Computer Juice > Computer Software > Viruses, spyware and security
IEXPLORER.EXE virus pls review hijack log
#1
21 Sep 2008, 12:02
New Member Group

Logfile of Trend Micro HijackThis v2.0.2
Scan lagret 12:01:37, på 9/21/2008
Plattform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Kjører prosesser:
C: \ WINDOWS \ System32 \ smss.exe
C: \ WINDOWS \ system32 \ Csrss.exe
C: \ WINDOWS \ system32 \ Winlogon.exe
C: \ WINDOWS \ system32 \ Services.exe
C: \ WINDOWS \ system32 \ Lsass.exe
C: \ WINDOWS \ system32 \ ibmpmsvc.exe
C: \ WINDOWS \ system32 \ Svchost.exe
C: \ WINDOWS \ system32 \ Svchost.exe
C: \ Programfiler \ Intel \ Wireless \ Bin \ S24EvMon.exe
C: \ WINDOWS \ system32 \ Svchost.exe
C: \ WINDOWS \ system32 \ Svchost.exe
C: \ WINDOWS \ system32 \ Svchost.exe
C: \ Programfiler \ Fellesfiler \ Symantec Shared \ ccSetMgr.exe
C: \ Programfiler \ Fellesfiler \ Symantec Shared \ ccEvtMgr.exe
C: \ Programfiler \ Fellesfiler \ Symantec Shared \ SPBBC \ SPBBCSvc.exe
C: \ Programfiler \ Lavasoft \ Ad-Aware \ aawservice.exe
C: \ WINDOWS \ system32 \ Spoolsv.exe
C: \ WINDOWS \ system32 \ Svchost.exe
C: \ Centenn.ial \ Tilsyn \ CAgent32.exe
C: \ Centenn.ial \ Tilsyn \ xferwan.exe
C: \ Programfiler \ Cisco VPN Client \ cvpnd.exe
C: \ Programfiler \ Symantec AntiVirus \ DefWatch.exe
C: \ Programfiler \ Intel \ Wireless \ Bin \ EvtEng.exe
C: \ Programfiler \ Fellesfiler \ Microsoft Shared \ VS7DEBUG \ MDM.EXE
C: \ Programfiler \ Intel \ Wireless \ Bin \ RegSrvc.exe
C: \ Programfiler \ Symantec AntiVirus \ SavRoam.exe
C: \ Programfiler \ Symantec AntiVirus \ Rtvscan.exe
C: \ Programfiler \ Fellesfiler \ Lenovo \ tvt_reg_monitor_svc.exe
C: \ WINDOWS \ system32 \ TPHDEXLG.exe
C: \ Programfiler \ Fellesfiler \ Lenovo \ Scheduler \ tvtsched.exe
c: \ _integra \ bin \ ccmagent.exe
C: \ Program Files \ Lenovo \ System Update \ suservice.exe
C: \ WINDOWS \ System32 \ alg.exe
C: \ WINDOWS \ system32 \ calc.exe
C: \ WINDOWS \ system32 \ calc.exe
c: \ _integra \ bin \ shstart.exe
C: \ WINDOWS \ Explorer.exe
C: \ WINDOWS \ system32 \ tp4mon.exe
C: \ WINDOWS \ system32 \ igfxtray.exe
C: \ WINDOWS \ system32 \ hkcmd.exe
C: \ WINDOWS \ system32 \ igfxpers.exe
C: \ WINDOWS \ system32 \ NWTRAY.EXE
C: \ Programfiler \ Fellesfiler \ Symantec Shared \ ccApp.exe
C: \ progra ~ 1 \ SYMANT ~ 1 \ VPTray.exe
C: \ Programfiler \ Lenovo \ Hurtigtast \ TPOSDSVC.exe
C: \ WINDOWS \ system32 \ igfxsrvc.exe
C: \ WINDOWS \ system32 \ dla \ tfswctrl.exe
C: \ progra ~ 1 \ ThinkPad \ UTILIT ~ 1 \ EzEjMnAp.Exe
C: \ progra ~ 1 \ THINKV ~ 1 \ PrdCtr \ LPMGR.exe
C: \ WINDOWS \ system32 \ TpShocks.exe
C: \ Programfiler \ Lenovo \ Hurtigtast \ TPONSCR.exe
C: \ Programfiler \ Fellesfiler \ Lenovo \ Scheduler \ scheduler_proxy.exe
C: \ Programfiler \ Lenovo \ Zoom \ TpScrex.exe
C: \ Programfiler \ Fellesfiler \ Real \ Update_OB \ realsched.exe
C: \ WINDOWS \ system32 \ Ctfmon.exe
C: \ Programfiler \ Yahoo! \ Messenger \ ymsgr_tray.exe
C: \ WINDOWS \ system32 \ taskmgr.exe
C: \ Programfiler \ Internet Explorer \ IEXPLORE.EXE
C: \ Programfiler \ Internet Explorer \ IEXPLORE.EXE
C: \ Programfiler \ Internet Explorer \ IEXPLORE.EXE
C: \ WINDOWS \ system32 \ wuauclt.exe
C: \ WINDOWS \ system32 \ wbem \ wmiprvse.exe
C: \ Programfiler \ Trend Micro \ HijackThis \ HijackThis.exe
C: \ WINDOWS \ system32 \ wbem \ wmiprvse.exe
F2 - REG: system.ini: UserInit = c: \ windows \ system32 \ userinit.exe, c: \ _inte GRA \ bin \ shstart.exe
O2 - BHO: AcroIEHlprObj Class - (06849E9F-C8D7-4D59-B87D-784B7D6BE0B3) - C: \ Programfiler \ Adobe \ Acrobat 7.0 \ ActiveX \ AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - (5CA3D70E-1895-11CF-8E15-001234567890) - C: \ WINDOWS \ system32 \ dla \ tfswshx.dll
O4 - HKLM \ .. \ Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM \ .. \ Run: [IgfxTray] C: \ WINDOWS \ system32 \ igfxtray.exe
O4 - HKLM \ .. \ Run: [HotKeysCmds] C: \ WINDOWS \ system32 \ hkcmd.exe
O4 - HKLM \ .. \ Run: [utholdenhet] C: \ WINDOWS \ system32 \ igfxpers.exe
O4 - HKLM \ .. \ Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM \ .. \ Run: [ccApp] "C: \ Programfiler \ Fellesfiler \ Symantec Shared \ ccApp.exe"
O4 - HKLM \ .. \ Run: [vptray] C: \ progra ~ 1 \ SYMANT ~ 1 \ VPTray.exe
O4 - HKLM \ .. \ Run: [TPHOTKEY] C: \ Programfiler \ Lenovo \ Hurtigtast \ TPOSDSVC.exe
O4 - HKLM \ .. \ Run: [UpdateManager] "C: \ Programfiler \ Fellesfiler \ Sonic \ Update Manager \ sgtray.exe" / r
O4 - HKLM \ .. \ Run: [dla] C: \ WINDOWS \ system32 \ dla \ tfswctrl.exe
O4 - HKLM \ .. \ Run: [EZEJMNAP] C: \ progra ~ 1 \ ThinkPad \ UTILIT ~ 1 \ EzEjMnAp.Exe
O4 - HKLM \ .. \ Run: [LPManager] C: \ progra ~ 1 \ THINKV ~ 1 \ PrdCtr \ LPMGR.exe
O4 - HKLM \ .. \ Run: [TpShocks] TpShocks.exe
O4 - HKLM \ .. \ Run: [TVT Scheduler Proxy] C: \ Programfiler \ Fellesfiler \ Lenovo \ Scheduler \ scheduler_proxy.exe
O4 - HKLM \ .. \ Run: [TkBellExe] "C: \ Programfiler \ Fellesfiler \ Real \ Update_OB \ realsched.exe"-osboot
O4 - HKCU \ .. \ Run: [Ctfmon.exe] C: \ WINDOWS \ system32 \ Ctfmon.exe
O4 - HKCU \ .. \ Run: [Yahoo! Personsøker] "C: \ Programfiler \ Yahoo! \ Messenger \ YahooMessenger.exe" stille
O4 - HKUS \ S-1-5-19 \ .. \ Run: [Communicator] "C: \ Programfiler \ Microsoft Office Communicator \ Communicator.exe" (User 'LOCAL SERVICE')
O4 - HKUS \ S-1-5-20 \ .. \ Run: [Communicator] "C: \ Programfiler \ Microsoft Office Communicator \ Communicator.exe" (User 'NETWORK SERVICE')
O4 - HKUS \ S-1-5-18 \ .. \ Run: [Communicator] "C: \ Programfiler \ Microsoft Office Communicator \ Communicator.exe" (User 'SYSTEM')
O4 - HKUS \. DEFAULT \ .. \ Run: [Communicator] "C: \ Programfiler \ Microsoft Office Communicator \ Communicator.exe" (User 'Default user')
O8 - Extra sammenheng menyelement: E & ksporter til Microsoft Excel - res: / / c: \ progra ~ 1 \ micros ~ 2 \ Office11 \ EXCEL.EXE/3000
O9 - Extra knappen: Research - (92780B25-18CC-41C8-B9BE-3C9C571A8263) - C: \ progra ~ 1 \ micros ~ 2 \ Office11 \ REFIEBAR.DLL
O9 - Extra-knappen: @ C: \ Programfiler \ Messenger \ Msgslang.dll, -61144 - (FB5F1910-F110-11d2-BB9E-00C04F795683) - C: \ Programfiler \ Messenger \ msmsgs.exe
O9 - Extra "Verktøy" MENUITEM: @ C: \ Programfiler \ Messenger \ Msgslang.dll, -61144 - (FB5F1910-F110-11d2-BB9E-00C04F795683) - C: \ Programfiler \ Messenger \ msmsgs.exe
O16 - DPF: (215B8138-A3CF-44C5-803F-8226143CFC0A) (Trend Micro ActiveX Scan Agent 6.6) -- http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O17 - HKLM \ System \ CCS \ Services \ Tcpip \ .. \ (B8E7B489-2160-4DE7-B592-9FD03D16CC74): Domain = keane.com
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C: \ Programfiler \ Lavasoft \ Ad-Aware \ aawservice.exe
O23 - Service: Application Management Service (AppMgSvc) - Unknown owner - C: \ Program.exe (fil mangler)
O23 - Service: BHCP Service (BHsrv) - Unknown owner - C: \ Program.exe (fil mangler)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C: \ Programfiler \ Fellesfiler \ Symantec Shared \ ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C: \ Programfiler \ Fellesfiler \ Symantec Shared \ ccSetMgr.exe
O23 - Service: CentennialClientAgent - Centennial Software Limited - C: \ Centenn.ial \ Tilsyn \ CAgent32.exe
O23 - Service: CentennialIPTransferAgent - Centennial Software Limited - C: \ Centenn.ial \ Tilsyn \ xferwan.exe
O23 - Service: Klientoppdatering Service for Novell (cusrvc) - Novell, Inc. - C: \ WINDOWS \ system32 \ cusrvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C: \ Programfiler \ Cisco VPN Client \ cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C: \ Programfiler \ Symantec AntiVirus \ DefWatch.exe
O23 - Service: Intel (R) PROSet / Wireless Event Log (EvtEng) - Intel Corporation - C: \ Programfiler \ Intel \ Wireless \ Bin \ EvtEng.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C: \ WINDOWS \ system32 \ ibmpmsvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - c: \ progra ~ 1 \ Symantec \ LIVEUP ~ 1 \ LUCOMS ~ 1.EXE
O23 - Service: Intel (R) PROSet / Wireless Registry Service (RegSrvc) - Intel Corporation - C: \ Programfiler \ Intel \ Wireless \ Bin \ RegSrvc.exe
O23 - Service: Intel (R) PROSet / Wireless Service (S24EventMonitor) - Intel Corporation - C: \ Programfiler \ Intel \ Wireless \ Bin \ S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - Symantec - C: \ Programfiler \ Symantec AntiVirus \ SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C: \ Programfiler \ Fellesfiler \ Symantec Shared \ SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C: \ Programfiler \ Fellesfiler \ Symantec Shared \ SPBBC \ SPBBCSvc.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - C: \ Program Files \ Lenovo \ System Update \ suservice.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C: \ Programfiler \ Symantec AntiVirus \ Rtvscan.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C: \ Programfiler \ Fellesfiler \ Lenovo \ tvt_reg_monitor_svc.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C: \ WINDOWS \ system32 \ TPHDEXLG.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C: \ Programfiler \ Fellesfiler \ Lenovo \ Scheduler \ tvtsched.exe
O23 - Service: Symantec LiveState Agent for Windows (WControl) - Symantec Corporation - c: \ _integra \ bin \ ccmagent.exe
--
End of file - 8621 bytes
#2
21 Sep 2008, 15:30
Moderator Group

Download Malwarebytes' Anti-Malware (MBAM)
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note: If MBAM finds a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

#3
21 Sep 2008, 18:18
New Member Group

No malware found, here is the report
-------------------------------------------------- ----
Windows 5.1.2600 Service Pack 2
9/21/2008 6:16:07 PM
mbam-log-2008-09-21 (18-16-07). txt
Scan type: Quick Scan
Objekter skannet: 52621
Tid brukt: 4 minutt (er), 41 sekund (er)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registernøkler Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(Ingen skadelige eks oppdaget)
Memory Modules Infected:
(Ingen skadelige eks oppdaget)
Registernøkler Infected:
(Ingen skadelige eks oppdaget)
Registry Values Infected:
(Ingen skadelige eks oppdaget)
Registry Data Items Infected:
(Ingen skadelige eks oppdaget)
Folders Infected:
(Ingen skadelige eks oppdaget)
Files Infected:
(Ingen skadelige eks oppdaget)
#4
21 Sep 2008, 18:40
Moderator Group

There is no malware showing in either log.

What's happening?

#5
21 Sep 2008, 19:23
New Member Group

Multiple IEXPLORER.EXE processes spawning in the process list. They immediately pop up again if I kill them one by one. Sometimes I can also hear some sounds, like one of the running browser windows, but nothing visible. It's definitely wrong; they are not supposed to exist.
#6
21 Sep 2008, 19:26
Moderator Group

Download ComboFix by sUBs from one of the links below. Make sure you save it to the Desktop.

Link #1
Link #2

**Note: It is important that it is saved directly to your desktop

Close any open browsers (Firefox, Internet Explorer, etc.) before starting ComboFix.

Temporarily disable your anti-virus and any anti-spyware real-time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

Double-click combofix.exe and follow the prompts.
When finished, ComboFix will produce a log for you.
Post the ComboFix log and a new HijackThis log in your next reply.

Important: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your anti-virus and anti-spyware protection when ComboFix is complete.

#7
21 Sep 2008, 19:42
New Member Group

ComboFix Log
-----------------------
ComboFix 08-09-20.05 - 012466 2008-09-21 19:31:50.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.473 [GMT -7:00]
Running from: C: \ Keanetools \ ComboFix.exe
* Opprettet et nytt gjenopprettingspunkt
ADVARSEL-Denne maskinen har ikke gjenopprettingskonsollen INSTALLERT!
.
((((((((((((((((((((((((((((((((((((((( Other slettingene ))))))))) ))))))))))))))))))))))))))))))))))))))))
.
C: \ Documents and Settings \ LocalService \ Cookies \ system@ad.yieldmanag er [1]. Txt
C: \ WINDOWS \ system32 \ x64
.
((((((((((((((((((((((((((((((((((((((( Drivers / Services )))))))) )))))))))))))))))))))))))))))))))))))))))
.
------- \ Legacy_BHSRV
------- \ Service_BHsrv

((((((((((((((((((((((((( Files Created fra 2008-08-22 til 2008-09-22 ))))))))))) ))))))))))))))))))))
.
2008-09-21 18:09. 2008-09-21 18:10 <DIR> d -------- C: \ Programfiler \ Malwarebytes' Anti-Malware
2008-09-21 18:09. 2008-09-21 18:09 <DIR> d -------- C: \ Documents and Settings \ All Users \ Application Data \ Malwarebytes
2008-09-21 18:09. 2008-09-21 18:09 <DIR> d -------- C: \ Documents and Settings \012466 \ Application Data \ Malwarebytes
2008-09-21 18:09. 2008-09-10 00:04 38.528 - en ------ C: \ WINDOWS \ system32 \ drivers \ mbamswissarmy.sys
2008-09-21 18:09. 2008-09-10 00:03 17.200 - en ------ C: \ WINDOWS \ system32 \ drivers \ mbam.sys
2008-09-21 11:07. 2008-09-21 11:07 <DIR> d -------- C: \ Programfiler \ Lavasoft
2008-09-21 11:07. 2008-09-21 11:08 <DIR> d -------- C: \ Documents and Settings \ All Users \ Application Data \ Lavasoft
2008-09-21 11:06. 2008-09-21 11:06 <DIR> d -------- C: \ Programfiler \ Fellesfiler \ Wise Installation Wizard
2008-09-20 23:40. 2008-09-20 23:40 <DIR> d -------- C: \ Programfiler \ Trend Micro
2008-09-19 09:03. 2008-09-19 09:08 <DIR> d -------- C: \ WINDOWS \ SxsCaPendDel
2008-09-19 00:49. 2008-09-19 00:52 <DIR> d -------- C: \ Documents and Settings \012466 \. Housecall6.6
2008-09-19 00:27. 2008-09-19 09:04 <DIR> da ------ C: \ Documents and Settings \ All Users \ Application Data \ TEMP
2008-09-18 20:25. 2002-02-04 06:22 1.230.336 - en ------ C: \ WINDOWS \ system32 \ msxml4.dll
2008-09-18 20:25. 2007-09-14 05:01 922.920 --------- C: \ WINDOWS \ system32 \ ahlprun.exe
2008-09-18 20:25. 2002-02-04 06:13 82.432 - en ------ C: \ WINDOWS \ system32 \ msxml4r.dll
2008-09-18 20:25. 2002-02-04 06:13 44.544 - en ------ C: \ WINDOWS \ system32 \ msxml4a.dll
2008-09-18 20:25. 2002-02-07 18:43 9.679 - en ------ C: \ WINDOWS \ system32 \ msxml4r.cat
2008-09-18 20:25. 2002-02-07 18:43 9.675 - en ------ C: \ WINDOWS \ system32 \ msxml4.cat
2008-09-18 20:25. 2002-02-06 20:31 3.489 - en ------ C: \ WINDOWS \ system32 \ msxml4.Manifest
2008-09-18 20:25. 2002-02-06 20:31 500 - en ------ C: \ WINDOWS \ system32 \ msxml4r.Manifest
2008-09-18 20:21. 2008-09-18 20:21 <DIR> d -------- C: \ Programfiler \ Fellesfiler \ Lenovo
2008-09-18 18:27. 2008-09-21 11:54 21.272 - en ------ C: \ WINDOWS \ system32 \ bynpea.key
2008-09-18 18:25. 2008-09-18 18:25 1 - en ------ C: \ WINDOWS \ system32 \004fdb9.imi
2008-09-15 14:23. 2008-09-15 14:23 332.800 --- hs ---- C: \ WINDOWS \ system32 \ _Bhsrv.msi
2008-09-15 12:15. 2008-09-18 15:57 69.942 - en ------ C: \ WINDOWS \ system32 \ rrjack.key
2008-09-15 12:15. 2008-09-15 12:15 1 - en ------ C: \ WINDOWS \ system32 \0048444.imi
2008-09-13 19:27. 2008-09-13 19:27 24 - en ------ C: \ WINDOWS \ cdplayer.ini
2008-09-13 19:26. 2008-09-13 19:26 <DIR> d -------- C: \ Programfiler \ Real
2008-09-13 19:26. 2008-09-13 19:26 <DIR> d -------- C: \ Programfiler \ Fellesfiler \ xing delt
2008-09-13 19:26. 2008-09-13 19:26 <DIR> d -------- C: \ Programfiler \ Fellesfiler \ Real
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))) ))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-22 02:33 --------- d ----- w C: \ Programfiler \ Symantec AntiVirus
2008-09-22 02:33 --------- d ----- w C: \ Programfiler \ Cisco VPN-klienten
2008-09-21 18:56 16 - sh - r C: \ MSCIOTL.SYS
2008-09-21 18:55 8.416 ---- aw C: \ WINDOWS \ system32 \ drivers \ CDProbe.SYS
2008-09-20 19:26 430.816 - sh - w C: \ Programfiler \ _MsInfo.msi
2008-09-19 03:25 --------- d - h - w C: \ Programfiler \ InstallShield Installasjonsinformasjon
2008-09-19 03:25 --------- d ----- w C: \ Programfiler \ ThinkVantage
2008-09-19 03:21 --------- d ----- w C: \ Programfiler \ Lenovo
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))) ))))))))))))))))))))))))))))))))))))))))
.
.
* Note * empty entries & legit default entries ikke vises
REGEDIT4
[HKEY_CURRENT_USER \ Software \ Microsoft \ Windows \ Curre ntVersion \ Run]
"Ctfmon.exe" = "C: \ WINDOWS \ system32 \ Ctfmon.exe" [2004-08-04 15360]
"Yahoo! Personsøker" = "C: \ Programfiler \ Yahoo! \ Messenger \ YahooMessenger.exe" [2007-08-30 4670704]
[HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ Curr entVersion \ Run]
"IgfxTray" = "C: \ WINDOWS \ system32 \ igfxtray.exe" [2007-08-15 141848]
"HotKeysCmds" = "C: \ WINDOWS \ system32 \ hkcmd.exe" [2007-08-15 162328]
"Utholdenhet" = "C: \ WINDOWS \ system32 \ igfxpers.ex e" [2007-08-15 137752]
"ccApp" = "C: \ Programfiler \ Fellesfiler \ Symantec Shared \ ccApp.exe" [2006-03-24 53408]
"vptray" = "C: \ progra ~ 1 \ SYMANT ~ 1 \ VPTray.exe" [2006-06-14 124656]
"TPHOTKEY" = "C: \ Programfiler \ Lenovo \ Hurtigtast \ TPOSDSVC.exe" [2007-03-09 66176]
"UpdateManager" = "C: \ Programfiler \ Fellesfiler \ Sonic \ Update Manager \ sgtray.exe" [2003-08-18 110592]
"dla" = "C: \ WINDOWS \ system32 \ dla \ tfswctrl.exe" [2005-05-19 127037]
"EZEJMNAP" = "C: \ progra ~ 1 \ ThinkPad \ UTILIT ~ 1 \ EzEjMnAp. Exe" [2007-04-26 243248]
"LPManager" = "C: \ progra ~ 1 \ THINKV ~ 1 \ PrdCtr \ LPMGR.exe" [2007-03-22 120368]
"TVT Scheduler Proxy" = "C: \ Programfiler \ Fellesfiler \ Lenovo \ Scheduler \ scheduler_proxy.exe" [2008-03-04 487424]
"TkBellExe" = "C: \ Programfiler \ Fellesfiler \ Real \ Update_OB \ realsched.exe" [2008-09-13 185896]
"TrackPointSrv" = "tp4mon.exe" [2004-08-03 C: \ WINDOWS \ system32 \ tp4mon.exe]
"NWTRAY" = "NWTRAY.EXE" [2002-03-12 C: \ WINDOWS \ system32 \ nwtray.exe]
"TpShocks" = "TpShocks.exe" [2007-03-29 C: \ WINDOWS \ system32 \ TpShocks.exe]
[HKEY_USERS \. DEFAULT \ Software \ Microsoft \ Windows \ Cur rentVersion \ Run]
"Communicator" = "C: \ Programfiler \ Microsoft Office Communicator \ Communicator.exe" [2005-05-12 4167376]
[HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Windows \ curr entversion \ policies \ system]
"CompatibleRUPSecurity" = 1 (0x1)
[HKEY_USERS \. DEFAULT \ Software \ Microsoft \ Windows \ cur rentversion \ Policies \ Explorer]
"StartMenuLogOff" = 1 (0x1)
[HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Windows NT \ CurrentVersion \ Winlogon \ Notify \ tpfnf2]
2006-09-06 13:37 34344 C: \ Programfiler \ Lenovo \ Hurtigtast \ notifyf2.dll
[HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Windows NT \ CurrentVersion \ Winlogon \ Notify \ tphotkey]
2006-12-14 08:06 28672 C: \ Programfiler \ Lenovo \ Hurtigtast \ tphklock.dll
[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ contro l \ Lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwv1_0
[HKEY_LOCAL_MACHINE \ Software \ Microsoft \ security center \ Monitoring \ SymantecAntiVirus]
"DisableMonitoring" = dword: 00000001
[HKLM \ ~ \ Services \ sharedaccess \ Parameters \ firewallpo licy \ standardprofile \ AuthorizedApplications \ List]
"% windir% \ \ system32 \ \ sessmgr.exe" =
"C: \ \ Program Files \ \ Yahoo! \ \ Messenger \ \ YahooMessenger.exe" =
"C: \ \ Program Files \ \ Yahoo! \ \ Messenger \ \ YServer.exe" =
R0 Shockprf; Shockprf; C: \ WINDOWS \ system32 \ drivers \ Apsx 86.sys [2007-03-02 100656]
R0 TPDIGIMN; TPDIGIMN; C: \ WINDOWS \ system32 \ drivers \ ApsH M86.sys [2007-03-02 19760]
R2 smefs; SMEFileSystem; C: \ WINDOWS \ system32 \ drivers \ sm efs.sys [2006-02-08 20508]
R3 CdProbe; CdProbe; C: \ WINDOWS \ system32 \ drivers \ cdprob e.sys [2008-09-21 8416]
R3 smedrv; SMEDriver; C: \ WINDOWS \ system32 \ drivers \ smedr v.sys [2006-02-08 9516]
S2 AppMgSvc; Application Management Service, C: \ Programfiler \ Fellesfiler \ Microsoft Shared \ MSINFO \ MsInfo.msi [2008-09-20 430816]
S2 yraebbgi; yraebbgi; C: \ WINDOWS \ system32 \ drivers \ bynp ea.sys []
S2 yrtxzgwh; yrtxzgwh; C: \ WINDOWS \ system32 \ drivers \ rrja ck.sys []
[HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Windows NT \ CurrentVersion \ svchost]
wrtxzg REG_MULTI_SZ wrtxzg
nraebb REG_MULTI_SZ nraebb
.
.
------- Tilleggsavtale Scan -------
.
R0 -: HKCU-Main, Start Page = hxxp: / / www.google.com/
O8 -: E & ksporter til Microsoft Excel - C: \ progra ~ 1 \ micros ~ 2 \ Office11 \ EXCEL.EXE/3000
.
************************************************** ************************
CatchMe 0.3.1361 W2K/XP/Vista - rootkit / skjulemodus malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-21 19:35:12
Windows 5.1.2600 Service Pack 2 NTFS
skanning skjulte prosesser ...
scanning hidden autostart entries ...
skanning skjulte filer ...
skanning er fullført
skjulte filer: 0
************************************************** ************************
[HKEY_LOCAL_MACHINE \ SYSTEM \ ControlSet001 \ Services \ A ppMgSvc]
"ImagePath" = "C: \ Programfiler \ Fellesfiler \ Microsoft Shared \ MSINFO \ MsInfo.msi"
.
--------------------- DLLer Loaded Under Running Processes ---------------------
PROSESSEN: C: \ WINDOWS \ system32 \ Winlogon.exe
-> C: \ Programfiler \ Lenovo \ Hurtigtast \ tphklock.dll
.
------------------------ Other Running Prosesser ----------------------- --
.
C: \ WINDOWS \ system32 \ ibmpmsvc.exe
C: \ Programfiler \ Intel \ Wireless \ Bin \ S24EvMon.exe
C: \ Programfiler \ Fellesfiler \ Symantec Shared \ ccSetMgr.exe
C: \ Programfiler \ Fellesfiler \ Symantec Shared \ ccEvtMgr.exe
C: \ Programfiler \ Fellesfiler \ Symantec Shared \ SPBBC \ SPBBCSvc.exe
C: \ Programfiler \ Lavasoft \ Ad-Aware \ aawservice.exe
C: \ _integra \ bin \ shstart.exe
C: \ WINDOWS \ system32 \ igfxsrvc.exe
C: \ Programfiler \ Lenovo \ Hurtigtast \ TPONSCR.exe
C: \ Programfiler \ Lenovo \ ZOOM \ TpScrex.exe
C: \ Programfiler \ Symantec AntiVirus \ DoScan.exe
C: \ Programfiler \ Internet Explorer \ IEXPLORE.EXE
C: \ CENTENN.IAL \ Tilsyn \ CAgent32.exe
C: \ CENTENN.IAL \ Tilsyn \ xferwan.exe
C: \ Programfiler \ Cisco VPN Client \ cvpnd.exe
C: \ Programfiler \ Symantec AntiVirus \ DefWatch.exe
C: \ Programfiler \ Intel \ Wireless \ Bin \ EvtEng.exe
C: \ Programfiler \ Fellesfiler \ Microsoft Shared \ VS7DEBUG \ MDM.EXE
C: \ Programfiler \ Intel \ Wireless \ Bin \ RegSrvc.exe
C: \ Programfiler \ Yahoo! \ Messenger \ Ymsgr_tray.exe
C: \ WINDOWS \ system32 \ calc.exe
C: \ Programfiler \ Symantec AntiVirus \ SavRoam.exe
C: \ Programfiler \ Symantec AntiVirus \ Rtvscan.exe
C: \ Programfiler \ Fellesfiler \ Lenovo \ tvt_reg_monitor_svc.exe
C: \ WINDOWS \ system32 \ TPHDEXLG.exe
C: \ Programfiler \ Fellesfiler \ Lenovo \ Scheduler \ tvtsched.exe
C: \ _integra \ bin \ ccmagent.exe
C: \ Programfiler \ Lenovo \ System Update \ SUService.exe
C: \ WINDOWS \ system32 \ wscntfy.exe
C: \ ComboFix \ pv.cfexe
.
************************************************** ************************
.
Fullføringstidspunkt: 2008-09-21 19:36:58 - maskinen ble startet på nytt
ComboFix-karantene-files.txt 2008-09-22 02:36:54
Pre-Run: 64333811712 bytes gratis
Post-Run: 64523264000 bytes gratis
175





HijackThis Log
-----------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan lagret 7:38:41 PM, on 9/21/2008
Plattform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Kjører prosesser:
C: \ WINDOWS \ System32 \ smss.exe
C: \ WINDOWS \ system32 \ Winlogon.exe
C: \ WINDOWS \ system32 \ Services.exe
C: \ WINDOWS \ system32 \ Lsass.exe
C: \ WINDOWS \ system32 \ ibmpmsvc.exe
C: \ WINDOWS \ system32 \ Svchost.exe
C: \ Programfiler \ Intel \ Wireless \ Bin \ S24EvMon.exe
C: \ WINDOWS \ system32 \ Svchost.exe
C: \ Programfiler \ Fellesfiler \ Symantec Shared \ ccSetMgr.exe
C: \ Programfiler \ Fellesfiler \ Symantec Shared \ ccEvtMgr.exe
C: \ Programfiler \ Fellesfiler \ Symantec Shared \ SPBBC \ SPBBCSvc.exe
C: \ Programfiler \ Lavasoft \ Ad-Aware \ aawservice.exe
C: \ WINDOWS \ system32 \ Spoolsv.exe
c: \ _integra \ bin \ shstart.exe
C: \ WINDOWS \ system32 \ tp4mon.exe
C: \ WINDOWS \ system32 \ igfxtray.exe
C: \ WINDOWS \ system32 \ hkcmd.exe
C: \ WINDOWS \ system32 \ igfxpers.exe
C: \ WINDOWS \ system32 \ NWTRAY.EXE
C: \ Programfiler \ Fellesfiler \ Symantec Shared \ ccApp.exe
C: \ progra ~ 1 \ SYMANT ~ 1 \ VPTray.exe
C: \ WINDOWS \ system32 \ igfxsrvc.exe
C: \ Programfiler \ Lenovo \ Hurtigtast \ TPOSDSVC.exe
C: \ WINDOWS \ system32 \ dla \ tfswctrl.exe
C: \ progra ~ 1 \ ThinkPad \ UTILIT ~ 1 \ EzEjMnAp.Exe
C: \ Programfiler \ Lenovo \ Hurtigtast \ TPONSCR.exe
C: \ Programfiler \ Lenovo \ Zoom \ TpScrex.exe
C: \ progra ~ 1 \ THINKV ~ 1 \ PrdCtr \ LPMGR.exe
C: \ WINDOWS \ system32 \ TpShocks.exe
C: \ Programfiler \ Fellesfiler \ Lenovo \ Scheduler \ scheduler_proxy.exe
C: \ Programfiler \ Fellesfiler \ Real \ Update_OB \ realsched.exe
C: \ WINDOWS \ system32 \ Ctfmon.exe
C: \ Programfiler \ Internet Explorer \ IEXPLORE.EXE
C: \ WINDOWS \ system32 \ Svchost.exe
C: \ Centenn.ial \ Tilsyn \ CAgent32.exe
C: \ Centenn.ial \ Tilsyn \ xferwan.exe
C: \ Programfiler \ Cisco VPN Client \ cvpnd.exe
C: \ Programfiler \ Symantec AntiVirus \ DefWatch.exe
C: \ Programfiler \ Intel \ Wireless \ Bin \ EvtEng.exe
C: \ Programfiler \ Fellesfiler \ Microsoft Shared \ VS7DEBUG \ MDM.EXE
C: \ Programfiler \ Intel \ Wireless \ Bin \ RegSrvc.exe
C: \ Programfiler \ Yahoo! \ Messenger \ ymsgr_tray.exe
C: \ WINDOWS \ system32 \ calc.exe
C: \ Programfiler \ Symantec AntiVirus \ SavRoam.exe
C: \ Programfiler \ Symantec AntiVirus \ Rtvscan.exe
C: \ Programfiler \ Fellesfiler \ Lenovo \ tvt_reg_monitor_svc.exe
C: \ WINDOWS \ system32 \ TPHDEXLG.exe
C: \ Programfiler \ Fellesfiler \ Lenovo \ Scheduler \ tvtsched.exe
c: \ _integra \ bin \ ccmagent.exe
C: \ Program Files \ Lenovo \ System Update \ suservice.exe
C: \ WINDOWS \ system32 \ wscntfy.exe
C: \ WINDOWS \ system32 \ wuauclt.exe
C: \ WINDOWS \ system32 \ wuauclt.exe
C: \ WINDOWS \ Explorer.exe
C: \ Programfiler \ Trend Micro \ HijackThis \ HijackThis.exe
R1 - HKLM \ Software \ Microsoft \ Internet Explorer \ Main, Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM \ Software \ Microsoft \ Internet Explorer \ Main, Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM \ Software \ Microsoft \ Internet Explorer \ Main, Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - (06849E9F-C8D7-4D59-B87D-784B7D6BE0B3) - C: \ Programfiler \ Adobe \ Acrobat 7.0 \ ActiveX \ AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - (5CA3D70E-1895-11CF-8E15-001234567890) - C: \ WINDOWS \ system32 \ dla \ tfswshx.dll
O4 - HKLM \ .. \ Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM \ .. \ Run: [IgfxTray] C: \ WINDOWS \ system32 \ igfxtray.exe
O4 - HKLM \ .. \ Run: [HotKeysCmds] C: \ WINDOWS \ system32 \ hkcmd.exe
O4 - HKLM \ .. \ Run: [utholdenhet] C: \ WINDOWS \ system32 \ igfxpers.exe
O4 - HKLM \ .. \ Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM \ .. \ Run: [ccApp] "C: \ Programfiler \ Fellesfiler \ Symantec Shared \ ccApp.exe"
O4 - HKLM \ .. \ Run: [vptray] C: \ progra ~ 1 \ SYMANT ~ 1 \ VPTray.exe
O4 - HKLM \ .. \ Run: [TPHOTKEY] C: \ Programfiler \ Lenovo \ Hurtigtast \ TPOSDSVC.exe
O4 - HKLM \ .. \ Run: [UpdateManager] "C: \ Programfiler \ Fellesfiler \ Sonic \ Update Manager \ sgtray.exe" / r
O4 - HKLM \ .. \ Run: [dla] C: \ WINDOWS \ system32 \ dla \ tfswctrl.exe
O4 - HKLM \ .. \ Run: [EZEJMNAP] C: \ progra ~ 1 \ ThinkPad \ UTILIT ~ 1 \ EzEjMnAp.Exe
O4 - HKLM \ .. \ Run: [LPManager] C: \ progra ~ 1 \ THINKV ~ 1 \ PrdCtr \ LPMGR.exe
O4 - HKLM \ .. \ Run: [TpShocks] TpShocks.exe
O4 - HKLM \ .. \ Run: [TVT Scheduler Proxy] C: \ Programfiler \ Fellesfiler \ Lenovo \ Scheduler \ scheduler_proxy.exe
O4 - HKLM \ .. \ Run: [TkBellExe] "C: \ Programfiler \ Fellesfiler \ Real \ Update_OB \ realsched.exe"-osboot
O4 - HKCU \ .. \ Run: [Ctfmon.exe] C: \ WINDOWS \ system32 \ Ctfmon.exe
O4 - HKCU \ .. \ Run: [Yahoo! Personsøker] "C: \ Programfiler \ Yahoo! \ Messenger \ YahooMessenger.exe" stille
O4 - HKUS \ S-1-5-19 \ .. \ Run: [Communicator] "C: \ Programfiler \ Microsoft Office Communicator \ Communicator.exe" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\progra~1\micros~2\Office11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\progra~1\micros~2\Office11\REFIEBAR.DLL
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B8E7B489-2160-4DE7-B592-9FD03D16CC74}: Domain = keane.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{D239A412-22C2-4683-95BC-1FFAA687D0DF}: NameServer = 172.21.18.101,172.21.18.102
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Application Management Service (AppMgSvc) - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CentennialClientAgent - Centennial Software Limited - C:\Centenn.ial\Audit\CAgent32.exe
O23 - Service: CentennialIPTransferAgent - Centennial Software Limited - C:\Centenn.ial\Audit\xferwan.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - c:\progra~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - Symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - C:\Program Files\Lenovo\System Update\suservice.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\system32\TPHDEXLG.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: Symantec LiveState Agent for Windows (WControl) - Symantec Corporation - c:\_integra\bin\ccmagent.exe
--
End of file - 8581 bytes
#8
21 Sep 2008, 21:24
Moderator Group

IEXPLORER.EXE virus pls review hijack log

Note: The instructions below were created specifically for this user. If you are not this user, do NOT follow these directions, as they could damage the workings of your system.

Delete these files/folders as follows:

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the code box below by highlighting all the text and pressing Ctrl+C

Code:
KillAll::

Driver::
BHSRV
BHsrv

File::
C:\WINDOWS\system32\bynpea.key
C:\WINDOWS\system32\004fdb9.imi
C:\WINDOWS\system32\_Bhsrv.msi
C:\WINDOWS\system32\rrjack.key
C:\WINDOWS\system32\0048444.imi
C:\WINDOWS\system32\drivers\bynpea.sys
C:\WINDOWS\system32\drivers\rrjack.sys
C:\WINDOWS\system32\calc.exe
3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - save the file to your Desktop
6. Drag CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) onto ComboFix.exe, as you see in the screenshot below. Important: Perform this instruction carefully!



ComboFix will begin to run; just follow the prompts.
After the reboot (in case it asks to reboot), it will produce a log file for you.
Post that log (Combofix.txt) in your next reply.

Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to freeze.
__________________

#9
21 Sep 2008, 22:20
New Member Group

IEXPLORER.EXE virus pls review hijack log

ComboFix log after running the CFScript
----------------------------------------------------------
ComboFix 08-09-20.05 - 012466 2008-09-21 22:11:45.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.598 [GMT -7:00]
Running from: C:\Keanetools\ComboFix.exe
Command switches used :: C:\Documents and Settings\012466\Desktop\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED!!
FILE ::
C:\WINDOWS\system32\_Bhsrv.msi
C:\WINDOWS\system32\0048444.imi
C:\WINDOWS\system32\004fdb9.imi
C:\WINDOWS\system32\bynpea.key
C:\WINDOWS\system32\calc.exe
C:\WINDOWS\system32\drivers\bynpea.sys
C:\WINDOWS\system32\drivers\rrjack.sys
C:\WINDOWS\system32\rrjack.key
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\_Bhsrv.msi
C:\WINDOWS\system32\0048444.imi
C:\WINDOWS\system32\004fdb9.imi
C:\WINDOWS\system32\bynpea.key
C:\WINDOWS\system32\calc.exe
C:\WINDOWS\system32\rrjack.key
.
(((((((((((((((((((((((((   Files Created from 2008-08-22 to 2008-09-22   )))))))))))))))))))))))))))))))
.
2008-09-21 18:09 . 2008-09-21 18:10 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-21 18:09 . 2008-09-21 18:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-21 18:09 . 2008-09-21 18:09 <DIR> d-------- C:\Documents and Settings\012466\Application Data\Malwarebytes
2008-09-21 18:09 . 2008-09-10 00:04 38,528 -a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-21 18:09 . 2008-09-10 00:03 17,200 -a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-21 11:07 . 2008-09-21 11:07 <DIR> d-------- C:\Program Files\Lavasoft
2008-09-21 11:07 . 2008-09-21 11:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-09-21 11:06 . 2008-09-21 11:06 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-09-20 23:40 . 2008-09-20 23:40 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-19 09:03 . 2008-09-19 09:08 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-09-19 00:49 . 2008-09-19 00:52 <DIR> d-------- C:\Documents and Settings\012466\.Housecall6.6
2008-09-19 00:27 . 2008-09-19 09:04 <DIR> da------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-09-18 20:25 . 2002-02-04 06:22 1,230,336 -a------ C:\WINDOWS\system32\msxml4.dll
2008-09-18 20:25 . 2007-09-14 05:01 922,920 --------- C:\WINDOWS\system32\ahlprun.exe
2008-09-18 20:25 . 2002-02-04 06:13 82,432 -a------ C:\WINDOWS\system32\msxml4r.dll
2008-09-18 20:25 . 2002-02-04 06:13 44,544 -a------ C:\WINDOWS\system32\msxml4a.dll
2008-09-18 20:25 . 2002-02-07 18:43 9,679 -a------ C:\WINDOWS\system32\msxml4r.cat
2008-09-18 20:25 . 2002-02-07 18:43 9,675 -a------ C:\WINDOWS\system32\msxml4.cat
2008-09-18 20:25 . 2002-02-06 20:31 3,489 -a------ C:\WINDOWS\system32\msxml4.Manifest
2008-09-18 20:25 . 2002-02-06 20:31 500 -a------ C:\WINDOWS\system32\msxml4r.Manifest
2008-09-18 20:21 . 2008-09-18 20:21 <DIR> d-------- C:\Program Files\Common Files\Lenovo
2008-09-13 19:27 . 2008-09-13 19:27 24 -a------ C:\WINDOWS\cdplayer.ini
2008-09-13 19:26 . 2008-09-13 19:26 <DIR> d-------- C:\Program Files\Real
2008-09-13 19:26 . 2008-09-13 19:26 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-09-13 19:26 . 2008-09-13 19:26 <DIR> d-------- C:\Program Files\Common Files\Real
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-22 05:14 8,416 ----a-w C:\WINDOWS\system32\drivers\CDProbe.SYS
2008-09-22 05:14 16 --sh--r C:\MSCIOTL.SYS
2008-09-22 05:14 ---------d-----w C:\Program Files\Symantec AntiVirus
2008-09-22 03:07 ---------d-----w C:\Program Files\Cisco VPN Client
2008-09-20 19:26 430,816 --sh--w C:\Program Files\_MsInfo.msi
2008-09-19 03:25 ---------d--h--w C:\Program Files\InstallShield Installation Information
2008-09-19 03:25 ---------d-----w C:\Program Files\ThinkVantage
2008-09-19 03:21 ---------d-----w C:\Program Files\Lenovo
.
(((((((((((((((((((((((((((((   Snapshot@2008-09-21_19.36.38.64   )))))))))))))))))))))))))))))))))))))))))
.
- 2008-09-21 18:59:45 71,370 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-09-22 02:39:43 71,370 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-09-21 18:59:45 439,832 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-09-22 02:39:43 439,832 ----a-w C:\WINDOWS\system32\perfh009.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Ctfmon.exe"="C:\WINDOWS\system32\Ctfmon.exe" [2004-08-04 15360]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-08-15 141848]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-08-15 162328]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-08-15 137752]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-03-24 53408]
"vptray"="C:\progra~1\SYMANT~1\VPTray.exe" [2006-06-14 124656]
"TPHOTKEY"="C:\Program Files\Lenovo\Hotkey\TPOSDSVC.exe" [2007-03-09 66176]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-18 110592]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2005-05-19 127037]
"EZEJMNAP"="C:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2007-04-26 243248]
"LPManager"="C:\progra~1\THINKV~1\PrdCtr\LPMGR.exe" [2007-03-22 120368]
"TVT Scheduler Proxy"="C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-03-04 487424]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-09-13 185896]
"TrackPointSrv"="tp4mon.exe" [2004-08-03 C:\WINDOWS\system32\tp4mon.exe]
"NWTRAY"="NWTRAY.EXE" [2002-03-12 C:\WINDOWS\system32\nwtray.exe]
"TpShocks"="TpShocks.exe" [2007-03-29 C:\WINDOWS\system32\TpShocks.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Communicator"="C:\Program Files\Microsoft Office Communicator\Communicator.exe" [2005-05-12 4167376]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\currentversion\policies\system]
"CompatibleRUPSecurity"= 1 (0x1)
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\currentversion\Policies\Explorer]
"StartMenuLogOff"= 1 (0x1)
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\tpfnf2]
2006-09-06 13:37 34344 C:\Program Files\Lenovo\Hotkey\notifyf2.dll
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\tphotkey]
2006-12-14 08:06 28672 C:\Program Files\Lenovo\Hotkey\tphklock.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\control\Lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwv1_0
[HKEY_LOCAL_MACHINE\Software\Microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
R0 Shockprf;Shockprf;C:\WINDOWS\system32\drivers\Apsx86.sys [2007-03-02 100656]
R0 TPDIGIMN;TPDIGIMN;C:\WINDOWS\system32\drivers\ApsHM86.sys [2007-03-02 19760]
R2 smefs;SMEFileSystem;C:\WINDOWS\system32\drivers\smefs.sys [2006-02-08 20508]
R3 CdProbe;CdProbe;C:\WINDOWS\system32\drivers\cdprobe.sys [2008-09-21 8416]
R3 smedrv;SMEDriver;C:\WINDOWS\system32\drivers\smedrv.sys [2006-02-08 9516]
S2 AppMgSvc;Application Management Service;C:\Program Files\Common Files\Microsoft Shared\MSINFO\MsInfo.msi [2008-09-20 430816]
S2 yraebbgi;yraebbgi;C:\WINDOWS\system32\drivers\bynpea.sys []
S2 yrtxzgwh;yrtxzgwh;C:\WINDOWS\system32\drivers\rrjack.sys []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\svchost]
wrtxzg REG_MULTI_SZ wrtxzg
nraebb REG_MULTI_SZ nraebb
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-21 22:16:04
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

C:\WINDOWS\system32\calc.exe
scan completed successfully
hidden files: 1
**************************************************************************
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\AppMgSvc]
"ImagePath"="C:\Program Files\Common Files\Microsoft Shared\MSINFO\MsInfo.msi"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\Winlogon.exe
-> C:\Program Files\Lenovo\Hotkey\tphklock.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ibmpmsvc.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\CENTENN.IAL\Audit\CAgent32.exe
C:\CENTENN.IAL\Audit\xferwan.exe
C:\Program Files\Cisco VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\WINDOWS\system32\TPHDEXLG.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\_integra\bin\ccmagent.exe
C:\Program Files\Lenovo\System Update\SUService.exe
C:\_integra\bin\shstart.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Lenovo\Hotkey\TPONSCR.exe
C:\Program Files\Lenovo\ZOOM\TpScrex.exe
C:\Program Files\Symantec AntiVirus\DoScan.exe
C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
C:\ComboFix\pv.cfexe
.
**************************************************************************
.
Completion time: 2008-09-21 22:17:28 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-22 05:17:23
ComboFix2.txt 2008-09-22 02:36:59
Pre-Run: 64509464576 bytes free
Post-Run: 64505421824 bytes free
181
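The entries the moderator singles out in the logs above (a service whose binary is gone, a service whose ImagePath points at an .msi, two drivers ComboFix lists with empty "[]" metadata, and a file catchme reports as hidden) are the kind of thing a triage script can pull out of a HijackThis or ComboFix log mechanically. The script below is an added example written for this page; it is not a tool from the thread, from the moderator, or from the HijackThis/ComboFix authors. The sample log is constructed from lines modelled on the ones posted here, and the regular expressions and the "suspicious" heuristics (missing binary, non-executable image extension, empty metadata, hidden file) are my own assumptions about the log formats.

```python
"""Triage helper for HijackThis / ComboFix style log lines (added example)."""
import ntpath
import re
from dataclasses import dataclass

# Constructed sample, modelled on entries from the logs posted in this thread.
SAMPLE_LOG = """\
O23 - Service: Application Management Service (AppMgSvc) - Unknown owner - C:\\Program.exe (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\\Program Files\\Symantec AntiVirus\\Rtvscan.exe
R0 Shockprf;Shockprf;C:\\WINDOWS\\system32\\drivers\\Apsx86.sys [2007-03-02 100656]
S2 AppMgSvc;Application Management Service;C:\\Program Files\\Common Files\\Microsoft Shared\\MSINFO\\MsInfo.msi [2008-09-20 430816]
S2 yraebbgi;yraebbgi;C:\\WINDOWS\\system32\\drivers\\bynpea.sys []
S2 yrtxzgwh;yrtxzgwh;C:\\WINDOWS\\system32\\drivers\\rrjack.sys []
scanning hidden files ...

C:\\WINDOWS\\system32\\calc.exe
scan completed successfully
hidden files: 1
"""

# HijackThis O23 line: "... - <vendor> - <path>"; HijackThis appends "(file missing)"
# when the registered service binary is not on disk.
O23_RE = re.compile(
    r"^O23 - Service: .* - (?P<path>[A-Za-z]:\\.*?)(?P<missing> \(file missing\))?\s*$"
)
# ComboFix driver/service line: "<R|S><n> name;display;path [date size]".
# An empty "[]" means ComboFix found no file to read a timestamp and size from.
SVC_RE = re.compile(
    r"^(?P<state>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?) \[(?P<meta>[^\]]*)\]\s*$"
)
WIN_PATH_RE = re.compile(r"^[A-Za-z]:\\")
# Extensions a legitimate service or driver image is expected to carry (assumption).
EXECUTABLE_EXT = {".exe", ".sys", ".dll"}


@dataclass(frozen=True)
class Finding:
    reason: str
    line: str


def triage(log_text: str) -> list:
    """Return one Finding per suspicious log line, in the order they appear."""
    findings = []
    in_hidden_files = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # catchme section: paths listed between these two markers were hidden
        # from the normal Win32 file API, which is a rootkit indicator.
        if line.startswith("scanning hidden files"):
            in_hidden_files = True
            continue
        if line.startswith("scan completed"):
            in_hidden_files = False
            continue
        if in_hidden_files and WIN_PATH_RE.match(line):
            findings.append(Finding("file hidden from the Win32 API (rootkit indicator)", line))
            continue
        m = O23_RE.match(line)
        if m:
            if m.group("missing"):
                findings.append(Finding("service registered but its binary is missing", line))
            continue
        m = SVC_RE.match(line)
        if m:
            ext = ntpath.splitext(m.group("path"))[1].lower()
            if ext not in EXECUTABLE_EXT:
                findings.append(Finding(f"service image has a non-executable extension ({ext})", line))
            if not m.group("meta").strip():
                findings.append(Finding("no file metadata; the driver file could not be read", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

Run against the sample it reports five findings: the AppMgSvc service with its binary missing, the same service registered with an .msi as its image, the two randomly named S2 drivers with empty metadata, and the hidden calc.exe. The legitimate Symantec and Shockprf lines produce nothing. Any real log should of course be read in full; the script only ranks where to look first.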
#10
21 Sep 2008, 22:26
Moderator Group

IEXPLORER.EXE virus pls review hijack log

Download OTMoveIt2 by OldTimer and save it to your Desktop.

Note: If you are running on Vista, right-click on OTMoveIt2.exe and select Run as Administrator.

1. Double-click OTMoveIt2.exe to run it.
2. Copy the lines in the code box below.

Code:
[kill explorer]
C:\WINDOWS\system32\calc.exe
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\AppMgSvc
EmptyTemp
[start explorer]
3. Return to OTMoveIt2, right-click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste
4. Click the red Moveit! button.
5. Copy everything in the Results window (under the green bar) and paste it into your next reply.
6. Close OTMoveIt2

Note: If a file or folder cannot be moved immediately, you may be asked to reboot the machine to finish the move process. If you are asked to reboot, choose Yes. If not, reboot anyway.
__________________

Copyright © 2006 - 2009 Computer Juice.
