IEXPLORER.EXE vīruss pls pārskats HiJack log

nitingaur · #1 Septembris 21, 2008, 12:02

Logfile of Trend Micro HijackThis v2.0.2
Scan saglabāts 12:01:37, uz 9/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running procesiem:
C: \ WINDOWS \ System32 \ Smss.exe
C: \ WINDOWS \ system32 \ csrss.exe
C: \ WINDOWS \ system32 \ winlogon.exe
C: \ WINDOWS \ system32 \ services.exe
C: \ WINDOWS \ system32 \ lsass.exe
C: \ WINDOWS \ system32 \ ibmpmsvc.exe
C: \ WINDOWS \ system32 \ svchost.exe
C: \ WINDOWS \ system32 \ svchost.exe
C: \ Program Files \ Intel \ Bezvadu \ Bin \ S24EvMon.exe
C: \ WINDOWS \ system32 \ svchost.exe
C: \ WINDOWS \ system32 \ svchost.exe
C: \ WINDOWS \ system32 \ svchost.exe
C: \ Program Files \ Common Files \ Symantec Shared \ ccSetMgr.exe
C: \ Program Files \ Common Files \ Symantec Shared \ ccEvtMgr.exe
C: \ Program Files \ Common Files \ Symantec Shared \ SPBBC \ SPBBCSvc.exe
C: \ Program Files \ Lavasoft \ Ad-Aware \ aawservice.exe
C: \ WINDOWS \ system32 \ Spoolsv.exe
C: \ WINDOWS \ system32 \ svchost.exe
C: \ Centenn.ial \ Audit \ CAgent32.exe
C: \ Centenn.ial \ Audit \ xferwan.exe
C: \ Program Files \ Cisco VPN klients \ cvpnd.exe
C: \ Program Files \ Symantec AntiVirus \ DefWatch.exe
C: \ Program Files \ Intel \ Bezvadu \ Bin \ EvtEng.exe
C: \ Program Files \ Common Files \ Microsoft Shared \ VS7DEBUG \ MDM.EXE
C: \ Program Files \ Intel \ Bezvadu \ Bin \ RegSrvc.exe
C: \ Program Files \ Symantec AntiVirus \ SavRoam.exe
C: \ Program Files \ Symantec AntiVirus \ Rtvscan.exe
C: \ Program Files \ Common Files \ Lenovo \ tvt_reg_monitor_svc.exe
C: \ WINDOWS \ System32 \ TPHDEXLG.exe
C: \ Program Files \ Common Files \ Lenovo \ plānotājs \ tvtsched.exe
c: \ _integra \ bin \ ccmagent.exe
c: \ Program Files \ LENOVO \ sistēmas atjaunināšanas \ suservice.exe
C: \ WINDOWS \ System32 \ alg.exe
C: \ WINDOWS \ system32 \ calc.exe
C: \ WINDOWS \ system32 \ calc.exe
c: \ _integra \ bin \ shstart.exe
C: \ Windows \ Explorer.exe
C: \ WINDOWS \ system32 \ tp4mon.exe
C: \ WINDOWS \ system32 \ igfxtray.exe
C: \ WINDOWS \ system32 \ hkcmd.exe
C: \ WINDOWS \ system32 \ igfxpers.exe
C: \ WINDOWS \ system32 \ NWTRAY.EXE
C: \ Program Files \ Common Files \ Symantec Shared \ ccApp.exe
C: \ PROGRA ~ 1 \ SYMANT ~ 1 \ VPTray.exe
C: \ Program Files \ Lenovo \ Hotkey \ TPOSDSVC.exe
C: \ WINDOWS \ system32 \ igfxsrvc.exe
C: \ WINDOWS \ system32 \ dla \ tfswctrl.exe
C: \ PROGRA ~ 1 \ ThinkPad \ UTILIT ~ 1 \ EzEjMnAp.Exe
C: \ PROGRA ~ 1 \ THINKV ~ 1 \ PrdCtr \ LPMGR.exe
C: \ WINDOWS \ system32 \ TpShocks.exe
C: \ Program Files \ Lenovo \ Hotkey \ TPONSCR.exe
C: \ Program Files \ Common Files \ Lenovo \ plānotājs \ scheduler_proxy.exe
C: \ Program Files \ Lenovo \ Zoom \ TpScrex.exe
C: \ Program Files \ Common Files \ Real \ Update_OB \ realsched.exe
C: \ WINDOWS \ system32 \ ctfmon.exe
C: \ Program Files \ Yahoo! \ Messenger \ ymsgr_tray.exe
C: \ WINDOWS \ system32 \ taskmgr.exe
C: \ Program Files \ Internet Explorer \ iexplore.exe
C: \ Program Files \ Internet Explorer \ iexplore.exe
C: \ Program Files \ Internet Explorer \ iexplore.exe
C: \ WINDOWS \ system32 \ wuauclt.exe
C: \ WINDOWS \ system32 \ wbem \ wmiprvse.exe
C: \ Program Files \ Trend Micro \ HijackThis \ HijackThis.exe
C: \ WINDOWS \ system32 \ wbem \ wmiprvse.exe
F2 - REG: SYSTEM.INI: Userinit = c: \ windows \ system32 \ userinit.exe, c: \ _inte Gra \ bin \ shstart.exe
O2 - BHO: AcroIEHlprObj Class - (06849E9F-C8D7-4D59-B87D-784B7D6BE0B3) - C: \ Program Files \ Adobe \ Acrobat 7,0 \ ActiveX \ AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - (5CA3D70E-1895-11CF-8E15-001234567890) - C: \ WINDOWS \ system32 \ dla \ tfswshx.dll
O4 - HKLM \ .. \ Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM \ .. \ Run: [IgfxTray] C: \ WINDOWS \ system32 \ igfxtray.exe
O4 - HKLM \ .. \ Run: [HotKeysCmds] C: \ WINDOWS \ system32 \ hkcmd.exe
O4 - HKLM \ .. \ Run: [noturīgums] C: \ WINDOWS \ system32 \ igfxpers.exe
O4 - HKLM \ .. \ Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM \ .. \ Run: [ccApp] "C: \ Program Files \ Common Files \ Symantec Shared \ ccApp.exe"
O4 - HKLM \ .. \ Run: [vptray] C: \ PROGRA ~ 1 \ SYMANT ~ 1 \ VPTray.exe
O4 - HKLM \ .. \ Run: [TPHOTKEY] C: \ Program Files \ Lenovo \ Hotkey \ TPOSDSVC.exe
O4 - HKLM \ .. \ Run: [UpdateManager] "C: \ Program Files \ Common Files \ Sonic \ Update Manager \ sgtray.exe" / r
O4 - HKLM \ .. \ Run: [dla] C: \ WINDOWS \ system32 \ dla \ tfswctrl.exe
O4 - HKLM \ .. \ Run: [EZEJMNAP] C: \ PROGRA ~ 1 \ ThinkPad \ UTILIT ~ 1 \ EzEjMnAp.Exe
O4 - HKLM \ .. \ Run: [LPManager] C: \ PROGRA ~ 1 \ THINKV ~ 1 \ PrdCtr \ LPMGR.exe
O4 - HKLM \ .. \ Run: [TpShocks] TpShocks.exe
O4 - HKLM \ .. \ Run: [TVT plānotājs Proxy] C: \ Program Files \ Common Files \ Lenovo \ plānotājs \ scheduler_proxy.exe
O4 - HKLM \ .. \ Run: [TkBellExe] "C: \ Program Files \ Common Files \ Real \ Update_OB \ realsched.exe"-osboot
O4 - HKCU \ .. \ Run: [ctfmon.exe] C: \ WINDOWS \ system32 \ ctfmon.exe
O4 - HKCU \ .. \ Run: [Yahoo! Peidžeri] "C: \ Program Files \ Yahoo! \ Messenger \ YahooMessenger.exe"-kluss
O4 - HKUS \ S-1-5-19 \ .. \ Run: [Communicator] "C: \ Program Files \ Microsoft Office Communicator \ Communicator.exe" (User 'LOCAL SERVICE')
O4 - HKUS \ S-1-5-20 \ .. \ Run: [Communicator] "C: \ Program Files \ Microsoft Office Communicator \ Communicator.exe" (User 'NETWORK SERVICE')
O4 - HKUS \ S-1-5-18 \ .. \ Run: [Communicator] "C: \ Program Files \ Microsoft Office Communicator \ Communicator.exe" (User "SISTĒMA")
O4 - HKUS \. DEFAULT \ .. \ Run: [Communicator] "C: \ Program Files \ Microsoft Office Communicator \ Communicator.exe" (User 'Default user')
Ø8 - ārpus konteksta menu item: E & ksportēt uz Microsoft Excel - res: / / C: \ PROGRA ~ 1 \ Micros ~ 2 \ Office11 \ EXCEL.EXE/3000
Ø9 - Extra button: Research - (92780B25-18CC-41C8-B9BE-3C9C571A8263) - C: \ PROGRA ~ 1 \ Micros ~ 2 \ Office11 \ REFIEBAR.DLL
Ø9 - Extra button: @ C: \ Program Files \ Messenger \ Msgslang.dll, -61.144 - (FB5F1910-F110-11d2-BB9E-00C04F795683) - C: \ Program Files \ Messenger \ msmsgs.exe
Ø9 - Extra 'Tools' MENUITEM: @ C: \ Program Files \ Messenger \ Msgslang.dll, -61.144 - (FB5F1910-F110-11d2-BB9E-00C04F795683) - C: \ Program Files \ Messenger \ msmsgs.exe
Ø16 - DPF: (215B8138-A3CF-44C5-803F-8226143CFC0A) (Trend Micro ActiveX Scan Agent 6.6) -- http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
Ø17 - HKLM \ System \ CCS \ Services \ Tcpip \ .. \ (B8E7B489-2160-4DE7-B592-9FD03D16CC74): Domain = keane.com
O23 - Service: Lavasoft Ad-Aware dienests (aawservice) - Lavasoft - C: \ Program Files \ Lavasoft \ Ad-Aware \ aawservice.exe
O23 - Service: Application Management Service (AppMgSvc) - Unknown īpašnieks - C: \ Program.exe (file missing)
O23 - Service: BHCP Service (BHsrv) - Unknown īpašnieks - C: \ Program.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C: \ Program Files \ Common Files \ Symantec Shared \ ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C: \ Program Files \ Common Files \ Symantec Shared \ ccSetMgr.exe
O23 - Service: CentennialClientAgent - Centennial Software Limited - C: \ Centenn.ial \ Audit \ CAgent32.exe
O23 - Service: CentennialIPTransferAgent - Centennial Software Limited - C: \ Centenn.ial \ Audit \ xferwan.exe
O23 - Service: Client Update Service Novell (cusrvc) - Novell, Inc - C: \ WINDOWS \ system32 \ cusrvc.exe
O23 - Service: Cisco Systems, Inc VPN dienests (CVPND) - Cisco Systems, Inc - C: \ Program Files \ Cisco VPN klients \ cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C: \ Program Files \ Symantec AntiVirus \ DefWatch.exe
O23 - Service: Intel (R) ProSet / Wireless Event Log (EvtEng) - Intel Corporation - C: \ Program Files \ Intel \ Bezvadu \ Bin \ EvtEng.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C: \ WINDOWS \ system32 \ ibmpmsvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C: \ PROGRA ~ 1 \ Symantec \ LIVEUP ~ 1 \ LUCOMS ~ 1.EXE
O23 - Service: Intel (R) ProSet / Wireless Registry Service (RegSrvc) - Intel Corporation - C: \ Program Files \ Intel \ Bezvadu \ Bin \ RegSrvc.exe
O23 - Service: Intel (R) ProSet / Wireless dienests (S24EventMonitor) - Intel Corporation - C: \ Program Files \ Intel \ Bezvadu \ Bin \ S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - Symantec - C: \ Program Files \ Symantec AntiVirus \ SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C: \ Program Files \ Common Files \ Symantec Shared \ SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C: \ Program Files \ Common Files \ Symantec Shared \ SPBBC \ SPBBCSvc.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - C: \ Program Files \ LENOVO \ sistēmas atjaunināšanas \ suservice.exe
O23 - Service: Symantec Antivirus - Symantec Corporation - C: \ Program Files \ Symantec AntiVirus \ Rtvscan.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C: \ Program Files \ Common Files \ Lenovo \ tvt_reg_monitor_svc.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C: \ WINDOWS \ System32 \ TPHDEXLG.exe
O23 - Service: TVT plānotājs - Lenovo Group Limited - C: \ Program Files \ Common Files \ Lenovo \ plānotājs \ tvtsched.exe
O23 - Service: Symantec LiveState Agent for Windows (WControl) - Symantec Corporation - c: \ _integra \ bin \ ccmagent.exe
--
End of failu - 8.621 bytes

