Computer Juice > Computer Software > Virus, Spyware & Security

IEXPLORER.EXE virus pls review Hijack log

#1 | 21 Sep 2008, 12:02 | New member

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:01:37, on 9/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\Winlogon.exe
C:\WINDOWS\system32\Services.exe
C:\WINDOWS\system32\Lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Svchost.exe
C:\WINDOWS\system32\Svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\Svchost.exe
C:\WINDOWS\system32\Svchost.exe
C:\WINDOWS\system32\Svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\Spoolsv.exe
C:\WINDOWS\system32\Svchost.exe
C:\Centenn.ial\Revision\CAgent32.exe
C:\Centenn.ial\Revision\xferwan.exe
C:\Program Files\Cisco VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\WINDOWS\System32\TPHDEXLG.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
c:\_integra\bin\ccmagent.exe
c:\Program Files\Lenovo\system update\suservice.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\calc.exe
C:\WINDOWS\system32\calc.exe
c:\_integra\bin\shstart.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\tp4mon.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
C:\WINDOWS\system32\TpShocks.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\Ctfmon.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\Wbem\wmiprvse.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\Wbem\wmiprvse.exe

F2 - REG:system.ini: UserInit=C:\Windows\system32\userinit.exe,C:\_integra\bin\shstart.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Ctfmon.exe] C:\WINDOWS\system32\Ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-19\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office11\REFIEBAR.DLL
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11D2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11D2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B8E7B489-2160-4DE7-B592-9FD03D16CC74}: Domain = keane.com
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Application Management Service (AppMgSvc) - Unknown owner - C:\Program.exe (file missing)
O23 - Service: BHCP Service (BHsrv) - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CentennialClientAgent - Centennial Software Limited - C:\Centenn.ial\Revision\CAgent32.exe
O23 - Service: CentennialIPTransferAgent - Centennial Software Limited - C:\Centenn.ial\Revision\xferwan.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - Symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\Program Files\Lenovo\system update\suservice.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: Symantec LiveState Agent for Windows (WControl) - Symantec Corporation - c:\_integra\bin\ccmagent.exe

--
End of file - 8621 bytes
#2 | 21 Sep 2008, 15:30 | Editor

Download Malwarebytes' Anti-Malware (MBAM)
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

#3 | 21 Sep 2008, 18:18 | New member

No malware found, here is the report
------------------------------------------------------
Windows 5.1.2600 Service Pack 2
9/21/2008 6:16:07 PM
mbam-log-2008-09-21 (18-16-07).txt

Scan type: Quick Scan
Objects scanned: 52621
Time elapsed: 4 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
#4 | 21 Sep 2008, 18:40 | Editor

There is no malware showing in either log.

What exactly is happening?

#5 | 21 Sep 2008, 19:23 | New member

Multiple IEXPLORER.EXE processes are spawning in the process list. They immediately pop up again if I kill them one by one. Sometimes I also hear sounds as if one of them is running some browser window, but none is visible. Something is definitely wrong; they are not supposed to exist.
#6 | 21 Sep 2008, 19:26 | Editor

Download ComboFix by sUBs from one of the links below. Be sure to save it to the Desktop.

Link #1
Link #2

**Note: It is important that it is saved directly to your desktop**

Close any open Internet browsers (Firefox, Internet Explorer, etc.) before starting ComboFix.

Temporarily disable your antivirus and any antispyware real-time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

Double-click combofix.exe and follow the prompts.
When finished, ComboFix will produce a log for you.
Post the ComboFix log and a new HijackThis log in your next reply.

Important: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

#7 | 21 Sep 2008, 19:42 | New member

ComboFix Log
-----------------------
ComboFix 08-09-20.05 - 012466 2008-09-21 19:31:50.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.473 [GMT -7:00]
Running from: C:\Keanetools\ComboFix.exe
* Created a new restore point
WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED!!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\LocalService\Cookies\system@ad.yieldmanager[1].txt
C:\WINDOWS\system32\x64
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_BHSRV
-------\Service_BHsrv

((((((((((((((((((((((((( Files Created from 2008-08-22 to 2008-09-22 )))))))))))))))))))))))))))))))
.
2008-09-21 18:09 . 2008-09-21 18:10 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-21 18:09 . 2008-09-21 18:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-21 18:09 . 2008-09-21 18:09 <DIR> d-------- C:\Documents and Settings\012466\Application Data\Malwarebytes
2008-09-21 18:09 . 2008-09-10 00:04 38,528 --a------ C:\Windows\System32\Drivers\mbamswissarmy.sys
2008-09-21 18:09 . 2008-09-10 00:03 17,200 --a------ C:\Windows\System32\Drivers\mbam.sys
2008-09-21 11:07 . 2008-09-21 11:07 <DIR> d-------- C:\Program Files\Lavasoft
2008-09-21 11:07 . 2008-09-21 11:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-09-21 11:06 . 2008-09-21 11:06 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-09-20 23:40 . 2008-09-20 23:40 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-19 09:03 . 2008-09-19 09:08 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-09-19 00:49 . 2008-09-19 00:52 <DIR> d-------- C:\Documents and Settings\012466\.housecall6.6
2008-09-19 00:27 . 2008-09-19 09:04 <DIR> da------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-09-18 20:25 . 2002-02-04 06:22 1,230,336 --a------ C:\WINDOWS\system32\Msxml4.dll
2008-09-18 20:25 . 2007-09-14 05:01 922,920 --------- C:\WINDOWS\system32\ahlprun.exe
2008-09-18 20:25 . 2002-02-04 06:13 82,432 --a------ C:\WINDOWS\system32\Msxml4r.dll
2008-09-18 20:25 . 2002-02-04 06:13 44,544 --a------ C:\WINDOWS\system32\msxml4a.dll
2008-09-18 20:25 . 2002-02-07 18:43 9,679 --a------ C:\WINDOWS\system32\msxml4r.cat
2008-09-18 20:25 . 2002-02-07 18:43 9,675 --a------ C:\WINDOWS\system32\msxml4.cat
2008-09-18 20:25 . 2002-02-06 20:31 3,489 --a------ C:\WINDOWS\system32\msxml4.Manifest
2008-09-18 20:25 . 2002-02-06 20:31 500 --a------ C:\WINDOWS\system32\msxml4r.Manifest
2008-09-18 20:21 . 2008-09-18 20:21 <DIR> d-------- C:\Program Files\Common Files\Lenovo
2008-09-18 18:27 . 2008-09-21 11:54 21,272 --a------ C:\WINDOWS\system32\bynpea.key
2008-09-18 18:25 . 2008-09-18 18:25 1 --a------ C:\WINDOWS\system32\004fdb9.imi
2008-09-15 14:23 . 2008-09-15 14:23 332,800 ---hs---- C:\WINDOWS\system32\_Bhsrv.msi
2008-09-15 12:15 . 2008-09-18 15:57 69,942 --a------ C:\WINDOWS\system32\rrjack.key
2008-09-15 12:15 . 2008-09-15 12:15 1 --a------ C:\WINDOWS\system32\0048444.imi
2008-09-13 19:27 . 2008-09-13 19:27 24 --a------ C:\WINDOWS\cdplayer.ini
2008-09-13 19:26 . 2008-09-13 19:26 <DIR> d-------- C:\Program Files\Real
2008-09-13 19:26 . 2008-09-13 19:26 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-09-13 19:26 . 2008-09-13 19:26 <DIR> d-------- C:\Program Files\Common Files\Real
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-22 02:33 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-09-22 02:33 --------- d-----w C:\Program Files\Cisco VPN Client
2008-09-21 18:56 16 --sh--r C:\MSCIOTL.SYS
2008-09-21 18:55 8,416 ----a-w C:\Windows\System32\Drivers\CDProbe.SYS
2008-09-20 19:26 430,816 --sh--w C:\Program Files\_MsInfo.msi
2008-09-19 03:25 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-19 03:25 --------- d-----w C:\Program Files\ThinkVantage
2008-09-19 03:21 --------- d-----w C:\Program Files\Lenovo
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ctfmon.exe"="C:\WINDOWS\system32\Ctfmon.exe" [2004-08-04 15360]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-08-15 141848]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-08-15 162328]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-08-15 137752]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-03-24 53408]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-06-14 124656]
"TPHOTKEY"="C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe" [2007-03-09 66176]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-18 110592]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2005-05-19 127037]
"EZEJMNAP"="C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2007-04-26 243248]
"LPManager"="C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe" [2007-03-22 120368]
"TVT Scheduler Proxy"="C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-03-04 487424]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-09-13 185896]
"TrackPointSrv"="tp4mon.exe" [2004-08-03 C:\WINDOWS\system32\tp4mon.exe]
"NWTRAY"="NWTRAY.EXE" [2002-03-12 C:\WINDOWS\system32\nwtray.exe]
"TpShocks"="TpShocks.exe" [2007-03-29 C:\WINDOWS\system32\TpShocks.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Communicator"="C:\Program Files\Microsoft Office Communicator\Communicator.exe" [2005-05-12 4167376]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\system]
"CompatibleRUPSecurity"= 1 (0x1)

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\policies\Explorer]
"StartMenuLogOff"= 1 (0x1)

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\tpfnf2]
2006-09-06 13:37 34344 C:\Program Files\Lenovo\HOTKEY\notifyf2.dll

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\tphotkey]
2006-12-14 08:06 28672 C:\Program Files\Lenovo\HOTKEY\tphklock.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA]
Authentication Packages REG_MULTI_SZ msv1_0 nwv1_0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\Services\sharedaccess\Parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

R0 Shockprf;Shockprf;C:\Windows\System32\Drivers\Apsx86.sys [2007-03-02 100656]
R0 TPDIGIMN;TPDIGIMN;C:\Windows\System32\Drivers\ApsHM86.sys [2007-03-02 19760]
R2 smefs;SMEFileSystem;C:\Windows\System32\Drivers\smefs.sys [2006-02-08 20508]
R3 CdProbe;CdProbe;C:\Windows\System32\Drivers\cdprobe.sys [2008-09-21 8416]
R3 smedrv;SMEDriver;C:\Windows\System32\Drivers\smedrv.sys [2006-02-08 9516]
S2 AppMgSvc;Application Management Service;C:\Program Files\Common Files\Microsoft Shared\MSINFO\MsInfo.msi [2008-09-20 430816]
S2 yraebbgi;yraebbgi;C:\Windows\System32\Drivers\bynpea.sys []
S2 yrtxzgwh;yrtxzgwh;C:\Windows\System32\Drivers\rrjack.sys []

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]
wrtxzg REG_MULTI_SZ wrtxzg
nraebb REG_MULTI_SZ nraebb
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.com/
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office11\EXCEL.EXE/3000
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-21 19:35:12
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AppMgSvc]
"ImagePath"="C:\Program Files\Common Files\Microsoft Shared\MSINFO\MsInfo.msi"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\Winlogon.exe
-> C:\Program Files\Lenovo\HOTKEY\tphklock.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ibmpmsvc.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\_integra\bin\shstart.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\ZOOM\TpScrex.exe
C:\Program Files\Symantec AntiVirus\DoScan.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\CENTENN.IAL\REVISION\CAgent32.exe
C:\CENTENN.IAL\REVISION\xferwan.exe
C:\Program Files\Cisco VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
C:\WINDOWS\system32\calc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\WINDOWS\system32\TPHDEXLG.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\_integra\bin\ccmagent.exe
C:\Program Files\Lenovo\System Update\SUService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\ComboFix\pv.cfexe
.
**************************************************************************
.
Completion time: 2008-09-21 19:36:58 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-22 02:36:54
Pre-Run: 64333811712 bytes free
Post-Run: 64523264000 bytes free
175





HijackThis Log
-----------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:38:41 PM, on 9/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\Winlogon.exe
C:\WINDOWS\system32\Services.exe
C:\WINDOWS\system32\Lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\Svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\Spoolsv.exe
c:\_integra\bin\shstart.exe
C:\WINDOWS\system32\tp4mon.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
C:\WINDOWS\system32\TpShocks.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\Ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\Svchost.exe
C:\Centenn.ial\Revision\CAgent32.exe
C:\Centenn.ial\Revision\xferwan.exe
C:\Program Files\Cisco VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\calc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\WINDOWS\System32\TPHDEXLG.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
c:\_integra\bin\ccmagent.exe
c:\Program Files\Lenovo\system update\suservice.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Ctfmon.exe] C:\WINDOWS\system32\Ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-19\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office11\REFIEBAR.DLL
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11D2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11D2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B8E7B489-2160-4DE7-B592-9FD03D16CC74}: Domain = keane.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{D239A412-22C2-4683-95BC-1FFAA687D0DF}: NameServer = 172.21.18.101,172.21.18.102
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Application Management Service (AppMgSvc) - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CentennialClientAgent - Centennial Software Limited - C:\Centenn.ial\Revision\CAgent32.exe
O23 - Service: CentennialIPTransferAgent - Centennial Software Limited - C:\Centenn.ial\Revision\xferwan.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - Symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\Program Files\Lenovo\system update\suservice.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: Symantec LiveState Agent for Windows (WControl) - Symantec Corporation - c:\_integra\bin\ccmagent.exe

--
End of file - 8581 bytes
#8
21 Sep 2008, 21:24
Editor group

IEXPLORER.EXE virus pls review Hijack log

Note: the instructions below were created specifically for this user. If you are not this user, DO NOT follow these instructions, as they could damage the functioning of your system.

Delete these files/folders, as follows:

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not WordPad.
2. Copy the text in the code box below by selecting all of the text and pressing Ctrl+C

Code:
Killall::
Driver::
BHSRV
BHsrv
File::
C:\WINDOWS\system32\bynpea.key
C:\WINDOWS\system32\004fdb9.imi
C:\WINDOWS\system32\_Bhsrv.msi
C:\WINDOWS\system32\rrjack.key
C:\WINDOWS\system32\0048444.imi
C:\Windows\System32\Drivers\bynpea.sys
C:\Windows\System32\Drivers\rrjack.sys
C:\WINDOWS\system32\calc.exe
3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - save the file to your Desktop
6. Then drag CFScript (hold the left mouse button down while dragging the file) and drop it (release the left mouse button) onto ComboFix.exe, as you can see in the screenshot below. Important: perform this instruction carefully!

ComboFix will begin to execute; just follow the instructions.
After the reboot (when it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Note: Do not mouse-click the ComboFix window while it is running. It may cause your system to freeze.

#9
21 Sep 2008, 22:20
New member group

IEXPLORER.EXE virus pls review Hijack log

ComboFix log after running CFScript
----------------------------------------------------------
ComboFix 08-09-20.05 - 012466 2008-09-21 22:11:45.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.598 [GMT -7:00]
Running from: C:\Keanetools\ComboFix.exe
Command switches used:: C:\Documents and Settings\012466\Desktop\CFScript.txt
* Created a new restore point
WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED!!
FILE::
C:\WINDOWS\system32\_Bhsrv.msi
C:\WINDOWS\system32\0048444.imi
C:\WINDOWS\system32\004fdb9.imi
C:\WINDOWS\system32\bynpea.key
C:\WINDOWS\system32\calc.exe
C:\Windows\System32\Drivers\bynpea.sys
C:\Windows\System32\Drivers\rrjack.sys
C:\WINDOWS\system32\rrjack.key
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\_Bhsrv.msi
C:\WINDOWS\system32\0048444.imi
C:\WINDOWS\system32\004fdb9.imi
C:\WINDOWS\system32\bynpea.key
C:\WINDOWS\system32\calc.exe
C:\WINDOWS\system32\rrjack.key
.
((((((((((((((((((((((((( Files Created from 2008-08-22 to 2008-09-22 )))))))))))))))))))))))))))))))
.
2008-09-21 18:09 . 2008-09-21 18:10 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-21 18:09 . 2008-09-21 18:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-21 18:09 . 2008-09-21 18:09 <DIR> d-------- C:\Documents and Settings\012466\Application Data\Malwarebytes
2008-09-21 18:09 . 2008-09-10 00:04 38,528 -a------ C:\Windows\System32\Drivers\mbamswissarmy.sys
2008-09-21 18:09 . 2008-09-10 00:03 17,200 -a------ C:\Windows\System32\Drivers\mbam.sys
2008-09-21 11:07 . 2008-09-21 11:07 <DIR> d-------- C:\Program Files\Lavasoft
2008-09-21 11:07 . 2008-09-21 11:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-09-21 11:06 . 2008-09-21 11:06 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-09-20 23:40 . 2008-09-20 23:40 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-19 09:03 . 2008-09-19 09:08 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-09-19 00:49 . 2008-09-19 00:52 <DIR> d-------- C:\Documents and Settings\012466\.housecall6.6
2008-09-19 00:27 . 2008-09-19 09:04 <DIR> da------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-09-18 20:25 . 2002-02-04 06:22 1,230,336 -a------ C:\WINDOWS\system32\msxml4.dll
2008-09-18 20:25 . 2007-09-14 05:01 922,920 --------- C:\WINDOWS\system32\ahlprun.exe
2008-09-18 20:25 . 2002-02-04 06:13 82,432 -a------ C:\WINDOWS\system32\msxml4r.dll
2008-09-18 20:25 . 2002-02-04 06:13 44,544 -a------ C:\WINDOWS\system32\msxml4a.dll
2008-09-18 20:25 . 2002-02-07 18:43 9,679 -a------ C:\WINDOWS\system32\msxml4r.cat
2008-09-18 20:25 . 2002-02-07 18:43 9,675 -a------ C:\WINDOWS\system32\msxml4.cat
2008-09-18 20:25 . 2002-02-06 20:31 3,489 -a------ C:\WINDOWS\system32\msxml4.Manifest
2008-09-18 20:25 . 2002-02-06 20:31 500 -a------ C:\WINDOWS\system32\msxml4r.Manifest
2008-09-18 20:21 . 2008-09-18 20:21 <DIR> d-------- C:\Program Files\Common Files\Lenovo
2008-09-13 19:27 . 2008-09-13 19:27 24 -a------ C:\WINDOWS\cdplayer.ini
2008-09-13 19:26 . 2008-09-13 19:26 <DIR> d-------- C:\Program Files\Real
2008-09-13 19:26 . 2008-09-13 19:26 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-09-13 19:26 . 2008-09-13 19:26 <DIR> d-------- C:\Program Files\Common Files\Real
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-22 05:14 8,416 ----a-w C:\Windows\System32\Drivers\CDProbe.SYS
2008-09-22 05:14 16 -sh--r C:\MSCIOTL.SYS
2008-09-22 05:14 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-09-22 03:07 --------- d-----w C:\Program Files\Cisco VPN Client
2008-09-20 19:26 430,816 -sh--w C:\Program Files\_MsInfo.msi
2008-09-19 03:25 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-19 03:25 --------- d-----w C:\Program Files\ThinkVantage
2008-09-19 03:21 --------- d-----w C:\Program Files\Lenovo
.
((((((((((((((((((((((((((((( Snapshot@2008-09-21_19.36.38.64 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-09-21 18:59:45 71,370 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-09-22 02:39:43 71,370 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-09-21 18:59:45 439,832 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-09-22 02:39:43 439,832 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-08-15 141848]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-08-15 162328]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-08-15 137752]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-03-24 53408]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-06-14 124656]
"TPHOTKEY"="C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe" [2007-03-09 66176]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-18 110592]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2005-05-19 127037]
"EZEJMNAP"="C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2007-04-26 243248]
"LPManager"="C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe" [2007-03-22 120368]
"TVT Scheduler Proxy"="C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-03-04 487424]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-09-13 185896]
"TrackPointSrv"="tp4mon.exe" [2004-08-03 C:\WINDOWS\system32\tp4mon.exe]
"NWTRAY"="NWTRAY.EXE" [2002-03-12 C:\WINDOWS\system32\nwtray.exe]
"TpShocks"="TpShocks.exe" [2007-03-29 C:\WINDOWS\system32\TpShocks.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Communicator"="C:\Program Files\Microsoft Office Communicator\Communicator.exe" [2005-05-12 4167376]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\system]
"CompatibleRUPSecurity"= 1 (0x1)
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\policies\Explorer]
"StartMenuLogOff"= 1 (0x1)
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\tpfnf2]
2006-09-06 13:37 34344 C:\Program Files\Lenovo\HOTKEY\notifyf2.dll
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\tphotkey]
2006-12-14 08:06 28672 C:\Program Files\Lenovo\HOTKEY\tphklock.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA]
Authentication Packages REG_MULTI_SZ msv1_0 nwv1_0
[HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\Services\sharedaccess\Parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
R0 Shockprf;Shockprf;C:\Windows\System32\Drivers\Apsx86.sys [2007-03-02 100656]
R0 TPDIGIMN;TPDIGIMN;C:\Windows\System32\Drivers\ApsHM86.sys [2007-03-02 19760]
R2 smefs;SMEFileSystem;C:\Windows\System32\Drivers\smefs.sys [2006-02-08 20508]
R3 CdProbe;CdProbe;C:\Windows\System32\Drivers\cdprobe.sys [2008-09-21 8416]
R3 smedrv;SMEDriver;C:\Windows\System32\Drivers\smedrv.sys [2006-02-08 9516]
S2 AppMgSvc;Application Management Service;C:\Program Files\Common Files\Microsoft Shared\MSINFO\MsInfo.msi [2008-09-20 430816]
S2 yraebbgi;yraebbgi;C:\Windows\System32\Drivers\bynpea.sys []
S2 yrtxzgwh;yrtxzgwh;C:\Windows\System32\Drivers\rrjack.sys []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]
wrtxzg REG_MULTI_SZ wrtxzg
nraebb REG_MULTI_SZ nraebb
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-21 22:16:04
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

C:\WINDOWS\system32\calc.exe
scan completed successfully
hidden files: 1
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AppMgSvc]
"ImagePath"="C:\Program Files\Common Files\Microsoft Shared\MSINFO\MsInfo.msi"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\Program Files\Lenovo\HOTKEY\tphklock.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ibmpmsvc.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\CENTENN.IAL\REVISION\CAgent32.exe
C:\CENTENN.IAL\REVISION\xferwan.exe
C:\Program Files\Cisco VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\WINDOWS\system32\TPHDEXLG.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\_integra\bin\ccmagent.exe
C:\Program Files\Lenovo\System Update\SUService.exe
C:\_integra\bin\shstart.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\ZOOM\TpScrex.exe
C:\Program Files\Symantec AntiVirus\DoScan.exe
C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
C:\ComboFix\pv.cfexe
.
**************************************************************************
.
Completion time: 2008-09-21 22:17:28 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-22 05:17:23
ComboFix2.txt 2008-09-22 02:36:59
Pre-Run: 64,509,464,576 bytes free
Post-Run: 64,505,421,824 bytes free
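Two things in the log above are worth checking mechanically rather than by eye. First, the AppMgSvc service that HijackThis listed as "C:\Program.exe (file missing)" with an unknown owner is the same service whose real ImagePath ComboFix shows as ...\MSINFO\MsInfo.msi: an unquoted path with spaces, and C:\Program.exe is the first file Windows tries when resolving such a path, which is consistent with what HijackThis printed. Second, the two S2 drivers and the two svchost groups with random names carry no file metadata at all ("[]"). The Python script below is an added example, not part of the thread, of HijackThis or of ComboFix; it parses those line formats from the logs above (copied inline) and flags the suspicious entries. The svchost group baseline, the accepted image extensions and the flag rules are this example's own assumptions.

```python
"""Triage of HijackThis O23 lines and ComboFix service entries.

Added example for this thread; it is not part of HijackThis, ComboFix or
the original posts. The sample lines are copied from the two logs above;
the svchost group baseline and the flag rules are this example's own
assumptions.
"""
import re

# Lines taken from the HijackThis log earlier in the thread.
HJT_O23 = r"""
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Application Management Service (AppMgSvc) - Unknown owner - C:\Program.exe (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
"""

# Service and svchost lines taken from the ComboFix "Reg Loading Points" section above.
CF_SERVICES = r"""
R0 Shockprf;Shockprf;C:\Windows\System32\Drivers\Apsx86.sys [2007-03-02 100656]
S2 AppMgSvc;Application Management Service;C:\Program Files\Common Files\Microsoft Shared\MSINFO\MsInfo.msi [2008-09-20 430816]
S2 yraebbgi;yraebbgi;C:\Windows\System32\Drivers\bynpea.sys []
S2 yrtxzgwh;yrtxzgwh;C:\Windows\System32\Drivers\rrjack.sys []
"""
CF_SVCHOST = r"""
wrtxzg REG_MULTI_SZ wrtxzg
nraebb REG_MULTI_SZ nraebb
"""

O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<name>[^()]+)\))? - "
    r"(?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$")
CF_SVC_RE = re.compile(
    r"^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?) \[(?P<meta>[^\]]*)\]$")
CF_SVCHOST_RE = re.compile(r"^(?P<group>\S+) REG_MULTI_SZ (?P<members>.+)$")

# Assumed baseline: svchost groups present on a stock Windows XP SP2 install.
KNOWN_SVCHOST_GROUPS = {"netsvcs", "LocalService", "NetworkService", "rpcss",
                        "DcomLaunch", "imgsvc", "termsvcs", "HTTPFilter"}
SERVICE_IMAGE_EXTS = {"exe", "sys"}  # assumed: what a service image should be


def image_extension(path):
    """Extension of the last path component, '' if it has none."""
    leaf = path.rsplit("\\", 1)[-1]
    return leaf.rsplit(".", 1)[-1].lower() if "." in leaf else ""


def unquoted_path_candidates(path):
    r"""Files CreateProcess tries, in order, for an unquoted path with spaces.

    It cuts the string at each space and appends .exe when the fragment has
    no extension, so C:\Program Files\X\y.msi is first looked up as
    C:\Program.exe, which is the name HijackThis reported as missing.
    """
    parts = path.split(" ")
    candidates = []
    for i in range(1, len(parts) + 1):
        cand = " ".join(parts[:i])
        if not image_extension(cand):
            cand += ".exe"
        candidates.append(cand)
    return candidates


def triage(hjt_text=HJT_O23, cf_services=CF_SERVICES, cf_svchost=CF_SVCHOST):
    """Return (entry, reason) pairs for services worth a closer look."""
    findings = []
    for line in hjt_text.strip().splitlines():
        m = O23_RE.match(line)
        if not m:
            continue
        name = m["name"] or m["display"]
        if m["missing"]:
            findings.append((name, "HijackThis found no file at " + m["path"]))
        if m["owner"].lower() == "unknown owner":
            findings.append((name, "binary has no company name in its version info"))
    for line in cf_services.strip().splitlines():
        m = CF_SVC_RE.match(line)
        if not m:
            continue
        name, path = m["name"], m["path"]
        if m["meta"] == "":  # ComboFix prints [] when it cannot stat the file
            findings.append((name, "no timestamp/size for " + path + " (absent or hidden)"))
        ext = image_extension(path)
        if ext not in SERVICE_IMAGE_EXTS:
            findings.append((name, "service image is a ." + ext + " file, not .exe/.sys"))
        if " " in path and not path.startswith('"'):
            findings.append((name, "unquoted image path; first lookup is "
                             + unquoted_path_candidates(path)[0]))
    for line in cf_svchost.strip().splitlines():
        m = CF_SVCHOST_RE.match(line)
        if m and m["group"] not in KNOWN_SVCHOST_GROUPS:
            findings.append((m["group"], "svchost group not in the XP baseline; members: "
                             + m["members"]))
    return findings


if __name__ == "__main__":
    for entry, reason in triage():
        print(f"{entry:10} {reason}")
```

Run as-is it lists AppMgSvc four times (missing file, unknown owner, .msi image, unquoted path), the two S2 drivers with empty metadata and the two unknown svchost groups, and nothing for the Lavasoft, Symantec, Lenovo or Shockprf entries. The unquoted-path candidates are the order Windows would try, so the first one is where a planted file would hijack the service; on a live machine the same list is what you would check for world-writable parent directories.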
#10
21 Sep 2008, 22:26
Editor group

IEXPLORER.EXE virus pls review Hijack log

Download OTMoveIt2 by OldTimer and save it to your Desktop.

Note: If you are running Vista, right-click OTMoveIt2.exe and choose Run as administrator.

1. Double-click OTMoveIt2.exe to run it.
2. Copy the lines in the codebox below.

Code:
[Kill Explorer]
C:\WINDOWS\system32\calc.exe
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AppMgSvc
EmptyTemp
[Start Explorer]
3. Return to OTMoveIt2, right-click in the "Paste List of Files/Folders to Move" window (under the yellow bar) and choose Paste
4. Click the red Moveit! button.
5. Copy everything in the Results window (under the green bar) and paste it in your next reply.
6. Close OTMoveIt2

Note: If a file or folder cannot be moved immediately, you may be asked to reboot the machine to finish the move process. If you are asked to reboot, choose Yes. If not, reboot anyway.
Copyright © 2006 - 2009 Computer Juice.