IEXPLORER.EXE virus pls tarkistaa Hijack loki

nitingaur · #1 21. Sep 2008, 12:02

Logfile ja Trend Micro HijackThis v2.0.2
Scan tallennettu klo 12:01:37, on 9.21.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Käynnissä olevista prosesseista:
C: \ WINDOWS \ System32 \ smss.exe
C: \ WINDOWS \ system32 \ csrss.exe
C: \ WINDOWS \ system32 \ Winlogon.exe
C: \ WINDOWS \ system32 \ Services.exe
C: \ WINDOWS \ system32 \ Lsass.exe
C: \ WINDOWS \ system32 \ ibmpmsvc.exe
C: \ WINDOWS \ system32 \ Svchost.exe
C: \ WINDOWS \ system32 \ Svchost.exe
C: \ Program Files \ Intel \ Wireless \ Bin \ S24EvMon.exe
C: \ WINDOWS \ system32 \ Svchost.exe
C: \ WINDOWS \ system32 \ Svchost.exe
C: \ WINDOWS \ system32 \ Svchost.exe
C: \ Program Files \ Common Files \ Symantec Shared \ ccSetMgr.exe
C: \ Program Files \ Common Files \ Symantec Shared \ ccEvtMgr.exe
C: \ Program Files \ Common Files \ Symantec Shared \ SPBBC \ SPBBCSvc.exe
C: \ Program Files \ Lavasoft \ Ad-Aware \ aawservice.exe
C: \ WINDOWS \ system32 \ spoolsv.exe
C: \ WINDOWS \ system32 \ Svchost.exe
C: \ Centenn.ial \ Audit \ CAgent32.exe
C: \ Centenn.ial \ Audit \ xferwan.exe
C: \ Program Files \ Cisco VPN Client \ cvpnd.exe
C: \ Program Files \ Symantec AntiVirus \ DefWatch.exe
C: \ Program Files \ Intel \ Wireless \ Bin \ EvtEng.exe
C: \ Program Files \ Common Files \ Microsoft Shared \ VS7DEBUG \ MDM.EXE
C: \ Program Files \ Intel \ Wireless \ Bin \ RegSrvc.exe
C: \ Program Files \ Symantec AntiVirus \ SavRoam.exe
C: \ Program Files \ Symantec AntiVirus \ Rtvscan.exe
C: \ Program Files \ Common Files \ Lenovo \ tvt_reg_monitor_svc.exe
C: \ WINDOWS \ System32 \ TPHDEXLG.exe
C: \ Program Files \ Common Files \ Lenovo \ Scheduler \ tvtsched.exe
c: \ _integra \ bin \ ccmagent.exe
c: \ program files \ Lenovo \ System Update \ suservice.exe
C: \ WINDOWS \ System32 \ alg.exe
C: \ WINDOWS \ system32 \ calc.exe
C: \ WINDOWS \ system32 \ calc.exe
c: \ _integra \ bin \ shstart.exe
C: \ WINDOWS \ Explorer.exe
C: \ WINDOWS \ system32 \ tp4mon.exe
C: \ WINDOWS \ system32 \ igfxtray.exe
C: \ WINDOWS \ system32 \ hkcmd.exe
C: \ WINDOWS \ system32 \ igfxpers.exe
C: \ WINDOWS \ system32 \ NWTRAY.EXE
C: \ Program Files \ Common Files \ Symantec Shared \ ccApp.exe
C: \ PROGRA ~ 1 \ SYMANT ~ 1 \ VPTray.exe
C: \ Program Files \ Lenovo \ Pikanäppäin \ TPOSDSVC.exe
C: \ WINDOWS \ system32 \ igfxsrvc.exe
C: \ WINDOWS \ system32 \ dla \ tfswctrl.exe
C: \ PROGRA ~ 1 \ ThinkPad \ UTILIT ~ 1 \ EzEjMnAp.Exe
C: \ PROGRA ~ 1 \ THINKV ~ 1 \ PrdCtr \ LPMGR.exe
C: \ WINDOWS \ system32 \ TpShocks.exe
C: \ Program Files \ Lenovo \ Pikanäppäin \ TPONSCR.exe
C: \ Program Files \ Common Files \ Lenovo \ Scheduler \ scheduler_proxy.exe
C: \ Program Files \ Lenovo \ Zoom \ TpScrex.exe
C: \ Program Files \ Common Files \ Real \ Update_OB \ realsched.exe
C: \ WINDOWS \ system32 \ Ctfmon.exe
C: \ Program Files \ Yahoo! \ Messenger \ ymsgr_tray.exe
C: \ WINDOWS \ system32 \ taskmgr.exe
C: \ program files \ Internet Explorer \ IEXPLORE.EXE
C: \ program files \ Internet Explorer \ IEXPLORE.EXE
C: \ Program Files \ Internet Explorer \ IEXPLORE.EXE
C: \ WINDOWS \ system32 \ wuauclt.exe
C: \ WINDOWS \ system32 \ wbem \ wmiprvse.exe
C: \ Program Files \ Trend Micro \ HijackThis \ HijackThis.exe
C: \ WINDOWS \ system32 \ wbem \ wmiprvse.exe
F2 - REG: system.ini: UserInit = c: \ windows \ system32 \ userinit.exe, c: \ _inte gra \ bin \ shstart.exe
O2 - BHO: AcroIEHlprObj Class - (06849E9F-C8D7-4D59-B87D-784B7D6BE0B3) - C: \ Program Files \ Adobe \ Acrobat 7.0 \ ActiveX \ AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - (5CA3D70E-1895-11CF-8E15-001234567890) - C: \ WINDOWS \ system32 \ dla \ tfswshx.dll
O4 - HKLM \ .. \ Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM \ .. \ Run: [IgfxTray] C: \ WINDOWS \ system32 \ igfxtray.exe
O4 - HKLM \ .. \ Run: [HotKeysCmds] C: \ WINDOWS \ system32 \ hkcmd.exe
O4 - HKLM \ .. \ Run: [Persistence] C: \ WINDOWS \ system32 \ igfxpers.exe
O4 - HKLM \ .. \ Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM \ .. \ Run: [ccApp] "C: \ Program Files \ Common Files \ Symantec Shared \ ccApp.exe"
O4 - HKLM \ .. \ Run: [vptray] C: \ PROGRA ~ 1 \ SYMANT ~ 1 \ VPTray.exe
O4 - HKLM \ .. \ Run: [TPHOTKEY] C: \ Program Files \ Lenovo \ Pikanäppäin \ TPOSDSVC.exe
O4 - HKLM \ .. \ Run: [UpdateManager] "C: \ Program Files \ Common Files \ Sonic \ Update Manager \ sgtray.exe" / r
O4 - HKLM \ .. \ Run: [dla] C: \ WINDOWS \ system32 \ dla \ tfswctrl.exe
O4 - HKLM \ .. \ Run: [EZEJMNAP] C: \ PROGRA ~ 1 \ ThinkPad \ UTILIT ~ 1 \ EzEjMnAp.Exe
O4 - HKLM \ .. \ Run: [LPManager] C: \ PROGRA ~ 1 \ THINKV ~ 1 \ PrdCtr \ LPMGR.exe
O4 - HKLM \ .. \ Run: [TpShocks] TpShocks.exe
O4 - HKLM \ .. \ Run: [TVT Scheduler Proxy] C: \ Program Files \ Common Files \ Lenovo \ Scheduler \ scheduler_proxy.exe
O4 - HKLM \ .. \ Run: [TkBellExe] "C: \ Program Files \ Common Files \ Real \ Update_OB \ realsched.exe"-osboot
O4 - HKCU \ .. \ Run: [Ctfmon.exe] C: \ WINDOWS \ system32 \ Ctfmon.exe
O4 - HKCU \ .. \ Run: [Yahoo! Hakulaite] "C: \ Program Files \ Yahoo! \ Messenger \ YahooMessenger.exe"-quiet
O4 - HKUS \ S-1-5-19 \ .. \ Run: [Communicator] "C: \ Program Files \ Microsoft Office Communicator \ Communicator.exe" (User 'LOCAL SERVICE')
O4 - HKUS \ S-1-5-20 \ .. \ Run: [Communicator] "C: \ Program Files \ Microsoft Office Communicator \ Communicator.exe" (User 'NETWORK SERVICE')
O4 - HKUS \ S-1-5-18 \ .. \ Run: [Communicator] "C: \ Program Files \ Microsoft Office Communicator \ Communicator.exe" (User 'SYSTEM')
O4 - HKUS \. DEFAULT \ .. \ Run: [Communicator] "C: \ Program Files \ Microsoft Office Communicator \ Communicator.exe" (User 'Default user')
O8 - Extra yhteydessä valikkotoimintoa: E & Vie Microsoft Excel - res: / / C: \ PROGRA ~ 1 \ mikros ~ 2 \ Office11 \ EXCEL.EXE/3000
O9 - Extra button: Research - (92780B25-18CC-41C8-B9BE-3C9C571A8263) - C: \ PROGRA ~ 1 \ mikros ~ 2 \ Office11 \ REFIEBAR.DLL
O9 - Extra button: @ C: \ Program Files \ Messenger \ Msgslang.dll, -61144 - (FB5F1910-F110-11D2-BB9E-00C04F795683) - C: \ Program Files \ Messenger \ msmsgs.exe
O9 - Extra 'Tools' menuitem: @ C: \ Program Files \ Messenger \ Msgslang.dll, -61144 - (FB5F1910-F110-11D2-BB9E-00C04F795683) - C: \ Program Files \ Messenger \ msmsgs.exe
O16 - DPF: (215B8138-A3CF-44C5-803F-8226143CFC0A) (Trend Micro ActiveX Scan Agent 6.6) -- http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O17 - HKLM \ System \ CCS \ Services \ Tcpip \ .. \ (B8E7B489-2160-4DE7-B592-9FD03D16CC74): Domain = keane.com
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C: \ Program Files \ Lavasoft \ Ad-Aware \ aawservice.exe
O23 - Service: Application Management Service (AppMgSvc) - Unknown owner - C: \ Program.exe (file missing)
O23 - Service: BHCP Service (BHsrv) - Unknown owner - C: \ Program.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C: \ Program Files \ Common Files \ Symantec Shared \ ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C: \ Program Files \ Common Files \ Symantec Shared \ ccSetMgr.exe
O23 - Service: CentennialClientAgent - Centennial Software Limited - C: \ Centenn.ial \ Audit \ CAgent32.exe
O23 - Service: CentennialIPTransferAgent - Centennial Software Limited - C: \ Centenn.ial \ Audit \ xferwan.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C: \ WINDOWS \ system32 \ cusrvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C: \ Program Files \ Cisco VPN Client \ cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C: \ Program Files \ Symantec AntiVirus \ DefWatch.exe
O23 - Service: Intel (R) PROSet / Wireless Event Log (EvtEng) - Intel Corporation - C: \ Program Files \ Intel \ Wireless \ Bin \ EvtEng.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C: \ WINDOWS \ system32 \ ibmpmsvc.exe
O23 - Service: LiveUpdaten - Symantec Corporation - C: \ PROGRA ~ 1 \ Symantec \ LIVEUP ~ 1 \ LUCOMS ~ 1.EXE
O23 - Service: Intel (R) PROSet / Wireless Registry Service (RegSrvc) - Intel Corporation - C: \ Program Files \ Intel \ Wireless \ Bin \ RegSrvc.exe
O23 - Service: Intel (R) PROSet / Wireless Service (S24EventMonitor) - Intel Corporation - C: \ Program Files \ Intel \ Wireless \ Bin \ S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - Symantec - C: \ Program Files \ Symantec AntiVirus \ SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C: \ Program Files \ Common Files \ Symantec Shared \ SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C: \ Program Files \ Common Files \ Symantec Shared \ SPBBC \ SPBBCSvc.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - c: \ program files \ Lenovo \ System Update \ suservice.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C: \ Program Files \ Symantec AntiVirus \ Rtvscan.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C: \ Program Files \ Common Files \ Lenovo \ tvt_reg_monitor_svc.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C: \ WINDOWS \ System32 \ TPHDEXLG.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C: \ Program Files \ Common Files \ Lenovo \ Scheduler \ tvtsched.exe
O23 - Service: Symantec LiveState Agent for Windows (WControl) - Symantec Corporation - c: \ _integra \ bin \ ccmagent.exe
--
End of file - 8621 bytes