**evilfantasy** · #2 Septembris 21, 2008, 15:30

Lejupielādēt Malwarebytes "Anti-Malware (MBAM)

Veiciet dubultklikšķi uz mbam-setup.exe un sekojiet norādījumiem, lai instalētu programmu.
Gada beigās, pārliecinieties atzīmes atrodas blakus šādi:
- Update Malwarebytes "Anti-Malware
- Launch Malwarebytes "Anti-Malware
Pēc tam noklikšķiniet uz Apdare.
Ja atjaunināšana ir atrasts, tas lejupielādētu un instalētu jaunāko versiju.
Kad programma ir piekrauts, izvēlieties Veikt quick scan, Tad noklikšķiniet uz Scan.
Kad skenēšana ir pabeigta, noklikšķiniet uz OK, Tad Parādīt rezultātus apskatīt rezultātus.
Pārliecinieties, ka viss ir pārbaudīts, un noklikšķiniet uz Noņemt atlasīto.
Kad dezinfekcija ir pabeigta, log atvērsies Notepad un jums var tikt piedāvāts restartēt. (Skatīt Extra piezīmi)
Log tiek automātiski saglabāts ar MBAM un to var apskatīt, noklikšķinot Baļķi cilnē MBAM.
Kopēt un ielīmēt visu ziņojumu savā nākamajā atbildi.

Extra Piezīme: Ja MBAM sastopas failu, kas ir grūta, Jums tiks parādīts 1 of 2 uzvednes, noklikšķiniet uz Labi, lai nu un ļaujiet MBAM rīkoties ar dezinfekcijas procesu, ja prasīts restartēt datoru, lūdzu, dariet to nekavējoties.

nitingaur · #3 Septembris 21, 2008, 18:18

Nav malware atrasts, šeit ir ziņojums
-------------------------------------------------- ----
Windows 5.1.2600 Service Pack 2
9/21/2008 6:16:07
mbam-log-2008-09-21 (18-16-07). txt
Scan type: Quick Scan
Objekti skenēts: 52.621
Pagājušo laiku: 4 minūte (s), 41 second (s)
Memory Processes Inficētie: 0
Memory Modules Inficētie: 0
Registry Keys Inficētie: 0
Reģistra vērtības Inficētie: 0
Registry Data Items Infected: 0
Mapes Inficētie: 0
Faili Inficētie: 0
Atmiņas procesi Inficētie:
(No ļaunprātīgs preces konstatētas)
Memory Modules Inficētie:
(No ļaunprātīgs preces konstatētas)
Registry Keys Inficētie:
(No ļaunprātīgs preces konstatētas)
Reģistra vērtības Inficētie:
(No ļaunprātīgs preces konstatētas)
Registry Data Items Infected:
(No ļaunprātīgs preces konstatētas)
Mapes Inficētie:
(No ļaunprātīgs preces konstatētas)
Faili Inficētie:
(No ļaunprātīgs preces konstatētas)

**evilfantasy** · #4 Septembris 21, 2008, 18:40

Nav malware rāda ne žurnālu.

Kas īsti notiek?

nitingaur · #5 Septembris 21, 2008, 19:23

Multiple IEXPLORER.EXE procesu spwaning procesā sarakstā. Tās nekavējoties pop up, ja es nogalināt tos pa vienam. Dažreiz es arī uzklausīt dažus, piemēram, viens no tiem darbojas jebkura pārlūka logā, bet nav redzams skaņas. Tur noteikti ir nepareizi, tās nedrīkst pastāvēt.

**evilfantasy** · #6 Septembris 21, 2008, 19:26

Download ComboFix by subs no vienas no saitēm. Pārliecinieties top saglabājiet to Desktop.

