
Firefox keeps crashing because of a virus?


eixie


Hi!

 

My Firefox crashes practically all the time because NOD 32 blocks some strange website from some strange IP address.

Really annoying, and I don't know how to solve this. Some help would be appreciated.

 

Thanks in advance!


Let's start by seeing what DDS shows. Save DDS to the Desktop.

http://download.bleepingcomputer.com/sUBs/dds.scr

 

Start the program by double-clicking it.

Press Yes if the question about Optional Scan appears.

In your reply, paste in the DDS.txt log, and attach Attach.txt as a file.

 

Please also tell us which website and/or IP address Nod32 is blocking.

DDS (Ver_10-03-17.01) - NTFSx86

Run by Djulle at 18:19:14,53 on 2010-04-12

Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_19

Microsoft Windows XP Professional 5.1.2600.3.1252.46.1033.18.2045.1488 [GMT 2:00]

 

AV: ESET NOD32 Antivirus 3.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

 

============== Running Processes ===============

 

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\ehome\ehtray.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\McAfee Security Scan\1.0.150\SSScheduler.exe

svchost.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\nvsvc32.exe

svchost.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\Documents and Settings\Djulle\Desktop\dds.scr

 

============== Pseudo HJT Report ===============

 

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll

BHO: Windows Live inloggningshjälpen: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [richtx64.exe] c:\docume~1\djulle\locals~1\temp\richtx64.exe

uRun: [steam] "c:\program files\steam\steam.exe" -silent

mRun: [ehTray] c:\windows\ehome\ehtray.exe

mRun: [sigmatelSysTrayApp] sttray.exe

mRun: [intelAudioStudio] "c:\program files\intel audio studio\IntelAudioStudio.exe" BOOT

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] nwiz.exe /install

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice

mRun: [sunJavaUpdateSched] c:\program files\java\jre6\bin\jusched.exe

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

dRunOnce: [RunNarrator] Narrator.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\1.0.150\SSScheduler.exe

IE: E&xportera till Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\npjpi160_19.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab

 

================= FIREFOX ===================

 

FF - ProfilePath - c:\docume~1\djulle\applic~1\mozilla\firefox\profiles\odnu0cae.default\

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}

 

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.visited_color", "#551A8B");

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".se");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.videoFeeds.handler", "ask");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

 

============= SERVICES / DRIVERS ===============

 

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-12-27 64288]

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2007-11-14 35168]

R2 ekrn;Eset Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2009-10-7 472280]

R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]

S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-12-2 1181328]

 

=============== Created Last 30 ================

 

2010-04-12 12:18:52 5632 ----a-w- c:\windows\system32\ptpusb.dll

2010-04-12 12:18:52 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys

2010-04-12 12:18:52 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys

2010-04-12 12:18:51 159232 ----a-w- c:\windows\system32\ptpusd.dll

2010-04-08 18:04:51 0 d-sha-r- C:\autorun.inf

2010-04-08 18:02:23 0 d-----w- c:\windows\system32\appmgmt

2010-04-07 18:03:47 0 d-----w- c:\program files\Trend Micro

2010-03-27 16:05:18 73728 ----a-w- c:\windows\system32\javacpl.cpl

2010-03-27 16:05:18 411368 ----a-w- c:\windows\system32\deploytk.dll

2010-03-24 00:04:04 60032 -c--a-w- c:\windows\system32\dllcache\usbaudio.sys

2010-03-24 00:04:04 60032 ----a-w- c:\windows\system32\drivers\USBAUDIO.sys

2010-03-17 15:10:40 0 d-----w- c:\docume~1\djulle\applic~1\foobar2000

2010-03-17 15:10:30 0 d-----w- c:\program files\foobar2000

 

==================== Find3M ====================

 

2010-04-11 11:03:43 8832 ----a-w- c:\windows\system32\drivers\rasacd.sys

2010-03-11 12:38:54 832512 ----a-w- c:\windows\system32\wininet.dll

2010-03-11 12:38:52 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-03-11 12:38:51 17408 ------w- c:\windows\system32\corpol.dll

2010-02-12 10:03:03 293376 ------w- c:\windows\system32\browserchoice.exe

2010-01-27 14:48:28 15880 ----a-w- c:\windows\system32\lsdelete.exe

2009-12-27 15:11:54 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009121420091221\index.dat

2009-12-27 15:11:54 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009122720091228\index.dat

 

============= FINISH: 18:20:25,50 ===============

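The Run entries in the DDS log above (uRun/mRun/dRun are DDS shorthand for the HKCU, HKLM and HKU\.DEFAULT Run keys) are where a responder looks first. The following triage helper is an added example written for this thread, not part of DDS or of the original posts: it parses those lines, extracts the launched image (unwrapping rundll32 to the DLL it loads) and flags images started from a temp or profile directory, plus entries that name a bare file with no directory. The sample input is the autostart section of the log posted above, embedded verbatim.

```python
"""Triage the autostart (Run-key) section of a DDS log.

Added example for this thread; the DDS line format is taken from the log
posted above. Flags two patterns a responder checks first:
  - an image launched from a temp or user-writable profile directory
  - an entry that names a bare file with no directory (resolved through the
    PATH search order at logon, so it is hard to tell what actually runs)
"""
import re
from pathlib import PureWindowsPath

# Constructed sample: the Run entries from the DDS log posted above.
SAMPLE_DDS_LINES = r"""
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [richtx64.exe] c:\docume~1\djulle\locals~1\temp\richtx64.exe
uRun: [steam] "c:\program files\steam\steam.exe" -silent
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [sigmatelSysTrayApp] sttray.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
dRunOnce: [RunNarrator] Narrator.exe
"""

# DDS prefix letter -> registry hive the Run key lives under.
HIVE_PREFIX = {"u": "HKCU", "m": "HKLM", "d": r"HKU\.DEFAULT"}

# "uRun: [name] command line"
ENTRY_RE = re.compile(r"^(?P<key>[umd]Run(?:Once)?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")

# Path fragments (long and 8.3 short forms) that mark temp / profile locations.
TEMP_MARKERS = ("\\temp\\", "\\tmp\\")
PROFILE_MARKERS = ("\\application data\\", "\\applic~1\\", "\\local settings\\",
                   "\\locals~1\\", "\\documents and settings\\", "\\docume~1\\")


def launched_target(cmd):
    """Return the image DDS shows being launched, without quotes or arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end == -1:                      # unterminated quote: take the rest
            return cmd[1:]
        target, rest = cmd[1:end], cmd[end + 1:].strip()
    else:
        target, _, rest = cmd.partition(" ")
    # rundll32 is only a host process; the image that matters is the DLL it loads.
    if PureWindowsPath(target).name.lower() == "rundll32.exe" and rest:
        target = rest.split(",", 1)[0].strip().strip('"')
    return target


def classify(target):
    """Label one launched image; temp beats profile because it is the stronger signal."""
    low = target.lower()
    if "\\" not in low:
        return "bare filename: resolved by PATH search at logon"
    if any(m in low for m in TEMP_MARKERS):
        return "launched from a temp directory"
    if any(m in low for m in PROFILE_MARKERS):
        return "launched from a user-writable profile directory"
    return "ok"


def triage(dds_text):
    """Parse every Run entry in the DDS text and classify its launched image."""
    findings = []
    for line in dds_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        key = m.group("key")
        target = launched_target(m.group("cmd"))
        findings.append({
            "hive": f"{HIVE_PREFIX[key[0]]} {key[1:]}",
            "name": m.group("name"),
            "target": target,
            "verdict": classify(target),
        })
    return findings


def suspicious(dds_text):
    """Only the entries worth a closer look."""
    return [f for f in triage(dds_text) if f["verdict"] != "ok"]


if __name__ == "__main__":
    for f in suspicious(SAMPLE_DDS_LINES):
        print(f"{f['hive']:<18} [{f['name']}] {f['target']}  <- {f['verdict']}")
```

On the log above this singles out richtx64.exe, started from the user's temp folder under the HKCU Run key, which the MBAM scan later in the thread removes as Trojan.Agent; the three bare-filename entries are normally legitimate vendor entries but are worth confirming against the vendor's install path.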

Download Malwarebytes Anti-Malware (MBAM) from:

http://www.malwarebytes.org/mbam.php

Double-click mbam-setup to install the program.

 

At the end of the installation, make sure the boxes are checked for:

Update Malwarebytes' Anti-Malware

Launch Malwarebytes' Anti-Malware

Press Finish

If there is an update, it will be downloaded and installed.

 

When the program starts, select "Perform quick scan" and press Scan.

The scan takes a while.

When it is done, press OK and then "Show results".

Check everything and then press Remove selected.

When the removal is complete, Notepad opens with a log.

 

A request to restart the computer (Restart) may appear. If so, do it.

If you get an error message Error loading... after the restart, restart the computer once more.

If the program doesn't start after the restart, start it yourself.

 

If the log doesn't open by itself in Notepad, you'll find it on the Logs tab in MBAM.

Copy the log and paste it into your reply.

Malwarebytes' Anti-Malware 1.45

www.malwarebytes.org

 

Databasversion: 3981

 

Windows 5.1.2600 Service Pack 3

Internet Explorer 7.0.5730.13

 

2010-04-12 18:59:28

mbam-log-2010-04-12 (18-59-28).txt

 

Skanningstyp: Snabbskanning

Antal skannade objekt: 100769

Förfluten tid: 4 minut(er), 38 sekund(er)

 

Infekterade minnesprocesser: 0

Infekterade minnesmoduler: 0

Infekterade registernycklar: 2

Infekterade registervärden: 1

Infekterade registerdataposter: 0

Infekterade mappar: 0

Infekterade filer: 1

 

Infekterade minnesprocesser:

(Inga illasinnade poster hittades)

 

Infekterade minnesmoduler:

(Inga illasinnade poster hittades)

 

Infekterade registernycklar:

HKEY_LOCAL_MACHINE\SOFTWARE\H8SRT (Rootkit.TDSS) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\h8srtd.sys (Rootkit.TDSS) -> Quarantined and deleted successfully.

 

Infekterade registervärden:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\richtx64.exe (Trojan.Agent) -> Quarantined and deleted successfully.

 

Infekterade registerdataposter:

(Inga illasinnade poster hittades)

 

Infekterade mappar:

(Inga illasinnade poster hittades)

 

Infekterade filer:

C:\Documents and Settings\All Users\Application Data\sysReserve.ini (Malware.Trace) -> Quarantined and deleted successfully.


Restart the computer and scan with MBAM again. If anything is found, paste in that log.

 

Save ComboFix to the Desktop:

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

 

Close all programs you can see, including antivirus and antispyware programs, but leave the firewall on.

How? See http://www.bleepingcomputer.com/forums/topic114351.html

Run ComboFix and follow the instructions shown.

If you are asked whether you want to install the Recovery Console, answer yes.

 

IMPORTANT! Don't click on the ComboFix window with the mouse while it is running, otherwise it may hang.

 

When it is finished, a log should appear; paste it into your reply. Check that the antivirus program etc. is running again before you connect to the internet.

 

If you have trouble getting onto the internet:

Control Panel - Network Connections

Right-click your internet connection and choose Repair, and/or restart the computer.

 

Warning! ComboFix disables autorun for CDs, floppies and USB devices, to make it easier to clean the computer and to protect it against infections in the future. This can cause problems, for example if the computer gets its internet through a USB modem or a USB network card. In that case, say so instead of running ComboFix.


So I should be connected to the internet when I turn off the antivirus program?

Yes, it isn't dangerous to have an internet connection but no antivirus program running. It is, however, important to have a firewall running while there is an internet connection.

As I wrote before:

If you are asked whether you want to install the Recovery Console, answer yes.

ComboFix needs internet access partly to check that you are running the latest version and partly to fetch the files needed for the Recovery Console.


 

Oops, sorry. Careless of me.

ComboFix 10-04-12.01 - Djulle 2010-04-12 20:21:18.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.46.1033.18.2045.1569 [GMT 2:00]

Körs från: c:\documents and settings\Djulle\Desktop\ComboFix.exe

AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

.

 

((((((((((((((((((((((((((((((((((((((( Andra raderingar ))))))))))))))))))))))))))))))))))))))))))))))))

.

 

D:\Autorun.inf

 

.

(((((((((((((((((((((((( Filer Skapade från 2010-03-12 till 2010-04-12 ))))))))))))))))))))))))))))))

.

 

2010-04-12 16:52 . 2010-04-12 16:52 -------- d-----w- c:\documents and settings\Djulle\Application Data\Malwarebytes

2010-04-12 16:52 . 2010-03-29 22:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-12 16:52 . 2010-04-12 16:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-04-12 16:52 . 2010-03-29 22:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-04-12 16:52 . 2010-04-12 16:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-04-12 12:18 . 2008-04-13 17:45 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys

2010-04-12 12:18 . 2008-04-13 17:45 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys

2010-04-12 12:18 . 2001-08-17 20:36 5632 ----a-w- c:\windows\system32\ptpusb.dll

2010-04-12 12:18 . 2008-04-13 23:12 159232 ----a-w- c:\windows\system32\ptpusd.dll

2010-04-07 18:03 . 2010-04-07 18:03 -------- d-----w- c:\program files\Trend Micro

2010-04-06 16:37 . 2010-04-06 16:37 503808 ----a-w- c:\documents and settings\Djulle\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-64410a43-n\msvcp71.dll

2010-04-06 16:37 . 2010-04-06 16:37 499712 ----a-w- c:\documents and settings\Djulle\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-64410a43-n\jmc.dll

2010-04-06 16:37 . 2010-04-06 16:37 348160 ----a-w- c:\documents and settings\Djulle\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-64410a43-n\msvcr71.dll

2010-04-06 16:37 . 2010-04-06 16:37 61440 ----a-w- c:\documents and settings\Djulle\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-201f22fd-n\decora-sse.dll

2010-04-06 16:37 . 2010-04-06 16:37 12800 ----a-w- c:\documents and settings\Djulle\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-201f22fd-n\decora-d3d.dll

2010-03-27 16:05 . 2010-03-09 02:28 411368 ----a-w- c:\windows\system32\deploytk.dll

2010-03-27 16:04 . 2010-03-27 16:04 152576 ----a-w- c:\documents and settings\Djulle\Application Data\Sun\Java\jre1.6.0_16\lzma.dll

2010-03-24 00:04 . 2008-04-13 18:45 60032 -c--a-w- c:\windows\system32\dllcache\usbaudio.sys

2010-03-24 00:04 . 2008-04-13 18:45 60032 ----a-w- c:\windows\system32\drivers\USBAUDIO.sys

2010-03-17 15:10 . 2010-04-11 20:47 -------- d-----w- c:\documents and settings\Djulle\Application Data\foobar2000

2010-03-17 15:10 . 2010-03-17 15:10 -------- d-----w- c:\program files\foobar2000

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Rapport )))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-04-12 17:15 . 2010-03-11 12:31 -------- d-----w- c:\program files\Steam

2010-04-12 13:02 . 2009-12-18 16:05 -------- d-----w- c:\documents and settings\Djulle\Application Data\Spotify

2010-04-11 11:03 . 2004-08-10 19:00 8832 ----a-w- c:\windows\system32\drivers\rasacd.sys

2010-04-10 14:09 . 2010-01-02 18:14 -------- d-----w- c:\documents and settings\Djulle\Application Data\vlc

2010-04-10 10:24 . 2010-03-10 21:23 -------- d-----w- c:\program files\World of Warcraft

2010-04-08 18:02 . 2009-12-17 18:12 -------- d-----w- c:\program files\Java

2010-04-08 18:02 . 2009-12-17 18:12 -------- d-----w- c:\program files\Common Files\Java

2010-04-05 00:19 . 2010-01-02 18:07 -------- d-----w- c:\documents and settings\Djulle\Application Data\uTorrent

2010-03-16 15:10 . 2010-01-09 01:03 -------- d-----w- c:\documents and settings\Djulle\Application Data\dvdcss

2010-03-12 12:49 . 2010-03-12 07:07 -------- d-----w- c:\documents and settings\Djulle\Application Data\Ventrilo

2010-03-12 12:39 . 2010-03-12 06:59 -------- d-----w- c:\program files\VentriloMIX

2010-03-12 08:27 . 2010-01-02 18:07 -------- d-----w- c:\program files\uTorrent

2010-03-11 12:38 . 2004-08-10 19:00 832512 ----a-w- c:\windows\system32\wininet.dll

2010-03-11 12:38 . 2004-08-10 19:00 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-03-11 12:38 . 2004-08-10 19:00 17408 ------w- c:\windows\system32\corpol.dll

2010-03-10 21:46 . 2010-03-10 21:46 -------- d-----w- c:\program files\SystemRequirementsLab

2010-03-10 21:46 . 2010-03-10 21:46 85504 ----a-w- c:\documents and settings\Djulle\Application Data\SystemRequirementsLab\srlproxy_cyri_4.1.71.0A.dll

2010-03-10 21:46 . 2010-03-10 21:46 -------- d-----w- c:\documents and settings\Djulle\Application Data\SystemRequirementsLab

2010-03-10 21:40 . 2010-03-10 21:40 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment

2010-03-10 21:40 . 2010-03-10 21:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard

2010-03-03 14:48 . 2010-01-20 20:48 3803208 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AutoLaunch.exe

2010-02-24 20:19 . 2009-12-17 19:59 -------- d-----w- c:\program files\ESET

2010-02-20 22:19 . 2010-02-20 22:19 -------- d-----w- c:\program files\Common Files\Adobe

2010-02-20 22:13 . 2009-12-17 19:42 20776 ----a-w- c:\documents and settings\Djulle\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-02-12 10:03 . 2010-03-12 06:45 293376 ------w- c:\windows\system32\browserchoice.exe

2010-02-04 20:48 . 2009-12-27 02:48 389784 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll

2010-02-04 20:48 . 2009-12-27 02:48 823928 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe

2010-02-04 20:48 . 2009-12-27 02:48 1181328 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe

.

 

(((((((((((((((((((((((((((((((((( Startpunkter i registret )))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Not* Tomma poster & legitima standardposter visas inte.

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883840]

"Steam"="c:\program files\steam\steam.exe" [2010-03-11 1217872]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]

"IntelAudioStudio"="c:\program files\Intel Audio Studio\IntelAudioStudio.exe" [2006-08-02 9134080]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-11 7630848]

"nwiz"="nwiz.exe" [2006-08-11 1519616]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-10-07 1461080]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"RunNarrator"="Narrator.exe" [2008-04-14 53760]

 

c:\documents and settings\All Users\Start Menu\Programs\Startup\

McAfee Security Scan.lnk - c:\program files\McAfee Security Scan\1.0.150\SSScheduler.exe [2009-7-28 199184]

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Spotify\\spotify.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\World of Warcraft\\Launcher.exe"=

"c:\\Program Files\\Steam\\Steam.exe"=

"c:\\Program Files\\Steam\\steamapps\\eixie\\counter-strike\\hl.exe"=

"c:\\WINDOWS\\system32\\dpvsetup.exe"=

 

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-12-27 64288]

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2007-11-14 35168]

R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2009-10-07 472280]

S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-12-02 1181328]

.

Innehållet i mappen 'Schemalagda aktiviteter':

 

2010-04-12 c:\windows\Tasks\Ad-Aware Update (Daily 1).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 20:48]

 

2010-04-12 c:\windows\Tasks\Ad-Aware Update (Daily 2).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 20:48]

 

2010-04-12 c:\windows\Tasks\Ad-Aware Update (Daily 3).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 20:48]

 

2010-04-12 c:\windows\Tasks\Ad-Aware Update (Daily 4).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 20:48]

 

2010-04-12 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 20:48]

.

.

------- Extra genomsökning -------

.

IE: E&xportera till Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\Djulle\Application Data\Mozilla\Firefox\Profiles\odnu0cae.default\

 

---- FIREFOX POLICY ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".se");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

.

- - - - FÖRÄLDRALÖSA POSTER SOM TAGITS BORT - - - -

 

HKLM-Run-SigmatelSysTrayApp - sttray.exe

HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe

 

 

 

**************************************************************************

 

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net'>http://www.gmer.net

Rootkit scan 2010-04-12 20:27

Windows 5.1.2600 Service Pack 3 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

 

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

 

device: opened successfully

user: MBR read successfully

called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8943EAC8]<<

kernel: MBR read successfully

detected MBR rootkit hooks:

\Driver\Disk -> CLASSPNP.SYS @ 0xba90cf28

\Driver\ACPI -> ACPI.sys @ 0xba77fcb8

\Driver\atapi -> atapi.sys @ 0xba711852

IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8

ParseProcedure -> ntkrnlpa.exe @ 0x805827e8

\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8

ParseProcedure -> ntkrnlpa.exe @ 0x805827e8

NDIS: Intel® PRO/1000 PL Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xba61dbb0

PacketIndicateHandler -> NDIS.sys @ 0xba62aa21

SendHandler -> NDIS.sys @ 0xba60887b

user & kernel MBR OK

 

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

 

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\€–€|ÿÿÿÿÀ•€|ù•A~*]

"D140211900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"

.

--------------------- DLLs "loaded" under running processes ---------------------

 

- - - - - - - > 'winlogon.exe'(708)

c:\windows\system32\WININET.dll

 

- - - - - - - > 'lsass.exe'(768)

c:\windows\system32\WININET.dll

.

Completion time: 2010-04-12 20:30:39

ComboFix-quarantined-files.txt 2010-04-12 18:30

 

Before the scan: 142 486 274 048 bytes free

After the scan: 142 454 935 552 bytes free

 

WindowsXP-KB310994-SP2-Pro-BootDisk-SVE.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

 

- - End Of File - - A324DB3DBFAD6F96DF20FECBFDA9D852


There may be a rootkit on the computer. We'll see which of these programs works.

 

1. Save this file to the Desktop:

http://rootrepeal.googlepages.com/RootRepeal.zip

Unpack (extract) the zip file so that you get a program file.

 

Unplug the internet connection. Close all programs you can see, including firewall, antivirus and antispyware programs.

How? See http://www.bleepingcomputer.com/forums/topic114351.html

 

Start RootRepeal (in Vista and Windows 7 as usual by right-clicking the icon and choosing Run as administrator).

Select the Report tab and press Scan.

Tick all seven options and then press Yes.

Select C: and press OK.

It takes a while for RootRepeal to scan C:.

When the scan is finished, press Save Report and save it with the name rootrepeal.log. Paste the contents of rootrepeal.log into your reply.

 

2. Save Gmer to the Desktop from:

http://www2.gmer.net/download.php

It has a random name, so note what the program is saved as.

 

Unplug the internet connection.

Close all programs, including antivirus and firewall.

Start the downloaded program.

A first quick scan starts.

If a WARNING comes up that mentions ROOTKIT and asks about "fully scan", choose No. Save the log and paste it into your reply. Do nothing more.

 

If the question does not come up, select the Rootkit/Malware tab and check that everything on the right is ticked except Show All and partitions other than C:\. Press Scan. Leave the computer alone while Gmer is running.

 

3. Save TDSSKiller to the Desktop:

http://support.kaspersky.com/downloads/utils/tdsskiller.zip

 

Right-click and choose Extract All. Make sure the extraction goes to the Desktop. Alternatively you can use your own program for unpacking zip files; just make sure the file tdsskiller.exe ends up on the Desktop.

 

Start - Run

Copy the line that is in the box

"%userprofile%\skrivbord\TDSSKiller.exe" -l rapport.txt -v

 

Open the report file that was created in C:\ or on the Desktop and paste the contents into your reply.

Press Save and save the result on the Desktop.

Turn on antivirus and firewall before you connect to the internet.

Paste the result into your reply.


ROOTREPEAL © AD, 2007-2009

==================================================

Scan Start Time: 2010/04/12 22:44

Program Version: Version 1.3.5.0

Windows Version: Windows XP Media Center Edition SP3

==================================================

 

Drivers

-------------------

Name: catchme.sys

Image Path: C:\DOCUME~1\Djulle\LOCALS~1\Temp\catchme.sys

Address: 0xBAB70000 Size: 31744 File Visible: No Signed: -

Status: -

 

Name: PROCEXP113.SYS

Image Path: C:\WINDOWS\system32\Drivers\PROCEXP113.SYS

Address: 0xBADEA000 Size: 7872 File Visible: No Signed: -

Status: -

 

Name: rootrepeal.sys

Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys

Address: 0x8CDA5000 Size: 49152 File Visible: No Signed: -

Status: -

 

SSDT

-------------------

#: 041 Function Name: NtCreateKey

Status: Hooked by "Lbd.sys" at address 0xba91887e

 

#: 247 Function Name: NtSetValueKey

Status: Hooked by "Lbd.sys" at address 0xba918bfe

 

==EOF==


Should I be connected when I run TDSSKiller? Because it didn't work to run the file when I wasn't.


How far did Gmer get?

 

You can have the computer connected to the internet when you run TDSSKiller.


How far did Gmer get?

 

You can have the computer connected to the internet when you run TDSSKiller.

 

It ran to completion, but I just pressed "Ok" and forgot to save a log file :/

 

It doesn't work to run TDSS the way you say. It says the file is not available.


Are you sure you have unpacked TDSSKiller.zip into a real folder?

 

Run Gmer once more if you don't see any log on the Desktop.

I'll be back tomorrow.


01:20:17:781 2068 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04

01:20:17:781 2068 ================================================================================

01:20:17:781 2068 SystemInfo:

 

01:20:17:781 2068 OS Version: 5.1.2600 ServicePack: 3.0

01:20:17:781 2068 Product type: Workstation

01:20:17:781 2068 ComputerName: JOEL

01:20:17:781 2068 UserName: Djulle

01:20:17:781 2068 Windows directory: C:\WINDOWS

01:20:17:781 2068 Processor architecture: Intel x86

01:20:17:781 2068 Number of processors: 2

01:20:17:781 2068 Page size: 0x1000

01:20:17:781 2068 Boot type: Normal boot

01:20:17:781 2068 ================================================================================

01:20:17:812 2068 UnloadDriverW: NtUnloadDriver error 2

01:20:17:812 2068 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2

01:20:18:093 2068 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system

01:20:18:093 2068 wfopen_ex: MyNtCreateFileW error 32 (C0000043)

01:20:18:093 2068 wfopen_ex: Trying to KLMD file open

01:20:18:093 2068 wfopen_ex: File opened ok (Flags 2)

01:20:18:093 2068 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software

01:20:18:093 2068 wfopen_ex: MyNtCreateFileW error 32 (C0000043)

01:20:18:093 2068 wfopen_ex: Trying to KLMD file open

01:20:18:093 2068 wfopen_ex: File opened ok (Flags 2)

01:20:18:093 2068 Initialize success

01:20:18:093 2068

01:20:18:093 2068 Scanning Services ...

01:20:18:453 2068 Raw services enum returned 315 services

01:20:18:453 2068

01:20:18:453 2068 Scanning Kernel memory ...

01:20:18:453 2068 Devices to scan: 14

01:20:18:453 2068

01:20:18:453 2068 Driver Name: Disk

01:20:18:453 2068 IRP_MJ_CREATE : BA90EBB0

01:20:18:453 2068 IRP_MJ_CREATE_NAMED_PIPE : 804F4562

01:20:18:453 2068 IRP_MJ_CLOSE : BA90EBB0

01:20:18:453 2068 IRP_MJ_READ : BA908D1F

01:20:18:453 2068 IRP_MJ_WRITE : BA908D1F

01:20:18:453 2068 IRP_MJ_QUERY_INFORMATION : 804F4562

01:20:18:453 2068 IRP_MJ_SET_INFORMATION : 804F4562

01:20:18:453 2068 IRP_MJ_QUERY_EA : 804F4562

01:20:18:453 2068 IRP_MJ_SET_EA : 804F4562

01:20:18:453 2068 IRP_MJ_FLUSH_BUFFERS : BA9092E2

01:20:18:453 2068 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562

01:20:18:453 2068 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562

01:20:18:453 2068 IRP_MJ_DIRECTORY_CONTROL : 804F4562

01:20:18:453 2068 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562

01:20:18:453 2068 IRP_MJ_DEVICE_CONTROL : BA9093BB

01:20:18:453 2068 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA90CF28

01:20:18:453 2068 IRP_MJ_SHUTDOWN : BA9092E2

01:20:18:453 2068 IRP_MJ_LOCK_CONTROL : 804F4562

01:20:18:453 2068 IRP_MJ_CLEANUP : 804F4562

01:20:18:453 2068 IRP_MJ_CREATE_MAILSLOT : 804F4562

01:20:18:453 2068 IRP_MJ_QUERY_SECURITY : 804F4562

01:20:18:453 2068 IRP_MJ_SET_SECURITY : 804F4562

01:20:18:453 2068 IRP_MJ_POWER : BA90AC82

01:20:18:453 2068 IRP_MJ_SYSTEM_CONTROL : BA90F99E

01:20:18:453 2068 IRP_MJ_DEVICE_CHANGE : 804F4562

01:20:18:453 2068 IRP_MJ_QUERY_QUOTA : 804F4562

01:20:18:453 2068 IRP_MJ_SET_QUOTA : 804F4562

01:20:18:500 2068 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1

01:20:18:500 2068

01:20:18:500 2068 Driver Name: Disk

01:20:18:500 2068 IRP_MJ_CREATE : BA90EBB0

01:20:18:500 2068 IRP_MJ_CREATE_NAMED_PIPE : 804F4562

01:20:18:500 2068 IRP_MJ_CLOSE : BA90EBB0

01:20:18:500 2068 IRP_MJ_READ : BA908D1F

01:20:18:500 2068 IRP_MJ_WRITE : BA908D1F

01:20:18:500 2068 IRP_MJ_QUERY_INFORMATION : 804F4562

01:20:18:500 2068 IRP_MJ_SET_INFORMATION : 804F4562

01:20:18:500 2068 IRP_MJ_QUERY_EA : 804F4562

01:20:18:500 2068 IRP_MJ_SET_EA : 804F4562

01:20:18:500 2068 IRP_MJ_FLUSH_BUFFERS : BA9092E2

01:20:18:500 2068 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562

01:20:18:500 2068 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562

01:20:18:500 2068 IRP_MJ_DIRECTORY_CONTROL : 804F4562

01:20:18:500 2068 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562

01:20:18:500 2068 IRP_MJ_DEVICE_CONTROL : BA9093BB

01:20:18:500 2068 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA90CF28

01:20:18:500 2068 IRP_MJ_SHUTDOWN : BA9092E2

01:20:18:500 2068 IRP_MJ_LOCK_CONTROL : 804F4562

01:20:18:500 2068 IRP_MJ_CLEANUP : 804F4562

01:20:18:500 2068 IRP_MJ_CREATE_MAILSLOT : 804F4562

01:20:18:500 2068 IRP_MJ_QUERY_SECURITY : 804F4562

01:20:18:500 2068 IRP_MJ_SET_SECURITY : 804F4562

01:20:18:500 2068 IRP_MJ_POWER : BA90AC82

01:20:18:500 2068 IRP_MJ_SYSTEM_CONTROL : BA90F99E

01:20:18:500 2068 IRP_MJ_DEVICE_CHANGE : 804F4562

01:20:18:500 2068 IRP_MJ_QUERY_QUOTA : 804F4562

01:20:18:500 2068 IRP_MJ_SET_QUOTA : 804F4562

01:20:18:515 2068 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1

01:20:18:515 2068

01:20:18:515 2068 Driver Name: Disk

01:20:18:515 2068 IRP_MJ_CREATE : BA90EBB0

01:20:18:515 2068 IRP_MJ_CREATE_NAMED_PIPE : 804F4562

01:20:18:515 2068 IRP_MJ_CLOSE : BA90EBB0

01:20:18:515 2068 IRP_MJ_READ : BA908D1F

01:20:18:515 2068 IRP_MJ_WRITE : BA908D1F

01:20:18:515 2068 IRP_MJ_QUERY_INFORMATION : 804F4562

01:20:18:515 2068 IRP_MJ_SET_INFORMATION : 804F4562

01:20:18:515 2068 IRP_MJ_QUERY_EA : 804F4562

01:20:18:515 2068 IRP_MJ_SET_EA : 804F4562

01:20:18:515 2068 IRP_MJ_FLUSH_BUFFERS : BA9092E2

01:20:18:515 2068 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562

01:20:18:515 2068 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562

01:20:18:515 2068 IRP_MJ_DIRECTORY_CONTROL : 804F4562

01:20:18:515 2068 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562

01:20:18:515 2068 IRP_MJ_DEVICE_CONTROL : BA9093BB

01:20:18:515 2068 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA90CF28

01:20:18:515 2068 IRP_MJ_SHUTDOWN : BA9092E2

01:20:18:515 2068 IRP_MJ_LOCK_CONTROL : 804F4562

01:20:18:515 2068 IRP_MJ_CLEANUP : 804F4562

01:20:18:515 2068 IRP_MJ_CREATE_MAILSLOT : 804F4562

01:20:18:515 2068 IRP_MJ_QUERY_SECURITY : 804F4562

01:20:18:515 2068 IRP_MJ_SET_SECURITY : 804F4562

01:20:18:515 2068 IRP_MJ_POWER : BA90AC82

01:20:18:515 2068 IRP_MJ_SYSTEM_CONTROL : BA90F99E

01:20:18:515 2068 IRP_MJ_DEVICE_CHANGE : 804F4562

01:20:18:515 2068 IRP_MJ_QUERY_QUOTA : 804F4562

01:20:18:515 2068 IRP_MJ_SET_QUOTA : 804F4562

01:20:18:515 2068 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1

01:20:18:515 2068

01:20:18:515 2068 Driver Name: Disk

01:20:18:515 2068 IRP_MJ_CREATE : BA90EBB0

01:20:18:515 2068 IRP_MJ_CREATE_NAMED_PIPE : 804F4562

01:20:18:515 2068 IRP_MJ_CLOSE : BA90EBB0

01:20:18:515 2068 IRP_MJ_READ : BA908D1F

01:20:18:515 2068 IRP_MJ_WRITE : BA908D1F

01:20:18:515 2068 IRP_MJ_QUERY_INFORMATION : 804F4562

01:20:18:515 2068 IRP_MJ_SET_INFORMATION : 804F4562

01:20:18:515 2068 IRP_MJ_QUERY_EA : 804F4562

01:20:18:515 2068 IRP_MJ_SET_EA : 804F4562

01:20:18:515 2068 IRP_MJ_FLUSH_BUFFERS : BA9092E2

01:20:18:515 2068 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562

01:20:18:515 2068 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562

01:20:18:515 2068 IRP_MJ_DIRECTORY_CONTROL : 804F4562

01:20:18:515 2068 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562

01:20:18:515 2068 IRP_MJ_DEVICE_CONTROL : BA9093BB

01:20:18:515 2068 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA90CF28

01:20:18:515 2068 IRP_MJ_SHUTDOWN : BA9092E2

01:20:18:515 2068 IRP_MJ_LOCK_CONTROL : 804F4562

01:20:18:515 2068 IRP_MJ_CLEANUP : 804F4562

01:20:18:515 2068 IRP_MJ_CREATE_MAILSLOT : 804F4562

01:20:18:515 2068 IRP_MJ_QUERY_SECURITY : 804F4562

01:20:18:515 2068 IRP_MJ_SET_SECURITY : 804F4562

01:20:18:515 2068 IRP_MJ_POWER : BA90AC82

01:20:18:515 2068 IRP_MJ_SYSTEM_CONTROL : BA90F99E

01:20:18:515 2068 IRP_MJ_DEVICE_CHANGE : 804F4562

01:20:18:515 2068 IRP_MJ_QUERY_QUOTA : 804F4562

01:20:18:515 2068 IRP_MJ_SET_QUOTA : 804F4562

01:20:18:531 2068 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1

01:20:18:531 2068

01:20:18:531 2068 Driver Name: Disk

01:20:18:531 2068 IRP_MJ_CREATE : BA90EBB0

01:20:18:531 2068 IRP_MJ_CREATE_NAMED_PIPE : 804F4562

01:20:18:531 2068 IRP_MJ_CLOSE : BA90EBB0

01:20:18:531 2068 IRP_MJ_READ : BA908D1F

01:20:18:531 2068 IRP_MJ_WRITE : BA908D1F

01:20:18:531 2068 IRP_MJ_QUERY_INFORMATION : 804F4562

01:20:18:531 2068 IRP_MJ_SET_INFORMATION : 804F4562

01:20:18:531 2068 IRP_MJ_QUERY_EA : 804F4562

01:20:18:531 2068 IRP_MJ_SET_EA : 804F4562

01:20:18:531 2068 IRP_MJ_FLUSH_BUFFERS : BA9092E2

01:20:18:531 2068 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562

01:20:18:531 2068 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562

01:20:18:531 2068 IRP_MJ_DIRECTORY_CONTROL : 804F4562

01:20:18:531 2068 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562

01:20:18:531 2068 IRP_MJ_DEVICE_CONTROL : BA9093BB

01:20:18:531 2068 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA90CF28

01:20:18:531 2068 IRP_MJ_SHUTDOWN : BA9092E2

01:20:18:531 2068 IRP_MJ_LOCK_CONTROL : 804F4562

01:20:18:531 2068 IRP_MJ_CLEANUP : 804F4562

01:20:18:531 2068 IRP_MJ_CREATE_MAILSLOT : 804F4562

01:20:18:531 2068 IRP_MJ_QUERY_SECURITY : 804F4562

01:20:18:531 2068 IRP_MJ_SET_SECURITY : 804F4562

01:20:18:531 2068 IRP_MJ_POWER : BA90AC82

01:20:18:531 2068 IRP_MJ_SYSTEM_CONTROL : BA90F99E

01:20:18:531 2068 IRP_MJ_DEVICE_CHANGE : 804F4562

01:20:18:531 2068 IRP_MJ_QUERY_QUOTA : 804F4562

01:20:18:531 2068 IRP_MJ_SET_QUOTA : 804F4562

01:20:18:531 2068 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1

01:20:18:531 2068

01:20:18:531 2068 Driver Name: Disk

01:20:18:531 2068 IRP_MJ_CREATE : BA90EBB0

01:20:18:531 2068 IRP_MJ_CREATE_NAMED_PIPE : 804F4562

01:20:18:531 2068 IRP_MJ_CLOSE : BA90EBB0

01:20:18:531 2068 IRP_MJ_READ : BA908D1F

01:20:18:531 2068 IRP_MJ_WRITE : BA908D1F

01:20:18:531 2068 IRP_MJ_QUERY_INFORMATION : 804F4562

01:20:18:531 2068 IRP_MJ_SET_INFORMATION : 804F4562

01:20:18:531 2068 IRP_MJ_QUERY_EA : 804F4562

01:20:18:531 2068 IRP_MJ_SET_EA : 804F4562

01:20:18:531 2068 IRP_MJ_FLUSH_BUFFERS : BA9092E2

01:20:18:531 2068 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562

01:20:18:531 2068 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562

01:20:18:531 2068 IRP_MJ_DIRECTORY_CONTROL : 804F4562

01:20:18:531 2068 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562

01:20:18:531 2068 IRP_MJ_DEVICE_CONTROL : BA9093BB

01:20:18:531 2068 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA90CF28

01:20:18:531 2068 IRP_MJ_SHUTDOWN : BA9092E2

01:20:18:531 2068 IRP_MJ_LOCK_CONTROL : 804F4562

01:20:18:531 2068 IRP_MJ_CLEANUP : 804F4562

01:20:18:531 2068 IRP_MJ_CREATE_MAILSLOT : 804F4562

01:20:18:531 2068 IRP_MJ_QUERY_SECURITY : 804F4562

01:20:18:531 2068 IRP_MJ_SET_SECURITY : 804F4562

01:20:18:531 2068 IRP_MJ_POWER : BA90AC82

01:20:18:531 2068 IRP_MJ_SYSTEM_CONTROL : BA90F99E

01:20:18:531 2068 IRP_MJ_DEVICE_CHANGE : 804F4562

01:20:18:531 2068 IRP_MJ_QUERY_QUOTA : 804F4562

01:20:18:531 2068 IRP_MJ_SET_QUOTA : 804F4562

01:20:18:531 2068 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1

01:20:18:531 2068

01:20:18:531 2068 Driver Name: usbstor

01:20:18:531 2068 IRP_MJ_CREATE : BAC2D218

01:20:18:531 2068 IRP_MJ_CREATE_NAMED_PIPE : 804F4562

01:20:18:531 2068 IRP_MJ_CLOSE : BAC2D218

01:20:18:531 2068 IRP_MJ_READ : BAC2D23C

01:20:18:531 2068 IRP_MJ_WRITE : BAC2D23C

01:20:18:531 2068 IRP_MJ_QUERY_INFORMATION : 804F4562

01:20:18:531 2068 IRP_MJ_SET_INFORMATION : 804F4562

01:20:18:531 2068 IRP_MJ_QUERY_EA : 804F4562

01:20:18:531 2068 IRP_MJ_SET_EA : 804F4562

01:20:18:531 2068 IRP_MJ_FLUSH_BUFFERS : 804F4562

01:20:18:531 2068 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562

01:20:18:531 2068 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562

01:20:18:531 2068 IRP_MJ_DIRECTORY_CONTROL : 804F4562

01:20:18:531 2068 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562

01:20:18:531 2068 IRP_MJ_DEVICE_CONTROL : BAC2D180

01:20:18:531 2068 IRP_MJ_INTERNAL_DEVICE_CONTROL : BAC289E6

01:20:18:531 2068 IRP_MJ_SHUTDOWN : 804F4562

01:20:18:531 2068 IRP_MJ_LOCK_CONTROL : 804F4562

01:20:18:531 2068 IRP_MJ_CLEANUP : 804F4562

01:20:18:531 2068 IRP_MJ_CREATE_MAILSLOT : 804F4562

01:20:18:531 2068 IRP_MJ_QUERY_SECURITY : 804F4562

01:20:18:531 2068 IRP_MJ_SET_SECURITY : 804F4562

01:20:18:531 2068 IRP_MJ_POWER : BAC2C5F0

01:20:18:531 2068 IRP_MJ_SYSTEM_CONTROL : BAC2AA6E

01:20:18:531 2068 IRP_MJ_DEVICE_CHANGE : 804F4562

01:20:18:531 2068 IRP_MJ_QUERY_QUOTA : 804F4562

01:20:18:531 2068 IRP_MJ_SET_QUOTA : 804F4562

01:20:18:546 2068 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1

01:20:18:546 2068

01:20:18:546 2068 Driver Name: usbstor

01:20:18:546 2068 IRP_MJ_CREATE : BAC2D218

01:20:18:546 2068 IRP_MJ_CREATE_NAMED_PIPE : 804F4562

01:20:18:546 2068 IRP_MJ_CLOSE : BAC2D218

01:20:18:546 2068 IRP_MJ_READ : BAC2D23C

01:20:18:546 2068 IRP_MJ_WRITE : BAC2D23C

01:20:18:546 2068 IRP_MJ_QUERY_INFORMATION : 804F4562

01:20:18:546 2068 IRP_MJ_SET_INFORMATION : 804F4562

01:20:18:546 2068 IRP_MJ_QUERY_EA : 804F4562

01:20:18:546 2068 IRP_MJ_SET_EA : 804F4562

01:20:18:546 2068 IRP_MJ_FLUSH_BUFFERS : 804F4562

01:20:18:546 2068 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562

01:20:18:546 2068 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562

01:20:18:546 2068 IRP_MJ_DIRECTORY_CONTROL : 804F4562

01:20:18:546 2068 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562

01:20:18:546 2068 IRP_MJ_DEVICE_CONTROL : BAC2D180

01:20:18:546 2068 IRP_MJ_INTERNAL_DEVICE_CONTROL : BAC289E6

01:20:18:546 2068 IRP_MJ_SHUTDOWN : 804F4562

01:20:18:546 2068 IRP_MJ_LOCK_CONTROL : 804F4562

01:20:18:546 2068 IRP_MJ_CLEANUP : 804F4562

01:20:18:546 2068 IRP_MJ_CREATE_MAILSLOT : 804F4562

01:20:18:546 2068 IRP_MJ_QUERY_SECURITY : 804F4562

01:20:18:546 2068 IRP_MJ_SET_SECURITY : 804F4562

01:20:18:546 2068 IRP_MJ_POWER : BAC2C5F0

01:20:18:546 2068 IRP_MJ_SYSTEM_CONTROL : BAC2AA6E

01:20:18:546 2068 IRP_MJ_DEVICE_CHANGE : 804F4562

01:20:18:546 2068 IRP_MJ_QUERY_QUOTA : 804F4562

01:20:18:546 2068 IRP_MJ_SET_QUOTA : 804F4562

01:20:18:546 2068 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1

01:20:18:546 2068

01:20:18:546 2068 Driver Name: usbstor

01:20:18:546 2068 IRP_MJ_CREATE : BAC2D218

01:20:18:546 2068 IRP_MJ_CREATE_NAMED_PIPE : 804F4562

01:20:18:546 2068 IRP_MJ_CLOSE : BAC2D218

01:20:18:546 2068 IRP_MJ_READ : BAC2D23C

01:20:18:546 2068 IRP_MJ_WRITE : BAC2D23C

01:20:18:546 2068 IRP_MJ_QUERY_INFORMATION : 804F4562

01:20:18:546 2068 IRP_MJ_SET_INFORMATION : 804F4562

01:20:18:546 2068 IRP_MJ_QUERY_EA : 804F4562

01:20:18:546 2068 IRP_MJ_SET_EA : 804F4562

01:20:18:546 2068 IRP_MJ_FLUSH_BUFFERS : 804F4562

01:20:18:546 2068 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562

01:20:18:546 2068 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562

01:20:18:546 2068 IRP_MJ_DIRECTORY_CONTROL : 804F4562

01:20:18:546 2068 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562

01:20:18:546 2068 IRP_MJ_DEVICE_CONTROL : BAC2D180

01:20:18:546 2068 IRP_MJ_INTERNAL_DEVICE_CONTROL : BAC289E6

01:20:18:546 2068 IRP_MJ_SHUTDOWN : 804F4562

01:20:18:546 2068 IRP_MJ_LOCK_CONTROL : 804F4562

01:20:18:546 2068 IRP_MJ_CLEANUP : 804F4562

01:20:18:546 2068 IRP_MJ_CREATE_MAILSLOT : 804F4562

01:20:18:546 2068 IRP_MJ_QUERY_SECURITY : 804F4562

01:20:18:546 2068 IRP_MJ_SET_SECURITY : 804F4562

01:20:18:546 2068 IRP_MJ_POWER : BAC2C5F0

01:20:18:546 2068 IRP_MJ_SYSTEM_CONTROL : BAC2AA6E

01:20:18:546 2068 IRP_MJ_DEVICE_CHANGE : 804F4562

01:20:18:546 2068 IRP_MJ_QUERY_QUOTA : 804F4562

01:20:18:546 2068 IRP_MJ_SET_QUOTA : 804F4562

01:20:18:546 2068 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1

01:20:18:546 2068

01:20:18:546 2068 Driver Name: usbstor

01:20:18:546 2068 IRP_MJ_CREATE : BAC2D218

01:20:18:546 2068 IRP_MJ_CREATE_NAMED_PIPE : 804F4562

01:20:18:546 2068 IRP_MJ_CLOSE : BAC2D218

01:20:18:546 2068 IRP_MJ_READ : BAC2D23C

01:20:18:546 2068 IRP_MJ_WRITE : BAC2D23C

01:20:18:546 2068 IRP_MJ_QUERY_INFORMATION : 804F4562

01:20:18:546 2068 IRP_MJ_SET_INFORMATION : 804F4562

01:20:18:546 2068 IRP_MJ_QUERY_EA : 804F4562

01:20:18:546 2068 IRP_MJ_SET_EA : 804F4562

01:20:18:546 2068 IRP_MJ_FLUSH_BUFFERS : 804F4562

01:20:18:546 2068 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562

01:20:18:546 2068 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562

01:20:18:546 2068 IRP_MJ_DIRECTORY_CONTROL : 804F4562

01:20:18:546 2068 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562

01:20:18:546 2068 IRP_MJ_DEVICE_CONTROL : BAC2D180

01:20:18:546 2068 IRP_MJ_INTERNAL_DEVICE_CONTROL : BAC289E6

01:20:18:546 2068 IRP_MJ_SHUTDOWN : 804F4562

01:20:18:546 2068 IRP_MJ_LOCK_CONTROL : 804F4562

01:20:18:546 2068 IRP_MJ_CLEANUP : 804F4562

01:20:18:546 2068 IRP_MJ_CREATE_MAILSLOT : 804F4562

01:20:18:546 2068 IRP_MJ_QUERY_SECURITY : 804F4562

01:20:18:546 2068 IRP_MJ_SET_SECURITY : 804F4562

01:20:18:546 2068 IRP_MJ_POWER : BAC2C5F0

01:20:18:546 2068 IRP_MJ_SYSTEM_CONTROL : BAC2AA6E

01:20:18:546 2068 IRP_MJ_DEVICE_CHANGE : 804F4562

01:20:18:546 2068 IRP_MJ_QUERY_QUOTA : 804F4562

01:20:18:546 2068 IRP_MJ_SET_QUOTA : 804F4562

01:20:18:562 2068 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1

01:20:18:562 2068

01:20:18:562 2068 Driver Name: usbstor

01:20:18:562 2068 IRP_MJ_CREATE : BAC2D218

01:20:18:562 2068 IRP_MJ_CREATE_NAMED_PIPE : 804F4562

01:20:18:562 2068 IRP_MJ_CLOSE : BAC2D218

01:20:18:562 2068 IRP_MJ_READ : BAC2D23C

01:20:18:562 2068 IRP_MJ_WRITE : BAC2D23C

01:20:18:562 2068 IRP_MJ_QUERY_INFORMATION : 804F4562

01:20:18:562 2068 IRP_MJ_SET_INFORMATION : 804F4562

01:20:18:562 2068 IRP_MJ_QUERY_EA : 804F4562

01:20:18:562 2068 IRP_MJ_SET_EA : 804F4562

01:20:18:562 2068 IRP_MJ_FLUSH_BUFFERS : 804F4562

01:20:18:562 2068 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562

01:20:18:562 2068 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562

01:20:18:562 2068 IRP_MJ_DIRECTORY_CONTROL : 804F4562

01:20:18:562 2068 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562

01:20:18:562 2068 IRP_MJ_DEVICE_CONTROL : BAC2D180

01:20:18:562 2068 IRP_MJ_INTERNAL_DEVICE_CONTROL : BAC289E6

01:20:18:562 2068 IRP_MJ_SHUTDOWN : 804F4562

01:20:18:562 2068 IRP_MJ_LOCK_CONTROL : 804F4562

01:20:18:562 2068 IRP_MJ_CLEANUP : 804F4562

01:20:18:562 2068 IRP_MJ_CREATE_MAILSLOT : 804F4562

01:20:18:562 2068 IRP_MJ_QUERY_SECURITY : 804F4562

01:20:18:562 2068 IRP_MJ_SET_SECURITY : 804F4562

01:20:18:562 2068 IRP_MJ_POWER : BAC2C5F0

01:20:18:562 2068 IRP_MJ_SYSTEM_CONTROL : BAC2AA6E

01:20:18:562 2068 IRP_MJ_DEVICE_CHANGE : 804F4562

01:20:18:562 2068 IRP_MJ_QUERY_QUOTA : 804F4562

01:20:18:562 2068 IRP_MJ_SET_QUOTA : 804F4562

01:20:18:562 2068 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1

01:20:18:562 2068

01:20:18:562 2068 Driver Name: usbstor

01:20:18:562 2068 IRP_MJ_CREATE : BAC2D218

01:20:18:562 2068 IRP_MJ_CREATE_NAMED_PIPE : 804F4562

01:20:18:562 2068 IRP_MJ_CLOSE : BAC2D218

01:20:18:562 2068 IRP_MJ_READ : BAC2D23C

01:20:18:562 2068 IRP_MJ_WRITE : BAC2D23C

01:20:18:562 2068 IRP_MJ_QUERY_INFORMATION : 804F4562

01:20:18:562 2068 IRP_MJ_SET_INFORMATION : 804F4562

01:20:18:562 2068 IRP_MJ_QUERY_EA : 804F4562

01:20:18:562 2068 IRP_MJ_SET_EA : 804F4562

01:20:18:562 2068 IRP_MJ_FLUSH_BUFFERS : 804F4562

01:20:18:562 2068 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562

01:20:18:562 2068 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562

01:20:18:562 2068 IRP_MJ_DIRECTORY_CONTROL : 804F4562

01:20:18:562 2068 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562

01:20:18:562 2068 IRP_MJ_DEVICE_CONTROL : BAC2D180

01:20:18:562 2068 IRP_MJ_INTERNAL_DEVICE_CONTROL : BAC289E6

01:20:18:562 2068 IRP_MJ_SHUTDOWN : 804F4562

01:20:18:562 2068 IRP_MJ_LOCK_CONTROL : 804F4562

01:20:18:562 2068 IRP_MJ_CLEANUP : 804F4562

01:20:18:562 2068 IRP_MJ_CREATE_MAILSLOT : 804F4562

01:20:18:562 2068 IRP_MJ_QUERY_SECURITY : 804F4562

01:20:18:562 2068 IRP_MJ_SET_SECURITY : 804F4562

01:20:18:562 2068 IRP_MJ_POWER : BAC2C5F0

01:20:18:562 2068 IRP_MJ_SYSTEM_CONTROL : BAC2AA6E

01:20:18:562 2068 IRP_MJ_DEVICE_CHANGE : 804F4562

01:20:18:562 2068 IRP_MJ_QUERY_QUOTA : 804F4562

01:20:18:562 2068 IRP_MJ_SET_QUOTA : 804F4562

01:20:18:562 2068 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1

01:20:18:562 2068

01:20:18:562 2068 Driver Name: Disk

01:20:18:562 2068 IRP_MJ_CREATE : BA90EBB0

01:20:18:562 2068 IRP_MJ_CREATE_NAMED_PIPE : 804F4562

01:20:18:562 2068 IRP_MJ_CLOSE : BA90EBB0

01:20:18:562 2068 IRP_MJ_READ : BA908D1F

01:20:18:562 2068 IRP_MJ_WRITE : BA908D1F

01:20:18:562 2068 IRP_MJ_QUERY_INFORMATION : 804F4562

01:20:18:562 2068 IRP_MJ_SET_INFORMATION : 804F4562

01:20:18:562 2068 IRP_MJ_QUERY_EA : 804F4562

01:20:18:562 2068 IRP_MJ_SET_EA : 804F4562

01:20:18:562 2068 IRP_MJ_FLUSH_BUFFERS : BA9092E2

01:20:18:562 2068 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562

01:20:18:562 2068 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562

01:20:18:562 2068 IRP_MJ_DIRECTORY_CONTROL : 804F4562

01:20:18:562 2068 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562

01:20:18:562 2068 IRP_MJ_DEVICE_CONTROL : BA9093BB

01:20:18:562 2068 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA90CF28

01:20:18:562 2068 IRP_MJ_SHUTDOWN : BA9092E2

01:20:18:562 2068 IRP_MJ_LOCK_CONTROL : 804F4562

01:20:18:562 2068 IRP_MJ_CLEANUP : 804F4562

01:20:18:562 2068 IRP_MJ_CREATE_MAILSLOT : 804F4562

01:20:18:562 2068 IRP_MJ_QUERY_SECURITY : 804F4562

01:20:18:562 2068 IRP_MJ_SET_SECURITY : 804F4562

01:20:18:562 2068 IRP_MJ_POWER : BA90AC82

01:20:18:562 2068 IRP_MJ_SYSTEM_CONTROL : BA90F99E

01:20:18:562 2068 IRP_MJ_DEVICE_CHANGE : 804F4562

01:20:18:562 2068 IRP_MJ_QUERY_QUOTA : 804F4562

01:20:18:562 2068 IRP_MJ_SET_QUOTA : 804F4562

01:20:18:562 2068 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1

01:20:18:562 2068

01:20:18:562 2068 Driver Name: atapi

01:20:18:562 2068 IRP_MJ_CREATE : 8948FAC8

01:20:18:562 2068 IRP_MJ_CREATE_NAMED_PIPE : 8948FAC8

01:20:18:562 2068 IRP_MJ_CLOSE : 8948FAC8

01:20:18:562 2068 IRP_MJ_READ : 8948FAC8

01:20:18:562 2068 IRP_MJ_WRITE : 8948FAC8

01:20:18:562 2068 IRP_MJ_QUERY_INFORMATION : 8948FAC8

01:20:18:562 2068 IRP_MJ_SET_INFORMATION : 8948FAC8

01:20:18:562 2068 IRP_MJ_QUERY_EA : 8948FAC8

01:20:18:562 2068 IRP_MJ_SET_EA : 8948FAC8

01:20:18:562 2068 IRP_MJ_FLUSH_BUFFERS : 8948FAC8

01:20:18:562 2068 IRP_MJ_QUERY_VOLUME_INFORMATION : 8948FAC8

01:20:18:562 2068 IRP_MJ_SET_VOLUME_INFORMATION : 8948FAC8

01:20:18:562 2068 IRP_MJ_DIRECTORY_CONTROL : 8948FAC8

01:20:18:562 2068 IRP_MJ_FILE_SYSTEM_CONTROL : 8948FAC8

01:20:18:562 2068 IRP_MJ_DEVICE_CONTROL : 8948FAC8

01:20:18:562 2068 IRP_MJ_INTERNAL_DEVICE_CONTROL : 8948FAC8

01:20:18:562 2068 IRP_MJ_SHUTDOWN : 8948FAC8

01:20:18:562 2068 IRP_MJ_LOCK_CONTROL : 8948FAC8

01:20:18:562 2068 IRP_MJ_CLEANUP : 8948FAC8

01:20:18:562 2068 IRP_MJ_CREATE_MAILSLOT : 8948FAC8

01:20:18:562 2068 IRP_MJ_QUERY_SECURITY : 8948FAC8

01:20:18:562 2068 IRP_MJ_SET_SECURITY : 8948FAC8

01:20:18:562 2068 IRP_MJ_POWER : 8948FAC8

01:20:18:562 2068 IRP_MJ_SYSTEM_CONTROL : 8948FAC8

01:20:18:562 2068 IRP_MJ_DEVICE_CHANGE : 8948FAC8

01:20:18:562 2068 IRP_MJ_QUERY_QUOTA : 8948FAC8

01:20:18:562 2068 IRP_MJ_SET_QUOTA : 8948FAC8

01:20:18:562 2068 Driver "atapi" infected by TDSS rootkit!

01:20:18:562 2068 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: 1

01:20:18:562 2068 File "C:\WINDOWS\system32\DRIVERS\atapi.sys" infected by TDSS rootkit ... 01:20:18:562 2068 Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys

01:20:18:562 2068 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\system32\DriverStore\FileRepository\*) error 3

01:20:18:796 2068 vfvi6

01:20:18:921 2068 !dsvbh1

01:20:20:765 2068 dsvbh2

01:20:20:765 2068 fdfb2

01:20:20:765 2068 Backup copy found, using it..

01:20:20:984 2068 will be cured on next reboot

01:20:20:984 2068 Reboot required for cure complete..

01:20:21:093 2068 Cure on reboot scheduled successfully

01:20:21:093 2068

01:20:21:093 2068 Completed

01:20:21:093 2068

01:20:21:093 2068 Results:

01:20:21:109 2068 Memory objects infected / cured / cured on reboot: 1 / 0 / 0

01:20:21:109 2068 Registry objects infected / cured / cured on reboot: 0 / 0 / 0

01:20:21:109 2068 File objects infected / cured / cured on reboot: 1 / 0 / 1

01:20:21:109 2068

01:20:21:109 2068 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system

01:20:21:109 2068 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software

01:20:21:109 2068 UnloadDriverW: NtUnloadDriver error 1

01:20:21:109 2068 KLMD(ARK) unloaded successfully


GMER 1.0.15.15281 - http://www.gmer.net

Rootkit scan 2010-04-13 01:53:51

Windows 5.1.2600 Service Pack 3

Running: nscshx6s.exe; Driver: C:\DOCUME~1\Djulle\LOCALS~1\Temp\pxtdypod.sys

 

 

---- System - GMER 1.0.15 ----

 

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xBA91887E]

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xBA918BFE]

 

---- Kernel code sections - GMER 1.0.15 ----

 

? klmdb.sys Cannot find the file. !

? tsk1D1.tmp Cannot find the file. !

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB9F9D360, 0x24526E, 0xE8000020]

.rsrc C:\WINDOWS\system32\DRIVERS\rasacd.sys entry point in ".rsrc" section [0xBA389C14]

 

---- User code sections - GMER 1.0.15 ----

 

.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[620] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 4 Bytes [C2, 04, 00, 00]

.text C:\WINDOWS\System32\svchost.exe[1124] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0072000A

.text C:\WINDOWS\System32\svchost.exe[1124] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0073000A

.text C:\WINDOWS\System32\svchost.exe[1124] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0071000C

.text C:\WINDOWS\Explorer.EXE[1724] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00CD000A

.text C:\WINDOWS\Explorer.EXE[1724] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00CE000A

.text C:\WINDOWS\Explorer.EXE[1724] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00CC000C

.text C:\WINDOWS\system32\wuauclt.exe[2316] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 009E000A

.text C:\WINDOWS\system32\wuauclt.exe[2316] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 009F000A

.text C:\WINDOWS\system32\wuauclt.exe[2316] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 009D000C

 

---- Devices - GMER 1.0.15 ----

 

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)

AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdir.sys

 

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 tsk1D1.tmp

Device \Driver\atapi \Device\Ide\IdePort0 tsk1D1.tmp

Device \Driver\atapi \Device\Ide\IdePort1 tsk1D1.tmp

Device \Driver\atapi \Device\Ide\IdePort2 tsk1D1.tmp

Device -> \Driver\atapi \Device\Harddisk0\DR0 89406AC8

 

---- Files - GMER 1.0.15 ----

 

File C:\WINDOWS\system32\DRIVERS\rasacd.sys suspicious modification

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

 

---- EOF - GMER 1.0.15 ----

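The TDSSKiller block for atapi above shows the pattern TDL3 leaves in a driver object: every IRP_MJ_* dispatch entry points at the same address (8948FAC8), which lies in pool memory rather than inside atapi.sys, and the catchme/ComboFix output earlier in the thread reported the same thing as an UNKNOWN module in the disk I/O stack. What follows is an added example of that heuristic, written for this page and not taken from the thread or from TDSSKiller, GMER, RootRepeal or ComboFix: it parses TDSSKiller-style dispatch tables, resolves each handler against a loaded-module table, and flags a driver whose whole table collapses onto an address no module owns. The log excerpt and the module table are constructed from values posted in the thread; the module base/size ranges are assumptions for the demo, not facts from the page.

```python
import re
from collections import defaultdict

# Constructed excerpt in TDSSKiller's log format: the healthy Disk object and
# the hijacked atapi object from the thread, trimmed to five handlers each.
SAMPLE_LOG = """\
01:20:18:453 2068 Driver Name: Disk
01:20:18:453 2068 IRP_MJ_CREATE : BA90EBB0
01:20:18:453 2068 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
01:20:18:453 2068 IRP_MJ_READ : BA908D1F
01:20:18:453 2068 IRP_MJ_WRITE : BA908D1F
01:20:18:453 2068 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA90CF28
01:20:18:562 2068 Driver Name: atapi
01:20:18:562 2068 IRP_MJ_CREATE : 8948FAC8
01:20:18:562 2068 IRP_MJ_CREATE_NAMED_PIPE : 8948FAC8
01:20:18:562 2068 IRP_MJ_READ : 8948FAC8
01:20:18:562 2068 IRP_MJ_WRITE : 8948FAC8
01:20:18:562 2068 IRP_MJ_INTERNAL_DEVICE_CONTROL : 8948FAC8
"""

# Loaded-module table as (base, size), in the spirit of RootRepeal's
# "Address/Size" listing. The bases follow the addresses GMER/ComboFix printed
# in the thread; the sizes are ASSUMED for this demo, not taken from the page.
MODULES = {
    "ntkrnlpa.exe": (0x804D7000, 0x1F8000),
    "CLASSPNP.SYS": (0xBA908000, 0x00D000),
    "atapi.sys":    (0xBA70F000, 0x017000),
}

# Every driver in the posted log shares this address for the major functions
# it does not implement, i.e. the kernel's default handler on this build.
# Seeing it in a dispatch table is expected, so it is never counted as a hit.
DEFAULT_HANDLER = 0x804F4562

DRIVER_RE = re.compile(r"Driver Name: (\S+)")
HANDLER_RE = re.compile(r"(IRP_MJ_\w+) : ([0-9A-Fa-f]{8})")


def parse_dispatch_tables(log_text):
    """Return {driver_name: [(major_function, address), ...]} in log order."""
    tables = defaultdict(list)
    current = None
    for line in log_text.splitlines():
        m = DRIVER_RE.search(line)
        if m:
            current = m.group(1)
            continue
        m = HANDLER_RE.search(line)
        if m and current:
            tables[current].append((m.group(1), int(m.group(2), 16)))
    return dict(tables)


def owning_module(addr, modules=MODULES):
    """Name of the module whose image range contains addr, or None."""
    for name, (base, size) in modules.items():
        if base <= addr < base + size:
            return name
    return None


def assess(handlers, modules=MODULES):
    """Classify one driver's dispatch table.

    'hijacked'  : every handler is one address and that address is not
                  inside any known module image (the TDL3 pattern).
    'suspicious': at least one handler lies outside every known module.
    'clean'     : all handlers resolve to a known module or the default handler.
    """
    addrs = {a for _, a in handlers}
    unresolved = [a for a in addrs
                  if a != DEFAULT_HANDLER and owning_module(a, modules) is None]
    if len(addrs) == 1 and unresolved:
        return "hijacked"
    if unresolved:
        return "suspicious"
    return "clean"


def scan(log_text, modules=MODULES):
    """Map every driver in a TDSSKiller-style log to its verdict."""
    return {drv: assess(hs, modules)
            for drv, hs in parse_dispatch_tables(log_text).items()}


if __name__ == "__main__":
    for drv, verdict in scan(SAMPLE_LOG).items():
        print(f"{drv:8s} {verdict}")
```

Two caveats the log itself illustrates: the healthy Disk object resolves to CLASSPNP.SYS rather than disk.sys, because class drivers forward dispatch to classpnp, so "handler outside the driver's own image" is not by itself an indicator; "outside every image" is. And the address all unimplemented slots share (804F4562 here) must be whitelisted before the "all entries identical" test, or a minimal driver would be misclassified.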

Good! TDSSKiller found and fixed something. If you haven't restarted the computer since you ran Gmer, do so. Run TDSSKiller and Gmer once more in the same way so we can see what is left after that (restart the computer after you have run TDSSKiller). Also run ComboFix. That makes three logs to paste in.


Archived

This topic is now archived and is closed to further replies.