**evilfantasy** · #2 21. Sep 2008, 15:30

Ladata Malwarebytes' Anti-Malware (MBAM)

Kaksoisnapsauta mbam-setup.exe ja seuraa ohjeita asentaaksesi ohjelman.
Lopussa, varmista, että yksi tarkistusmerkkiä on viereen seuraavasti:
- Päivitä Malwarebytes' Anti-Malware
- Launch Malwarebytes' Anti-Malware
Valitse sitten Maali.
Jos päivitys löytyy, se lataa ja asentaa uusimman version.
Kun ohjelma on ladattu, valitse Suorittaa Quick ScanValitse sitten Scan.
Kun skannaus on valmis, valitse OK, Sitten Näytä tulokset Voit tarkastella tuloksia.
Olla varma, että kaikki on valittu, ja napsauta Poista valitut.
Kun desinfiointi on valmis, loki avautuu Muistioon ja sinua saatetaan kehottaa uudelleen. (Katso Extra huomautus)
Loki on automaattisesti tallennetaan MBAM ja voi tarkastella napsauttamalla Lokit välilehti MBAM.
Kopioi ja liitä koko raportin seuraavan vastauksen.

Extra Huomautus: Jos MBAM kohtaa tiedoston, joka on vaikea poistaa, näytetään 1 2 kehotteita, OK joko ja anna MBAM edetä desinfiointiin prosessi, jos pyydetään käynnistämään tietokone uudelleen, tee niin välittömästi.

nitingaur · #3 21. Sep 2008, 18:18

Ei haittaohjelmia löytyy, tästä on mietintö
-------------------------------------------------- ----
Windows 5.1.2600 Service Pack 2
9/21/2008 6:16:07 PM
mbam-log-2008-09-21 (18-16-07). txt
Scan type: Quick Scan
Objektit skannattavan: 52621
Kulunut aika: 4 minute (s), 41 toinen (t)
Memory Processes Infected: 0
Memory Modules Infected: 0
Rekisteriavaimista Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(Ei haittaohjelmia kohteet havaitaan)
Memory Modules Infected:
(Ei haittaohjelmia kohteet havaitaan)
Rekisteriavaimista Infected:
(Ei haittaohjelmia kohteet havaitaan)
Registry Values Infected:
(Ei haittaohjelmia kohteet havaitaan)
Registry Data Items Infected:
(Ei haittaohjelmia kohteet havaitaan)
Kansiot Infected:
(Ei haittaohjelmia kohteet havaitaan)
Files Infected:
(Ei haittaohjelmia kohteet havaitaan)

**evilfantasy** · #4 21. Sep 2008, 18:40

Ei ole haittaohjelmia, josta ilmenevät joko loki.

Mitä on tapahtumassa?

nitingaur · #5 21. Sep 2008, 19:23

Useita IEXPLORER.EXE prosessin spwaning prosessi luettelosta. Ne välittömästi pop up jos tappaa niitä yksi kerrallaan. Joskus olen myös kuulla ääniä, kuten yksi niistä käytössä jokin selainikkuna mutta ei ole näkyvää. On ehdottomasti väärin, ne eivät ole oletettu olevan.

**evilfantasy** · #6 21. Sep 2008, 19:26

Lataa ComboFix jonka Subs jonkin alle linkkejä. Olla varma alkuun tallentaa ne Desktop.

Linkki # 1
Linkki # 2

** Huomautus: On tärkeää, että se on tallennettu suoraan Desktopin

Sulje kaikki avoimet Internet-selaimissa. (Firefox, Internet Explorer jne.) ennen ComboFix.

