Mass mails (spam) - virus?
#0
25.12.2007, 11:17
Member
Posts: 3716
25.12.2007, 22:08
Member
Thread starter, Posts: 16
#17
So, now that I have uninstalled Norton, naturally I no longer get any mail notifications either. Instead, AntiVir now reports the virus crypt.xpack.gen in a file after the computer starts, e.g. C:\Windows\Temp\36406.exe.
Here is the log file from RVAXO:

----------------RVAXO.exe first run-------------
Files found:
Uninstallers Rogue scanners:
Folders Found:
Hosts-file was reset, If you use a custom hosts file please replace it...

I don't know where they came from, but 5 files have appeared on my desktop: 3 are old Word files, one is a desktop.ini and one is a ~WRL1177.tmp .?? I'm out of my depth ;-) I have just seen that even more such files and folders, which are displayed "faded", have appeared. Here is also the log file from ActiveScan, and in each case the last 30 days, if there were that many:

Datenträger in Laufwerk C: ist BOOT
Volumeseriennummer: 706A-702F

Verzeichnis von C:\

26.12.2007 12:29 43 filelist.txt
26.12.2007 12:23 356 RVAXO-results.log
26.12.2007 12:23 804'839'424 hiberfil.sys
26.12.2007 12:23 2'097'152'000 pagefile.sys
25.12.2007 22:04 211 firstrun3.log
13.12.2007 17:19 12'260 ComboFix.txt

Datenträger in Laufwerk C: ist BOOT
Volumeseriennummer: 706A-702F

Verzeichnis von C:\WINDOWS

26.12.2007 12:24 1'289'697 WindowsUpdate.log
26.12.2007 12:24 747'998 setupapi.log
26.12.2007 12:23 0 0.log
26.12.2007 12:23 157 wiadebug.log
26.12.2007 12:23 50 wiaservc.log
26.12.2007 12:23 2'048 bootstat.dat
26.12.2007 05:17 32'582 SchedLgU.Txt
26.12.2007 05:16 34'772 KB942615-IE7.log
25.12.2007 22:26 677 win.ini
24.12.2007 16:04 41'463 wmsetup.log
23.12.2007 16:15 229 NeroDigital.ini
23.12.2007 15:55 54'156 QTFont.qfn
16.12.2007 19:46 216'466 setupact.log
13.12.2007 17:13 227 system.ini
13.12.2007 05:07 11'007'340 ntbtlog.txt
12.12.2007 16:42 302'599 iis6.log
12.12.2007 16:42 532'639 comsetup.log
12.12.2007 16:42 325'074 ntdtcsetup.log
12.12.2007 16:42 742'500 tsoc.log
12.12.2007 16:42 76'825 ocmsn.log
12.12.2007 16:42 1'393 imsins.log
12.12.2007 16:42 30'751 KB942763.log
12.12.2007 16:42 931'323 ocgen.log
12.12.2007 16:42 95'229 msgsocm.log
12.12.2007 16:42 1'886'397 FaxSetup.log
12.12.2007 16:40 1'393 imsins.BAK
12.12.2007 16:40 18'342 KB941569.log
12.12.2007 16:23 119'772 updspapi.log
12.12.2007 16:14 11'249 KB941568.log
12.12.2007 16:11 11'961 KB944653.log
09.12.2007 19:04 142'336 catchme.exe
29.11.2007 14:46 97 WirelessFTP.INI
29.11.2007 13:54 502 ODBC.INI
29.11.2007 12:23 3'768 ModemLog_Standard 33600 bps Modem.txt
25.11.2007 15:33 1'409 QTFont.for

Verzeichnis von C:\WINDOWS\system -> the last entry here was from 2004

Verzeichnis von C:\WINDOWS\system32

26.12.2007 12:24 88'566 nvapps.xml
26.12.2007 12:23 1'158 wpa.dbl
25.12.2007 22:31 0 asfiles.txt
25.12.2007 22:11 2'550 Uninstall.ico
25.12.2007 22:11 1'406 Help.ico
25.12.2007 22:11 30'590 pavas.ico
25.12.2007 07:36 570'383 RVAXO.bat
22.12.2007 22:49 0 4_exception.nls
12.12.2007 19:30 1'474 RootkitReveal.txt
12.12.2007 16:42 498'182 TZLog.log
11.12.2007 23:27 386'450 perfh009.dat
11.12.2007 23:27 398'680 perfh007.dat
11.12.2007 23:27 56'422 perfc009.dat
11.12.2007 23:27 68'104 perfc007.dat
11.12.2007 23:27 920'624 PerfStringBackup.INI
04.12.2007 01:00 136'704 swsc.exe
03.12.2007 00:00 18'684'536 MRT.exe
29.11.2007 14:03 42'348 PCSuiteP80x.txt

Verzeichnis von C:\WINDOWS\Prefetch

26.12.2007 12:29 11'232 FIND.EXE-0EC32F1E.pf
26.12.2007 12:29 20'002 CMD.EXE-087B4001.pf
26.12.2007 12:29 61'288 WINRAR.EXE-3588DFE8.pf
26.12.2007 12:29 81'532 WKUFIND.EXE-18C07230.pf
26.12.2007 12:28 39'740 AUPDATE.EXE-089630E1.pf
26.12.2007 12:28 52'346 LUCOMS~1.EXE-02DB5950.pf
26.12.2007 12:27 86'250 IEXPLORE.EXE-2CA9778D.pf
26.12.2007 12:27 22'884 VERCLSID.EXE-3667BD89.pf
26.12.2007 12:25 78'292 TASKMGR.EXE-20256C55.pf
26.12.2007 12:25 70'096 AVNOTIFY.EXE-0B59FC42.pf
26.12.2007 12:25 38'336 GUARDGUI.EXE-3AFB6D88.pf
26.12.2007 12:24 75'528 WUAUCLT.EXE-399A8E72.pf
26.12.2007 12:24 41'732 NMINDEXSTORESVR.EXE-1DBCF9FD.pf
26.12.2007 12:24 59'894 SVCHOST.EXE-3530F672.pf
26.12.2007 12:24 31'426 DITEXP.EXE-205A659C.pf
26.12.2007 12:24 13'904 RUNDLL32.EXE-451FC2C0.pf
26.12.2007 12:24 16'828 MPTBOX.EXE-21121365.pf
26.12.2007 12:24 12'610 SOUNDMAN.EXE-19745A34.pf
26.12.2007 12:24 16'584 AGENT.EXE-0C97E2D4.pf
26.12.2007 12:24 14'348 DIT.EXE-08CE4330.pf
26.12.2007 12:24 8'914 CAPFAX.EXE-2CC20261.pf
26.12.2007 12:24 15'438 NOTEPAD.EXE-336351A9.pf
26.12.2007 12:24 11'062 NEROCHECK.EXE-092C6DFA.pf
26.12.2007 12:24 7'010 SWREG.EXE-3688D00C.pf
26.12.2007 12:24 1'016'754 NTOSBOOT-B00DFAAD.pf
26.12.2007 05:16 76'026 UPDATE.EXE-21D39439.pf
26.12.2007 05:15 47'388 WMIPRVSE.EXE-28F301A9.pf
26.12.2007 05:14 51'930 LOGONUI.EXE-0AF22957.pf
26.12.2007 04:53 31'372 RUNDLL32.EXE-2E5AF1D7.pf
26.12.2007 04:51 19'706 FIREFOX.EXE-1D57670A.pf
26.12.2007 02:48 18'424 SKYPEPM.EXE-03F1BFBD.pf
26.12.2007 02:47 26'960 RUNDLL32.EXE-3D97474F.pf
26.12.2007 02:47 29'082 CONTROL.EXE-013DBFB5.pf
26.12.2007 02:04 69'566 MPCMDRUN.EXE-1EF164E2.pf
26.12.2007 02:04 25'320 DW20.EXE-005BA42F.pf
25.12.2007 23:45 768 SKYPE.EXE-21F19BC8.pf
25.12.2007 22:56 73'184 WOW.EXE-3A6DE196.pf
25.12.2007 22:55 61'204 AVSCAN.EXE-0D0CD933.pf
25.12.2007 22:31 3'586 IRLWU.EXE-01DDDD1C.pf
25.12.2007 22:30 15'282 REGEDIT.EXE-1B606482.pf
25.12.2007 22:15 40'850 STARDOWN.EXE-03D9F09D.pf
25.12.2007 22:14 15'866 REGSVR32.EXE-25EEFE2F.pf
25.12.2007 22:14 13'662 RUNONCE.EXE-2803F297.pf
25.12.2007 22:14 91'032 ADOBEUPDATER.EXE-370FC314.pf
25.12.2007 22:13 70'796 ACRORD32.EXE-153330F0.pf
25.12.2007 22:13 11'460 QTTASK.EXE-2D7EEF34.pf
25.12.2007 22:04 11'260 ATTRIB.EXE-39EAFB02.pf
25.12.2007 22:04 11'044 FINDSTR.EXE-0CA6274B.pf
25.12.2007 22:02 23'634 DWTRIG20.EXE-2A052F11.pf
25.12.2007 21:59 75'614 RVAXO.EXE-3589CFF9.pf
25.12.2007 21:55 23'554 _IU14D2N.TMP-08A65D68.pf
25.12.2007 21:55 22'352 UNINS000.EXE-3622D8EB.pf
25.12.2007 21:55 10'830 REMOVE.EXE-0888FA60.pf
25.12.2007 21:55 58'764 UPDATE.EXE-16FE79E0.pf
25.12.2007 21:54 44'198 RUNDLL32.EXE-13404D23.pf
25.12.2007 21:54 58'068 WGATRAY.EXE-0ED38BED.pf
25.12.2007 21:54 36'504 ALG.EXE-0F138680.pf
25.12.2007 21:50 67'114 MSIEXEC.EXE-2F8A8CAE.pf
25.12.2007 21:50 18'498 LSETUP.EXE-37ECF0AF.pf
25.12.2007 21:50 10'820 SEVINST.EXE-02050791.pf
25.12.2007 21:50 23'128 SEVINST.EXE-02E7491A.pf
25.12.2007 21:47 34'490 IDSINST.EXE-063B5EEB.pf
25.12.2007 21:47 14'212 ISPWDSVC.EXE-268FAE7E.pf
25.12.2007 21:46 22'728 MSI27E.TMP-2B52D2A2.pf
25.12.2007 21:45 10'244 SYMLCSVC.EXE-2A0ED518.pf
25.12.2007 21:41 50'998 {5AA2CD16-706F-41F3-87C5-2B5A-38FD449E.pf
25.12.2007 21:40 13'218 RUNDLL32.EXE-2AE6FCB0.pf
25.12.2007 21:40 36'490 SDTRAYAPP.EXE-1A2007EF.pf
25.12.2007 21:40 42'138 SWDOCTOR.EXE-13B584DD.pf
25.12.2007 21:40 57'842 SWDSVC.EXE-178874E9.pf
25.12.2007 21:39 59'880 SVCNTAUX.EXE-2857762E.pf
25.12.2007 21:39 20'794 UNINS000.EXE-1063764D.pf
25.12.2007 21:36 45'082 RUNDLL32.EXE-147710F4.pf
25.12.2007 21:28 5'410 NMBGMONITOR.EXE-0BC10095.pf
25.12.2007 21:28 7'666 GOOGLETOOLBARNOTIFIER.EXE-09E6E9C6.pf
25.12.2007 21:28 13'610 CTFMON.EXE-0E17969B.pf
25.12.2007 21:28 3'078 AVGNT.EXE-18356F59.pf
25.12.2007 21:28 29'878 MSASCUI.EXE-266B5613.pf
25.12.2007 21:28 22'454 PIFSVC.EXE-29FA40EF.pf
25.12.2007 21:27 25'056 RUNDLL32.EXE-1340EF7F.pf
25.12.2007 21:27 9'882 NWIZ.EXE-2D0F9FBC.pf
25.12.2007 21:27 15'752 RUNDLL32.EXE-415F88EC.pf
25.12.2007 21:27 13'692 READER_SL.EXE-1EA4C8B2.pf
25.12.2007 21:27 16'156 RUNDLL32.EXE-1218E1AC.pf
25.12.2007 21:27 12'054 JUSCHED.EXE-309E47F8.pf
25.12.2007 21:27 19'928 MHOTKEY.EXE-28F476F7.pf
25.12.2007 21:27 9'608 NEROCHECK.EXE-1BD71082.pf
25.12.2007 21:27 10'982 OSCHECK.EXE-28DA21EB.pf
25.12.2007 21:27 18'320 CCAPP.EXE-2EA3695D.pf
25.12.2007 21:27 55'796 IMAPI.EXE-0BF740A4.pf
25.12.2007 21:27 13'382 MPTBOX.EXE-3A18A4C9.pf
25.12.2007 21:27 47'824 EXPLORER.EXE-082F38A9.pf
25.12.2007 21:27 32'104 USERINIT.EXE-30B18140.pf
25.12.2007 21:26 125'560 MSIMN.EXE-0B61806C.pf
25.12.2007 21:22 40'458 SSAUTORN.EXE-26BC4D68.pf
25.12.2007 21:18 83'432 UPDATE.EXE-0C3CBDEF.pf
25.12.2007 21:12 45'266 LUCALLBACKPROXY.EXE-0B5F632D.pf
25.12.2007 21:09 61'566 MSMSGS.EXE-32066BA5.pf
25.12.2007 21:07 9'136 JAVA.EXE-0967259C.pf
25.12.2007 21:04 17'884 UPDATE.EXE-3A80F1D2.pf
25.12.2007 21:04 12'932 SYMLCSVC.EXE-04DC2DC5.pf
25.12.2007 21:04 13'206 PREUPD.EXE-18CBCD87.pf
25.12.2007 21:04 30'900 SYMLCSV1.EXE-342D0FE7.pf
25.12.2007 21:03 10'714 WANMPSVC.EXE-079295ED.pf
25.12.2007 21:03 31'852 APPSVC32.EXE-05291E4C.pf
25.12.2007 21:03 36'176 NVSVC32.EXE-1F9EED18.pf
24.12.2007 14:32 46'532 layout.ini
24.12.2007 11:42 60'260 NAVW32.EXE-2944DF24.pf
24.12.2007 10:42 9'714 SYMLCSV1.EXE-0EE21BE3.pf
24.12.2007 10:41 17'392 RUNDLL32.EXE-31610E45.pf
24.12.2007 10:41 17'312 RUNDLL32.EXE-1857459C.pf
24.12.2007 00:42 8'932 MPDBMGR.EXE-075E0CEC.pf
112 Datei(en) 4'662'848 Bytes
0 Verzeichnis(se), 15'166'689'280 Bytes frei

Verzeichnis von C:\WINDOWS\tasks

26.12.2007 12:26 322 MP Scheduled Scan.job
26.12.2007 12:23 6 SA.DAT
19.12.2007 22:24 276 AppleSoftwareUpdate.job

Verzeichnis von C:\WINDOWS\Temp

26.12.2007 12:26 524'288 TMP0000003230D00D609B127BCB
26.12.2007 12:23 409 WGANotify.settings
26.12.2007 12:23 255 WGAErrLog.txt
26.12.2007 02:04 3'646 MpCmdRun.log
26.12.2007 02:04 77 dw.log
22.12.2007 03:00 123 DFC5A2B2.TMP

Verzeichnis von C:\DOKUME~1\Florian\LOKALE~1\Temp

26.12.2007 12:29 692 jusched.log
26.12.2007 05:04 0 qtu5E9.tmp
26.12.2007 05:03 0 imc5E8.tmp
26.12.2007 05:03 0 qba5E7.tmp
26.12.2007 05:01 0 24w5DB.tmp
26.12.2007 04:59 0 7qm5D0.tmp
25.12.2007 21:51 386'900 Norton Setup 10,0,0 12-25-2007 21h41m20s.log
25.12.2007 21:50 160 isDel.bat
25.12.2007 21:50 6'856'698 Norton Internet Security 2007 Uninstall 12-25-2007 21h41m24s.log
25.12.2007 21:50 13'641 SYMEVENT.LOG
25.12.2007 21:48 5'266 SNDunin.log
25.12.2007 21:47 2'602 IDSinst.LOG
25.12.2007 21:43 9'780 srtUnin.log
25.12.2007 21:41 394 PreScan.log
25.12.2007 21:41 26'371 Uninstall Log 2007-12-25 #001.txt
25.12.2007 21:32 1'843 CC140.tmp
25.12.2007 21:32 1'922 CC139.tmp
25.12.2007 21:32 2'022 CC136.tmp
25.12.2007 21:32 1'904 CC135.tmp
25.12.2007 21:32 1'900 CC133.tmp
25.12.2007 21:32 1'949 CC132.tmp
25.12.2007 21:32 1'997 CC131.tmp
25.12.2007 21:32 1'984 CC130.tmp
25.12.2007 21:32 1'948 CC12F.tmp
25.12.2007 21:32 2'010 CC12E.tmp
25.12.2007 21:32 2'025 CC12B.tmp
25.12.2007 21:32 1'911 CC12A.tmp
25.12.2007 21:32 1'865 CC129.tmp
25.12.2007 21:32 1'880 CC128.tmp
25.12.2007 21:32 1'938 CC120.tmp
25.12.2007 21:32 2'012 CC11E.tmp
25.12.2007 21:32 1'974 CC122.tmp
25.12.2007 21:32 1'861 CC118.tmp
25.12.2007 21:32 1'916 CC11D.tmp
24.12.2007 17:02 1'968 wmplog00.sqm
22.12.2007 03:00 123 DFC5A2B2.TMP
06.12.2007 15:23 524 srtspsp.dat
05.12.2007 13:13 588 srtspse.dat
05.12.2007 13:13 2'204 srtspso.dat

Attachment: Activescan.txt

This post was edited on 26.12.2007 at 12:36 by Botaz.
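A triage pass over directory listings of the kind posted above, as an added example that is not part of the original thread. It parses the German Windows `dir` output format seen in the post (dd.mm.yyyy HH:MM timestamps, apostrophe thousands separators, `Verzeichnis von <path>` headers), then reports the two things a helper looks at first: executables or scripts sitting in a Temp directory (the infection itself was reported in C:\Windows\Temp), and everything modified inside the requested 30-day window. The embedded listing is a constructed excerpt of the post's own entries; the executable-extension list and the scan timestamp are assumptions of this example.

```python
"""Triage helper for German-locale Windows 'dir' listings (added example)."""
import re
from datetime import datetime, timedelta

# Constructed excerpt of the listing in the post above (same format, fewer rows).
SAMPLE_LISTING = """\
Datenträger in Laufwerk C: ist BOOT
Volumeseriennummer: 706A-702F

Verzeichnis von C:\\WINDOWS\\system32

04.12.2007 01:00 136'704 swsc.exe
03.12.2007 00:00 18'684'536 MRT.exe
25.12.2007 07:36 570'383 RVAXO.bat

Verzeichnis von C:\\WINDOWS\\Temp

26.12.2007 12:26 524'288 TMP0000003230D00D609B127BCB
22.12.2007 03:00 123 DFC5A2B2.TMP

Verzeichnis von C:\\DOKUME~1\\Florian\\LOKALE~1\\Temp

25.12.2007 21:50 160 isDel.bat
26.12.2007 05:04 0 qtu5E9.tmp
"""

DIR_HEADER = re.compile(r"^Verzeichnis von (.+)$")
# date, time, size (apostrophe-separated), name (may contain spaces)
ENTRY = re.compile(r"^(\d{2}\.\d{2}\.\d{4}) (\d{2}:\d{2}) ([\d']+) (.+)$")
# Assumed set of extensions that execute code; a fresh one in a Temp folder
# is the first candidate to inspect.
EXECUTABLE_EXT = {".exe", ".bat", ".cmd", ".dll", ".sys", ".scr",
                  ".pif", ".com", ".vbs", ".js"}
# Assumed timestamp of the listing (the newest entry in the post).
SCAN_TIME = datetime(2007, 12, 26, 12, 29)


def parse_listing(text):
    """Return (directory, mtime, size, name) tuples in listing order."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        header = DIR_HEADER.match(line)
        if header:
            current = header.group(1).strip()
            continue
        entry = ENTRY.match(line)
        if entry and current is not None:
            mtime = datetime.strptime(entry.group(1) + " " + entry.group(2),
                                      "%d.%m.%Y %H:%M")
            size = int(entry.group(3).replace("'", ""))
            entries.append((current, mtime, size, entry.group(4)))
    return entries


def is_temp_dir(path):
    """True for any directory whose last component is 'Temp' (case-insensitive)."""
    return path.lower().rstrip("\\").endswith("\\temp")


def triage(text, scan_time, window_days=30):
    """Flag entries worth a closer look.

    Returns {'exec_in_temp': [(dir, name)...], 'recent': [(dir, name)...]}:
    executables/scripts in a Temp directory, and files modified within
    window_days before scan_time.
    """
    cutoff = scan_time - timedelta(days=window_days)
    result = {"exec_in_temp": [], "recent": []}
    for directory, mtime, _size, name in parse_listing(text):
        ext = name[name.rfind("."):].lower() if "." in name else ""
        if is_temp_dir(directory) and ext in EXECUTABLE_EXT:
            result["exec_in_temp"].append((directory, name))
        if mtime >= cutoff:
            result["recent"].append((directory, name))
    return result


def triage_sample(window_days=30):
    """Run the triage over the embedded sample listing."""
    return triage(SAMPLE_LISTING, SCAN_TIME, window_days)


if __name__ == "__main__":
    report = triage_sample(30)
    for key, items in report.items():
        print(key)
        for directory, name in items:
            print("    " + directory + "\\" + name)
```

With the 30-day window the post asked for, every entry of the sample is "recent", which is why the second list (executables in Temp) is the more useful filter on a listing this size; narrowing the window to the days around the first symptom cuts the recent list down to the entries worth opening.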
02.01.2008, 17:07
Member
Thread starter, Posts: 16
#18
GMER 1.0.13.12551 - http://www.gmer.net
Rootkit scan 2008-01-02 17:05:02 Windows 5.1.2600 Service Pack 2 ---- System - GMER 1.0.13 ---- SSDT F7EBE754 ZwCreateThread SSDT F7EBE740 ZwOpenProcess SSDT F7EBE745 ZwOpenThread SSDT F7EBE74F ZwTerminateProcess SSDT F7EBE74A ZwWriteVirtualMemory ---- Kernel code sections - GMER 1.0.13 ---- ? C:\WINDOWS\Ejm04.sys Zugriff verweigert ? C:\WINDOWS\Ejm04.sys Zugriff verweigert ---- User IAT/EAT - GMER 1.0.13 ---- IAT C:\WINDOWS\Explorer.EXE[1548] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINDOWS\system32\ShimEng.dll IAT C:\WINDOWS\Explorer.EXE[1548] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINDOWS\system32\ShimEng.dll IAT C:\WINDOWS\Explorer.EXE[1548] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINDOWS\system32\ShimEng.dll IAT C:\WINDOWS\Explorer.EXE[1548] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINDOWS\system32\ShimEng.dll IAT C:\WINDOWS\Explorer.EXE[1548] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINDOWS\system32\ShimEng.dll IAT C:\WINDOWS\Explorer.EXE[1548] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINDOWS\system32\ShimEng.dll IAT C:\WINDOWS\Explorer.EXE[1548] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINDOWS\system32\ShimEng.dll IAT C:\WINDOWS\Explorer.EXE[1548] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINDOWS\system32\ShimEng.dll IAT C:\WINDOWS\Explorer.EXE[1548] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINDOWS\system32\ShimEng.dll IAT C:\WINDOWS\Explorer.EXE[1548] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINDOWS\system32\ShimEng.dll IAT C:\WINDOWS\Explorer.EXE[1548] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINDOWS\system32\ShimEng.dll IAT C:\WINDOWS\Explorer.EXE[1548] @ 
C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINDOWS\system32\ShimEng.dll IAT C:\WINDOWS\Explorer.EXE[1548] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINDOWS\system32\ShimEng.dll IAT C:\WINDOWS\Explorer.EXE[1548] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINDOWS\system32\ShimEng.dll IAT C:\WINDOWS\Explorer.EXE[1548] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINDOWS\system32\ShimEng.dll IAT C:\WINDOWS\Explorer.EXE[1548] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINDOWS\system32\ShimEng.dll IAT C:\WINDOWS\Explorer.EXE[1548] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINDOWS\system32\ShimEng.dll IAT C:\WINDOWS\Explorer.EXE[1548] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINDOWS\system32\ShimEng.dll IAT C:\WINDOWS\Explorer.EXE[1548] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINDOWS\system32\ShimEng.dll IAT C:\WINDOWS\Explorer.EXE[1548] @ C:\WINDOWS\system32\USERENV.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINDOWS\system32\ShimEng.dll IAT C:\WINDOWS\Explorer.EXE[1548] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINDOWS\system32\ShimEng.dll IAT C:\WINDOWS\Explorer.EXE[1548] @ C:\WINDOWS\System32\Secur32.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINDOWS\system32\ShimEng.dll IAT C:\WINDOWS\Explorer.EXE[1548] @ C:\WINDOWS\system32\USERENV.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINDOWS\system32\ShimEng.dll IAT C:\WINDOWS\Explorer.EXE[1548] @ C:\WINDOWS\system32\PSAPI.DLL [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINDOWS\system32\ShimEng.dll IAT C:\WINDOWS\Explorer.EXE[1548] @ C:\WINDOWS\System32\Secur32.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINDOWS\system32\ShimEng.dll IAT C:\WINDOWS\Explorer.EXE[1548] @ 
C:\WINDOWS\system32\iphlpapi.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINDOWS\system32\ShimEng.dll IAT C:\WINDOWS\Explorer.EXE[1548] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINDOWS\system32\ShimEng.dll IAT C:\WINDOWS\Explorer.EXE[1548] @ C:\WINDOWS\system32\PSAPI.DLL [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINDOWS\system32\ShimEng.dll IAT C:\WINDOWS\Explorer.EXE[1548] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINDOWS\system32\ShimEng.dll IAT C:\WINDOWS\Explorer.EXE[1548] @ C:\WINDOWS\system32\iphlpapi.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINDOWS\system32\ShimEng.dll IAT C:\WINDOWS\Explorer.EXE[1548] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINDOWS\system32\ShimEng.dll IAT C:\WINDOWS\Explorer.EXE[1548] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINDOWS\system32\ShimEng.dll Device \Ntfs IRP_MJ_CREATE [F7A087F0] Ejm04.sys Device \Ntfs IRP_MJ_CLOSE [F76250EA] Ntfs.sys Device \Ntfs IRP_MJ_CLOSE [F76250EA] Ntfs.sys Device \Ntfs IRP_MJ_READ [F7602F3B] Ntfs.sys Device \Ntfs IRP_MJ_READ [F7602F3B] Ntfs.sys Device \Ntfs IRP_MJ_WRITE [F7601B57] Ntfs.sys Device \Ntfs IRP_MJ_WRITE [F7601B57] Ntfs.sys Device \Ntfs IRP_MJ_QUERY_INFORMATION [F76262B9] Ntfs.sys Device \Ntfs IRP_MJ_QUERY_INFORMATION [F76262B9] Ntfs.sys Device \Ntfs IRP_MJ_SET_INFORMATION [F7603618] Ntfs.sys Device \Ntfs IRP_MJ_QUERY_EA [F76262B9] Ntfs.sys Device \Ntfs IRP_MJ_QUERY_EA [F76262B9] Ntfs.sys Device \Ntfs IRP_MJ_SET_EA [F76262B9] Ntfs.sys Device \Ntfs IRP_MJ_SET_EA [F76262B9] Ntfs.sys Device \Ntfs IRP_MJ_FLUSH_BUFFERS [F763FEC8] Ntfs.sys Device \Ntfs IRP_MJ_FLUSH_BUFFERS [F763FEC8] Ntfs.sys Device \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION [F7626404] Ntfs.sys Device \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION [F7626404] Ntfs.sys Device \Ntfs IRP_MJ_SET_VOLUME_INFORMATION [F7626404] Ntfs.sys Device \Ntfs IRP_MJ_DIRECTORY_CONTROL [F7627FBD] Ntfs.sys 
Device \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL [F762A758] Ntfs.sys Device \Ntfs IRP_MJ_DEVICE_CONTROL [F7626404] Ntfs.sys Device \Ntfs IRP_MJ_SHUTDOWN [F76145AF] Ntfs.sys Device \Ntfs IRP_MJ_LOCK_CONTROL [F7679AA3] Ntfs.sys Device \Ntfs IRP_MJ_CLEANUP [F7625AB8] Ntfs.sys Device \Ntfs IRP_MJ_QUERY_SECURITY [F7626404] Ntfs.sys Device \Ntfs IRP_MJ_SET_SECURITY [F7626404] Ntfs.sys Device \Ntfs IRP_MJ_QUERY_QUOTA [F76262B9] Ntfs.sys Device \Ntfs IRP_MJ_SET_QUOTA [F76262B9] Ntfs.sys Device \Ntfs IRP_MJ_PNP [F76427F0] Ntfs.sys Device \Ntfs FastIoCheckIfPossible [F7639EDA] Ntfs.sys Device \Ntfs FastIoRead [F7620B57] Ntfs.sys Device \Ntfs FastIoWrite [F763F448] Ntfs.sys Device \Ntfs FastIoQueryBasicInfo [F762648E] Ntfs.sys Device \Ntfs FastIoQueryStandardInfo [F7624F7E] Ntfs.sys Device \Ntfs FastIoLock [F76400F2] Ntfs.sys Device \Ntfs FastIoUnlockSingle [F76401F8] Ntfs.sys Device \Ntfs FastIoUnlockAll [F76796AE] Ntfs.sys Device \Ntfs FastIoUnlockAllByKey [F76797F3] Ntfs.sys Device \Ntfs AcquireFileForNtCreateSection [F762083A] Ntfs.sys Device \Ntfs ReleaseFileForNtCreateSection [F7620881] Ntfs.sys Device \Ntfs FastIoQueryNetworkOpenInfo [F7667E1D] Ntfs.sys Device \Ntfs AcquireForModWrite [F762CA10] Ntfs.sys Device \Ntfs MdlRead [F7667F31] Ntfs.sys Device \Ntfs PrepareMdlWrite [F76682AB] Ntfs.sys Device \Ntfs FastIoQueryOpen [F7624DB8] Ntfs.sys Device \Ntfs AcquireForCcFlush [F76206E2] Ntfs.sys Device \Ntfs ReleaseForCcFlush [F7620708] Ntfs.sys AttachedDevice \Ntfs IRP_MJ_CREATE_NAMED_PIPE [F76C61DE] fltmgr.sys AttachedDevice \Ntfs IRP_MJ_CLOSE [F76B9F4C] fltmgr.sys AttachedDevice \Ntfs IRP_MJ_READ [F76B9F4C] fltmgr.sys AttachedDevice \Ntfs IRP_MJ_WRITE [F76B9F4C] fltmgr.sys AttachedDevice \Ntfs IRP_MJ_QUERY_INFORMATION [F76B9F4C] fltmgr.sys AttachedDevice \Ntfs IRP_MJ_SET_INFORMATION [F76B9F4C] fltmgr.sys AttachedDevice \Ntfs IRP_MJ_QUERY_EA [F76B9F4C] fltmgr.sys AttachedDevice \Ntfs IRP_MJ_SET_EA [F76B9F4C] fltmgr.sys AttachedDevice \Ntfs IRP_MJ_FLUSH_BUFFERS [F76B9F4C] 
fltmgr.sys AttachedDevice \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION [F76B9F4C] fltmgr.sys AttachedDevice \Ntfs IRP_MJ_SET_VOLUME_INFORMATION [F76B9F4C] fltmgr.sys AttachedDevice \Ntfs IRP_MJ_DIRECTORY_CONTROL [F76B9F4C] fltmgr.sys AttachedDevice \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL [F76C6454] fltmgr.sys AttachedDevice \Ntfs IRP_MJ_DEVICE_CONTROL [F76B9F4C] fltmgr.sys AttachedDevice \Ntfs IRP_MJ_INTERNAL_DEVICE_CONTROL [F76B9F4C] fltmgr.sys AttachedDevice \Ntfs IRP_MJ_SHUTDOWN [F76B9F4C] fltmgr.sys AttachedDevice \Ntfs IRP_MJ_LOCK_CONTROL [F76B9F4C] fltmgr.sys AttachedDevice \Ntfs IRP_MJ_CLEANUP [F76B9F4C] fltmgr.sys AttachedDevice \Ntfs IRP_MJ_CREATE_MAILSLOT [F76C61DE] fltmgr.sys AttachedDevice \Ntfs IRP_MJ_QUERY_SECURITY [F76B9F4C] fltmgr.sys AttachedDevice \Ntfs IRP_MJ_SET_SECURITY [F76B9F4C] fltmgr.sys AttachedDevice \Ntfs IRP_MJ_POWER [F76B9F4C] fltmgr.sys AttachedDevice \Ntfs IRP_MJ_SYSTEM_CONTROL [F76B9F4C] fltmgr.sys AttachedDevice \Ntfs IRP_MJ_DEVICE_CHANGE [F76B9F4C] fltmgr.sys AttachedDevice \Ntfs IRP_MJ_QUERY_QUOTA [F76B9F4C] fltmgr.sys AttachedDevice \Ntfs IRP_MJ_SET_QUOTA [F76B9F4C] fltmgr.sys Device \FatCdrom IRP_MJ_CREATE [F7A087F0] Ejm04.sys Device \FatCdrom IRP_MJ_CLOSE [F55BE7C8] Fastfat.SYS Device \FatCdrom IRP_MJ_READ [F55BA60A] Fastfat.SYS Device \FatCdrom IRP_MJ_WRITE [F55BAAED] Fastfat.SYS Device \FatCdrom IRP_MJ_QUERY_INFORMATION [F55C5958] Fastfat.SYS Device \FatCdrom IRP_MJ_SET_INFORMATION [F55C8821] Fastfat.SYS Device \FatCdrom IRP_MJ_QUERY_EA [F55D138A] Fastfat.SYS Device \FatCdrom IRP_MJ_SET_EA [F55D0D49] Fastfat.SYS Device \FatCdrom IRP_MJ_FLUSH_BUFFERS [F55CABBE] Fastfat.SYS Device \FatCdrom IRP_MJ_QUERY_VOLUME_INFORMATION [F55CB331] Fastfat.SYS Device \FatCdrom IRP_MJ_SET_VOLUME_INFORMATION [F55D94F4] Fastfat.SYS Device \FatCdrom IRP_MJ_DIRECTORY_CONTROL [F55C1B37] Fastfat.SYS Device \FatCdrom IRP_MJ_FILE_SYSTEM_CONTROL [F55BD948] Fastfat.SYS Device \FatCdrom IRP_MJ_DEVICE_CONTROL [F55C746B] Fastfat.SYS Device \FatCdrom IRP_MJ_SHUTDOWN 
[F55D879D] Fastfat.SYS Device \FatCdrom IRP_MJ_LOCK_CONTROL [F55D7C4A] Fastfat.SYS Device \FatCdrom IRP_MJ_CLEANUP [F55BE2FD] Fastfat.SYS Device \FatCdrom IRP_MJ_PNP [F55D81DB] Fastfat.SYS Device \FatCdrom FastIoCheckIfPossible [F55D31F9] Fastfat.SYS Device \FatCdrom FastIoQueryBasicInfo [F55C2646] Fastfat.SYS Device \FatCdrom FastIoQueryStandardInfo [F55C2405] Fastfat.SYS Device \FatCdrom FastIoLock [F55C89F3] Fastfat.SYS Device \FatCdrom FastIoUnlockSingle [F55CB518] Fastfat.SYS Device \FatCdrom FastIoUnlockAll [F55D7929] Fastfat.SYS Device \FatCdrom FastIoUnlockAllByKey [F55D7A21] Fastfat.SYS Device \FatCdrom FastIoQueryNetworkOpenInfo [F55D328E] Fastfat.SYS Device \FatCdrom AcquireForCcFlush [F55D84A6] Fastfat.SYS Device \FatCdrom ReleaseForCcFlush [F55D851F] Fastfat.SYS Device \UdfsCdRom IRP_MJ_CREATE [F7A087F0] Ejm04.sys Device \UdfsCdRom IRP_MJ_CLOSE [B7B1BCAA] Udfs.SYS Device \UdfsCdRom IRP_MJ_READ [B7B1BCAA] Udfs.SYS Device \UdfsCdRom IRP_MJ_WRITE [B7B1BCAA] Udfs.SYS Device \UdfsCdRom IRP_MJ_QUERY_INFORMATION [B7B1BCAA] Udfs.SYS Device \UdfsCdRom IRP_MJ_SET_INFORMATION [B7B1BCAA] Udfs.SYS Device \UdfsCdRom IRP_MJ_QUERY_VOLUME_INFORMATION [B7B1BCAA] Udfs.SYS Device \UdfsCdRom IRP_MJ_DIRECTORY_CONTROL [B7B1BCAA] Udfs.SYS Device \UdfsCdRom IRP_MJ_FILE_SYSTEM_CONTROL [B7B1BCAA] Udfs.SYS Device \UdfsCdRom IRP_MJ_DEVICE_CONTROL [B7B1BCAA] Udfs.SYS Device \UdfsCdRom IRP_MJ_LOCK_CONTROL [B7B1BCAA] Udfs.SYS Device \UdfsCdRom IRP_MJ_CLEANUP [B7B1BCAA] Udfs.SYS Device \UdfsCdRom IRP_MJ_PNP [B7B1BCAA] Udfs.SYS Device \UdfsCdRom FastIoCheckIfPossible [B7B2756E] Udfs.SYS Device \UdfsCdRom AcquireFileForNtCreateSection [B7B256CC] Udfs.SYS Device \UdfsCdRom ReleaseFileForNtCreateSection [B7B25702] Udfs.SYS Device \FileSystem\Mup \Dfs IRP_MJ_CREATE [F7A087F0] Ejm04.sys Device \UdfsDisk IRP_MJ_CREATE [F7A087F0] Ejm04.sys Device \UdfsDisk IRP_MJ_CLOSE [B7B1BCAA] Udfs.SYS Device \UdfsDisk IRP_MJ_READ [B7B1BCAA] Udfs.SYS Device \UdfsDisk IRP_MJ_WRITE [B7B1BCAA] Udfs.SYS Device 
\UdfsDisk IRP_MJ_QUERY_INFORMATION [B7B1BCAA] Udfs.SYS Device \UdfsDisk IRP_MJ_SET_INFORMATION [B7B1BCAA] Udfs.SYS Device \UdfsDisk IRP_MJ_QUERY_VOLUME_INFORMATION [B7B1BCAA] Udfs.SYS Device \UdfsDisk IRP_MJ_DIRECTORY_CONTROL [B7B1BCAA] Udfs.SYS Device \UdfsDisk IRP_MJ_FILE_SYSTEM_CONTROL [B7B1BCAA] Udfs.SYS Device \UdfsDisk IRP_MJ_DEVICE_CONTROL [B7B1BCAA] Udfs.SYS Device \UdfsDisk IRP_MJ_LOCK_CONTROL [B7B1BCAA] Udfs.SYS Device \UdfsDisk IRP_MJ_CLEANUP [B7B1BCAA] Udfs.SYS Device \UdfsDisk IRP_MJ_PNP [B7B1BCAA] Udfs.SYS Device \UdfsDisk FastIoCheckIfPossible [B7B2756E] Udfs.SYS Device \UdfsDisk AcquireFileForNtCreateSection [B7B256CC] Udfs.SYS Device \UdfsDisk ReleaseFileForNtCreateSection [B7B25702] Udfs.SYS Device \FileSystem\RAW \Device\RawTape IRP_MJ_CREATE [F7A087F0] Ejm04.sys Device \FileSystem\MRxDAV \Device\WebDavRedirector IRP_MJ_CREATE [F7A087F0] Ejm04.sys Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_INTERNAL_DEVICE_CONTROL [F79FED60] sfsync02.sys Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_INTERNAL_DEVICE_CONTROL [F79FED60] sfsync02.sys Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_INTERNAL_DEVICE_CONTROL [F79FED60] sfsync02.sys Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_INTERNAL_DEVICE_CONTROL [F79FED60] sfsync02.sys Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-17 IRP_MJ_INTERNAL_DEVICE_CONTROL [F79FED60] sfsync02.sys Device \Driver\USBSTOR \Device\00000080 IRP_MJ_INTERNAL_DEVICE_CONTROL [F79FED60] sfsync02.sys Device \Driver\USBSTOR \Device\00000081 IRP_MJ_INTERNAL_DEVICE_CONTROL [F79FED60] sfsync02.sys Device \Driver\USBSTOR \Device\00000082 IRP_MJ_INTERNAL_DEVICE_CONTROL [F79FED60] sfsync02.sys Device \Driver\mcdbus \Device\00000077 IRP_MJ_INTERNAL_DEVICE_CONTROL [F79FED60] sfsync02.sys Device \Driver\mcdbus \Device\mcdbus IRP_MJ_INTERNAL_DEVICE_CONTROL [F79FED60] sfsync02.sys Device \FileSystem\Mup \Device\Mup IRP_MJ_CREATE [F7A087F0] Ejm04.sys Device \Device\RawDisk IRP_MJ_CREATE [F7A087F0] Ejm04.sys Device 
\FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CREATE [F7A087F0] Ejm04.sys Device \Device\LanmanRedirector IRP_MJ_CREATE [F7A087F0] Ejm04.sys Device \Device\LanmanRedirector IRP_MJ_CREATE_NAMED_PIPE [F572C209] mrxsmb.sys Device \Device\LanmanRedirector IRP_MJ_CLOSE [F572C209] mrxsmb.sys Device \Device\LanmanRedirector IRP_MJ_READ [F572C209] mrxsmb.sys Device \Device\LanmanRedirector IRP_MJ_WRITE [F572C209] mrxsmb.sys Device \Device\LanmanRedirector IRP_MJ_QUERY_INFORMATION [F572C209] mrxsmb.sys Device \Device\LanmanRedirector IRP_MJ_SET_INFORMATION [F572C209] mrxsmb.sys Device \Device\LanmanRedirector IRP_MJ_QUERY_EA [F572C209] mrxsmb.sys Device \Device\LanmanRedirector IRP_MJ_SET_EA [F572C209] mrxsmb.sys Device \Device\LanmanRedirector IRP_MJ_FLUSH_BUFFERS [F572C209] mrxsmb.sys Device \Device\LanmanRedirector IRP_MJ_QUERY_VOLUME_INFORMATION [F572C209] mrxsmb.sys Device \Device\LanmanRedirector IRP_MJ_SET_VOLUME_INFORMATION [F572C209] mrxsmb.sys Device \Device\LanmanRedirector IRP_MJ_DIRECTORY_CONTROL [F572C209] mrxsmb.sys Device \Device\LanmanRedirector IRP_MJ_FILE_SYSTEM_CONTROL [F572C209] mrxsmb.sys Device \Device\LanmanRedirector IRP_MJ_DEVICE_CONTROL [F572C209] mrxsmb.sys Device \Device\LanmanRedirector IRP_MJ_INTERNAL_DEVICE_CONTROL [F572C209] mrxsmb.sys Device \Device\LanmanRedirector IRP_MJ_SHUTDOWN [F572C209] mrxsmb.sys Device \Device\LanmanRedirector IRP_MJ_LOCK_CONTROL [F572C209] mrxsmb.sys Device \Device\LanmanRedirector IRP_MJ_CLEANUP [F572C209] mrxsmb.sys Device \Device\LanmanRedirector IRP_MJ_CREATE_MAILSLOT [F572C209] mrxsmb.sys Device \Device\LanmanRedirector IRP_MJ_QUERY_SECURITY [F572C209] mrxsmb.sys Device \Device\LanmanRedirector IRP_MJ_SET_SECURITY [F572C209] mrxsmb.sys Device \Device\LanmanRedirector IRP_MJ_POWER [F572C209] mrxsmb.sys Device \Device\LanmanRedirector IRP_MJ_SYSTEM_CONTROL [F572C209] mrxsmb.sys Device \Device\LanmanRedirector IRP_MJ_DEVICE_CHANGE [F572C209] mrxsmb.sys Device \Device\LanmanRedirector IRP_MJ_QUERY_QUOTA 
[F572C209] mrxsmb.sys Device \Device\LanmanRedirector IRP_MJ_SET_QUOTA [F572C209] mrxsmb.sys Device \Device\LanmanRedirector IRP_MJ_PNP [F572C209] mrxsmb.sys Device \Driver\USBSTOR \Device\0000007e IRP_MJ_INTERNAL_DEVICE_CONTROL [F79FED60] sfsync02.sys Device \Driver\USBSTOR \Device\0000007f IRP_MJ_INTERNAL_DEVICE_CONTROL [F79FED60] sfsync02.sys Device \Device\RawCdRom IRP_MJ_CREATE [F7A087F0] Ejm04.sys Device \FileSystem\Mup \Device\WinDfs\Root IRP_MJ_CREATE [F7A087F0] Ejm04.sys Device \Fat IRP_MJ_CREATE [F7A087F0] Ejm04.sys Device \Fat IRP_MJ_CLOSE [F55BE7C8] Fastfat.SYS Device \Fat IRP_MJ_READ [F55BA60A] Fastfat.SYS Device \Fat IRP_MJ_WRITE [F55BAAED] Fastfat.SYS Device \Fat IRP_MJ_QUERY_INFORMATION [F55C5958] Fastfat.SYS Device \Fat IRP_MJ_SET_INFORMATION [F55C8821] Fastfat.SYS Device \Fat IRP_MJ_QUERY_EA [F55D138A] Fastfat.SYS Device \Fat IRP_MJ_SET_EA [F55D0D49] Fastfat.SYS Device \Fat IRP_MJ_FLUSH_BUFFERS [F55CABBE] Fastfat.SYS Device \Fat IRP_MJ_QUERY_VOLUME_INFORMATION [F55CB331] Fastfat.SYS Device \Fat IRP_MJ_SET_VOLUME_INFORMATION [F55D94F4] Fastfat.SYS Device \Fat IRP_MJ_DIRECTORY_CONTROL [F55C1B37] Fastfat.SYS Device \Fat IRP_MJ_FILE_SYSTEM_CONTROL [F55BD948] Fastfat.SYS Device \Fat IRP_MJ_DEVICE_CONTROL [F55C746B] Fastfat.SYS Device \Fat IRP_MJ_SHUTDOWN [F55D879D] Fastfat.SYS Device \Fat IRP_MJ_LOCK_CONTROL [F55D7C4A] Fastfat.SYS Device \Fat IRP_MJ_CLEANUP [F55BE2FD] Fastfat.SYS Device \Fat IRP_MJ_PNP [F55D81DB] Fastfat.SYS Device \Fat FastIoCheckIfPossible [F55D31F9] Fastfat.SYS Device \Fat FastIoQueryBasicInfo [F55C2646] Fastfat.SYS Device \Fat FastIoQueryStandardInfo [F55C2405] Fastfat.SYS Device \Fat FastIoLock [F55C89F3] Fastfat.SYS Device \Fat FastIoUnlockSingle [F55CB518] Fastfat.SYS Device \Fat FastIoUnlockAll [F55D7929] Fastfat.SYS Device \Fat FastIoUnlockAllByKey [F55D7A21] Fastfat.SYS Device \Fat FastIoQueryNetworkOpenInfo [F55D328E] Fastfat.SYS Device \Fat AcquireForCcFlush [F55D84A6] Fastfat.SYS Device \Fat ReleaseForCcFlush [F55D851F] 
Fastfat.SYS AttachedDevice \Fat IRP_MJ_CREATE_NAMED_PIPE [F76C61DE] fltmgr.sys AttachedDevice \Fat IRP_MJ_CLOSE [F76B9F4C] fltmgr.sys AttachedDevice \Fat IRP_MJ_READ [F76B9F4C] fltmgr.sys AttachedDevice \Fat IRP_MJ_WRITE [F76B9F4C] fltmgr.sys AttachedDevice \Fat IRP_MJ_QUERY_INFORMATION [F76B9F4C] fltmgr.sys AttachedDevice \Fat IRP_MJ_SET_INFORMATION [F76B9F4C] fltmgr.sys AttachedDevice \Fat IRP_MJ_QUERY_EA [F76B9F4C] fltmgr.sys AttachedDevice \Fat IRP_MJ_SET_EA [F76B9F4C] fltmgr.sys AttachedDevice \Fat IRP_MJ_FLUSH_BUFFERS [F76B9F4C] fltmgr.sys AttachedDevice \Fat IRP_MJ_QUERY_VOLUME_INFORMATION [F76B9F4C] fltmgr.sys AttachedDevice \Fat IRP_MJ_SET_VOLUME_INFORMATION [F76B9F4C] fltmgr.sys AttachedDevice \Fat IRP_MJ_DIRECTORY_CONTROL [F76B9F4C] fltmgr.sys AttachedDevice \Fat IRP_MJ_FILE_SYSTEM_CONTROL [F76C6454] fltmgr.sys AttachedDevice \Fat IRP_MJ_DEVICE_CONTROL [F76B9F4C] fltmgr.sys AttachedDevice \Fat IRP_MJ_INTERNAL_DEVICE_CONTROL [F76B9F4C] fltmgr.sys AttachedDevice \Fat IRP_MJ_SHUTDOWN [F76B9F4C] fltmgr.sys AttachedDevice \Fat IRP_MJ_LOCK_CONTROL [F76B9F4C] fltmgr.sys AttachedDevice \Fat IRP_MJ_CLEANUP [F76B9F4C] fltmgr.sys AttachedDevice \Fat IRP_MJ_CREATE_MAILSLOT [F76C61DE] fltmgr.sys AttachedDevice \Fat IRP_MJ_QUERY_SECURITY [F76B9F4C] fltmgr.sys AttachedDevice \Fat IRP_MJ_SET_SECURITY [F76B9F4C] fltmgr.sys AttachedDevice \Fat IRP_MJ_POWER [F76B9F4C] fltmgr.sys AttachedDevice \Fat IRP_MJ_SYSTEM_CONTROL [F76B9F4C] fltmgr.sys AttachedDevice \Fat IRP_MJ_DEVICE_CHANGE [F76B9F4C] fltmgr.sys AttachedDevice \Fat IRP_MJ_QUERY_QUOTA [F76B9F4C] fltmgr.sys AttachedDevice \Fat IRP_MJ_SET_QUOTA [F76B9F4C] fltmgr.sys Device \Cdfs IRP_MJ_CREATE [F7A087F0] Ejm04.sys Device \Cdfs IRP_MJ_CLOSE [F799E400] Cdfs.SYS Device \Cdfs IRP_MJ_READ [F799E400] Cdfs.SYS Device \Cdfs IRP_MJ_QUERY_INFORMATION [F799E400] Cdfs.SYS Device \Cdfs IRP_MJ_SET_INFORMATION [F799E400] Cdfs.SYS Device \Cdfs IRP_MJ_QUERY_VOLUME_INFORMATION [F799E400] Cdfs.SYS Device \Cdfs IRP_MJ_DIRECTORY_CONTROL 
[F799E400] Cdfs.SYS Device \Cdfs IRP_MJ_FILE_SYSTEM_CONTROL [F799E400] Cdfs.SYS Device \Cdfs IRP_MJ_DEVICE_CONTROL [F799E400] Cdfs.SYS Device \Cdfs IRP_MJ_SHUTDOWN [F79A1C74] Cdfs.SYS Device \Cdfs IRP_MJ_LOCK_CONTROL [F799E400] Cdfs.SYS Device \Cdfs IRP_MJ_CLEANUP [F799E400] Cdfs.SYS Device \Cdfs IRP_MJ_PNP [F799E400] Cdfs.SYS Device \Cdfs FastIoCheckIfPossible [F79A1BCE] Cdfs.SYS Device \Cdfs FastIoQueryBasicInfo [F79A640D] Cdfs.SYS Device \Cdfs FastIoQueryStandardInfo [F79A64F1] Cdfs.SYS Device \Cdfs FastIoLock [F79A7EE7] Cdfs.SYS Device \Cdfs FastIoUnlockSingle [F79A8059] Cdfs.SYS Device \Cdfs FastIoUnlockAll [F79A81E0] Cdfs.SYS Device \Cdfs FastIoUnlockAllByKey [F79A8341] Cdfs.SYS Device \Cdfs AcquireFileForNtCreateSection [F79A9E7A] Cdfs.SYS Device \Cdfs ReleaseFileForNtCreateSection [F79A9EAD] Cdfs.SYS Device \Cdfs FastIoQueryNetworkOpenInfo [F79A65DB] Cdfs.SYS ---- Processes - GMER 1.0.13 ---- Process hidden process (*** hidden *** ) 8912 Process hidden process (*** hidden *** ) 9072 Process hidden process (*** hidden *** ) 9088 Process hidden process (*** hidden *** ) 9092 Process hidden process (*** hidden *** ) 9412 Process hidden process (*** hidden *** ) 21216 Process hidden process (*** hidden *** ) 21636 Process hidden process (*** hidden *** ) 26956 Process hidden process (*** hidden *** ) 47192 Process hidden process (*** hidden *** ) 61712 Process hidden process (*** hidden *** ) 8912 Process hidden process (*** hidden *** ) 9072 Process hidden process (*** hidden *** ) 9088 Process hidden process (*** hidden *** ) 9092 Process hidden process (*** hidden *** ) 9412 Process hidden process (*** hidden *** ) 21216 Process hidden process (*** hidden *** ) 21636 Process hidden process (*** hidden *** ) 26956 Process hidden process (*** hidden *** ) 47192 Process hidden process (*** hidden *** ) 61712 ---- Files - GMER 1.0.13 ---- ADS C:\Dokumente und Einstellungen\Florian\Favoriten\Schule\Herzlich willkommen! 
:favicon ADS C:\Dokumente und Einstellungen\Florian\Favoriten\Schule\Herzlich willkommen! :favicon ADS C:\Dokumente und Einstellungen\Florian\Favoriten\Schwimmen\:favicon ADS C:\Dokumente und Einstellungen\Florian\Favoriten\Schwimmen\:favicon ---- EOF - GMER 1.0.13 ----
After that the program stopped because it had found a rootkit...
01/02/08 17:09:17 [Info]: BlackLight Engine 1.0.67 initialized
01/02/08 17:09:17 [Info]: OS: 5.1 build 2600 (Service Pack 2)
01/02/08 17:09:18 [Note]: 7019 4
01/02/08 17:09:18 [Note]: 7005 0
01/02/08 17:09:23 [Note]: 7006 0
01/02/08 17:09:23 [Note]: 7011 1548
01/02/08 17:09:23 [Note]: 7026 0
01/02/08 17:09:23 [Note]: 7026 0
01/02/08 17:09:29 [Note]: FSRAW library version 1.7.1024
01/02/08 17:13:28 [Error]: 4028 34
01/02/08 17:26:58 [Error]: 4028 34
01/02/08 17:26:59 [Note]: 2000 1012
01/02/08 17:27:23 [Note]: 7007 0
This post was edited on 02.01.2008 at 17:44 by Botaz.
02.01.2008, 17:54
Honorary member
Posts: 1441
#19
Botaz
« Use Avenger as described in the instructions: http://www.virus-protect.org/artikel/tools/avenger.html
Paste in:
Quote
Files to delete:
»» Run CCleaner: http://www.virus-protect.org/ccleaner.html
»» Run catchme and post the log: http://www.virus-protect.org/catchme.html
«« Run SDFix in Safe Mode and post the report here: http://www.virus-protect.org/artikel/tools/sdfix.html
__________
Regards, Pinguin
I am currently updating my site + programs: http://www.virus-protect.org/
02.01.2008, 18:02
Moderator
Posts: 7805
#20
Regarding the file C:\WINDOWS\Ejm04.sys: could you send it to virus@protecus.de?
Some preparation is needed for that. You have a folder named Qombofix on drive C. In it there is a file catchme.cfexe; please rename it to catchme.exe and start it. Go to the "script" tab and enter the following there:
files:
C:\WINDOWS\Ejm04.sys
Then press Run. You now have a zip file named catchme.zip on the desktop. You can then send that one.
__________
Regards, Ralf
SEO-Spam Hunter
02.01.2008, 18:19
Member
Thread starter, Posts: 16
#21
I already deleted Qombofix following Arnold's instructions (see page 1).
02.01.2008, 18:34
Member
Thread starter, Posts: 16
#22
Avenger gives me the following:
fatal error: could not create a new script file
error code: 0
Quote
raman posted
This post was edited on 02.01.2008 at 18:38 by Botaz.
02.01.2008, 18:58
Moderator
Posts: 7805
#23
Hm, nothing has arrived here yet. Otherwise upload the file here:
http://forum.hijackthis.de/showpost.php?p=157529&postcount=2
Keep in mind that you will not see the file once you have submitted the post.
__________
Regards, Ralf
SEO-Spam Hunter
02.01.2008, 19:11
Member
Thread starter, Posts: 16
#24
Is it normal that the Task Manager shows me 4 processes, namely iexplorer.exe, all of which are run by the system?
You meant an e-mail with the folder as attachment, right? I have posted it here now: http://thespykiller.co.uk/index.php/topic,5618.new.html#new?PHPSESSID=01ae9a512a6dcf0b0b35e1145c261d4b
This post was edited on 02.01.2008 at 19:15 by Botaz.
02.01.2008, 19:20
Moderator
Posts: 7805
#25
I have the file. It just took a long time. It looks very odd. I need to look at it more closely. IExplorer should not be running at all, and certainly not as "system".
__________
Regards, Ralf
SEO-Spam Hunter
02.01.2008, 19:40
Moderator
Posts: 7805
#26
That is a rootkit. The question now is whether you would rather wipe the computer straight away (some system files are apparently replaced) or attempt a cleanup. The rootkit has stolen every password you used and saved on the computer....
__________
Regards, Ralf
SEO-Spam Hunter
02.01.2008, 19:41
Moderator
Posts: 7805
#27
Could you create a report with Gmer 1.014 beta?
http://www2.gmer.net/beta/
__________
Regards, Ralf
SEO-Spam Hunter
03.01.2008, 20:47
Member
Thread starter, Posts: 16
#28
Since today the message appears: "Generic Host Process for Win32 Services has encountered a problem and needs to close."
If the window is clicked away, the PC shuts down after a minute (NT AUTHORITY\System).
Your tip? Wipe the PC? Then everything gets deleted, right? Can I save files to external hard drives without the virus coming along?
03.01.2008, 20:50
Moderator
Posts: 7805
#29
Yes, backing up your data without the virus is perfectly possible. You just must not back up any executable files. If you make a backup, check on another computer that the data is really there and complete.
__________
Regards, Ralf
SEO-Spam Hunter
03.01.2008, 20:55
Member
Thread starter, Posts: 16
#30
How exactly do you wipe the computer again?;-)
After that everything should be OK!? And about the passwords: do I have to create new ones for all passwords afterwards, including the ones on the internet?
http://members.linzag.net/680262/filelist.zip
Post the last 30 days from each directory.
Download an antivirus program. Norton would be my choice!
Please run all of these rootkit scans:
http://www.hijackthis-forum.de/showthread.php?t=20219
catchme:
http://www.hijackthis-forum.de/showthread.php?t=26821
Post all logs!