Link # 1
Link # 2

** Piezīme: Ir svarīgi, ka tā ir saglabāta tieši jūsu Desktop

Aizveriet visas atvērtās interneta pārlūkprogrammas. (Firefox, Internet Explorer uc) pirms uzsākt ComboFix.

Laiku sakropļot jūsu antivīruss, Un jebkuru antispyware reāllaika aizsardzību pirms veic skenēšanu. Click šo saiti redzēt sarakstu drošības programmas, kas ir invalīdi un to, kā pārtraukt to darbību.

Dubultklikšķi combofix.exe un sekojiet norādījumiem.
Kad pabeigts ComboFix ražos log for you.
Post ComboFix log un jaunu HijackThis log Jūsu nākamo atbildi.

Svarīgi: Nav mouseclick ComboFix loga kamēr tas darbojas. Tas var izraisīt to apstāsies.

Atcerieties, ka jauna aktivizētu jūsu antivīrusu un antispyware aizsardzību, ja ComboFix ir pabeigta.

nitingaur · #7 Septembris 21, 2008, 19:42

ComboFix Log
-----------------------
ComboFix 08-09-20.05 - 012466 2008-09-21 19:31:50.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.473 [GMT -7:00]
Sākot no: C: \ Keanetools \ ComboFix.exe
* Izveido jaunu atjaunošanas punktu
WARNING, šī mašīna nav atkop Installed!
.
((((((((((((((((((((((((((((((((((((((( Citi Svītrojumi ))))))))) ))))))))))))))))))))))))))))))))))))))))
.
C: \ Documents and Settings \ LocalService \ Cookies \ system@ad.yieldmanag er [1]. Txt
C: \ WINDOWS \ system32 \ x64
.
((((((((((((((((((((((((((((((((((((((( Drivers / Pakalpojumi )))))))) )))))))))))))))))))))))))))))))))))))))))
.
------- \ Legacy_BHSRV
------- \ Service_BHsrv