Väliaikaisesti poistaa käytöstä sinun antivirus, Ja mikä tahansa AntiSpyware reaaliaikainen suoja ennen suorittamalla skannata. Valitse linkki nähdä luettelon tietoturvaohjelmia, että otetaan huomioon myös vammaisten ja miten poistaa ne käytöstä.

Kaksoisnapsauta combofix.exe ja seuraa ohjeita.
Kun olet valmis ComboFix tuottaa lokin sinulle.
Postata ComboFix loki ja uusi HijackThis loki näkyy seuraavassa vastausta.

Tärkeää: Älä mouseclick ComboFix ikkunassa, kun se on käynnissä. Tämä saattaa aiheuttaa sen, pilttuu.

Muista uudelleen käyttöön virustentorjuntaohjelmasi ja antispyware suojelun ComboFix on valmis.

nitingaur · #7 21. Sep 2008, 19:42

ComboFix Kirjaudu
-----------------------
ComboFix 08-09-20.05 - 012466 2008-09-21 19:31:50.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.473 [GMT -7:00]
Running from: C: \ Keanetools \ ComboFix.exe
* Luonut uuden palautuspisteen
VAROITUS-Tämä kone ei ole RECOVERY CONSOLE asennettuna!
.
((((((((((((((((((((((((((((((((((((((( Muut Poistetut ))))))))) ))))))))))))))))))))))))))))))))))))))))
.
C: \ Documents and Settings \ LocalService \ Cookies \ system@ad.yieldmanag er [1]. Txt
C: \ WINDOWS \ system32 \ x64
.
((((((((((((((((((((((((((((((((((((((( Ajurit / Palvelut )))))))) )))))))))))))))))))))))))))))))))))))))))
.
------- \ Legacy_BHSRV
------- \ Service_BHsrv

