPEN C:\hej.dat SUCCESS Options: Open Access: All

298 21:57:51 Bluffstopparen.:1076 QUERY INFORMATION C:\hej.dat SUCCESS FileFsVolumeInformation

299 21:57:51 Bluffstopparen.:1076 QUERY INFORMATION C:\hej.dat SUCCESS FileInternalInformation

300 21:57:51 Bluffstopparen.:1076 OPEN C:\ SUCCESS Options: Open Directory Access: All

301 21:57:51 Bluffstopparen.:1076 DIRECTORY C:\ SUCCESS FileBothDirectoryInformation: hej.dat

302 21:57:51 Bluffstopparen.:1076 CLOSE C:\ SUCCESS

303 21:57:51 Bluffstopparen.:1076 QUERY INFORMATION C:\hej.dat SUCCESS Length: 0

304 21:57:51 Bluffstopparen.:1076 CLOSE C:\hej.dat SUCCESS

305 21:57:51 Bluffstopparen.:1076 CLOSE C:\hej.dat SUCCESS

[/log]

/Erik

 


Apparently Hej.dat is some file that Bluffstopparen uses. And since Bluffstopparen is a very good and desirable program, everything seems to be fine with that file.

 

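The attribution step the last posts carry out by eye, as an added Python example that is not part of the original thread: it parses Filemon lines in the space-separated form pasted above and reports which process touches a given path and how often it opens it with a disposition that creates the file when it is missing (OpenIf), which is why a deleted file comes back. The function names and the creating dispositions other than OpenIf are assumptions; the sample lines are copied from the log in the thread.

```python
import re
from collections import defaultdict

# Request and result names as they appear in the Filemon excerpt in this thread.
REQUESTS = ("QUERY INFORMATION", "DIRECTORY", "OPEN", "CLOSE", "READ")
RESULTS = ("PATH NOT FOUND", "NOT FOUND", "NO MORE FILES", "NO SUCH FILE",
           "BUFFER OVERFLOW", "END OF FILE", "SUCCESS")

# Dispositions that create the file if it does not exist. Only "OpenIf" occurs
# on the page; the other three are assumed display names for the remaining
# NT create dispositions that can create a file.
CREATING_DISPOSITIONS = {"OpenIf", "OverwriteIf", "Create", "Supersede"}

# seq, time, process:pid, request, path (may contain spaces), result, details.
# The path is matched lazily and ends where a known result name begins.
LINE_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>\d\d:\d\d:\d\d)\s+"
    r"(?P<proc>\S+):(?P<pid>\d+)\s+"
    r"(?P<req>" + "|".join(REQUESTS) + r")\s+"
    r"(?P<path>.+?)\s+"
    r"(?P<result>" + "|".join(RESULTS) + r")"
    r"(?:\s+(?P<other>.*))?$"
)

# Lines copied from the Filemon log posted in the thread.
SAMPLE = r"""
149 21:57:50 Bluffstopparen.:1076 OPEN C:\hej.dat SUCCESS Options: OpenIf Access: All
150 21:57:50 Bluffstopparen.:1076 OPEN C:\hej.dat SUCCESS Options: Open Access: All
156 21:57:50 Bluffstopparen.:1076 QUERY INFORMATION C:\hej.dat SUCCESS Length: 0
157 21:57:50 Bluffstopparen.:1076 CLOSE C:\hej.dat SUCCESS
160 21:57:50 csrss.exe:528 OPEN C:\WINDOWS\Assembly\GAC\Policy.6.0.Microsoft.Windows.Common-Controls\ PATH NOT FOUND Options: Open Directory Access: All
217 21:57:51 explorer.exe:1308 OPEN C:\Program\Bluffstopparen\Bluffstopparen.exe SUCCESS Options: Open Access: Execute
234 21:57:51 Bluffstopparen.:1076 QUERY INFORMATION C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\rasphone.pbk SUCCESS Length: 1716
296 21:57:51 Bluffstopparen.:1076 OPEN C:\hej.dat SUCCESS Options: OpenIf Access: All
"""


def parse_line(line):
    """Return one Filemon event as a dict, or None if the line does not parse."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ev = m.groupdict()
    ev["seq"] = int(ev["seq"])
    ev["pid"] = int(ev["pid"])
    ev["other"] = ev["other"] or ""
    return ev


def disposition(other):
    """First token after 'Options:' in the details column, e.g. 'OpenIf'."""
    m = re.match(r"Options:\s+(\S+)", other)
    return m.group(1) if m else None


def who_touches(lines, target):
    """Summarise, per (process, pid), every event on `target`.

    Paths are compared case-insensitively, as Windows does. The process name
    is kept exactly as logged; in this thread it appears truncated
    ("Bluffstopparen." for Bluffstopparen.exe).
    """
    summary = defaultdict(
        lambda: {"events": 0, "creating_opens": 0, "lengths": set()})
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["path"].lower() != target.lower():
            continue
        entry = summary[(ev["proc"], ev["pid"])]
        entry["events"] += 1
        if ev["req"] == "OPEN" and disposition(ev["other"]) in CREATING_DISPOSITIONS:
            entry["creating_opens"] += 1
        size = re.search(r"\bLength: (\d+)", ev["other"])
        if ev["req"] == "QUERY INFORMATION" and size:
            entry["lengths"].add(int(size.group(1)))
    return dict(summary)


if __name__ == "__main__":
    for (proc, pid), info in who_touches(SAMPLE.strip().splitlines(),
                                         r"C:\hej.dat").items():
        print(f"{proc} (pid {pid}): {info['events']} events, "
              f"{info['creating_opens']} creating opens, "
              f"sizes seen: {sorted(info['lengths'])}")
```

The process name reported for the creating opens can then be matched against the running-process and autostart entries in the HijackThis log to find the full path of the program that keeps the file in place.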

Archived

This topic is now archived and is closed to further replies.