((((((((((((((((((((((((( Faili Created no 2008/08/22 līdz 2008/09/22 ))))))))))) ))))))))))))))))))))
.
2008/09/21 18:09. 2008/09/21 18:10 <DIR> d -------- C: \ Program Files \ Malwarebytes "Anti-Malware
2008/09/21 18:09. 2008/09/21 18:09 <DIR> d -------- C: \ Documents and Settings \ All Users \ Application Data \ Malwarebytes
2008/09/21 18:09. 2008/09/21 18:09 <DIR> d -------- C: \ Documents and Settings \012.466 \ Application Data \ Malwarebytes
2008/09/21 18:09. 2008/09/10 00:04 38.528 - ------ C: \ WINDOWS \ system32 \ drivers \ mbamswissarmy.sys
2008/09/21 18:09. 2008/09/10 00:03 17.200 - ------ C: \ WINDOWS \ system32 \ drivers \ mbam.sys
2008/09/21 11:07. 2008/09/21 11:07 <DIR> d -------- C: \ Program Files \ Lavasoft
2008/09/21 11:07. 2008/09/21 11:08 <DIR> d -------- C: \ Documents and Settings \ All Users \ Application Data \ Lavasoft
2008/09/21 11:06. 2008/09/21 11:06 <DIR> d -------- C: \ Program Files \ Common Files \ Wise Installation Wizard
2008/09/20 23:40. 2008/09/20 23:40 <DIR> d -------- C: \ Program Files \ Trend Micro
2008/09/19 09:03. 2008/09/19 09:08 <DIR> d -------- C: \ WINDOWS \ SxsCaPendDel
2008/09/19 00:49. 2008/09/19 00:52 <DIR> d -------- C: \ Documents and Settings \012.466 \. Housecall6.6
2008/09/19 00:27. 2008/09/19 09:04 <DIR> da ------ C: \ Documents and Settings \ All Users \ Application Data \ TEMP
2008/09/18 20:25. 2002/02/04 06:22 1.230.336 - ------ C: \ WINDOWS \ system32 \ msxml4.dll
2008/09/18 20:25. 2007/09/14 05:01 922.920 --------- C: \ WINDOWS \ system32 \ ahlprun.exe
2008/09/18 20:25. 2002/02/04 06:13 82.432 - ------ C: \ WINDOWS \ system32 \ msxml4r.dll
2008/09/18 20:25. 2002/02/04 06:13 44.544 - ------ C: \ WINDOWS \ system32 \ msxml4a.dll
2008/09/18 20:25. 2002/02/07 18:43 9.679 - ------ C: \ WINDOWS \ system32 \ msxml4r.cat
2008/09/18 20:25. 2002/02/07 18:43 9.675 - ------ C: \ WINDOWS \ system32 \ msxml4.cat
2008/09/18 20:25. 2002/02/06 20:31 3.489 - ------ C: \ WINDOWS \ system32 \ msxml4.Manifest
2008/09/18 20:25. 2002/02/06 20:31 500 - ------ C: \ WINDOWS \ system32 \ msxml4r.Manifest
2008/09/18 20:21. 2008/09/18 20:21 <DIR> d -------- C: \ Program Files \ Common Files \ Lenovo
2008/09/18 18:27. 2008/09/21 11:54 21.272 - ------ C: \ WINDOWS \ system32 \ bynpea.key
2008/09/18 18:25. 2008/09/18 18:25 1 - ------ C: \ WINDOWS \ system32 \004fdb9.imi
2008/09/15 14:23. 2008/09/15 14:23 332.800 --- hs ---- C: \ WINDOWS \ system32 \ _Bhsrv.msi
2008/09/15 12:15. 2008/09/18 15:57 69.942 - ------ C: \ WINDOWS \ system32 \ rrjack.key
2008/09/15 12:15. 2008/09/15 12:15 1 - ------ C: \ WINDOWS \ system32 \0048444.imi
2008/09/13 19:27. 2008/09/13 19:27 24 - ------ C: \ WINDOWS \ cdplayer.ini
2008/09/13 19:26. 2008/09/13 19:26 <DIR> d -------- C: \ Program Files \ Real
2008/09/13 19:26. 2008/09/13 19:26 <DIR> d -------- C: \ Program Files \ Common Files \ xing dalītas
2008/09/13 19:26. 2008/09/13 19:26 <DIR> d -------- C: \ Program Files \ Common Files \ Real
.
(((((((((((((((((((((((((((((((((((((((( Find3M Ziņojums )))))))) ))))))))))))))))))))))))))))))))))))))))))))
.
2008/09/22 02:33 --------- d ----- w C: \ Program Files \ Symantec AntiVirus
2008/09/22 02:33 --------- d ----- w C: \ Program Files \ Cisco VPN klients
2008/09/21 18:56 16 - SH - R c: \ MSCIOTL.SYS
2008/09/21 18:55 8.416 ---- aw C: \ WINDOWS \ system32 \ drivers \ CDProbe.SYS
2008/09/20 19:26 430.816 - sh - w C: \ Program Files \ _MsInfo.msi
2008/09/19 03:25 --------- d - h - w C: \ Program Files \ InstallShield Installation Information
2008/09/19 03:25 --------- d ----- w C: \ Program Files \ ThinkVantage
2008/09/19 03:21 --------- d ----- w C: \ Program Files \ Lenovo
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))) ))))))))))))))))))))))))))))))))))))))))
.
.
* Piezīme * tukši ieraksti & legit default ieraksti netiek parādīti
REGEDIT4
[HKEY_CURRENT_USER \ SOFTWARE \ Microsoft \ Windows \ Curre ntVersion \ Run]
"ctfmon.exe" = "C: \ WINDOWS \ system32 \ ctfmon.exe" [2004/08/04 15.360]
"Yahoo! Pager" = "C: \ Program Files \ Yahoo! \ Messenger \ YahooMessenger.exe" [2007/08/30 4.670.704]
[HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ Curr entVersion \ Run]
"IgfxTray" = "C: \ WINDOWS \ system32 \ igfxtray.exe" [2007/08/15 141.848]
"HotKeysCmds" = "C: \ WINDOWS \ system32 \ hkcmd.exe" [2007/08/15 162.328]
"Noturība" = "C: \ WINDOWS \ system32 \ igfxpers.ex e" [2007/08/15 137.752]
"ccApp" = "C: \ Program Files \ Common Files \ Symantec Shared \ ccApp.exe" [2006/03/24 53.408]
"vptray" = "C: \ PROGRA ~ 1 \ SYMANT ~ 1 \ VPTray.exe" [2006/06/14 124.656]
"TPHOTKEY" = "C: \ Program Files \ Lenovo \ Hotkey \ TPOSDSVC.exe" [2007/03/09 66.176]
"UpdateManager" = "C: \ Program Files \ Common Files \ Sonic \ Update Manager \ sgtray.exe" [2003/08/18 110.592]
"dla" = "C: \ WINDOWS \ system32 \ dla \ tfswctrl.exe" [2005/05/19 127.037]
"EZEJMNAP" = "C: \ PROGRA ~ 1 \ ThinkPad \ UTILIT ~ 1 \ EzEjMnAp. Exe" [2007/04/26 243.248]
"LPManager" = "C: \ PROGRA ~ 1 \ THINKV ~ 1 \ PrdCtr \ LPMGR.exe" [2007/03/22 120.368]
"TVT plānotājs Proxy" = "C: \ Program Files \ Common Files \ Lenovo \ plānotājs \ scheduler_proxy.exe" [2008/03/04 487.424]
"TkBellExe" = "C: \ Program Files \ Common Files \ Real \ Update_OB \ realsched.exe" [2008/09/13 185.896]
"TrackPointSrv" = "tp4mon.exe" [2004/08/03 C: \ WINDOWS \ system32 \ tp4mon.exe]
"NWTRAY" = "NWTRAY.EXE" [2002/03/12 C: \ WINDOWS \ system32 \ nwtray.exe]
"TpShocks" = "TpShocks.exe" [2007/03/29 C: \ WINDOWS \ system32 \ TpShocks.exe]
[HKEY_USERS \. DEFAULT \ Software \ Microsoft \ Windows \ Cur rentVersion \ Run]
"Communicator" = "C: \ Program Files \ Microsoft Office Communicator \ Communicator.exe" [2005/05/12 4.167.376]
[HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ Curr entversion \ Policies \ SYSTEM]
"CompatibleRUPSecurity" = 1 (0x1)
[HKEY_USERS \. Default \ Software \ Microsoft \ Windows \ cur rentversion \ Policies \ Explorer]
"StartMenuLogOff" = 1 (0x1)
[HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows NT \ CurrentVersion \ Winlogon \ paziņot \ tpfnf2]
2006/09/06 13:37 34.344 C: \ Program Files \ Lenovo \ Hotkey \ notifyf2.dll
[HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows NT \ CurrentVersion \ Winlogon \ paziņot \ tphotkey]
2006/12/14 08:06 28.672 C: \ Program Files \ Lenovo \ Hotkey \ tphklock.dll
[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ contro l \ LSA]
Autentifikācijas Packages REG_MULTI_SZ msv1_0 nwv1_0
[HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Security center \ Monitoring \ SymantecAntiVirus]
"DisableMonitoring" = DWORD: 00000001
[HKLM \ ~ \ Services \ sharedaccess \ Parameters \ firewallpo licy \ standardprofile \ AuthorizedApplications \ List]
"% windir% \ \ system32 \ \ sessmgr.exe" =
"C: \ \ Program Files \ \ Yahoo! \ \ Messenger \ \ YahooMessenger.exe" =
"C: \ \ Program Files \ \ Yahoo! \ \ Messenger \ \ YServer.exe" =
R0 Shockprf; Shockprf, C: \ WINDOWS \ system32 \ drivers \ Apsx 86.sys [2007/03/02 100.656]
R0 TPDIGIMN; TPDIGIMN, C: \ WINDOWS \ system32 \ drivers \ ApsH M86.sys [2007/03/02 19.760]
R2 smefs; SMEFileSystem, C: \ WINDOWS \ system32 \ drivers \ sm efs.sys [2006/02/08 20.508]
R3 CdProbe; CdProbe, C: \ WINDOWS \ system32 \ drivers \ cdprob e.sys [2008/09/21 8.416]
R3 smedrv; SMEDriver, C: \ WINDOWS \ system32 \ drivers \ smedr v.sys [2006/02/08 9.516]
S2 AppMgSvc; Application Management Service, C: \ Program Files \ Common Files \ Microsoft Shared \ MSINFO \ MsInfo.msi [2008/09/20 430.816]
S2 yraebbgi; yraebbgi, C: \ WINDOWS \ system32 \ drivers \ bynp ea.sys []
S2 yrtxzgwh; yrtxzgwh, C: \ WINDOWS \ system32 \ drivers \ rrja ck.sys []
[HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows NT \ CurrentVersion \ svchost]
wrtxzg REG_MULTI_SZ wrtxzg
nraebb REG_MULTI_SZ nraebb
.
.
------- Papildu Scan -------
.
R0 -: HKCU-Main, Start Page = hxxp: / / www.google.com/
Ø8 -: E & ksportēt uz Microsoft Excel - C: \ PROGRA ~ 1 \ Micros ~ 2 \ Office11 \ EXCEL.EXE/3000
.
************************************************** ************************
catchme 0.3.1361 W2K/XP/Vista - rootkit / Stealth malware detektoru, ar Gmer, http://www.gmer.net
Rootkit scan 2008/09/21 19:35:12
Windows 5.1.2600 Service Pack 2 NTFS
skenēšana slēptās procesi ...
skenēšana slēptās palaišana ieraksti ...
skenēšana slēptos failus ...
scan sekmīgi pabeigta
slēptos failus: 0
************************************************** ************************
[HKEY_LOCAL_MACHINE \ System \ ControlSet001 \ Services \ ppMgSvc]
"ImagePath" = "C: \ Program Files \ Common Files \ Microsoft Shared \ MSINFO \ MsInfo.msi"
.
--------------------- DLL Loaded Under Running Processes ---------------------
PROCESS: C: \ WINDOWS \ system32 \ winlogon.exe
-> C: \ Program Files \ Lenovo \ Hotkey \ tphklock.dll
.
------------------------ Citi Running Processes ----------------------- --
.
C: \ WINDOWS \ system32 \ ibmpmsvc.exe
C: \ Program Files \ Intel \ Bezvadu \ Bin \ S24EvMon.exe
C: \ Program Files \ Common Files \ Symantec Shared \ ccSetMgr.exe
C: \ Program Files \ Common Files \ Symantec Shared \ ccEvtMgr.exe
C: \ Program Files \ Common Files \ Symantec Shared \ SPBBC \ SPBBCSvc.exe
C: \ Program Files \ Lavasoft \ Ad-Aware \ aawservice.exe
C: \ _integra \ bin \ shstart.exe
C: \ WINDOWS \ system32 \ igfxsrvc.exe
C: \ Program Files \ Lenovo \ Hotkey \ TPONSCR.exe
C: \ Program Files \ Lenovo \ ZOOM \ TpScrex.exe
C: \ Program Files \ Symantec AntiVirus \ DoScan.exe
C: \ Program Files \ Internet Explorer \ iexplore.exe
C: \ CENTENN.IAL \ AUDIT \ CAgent32.exe
C: \ CENTENN.IAL \ AUDIT \ xferwan.exe
C: \ Program Files \ Cisco VPN klients \ cvpnd.exe
C: \ Program Files \ Symantec AntiVirus \ DefWatch.exe
C: \ Program Files \ Intel \ Bezvadu \ Bin \ EvtEng.exe
C: \ Program Files \ Common Files \ Microsoft Shared \ VS7DEBUG \ MDM.EXE
C: \ Program Files \ Intel \ Bezvadu \ Bin \ RegSrvc.exe
C: \ Program Files \ Yahoo! \ Messenger \ Ymsgr_tray.exe
C: \ WINDOWS \ system32 \ calc.exe
C: \ Program Files \ Symantec AntiVirus \ SavRoam.exe
C: \ Program Files \ Symantec AntiVirus \ Rtvscan.exe
C: \ Program Files \ Common Files \ Lenovo \ tvt_reg_monitor_svc.exe
C: \ WINDOWS \ system32 \ TPHDEXLG.exe
C: \ Program Files \ Common Files \ Lenovo \ plānotājs \ tvtsched.exe
C: \ _integra \ bin \ ccmagent.exe
C: \ Program Files \ Lenovo \ System Update \ SUService.exe
C: \ WINDOWS \ system32 \ wscntfy.exe
C: \ ComboFix \ pv.cfexe
.
************************************************** ************************
.
Izpildes laiks: 2008-09-21 19:36:58 - mašīna bija rebooted
ComboFix-karantīnā-files.txt 2008/09/22 02:36:54
Pre-Run: 64333811712 bytes free
Post-Run: 64523264000 bytes free
175