((((((((((((((((((((((((( Files luotu 2008-08-22 ja 2008-09-22 ))))))))))) ))))))))))))))))))))
.
2008-09-21 18:09. 2008-09-21 18:10 <DIR> d -------- C: \ Program Files \ Malwarebytes' Anti-Malware
2008-09-21 18:09. 2008-09-21 18:09 <DIR> d -------- C: \ Documents and Settings \ All Users \ Application Data \ Malwarebytes
2008-09-21 18:09. 2008-09-21 18:09 <DIR> d -------- C: \ Documents and Settings \012466 \ Application Data \ Malwarebytes
2008-09-21 18:09. 2008-09-10 00:04 38.528 - a ------ C: \ WINDOWS \ system32 \ drivers \ mbamswissarmy.sys
2008-09-21 18:09. 2008-09-10 00:03 17.200 - a ------ C: \ WINDOWS \ system32 \ drivers \ mbam.sys
2008-09-21 11:07. 2008-09-21 11:07 <DIR> d -------- C: \ Program Files \ Lavasoft
2008-09-21 11:07. 2008-09-21 11:08 <DIR> d -------- C: \ Documents and Settings \ All Users \ Application Data \ Lavasoft
2008-09-21 11:06. 2008-09-21 11:06 <DIR> d -------- C: \ Program Files \ Common Files \ Wise Installation Wizard
2008-09-20 23:40. 2008-09-20 23:40 <DIR> d -------- C: \ Program Files \ Trend Micro
2008-09-19 09:03. 2008-09-19 09:08 <DIR> d -------- C: \ WINDOWS \ SxsCaPendDel
2008-09-19 00:49. 2008-09-19 00:52 <DIR> d -------- C: \ Documents and Settings \012466 \. Housecall6.6
2008-09-19 00:27. 2008-09-19 09:04 <DIR> da ------ C: \ Documents and Settings \ All Users \ Application Data \ TEMP
2008-09-18 20:25. 2002-02-04 06:22 1.230.336 - a ------ C: \ WINDOWS \ system32 \ Msxml4.dll
2008-09-18 20:25. 2007-09-14 05:01 922.920 --------- C: \ WINDOWS \ system32 \ ahlprun.exe
2008-09-18 20:25. 2002-02-04 06:13 82.432 - a ------ C: \ WINDOWS \ system32 \ msxml4r.dll
2008-09-18 20:25. 2002-02-04 06:13 44.544 - a ------ C: \ WINDOWS \ system32 \ msxml4a.dll
2008-09-18 20:25. 2002-02-07 18:43 9.679 - a ------ C: \ WINDOWS \ system32 \ msxml4r.cat
2008-09-18 20:25. 2002-02-07 18:43 9.675 - a ------ C: \ WINDOWS \ system32 \ msxml4.cat
2008-09-18 20:25. 2002-02-06 20:31 3.489 - a ------ C: \ WINDOWS \ system32 \ msxml4.Manifest
2008-09-18 20:25. 2002-02-06 20:31 500 - a ------ C: \ WINDOWS \ system32 \ msxml4r.Manifest
2008-09-18 20:21. 2008-09-18 20:21 <DIR> d -------- C: \ Program Files \ Common Files \ Lenovo
2008-09-18 18:27. 2008-09-21 11:54 21.272 - a ------ C: \ WINDOWS \ system32 \ bynpea.key
2008-09-18 18:25. 2008-09-18 18:25 1 - a ------ C: \ WINDOWS \ system32 \004fdb9.imi
2008-09-15 14:23. 2008-09-15 14:23 332.800 --- hs ---- C: \ WINDOWS \ system32 \ _Bhsrv.msi
2008-09-15 12:15. 2008-09-18 15:57 69.942 - a ------ C: \ WINDOWS \ system32 \ rrjack.key
2008-09-15 12:15. 2008-09-15 12:15 1 - a ------ C: \ WINDOWS \ system32 \0048444.imi
2008-09-13 19:27. 2008-09-13 19:27 24 - a ------ C: \ WINDOWS \ cdplayer.ini
2008-09-13 19:26. 2008-09-13 19:26 <DIR> d -------- C: \ Program Files \ Real
2008-09-13 19:26. 2008-09-13 19:26 <DIR> d -------- C: \ Program Files \ Common Files \ Xing jaetun
2008-09-13 19:26. 2008-09-13 19:26 <DIR> d -------- C: \ Program Files \ Common Files \ Real
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))) ))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-22 02:33 --------- d ----- w C: \ Program Files \ Symantec AntiVirus
2008-09-22 02:33 --------- d ----- w C: \ Program Files \ Cisco VPN-client
2008-09-21 18:56 16 - sh - r C: \ MSCIOTL.SYS
2008-09-21 18:55 8.416 ---- aw C: \ WINDOWS \ system32 \ drivers \ CDProbe.SYS
2008-09-20 19:26 430.816 - sh - w C: \ Program Files \ _MsInfo.msi
2008-09-19 03:25 --------- d - h - w C: \ Program Files \ InstallShield Installation Information
2008-09-19 03:25 --------- d ----- w C: \ Program Files \ ThinkVantage
2008-09-19 03:21 --------- d ----- w C: \ Program Files \ Lenovo
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))) ))))))))))))))))))))))))))))))))))))))))
.
.
* Note * empty entries & legit default merkinnät eivät näy
REGEDIT4
[HKEY_CURRENT_USER \ SOFTWARE \ Microsoft \ Windows \ Curre ntVersion \ Run]
"Ctfmon.exe" = "C: \ WINDOWS \ system32 \ Ctfmon.exe" [2004-08-04 15360]
"Yahoo! Hakulaite" = "C: \ Program Files \ Yahoo! \ Messenger \ YahooMessenger.exe" [2007-08-30 4670704]
[HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ curr entVersion \ Run]
"IgfxTray" = "C: \ WINDOWS \ system32 \ igfxtray.exe" [2007-08-15 141848]
"HotKeysCmds" = "C: \ WINDOWS \ system32 \ hkcmd.exe" [2007-08-15 162328]
"Persistence" = "C: \ WINDOWS \ system32 \ igfxpers.ex e" [2007-08-15 137752]
"ccApp" = "C: \ Program Files \ Common Files \ Symantec Shared \ ccApp.exe" [2006-03-24 53408]
"vptray" = "C: \ PROGRA ~ 1 \ SYMANT ~ 1 \ VPTray.exe" [2006-06-14 124656]
"TPHOTKEY" = "C: \ Program Files \ Lenovo \ Pikanäppäin \ TPOSDSVC.exe" [2007-03-09 66176]
"UpdateManager" = "C: \ Program Files \ Common Files \ Sonic \ Update Manager \ sgtray.exe" [2003-08-18 110592]
"dla" = "C: \ WINDOWS \ system32 \ dla \ tfswctrl.exe" [2005-05-19 127037]
"EZEJMNAP" = "C: \ PROGRA ~ 1 \ ThinkPad \ UTILIT ~ 1 \ EzEjMnAp. Exe" [2007-04-26 243248]
"LPManager" = "C: \ PROGRA ~ 1 \ THINKV ~ 1 \ PrdCtr \ LPMGR.exe" [2007-03-22 120368]
"TVT Scheduler Proxy" = "C: \ Program Files \ Common Files \ Lenovo \ Scheduler \ scheduler_proxy.exe" [2008-03-04 487424]
"TkBellExe" = "C: \ Program Files \ Common Files \ Real \ Update_OB \ realsched.exe" [2008-09-13 185896]
"TrackPointSrv" = "tp4mon.exe" [2004-08-03 C: \ WINDOWS \ system32 \ tp4mon.exe]
"NWTRAY" = "NWTRAY.EXE" [2002-03-12 C: \ WINDOWS \ system32 \ nwtray.exe]
"TpShocks" = "TpShocks.exe" [2007-03-29 C: \ WINDOWS \ system32 \ TpShocks.exe]
[HKEY_USERS \. DEFAULT \ Software \ Microsoft \ Windows \ Cur rentVersion \ Run]
"Communicator" = "C: \ Program Files \ Microsoft Office Communicator \ Communicator.exe" [2005-05-12 4167376]
[HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Windows \ curr entversion \ policies \ system]
"CompatibleRUPSecurity" = 1 (0x1)
[HKEY_USERS \. DEFAULT \ Software \ Microsoft \ Windows \ cur rentversion \ Policies \ Explorer]
"StartMenuLogOff" = 1 (0x1)
[HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Windows NT \ CurrentVersion \ Winlogon \ ilmoitettava \ tpfnf2]
2006-09-06 13:37 34344 C: \ Program Files \ Lenovo \ Pikanäppäin \ notifyf2.dll
[HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Windows NT \ CurrentVersion \ Winlogon \ ilmoitettava \ tphotkey]
2006-12-14 08:06 28672 C: \ Program Files \ Lenovo \ Pikanäppäin \ tphklock.dll
[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ contro l \ Lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwv1_0
[HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Security Center \ Monitoring \ SymantecAntiVirus]
"DisableMonitoring" = dword: 00000001
[HKLM \ ~ \ Services \ sharedaccess \ Parameters \ firewallpo licy \ standardprofile \ AuthorizedApplications \ List]
"% windir% \ \ system32 \ \ sessmgr.exe" =
"C: \ Program Files \ Yahoo! \ \ Messenger \ \ YahooMessenger.exe" =
"C: \ Program Files \ Yahoo! \ \ Messenger \ \ YServer.exe" =
R0 Shockprf; Shockprf, C: \ WINDOWS \ system32 \ DRIVERS \ Apsx 86.sys [2007-03-02 100656]
R0 TPDIGIMN; TPDIGIMN, C: \ WINDOWS \ system32 \ DRIVERS \ ApsH M86.sys [2007-03-02 19760]
R2 smefs; SMEFileSystem, C: \ WINDOWS \ system32 \ drivers \ sm efs.sys [2006-02-08 20508]
R3 CdProbe; CdProbe, C: \ WINDOWS \ system32 \ DRIVERS \ cdprob e.sys [2008-09-21 8416]
R3 smedrv; SMEDriver, C: \ WINDOWS \ system32 \ drivers \ smedr v.sys [2006-02-08 9516]
S2 AppMgSvc; Application Management Service, C: \ Program Files \ Common Files \ Microsoft Shared \ MSINFO \ MsInfo.msi [2008-09-20 430816]
S2 yraebbgi; yraebbgi, C: \ WINDOWS \ system32 \ drivers \ bynp ea.sys []
S2 yrtxzgwh; yrtxzgwh, C: \ WINDOWS \ system32 \ drivers \ rrja ck.sys []
[HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows NT \ CurrentVersion \ Svchost]
wrtxzg REG_MULTI_SZ wrtxzg
nraebb REG_MULTI_SZ nraebb
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main, Start Page = hxxp: / / www.google.com/
O8 -: E & Vie Microsoft Exceliin - C: \ PROGRA ~ 1 \ mikros ~ 2 \ Office11 \ EXCEL.EXE/3000
.
************************************************** ************************
catchme 0.3.1361 W2K/XP/Vista - rootkit / varkain haittaohjelmien detektori on Gmer, http://www.gmer.net
Rootkit scan 2008-09-21 19:35:12
Windows 5.1.2600 Service Pack 2 NTFS
skannaus piilotettu prosessien ...
skannaus piilotettu Autostart merkinnät ...
skannaus piilotetut tiedostot ...
scan loppuun onnistuneesti
piilotetut tiedostot: 0
************************************************** ************************
[HKEY_LOCAL_MACHINE \ System \ ControlSet001 \ Services \ A ppMgSvc]
"ImagePath" = "C: \ Program Files \ Common Files \ Microsoft Shared \ MSINFO \ MsInfo.msi"
.
--------------------- DLL Loaded Under Running Processes ---------------------
PROSESSI: C: \ WINDOWS \ system32 \ Winlogon.exe
-> C: \ Program Files \ Lenovo \ Pikanäppäin \ tphklock.dll
.
------------------------ Other Running Processes ----------------------- --
.
C: \ WINDOWS \ system32 \ ibmpmsvc.exe
C: \ Program Files \ Intel \ Wireless \ Bin \ S24EvMon.exe
C: \ Program Files \ Common Files \ Symantec Shared \ ccSetMgr.exe
C: \ Program Files \ Common Files \ Symantec Shared \ ccEvtMgr.exe
C: \ Program Files \ Common Files \ Symantec Shared \ SPBBC \ SPBBCSvc.exe
C: \ Program Files \ Lavasoft \ Ad-Aware \ aawservice.exe
C: \ _integra \ bin \ shstart.exe
C: \ WINDOWS \ system32 \ igfxsrvc.exe
C: \ Program Files \ Lenovo \ Pikanäppäin \ TPONSCR.exe
C: \ Program Files \ Lenovo \ ZOOM \ TpScrex.exe
C: \ Program Files \ Symantec AntiVirus \ DoScan.exe
C: \ Program Files \ Internet Explorer \ IEXPLORE.EXE
C: \ CENTENN.IAL \ TARKASTUS \ CAgent32.exe
C: \ CENTENN.IAL \ TARKASTUS \ xferwan.exe
C: \ Program Files \ Cisco VPN Client \ cvpnd.exe
C: \ Program Files \ Symantec AntiVirus \ DefWatch.exe
C: \ Program Files \ Intel \ Wireless \ Bin \ EvtEng.exe
C: \ Program Files \ Common Files \ Microsoft Shared \ VS7DEBUG \ MDM.EXE
C: \ Program Files \ Intel \ Wireless \ Bin \ RegSrvc.exe
C: \ Program Files \ Yahoo! \ Messenger \ Ymsgr_tray.exe
C: \ WINDOWS \ system32 \ calc.exe
C: \ Program Files \ Symantec AntiVirus \ SavRoam.exe
C: \ Program Files \ Symantec AntiVirus \ Rtvscan.exe
C: \ Program Files \ Common Files \ Lenovo \ tvt_reg_monitor_svc.exe
C: \ WINDOWS \ system32 \ TPHDEXLG.exe
C: \ Program Files \ Common Files \ Lenovo \ Scheduler \ tvtsched.exe
C: \ _integra \ bin \ ccmagent.exe
C: \ Program Files \ Lenovo \ System Update \ SUService.exe
C: \ WINDOWS \ system32 \ wscntfy.exe
C: \ ComboFix \ pv.cfexe
.
************************************************** ************************
.
Täydennys-aika: 2008-09-21 19:36:58 - kone käynnistettiin uudelleen
ComboFix-karanteenissa-files.txt 2008-09-22 02:36:54
Pre-Run: 64333811712 tavua vapaata
Post-Run: 64523264000 tavua vapaata
175

