
The computer restarts


Megaman9


I have a computer that restarts right when you reach the desktop. It does so almost every time. But sometimes you are lucky and get in, and then this error message usually appears: The computer has recovered from a serious error.

 

There was recently a trojan on the computer, but I don't know whether that is what caused this. Booting into Safe Mode always works. How should I solve the problem?

 

Here is a HJT log and an SDFix log:

 

 

Logfile of HijackThis v1.99.1

Scan saved at 00:31:59, on 2007-09-29

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

D:\Program\Sygate\SPF\smc.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program\AntiVir PersonalEdition Classic\sched.exe

C:\Program\AntiVir PersonalEdition Classic\avguard.exe

C:\Program\WIDCOMM\Bluetooth-programvara\bin\btwdins.exe

D:\Program\ewido anti-spyware 4.0\guard.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\slserv.exe

C:\Program\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

C:\WINDOWS\System32\svchost.exe

C:\Program\AntiVir PersonalEdition Classic\avgnt.exe

C:\WINDOWS\system32\RunDLL32.exe

C:\Program\Java\jre1.6.0_02\bin\jusched.exe

D:\Program\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar

O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - D:\Program\Torrent downloaders\Bitcomet\tools\BitCometBHO_1.1.4.29.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.6.0_02\bin\ssv.dll

O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - D:\Program\Free Download Manager\iefdmcks.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [smcService] D:\Program\Sygate\SPF\smc.exe -startgui

O4 - HKLM\..\Run: [avgnt] "C:\Program\AntiVir PersonalEdition Classic\avgnt.exe" /min

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program\Java\jre1.6.0_02\bin\jusched.exe"

O8 - Extra context menu item: Download all links using BitComet - res://D:\Program\Torrent downloaders\Bitcomet\BitComet.exe/AddAllLink.htm

O8 - Extra context menu item: Download all videos using BitComet - res://D:\Program\Torrent downloaders\Bitcomet\BitComet.exe/AddVideo.htm

O8 - Extra context menu item: Download link using &BitComet - res://D:\Program\Torrent downloaders\Bitcomet\BitComet.exe/AddLink.htm

O8 - Extra context menu item: E&xportera till Microsoft Excel - res://D:\Program\MICROS~1\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Ladda ner allt med Free Download Manager - file://D:\Program\Free Download Manager\dlall.htm

O8 - Extra context menu item: Ladda ner markerat med Free Download Mananger - file://D:\Program\Free Download Manager\dlselected.htm

O8 - Extra context menu item: Ladda ner med Free Download Manager - file://D:\Program\Free Download Manager\dllink.htm

O8 - Extra context menu item: Skicka till &Bluetooth - C:\Program\WIDCOMM\Bluetooth-programvara\btsendto_ie_ctx.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program\WIDCOMM\Bluetooth-programvara\btsendto_ie.htm

O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program\WIDCOMM\Bluetooth-programvara\btsendto_ie.htm

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe

O17 - HKLM\System\CCS\Services\Tcpip\..\{7E5D84C0-9834-470F-9615-B657C4971B72}: NameServer = 217.75.96.11,217.75.96.12

O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINDOWS\system32\btxppanel.dll

O20 - Winlogon Notify: !SASWinLogon - D:\Program\SUPERAntiSpyware\SASWINLO.DLL

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

O20 - Winlogon Notify: WgaLogon - WgaLogon.dll (file missing)

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program\Delade filer\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program\AntiVir PersonalEdition Classic\sched.exe

O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - Avira GmbH - C:\Program\AntiVir PersonalEdition Classic\avguard.exe

O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program\WIDCOMM\Bluetooth-programvara\bin\btwdins.exe

O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - D:\Program\ewido anti-spyware 4.0\guard.exe

O23 - Service: NBService - Nero AG - D:\Program\Ahead\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe

O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - D:\Program\Sygate\SPF\smc.exe

O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

SDFix: Version 1.103

 

Run by Administrat”r on 2007-09-27 at 21:51

 

Microsoft Windows XP [Version 5.1.2600]

 

Running From: C:\SDFix

 

Safe Mode:

Checking Services:

 

 

Restoring Windows Registry Values

Restoring Windows Default Hosts File

 

Rebooting...

 

 

Normal Mode:

Checking Files:

 

Trojan Files Found:

 

C:\WINDOWS\SYSTEM32\CMMGR32.EXE - Deleted

 

 

 

Removing Temp Files...

 

ADS Check:

 

C:\WINDOWS

No streams found.

 

C:\WINDOWS\system32

No streams found.

 

C:\WINDOWS\system32\svchost.exe

No streams found.

 

C:\WINDOWS\system32\ntoskrnl.exe

No streams found.

 

 

 

Final Check:

 

Remaining Services:

------------------

 

 

 

Authorized Application Key Export:

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"D:\\Spel\\Codemasters\\MMV3\\micro.exe"="D:\\Spel\\Codemasters\\MMV3\\micro.exe:*:Enabled:micro"

"C:\\Program\\MSN Messenger\\msnmsgr.exe"="C:\\Program\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.0"

"D:\\Mina mottagna filer\\Torrent downloaders\\uTorrent\\utorrent.exe"="D:\\Mina mottagna filer\\Torrent downloaders\\uTorrent\\utorrent.exe:*:Enabled:æTorrent"

"D:\\Mina mottagna filer\\Torrent downloaders\\utorrent.exe"="D:\\Mina mottagna filer\\Torrent downloaders\\utorrent.exe:*:Enabled:æTorrent"

"D:\\Program\\Pinnacle\\Studio 10\\programs\\RM.exe"="D:\\Program\\Pinnacle\\Studio 10\\programs\\RM.exe:*:Enabled:Render Manager"

"D:\\Program\\Pinnacle\\Studio 10\\programs\\Studio.exe"="D:\\Program\\Pinnacle\\Studio 10\\programs\\Studio.exe:*:Enabled:Studio"

"D:\\Program\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe"="D:\\Program\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe:*:Enabled:PMSRegisterFile"

"D:\\Program\\Pinnacle\\Studio 10\\programs\\umi.exe"="D:\\Program\\Pinnacle\\Studio 10\\programs\\umi.exe:*:Enabled:umi"

"D:\\Program\\Torrent downloaders\\uTorrent\\utorrent.exe"="D:\\Program\\Torrent downloaders\\uTorrent\\utorrent.exe:*:Enabled:æTorrent"

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"C:\\Program\\MSN Messenger\\msnmsgr.exe"="C:\\Program\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.0"

 

Remaining Files:

---------------

 

File Backups: - C:\SDFix\backups\backups.zip

 

Files with Hidden Attributes:

 

C:\Program\Messenger\msmsgs.exe

C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp

 

Finished!


I don't see anything nasty in the log, but Ewido has been upgraded and renamed, so uninstall the one you have and install the new version instead. http://www.ewido.net/en/

 

It sounds like the restarts are due to system errors, so turn off automatic restart on system failure:

Right-click My Computer - Properties - Advanced - Startup...Settings

Then you will get a blue screen with an error message if the restarts are due to system errors.

 

The important information on the blue screen is the following:

At the top, an error message in capital letters (e.g. BAD_POOL)

Far down, a line consisting mostly of numbers (STOP...)

Below that, sometimes a file name

 

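As an added illustration of the three items the reply above points to (this snippet is not part of the thread and not from any of the tools discussed), the Python below picks the bugcheck name, the STOP line with its four parameters, and the optional driver name out of a transcribed Windows XP stop screen. The screen text is a constructed sample in the standard XP layout, and the driver name `example.sys` is a placeholder; a partial transcription (no module line, or no STOP line at all) is handled by returning `None` for the missing fields instead of raising.

```python
import re

# Constructed sample in the layout of a Windows XP stop screen, as a user might
# transcribe it by hand; "example.sys" is a placeholder driver name.
SAMPLE_STOP_SCREEN = """\
A problem has been detected and Windows has been shut down to prevent damage
to your computer.

BAD_POOL_CALLER

If this is the first time you've seen this Stop error screen,
restart your computer. If this screen appears again, follow
these steps:

Technical information:

*** STOP: 0x000000C2 (0x00000043, 0xE10B0000, 0x00000000, 0x00000000)

***  example.sys - Address F8A2B1C4 base at F8A2A000, DateStamp 3d6dd67c
"""

# The bugcheck name is the only line made up solely of capitals, digits and
# underscores (BAD_POOL_CALLER, IRQL_NOT_LESS_OR_EQUAL, ...).
BUGCHECK_NAME_RE = re.compile(r"^[A-Z][A-Z0-9_]{3,}$", re.MULTILINE)

# The STOP line: bugcheck code followed by four parameters in parentheses.
HEX8 = r"0x[0-9A-Fa-f]{8}"
STOP_RE = re.compile(
    r"STOP:\s*(" + HEX8 + r")\s*\(\s*(" + HEX8 + r")\s*,\s*(" + HEX8 + r")\s*,\s*("
    + HEX8 + r")\s*,\s*(" + HEX8 + r")\s*\)"
)

# The optional last line names the faulting module and where it was loaded.
MODULE_RE = re.compile(
    r"^\*{3}\s+(\S+\.(?:sys|dll|exe))\s+-\s+Address\s+([0-9A-Fa-f]{8})\s+base at\s+([0-9A-Fa-f]{8})",
    re.MULTILINE | re.IGNORECASE,
)


def parse_stop_screen(text: str) -> dict:
    """Extract the fields the reply asks for from a transcribed stop screen.

    Missing pieces come back as None: the module line is not always shown,
    and a partial transcription should not raise.
    """
    name = BUGCHECK_NAME_RE.search(text)
    stop = STOP_RE.search(text)
    module = MODULE_RE.search(text)
    return {
        "name": name.group(0) if name else None,
        "stop_code": stop.group(1) if stop else None,
        "parameters": list(stop.groups()[1:]) if stop else None,
        "module": module.group(1) if module else None,
        "module_base": module.group(3) if module else None,
    }


def one_line_summary(text: str) -> str:
    """Condense the parsed fields into the single line worth pasting into a reply."""
    f = parse_stop_screen(text)
    if f["stop_code"] is None:
        return "no STOP line found"
    parts = [f["name"] or "UNKNOWN_BUGCHECK", f["stop_code"], "(" + ", ".join(f["parameters"]) + ")"]
    if f["module"]:
        parts.append("in " + f["module"])
    return " ".join(parts)


if __name__ == "__main__":
    print(one_line_summary(SAMPLE_STOP_SCREEN))
```

The bugcheck code and the module name are the two fields that actually narrow a crash down (the code says which class of fault it was, the module says which driver was executing), so the summary keeps both and leaves out the boilerplate text around them.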

Today it works without me having done anything; probably something I did yesterday fixed the problem.

 

I have tested 5 times and it has not restarted once.

 

But thanks anyway for the reply!

 

I'll get back to you if it starts restarting again.


SDFix did remove a file, after all. It is probably best to check whether there are more nasty files on the computer. Download ComboFix:

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

 

Run it and follow the instructions shown.

 

IMPORTANT! Do not click on the ComboFix window with the mouse while it is running, otherwise it may hang.

 

When it is finished, a log should appear; paste it here.

 


ComboFix 07-09-21.2 - "Administrat”r" 2007-09-29 13:46:19.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1053.18.239 [GMT 2:00]

* Created a new restore point

.

Rootkit driver pe386 is present. ... attempting disinfection

Rootkit driver msguard is present. ... attempting disinfection

Rootkit driver lzx32 is present. ... attempting disinfection

Rootkit driver huy32 is present. ... attempting disinfection

Rootkit driver xpdt is present. ... attempting disinfection

Rootkit driver pe386 is still present. A rootkit scan is required

Rootkit driver msguard is still present. A rootkit scan is required

Rootkit driver lzx32 is still present. A rootkit scan is required

Rootkit driver huy32 is still present. A rootkit scan is required

Rootkit driver xpdt is still present. A rootkit scan is required

 

((((((((((((((((((((((((( Files Created from 2007-08-28 to 2007-09-29 )))))))))))))))))))))))))))))))

.

 

2007-09-29 13:10 51,200 --a------ C:\WINDOWS\NirCmd.exe

2007-09-27 22:00 552 --a------ C:\WINDOWS\system32\d3d8caps.dat

2007-09-27 21:50 d-------- C:\WINDOWS\ERUNT

2007-09-21 23:07 d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com

2007-09-15 14:40 23,040 -----c--- C:\WINDOWS\system32\dllcache\fltmc.exe

2007-09-15 14:40 16,896 -----c--- C:\WINDOWS\system32\dllcache\fltlib.dll

2007-09-15 14:40 128,896 -----c--- C:\WINDOWS\system32\dllcache\fltmgr.sys

2007-09-15 14:38 d-------- C:\Program\MSXML 4.0

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2007-09-25 18:17 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy

2007-07-17 17:51 77824 --a------ C:\WINDOWS\zipexe_r.exe

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

 

*Note* empty entries & legit default entries are not shown

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-01-23 10:36]

"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-01-23 10:31]

"SmcService"="D:\Program\Sygate\SPF\smc.exe" [2004-10-15 19:40]

"avgnt"="C:\Program\AntiVir PersonalEdition Classic\avgnt.exe" [2007-09-15 14:23]

"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2004-12-15 06:01]

"NvMediaCenter"="NvMCTray.dll" [2004-12-15 06:01 C:\WINDOWS\system32\nvmctray.dll]

"SunJavaUpdateSched"="C:\Program\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Steam"="" []

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= D:\Program\SUPERAntiSpyware\SASSEH.DLL [2007-09-21 23:07 77824]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

D:\Program\SUPERAntiSpyware\SASWINLO.DLL 2007-09-21 23:07 294912 D:\Program\SUPERAntiSpyware\SASWINLO.DLL

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administratör^Start-meny^Program^Autostart^Adobe Gamma.lnk]

path=C:\Documents and Settings\Administratör\Start-meny\Program\Autostart\Adobe Gamma.lnk

backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administratör^Start-meny^Program^Autostart^MagicDisc.lnk]

path=C:\Documents and Settings\Administratör\Start-meny\Program\Autostart\MagicDisc.lnk

backup=C:\WINDOWS\pss\MagicDisc.lnkStartup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start-meny^Program^Autostart^BTTray.lnk]

path=C:\Documents and Settings\All Users\Start-meny\Program\Autostart\BTTray.lnk

backup=C:\WINDOWS\pss\BTTray.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start-meny^Program^Autostart^Microsoft Office.lnk]

path=C:\Documents and Settings\All Users\Start-meny\Program\Autostart\Microsoft Office.lnk

backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start-meny^Program^Autostart^WinManager.lnk]

path=C:\Documents and Settings\All Users\Start-meny\Program\Autostart\WinManager.lnk

backup=C:\WINDOWS\pss\WinManager.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!ewido]

"D:\Program\ewido anti-spyware 4.0\ewido.exe" /minimized

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]

"C:\Program\Delade filer\Ahead\Lib\NMBgMonitor.exe"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]

rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]

"D:\Program\CloneCD\CloneCDTray.exe" /s

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\csharpshell]

C:\Windows\System32\csharpshell.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]

C:\WINDOWS\system32\ctfmon.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dvd43]

C:\Program\dvd43\dvd43_tray.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus C62 Series]

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0BIC1.EXE /P23 "EPSON Stylus C62 Series" /O5 "LPT1:" /M "Stylus C62"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]

%systemroot%\system32\dumprep 0 -k

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]

"D:\Program\Ahead\Nero BackItUp\NBJ.exe"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

C:\Program\Delade filer\Ahead\Lib\NeroCheck.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]

RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]

RunDLL32.exe NvMCTray.dll,NvTaskbarInit

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NWEReboot]

 

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]

nwiz.exe /install

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]

 

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

C:\Program\Java\jre1.5.0_06\bin\jusched.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swcpshell]

C:\Windows\System32\csharpshell.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

"C:\Program\Delade filer\Real\Update_OB\realsched.exe" -osboot

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]

%systemroot%\system32\dumprep 0 -u

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirtualCloneDrive]

"D:\Program\VirtualCloneDrive\VCDDaemon.exe" /s

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]

"C:\Program\Windows Defender\MSASCui.exe" -hide

 

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]

AutoRun\command- F:\autorun.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]

AutoRun\command- H:\SETUP.EXE

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]

AutoRun\command- J:\Launcher.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5bb3d2ae-24cd-11db-bddb-000d56083f70}]

AutoRun\command- F:\launch.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5bb3d2af-24cd-11db-bddb-000d56083f70}]

AutoRun\command- K:\setup.exe

 

.

**************************************************************************

 

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2007-09-29 13:50:01

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

Completion time: 2007-09-29 13:51:26 - machine was rebooted

C:\ComboFix-quarantined-files.txt ... 2007-09-29 13:51

.

--- E O F ---


Ugh, rootkits.

 

Download Gmer to the Desktop from one of these pages:

http://www.gmer.net/

http://www.majorgeeks.com/GMER_d5198.html

Unpack the file to the Desktop.

 

Double-click the program gmer.exe to start it.

Select the Rootkit tab, make sure everything on the right is checked except Show All. Press Scan.

When it is done, right-click the first of the following names and choose Delete the service. Repeat with the next name.

pe386

msguard

lzx32

huy32

xpdt

Then restart the computer and post a new ComboFix log here.

 

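To show what a helper is actually looking for once ComboFix and Gmer have both run, here is an added Python example; it is not part of the thread and not code from either tool. It reads the "Rootkit driver ... is still present" lines from the ComboFix output above to list the driver names still unresolved (the same five names the reply asks the user to delete), and it groups Gmer's SSDT lines by the driver that owns each hook, setting aside the hooks Gmer could only report as a bare kernel address. The ComboFix lines are quoted from the log posted above; the SSDT lines are a subset of the Gmer log posted later in the thread.

```python
import re
from collections import defaultdict

# Quoted from the ComboFix log posted earlier in this thread.
COMBOFIX_EXCERPT = """\
Rootkit driver pe386 is present. ... attempting disinfection
Rootkit driver msguard is present. ... attempting disinfection
Rootkit driver lzx32 is present. ... attempting disinfection
Rootkit driver huy32 is present. ... attempting disinfection
Rootkit driver xpdt is present. ... attempting disinfection
Rootkit driver pe386 is still present. A rootkit scan is required
Rootkit driver msguard is still present. A rootkit scan is required
Rootkit driver lzx32 is still present. A rootkit scan is required
Rootkit driver huy32 is still present. A rootkit scan is required
Rootkit driver xpdt is still present. A rootkit scan is required
"""

# A subset of the "System" section from the Gmer log posted later in the thread
# (format: SSDT <owner> <hooked function>). When Gmer cannot attribute a hook to
# a driver it prints the bare kernel address instead of a name.
GMER_EXCERPT = r"""
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys ZwAllocateVirtualMemory
SSDT d347bus.sys ZwClose
SSDT d347bus.sys ZwCreateKey
SSDT F8BED354 ZwCreateThread
SSDT d347bus.sys ZwEnumerateKey
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys ZwMapViewOfSection
SSDT F8BED340 ZwOpenProcess
SSDT F8BED345 ZwOpenThread
SSDT d347bus.sys ZwQueryKey
SSDT F8BED34F ZwTerminateProcess
"""

# ComboFix prints one line per driver per attempt; "still present" comes after
# "present" for the same name when disinfection did not succeed.
ROOTKIT_RE = re.compile(r"^Rootkit driver (\S+) is (still present|present)\.", re.MULTILINE)

# Gmer SSDT line: owner is a driver path/name or an 8-digit hex kernel address.
SSDT_RE = re.compile(r"^SSDT\s+(\S+)\s+(Zw\w+)\s*$", re.MULTILINE)
ADDRESS_RE = re.compile(r"^[0-9A-Fa-f]{8}$")


def combofix_rootkit_status(text: str) -> dict:
    """Return {driver_name: 'present' | 'still present'}; a later line overrides an earlier one."""
    status = {}
    for m in ROOTKIT_RE.finditer(text):
        status[m.group(1)] = m.group(2)
    return status


def combofix_unresolved(text: str) -> list:
    """Driver names ComboFix reported as still present after its own attempt."""
    return sorted(name for name, s in combofix_rootkit_status(text).items() if s == "still present")


def gmer_ssdt_hooks(text: str) -> dict:
    """Group SSDT hooks by owning driver file name; bare addresses go under 'unattributed'."""
    hooks = defaultdict(list)
    for m in SSDT_RE.finditer(text):
        owner, func = m.groups()
        if ADDRESS_RE.match(owner):
            key = "unattributed"
        else:
            # Strip any \??\C:\... prefix so the same driver is one bucket.
            key = owner.rsplit("\\", 1)[-1].lower()
        hooks[key].append(func)
    return {k: sorted(v) for k, v in hooks.items()}


def triage(combofix_text: str, gmer_text: str) -> dict:
    """Combine both views into the shortlist a helper would work from."""
    hooks = gmer_ssdt_hooks(gmer_text)
    return {
        "unresolved_rootkits": combofix_unresolved(combofix_text),
        "hooks_by_owner": {k: len(v) for k, v in hooks.items()},
        "unattributed_hooks": hooks.get("unattributed", []),
    }


if __name__ == "__main__":
    for key, value in triage(COMBOFIX_EXCERPT, GMER_EXCERPT).items():
        print(key, value)
```

The unattributed hooks are the first thing to compare against the security products installed on the machine (a firewall and two anti-spyware products in this thread, whose drivers hook many of the same functions), since a legitimate product normally shows up under its own driver name; the unresolved list is the set of names to look for in Gmer's service view before deleting anything.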

I have scanned with Gmer now, but I can't find these names in the list:

 

pe386

msguard

lzx32

huy32

xpdt

 

I'm posting the log from Gmer:

GMER 1.0.13.12551 - http://www.gmer.net

Rootkit scan 2007-09-29 15:20:43

Windows 5.1.2600 Service Pack 2

---- System - GMER 1.0.13 ----

 

SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys ZwAllocateVirtualMemory

SSDT d347bus.sys ZwClose

SSDT d347bus.sys ZwCreateKey

SSDT d347bus.sys ZwCreatePagingFile

SSDT F8BED354 ZwCreateThread

SSDT d347bus.sys ZwEnumerateKey

SSDT d347bus.sys ZwEnumerateValueKey

SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys ZwMapViewOfSection

SSDT d347bus.sys ZwOpenKey

SSDT F8BED340 ZwOpenProcess

SSDT F8BED345 ZwOpenThread

SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys ZwProtectVirtualMemory

SSDT d347bus.sys ZwQueryKey

SSDT d347bus.sys ZwQueryValueKey

SSDT d347bus.sys ZwSetSystemPowerState

SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys ZwShutdownSystem

SSDT F8BED34F ZwTerminateProcess

SSDT F8BED34A ZwWriteVirtualMemory

 

---- Kernel code sections - GMER 1.0.13 ----

 

.text tcpip.sys!IPTransmit + 10BC F57F7CFA 6 Bytes CALL F82DCE50 Teefer.sys

.text tcpip.sys!IPTransmit + 2810 F57F944E 6 Bytes CALL F82DCE50 Teefer.sys

.text tcpip.sys!ARPRcv + 506D F57FE4E0 6 Bytes CALL F82DCE50 Teefer.sys

.text wanarp.sys F7BA23FD 7 Bytes CALL F82DCFA0 Teefer.sys

 

---- Kernel IAT/EAT - GMER 1.0.13 ----

 

IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisCloseAdapter] [F82DDC70] Teefer.sys

IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisOpenAdapter] [F82DDBD0] Teefer.sys

IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisDeregisterProtocol] [F82DDB10] Teefer.sys

IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisRegisterProtocol] [F82DD8E0] Teefer.sys

IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [F82DD8E0] Teefer.sys

IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [F82DDBD0] Teefer.sys

IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [F82DDC70] Teefer.sys

IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [F82DDB10] Teefer.sys

IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [F82DDB10] Teefer.sys

IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [F82DD8E0] Teefer.sys

IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [F82DDBD0] Teefer.sys

IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [F82DDC70] Teefer.sys

IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [F82DD8E0] Teefer.sys

IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [F82DDC70] Teefer.sys

IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [F82DDBD0] Teefer.sys

IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [F82DDB10] Teefer.sys

IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [F82DDC70] Teefer.sys

IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [F82DDBD0] Teefer.sys

IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [F82DD8E0] Teefer.sys

IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [F82DDB10] Teefer.sys

IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [F82DD8E0] Teefer.sys

IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [F82DDBD0] Teefer.sys

IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [F82DDC70] Teefer.sys

IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [F82DD8E0] Teefer.sys

IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [F82DDB10] Teefer.sys

IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [F82DDC70] Teefer.sys

IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [F82DDBD0] Teefer.sys

 

Device \FileSystem\Ntfs \Ntfs IRP_MJ_READ 823CFDA0

 

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE [F85875A4] avgntmgr.sys

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_NAMED_PIPE [F858752C] avgntmgr.sys

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE [F858A6BE] avgntmgr.sys

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_READ [F858752C] avgntmgr.sys

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE [F858752C] avgntmgr.sys

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION [F858752C] avgntmgr.sys

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION [F858752C] avgntmgr.sys

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA [F858752C] avgntmgr.sys

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA [F858752C] avgntmgr.sys

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS [F858752C] avgntmgr.sys

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION [F858752C] avgntmgr.sys

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION [F858752C] avgntmgr.sys

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL [F858752C] avgntmgr.sys

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL [F858AA5A] avgntmgr.sys

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CONTROL [F858752C] avgntmgr.sys

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_INTERNAL_DEVICE_CONTROL [F858752C] avgntmgr.sys

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SHUTDOWN [F858752C] avgntmgr.sys

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_LOCK_CONTROL [F858752C] avgntmgr.sys

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLEANUP [F858752C] avgntmgr.sys

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_MAILSLOT [F858752C] avgntmgr.sys

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_SECURITY [F858752C] avgntmgr.sys

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_SECURITY [F858752C] avgntmgr.sys

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_POWER [F858752C] avgntmgr.sys

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SYSTEM_CONTROL [F858752C] avgntmgr.sys

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CHANGE [F858752C] avgntmgr.sys

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_QUOTA [F858752C] avgntmgr.sys

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_QUOTA [F858752C] avgntmgr.sys

 

Device \FileSystem\Fastfat \FatCdrom IRP_MJ_READ 81D1FDB8

Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [F8767220] wpsdrvnt.sys

Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE [F8767480] wpsdrvnt.sys

Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [F87675A0] wpsdrvnt.sys

Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [F87675D0] wpsdrvnt.sys

Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [F8767220] wpsdrvnt.sys

Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE [F8767480] wpsdrvnt.sys

Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [F87675A0] wpsdrvnt.sys

Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [F87675D0] wpsdrvnt.sys

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE 81CC2BE8

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE_NAMED_PIPE 81CC2BE8

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CLOSE 81CC2BE8

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_READ 81CC2BE8

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_WRITE 81CC2BE8

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_INFORMATION 81CC2BE8

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_INFORMATION 81CC2BE8

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_EA 81CC2BE8

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_EA 81CC2BE8

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_FLUSH_BUFFERS 81CC2BE8

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_VOLUME_INFORMATION 81CC2BE8

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_VOLUME_INFORMATION 81CC2BE8

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_DIRECTORY_CONTROL 81CC2BE8

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_FILE_SYSTEM_CONTROL 81CC2BE8

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_DEVICE_CONTROL 81CC2BE8

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_INTERNAL_DEVICE_CONTROL 81CC2BE8

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SHUTDOWN 81CC2BE8

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_LOCK_CONTROL 81CC2BE8

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CLEANUP 81CC2BE8

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE_MAILSLOT 81CC2BE8

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_SECURITY 81CC2BE8

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_SECURITY 81CC2BE8

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_POWER 81CC2BE8

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SYSTEM_CONTROL 81CC2BE8

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_DEVICE_CHANGE 81CC2BE8

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_QUOTA 81CC2BE8

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_QUOTA 81CC2BE8

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_PNP 81CC2BE8

Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_READ 81AFDE78

Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CREATE 81CC2BE8

Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CREATE_NAMED_PIPE 81CC2BE8

Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CLOSE 81CC2BE8

Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_READ 81CC2BE8

Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_WRITE 81CC2BE8

Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_INFORMATION 81CC2BE8

Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_INFORMATION 81CC2BE8

Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_EA 81CC2BE8

Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_EA 81CC2BE8

Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_FLUSH_BUFFERS 81CC2BE8

Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_VOLUME_INFORMATION 81CC2BE8

Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_VOLUME_INFORMATION 81CC2BE8

Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_DIRECTORY_CONTROL 81CC2BE8

Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_FILE_SYSTEM_CONTROL 81CC2BE8

Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_DEVICE_CONTROL 81CC2BE8

Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_INTERNAL_DEVICE_CONTROL 81CC2BE8

Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SHUTDOWN 81CC2BE8

Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_LOCK_CONTROL 81CC2BE8

Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CLEANUP 81CC2BE8



Hmm, ComboFix is usually not wrong. Run the following and we'll see what they show.

Download SDFix to the Desktop:

http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

Double-click SDFix.exe and a new folder is created, C:\SDFix.

 

Restart the computer in safe mode (press F8 repeatedly during startup and choose safe mode from the menu).

 

Open the new folder C:\SDFix and double-click RunThis.bat to start the program.

Press Y to continue.

It works for a while, and when it is done you are asked whether you want to restart the computer.

Press any key to begin the restart.

The computer will take a long time to start up, because the program will run and fix a lot of things.

When it is done, Finished is shown.

Press any key to exit the program.

 

Open the SDFix folder and open the file Report.txt in Notepad.

Paste the contents of the file into your reply here.

 

Scan the computer with Blacklight:

http://www.f-secure.com/blacklight/try_blacklight.html

Paste the log from it if it finds anything.

 


Blacklight found nothing.

 

 

 

SDFix: Version 1.103

 

Run by Administratör on 2007-09-29 at 20:44

 

Microsoft Windows XP [Version 5.1.2600]

 

Running From: C:\SDFix

 

Safe Mode:

Checking Services:

 

 

Restoring Windows Registry Values

Restoring Windows Default Hosts File

 

Rebooting...

 

 

Normal Mode:

Checking Files:

 

No Trojan Files Found

 

 

 

 

Removing Temp Files...

 

ADS Check:

 

C:\WINDOWS

No streams found.

 

C:\WINDOWS\system32

No streams found.

 

C:\WINDOWS\system32\svchost.exe

No streams found.

 

C:\WINDOWS\system32\ntoskrnl.exe

No streams found.

 

 

 

Final Check:

 

Remaining Services:

------------------

 

 

 

Authorized Application Key Export:

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

 

Remaining Files:

---------------

 

 

Files with Hidden Attributes:

 

C:\Program\Messenger\msmsgs.exe

C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp

C:\WINDOWS\system32\config\SAM.tmp.LOG

C:\WINDOWS\system32\config\SECURITY.tmp.LOG

 

Finished!

 

 

 


 

It's an old SDFix you're using; either remove the program and the folder, or replace the old files with the new version.

 

Download this program > save it to the desktop > click the file.

If problems are found, the computer will restart.

When everything is done, at least one log file will open; paste it in here.

http://www.uploads.ejvindh.net/rustbfix.exe

 


************************* Rustock.b-fix v. 1.01 -- By ejvindh *************************

2007-09-29 23:02:38,70

 

No Rustock.b-rootkits found

 

******************************* End of Logfile ********************************

 

 

 


And also this:

Go to http://www.virustotal.com/, paste the following file name into the box, press Send File and wait until the result is ready (Current status becomes Finished). Paste the result from the various antivirus programs, along with the File size, here.

C:\WINDOWS\zipexe_r.exe

 

 


Rootkit driver pe386 is present. ... attempting disinfection

Rootkit driver msguard is present. ... attempting disinfection

Rootkit driver lzx32 is present. ... attempting disinfection

Rootkit driver huy32 is present. ... attempting disinfection

Rootkit driver xpdt is present. ... attempting disinfection

Rootkit driver pe386 is still present. A rootkit scan is required

Rootkit driver msguard is still present. A rootkit scan is required

Rootkit driver lzx32 is still present. A rootkit scan is required

Rootkit driver huy32 is still present. A rootkit scan is required

Rootkit driver xpdt is still present. A rootkit scan is required

 

 

 

 

Antivirus Version Senaste Uppdatering Resultat

AhnLab-V3 2007.9.29.0 2007.09.28 -

AntiVir 7.6.0.18 2007.09.28 -

Authentium 4.93.8 2007.09.29 -

Avast 4.7.1043.0 2007.09.29 -

AVG 7.5.0.488 2007.09.29 -

BitDefender 7.2 2007.09.29 -

CAT-QuickHeal 9.00 2007.09.29 -

ClamAV 0.91.2 2007.09.29 -

DrWeb 4.33 2007.09.29 -

eSafe 7.0.15.0 2007.09.29 -

eTrust-Vet 31.2.5169 2007.09.27 -

Ewido 4.0 2007.09.29 -

FileAdvisor 1 2007.09.29 -

Fortinet 3.11.0.0 2007.09.29 -

F-Prot 4.3.2.48 2007.09.29 -

F-Secure 6.70.13030.0 2007.09.29 -

Ikarus T3.1.1.12 2007.09.29 -

Kaspersky 7.0.0.125 2007.09.29 -

McAfee 5130 2007.09.28 -

Microsoft 1.2803 2007.09.29 -

NOD32v2 2559 2007.09.29 -

Norman 5.80.02 2007.09.28 -

Panda 9.0.0.4 2007.09.29 -

Prevx1 V2 2007.09.29 -

Rising 19.42.50.00 2007.09.29 -

Sophos 4.21.0 2007.09.29 -

Sunbelt 2.2.907.0 2007.09.28 -

Symantec 10 2007.09.29 -

TheHacker 6.2.6.073 2007.09.28 -

VBA32 3.12.2.4 2007.09.29 -

VirusBuster 4.3.26:9 2007.09.29 -

Webwasher-Gateway 6.0.1 2007.09.28 -

Övrig information

File size: 77824 bytes

MD5: 4f9ff96c8aa0516f8f9dfed021885170

SHA1: fa14349e6aa6e7a68f7461bbc5a3b15978fce062

packers: PE_Patch

 

 

 


Do you have Gmer on the Desktop?

If so, try this:

Start - Programs - Accessories - Command Prompt

Type in:

cd Skrivbord

gmer -del service pe386

gmer -del service msguard

gmer -del service lzx32

gmer -del service xpdt

gmer -del service huy32

 

Restart the computer and check with ComboFix again.

 

 


An error message from gmer comes up that says:

 

DeleteService: Felaktig parameter.

 

 

 

 

[post edited 2007-09-30 00:45:32 by Megaman9]


Yes, the same error message for all the lines.

 

Now I discovered that my best computer has also been hit by exactly the same rootkits. But I don't know how long it has been there.

 

 

********************************* ROOTCHK-(21-09-07)-LOG, by ejvindh

2007-09-30 1:10:34,34

 

The rootkits that are detected by this tool were not found.

 

********************************* ROOTCHK-LOG-end

 

 

catchme 0.3.1160 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2007-09-30 01:10:35

Windows 5.1.2600 Service Pack 2

scanning hidden processes ...

 

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000ea13420b9]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40]

"khjeh"=hex:20,02,00,00,f7,56,69,38,43,3e,74,36,3a,9b,d5,ff,05,14,1f,41,84,..

"hj34z0"=hex:6a,ac,4f,34,94,4b,ca,4f,a2,42,84,4a,e3,07,e9,e0,91,82,f3,21,f5,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf41]

"khjeh"=hex:20,02,00,00,70,55,69,38,ce,19,52,9c,59,45,93,a5,88,7f,b2,90,8b,..

"hj34z0"=hex:ea,a9,4f,34,14,49,ca,4f,a2,42,8c,4a,e3,07,e9,e0,91,82,f3,21,77,..

"hj34z1"=hex:aa,fe,4b,34,fc,4a,ca,4f,a3,42,85,4a,e2,07,e9,e0,91,82,f3,21,38,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf42]

"khjeh"=hex:20,02,00,00,28,54,69,38,a6,45,0e,8e,d1,ae,a4,ca,a0,97,ae,59,43,..

"hj34z0"=hex:6a,ac,4f,34,94,4b,ca,4f,a2,42,84,4a,e3,07,e9,e0,91,82,f3,21,43,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf43]

"khjeh"=hex:20,02,00,00,b1,52,69,38,11,c8,62,95,e0,76,51,28,83,0e,9d,69,7a,..

"hj34z0"=hex:6b,ac,4f,34,94,4b,ca,4f,a2,42,84,4a,e3,07,e9,e0,91,82,f3,21,56,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Vax347s\Config\jdgg40]

"ujdew"=hex:20,02,00,00,20,56,7f,d9,f8,53,28,91,68,ed,f8,ee,d4,ec,eb,37,9f,..

"ljej40"=hex:90,11,28,76,c7,b0,ee,9a,cf,a1,fc,43,0c,05,e6,d5,04,25,0b,92,b1,..

"ljej41"=hex:08,11,28,76,bf,b0,ee,9a,ce,a1,fd,43,0d,05,e6,d5,04,25,0b,92,0b,..

"ljej42"=hex:08,11,28,76,bf,b0,ee,9a,ce,a1,fd,43,0d,05,e6,d5,04,25,0b,92,0b,..

"ljej43"=hex:08,11,28,76,bf,b0,ee,9a,ce,a1,fd,43,0d,05,e6,d5,04,25,0b,92,0b,..

"ljej44"=hex:08,11,28,76,bf,b0,ee,9a,ce,a1,fd,43,0d,05,e6,d5,04,25,0b,92,0b,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Vax347s\Config\jdgg41]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Vax347s\Config\jdgg42]

"ujdew"=hex:20,02,00,00,20,56,7f,d9,74,2c,c7,51,68,ed,f8,ee,88,fd,eb,37,9f,..

"ljej40"=hex:98,10,28,76,d7,b1,ee,9a,cf,a1,fc,43,0c,05,e6,d5,04,25,0b,92,5e,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Vax347s\Config\jdgg43]

"ujdew"=hex:20,02,00,00,20,56,7f,d9,59,8f,29,6e,68,ed,f8,ee,97,fd,eb,37,9f,..

"ljej40"=hex:87,10,28,76,d7,b1,ee,9a,cf,a1,fc,43,0c,05,e6,d5,04,25,0b,92,c6,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Vax347s\Config\jdgg44]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Vax347s\Config\jdgg45]

"ujdew"=hex:20,02,00,00,d0,55,7f,d9,73,e3,55,d4,38,2c,46,57,e7,bf,33,b6,2f,..

"ljej40"=hex:f7,5b,c4,1e,07,72,50,23,3f,e6,2c,c2,bc,fe,08,11,f4,70,30,d4,74,..

"ljej41"=hex:b7,0c,c0,1e,ef,71,50,23,3e,e6,25,c2,bd,fe,08,11,f4,70,30,d4,3b,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Vax347s\Config\jdgg46]

"ujdew"=hex:20,02,00,00,d0,55,7f,d9,44,b5,82,67,38,2c,46,57,3b,ba,33,b6,2f,..

"ljej40"=hex:77,5e,c4,1e,87,70,50,23,3f,e6,24,c2,bc,fe,08,11,f4,70,30,d4,40,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\000ea13420b9]

 

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E9F81423-211E-46B6-9AE0-38568BC5CF6F}]

"DisplayName"="Alcohol 120%"

 

scanning hidden files ...

 

hidden processes: 0

hidden services: 0

hidden files: 0

 

 

 


 

Yes, it does seem so; ComboFix probably can't remove something that doesn't exist.

 

I don't think this will give anything, but run the latest SDFix, then tell ComboFix to specifically remove the following (though it probably won't work now either):

pe386

msguard

lzx32

xpdt

huy32

 

 

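A defender-side check for the situation in the two posts above (ComboFix reporting the five driver names as present while gmer -del service fails with an invalid-parameter error, and the suspicion that the report refers to something that no longer exists). This is an added example, not code from the thread, ComboFix or gmer; it assumes an elevated PowerShell on the affected machine and uses only the five names quoted in the thread.

```powershell
# Added example (not from the thread). For each name ComboFix flagged with
# "Rootkit driver X is present", compare three independent views of the
# system so a stale detection can be told apart from a really registered
# driver service. Assumes an elevated PowerShell session on the machine.

$SuspectNames = @('pe386', 'msguard', 'lzx32', 'xpdt', 'huy32')

function Get-ServiceTrace {
    param([Parameter(Mandatory)][string]$Name)

    # View 1: the Service Control Manager. sc.exe (unlike Get-Service) also
    # knows kernel drivers; exit code 0 means found, 1060 means it does not exist.
    $null = & sc.exe query $Name 2>&1
    $inScm = ($LASTEXITCODE -eq 0)

    # View 2: the raw Services key. A driver whose SCM registration is gone but
    # whose key survived shows up here and nowhere else.
    $keyPath = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    $inRegistry = Test-Path -LiteralPath $keyPath

    # View 3: an image on disk, either <name>.sys in the drivers directory or
    # whatever ImagePath the key points at (normalised from the \??\ and
    # \SystemRoot\ forms the kernel uses).
    $imageOnDisk = Test-Path -LiteralPath (Join-Path $env:SystemRoot "System32\drivers\$Name.sys")
    if ($inRegistry) {
        $imagePath = (Get-ItemProperty -LiteralPath $keyPath -ErrorAction SilentlyContinue).ImagePath
        if ($imagePath) {
            $resolved = [Environment]::ExpandEnvironmentVariables($imagePath)
            $resolved = $resolved -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')
            if (-not [IO.Path]::IsPathRooted($resolved)) { $resolved = Join-Path $env:SystemRoot $resolved }
            $imageOnDisk = $imageOnDisk -or (Test-Path -LiteralPath $resolved)
        }
    }

    $verdict = if (-not ($inScm -or $inRegistry -or $imageOnDisk)) {
        'no trace: consistent with a stale or false-positive report'
    } elseif ($inScm -and $inRegistry) {
        'registered service: remove with a rootkit-aware tool, then re-check'
    } else {
        'partial trace (key or file without SCM entry): investigate before deleting'
    }

    [pscustomobject]@{
        Name        = $Name
        InSCM       = $inScm
        RegistryKey = $inRegistry
        ImageOnDisk = $imageOnDisk
        Verdict     = $verdict
    }
}

# Caveat: a live kernel rootkit can hide its key and file from every user-mode
# query on the infected system, so "no trace" from inside Windows is only
# conclusive when it agrees with a scan from safe mode or offline media.
$SuspectNames | ForEach-Object { Get-ServiceTrace -Name $_ } | Format-Table -AutoSize
```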

After the last time I ran SDFix, the ComboFix log looks fine.

 

Also on my best computer, which had those rootkits last night. Seems very strange; I haven't done anything with that computer. Could it be connected through the network?

 

Here come first the ComboFix and SDFix logs from the first computer, and then the ComboFix log from my best computer:

 

 

ComboFix 07-09-21.2 - "Administratör" 2007-09-30 12:02:35.5 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1053.18.262 [GMT 2:00]

.

 

((((((((((((((((((((((((( Files Created from 2007-08-28 to 2007-09-30 )))))))))))))))))))))))))))))))

.

 

2007-09-30 12:02 d-------- C:\CF

2007-09-29 13:10 51,200 --a------ C:\WINDOWS\NirCmd.exe

2007-09-27 22:00 552 --a------ C:\WINDOWS\system32\d3d8caps.dat

2007-09-27 21:50 d-------- C:\WINDOWS\ERUNT

2007-09-21 23:07 d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com

2007-09-15 14:40 23,040 -----c--- C:\WINDOWS\system32\dllcache\fltmc.exe

2007-09-15 14:40 16,896 -----c--- C:\WINDOWS\system32\dllcache\fltlib.dll

2007-09-15 14:40 128,896 -----c--- C:\WINDOWS\system32\dllcache\fltmgr.sys

2007-09-15 14:38 d-------- C:\Program\MSXML 4.0

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2007-09-25 18:17 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy

2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll

2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll

2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe

2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll

2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll

2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll

2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll

2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll

2007-07-22 11:32 7680 --a------ C:\WINDOWS\system32\ff_vfw.dll

2007-07-22 11:32 60273 --a------ C:\WINDOWS\system32\pthreadGC2.dll

2007-07-17 17:51 77824 --a------ C:\WINDOWS\zipexe_r.exe

2007-06-26 08:10 1104896 --a------ C:\WINDOWS\system32\msxml3.dll

2007-06-19 15:32 282112 --a------ C:\WINDOWS\system32\gdi32.dll

2007-06-13 15:23 1033728 --a------ C:\WINDOWS\explorer.exe

.

 

((((((((((((((((((((((((((((( snapshot_2007-09-29_135056.07 )))))))))))))))))))))))))))))))))))))))))

.

----a-w 585,791 2007-09-29 12:52:40 C:\WINDOWS\gmer.dll

----a-w 581,632 2007-06-29 07:38:00 C:\WINDOWS\gmer.exe

----a-w 163,328 2007-09-27 20:03:23 C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE

----a-w 15,933,440 2007-09-30 09:27:10 C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT

----a-w 294,912 2007-09-30 09:27:10 C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat

----a-w 70,001 2007-09-29 12:52:40 C:\WINDOWS\system32\drivers\gmer.sys

.

----a-w 163,328 2007-09-09 05:32:57 C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE

----a-w 15,933,440 2007-09-27 19:50:45 C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT

----a-w 294,912 2007-09-27 19:50:46 C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

 

*Note* empty entries & legit default entries are not shown

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-01-23 10:36]

"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-01-23 10:31]

"SmcService"="D:\Program\Sygate\SPF\smc.exe" [2004-10-15 19:40]

"avgnt"="C:\Program\AntiVir PersonalEdition Classic\avgnt.exe" [2007-09-15 14:23]

"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2004-12-15 06:01]

"NvMediaCenter"="NvMCTray.dll" [2004-12-15 06:01 C:\WINDOWS\system32\nvmctray.dll]

"SunJavaUpdateSched"="C:\Program\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Steam"="" []

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= D:\Program\SUPERAntiSpyware\SASSEH.DLL [2007-09-21 23:07 77824]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

D:\Program\SUPERAntiSpyware\SASWINLO.DLL 2007-09-21 23:07 294912 D:\Program\SUPERAntiSpyware\SASWINLO.DLL

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administratör^Start-meny^Program^Autostart^Adobe Gamma.lnk]

path=C:\Documents and Settings\Administratör\Start-meny\Program\Autostart\Adobe Gamma.lnk

backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administratör^Start-meny^Program^Autostart^MagicDisc.lnk]

path=C:\Documents and Settings\Administratör\Start-meny\Program\Autostart\MagicDisc.lnk

backup=C:\WINDOWS\pss\MagicDisc.lnkStartup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start-meny^Program^Autostart^BTTray.lnk]

path=C:\Documents and Settings\All Users\Start-meny\Program\Autostart\BTTray.lnk

backup=C:\WINDOWS\pss\BTTray.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start-meny^Program^Autostart^Microsoft Office.lnk]

path=C:\Documents and Settings\All Users\Start-meny\Program\Autostart\Microsoft Office.lnk

backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start-meny^Program^Autostart^WinManager.lnk]

path=C:\Documents and Settings\All Users\Start-meny\Program\Autostart\WinManager.lnk

backup=C:\WINDOWS\pss\WinManager.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!ewido]

"D:\Program\ewido anti-spyware 4.0\ewido.exe" /minimized

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]

"C:\Program\Delade filer\Ahead\Lib\NMBgMonitor.exe"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]

rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]

"D:\Program\CloneCD\CloneCDTray.exe" /s

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\csharpshell]

C:\Windows\System32\csharpshell.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]

C:\WINDOWS\system32\ctfmon.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dvd43]

C:\Program\dvd43\dvd43_tray.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus C62 Series]

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0BIC1.EXE /P23 "EPSON Stylus C62 Series" /O5 "LPT1:" /M "Stylus C62"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]

%systemroot%\system32\dumprep 0 -k

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]

"D:\Program\Ahead\Nero BackItUp\NBJ.exe"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

C:\Program\Delade filer\Ahead\Lib\NeroCheck.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]

RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]

RunDLL32.exe NvMCTray.dll,NvTaskbarInit

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NWEReboot]

 

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]

nwiz.exe /install

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]

 

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

C:\Program\Java\jre1.5.0_06\bin\jusched.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swcpshell]

C:\Windows\System32\csharpshell.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

"C:\Program\Delade filer\Real\Update_OB\realsched.exe" -osboot

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]

%systemroot%\system32\dumprep 0 -u

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirtualCloneDrive]

"D:\Program\VirtualCloneDrive\VCDDaemon.exe" /s

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]

"C:\Program\Windows Defender\MSASCui.exe" -hide

 

R0 avgntmgr;avgntmgr;C:\WINDOWS\system32\drivers\avgntmgr.sys

R1 avgntdd;avgntdd;C:\WINDOWS\system32\DRIVERS\avgntdd.sys

R1 cdrbsvsd;cdrbsvsd;C:\WINDOWS\system32\drivers\cdrbsvsd.sys

R3 insektxp;insektxp;C:\WINDOWS\system32\Drivers\InsektXp.sys

R3 WinDriver;WinDriver Kernel Module;C:\WINDOWS\system32\Drivers\windrvr.sys

S3 ASPI;Advanced SCSI Programming Interface Driver;\??\C:\WINDOWS\System32\DRIVERS\ASPI32.sys

S3 AUD;DTV-DVB 3054 Analog Audio Capture;C:\WINDOWS\system32\DRIVERS\3054AudCap.sys

S3 CX23880;DTV-DVB 3054 Video Capture;C:\WINDOWS\system32\drivers\3054VidCap.sys

S3 CXAVSTS;DTV-DVB 3054 Digital TS Capture;C:\WINDOWS\system32\drivers\3054BDACap.sys

S3 THAVXBar;DTV-DVB 3054 Analog AVStream Crossbar;C:\WINDOWS\system32\drivers\3054AVXBar.sys

S3 THBDATUNE;DTV-DVB 3054 Digital Tuner/Demod;C:\WINDOWS\system32\drivers\3054BDATune.sys

S3 THIR;DTV-DVB 3054 IR Decoder;C:\WINDOWS\system32\drivers\3054IR.sys

S3 THTUNE;DTV-DVB 3054 Analog Tuner;C:\WINDOWS\system32\drivers\3054Tune.sys

S3 VICHW00;VICHW00;\??\C:\WINDOWS\SYSTEM32\DRIVERS\VICHW00.SYS

 

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]

AutoRun\command- F:\autorun.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]

AutoRun\command- H:\SETUP.EXE

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]

AutoRun\command- J:\Launcher.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5bb3d2ae-24cd-11db-bddb-000d56083f70}]

AutoRun\command- F:\launch.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5bb3d2af-24cd-11db-bddb-000d56083f70}]

AutoRun\command- K:\setup.exe

 

.

**************************************************************************

 

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2007-09-30 12:03:11

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

Completion time: 2007-09-30 12:03:54

C:\ComboFix-quarantined-files.txt ... 2007-09-30 12:03

.

--- E O F ---

SDFix: Version 1.107

 

Run by Administratör on 2007-09-30 at 11:28

 

Microsoft Windows XP [Version 5.1.2600]

 

Running From: C:\SDFix

 

Safe Mode:

Checking Services:

 

 

Restoring Windows Registry Values

Restoring Windows Default Hosts File

 

Rebooting...

 

 

Normal Mode:

Checking Files:

 

No Trojan Files Found

 

 

 

 

Removing Temp Files...

 

ADS Check:

 

C:\WINDOWS

No streams found.

 

C:\WINDOWS\system32

No streams found.

 

C:\WINDOWS\system32\svchost.exe

No streams found.

 

C:\WINDOWS\system32\ntoskrnl.exe

No streams found.

 

 

 

Final Check:

 

Remaining Services:

------------------

 

 

 

 

Authorized Application Key Export:

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

 

Remaining Files:

---------------

 

 

Files with Hidden Attributes:

 

Wed 13 Oct 2004 1,694,208 ..SH. --- "C:\Program\Messenger\msmsgs.exe"

Wed 11 Jan 2006 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"

Wed 25 Jul 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"

 

Finished!

ComboFix 07-09-21.2 - "Andreas" 2007-09-30 12:07:04.3 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1053.18.687 [GMT 2:00]

.

 

((((((((((((((((((((((((( Files Created from 2007-08-28 to 2007-09-30 )))))))))))))))))))))))))))))))

.

 

2007-09-15 12:04 d-------- C:\Program\MSXML 4.0

2007-09-14 21:35 d-------- C:\WINDOWS\ERUNT

2007-09-14 14:27 49,152 --a------ C:\WINDOWS\system32\INETWH32.dll

2007-09-14 14:27 1,056,768 --a------ C:\WINDOWS\system32\ROBOEX32.DLL

2007-09-13 19:56 d-------- C:\Images

2007-09-11 21:55 5,248 --a------ C:\WINDOWS\system32\drivers\Vax347s.sys

2007-09-11 21:55 159,616 --a------ C:\WINDOWS\system32\drivers\Vax347b.sys

2007-09-09 22:16 83,096 --a------ C:\WINDOWS\system32\SSSensor.dll

2007-09-09 22:16 60,496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys

2007-09-09 22:16 21,075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys

2007-09-09 22:16 14,568 --a------ C:\WINDOWS\system32\drivers\wg3n.sys

2007-09-09 22:16 d-------- C:\Program\Sygate

2007-09-09 22:07 d-------- C:\Program\Avira

2007-09-09 22:07 d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Avira

2007-09-09 18:40 51,200 --a------ C:\WINDOWS\NirCmd.exe

2007-09-09 15:07 11,776 --a--c--- C:\WINDOWS\system32\dllcache\chkdsk.exe

2007-09-09 15:07 11,776 --a------ C:\WINDOWS\system32\chkdsk.exe

2007-09-09 13:14 d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy

2007-09-08 01:19 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys

2007-09-08 01:18 d-------- C:\DOCUME~1\Andreas\.housecall6.6

2007-09-07 23:26 962,612 --a------ C:\WINDOWS\system32\mfc42d.dll

2007-09-07 23:26 94,285 --a------ C:\WINDOWS\system32\MSVCIRTD.DLL

2007-09-07 23:26 827,445 --a------ C:\WINDOWS\system32\mfco42d.dll

2007-09-07 23:26 81,920 --a------ C:\WINDOWS\system32\viscomwave.dll

2007-09-07 23:26 516,173 --a------ C:\WINDOWS\system32\msvcp60d.dll

2007-09-07 23:26 434,252 --a------ C:\WINDOWS\system32\msvcrtd.dll

2007-09-07 23:26 d-------- C:\WINDOWS\system32\ixchange

2007-09-07 22:08 d-------- C:\3gptemp

2007-09-07 21:56 d-------- C:\Program\MIKSOFT

2007-09-01 00:49 d-------- C:\Program\Delade filer\MainConcept

2007-08-30 18:47 d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Canopus

2007-08-30 18:12 d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Adobe Systems

2007-08-30 18:11 d-------- C:\Program\Delade filer\Adobe Systems Shared

2007-08-28 06:21 73,728 --------- C:\WINDOWS\system32\MMAviAx.dll

2007-08-28 06:21 44,544 --a------ C:\WINDOWS\system32\msxml4a.dll

2007-08-28 06:21 41,984 --a------ C:\WINDOWS\system32\cacheX.dll

2007-08-28 06:21 32,768 --------- C:\WINDOWS\system32\MLPagAx.dll

2007-08-28 06:21 233,472 --------- C:\WINDOWS\system32\DiskIO.dll

2007-08-28 06:21 184,320 --------- C:\WINDOWS\system32\RALMain.dll

2007-08-28 06:21 126,976 --------- C:\WINDOWS\system32\AVIPrAx.dll

2007-08-28 06:19 57,856 --a------ C:\WINDOWS\system32\masd32.dll

2007-08-28 06:19 27,648 --a------ C:\WINDOWS\system32\ma32.dll

2007-08-28 06:19 196,096 --a------ C:\WINDOWS\system32\macd32.dll

2007-08-28 06:19 138,752 --a------ C:\WINDOWS\system32\mase32.dll

2007-08-28 06:19 136,192 --a------ C:\WINDOWS\system32\mamc32.dll

2007-08-28 06:18 41,219 --a------ C:\WINDOWS\RSETPATH.exe

2007-08-28 06:17 49,152 --a------ C:\WINDOWS\system32\PCLEGetGuid.dll

2007-08-28 06:10 d-------- C:\DOCUME~1\Andreas\APPLIC~1\InstallShield

2007-08-27 20:45 d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Pinnacle Studio

2007-08-27 20:43 d-------- C:\Program\Pinnacle

2007-08-19 21:51 68,888 --a------ C:\WINDOWS\system32\xinput1_3.dll

2007-08-19 21:51 62,744 --a------ C:\WINDOWS\system32\xinput1_2.dll

2007-08-19 21:51 3,426,072 --a------ C:\WINDOWS\system32\d3dx9_32.dll

2007-08-19 21:51 251,672 --a------ C:\WINDOWS\system32\xactengine2_5.dll

2007-08-19 21:51 237,848 --a------ C:\WINDOWS\system32\xactengine2_4.dll

2007-08-19 21:51 236,824 --a------ C:\WINDOWS\system32\xactengine2_3.dll

2007-08-19 21:51 2,414,360 --a------ C:\WINDOWS\system32\d3dx9_31.dll

2007-08-19 21:51 15,128 --a------ C:\WINDOWS\system32\x3daudio1_1.dll

2007-08-19 14:56 d-------- C:\Program\MSBuild

2007-08-19 14:56 d-------- C:\Program\Microsoft Works

2007-08-19 14:55 d-------- C:\Program\Microsoft.NET

2007-08-19 14:53 d-------- C:\Program\Microsoft Visual Studio 8

2007-08-19 14:52 d-------- C:\WINDOWS\SHELLNEW

2007-08-18 17:29 14,568 --a------ C:\WINDOWS\system32\drivers\wg6n.sys

2007-08-18 17:29 14,568 --a------ C:\WINDOWS\system32\drivers\wg5n.sys

2007-08-18 17:29 14,568 --a------ C:\WINDOWS\system32\drivers\wg4n.sys

2007-08-15 20:22 d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\FLEXnet

2007-08-15 20:14 d-------- C:\Program\Bonjour

2007-08-15 20:07 d-------- C:\Program\Delade filer\Macrovision Shared

2007-08-15 19:42 43,602 --a------ C:\WINDOWS\system32\xvid-uninstall.exe

2007-08-15 19:24 d-------- C:\DOCUME~1\Andreas\.divx

2007-08-15 19:14 d-------- C:\DOCUME~1\Andreas\.drdivx2

2007-08-04 23:52 d-------- C:\DOCUME~1\Andreas\APPLIC~1\DaFiTech

2007-08-02 22:41 d-------- C:\Program\Delade filer\iulab

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2007-09-30 01:42 --------- d-------- C:\DOCUME~1\Andreas\APPLIC~1\uTorrent

2007-09-29 22:44 --------- d-------- C:\DOCUME~1\Andreas\APPLIC~1\dvdcss

2007-09-18 06:03 --------- d-------- C:\DOCUME~1\Andreas\APPLIC~1\Free Download Manager

2007-09-16 12:18 --------- d-------- C:\DOCUME~1\Andreas\APPLIC~1\VideoReDoPlus

2007-09-16 12:12 --------- d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP

2007-09-14 17:06 --------- d-------- C:\Program\ScanSoft

2007-09-14 17:06 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\ScanSoft

2007-09-14 14:27 --------- d--h----- C:\Program\InstallShield Installation Information

2007-09-09 00:03 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Microsoft Help

2007-08-31 18:56 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Ulead Systems

2007-08-31 18:26 --------- d-------- C:\DOCUME~1\Andreas\APPLIC~1\LimeWire

2007-08-19 00:17 --------- d-------- C:\DOCUME~1\Andreas\APPLIC~1\Skype

2007-08-16 22:55 --------- d-------- C:\Program\Windows Media Connect 2

2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll

2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll

2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe

2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll

2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll

2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll

2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll

2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll

2007-07-28 16:08 --------- d-------- C:\DOCUME~1\Andreas\APPLIC~1\Azureus

2007-07-28 11:30 --------- d-------- C:\DOCUME~1\Andreas\APPLIC~1\.BitTornado

2007-07-19 17:10 77824 --a------ C:\WINDOWS\zipexe_r.exe

2007-06-30 13:52 47104 --a------ C:\WINDOWS\system32\KMVIDC32.DLL

2007-06-26 08:10 1104896 --a------ C:\WINDOWS\system32\msxml3.dll

2007-06-22 13:58 108144 --a------ C:\WINDOWS\system32\CmdLineExt.dll

2007-06-19 15:32 282112 --a------ C:\WINDOWS\system32\gdi32.dll

2007-06-15 15:46 73728 --a------ C:\WINDOWS\ALCFDRTM.EXE

2007-06-13 15:23 1033728 --a------ C:\WINDOWS\explorer.exe

2005-12-05 00:12 20640 --a------ C:\WINDOWS\inf\pxhelp20.sys

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

 

*Note* empty entries & legit default entries are not shown

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"avgnt"="C:\Program\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2007-08-31 12:25]

"SmcService"="C:\Program\Sygate\SPF\smc.exe" [2004-10-15 19:40]

"SunJavaUpdateSched"="C:\Program\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:34]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= D:\Program\SUPERAntiSpyware\SASSEH.DLL [2007-03-31 13:45 77824]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

D:\Program\SUPERAntiSpyware\SASWINLO.DLL 2007-05-13 20:50 294912 D:\Program\SUPERAntiSpyware\SASWINLO.DLL

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start-meny^Program^Autostart^Adobe Reader Speed Launch.lnk]

path=C:\Documents and Settings\All Users\Start-meny\Program\Autostart\Adobe Reader Speed Launch.lnk

backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start-meny^Program^Autostart^InterVideo WinCinema Manager.lnk]

path=C:\Documents and Settings\All Users\Start-meny\Program\Autostart\InterVideo WinCinema Manager.lnk

backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start-meny^Program^Autostart^Microsoft Office.lnk]

path=C:\Documents and Settings\All Users\Start-meny\Program\Autostart\Microsoft Office.lnk

backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start-meny^Program^Autostart^WinManager.lnk]

path=C:\Documents and Settings\All Users\Start-meny\Program\Autostart\WinManager.lnk

backup=C:\WINDOWS\pss\WinManager.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Andreas^Start-meny^Program^Autostart^Adobe Gamma.lnk]

path=C:\Documents and Settings\Andreas\Start-meny\Program\Autostart\Adobe Gamma.lnk

backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Andreas^Start-meny^Program^Autostart^MagicDisc.lnk]

path=C:\Documents and Settings\Andreas\Start-meny\Program\Autostart\MagicDisc.lnk

backup=C:\WINDOWS\pss\MagicDisc.lnkStartup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]

ALCMTR.EXE

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]

-ALCWZRD.EXE

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avgnt]

-"C:\Program\AntiVir PersonalEdition Classic\avgnt.exe" /min

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]

rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter2.0]

C:\Program\Brother\ControlCenter2\brctrcen.exe /autorun

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]

C:\WINDOWS\system32\ctfmon.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]

"D:\Program\D-Tools\daemon.exe" -lang 1033

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dvd43]

C:\Program\dvd43\dvd43_tray.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]

"D:\Program\Microsoft Office\Office12\GrooveMonitor.exe"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]

-HDAShCut.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]

C:\Program\ScanSoft\PaperPort\IndexSearch.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]

%systemroot%\system32\dumprep 0 -k

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LaunchList]

D:\Program\Pinnacle\Studio 11\LaunchList2.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

C:\Program\Delade filer\Ahead\Lib\NeroCheck.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NexusServer]

"C:\Program\Delade filer\Canopus Shared\ProCoder 2\Kernel\PNXSERVR.exe" -SelfLaunch

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]

RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]

RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]

nwiz.exe /install

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]

C:\Program\ScanSoft\PaperPort\pptd40nt.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDF3 Registry Controller]

"D:\Program\ScanSoft\PDF Converter 3.0\\RegistryController.exe"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PinnacleDriverCheck]

C:\WINDOWS\system32\\PSDrvCheck.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]

D:\Program\PowerISO\PWRISOVM.EXE

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetDefPrt]

D:\Program\Brother\Brmfl05a\BrStDvPt.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmcService]

-C:\Program\Sygate\SPF\smc.exe -startgui

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]

-SOUNDMAN.EXE

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]

"C:\Program\Delade filer\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]

 

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

C:\Program\Java\jre1.5.0_07\bin\jusched.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]

C:\DOCUME~1\Andreas\LOKALA~1\Temp\SSUPDATE.EXE Software\SUPERAntiSpyware.com\SUPERAntiSpyware

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

"C:\Program\Delade filer\Real\Update_OB\realsched.exe" -osboot

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinRemote]

D:\Program\InterVideo\WinDVR\WinRemote.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WINSCHEDULER]

D:\Program\INTERV~1\WinDVR\WINSCH~1.EXE

 

R3 AUD;DTV-DVB 3054 Analog Audio Capture;C:\WINDOWS\system32\DRIVERS\3054AudCap.sys

R3 CX23880;DTV-DVB 3054 Video Capture;C:\WINDOWS\system32\drivers\3054VidCap.sys

R3 CXAVSTS;DTV-DVB 3054 Digital TS Capture;C:\WINDOWS\system32\drivers\3054BDACap.sys

R3 THAVXBar;DTV-DVB 3054 Analog AVStream Crossbar;C:\WINDOWS\system32\drivers\3054AVXBar.sys

R3 THBDATUNE;DTV-DVB 3054 Digital Tuner/Demod;C:\WINDOWS\system32\drivers\3054BDATune.sys

R3 THIR;DTV-DVB 3054 IR Decoder;C:\WINDOWS\system32\drivers\3054IR.sys

R3 THTUNE;DTV-DVB 3054 Analog Tuner;C:\WINDOWS\system32\drivers\3054Tune.sys

S3 ASPI;Advanced SCSI Programming Interface Driver;\??\C:\WINDOWS\System32\DRIVERS\ASPI32.sys

S3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\Drivers\BrScnUsb.sys

S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys

S3 VPNET;DTVNet Ethernet Controller;C:\WINDOWS\system32\DRIVERS\DTVNet.sys

 

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]

AutoRun\command- E:\AUTORUN.EXE

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{12267be8-6532-11db-8b75-00112f4a4738}]

AutoRun\command- G:\Launcher.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{12267be9-6532-11db-8b75-00112f4a4738}]

AutoRun\command- H:\Launcher.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{12267bea-6532-11db-8b75-00112f4a4738}]

AutoRun\command- I:\setup.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2ba57364-8545-11db-8bd5-00112f4a4738}]

AutoRun\command- M:\autorun.exe

dinstall\command- M:\Directx\dxsetup.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{95739bdc-5810-11dc-9ee5-00112f4a4738}]

AutoRun\command- G:\Launcher.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{95739bdd-5810-11dc-9ee5-00112f4a4738}]

AutoRun\command- H:\Launcher.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{95739bde-5810-11dc-9ee5-00112f4a4738}]

AutoRun\command- I:\autorun.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{95739bdf-5810-11dc-9ee5-00112f4a4738}]

AutoRun\command- J:\setup.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{95739be0-5810-11dc-9ee5-00112f4a4738}]

AutoRun\command- K:\Startup.exe

directx\command- K:\dx61core.exe

gamespy\command- K:\gamespy\GameSpyInstaller207.exe

indeo\command- K:\iv5play.exe

machines\command- K:\machines\setup.exe

mindspring\command- K:\mindspring\setup.exe

speechapi\command- K:\spchapi.exe

text2speech\command- K:\msttsl.exe

turok2\command- K:\setup.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{95739be1-5810-11dc-9ee5-00112f4a4738}]

AutoRun\command- L:\autorun.exe

dinstall\command- L:\Directx\dxsetup.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{95739be2-5810-11dc-9ee5-00112f4a4738}]

AutoRun\command- M:\Autorun.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a20a41a8-7c78-11db-8bc5-00112f4a4738}]

AutoRun\command- K:\Startup.exe

directx\command- K:\dx61core.exe

gamespy\command- K:\gamespy\GameSpyInstaller207.exe

indeo\command- K:\iv5play.exe

machines\command- K:\machines\setup.exe

mindspring\command- K:\mindspring\setup.exe

speechapi\command- K:\spchapi.exe

text2speech\command- K:\msttsl.exe

turok2\command- K:\setup.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a20a41a9-7c78-11db-8bc5-00112f4a4738}]

AutoRun\command- L:\Autorun.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{df5906cb-5e40-11dc-9ef8-00112f4a4738}]

AutoRun\command- G:\Launcher.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{df5906cc-5e40-11dc-9ef8-00112f4a4738}]

AutoRun\command- H:\Launcher.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{df5906cd-5e40-11dc-9ef8-00112f4a4738}]

AutoRun\command- I:\autorun.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{df5906ce-5e40-11dc-9ef8-00112f4a4738}]

AutoRun\command- J:\setup.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{df5906cf-5e40-11dc-9ef8-00112f4a4738}]

AutoRun\command- K:\Startup.exe

directx\command- K:\dx61core.exe

gamespy\command- K:\gamespy\GameSpyInstaller207.exe

indeo\command- K:\iv5play.exe

machines\command- K:\machines\setup.exe

mindspring\command- K:\mindspring\setup.exe

speechapi\command- K:\spchapi.exe

text2speech\command- K:\msttsl.exe

turok2\command- K:\setup.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{df5906d0-5e40-11dc-9ef8-00112f4a4738}]

AutoRun\command- L:\autorun.exe

dinstall\command- L:\Directx\dxsetup.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{df5906d1-5e40-11dc-9ef8-00112f4a4738}]

AutoRun\command- M:\Autorun.exe

 

 

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{28681820-917D-11d5-8177-005056FDDA4B}]

rundll32.exe C:\WINDOWS\system32\ShellExt\DafiTech\Cpy2Clip\cpy2clip.dll,CreateUserSettings

.

**************************************************************************

 

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2007-09-30 12:08:26

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

Completion time: 2007-09-30 12:09:05

C:\ComboFix-quarantined-files.txt ... 2007-09-30 12:09

C:\ComboFix2.txt ... 2007-09-30 01:04

C:\ComboFix3.txt ... 2007-09-09 18:42

.

--- E O F ---


Some things spread via shared folders on local networks, but it is more common that you download the same trojan onto both computers.

 

Scan this on the VirusTotal site:

C:\Windows\System32\csharpshell.exe is present on the first computer

 

There is an old Java version with security holes on the computers. I recommend that you install a new one from http://www.java.com/sv/ and then uninstall all Java/J2SE/JRE except the latest in Control Panel - Add or Remove Programs (with no browsers running).

 

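As an added example (not part of the thread, and not a tool from ComboFix or the helper), a small Python triage script over the "Reg Loading Points" section pasted above. It surfaces the pattern that stands out in the first log, the same System32 executable registered under two different startup names (csharpshell and swcpshell), lists System32 autostart binaries missing from a constructed allow-list, and finds the older JRE version still referenced beside the current one. The trimmed log excerpt and the allow-list are constructed for this example.

```python
"""Triage of a ComboFix "Reg Loading Points" section (added example, not from the thread)."""
import re
from collections import defaultdict

# Constructed excerpt: keys and paths copied from the ComboFix log posted in this
# thread, trimmed to the entries the checks below act on.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="C:\Program\AntiVir PersonalEdition Classic\avgnt.exe" [2007-09-15 14:23]
"SunJavaUpdateSched"="C:\Program\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\csharpshell]
C:\Windows\System32\csharpshell.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swcpshell]
C:\Windows\System32\csharpshell.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program\Java\jre1.5.0_06\bin\jusched.exe
"""

# A drive-letter (or %systemroot%) path ending in an executable-like extension.
EXE_RE = re.compile(r'(?:[a-z]:|%systemroot%)\\[^"\[\]]*?\.(?:exe|dll|cpl|scr)\b', re.I)
JRE_RE = re.compile(r'\\jre(\d+)\.(\d+)\.(\d+)_(\d+)\\', re.I)

# Constructed, deliberately short allow-list of binaries that normally autostart from
# system32 on XP; a real one would come from a known-good baseline of the same build.
KNOWN_SYSTEM32 = {'ctfmon.exe', 'dumprep.exe', 'rundll32.exe', 'igfxtray.exe', 'hkcmd.exe'}


def normalise(path):
    """Lower-case, expand %systemroot%, and give extension-less names an .exe."""
    p = path.lower().replace('%systemroot%', r'c:\windows')
    if '.' not in p.rsplit('\\', 1)[-1]:
        p += '.exe'
    return p


def parse_loading_points(text):
    """Return (autostart name, normalised executable path) pairs from the section."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
            continue
        if key is None:
            continue
        if line.startswith('"') and '"="' in line:      # Run value: "name"="command" [date]
            name, value = line[1:].split('"="', 1)
        else:                                           # msconfig startupreg: name is last key part
            name, value = key.rsplit('\\', 1)[-1], line
        m = EXE_RE.search(value)
        if m:
            exe = m.group(0)
        else:
            tokens = value.strip('"').split()
            if not tokens or '\\' not in tokens[0]:     # empty value or bare name without a path
                continue
            exe = tokens[0]
        entries.append((name, normalise(exe)))
    return entries


def shared_binaries(entries):
    """Executables registered under more than one autostart name."""
    names = defaultdict(set)
    for name, exe in entries:
        names[exe].add(name.lower())
    return {exe: sorted(n) for exe, n in names.items() if len(n) > 1}


def unknown_system32(entries, known=KNOWN_SYSTEM32):
    """Autostart executables living in system32 that are not on the allow-list."""
    flagged = set()
    for _, exe in entries:
        folder, base = exe.rsplit('\\', 1)
        if folder.endswith('\\system32') and base not in known:
            flagged.add(base)
    return flagged


def stale_java(entries):
    """Newest JRE directory referenced by autostarts, and any older ones still present."""
    found = {}
    for _, exe in entries:
        m = JRE_RE.search(exe)
        if m:
            found[tuple(int(x) for x in m.groups())] = m.group(0).strip('\\')
    if not found:
        return None, []
    newest = max(found)
    return found[newest], sorted(found[v] for v in found if v != newest)


def triage(text):
    entries = parse_loading_points(text)
    newest, older = stale_java(entries)
    return {'shared': shared_binaries(entries),
            'unknown_system32': sorted(unknown_system32(entries)),
            'java_newest': newest, 'java_older': older}


if __name__ == '__main__':
    for check, result in triage(SAMPLE_LOG).items():
        print(f'{check}: {result}')
```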

Strange, that thing with Java. I do have the latest version. But on my first computer I saw that there were 2 old versions in Add/Remove Programs, so I removed them. On my best computer there is only the latest one.

 

On my first computer I found and removed a malware called Lop with the program Ad-Aware.

 

It found some things on VirusTotal:

 

Fil csharpshell.exe mottagen 2007.09.30 14:17:55 (CET)

Resultat: 5/32 (15.63%)

 

 

Antivirus Version Senaste Uppdatering Resultat

AhnLab-V3 2007.9.29.0 2007.09.28 -

AntiVir 7.6.0.18 2007.09.28 -

Authentium 4.93.8 2007.09.29 -

Avast 4.7.1043.0 2007.09.29 -

AVG 7.5.0.488 2007.09.30 -

BitDefender 7.2 2007.09.30 BehavesLike:Win32.ExplorerHijack

CAT-QuickHeal 9.00 2007.09.29 -

ClamAV 0.91.2 2007.09.30 -

DrWeb 4.33 2007.09.30 -

eSafe 7.0.15.0 2007.09.29 -

eTrust-Vet 31.2.5174 2007.09.30 -

Ewido 4.0 2007.09.30 -

FileAdvisor 1 2007.09.30 -

Fortinet 3.11.0.0 2007.09.30 -

F-Prot 4.3.2.48 2007.09.29 -

F-Secure 6.70.13030.0 2007.09.29 -

Ikarus T3.1.1.12 2007.09.30 MemScanBackdoor.VB.EV

Kaspersky 7.0.0.125 2007.09.30 -

McAfee 5130 2007.09.28 -

Microsoft 1.2803 2007.09.30 -

NOD32v2 2560 2007.09.30 -

Norman 5.80.02 2007.09.28 -

Panda 9.0.0.4 2007.09.30 -

Prevx1 V2 2007.09.30 -

Rising 19.42.61.00 2007.09.30 -

Sophos 4.22.0 2007.09.30 -

Sunbelt 2.2.907.0 2007.09.28 VIPRE.Suspicious

Symantec 10 2007.09.30 -

TheHacker 6.2.6.073 2007.09.28 W32/Behav-Heuristic-064

VBA32 3.12.2.4 2007.09.30 -

VirusBuster 4.3.26:9 2007.09.29 -

Webwasher-Gateway 6.0.1 2007.09.28 Packer.Themida

 

Övrig information

File size: 1594368 bytes

MD5: a1e38989480975e0fbd8db191c3c7b11

SHA1: 1ab1f70c53a68b52bf54fe42788105d94d5a2592

packers: Themida

Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.

[post edited 2007-09-30 16:08:35 by Megaman9]


See if you can delete (to the Recycle Bin) C:\Windows\System32\csharpshell.exe on the first computer. You may need to set Explorer/My Computer to show hidden files and operating system files. Check that it is still gone after a restart.

 

Check that no old Java folders are left in C:\Program\Java on either computer.

 


That file is in the Recycle Bin now. It was still gone from the System32 folder after a restart. Should I empty the Recycle Bin?

 

I have uninstalled Java and then installed it again. Does this look right, or does it still look like an old one:

 

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.6.0_02\bin\ssv.dll

 

 