HijackThis Log
-----------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saglabāts 7:38:41 gada 9/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running procesiem:
C: \ WINDOWS \ System32 \ Smss.exe
C: \ WINDOWS \ system32 \ winlogon.exe
C: \ WINDOWS \ system32 \ services.exe
C: \ WINDOWS \ system32 \ lsass.exe
C: \ WINDOWS \ system32 \ ibmpmsvc.exe
C: \ WINDOWS \ system32 \ svchost.exe
C: \ Program Files \ Intel \ Bezvadu \ Bin \ S24EvMon.exe
C: \ WINDOWS \ system32 \ svchost.exe
C: \ Program Files \ Common Files \ Symantec Shared \ ccSetMgr.exe
C: \ Program Files \ Common Files \ Symantec Shared \ ccEvtMgr.exe
C: \ Program Files \ Common Files \ Symantec Shared \ SPBBC \ SPBBCSvc.exe
C: \ Program Files \ Lavasoft \ Ad-Aware \ aawservice.exe
C: \ WINDOWS \ system32 \ Spoolsv.exe
c: \ _integra \ bin \ shstart.exe
C: \ WINDOWS \ system32 \ tp4mon.exe
C: \ WINDOWS \ system32 \ igfxtray.exe
C: \ WINDOWS \ system32 \ hkcmd.exe
C: \ WINDOWS \ system32 \ igfxpers.exe
C: \ WINDOWS \ system32 \ NWTRAY.EXE
C: \ Program Files \ Common Files \ Symantec Shared \ ccApp.exe
C: \ PROGRA ~ 1 \ SYMANT ~ 1 \ VPTray.exe
C: \ WINDOWS \ system32 \ igfxsrvc.exe
C: \ Program Files \ Lenovo \ Hotkey \ TPOSDSVC.exe
C: \ WINDOWS \ system32 \ dla \ tfswctrl.exe
C: \ PROGRA ~ 1 \ ThinkPad \ UTILIT ~ 1 \ EzEjMnAp.Exe
C: \ Program Files \ Lenovo \ Hotkey \ TPONSCR.exe
C: \ Program Files \ Lenovo \ Zoom \ TpScrex.exe
C: \ PROGRA ~ 1 \ THINKV ~ 1 \ PrdCtr \ LPMGR.exe
C: \ WINDOWS \ system32 \ TpShocks.exe
C: \ Program Files \ Common Files \ Lenovo \ plānotājs \ scheduler_proxy.exe
C: \ Program Files \ Common Files \ Real \ Update_OB \ realsched.exe
C: \ WINDOWS \ system32 \ ctfmon.exe
C: \ Program Files \ Internet Explorer \ iexplore.exe
C: \ WINDOWS \ system32 \ svchost.exe
C: \ Centenn.ial \ Audit \ CAgent32.exe
C: \ Centenn.ial \ Audit \ xferwan.exe
C: \ Program Files \ Cisco VPN klients \ cvpnd.exe
C: \ Program Files \ Symantec AntiVirus \ DefWatch.exe
C: \ Program Files \ Intel \ Bezvadu \ Bin \ EvtEng.exe
C: \ Program Files \ Common Files \ Microsoft Shared \ VS7DEBUG \ MDM.EXE
C: \ Program Files \ Intel \ Bezvadu \ Bin \ RegSrvc.exe
C: \ Program Files \ Yahoo! \ Messenger \ ymsgr_tray.exe
C: \ WINDOWS \ system32 \ calc.exe
C: \ Program Files \ Symantec AntiVirus \ SavRoam.exe
C: \ Program Files \ Symantec AntiVirus \ Rtvscan.exe
C: \ Program Files \ Common Files \ Lenovo \ tvt_reg_monitor_svc.exe
C: \ WINDOWS \ System32 \ TPHDEXLG.exe
C: \ Program Files \ Common Files \ Lenovo \ plānotājs \ tvtsched.exe
c: \ _integra \ bin \ ccmagent.exe
c: \ Program Files \ LENOVO \ sistēmas atjaunināšanas \ suservice.exe
C: \ WINDOWS \ system32 \ wscntfy.exe
C: \ WINDOWS \ system32 \ wuauclt.exe
C: \ WINDOWS \ system32 \ wuauclt.exe
C: \ Windows \ Explorer.exe
C: \ Program Files \ Trend Micro \ HijackThis \ HijackThis.exe
R1 - HKLM \ Software \ Microsoft \ Internet Explorer \ Main, Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM \ Software \ Microsoft \ Internet Explorer \ Main, Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM \ Software \ Microsoft \ Internet Explorer \ Main, Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - (06849E9F-C8D7-4D59-B87D-784B7D6BE0B3) - C: \ Program Files \ Adobe \ Acrobat 7,0 \ ActiveX \ AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - (5CA3D70E-1895-11CF-8E15-001234567890) - C: \ WINDOWS \ system32 \ dla \ tfswshx.dll
O4 - HKLM \ .. \ Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM \ .. \ Run: [IgfxTray] C: \ WINDOWS \ system32 \ igfxtray.exe
O4 - HKLM \ .. \ Run: [HotKeysCmds] C: \ WINDOWS \ system32 \ hkcmd.exe
O4 - HKLM \ .. \ Run: [noturīgums] C: \ WINDOWS \ system32 \ igfxpers.exe
O4 - HKLM \ .. \ Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM \ .. \ Run: [ccApp] "C: \ Program Files \ Common Files \ Symantec Shared \ ccApp.exe"
O4 - HKLM \ .. \ Run: [vptray] C: \ PROGRA ~ 1 \ SYMANT ~ 1 \ VPTray.exe
O4 - HKLM \ .. \ Run: [TPHOTKEY] C: \ Program Files \ Lenovo \ Hotkey \ TPOSDSVC.exe
O4 - HKLM \ .. \ Run: [UpdateManager] "C: \ Program Files \ Common Files \ Sonic \ Update Manager \ sgtray.exe" / r
O4 - HKLM \ .. \ Run: [dla] C: \ WINDOWS \ system32 \ dla \ tfswctrl.exe
O4 - HKLM \ .. \ Run: [EZEJMNAP] C: \ PROGRA ~ 1 \ ThinkPad \ UTILIT ~ 1 \ EzEjMnAp.Exe
O4 - HKLM \ .. \ Run: [LPManager] C: \ PROGRA ~ 1 \ THINKV ~ 1 \ PrdCtr \ LPMGR.exe
O4 - HKLM \ .. \ Run: [TpShocks] TpShocks.exe
O4 - HKLM \ .. \ Run: [TVT plānotājs Proxy] C: \ Program Files \ Common Files \ Lenovo \ plānotājs \ scheduler_proxy.exe
O4 - HKLM \ .. \ Run: [TkBellExe] "C: \ Program Files \ Common Files \ Real \ Update_OB \ realsched.exe"-osboot
O4 - HKCU \ .. \ Run: [ctfmon.exe] C: \ WINDOWS \ system32 \ ctfmon.exe
O4 - HKCU \ .. \ Run: [Yahoo! Peidžeri] "C: \ Program Files \ Yahoo! \ Messenger \ YahooMessenger.exe"-kluss
O4 - HKUS \ S-1-5-19 \ .. \ Run: [Communicator] "C: \ Program Files \ Microsoft Office Communicator \ Communicator.exe" (User 'LOCAL SERVICE')
O4 - HKUS \ S-1-5-20 \ .. \ Run: [Communicator] "C: \ Program Files \ Microsoft Office Communicator \ Communicator.exe" (User 'NETWORK SERVICE')
O4 - HKUS \ S-1-5-18 \ .. \ Run: [Communicator] "C: \ Program Files \ Microsoft Office Communicator \ Communicator.exe" (User "SISTĒMA")
O4 - HKUS \. DEFAULT \ .. \ Run: [Communicator] "C: \ Program Files \ Microsoft Office Communicator \ Communicator.exe" (User 'Default user')
Ø8 - ārpus konteksta menu item: E & ksportēt uz Microsoft Excel - res: / / C: \ PROGRA ~ 1 \ Micros ~ 2 \ Office11 \ EXCEL.EXE/3000
Ø9 - Extra button: Research - (92780B25-18CC-41C8-B9BE-3C9C571A8263) - C: \ PROGRA ~ 1 \ Micros ~ 2 \ Office11 \ REFIEBAR.DLL
Ø9 - Extra button: @ C: \ Program Files \ Messenger \ Msgslang.dll, -61.144 - (FB5F1910-F110-11d2-BB9E-00C04F795683) - C: \ Program Files \ Messenger \ msmsgs.exe
Ø9 - Extra 'Tools' MENUITEM: @ C: \ Program Files \ Messenger \ Msgslang.dll, -61.144 - (FB5F1910-F110-11d2-BB9E-00C04F795683) - C: \ Program Files \ Messenger \ msmsgs.exe
Ø16 - DPF: (215B8138-A3CF-44C5-803F-8226143CFC0A) (Trend Micro ActiveX Scan Agent 6.6) -- http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
Ø17 - HKLM \ System \ CCS \ Services \ Tcpip \ .. \ (B8E7B489-2160-4DE7-B592-9FD03D16CC74): Domain = keane.com
Ø17 - HKLM \ System \ CCS \ Services \ Tcpip \ .. \ (D239A412-22C2-4.683-95BC-1FFAA687D0DF): NameServer = 172.21.18.101,172.21.18.102
O23 - Service: Lavasoft Ad-Aware dienests (aawservice) - Lavasoft - C: \ Program Files \ Lavasoft \ Ad-Aware \ aawservice.exe
O23 - Service: Application Management Service (AppMgSvc) - Unknown īpašnieks - C: \ Program.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C: \ Program Files \ Common Files \ Symantec Shared \ ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C: \ Program Files \ Common Files \ Symantec Shared \ ccSetMgr.exe
O23 - Service: CentennialClientAgent - Centennial Software Limited - C: \ Centenn.ial \ Audit \ CAgent32.exe
O23 - Service: CentennialIPTransferAgent - Centennial Software Limited - C: \ Centenn.ial \ Audit \ xferwan.exe
O23 - Service: Client Update Service Novell (cusrvc) - Novell, Inc - C: \ WINDOWS \ system32 \ cusrvc.exe
O23 - Service: Cisco Systems, Inc VPN dienests (CVPND) - Cisco Systems, Inc - C: \ Program Files \ Cisco VPN klients \ cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C: \ Program Files \ Symantec AntiVirus \ DefWatch.exe
O23 - Service: Intel (R) ProSet / Wireless Event Log (EvtEng) - Intel Corporation - C: \ Program Files \ Intel \ Bezvadu \ Bin \ EvtEng.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C: \ WINDOWS \ system32 \ ibmpmsvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C: \ PROGRA ~ 1 \ Symantec \ LIVEUP ~ 1 \ LUCOMS ~ 1.EXE
O23 - Service: Intel (R) ProSet / Wireless Registry Service (RegSrvc) - Intel Corporation - C: \ Program Files \ Intel \ Bezvadu \ Bin \ RegSrvc.exe
O23 - Service: Intel (R) ProSet / Wireless dienests (S24EventMonitor) - Intel Corporation - C: \ Program Files \ Intel \ Bezvadu \ Bin \ S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - Symantec - C: \ Program Files \ Symantec AntiVirus \ SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C: \ Program Files \ Common Files \ Symantec Shared \ SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C: \ Program Files \ Common Files \ Symantec Shared \ SPBBC \ SPBBCSvc.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - C: \ Program Files \ LENOVO \ sistēmas atjaunināšanas \ suservice.exe
O23 - Service: Symantec Antivirus - Symantec Corporation - C: \ Program Files \ Symantec AntiVirus \ Rtvscan.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C: \ Program Files \ Common Files \ Lenovo \ tvt_reg_monitor_svc.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C: \ WINDOWS \ System32 \ TPHDEXLG.exe
O23 - Service: TVT plānotājs - Lenovo Group Limited - C: \ Program Files \ Common Files \ Lenovo \ plānotājs \ tvtsched.exe
O23 - Service: Symantec LiveState Agent for Windows (WControl) - Symantec Corporation - c: \ _integra \ bin \ ccmagent.exe
--
End of failu - 8.581 bytes