HijackThis Log
-----------------------------------
Logfile ja Trend Micro HijackThis v2.0.2
Scan tallennettu klo 7:38:41 PM, annettu 9.21.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Käynnissä olevista prosesseista:
C: \ WINDOWS \ System32 \ smss.exe
C: \ WINDOWS \ system32 \ Winlogon.exe
C: \ WINDOWS \ system32 \ Services.exe
C: \ WINDOWS \ system32 \ Lsass.exe
C: \ WINDOWS \ system32 \ ibmpmsvc.exe
C: \ WINDOWS \ system32 \ Svchost.exe
C: \ Program Files \ Intel \ Wireless \ Bin \ S24EvMon.exe
C: \ WINDOWS \ system32 \ Svchost.exe
C: \ Program Files \ Common Files \ Symantec Shared \ ccSetMgr.exe
C: \ Program Files \ Common Files \ Symantec Shared \ ccEvtMgr.exe
C: \ Program Files \ Common Files \ Symantec Shared \ SPBBC \ SPBBCSvc.exe
C: \ Program Files \ Lavasoft \ Ad-Aware \ aawservice.exe
C: \ WINDOWS \ system32 \ spoolsv.exe
c: \ _integra \ bin \ shstart.exe
C: \ WINDOWS \ system32 \ tp4mon.exe
C: \ WINDOWS \ system32 \ igfxtray.exe
C: \ WINDOWS \ system32 \ hkcmd.exe
C: \ WINDOWS \ system32 \ igfxpers.exe
C: \ WINDOWS \ system32 \ NWTRAY.EXE
C: \ Program Files \ Common Files \ Symantec Shared \ ccApp.exe
C: \ PROGRA ~ 1 \ SYMANT ~ 1 \ VPTray.exe
C: \ WINDOWS \ system32 \ igfxsrvc.exe
C: \ Program Files \ Lenovo \ Pikanäppäin \ TPOSDSVC.exe
C: \ WINDOWS \ system32 \ dla \ tfswctrl.exe
C: \ PROGRA ~ 1 \ ThinkPad \ UTILIT ~ 1 \ EzEjMnAp.Exe
C: \ Program Files \ Lenovo \ Pikanäppäin \ TPONSCR.exe
C: \ Program Files \ Lenovo \ Zoom \ TpScrex.exe
C: \ PROGRA ~ 1 \ THINKV ~ 1 \ PrdCtr \ LPMGR.exe
C: \ WINDOWS \ system32 \ TpShocks.exe
C: \ Program Files \ Common Files \ Lenovo \ Scheduler \ scheduler_proxy.exe
C: \ Program Files \ Common Files \ Real \ Update_OB \ realsched.exe
C: \ WINDOWS \ system32 \ Ctfmon.exe
C: \ program files \ Internet Explorer \ IEXPLORE.EXE
C: \ WINDOWS \ system32 \ Svchost.exe
C: \ Centenn.ial \ Audit \ CAgent32.exe
C: \ Centenn.ial \ Audit \ xferwan.exe
C: \ Program Files \ Cisco VPN Client \ cvpnd.exe
C: \ Program Files \ Symantec AntiVirus \ DefWatch.exe
C: \ Program Files \ Intel \ Wireless \ Bin \ EvtEng.exe
C: \ Program Files \ Common Files \ Microsoft Shared \ VS7DEBUG \ MDM.EXE
C: \ Program Files \ Intel \ Wireless \ Bin \ RegSrvc.exe
C: \ Program Files \ Yahoo! \ Messenger \ ymsgr_tray.exe
C: \ WINDOWS \ system32 \ calc.exe
C: \ Program Files \ Symantec AntiVirus \ SavRoam.exe
C: \ Program Files \ Symantec AntiVirus \ Rtvscan.exe
C: \ Program Files \ Common Files \ Lenovo \ tvt_reg_monitor_svc.exe
C: \ WINDOWS \ System32 \ TPHDEXLG.exe
C: \ Program Files \ Common Files \ Lenovo \ Scheduler \ tvtsched.exe
c: \ _integra \ bin \ ccmagent.exe
c: \ program files \ Lenovo \ System Update \ suservice.exe
C: \ WINDOWS \ system32 \ wscntfy.exe
C: \ WINDOWS \ system32 \ wuauclt.exe
C: \ WINDOWS \ system32 \ wuauclt.exe
C: \ WINDOWS \ Explorer.exe
C: \ Program Files \ Trend Micro \ HijackThis \ HijackThis.exe
R1 - HKLM \ Software \ Microsoft \ Internet Explorer \ Main, Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM \ Software \ Microsoft \ Internet Explorer \ Main, Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM \ Software \ Microsoft \ Internet Explorer \ Main, Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - (06849E9F-C8D7-4D59-B87D-784B7D6BE0B3) - C: \ Program Files \ Adobe \ Acrobat 7.0 \ ActiveX \ AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - (5CA3D70E-1895-11CF-8E15-001234567890) - C: \ WINDOWS \ system32 \ dla \ tfswshx.dll
O4 - HKLM \ .. \ Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM \ .. \ Run: [IgfxTray] C: \ WINDOWS \ system32 \ igfxtray.exe
O4 - HKLM \ .. \ Run: [HotKeysCmds] C: \ WINDOWS \ system32 \ hkcmd.exe
O4 - HKLM \ .. \ Run: [Persistence] C: \ WINDOWS \ system32 \ igfxpers.exe
O4 - HKLM \ .. \ Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM \ .. \ Run: [ccApp] "C: \ Program Files \ Common Files \ Symantec Shared \ ccApp.exe"
O4 - HKLM \ .. \ Run: [vptray] C: \ PROGRA ~ 1 \ SYMANT ~ 1 \ VPTray.exe
O4 - HKLM \ .. \ Run: [TPHOTKEY] C: \ Program Files \ Lenovo \ Pikanäppäin \ TPOSDSVC.exe
O4 - HKLM \ .. \ Run: [UpdateManager] "C: \ Program Files \ Common Files \ Sonic \ Update Manager \ sgtray.exe" / r
O4 - HKLM \ .. \ Run: [dla] C: \ WINDOWS \ system32 \ dla \ tfswctrl.exe
O4 - HKLM \ .. \ Run: [EZEJMNAP] C: \ PROGRA ~ 1 \ ThinkPad \ UTILIT ~ 1 \ EzEjMnAp.Exe
O4 - HKLM \ .. \ Run: [LPManager] C: \ PROGRA ~ 1 \ THINKV ~ 1 \ PrdCtr \ LPMGR.exe
O4 - HKLM \ .. \ Run: [TpShocks] TpShocks.exe
O4 - HKLM \ .. \ Run: [TVT Scheduler Proxy] C: \ Program Files \ Common Files \ Lenovo \ Scheduler \ scheduler_proxy.exe
O4 - HKLM \ .. \ Run: [TkBellExe] "C: \ Program Files \ Common Files \ Real \ Update_OB \ realsched.exe"-osboot
O4 - HKCU \ .. \ Run: [Ctfmon.exe] C: \ WINDOWS \ system32 \ Ctfmon.exe
O4 - HKCU \ .. \ Run: [Yahoo! Hakulaite] "C: \ Program Files \ Yahoo! \ Messenger \ YahooMessenger.exe"-quiet
O4 - HKUS \ S-1-5-19 \ .. \ Run: [Communicator] "C: \ Program Files \ Microsoft Office Communicator \ Communicator.exe" (User 'LOCAL SERVICE')
O4 - HKUS \ S-1-5-20 \ .. \ Run: [Communicator] "C: \ Program Files \ Microsoft Office Communicator \ Communicator.exe" (User 'NETWORK SERVICE')
O4 - HKUS \ S-1-5-18 \ .. \ Run: [Communicator] "C: \ Program Files \ Microsoft Office Communicator \ Communicator.exe" (User 'SYSTEM')
O4 - HKUS \. DEFAULT \ .. \ Run: [Communicator] "C: \ Program Files \ Microsoft Office Communicator \ Communicator.exe" (User 'Default user')
O8 - Extra yhteydessä valikkotoimintoa: E & Vie Microsoft Excel - res: / / C: \ PROGRA ~ 1 \ mikros ~ 2 \ Office11 \ EXCEL.EXE/3000
O9 - Extra button: Research - (92780B25-18CC-41C8-B9BE-3C9C571A8263) - C: \ PROGRA ~ 1 \ mikros ~ 2 \ Office11 \ REFIEBAR.DLL
O9 - Extra button: @ C: \ Program Files \ Messenger \ Msgslang.dll, -61144 - (FB5F1910-F110-11D2-BB9E-00C04F795683) - C: \ Program Files \ Messenger \ msmsgs.exe
O9 - Extra 'Tools' menuitem: @ C: \ Program Files \ Messenger \ Msgslang.dll, -61144 - (FB5F1910-F110-11D2-BB9E-00C04F795683) - C: \ Program Files \ Messenger \ msmsgs.exe
O16 - DPF: (215B8138-A3CF-44C5-803F-8226143CFC0A) (Trend Micro ActiveX Scan Agent 6.6) -- http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O17 - HKLM \ System \ CCS \ Services \ Tcpip \ .. \ (B8E7B489-2160-4DE7-B592-9FD03D16CC74): Domain = keane.com
O17 - HKLM \ System \ CCS \ Services \ Tcpip \ .. \ (D239A412-22C2-4683-95BC-1FFAA687D0DF): NameServer = 172.21.18.101,172.21.18.102
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C: \ Program Files \ Lavasoft \ Ad-Aware \ aawservice.exe
O23 - Service: Application Management Service (AppMgSvc) - Unknown owner - C: \ Program.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C: \ Program Files \ Common Files \ Symantec Shared \ ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C: \ Program Files \ Common Files \ Symantec Shared \ ccSetMgr.exe
O23 - Service: CentennialClientAgent - Centennial Software Limited - C: \ Centenn.ial \ Audit \ CAgent32.exe
O23 - Service: CentennialIPTransferAgent - Centennial Software Limited - C: \ Centenn.ial \ Audit \ xferwan.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C: \ WINDOWS \ system32 \ cusrvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C: \ Program Files \ Cisco VPN Client \ cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C: \ Program Files \ Symantec AntiVirus \ DefWatch.exe
O23 - Service: Intel (R) PROSet / Wireless Event Log (EvtEng) - Intel Corporation - C: \ Program Files \ Intel \ Wireless \ Bin \ EvtEng.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C: \ WINDOWS \ system32 \ ibmpmsvc.exe
O23 - Service: LiveUpdaten - Symantec Corporation - C: \ PROGRA ~ 1 \ Symantec \ LIVEUP ~ 1 \ LUCOMS ~ 1.EXE
O23 - Service: Intel (R) PROSet / Wireless Registry Service (RegSrvc) - Intel Corporation - C: \ Program Files \ Intel \ Wireless \ Bin \ RegSrvc.exe
O23 - Service: Intel (R) PROSet / Wireless Service (S24EventMonitor) - Intel Corporation - C: \ Program Files \ Intel \ Wireless \ Bin \ S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - Symantec - C: \ Program Files \ Symantec AntiVirus \ SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C: \ Program Files \ Common Files \ Symantec Shared \ SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C: \ Program Files \ Common Files \ Symantec Shared \ SPBBC \ SPBBCSvc.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - c: \ program files \ Lenovo \ System Update \ suservice.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C: \ Program Files \ Symantec AntiVirus \ Rtvscan.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C: \ Program Files \ Common Files \ Lenovo \ tvt_reg_monitor_svc.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C: \ WINDOWS \ System32 \ TPHDEXLG.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C: \ Program Files \ Common Files \ Lenovo \ Scheduler \ tvtsched.exe
O23 - Service: Symantec LiveState Agent for Windows (WControl) - Symantec Corporation - c: \ _integra \ bin \ ccmagent.exe
--
End of file - 8581 bytes