**evilfantasy** · #8 Septembris 21, 2008, 21:24

Piezīme: Instrukcijas turpmāk tika izveidota speciāli šim lietotājam. Ja Jums nav šī lietotāja, DO NOT ievērojiet šos norādījumus, jo tie varētu kaitēt jūsu sistēmas darbības principus

Izdzēst šos failus / mapes, tas ir:

1. Doties uz Sākums > Skriet > Type Notepad.exe un noklikšķiniet uz OK atvērt Notepad.
Tas vajag ir Notepad, nevis Wordpad.
2. Kopēt tekstu tālāk kodu ailē, uzsverot visu tekstu un nospiediet Ctrl + C

Kods:

Killall:: Driver:: BHSRV BHsrv File: C: \ WINDOWS \ system32 \ bynpea.key C: \ WINDOWS \ system32 \ 004fdb9.imi C: \ WINDOWS \ system32 \ _Bhsrv.msi C: \ WINDOWS \ system32 \ rrjack. taustiņu C: \ WINDOWS \ system32 \ 0048444.imi C: \ WINDOWS \ system32 \ drivers \ bynpea.sys C: \ WINDOWS \ system32 \ drivers \ rrjack.sys C: \ WINDOWS \ system32 \ calc.exe

3. Go to Notepad logu un noklikšķiniet uz Rediģēt > Ielīmēt
4. Pēc tam noklikšķiniet uz Fails > Glābt
5. Nosaukums failu CFScript.txt - Saglabāt failu darbvirsmā
6. Velciet CFScript (turiet peles kreiso pogu un velkot failu) un nometiet to (izlaide peles kreiso pogu) pārnes ComboFix.exe kā redzat attēlā zemāk. Svarīgi: Veic šo instrukciju uzmanīgi!

ComboFix sāks izpildīt, vienkārši sekojiet instrukcijām.
Pēc reboot (ja tā lūdz atsāknēšana), tā sagatavos log for you.
Post (Combofix.txt), kas ieiet jūsu nākamo atbildi.

Piezīme: Nav mouseclick ComboFix loga kamēr tas darbojas. Tas var izraisīt sistēmas iesaldēt

nitingaur · #9 Septembris 21, 2008, 22:20

ComboFix log pēc darbības CFSCript
-------------------------------------------------- --------
ComboFix 08-09-20.05 - 012466 2008-09-21 22:11:45.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.598 [GMT -7:00]
Sākot no: C: \ Keanetools \ ComboFix.exe
Komandu slēdžus izmanto:: C: \ Documents and Settings \012.466 \ Desktop \ CFScript.txt
* Izveido jaunu atjaunošanas punktu
WARNING, šī mašīna nav atkop Installed!
ATTĒLS:
C: \ WINDOWS \ system32 \ _Bhsrv.msi
C: \ WINDOWS \ system32 \0048444.imi
C: \ WINDOWS \ system32 \004fdb9.imi
C: \ WINDOWS \ system32 \ bynpea.key
C: \ WINDOWS \ system32 \ calc.exe
C: \ WINDOWS \ system32 \ drivers \ bynpea.sys
C: \ WINDOWS \ system32 \ drivers \ rrjack.sys
C: \ WINDOWS \ system32 \ rrjack.key
.
((((((((((((((((((((((((((((((((((((((( Citi Svītrojumi ))))))))) ))))))))))))))))))))))))))))))))))))))))
.
C: \ WINDOWS \ system32 \ _Bhsrv.msi
C: \ WINDOWS \ system32 \0048444.imi
C: \ WINDOWS \ system32 \004fdb9.imi
C: \ WINDOWS \ system32 \ bynpea.key
C: \ WINDOWS \ system32 \ calc.exe
C: \ WINDOWS \ system32 \ rrjack.key
.
((((((((((((((((((((((((( Faili Created no 2008/08/22 līdz 2008/09/22 ))))))))))) ))))))))))))))))))))
.
2008/09/21 18:09. 2008/09/21 18:10 <DIR> d -------- C: \ Program Files \ Malwarebytes "Anti-Malware
2008/09/21 18:09. 2008/09/21 18:09 <DIR> d -------- C: \ Documents and Settings \ All Users \ Application Data \ Malwarebytes
2008/09/21 18:09. 2008/09/21 18:09 <DIR> d -------- C: \ Documents and Settings \012.466 \ Application Data \ Malwarebytes
2008/09/21 18:09. 2008/09/10 00:04 38.528 - ------ C: \ WINDOWS \ system32 \ drivers \ mbamswissarmy.sys
2008/09/21 18:09. 2008/09/10 00:03 17.200 - ------ C: \ WINDOWS \ system32 \ drivers \ mbam.sys
2008/09/21 11:07. 2008/09/21 11:07 <DIR> d -------- C: \ Program Files \ Lavasoft
2008/09/21 11:07. 2008/09/21 11:08 <DIR> d -------- C: \ Documents and Settings \ All Users \ Application Data \ Lavasoft
2008/09/21 11:06. 2008/09/21 11:06 <DIR> d -------- C: \ Program Files \ Common Files \ Wise Installation Wizard
2008/09/20 23:40. 2008/09/20 23:40 <DIR> d -------- C: \ Program Files \ Trend Micro
2008/09/19 09:03. 2008/09/19 09:08 <DIR> d -------- C: \ WINDOWS \ SxsCaPendDel
2008/09/19 00:49. 2008/09/19 00:52 <DIR> d -------- C: \ Documents and Settings \012.466 \. Housecall6.6
2008/09/19 00:27. 2008/09/19 09:04 <DIR> da ------ C: \ Documents and Settings \ All Users \ Application Data \ TEMP
2008/09/18 20:25. 2002/02/04 06:22 1.230.336 - ------ C: \ WINDOWS \ system32 \ msxml4.dll
2008/09/18 20:25. 2007/09/14 05:01 922.920 --------- C: \ WINDOWS \ system32 \ ahlprun.exe
2008/09/18 20:25. 2002/02/04 06:13 82.432 - ------ C: \ WINDOWS \ system32 \ msxml4r.dll
2008/09/18 20:25. 2002/02/04 06:13 44.544 - ------ C: \ WINDOWS \ system32 \ msxml4a.dll
2008/09/18 20:25. 2002/02/07 18:43 9.679 - ------ C: \ WINDOWS \ system32 \ msxml4r.cat
2008/09/18 20:25. 2002/02/07 18:43 9.675 - ------ C: \ WINDOWS \ system32 \ msxml4.cat
2008/09/18 20:25. 2002/02/06 20:31 3.489 - ------ C: \ WINDOWS \ system32 \ msxml4.Manifest
2008/09/18 20:25. 2002/02/06 20:31 500 - ------ C: \ WINDOWS \ system32 \ msxml4r.Manifest
2008/09/18 20:21. 2008/09/18 20:21 <DIR> d -------- C: \ Program Files \ Common Files \ Lenovo
2008/09/13 19:27. 2008/09/13 19:27 24 - ------ C: \ WINDOWS \ cdplayer.ini
2008/09/13 19:26. 2008/09/13 19:26 <DIR> d -------- C: \ Program Files \ Real
2008/09/13 19:26. 2008/09/13 19:26 <DIR> d -------- C: \ Program Files \ Common Files \ xing dalītas
2008/09/13 19:26. 2008/09/13 19:26 <DIR> d -------- C: \ Program Files \ Common Files \ Real
.
(((((((((((((((((((((((((((((((((((((((( Find3M Ziņojums )))))))) ))))))))))))))))))))))))))))))))))))))))))))
.
2008/09/22 05:14 8.416 ---- aw C: \ WINDOWS \ system32 \ drivers \ CDProbe.SYS
2008/09/22 05:14 16 - SH - R c: \ MSCIOTL.SYS
2008/09/22 05:14 --------- d ----- w C: \ Program Files \ Symantec AntiVirus
2008/09/22 03:07 --------- d ----- w C: \ Program Files \ Cisco VPN klients
2008/09/20 19:26 430.816 - sh - w C: \ Program Files \ _MsInfo.msi
2008/09/19 03:25 --------- d - h - w C: \ Program Files \ InstallShield Installation Information
2008/09/19 03:25 --------- d ----- w C: \ Program Files \ ThinkVantage
2008/09/19 03:21 --------- d ----- w C: \ Program Files \ Lenovo
.
((((((((((((((((((((((((((((( Snapshot@2008-09-21_19.36.38.64 )))))))))) )))))))))))))))))))))))))))))))
.
- 2008/09/21 18:59:45 71.370 ---- aw C: \ WINDOWS \ system32 \ perfc009.dat
+ 2008/09/22 02:39:43 71.370 ---- aw C: \ WINDOWS \ system32 \ perfc009.dat
- 2008/09/21 18:59:45 439.832 ---- aw C: \ WINDOWS \ system32 \ perfh009.dat
+ 2008/09/22 02:39:43 439.832 ---- aw C: \ WINDOWS \ system32 \ perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))) ))))))))))))))))))))))))))))))))))))))))
.
.
* Piezīme * tukši ieraksti & legit default ieraksti netiek parādīti
REGEDIT4
[HKEY_CURRENT_USER \ SOFTWARE \ Microsoft \ Windows \ Curre ntVersion \ Run]
"ctfmon.exe" = "C: \ WINDOWS \ system32 \ ctfmon.exe" [2004/08/04 15.360]
"Yahoo! Pager" = "C: \ Program Files \ Yahoo! \ Messenger \ YahooMessenger.exe" [2007/08/30 4.670.704]
[HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ Curr entVersion \ Run]
"IgfxTray" = "C: \ WINDOWS \ system32 \ igfxtray.exe" [2007/08/15 141.848]
"HotKeysCmds" = "C: \ WINDOWS \ system32 \ hkcmd.exe" [2007/08/15 162.328]
"Noturība" = "C: \ WINDOWS \ system32 \ igfxpers.ex e" [2007/08/15 137.752]
"ccApp" = "C: \ Program Files \ Common Files \ Symantec Shared \ ccApp.exe" [2006/03/24 53.408]
"vptray" = "C: \ PROGRA ~ 1 \ SYMANT ~ 1 \ VPTray.exe" [2006/06/14 124.656]
"TPHOTKEY" = "C: \ Program Files \ Lenovo \ Hotkey \ TPOSDSVC.exe" [2007/03/09 66.176]
"UpdateManager" = "C: \ Program Files \ Common Files \ Sonic \ Update Manager \ sgtray.exe" [2003/08/18 110.592]
"dla" = "C: \ WINDOWS \ system32 \ dla \ tfswctrl.exe" [2005/05/19 127.037]
"EZEJMNAP" = "C: \ PROGRA ~ 1 \ ThinkPad \ UTILIT ~ 1 \ EzEjMnAp. Exe" [2007/04/26 243.248]
"LPManager" = "C: \ PROGRA ~ 1 \ THINKV ~ 1 \ PrdCtr \ LPMGR.exe" [2007/03/22 120.368]
"TVT plānotājs Proxy" = "C: \ Program Files \ Common Files \ Lenovo \ plānotājs \ scheduler_proxy.exe" [2008/03/04 487.424]
"TkBellExe" = "C: \ Program Files \ Common Files \ Real \ Update_OB \ realsched.exe" [2008/09/13 185.896]
"TrackPointSrv" = "tp4mon.exe" [2004/08/03 C: \ WINDOWS \ system32 \ tp4mon.exe]
"NWTRAY" = "NWTRAY.EXE" [2002/03/12 C: \ WINDOWS \ system32 \ nwtray.exe]
"TpShocks" = "TpShocks.exe" [2007/03/29 C: \ WINDOWS \ system32 \ TpShocks.exe]
[HKEY_USERS \. DEFAULT \ Software \ Microsoft \ Windows \ Cur rentVersion \ Run]
"Communicator" = "C: \ Program Files \ Microsoft Office Communicator \ Communicator.exe" [2005/05/12 4.167.376]
[HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ Curr entversion \ Policies \ SYSTEM]
"CompatibleRUPSecurity" = 1 (0x1)
[HKEY_USERS \. Default \ Software \ Microsoft \ Windows \ cur rentversion \ Policies \ Explorer]
"StartMenuLogOff" = 1 (0x1)
[HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows NT \ CurrentVersion \ Winlogon \ paziņot \ tpfnf2]
2006/09/06 13:37 34.344 C: \ Program Files \ Lenovo \ Hotkey \ notifyf2.dll
[HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows NT \ CurrentVersion \ Winlogon \ paziņot \ tphotkey]
2006/12/14 08:06 28.672 C: \ Program Files \ Lenovo \ Hotkey \ tphklock.dll
[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ contro l \ LSA]
Autentifikācijas Packages REG_MULTI_SZ msv1_0 nwv1_0
[HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Security center \ Monitoring \ SymantecAntiVirus]
"DisableMonitoring" = DWORD: 00000001
[HKLM \ ~ \ Services \ sharedaccess \ Parameters \ firewallpo licy \ standardprofile \ AuthorizedApplications \ List]
"% windir% \ \ system32 \ \ sessmgr.exe" =
"C: \ \ Program Files \ \ Yahoo! \ \ Messenger \ \ YahooMessenger.exe" =
"C: \ \ Program Files \ \ Yahoo! \ \ Messenger \ \ YServer.exe" =
R0 Shockprf; Shockprf, C: \ WINDOWS \ system32 \ drivers \ Apsx 86.sys [2007/03/02 100.656]
R0 TPDIGIMN; TPDIGIMN, C: \ WINDOWS \ system32 \ drivers \ ApsH M86.sys [2007/03/02 19.760]
R2 smefs; SMEFileSystem, C: \ WINDOWS \ system32 \ drivers \ sm efs.sys [2006/02/08 20.508]
R3 CdProbe; CdProbe, C: \ WINDOWS \ system32 \ drivers \ cdprob e.sys [2008/09/21 8.416]
R3 smedrv; SMEDriver, C: \ WINDOWS \ system32 \ drivers \ smedr v.sys [2006/02/08 9.516]
S2 AppMgSvc; Application Management Service, C: \ Program Files \ Common Files \ Microsoft Shared \ MSINFO \ MsInfo.msi [2008/09/20 430.816]
S2 yraebbgi; yraebbgi, C: \ WINDOWS \ system32 \ drivers \ bynp ea.sys []
S2 yrtxzgwh; yrtxzgwh, C: \ WINDOWS \ system32 \ drivers \ rrja ck.sys []
[HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows NT \ CurrentVersion \ svchost]
wrtxzg REG_MULTI_SZ wrtxzg
nraebb REG_MULTI_SZ nraebb
.
************************************************** ************************
catchme 0.3.1361 W2K/XP/Vista - rootkit / Stealth malware detektoru, ar Gmer, http://www.gmer.net
Rootkit scan 2008/09/21 22:16:04
Windows 5.1.2600 Service Pack 2 NTFS
skenēšana slēptās procesi ...
skenēšana slēptās palaišana ieraksti ...
skenēšana slēptos failus ...