**evilfantasy** · #8 21. Sep 2008, 21:24

Huom: seuraavat ohjeet on luotu erityisesti tälle käyttäjälle. Jos et ole tämän käyttäjän, ÄLÄ noudattaa näitä ohjeita, koska ne saattavat vahingoittaa toimintaa järjestelmän

Poista nämä tiedostot / kansiot, seuraavasti:

1. Siirry Alku > Juosta > Tyyppi Notepad.exe ja napsauta OK Avaa Muistio.
Se täytyä on Muistiossa ei Wordpad.
2. Kopioi teksti jäljempänä koodi ruutuun korostamalla kaiken tekstin ja painamalla Ctrl + C

Code:

Killall:: Driver: BHSRV BHsrv File:: C: \ WINDOWS \ system32 \ bynpea.key C: \ WINDOWS \ system32 \ 004fdb9.imi C: \ WINDOWS \ system32 \ _Bhsrv.msi C: \ WINDOWS \ system32 \ rrjack. keskeinen C: \ WINDOWS \ system32 \ 0048444.imi C: \ WINDOWS \ system32 \ drivers \ bynpea.sys C: \ WINDOWS \ system32 \ drivers \ rrjack.sys C: \ WINDOWS \ system32 \ calc.exe

3. Go to Notepadia ikkunasta ja napsauta Muokkaa > Liitä
4. Valitse sitten Tiedosto > Tallentaa
5. Nimeä tiedosto CFScript.txt - Tallenna tiedosto Desktop
6. Vedä CFScript (Pidä vasenta hiiren painiketta, kun vetämällä tiedosto) ja pudottaa sen (vapauta hiiren vasen painike) osaksi ComboFix.exe kuten näette kuvakaappaus alla. Tärkeää: Tehdään tämä ohje huolellisesti!

ComboFix alkaa toteuttaa, seuraa ohjeita.
After reboot (jos se kysyy käynnistää), se tuottaa lokin sinulle.
Post että log (Combofix.txt) näkyy seuraavassa vastausta.

Huom: Älä mouseclick ComboFix ikkunassa, kun se on käynnissä. Tämä voi aiheuttaa järjestelmän jäätyä

nitingaur · #9 21. Sep 2008, 22:20

ComboFix loki ajamisen jälkeen CFSCript
-------------------------------------------------- --------
ComboFix 08-09-20.05 - 012466 2008-09-21 22:11:45.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.598 [GMT -7:00]
Running from: C: \ Keanetools \ ComboFix.exe
Command valitsimia käytetään:: C: \ Documents and Settings \012466 \ Desktop \ CFScript.txt
* Luonut uuden palautuspisteen
VAROITUS-Tämä kone ei ole RECOVERY CONSOLE asennettuna!
FILE::
C: \ WINDOWS \ system32 \ _Bhsrv.msi
C: \ WINDOWS \ system32 \0048444.imi
C: \ WINDOWS \ system32 \004fdb9.imi
C: \ WINDOWS \ system32 \ bynpea.key
C: \ WINDOWS \ system32 \ calc.exe
C: \ WINDOWS \ system32 \ drivers \ bynpea.sys
C: \ WINDOWS \ system32 \ drivers \ rrjack.sys
C: \ WINDOWS \ system32 \ rrjack.key
.
((((((((((((((((((((((((((((((((((((((( Muut Poistetut ))))))))) ))))))))))))))))))))))))))))))))))))))))
.
C: \ WINDOWS \ system32 \ _Bhsrv.msi
C: \ WINDOWS \ system32 \0048444.imi
C: \ WINDOWS \ system32 \004fdb9.imi
C: \ WINDOWS \ system32 \ bynpea.key
C: \ WINDOWS \ system32 \ calc.exe
C: \ WINDOWS \ system32 \ rrjack.key
.
((((((((((((((((((((((((( Files luotu 2008-08-22 ja 2008-09-22 ))))))))))) ))))))))))))))))))))
.
2008-09-21 18:09. 2008-09-21 18:10 <DIR> d -------- C: \ Program Files \ Malwarebytes' Anti-Malware
2008-09-21 18:09. 2008-09-21 18:09 <DIR> d -------- C: \ Documents and Settings \ All Users \ Application Data \ Malwarebytes
2008-09-21 18:09. 2008-09-21 18:09 <DIR> d -------- C: \ Documents and Settings \012466 \ Application Data \ Malwarebytes
2008-09-21 18:09. 2008-09-10 00:04 38.528 - a ------ C: \ WINDOWS \ system32 \ drivers \ mbamswissarmy.sys
2008-09-21 18:09. 2008-09-10 00:03 17.200 - a ------ C: \ WINDOWS \ system32 \ drivers \ mbam.sys
2008-09-21 11:07. 2008-09-21 11:07 <DIR> d -------- C: \ Program Files \ Lavasoft
2008-09-21 11:07. 2008-09-21 11:08 <DIR> d -------- C: \ Documents and Settings \ All Users \ Application Data \ Lavasoft
2008-09-21 11:06. 2008-09-21 11:06 <DIR> d -------- C: \ Program Files \ Common Files \ Wise Installation Wizard
2008-09-20 23:40. 2008-09-20 23:40 <DIR> d -------- C: \ Program Files \ Trend Micro
2008-09-19 09:03. 2008-09-19 09:08 <DIR> d -------- C: \ WINDOWS \ SxsCaPendDel
2008-09-19 00:49. 2008-09-19 00:52 <DIR> d -------- C: \ Documents and Settings \012466 \. Housecall6.6
2008-09-19 00:27. 2008-09-19 09:04 <DIR> da ------ C: \ Documents and Settings \ All Users \ Application Data \ TEMP
2008-09-18 20:25. 2002-02-04 06:22 1.230.336 - a ------ C: \ WINDOWS \ system32 \ Msxml4.dll
2008-09-18 20:25. 2007-09-14 05:01 922.920 --------- C: \ WINDOWS \ system32 \ ahlprun.exe
2008-09-18 20:25. 2002-02-04 06:13 82.432 - a ------ C: \ WINDOWS \ system32 \ msxml4r.dll
2008-09-18 20:25. 2002-02-04 06:13 44.544 - a ------ C: \ WINDOWS \ system32 \ msxml4a.dll
2008-09-18 20:25. 2002-02-07 18:43 9.679 - a ------ C: \ WINDOWS \ system32 \ msxml4r.cat
2008-09-18 20:25. 2002-02-07 18:43 9.675 - a ------ C: \ WINDOWS \ system32 \ msxml4.cat
2008-09-18 20:25. 2002-02-06 20:31 3.489 - a ------ C: \ WINDOWS \ system32 \ msxml4.Manifest
2008-09-18 20:25. 2002-02-06 20:31 500 - a ------ C: \ WINDOWS \ system32 \ msxml4r.Manifest
2008-09-18 20:21. 2008-09-18 20:21 <DIR> d -------- C: \ Program Files \ Common Files \ Lenovo
2008-09-13 19:27. 2008-09-13 19:27 24 - a ------ C: \ WINDOWS \ cdplayer.ini
2008-09-13 19:26. 2008-09-13 19:26 <DIR> d -------- C: \ Program Files \ Real
2008-09-13 19:26. 2008-09-13 19:26 <DIR> d -------- C: \ Program Files \ Common Files \ Xing jaetun
2008-09-13 19:26. 2008-09-13 19:26 <DIR> d -------- C: \ Program Files \ Common Files \ Real
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))) ))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-22 05:14 8.416 ---- aw C: \ WINDOWS \ system32 \ drivers \ CDProbe.SYS
2008-09-22 05:14 16 - sh - r C: \ MSCIOTL.SYS
2008-09-22 05:14 --------- d ----- w C: \ Program Files \ Symantec AntiVirus
2008-09-22 03:07 --------- d ----- w C: \ Program Files \ Cisco VPN-client
2008-09-20 19:26 430.816 - sh - w C: \ Program Files \ _MsInfo.msi
2008-09-19 03:25 --------- d - h - w C: \ Program Files \ InstallShield Installation Information
2008-09-19 03:25 --------- d ----- w C: \ Program Files \ ThinkVantage
2008-09-19 03:21 --------- d ----- w C: \ Program Files \ Lenovo
.
((((((((((((((((((((((((((((( Snapshot@2008-09-21_19.36.38.64 )))))))))) )))))))))))))))))))))))))))))))
.
- 2008-09-21 18:59:45 71.370 ---- aw C: \ WINDOWS \ system32 \ perfc009.dat
+ 2008-09-22 02:39:43 71.370 ---- aw C: \ WINDOWS \ system32 \ perfc009.dat
- 2008-09-21 18:59:45 439.832 ---- aw C: \ WINDOWS \ system32 \ perfh009.dat
+ 2008-09-22 02:39:43 439.832 ---- aw C: \ WINDOWS \ system32 \ perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))) ))))))))))))))))))))))))))))))))))))))))
.
.
* Note * empty entries & legit default merkinnät eivät näy
REGEDIT4
[HKEY_CURRENT_USER \ SOFTWARE \ Microsoft \ Windows \ Curre ntVersion \ Run]
"Ctfmon.exe" = "C: \ WINDOWS \ system32 \ Ctfmon.exe" [2004-08-04 15360]
"Yahoo! Hakulaite" = "C: \ Program Files \ Yahoo! \ Messenger \ YahooMessenger.exe" [2007-08-30 4670704]
[HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ curr entVersion \ Run]
"IgfxTray" = "C: \ WINDOWS \ system32 \ igfxtray.exe" [2007-08-15 141848]
"HotKeysCmds" = "C: \ WINDOWS \ system32 \ hkcmd.exe" [2007-08-15 162328]
"Persistence" = "C: \ WINDOWS \ system32 \ igfxpers.ex e" [2007-08-15 137752]
"ccApp" = "C: \ Program Files \ Common Files \ Symantec Shared \ ccApp.exe" [2006-03-24 53408]
"vptray" = "C: \ PROGRA ~ 1 \ SYMANT ~ 1 \ VPTray.exe" [2006-06-14 124656]
"TPHOTKEY" = "C: \ Program Files \ Lenovo \ Pikanäppäin \ TPOSDSVC.exe" [2007-03-09 66176]
"UpdateManager" = "C: \ Program Files \ Common Files \ Sonic \ Update Manager \ sgtray.exe" [2003-08-18 110592]
"dla" = "C: \ WINDOWS \ system32 \ dla \ tfswctrl.exe" [2005-05-19 127037]
"EZEJMNAP" = "C: \ PROGRA ~ 1 \ ThinkPad \ UTILIT ~ 1 \ EzEjMnAp. Exe" [2007-04-26 243248]
"LPManager" = "C: \ PROGRA ~ 1 \ THINKV ~ 1 \ PrdCtr \ LPMGR.exe" [2007-03-22 120368]
"TVT Scheduler Proxy" = "C: \ Program Files \ Common Files \ Lenovo \ Scheduler \ scheduler_proxy.exe" [2008-03-04 487424]
"TkBellExe" = "C: \ Program Files \ Common Files \ Real \ Update_OB \ realsched.exe" [2008-09-13 185896]
"TrackPointSrv" = "tp4mon.exe" [2004-08-03 C: \ WINDOWS \ system32 \ tp4mon.exe]
"NWTRAY" = "NWTRAY.EXE" [2002-03-12 C: \ WINDOWS \ system32 \ nwtray.exe]
"TpShocks" = "TpShocks.exe" [2007-03-29 C: \ WINDOWS \ system32 \ TpShocks.exe]
[HKEY_USERS \. DEFAULT \ Software \ Microsoft \ Windows \ Cur rentVersion \ Run]
"Communicator" = "C: \ Program Files \ Microsoft Office Communicator \ Communicator.exe" [2005-05-12 4167376]
[HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Windows \ curr entversion \ policies \ system]
"CompatibleRUPSecurity" = 1 (0x1)
[HKEY_USERS \. DEFAULT \ Software \ Microsoft \ Windows \ cur rentversion \ Policies \ Explorer]
"StartMenuLogOff" = 1 (0x1)
[HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Windows NT \ CurrentVersion \ Winlogon \ ilmoitettava \ tpfnf2]
2006-09-06 13:37 34344 C: \ Program Files \ Lenovo \ Pikanäppäin \ notifyf2.dll
[HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Windows NT \ CurrentVersion \ Winlogon \ ilmoitettava \ tphotkey]
2006-12-14 08:06 28672 C: \ Program Files \ Lenovo \ Pikanäppäin \ tphklock.dll
[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ contro l \ Lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwv1_0
[HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Security Center \ Monitoring \ SymantecAntiVirus]
"DisableMonitoring" = dword: 00000001
[HKLM \ ~ \ Services \ sharedaccess \ Parameters \ firewallpo licy \ standardprofile \ AuthorizedApplications \ List]
"% windir% \ \ system32 \ \ sessmgr.exe" =
"C: \ Program Files \ Yahoo! \ \ Messenger \ \ YahooMessenger.exe" =
"C: \ Program Files \ Yahoo! \ \ Messenger \ \ YServer.exe" =
R0 Shockprf; Shockprf, C: \ WINDOWS \ system32 \ DRIVERS \ Apsx 86.sys [2007-03-02 100656]
R0 TPDIGIMN; TPDIGIMN, C: \ WINDOWS \ system32 \ DRIVERS \ ApsH M86.sys [2007-03-02 19760]
R2 smefs; SMEFileSystem, C: \ WINDOWS \ system32 \ drivers \ sm efs.sys [2006-02-08 20508]
R3 CdProbe; CdProbe, C: \ WINDOWS \ system32 \ DRIVERS \ cdprob e.sys [2008-09-21 8416]
R3 smedrv; SMEDriver, C: \ WINDOWS \ system32 \ drivers \ smedr v.sys [2006-02-08 9516]
S2 AppMgSvc; Application Management Service, C: \ Program Files \ Common Files \ Microsoft Shared \ MSINFO \ MsInfo.msi [2008-09-20 430816]
S2 yraebbgi; yraebbgi, C: \ WINDOWS \ system32 \ drivers \ bynp ea.sys []
S2 yrtxzgwh; yrtxzgwh, C: \ WINDOWS \ system32 \ drivers \ rrja ck.sys []
[HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows NT \ CurrentVersion \ Svchost]
wrtxzg REG_MULTI_SZ wrtxzg
nraebb REG_MULTI_SZ nraebb
.
************************************************** ************************
catchme 0.3.1361 W2K/XP/Vista - rootkit / varkain haittaohjelmien detektori on Gmer, http://www.gmer.net
Rootkit scan 2008-09-21 22:16:04
Windows 5.1.2600 Service Pack 2 NTFS
skannaus piilotettu prosessien ...
skannaus piilotettu Autostart merkinnät ...
skannaus piilotetut tiedostot ...