C: \ WINDOWS \ system32 \ calc.exe
scan sekmīgi pabeigta
slēptos failus: 1
************************************************** ************************
[HKEY_LOCAL_MACHINE \ System \ ControlSet001 \ Services \ ppMgSvc]
"ImagePath" = "C: \ Program Files \ Common Files \ Microsoft Shared \ MSINFO \ MsInfo.msi"
.
--------------------- DLL Loaded Under Running Processes ---------------------
PROCESS: C: \ WINDOWS \ system32 \ winlogon.exe
-> C: \ Program Files \ Lenovo \ Hotkey \ tphklock.dll
.
------------------------ Citi Running Processes ----------------------- --
.
C: \ WINDOWS \ system32 \ ibmpmsvc.exe
C: \ Program Files \ Intel \ Bezvadu \ Bin \ S24EvMon.exe
C: \ Program Files \ Common Files \ Symantec Shared \ ccSetMgr.exe
C: \ Program Files \ Common Files \ Symantec Shared \ ccEvtMgr.exe
C: \ Program Files \ Common Files \ Symantec Shared \ SPBBC \ SPBBCSvc.exe
C: \ Program Files \ Lavasoft \ Ad-Aware \ aawservice.exe
C: \ Program Files \ Internet Explorer \ iexplore.exe
C: \ CENTENN.IAL \ AUDIT \ CAgent32.exe
C: \ CENTENN.IAL \ AUDIT \ xferwan.exe
C: \ Program Files \ Cisco VPN klients \ cvpnd.exe
C: \ Program Files \ Symantec AntiVirus \ DefWatch.exe
C: \ Program Files \ Intel \ Bezvadu \ Bin \ EvtEng.exe
C: \ Program Files \ Common Files \ Microsoft Shared \ VS7DEBUG \ MDM.EXE
C: \ Program Files \ Intel \ Bezvadu \ Bin \ RegSrvc.exe
C: \ Program Files \ Symantec AntiVirus \ SavRoam.exe
C: \ Program Files \ Symantec AntiVirus \ Rtvscan.exe
C: \ Program Files \ Common Files \ Lenovo \ tvt_reg_monitor_svc.exe
C: \ WINDOWS \ system32 \ TPHDEXLG.exe
C: \ Program Files \ Common Files \ Lenovo \ plānotājs \ tvtsched.exe
C: \ _integra \ bin \ ccmagent.exe
C: \ Program Files \ Lenovo \ System Update \ SUService.exe
C: \ _integra \ bin \ shstart.exe
C: \ WINDOWS \ system32 \ igfxsrvc.exe
C: \ Program Files \ Lenovo \ Hotkey \ TPONSCR.exe
C: \ Program Files \ Lenovo \ ZOOM \ TpScrex.exe
C: \ Program Files \ Symantec AntiVirus \ DoScan.exe
C: \ Program Files \ Yahoo! \ Messenger \ Ymsgr_tray.exe
C: \ ComboFix \ pv.cfexe
.
************************************************** ************************
.
Izpildes laiks: 2008-09-21 22:17:28 - mašīna bija rebooted
ComboFix-karantīnā-files.txt 2008/09/22 05:17:23
ComboFix2.txt 2008/09/22 02:36:59
Pre-Run: 64509464576 bytes free
Post-Run: 64505421824 bytes free
181

**evilfantasy** · #10 Septembris 21, 2008, 22:26

Lejupielādēt OTMoveIt2 ar oldtimerun saglabājiet to savā Desktop.

Piezīme: Ja jūs izmantojat uz Vista, ar peles labo pogu noklikšķiniet uz OTMoveIt2.exe un izvēlēties Run As Administrator.

1. Veiciet dubultklikšķi uz OTMoveIt2.exe lai tā varētu darboties.
2. Kopija ar codebox zem līnijas.

Kods:

[kill explorer] C: \ WINDOWS \ system32 \ calc.exe HKEY_LOCAL_MACHINE \ System \ ControlSet001 \ Services \ AppMgSvc EmptyTemp [sākums Explorer]

3. Atgriezties OTMoveIt2 labo klikšķi Ielīmēt saraksts failus / mapes Pārvietot logu (ar dzeltenu joslu) un izvēlieties Ielīmēt
4. Click sarkans Moveit! pogu.
5. Kopija viss Rezultāti loga (zem zaļā josla) un ielīmējiet to savā nākamajā atbildi.
6. Aizvērt OTMoveIt2

Atzīmēt: Ja faila vai mapes nevar pārvietot tieši jums var lūgt pārstartēt datoru lai pabeigtu pārvietoties procesu. Ja lūdza reboot, izvēlieties Jā. Ja ne, reboot anyway.

Similar Threads
Pavediens	Thread Starter	Forums	Replies	Last Post
Noņemot iexplore.exe vīruss / nolaupīt log	xalice15x	Vīrusu, spiegprogrammatūru un drošība	16	12 novembris 2008 19:43
Iexplorer.exe vīruss - Please help me!	Giant Panda	Vīrusu, spiegprogrammatūru un drošība	2	6 oktobris 2008 14:55
Es saņemu bone.exe vīrusu manu iexplorer	damandg	Vīrusu, spiegprogrammatūru un drošība	12	14 jūlijs 2008 14:31
Iexplorer.exe vīruss	iuboy2006	Vīrusu, spiegprogrammatūru un drošība	9	26 marts 2008 08:12
Avssytemcare popup vīrusu un līdzīgi - (includes nolaupīt this)	izmanīgs	Vīrusu, spiegprogrammatūru un drošība	23	Septembris 4, 2007 16:15