C: \ WINDOWS \ system32 \ calc.exe
scan loppuun onnistuneesti
piilotetut tiedostot: 1
************************************************** ************************
[HKEY_LOCAL_MACHINE \ System \ ControlSet001 \ Services \ A ppMgSvc]
"ImagePath" = "C: \ Program Files \ Common Files \ Microsoft Shared \ MSINFO \ MsInfo.msi"
.
--------------------- DLL Loaded Under Running Processes ---------------------
PROSESSI: C: \ WINDOWS \ system32 \ Winlogon.exe
-> C: \ Program Files \ Lenovo \ Pikanäppäin \ tphklock.dll
.
------------------------ Other Running Processes ----------------------- --
.
C: \ WINDOWS \ system32 \ ibmpmsvc.exe
C: \ Program Files \ Intel \ Wireless \ Bin \ S24EvMon.exe
C: \ Program Files \ Common Files \ Symantec Shared \ ccSetMgr.exe
C: \ Program Files \ Common Files \ Symantec Shared \ ccEvtMgr.exe
C: \ Program Files \ Common Files \ Symantec Shared \ SPBBC \ SPBBCSvc.exe
C: \ Program Files \ Lavasoft \ Ad-Aware \ aawservice.exe
C: \ Program Files \ Internet Explorer \ IEXPLORE.EXE
C: \ CENTENN.IAL \ TARKASTUS \ CAgent32.exe
C: \ CENTENN.IAL \ TARKASTUS \ xferwan.exe
C: \ Program Files \ Cisco VPN Client \ cvpnd.exe
C: \ Program Files \ Symantec AntiVirus \ DefWatch.exe
C: \ Program Files \ Intel \ Wireless \ Bin \ EvtEng.exe
C: \ Program Files \ Common Files \ Microsoft Shared \ VS7DEBUG \ MDM.EXE
C: \ Program Files \ Intel \ Wireless \ Bin \ RegSrvc.exe
C: \ Program Files \ Symantec AntiVirus \ SavRoam.exe
C: \ Program Files \ Symantec AntiVirus \ Rtvscan.exe
C: \ Program Files \ Common Files \ Lenovo \ tvt_reg_monitor_svc.exe
C: \ WINDOWS \ system32 \ TPHDEXLG.exe
C: \ Program Files \ Common Files \ Lenovo \ Scheduler \ tvtsched.exe
C: \ _integra \ bin \ ccmagent.exe
C: \ Program Files \ Lenovo \ System Update \ SUService.exe
C: \ _integra \ bin \ shstart.exe
C: \ WINDOWS \ system32 \ igfxsrvc.exe
C: \ Program Files \ Lenovo \ Pikanäppäin \ TPONSCR.exe
C: \ Program Files \ Lenovo \ ZOOM \ TpScrex.exe
C: \ Program Files \ Symantec AntiVirus \ DoScan.exe
C: \ Program Files \ Yahoo! \ Messenger \ Ymsgr_tray.exe
C: \ ComboFix \ pv.cfexe
.
************************************************** ************************
.
Täydennys-aika: 2008-09-21 22:17:28 - kone käynnistettiin uudelleen
ComboFix-karanteenissa-files.txt 2008-09-22 05:17:23
ComboFix2.txt 2008-09-22 02:36:59
Pre-Run: 64509464576 tavua vapaata
Post-Run: 64505421824 tavua vapaata
181

**evilfantasy** · #10 21. Sep 2008, 22:26

Ladata OTMoveIt2 jonka Oldtimerja tallenna se Desktop.

Huom: Jos olet käynnissä Vista, oikea-klikkaa OTMoveIt2.exe ja valitse Suorita järjestelmänvalvojana.

1. Kaksoisnapsauta OTMoveIt2.exe suorittaa sen.
2. Kopioi rivit on codebox alla.

Code:

[tappaa explorer] C: \ WINDOWS \ system32 \ calc.exe HKEY_LOCAL_MACHINE \ System \ ControlSet001 \ Services \ AppMgSvc EmptyTemp [aloittaa Explorer]

3. Palaa OTMoveIt2 oikeassa napsauttamalla on Liitä Luettelo tiedostot / kansiot Siirrä ikkuna (alle keltainen bar) ja valitse Liitä
4. Napsauta punaista Moveit! painiketta.
5. Kopioi kaikki Tulokset-ikkunassa (mukaisesti vihreä palkki) ja liitä se näkyy seuraavassa vastausta.
6. Sulje OTMoveIt2

Huomautus: Jos tiedostoa tai kansiota ei voi siirtää välittömästi voidaan pyytää käynnistää tietokone uudelleen, jotta voidaan lopettaa Muuttuva prosessi. Jos tietokone kehotetaan käynnistämään uudelleen, valitse Kyllä. Jos ei, uudelleenkäynnistä anyway.

Thread Tools
Näytä Tulostettava versio Lähetä tämä sivu