IEXPLORER.EXE virus, please review HijackThis log
#1  21 Sep 2008, 12:02  New member
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:01:37, on 9/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\Windows\system32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\ibmpmsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Intel\Wireless\bin\S24EvMon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Windows\system32\Spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Centenn.ial\audit\CAgent32.exe
C:\Centenn.ial\audit\xferwan.exe
C:\Program Files\Cisco VPN client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Intel\Wireless\bin\EvtEng.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wireless\bin\RegSrvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\Windows\system32\TPHDEXLG.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\_integra\bin\ccmagent.exe
C:\Program Files\Lenovo\System Update\suservice.exe
C:\Windows\system32\alg.exe
C:\Windows\system32\calc.exe
C:\Windows\system32\calc.exe
C:\_integra\bin\shstart.exe
C:\WINDOWS\Explorer.exe
C:\Windows\system32\tp4mon.exe
C:\Windows\system32\igfxtray.exe
C:\Windows\system32\hkcmd.exe
C:\Windows\system32\igfxpers.exe
C:\Windows\system32\NWTRAY.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\dla\tfswctrl.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
C:\Windows\system32\TpShocks.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\Lenovo\ZOOM\TpScrex.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Windows\system32\Ctfmon.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Windows\system32\taskmgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\wbem\wmiprvse.exe
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe,C:\_integra\bin\shstart.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\Windows\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\Windows\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Ctfmon.exe] C:\Windows\system32\Ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-19\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11D2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11D2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B8E7B489-2160-4DE7-B592-9FD03D16CC74}: Domain = keane.com
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Application Management Service (AppMgSvc) - Unknown owner - C:\Program.exe (file missing)
O23 - Service: BHCP Service (BHsrv) - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CentennialClientAgent - Centennial Software Limited - C:\Centenn.ial\audit\CAgent32.exe
O23 - Service: CentennialIPTransferAgent - Centennial Software Limited - C:\Centenn.ial\audit\xferwan.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\Windows\system32\cusrvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco VPN client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\bin\EvtEng.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\Windows\system32\ibmpmsvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - Symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - C:\Program Files\Lenovo\System Update\suservice.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\Windows\system32\TPHDEXLG.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: Symantec LiveState Agent for Windows (WControl) - Symantec Corporation - C:\_integra\bin\ccmagent.exe
--
End of file - 8621 bytes
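As an added example (it is not HijackThis code and was not part of the original thread), here is a Python triage pass over a HijackThis v2 log of the kind posted above. It parses the running-process list and the numbered sections and flags what a responder reads first: the same image running many times (the poster's own symptom), extra programs in the Userinit chain (shstart.exe here, which sits in the same C:\_integra\bin directory as the Symantec LiveState agent listed under O23, so it needs confirming rather than deleting), Run entries under service-account hives, services with no vendor string or with a binary HijackThis could not find, and the TCP/IP domain setting. The sample lines are copied and abridged from the log above with whitespace normalised; the severity labels are this script's, not HijackThis's. One caveat the output makes visible: HijackThis reports both AppMgSvc and BHsrv as "C:\Program.exe (file missing)", while the ComboFix report later in the thread shows AppMgSvc's real ImagePath as C:\Program Files\Common Files\Microsoft Shared\MSINFO\MsInfo.msi, so that HijackThis line is the rendering of an unquoted path cut at its first space, and the service has to be checked in the registry rather than assumed absent.

```python
"""Triage a HijackThis v2 log.  Added example, not HijackThis code.
The sample below is copied (abridged, whitespace normalised) from the log
posted above; the severity labels are this script's own."""
import re
from collections import Counter

SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\smss.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe,C:\_integra\bin\shstart.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKUS\S-1-5-18\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'SYSTEM')
O17 - HKLM\System\CCS\Services\Tcpip\..\{B8E7B489-2160-4DE7-B592-9FD03D16CC74}: Domain = keane.com
O23 - Service: Application Management Service (AppMgSvc) - Unknown owner - C:\Program.exe (file missing)
O23 - Service: BHCP Service (BHsrv) - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
"""

ENTRY_RE = re.compile(r"^([FOR]\d+)\s+-\s+(.*)$")   # "O23 - Service: ..."
PROCESS_RE = re.compile(r"^[A-Za-z]:\\")             # a line of the process list
SERVICE_ACCOUNT_HIVES = ("S-1-5-18", "S-1-5-19", "S-1-5-20", ".DEFAULT")


def parse_hjt(text):
    """Return (running_processes, [(section, body), ...])."""
    procs, entries = [], []
    for line in (l.strip() for l in text.splitlines()):
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
        elif PROCESS_RE.match(line):
            procs.append(line)
    return procs, entries


def triage(text):
    """Return (severity, reason, evidence) tuples; severity is 'review' or 'info'."""
    procs, entries = parse_hjt(text)
    findings = []
    # The poster's own symptom: the same image present many times in the process list.
    for name, n in Counter(p.rsplit("\\", 1)[-1].lower() for p in procs).items():
        if n >= 3:
            findings.append(("review", f"{n} running instances of {name}", name))
    for section, body in entries:
        if section == "F2" and "userinit" in body.lower():
            # Userinit is a comma list; every program after userinit.exe runs at each logon.
            chain = body.split("=", 1)[1].split(",")
            extras = [p.strip() for p in chain
                      if p.strip() and not p.strip().lower().endswith("userinit.exe")]
            if extras:
                findings.append(("review", "extra program in the Userinit chain: " + ", ".join(extras), body))
        elif section == "O4" and any(h in body for h in SERVICE_ACCOUNT_HIVES):
            findings.append(("info", "Run entry under a service-account or default hive", body))
        elif section == "O23":
            if "(file missing)" in body:
                # "C:\Program.exe (file missing)" is how HijackThis renders an unquoted
                # ImagePath cut at its first space; confirm the real path in the registry.
                findings.append(("review", "service binary not found at the displayed path", body))
            if "Unknown owner" in body:
                findings.append(("review", "service without a vendor string", body))
        elif section == "O17":
            findings.append(("info", "TCP/IP domain or name-server setting", body))
    return findings


if __name__ == "__main__":
    for severity, reason, evidence in triage(SAMPLE_LOG):
        print(f"[{severity}] {reason}\n    {evidence}")
```

The output is a worklist, not a verdict: every "review" line still has to be resolved against the registry and the file system, which is exactly what the ComboFix run later in the thread does for the two "file missing" services.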
#2  21 Sep 2008, 15:30  Moderator

Download Malwarebytes' Anti-Malware (MBAM)
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be asked to Reboot. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

#3  21 Sep 2008, 18:18  New member

No malware found, here is the report
-------------------------------------------------------
Windows 5.1.2600 Service Pack 2
9/21/2008 6:16:07 PM
mbam-log-2008-09-21 (18-16-07).txt
Scan type: Quick Scan
Objects scanned: 52621
Time elapsed: 4 minute(s), 41 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
#4  21 Sep 2008, 18:40  Moderator

There is no malware showing in either log.

What is happening?

#5  21 Sep 2008, 19:23  New member

Multiple IEXPLORER.EXE processes are spawning in the process list. They reappear immediately if I kill them one by one. Sometimes I also hear sounds as if one of them is running a browser window, but nothing is visible. There is definitely something wrong, as they are not supposed to be there.
#6  21 Sep 2008, 19:26  Moderator

Download ComboFix from sUBs from one of the links below. Make sure you save it to your Desktop.

Link #1
Link #2

**Note: It is important that it is saved directly to your Desktop.

Close any open browsers (Firefox, Internet Explorer, etc.) before starting ComboFix.

Temporarily disable your antivirus, as well as any antispyware real-time protection, before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

Double-click combofix.exe and follow the prompts.
When finished, ComboFix will produce a log for you.
Post the ComboFix log and a new HijackThis log in your next reply.

Important: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

#7  21 Sep 2008, 19:42  New member

ComboFix log
-----------------------
ComboFix 08-09-20.05 - 012466 2008-09-21 19:31:50.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.473 [GMT -7:00]
Running from: C:\Keanetools\ComboFix.exe
* Created a new restore point
WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED!!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\LocalService\Cookies\system@ad.yieldmanager[1].txt
C:\Windows\system32\x64
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_BHSRV
-------\Service_BHsrv

((((((((((((((((((((((((( Files Created from 2008-08-22 to 2008-09-22 )))))))))))))))))))))))))
.
2008-09-21 18:09 . 2008-09-21 18:10  <DIR>  d--------  C:\Program Files\Malwarebytes' Anti-Malware
2008-09-21 18:09 . 2008-09-21 18:09  <DIR>  d--------  C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-21 18:09 . 2008-09-21 18:09  <DIR>  d--------  C:\Documents and Settings\012466\Application Data\Malwarebytes
2008-09-21 18:09 . 2008-09-10 00:04  38,528  -a------  C:\Windows\system32\drivers\mbamswissarmy.sys
2008-09-21 18:09 . 2008-09-10 00:03  17,200  -a------  C:\Windows\system32\drivers\mbam.sys
2008-09-21 11:07 . 2008-09-21 11:07  <DIR>  d--------  C:\Program Files\Lavasoft
2008-09-21 11:07 . 2008-09-21 11:08  <DIR>  d--------  C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-09-21 11:06 . 2008-09-21 11:06  <DIR>  d--------  C:\Program Files\Common Files\Wise Installation Wizard
2008-09-20 23:40 . 2008-09-20 23:40  <DIR>  d--------  C:\Program Files\Trend Micro
2008-09-19 09:03 . 2008-09-19 09:08  <DIR>  d--------  C:\WINDOWS\SxsCaPendDel
2008-09-19 00:49 . 2008-09-19 00:52  <DIR>  d--------  C:\Documents and Settings\012466\.housecall6.6
2008-09-19 00:27 . 2008-09-19 09:04  <DIR>  da------  C:\Documents and Settings\All Users\Application Data\TEMP
2008-09-18 20:25 . 2002-02-04 06:22  1,230,336  -a------  C:\Windows\system32\msxml4.dll
2008-09-18 20:25 . 2007-09-14 05:01  922,920  ---------  C:\Windows\system32\ahlprun.exe
2008-09-18 20:25 . 2002-02-04 06:13  82,432  -a------  C:\Windows\system32\msxml4r.dll
2008-09-18 20:25 . 2002-02-04 06:13  44,544  -a------  C:\Windows\system32\msxml4a.dll
2008-09-18 20:25 . 2002-02-07 18:43  9,679  -a------  C:\Windows\system32\msxml4r.cat
2008-09-18 20:25 . 2002-02-07 18:43  9,675  -a------  C:\Windows\system32\msxml4.cat
2008-09-18 20:25 . 2002-02-06 20:31  3,489  -a------  C:\Windows\system32\msxml4.Manifest
2008-09-18 20:25 . 2002-02-06 20:31  500  -a------  C:\Windows\system32\msxml4r.Manifest
2008-09-18 20:21 . 2008-09-18 20:21  <DIR>  d--------  C:\Program Files\Common Files\Lenovo
2008-09-18 18:27 . 2008-09-21 11:54  21,272  -a------  C:\Windows\system32\bynpea.key
2008-09-18 18:25 . 2008-09-18 18:25  1  -a------  C:\Windows\system32\004fdb9.imi
2008-09-15 14:23 . 2008-09-15 14:23  332,800  ---hs----  C:\Windows\system32\_Bhsrv.msi
2008-09-15 12:15 . 2008-09-18 15:57  69,942  -a------  C:\Windows\system32\rrjack.key
2008-09-15 12:15 . 2008-09-15 12:15  1  -a------  C:\Windows\system32\0048444.imi
2008-09-13 19:27 . 2008-09-13 19:27  24  -a------  C:\WINDOWS\cdplayer.ini
2008-09-13 19:26 . 2008-09-13 19:26  <DIR>  d--------  C:\Program Files\Real
2008-09-13 19:26 . 2008-09-13 19:26  <DIR>  d--------  C:\Program Files\Common Files\xing shared
2008-09-13 19:26 . 2008-09-13 19:26  <DIR>  d--------  C:\Program Files\Common Files\Real
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))
.
2008-09-22 02:33  ---------  d-----w  C:\Program Files\Symantec AntiVirus
2008-09-22 02:33  ---------  d-----w  C:\Program Files\Cisco VPN client
2008-09-21 18:56  16  --sh--r  C:\MSCIOTL.SYS
2008-09-21 18:55  8,416  ----a-w  C:\Windows\system32\drivers\CDProbe.SYS
2008-09-20 19:26  430,816  --sh--w  C:\Program Files\_MsInfo.msi
2008-09-19 03:25  ---------  d--h--w  C:\Program Files\InstallShield Installation Information
2008-09-19 03:25  ---------  d-----w  C:\Program Files\ThinkVantage
2008-09-19 03:21  ---------  d-----w  C:\Program Files\Lenovo
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ctfmon.exe"="C:\Windows\system32\Ctfmon.exe" [2004-08-04 15360]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\Windows\system32\igfxtray.exe" [2007-08-15 141848]
"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [2007-08-15 162328]
"Persistence"="C:\Windows\system32\igfxpers.exe" [2007-08-15 137752]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-03-24 53408]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-06-14 124656]
"TPHOTKEY"="C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe" [2007-03-09 66176]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-18 110592]
"dla"="C:\Windows\system32\dla\tfswctrl.exe" [2005-05-19 127037]
"EZEJMNAP"="C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2007-04-26 243248]
"LPManager"="C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe" [2007-03-22 120368]
"TVT Scheduler Proxy"="C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-03-04 487424]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-09-13 185896]
"TrackPointSrv"="tp4mon.exe" [2004-08-03 C:\Windows\system32\tp4mon.exe]
"NWTRAY"="NWTRAY.EXE" [2002-03-12 C:\Windows\system32\nwtray.exe]
"TpShocks"="TpShocks.exe" [2007-03-29 C:\Windows\system32\TpShocks.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Communicator"="C:\Program Files\Microsoft Office Communicator\Communicator.exe" [2005-05-12 4167376]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"CompatibleRUPSecurity"= 1 (0x1)
[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"StartMenuLogOff"= 1 (0x1)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\tpfnf2]
2006-09-06 13:37 34344 C:\Program Files\Lenovo\HOTKEY\notifyf2.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\tphotkey]
2006-12-14 08:06 28672 C:\Program Files\Lenovo\HOTKEY\tphklock.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
Authentication Packages  REG_MULTI_SZ  msv1_0 nwv1_0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\Services\sharedaccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
R0 Shockprf;Shockprf;C:\WINDOWS\system32\drivers\ApsX86.sys [2007-03-02 100656]
R0 TPDIGIMN;TPDIGIMN;C:\WINDOWS\system32\drivers\ApsHM86.sys [2007-03-02 19760]
R2 smefs;SMEFileSystem;C:\Windows\system32\drivers\mpefs.sys [2006-02-08 20508]
R3 CdProbe;CdProbe;C:\WINDOWS\system32\drivers\cdprobe.sys [2008-09-21 8416]
R3 smedrv;SMEDriver;C:\Windows\system32\drivers\smedrv.sys [2006-02-08 9516]
S2 AppMgSvc;Application Management Service;C:\Program Files\Common Files\Microsoft Shared\MSINFO\MsInfo.msi [2008-09-20 430816]
S2 yraebbgi;yraebbgi;C:\Windows\system32\drivers\bynpea.sys []
S2 yrtxzgwh;yrtxzgwh;C:\Windows\system32\drivers\rrjack.sys []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost]
wrtxzg REG_MULTI_SZ wrtxzg
nraebb REG_MULTI_SZ nraebb
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.com/
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-21 19:35:12
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AppMgSvc]
"ImagePath"="C:\Program Files\Common Files\Microsoft Shared\MSINFO\MsInfo.msi"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
Process: C:\Windows\system32\winlogon.exe
-> C:\Program Files\Lenovo\HOTKEY\tphklock.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Windows\system32\ibmpmsvc.exe
C:\Program Files\Intel\Wireless\bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\_integra\bin\shstart.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\ZOOM\TpScrex.exe
C:\Program Files\Symantec AntiVirus\DoScan.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\CENTENN.IAL\AUDIT\CAgent32.exe
C:\CENTENN.IAL\AUDIT\xferwan.exe
C:\Program Files\Cisco VPN client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Intel\Wireless\bin\EvtEng.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wireless\bin\RegSrvc.exe
C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
C:\Windows\system32\calc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\Windows\system32\TPHDEXLG.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\_integra\bin\ccmagent.exe
C:\Program Files\Lenovo\System Update\SUService.exe
C:\Windows\system32\wscntfy.exe
C:\ComboFix\pv.cfexe
.
**************************************************************************
.
Completion time: 2008-09-21 19:36:58 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-22 02:36:54
Pre-Run: 64333811712 bytes free
Post-Run: 64523264000 bytes free
175

HijackThis log
-----------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:38:41, on 9/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\Windows\system32\smss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\ibmpmsvc.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Intel\Wireless\bin\S24EvMon.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Windows\system32\Spoolsv.exe
C:\_integra\bin\shstart.exe
C:\Windows\system32\tp4mon.exe
C:\Windows\system32\igfxtray.exe
C:\Windows\system32\hkcmd.exe
C:\Windows\system32\igfxpers.exe
C:\Windows\system32\NWTRAY.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\Windows\system32\dla\tfswctrl.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\ZOOM\TpScrex.exe
C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
C:\Windows\system32\TpShocks.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Windows\system32\Ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Windows\system32\svchost.exe
C:\Centenn.ial\audit\CAgent32.exe
C:\Centenn.ial\audit\xferwan.exe
C:\Program Files\Cisco VPN client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Intel\Wireless\bin\EvtEng.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wireless\bin\RegSrvc.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Windows\system32\calc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\Windows\system32\TPHDEXLG.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\_integra\bin\ccmagent.exe
C:\Program Files\Lenovo\System Update\suservice.exe
C:\Windows\system32\wscntfy.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\wuauclt.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\Windows\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\Windows\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Ctfmon.exe] C:\Windows\system32\Ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-19\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11D2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11D2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B8E7B489-2160-4DE7-B592-9FD03D16CC74}: Domain = keane.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{D239A412-22C2-4683-95BC-1FFAA687D0DF}: NameServer = 172.21.18.101,172.21.18.102
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Application Management Service (AppMgSvc) - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CentennialClientAgent - Centennial Software Limited - C:\Centenn.ial\audit\CAgent32.exe
O23 - Service: CentennialIPTransferAgent - Centennial Software Limited - C:\Centenn.ial\audit\xferwan.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\Windows\system32\cusrvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco VPN client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\bin\EvtEng.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\Windows\system32\ibmpmsvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - Symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - C:\Program Files\Lenovo\System Update\suservice.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C: \ Program Files \ Symantec AntiVirus \ Rtvscan.exe
O23 - Service: ThinkVantage registri Monitorul Service - Lenovo Group Limited - C: \ Program Files \ Common Files \ Lenovo \ tvt_reg_monitor_svc.exe
O23 - Service: ThinkPad HDD SPA Jurnalizarea Service (TPHDEXLGSVC) - Lenovo. - C: \ Windows \ system32 \ TPHDEXLG.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C: \ Program Files \ Common Files \ Lenovo \ Scheduler \ tvtsched.exe
O23 - Service: Symantec LiveState Agent pentru Windows (WControl) - Symantec Corporation - C: \ _integra \ bin \ ccmagent.exe
--
Sfârşit de fişier - 8581 bytes
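The O23 block above is where the odd entry sits: a service with "Unknown owner", a reported image of "C:\Program.exe (file missing)", and a display name that imitates a Windows built-in. The script below is an added example for this editing pass, not part of the original thread and not a HijackThis feature: it parses O23 lines and applies a few triage heuristics. The table of built-in service names and the "bare C:\Word.exe means an unquoted ImagePath with spaces" rule are my own assumptions, kept deliberately small; the sample lines are copied from the log above.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: four O23 lines copied from the HijackThis log above.
SAMPLE_LOG = """\
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\\Program Files\\Lavasoft\\Ad-Aware\\aawservice.exe
O23 - Service: Application Management Service (AppMgSvc) - Unknown owner - C:\\Program.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\\Program Files\\Common Files\\Symantec Shared\\ccEvtMgr.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\\PROGRA~1\\Symantec\\LIVEUP~1\\LUCOMS~1.EXE
"""

# O23 - Service: <display> (<short>) - <owner> - <path> [(file missing)]
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<short>[^()]+)\))?"
    r" - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)

# Display names of a few Windows XP built-in services and their real short
# names. Illustrative table (my assumption, not exhaustive), used to spot
# look-alikes such as "Application Management Service (AppMgSvc)".
BUILTIN_SERVICES = {
    "Application Management": "AppMgmt",
    "Windows Management Instrumentation": "winmgmt",
    "Remote Procedure Call (RPC)": "RpcSs",
}

# "C:\Program.exe" or "C:\Common.exe" is what you see when an ImagePath with
# spaces is stored unquoted: the first token is treated as the binary name.
UNQUOTED_PATH_RE = re.compile(r"^[A-Za-z]:\\[A-Za-z]+\.exe$", re.IGNORECASE)


@dataclass
class Service:
    display: str
    short: Optional[str]
    owner: str
    path: str
    missing: bool

    @property
    def name(self) -> str:
        return self.short or self.display


def parse_o23(line: str) -> Optional[Service]:
    """Parse one HijackThis O23 line; return None for any other line."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    return Service(
        display=m["display"],
        short=m["short"],
        owner=m["owner"],
        path=m["path"],
        missing=m["missing"] is not None,
    )


def flags_for(svc: Service) -> list[str]:
    """Heuristic indicators that a service entry deserves a closer look."""
    flags: list[str] = []
    if svc.missing:
        flags.append("image file reported missing")
    if svc.owner.lower() == "unknown owner":
        flags.append("no publisher recorded")
    if UNQUOTED_PATH_RE.match(svc.path):
        flags.append(
            "path is a bare 'C:\\Word.exe': the ImagePath is probably an "
            "unquoted path with spaces; read the real value from the registry"
        )
    for builtin, real_short in BUILTIN_SERVICES.items():
        if svc.display.startswith(builtin) and svc.short and svc.short != real_short:
            flags.append(
                f"display name mimics built-in '{builtin}' (real short name {real_short})"
            )
    return flags


def triage(log_text: str) -> dict[str, list[str]]:
    """Return {service name: [flags]} for every O23 line that raised a flag."""
    results: dict[str, list[str]] = {}
    for line in log_text.splitlines():
        svc = parse_o23(line)
        if svc is None:
            continue
        flags = flags_for(svc)
        if flags:
            results[svc.name] = flags
    return results


if __name__ == "__main__":
    for name, flags in triage(SAMPLE_LOG).items():
        print(name)
        for flag in flags:
            print("  -", flag)
```

Run against the sample, only AppMgSvc is reported, with all four flags; the Symantec, Lavasoft and LiveUpdate entries pass. The "unquoted path" flag is the useful one here: it tells you the file HijackThis reports is not the file the service actually runs, so the next step is to read the service's ImagePath value directly rather than trusting the O23 line.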
#8
21 Sep 2008, 21:24
Moderator Group

Note: The instructions below have been created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

Delete these files/folders as follows:

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the code box below by highlighting all the text and pressing Ctrl+C

Code:
KillAll::
Driver::
BHSRV
BHsrv
File::
C:\Windows\system32\bynpea.key
C:\Windows\system32\004fdb9.imi
C:\Windows\system32\_Bhsrv.msi
C:\Windows\system32\rrjack.key
C:\Windows\system32\0048444.imi
C:\Windows\system32\drivers\bynpea.sys
C:\Windows\system32\drivers\rrjack.sys
C:\Windows\system32\calc.exe

3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) onto ComboFix.exe, as you can see in the picture below. Important: Perform this instruction carefully!

ComboFix will begin to run; follow the prompts.
After the system restarts (if it asks you to restart), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to freeze.
#9
21 Sep 2008, 22:20
New member group

ComboFix log after CFScript was launched
----------------------------------------------------------
ComboFix 08-09-20.05 - 012466 2008-09-21 22:11:45.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.598 [GMT -7:00]
Running from: C:\Keanetools\ComboFix.exe
Command switches used :: C:\Documents and Settings\012466\Desktop\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED!!
FILE ::
C:\Windows\system32\_Bhsrv.msi
C:\Windows\system32\0048444.imi
C:\Windows\system32\004fdb9.imi
C:\Windows\system32\bynpea.key
C:\Windows\system32\calc.exe
C:\Windows\system32\drivers\bynpea.sys
C:\Windows\system32\drivers\rrjack.sys
C:\Windows\system32\rrjack.key
.
((((((((((((((((((((((((((((((((((((((((   Other Deletions   ))))))))))))))))))))))))))))))))))))))))
.
C:\Windows\system32\_Bhsrv.msi
C:\Windows\system32\0048444.imi
C:\Windows\system32\004fdb9.imi
C:\Windows\system32\bynpea.key
C:\Windows\system32\calc.exe
C:\Windows\system32\rrjack.key
.
(((((((((((((((((((((((((   Files Created from 2008-08-22 to 2008-09-22   )))))))))))))))))))))))))))))))
.
2008-09-21 18:09 . 2008-09-21 18:10   <DIR>   d--------   C:\Program Files\Malwarebytes' Anti-Malware
2008-09-21 18:09 . 2008-09-21 18:09   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-21 18:09 . 2008-09-21 18:09   <DIR>   d--------   C:\Documents and Settings\012466\Application Data\Malwarebytes
2008-09-21 18:09 . 2008-09-10 00:04   38,528   --a------   C:\Windows\system32\drivers\mbamswissarmy.sys
2008-09-21 18:09 . 2008-09-10 00:03   17,200   --a------   C:\Windows\system32\drivers\mbam.sys
2008-09-21 11:07 . 2008-09-21 11:07   <DIR>   d--------   C:\Program Files\Lavasoft
2008-09-21 11:07 . 2008-09-21 11:08   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-09-21 11:06 . 2008-09-21 11:06   <DIR>   d--------   C:\Program Files\Common Files\Wise Installation Wizard
2008-09-20 23:40 . 2008-09-20 23:40   <DIR>   d--------   C:\Program Files\Trend Micro
2008-09-19 09:03 . 2008-09-19 09:08   <DIR>   d--------   C:\WINDOWS\SxsCaPendDel
2008-09-19 00:49 . 2008-09-19 00:52   <DIR>   d--------   C:\Documents and Settings\012466\.housecall6.6
2008-09-19 00:27 . 2008-09-19 09:04   <DIR>   d-a------   C:\Documents and Settings\All Users\Application Data\TEMP
2008-09-18 20:25 . 2002-02-04 06:22   1,230,336   --a------   C:\Windows\system32\msxml4.dll
2008-09-18 20:25 . 2007-09-14 05:01   922,920   ---------   C:\Windows\system32\ahlprun.exe
2008-09-18 20:25 . 2002-02-04 06:13   82,432   --a------   C:\Windows\system32\msxml4r.dll
2008-09-18 20:25 . 2002-02-04 06:13   44,544   --a------   C:\Windows\system32\msxml4a.dll
2008-09-18 20:25 . 2002-02-07 18:43   9,679   --a------   C:\Windows\system32\msxml4r.cat
2008-09-18 20:25 . 2002-02-07 18:43   9,675   --a------   C:\Windows\system32\msxml4.cat
2008-09-18 20:25 . 2002-02-06 20:31   3,489   --a------   C:\Windows\system32\msxml4.Manifest
2008-09-18 20:25 . 2002-02-06 20:31   500   --a------   C:\Windows\system32\msxml4r.Manifest
2008-09-18 20:21 . 2008-09-18 20:21   <DIR>   d--------   C:\Program Files\Common Files\Lenovo
2008-09-13 19:27 . 2008-09-13 19:27   24   --a------   C:\WINDOWS\cdplayer.ini
2008-09-13 19:26 . 2008-09-13 19:26   <DIR>   d--------   C:\Program Files\Real
2008-09-13 19:26 . 2008-09-13 19:26   <DIR>   d--------   C:\Program Files\Common Files\xing shared
2008-09-13 19:26 . 2008-09-13 19:26   <DIR>   d--------   C:\Program Files\Common Files\Real
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-22 05:14   8,416   ----a-w   C:\Windows\system32\drivers\CDProbe.SYS
2008-09-22 05:14   16   --sh--r   C:\MSCIOTL.SYS
2008-09-22 05:14   ---------   d-----w   C:\Program Files\Symantec AntiVirus
2008-09-22 03:07   ---------   d-----w   C:\Program Files\Cisco VPN client
2008-09-20 19:26   430,816   --sh--w   C:\Program Files\_MsInfo.msi
2008-09-19 03:25   ---------   d--h--w   C:\Program Files\InstallShield Installation Information
2008-09-19 03:25   ---------   d-----w   C:\Program Files\ThinkVantage
2008-09-19 03:21   ---------   d-----w   C:\Program Files\Lenovo
.
(((((((((((((((((((((((((((((   Snapshot@2008-09-21_19.36.38.64   )))))))))))))))))))))))))))))))))))))))))
.
- 2008-09-21 18:59:45   71,370   ----a-w   C:\Windows\system32\perfc009.dat
+ 2008-09-22 02:39:43   71,370   ----a-w   C:\Windows\system32\perfc009.dat
- 2008-09-21 18:59:45   439,832   ----a-w   C:\Windows\system32\perfh009.dat
+ 2008-09-22 02:39:43   439,832   ----a-w   C:\Windows\system32\perfh009.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ctfmon.exe"="C:\Windows\system32\Ctfmon.exe" [2004-08-04 15360]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\Windows\system32\igfxtray.exe" [2007-08-15 141848]
"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [2007-08-15 162328]
"Persistence"="C:\Windows\system32\igfxpers.exe" [2007-08-15 137752]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-03-24 53408]
"vptray"="C:\PROGRA~1\symant~1\VPTray.exe" [2006-06-14 124656]
"TPHOTKEY"="C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe" [2007-03-09 66176]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-18 110592]
"dla"="C:\Windows\system32\dla\tfswctrl.exe" [2005-05-19 127037]
"EZEJMNAP"="C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2007-04-26 243248]
"LPManager"="C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe" [2007-03-22 120368]
"TVT Scheduler Proxy"="C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-03-04 487424]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-09-13 185896]
"TrackPointSrv"="tp4mon.exe" [2004-08-03 C:\Windows\system32\tp4mon.exe]
"NWTRAY"="NWTRAY.EXE" [2002-03-12 C:\Windows\system32\nwtray.exe]
"TpShocks"="TpShocks.exe" [2007-03-29 C:\Windows\system32\TpShocks.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Communicator"="C:\Program Files\Microsoft Office Communicator\Communicator.exe" [2005-05-12 4167376]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"CompatibleRUPSecurity"= 1 (0x1)

[HKEY_USERS\.default\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"StartMenuLogOff"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\tpfnf2]
2006-09-06 13:37 34344 C:\Program Files\Lenovo\HOTKEY\notifyf2.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\tphotkey]
2006-12-14 08:06 28672 C:\Program Files\Lenovo\HOTKEY\tphklock.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
Authentication Packages   REG_MULTI_SZ   msv1_0 nwv1_0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

R0 Shockprf;Shockprf;C:\WINDOWS\system32\drivers\Apsx86.sys [2007-03-02 100656]
R0 TPDIGIMN;TPDIGIMN;C:\WINDOWS\system32\drivers\ApsHM86.sys [2007-03-02 19760]
R2 smefs;SMEFileSystem;C:\Windows\system32\drivers\mpefs.sys [2006-02-08 20508]
R3 CdProbe;CdProbe;C:\WINDOWS\system32\drivers\cdprobe.sys [2008-09-21 8416]
R3 smedrv;SMEDriver;C:\Windows\system32\drivers\smedrv.sys [2006-02-08 9516]
S2 AppMgSvc;Application Management Service;C:\Program Files\Common Files\Microsoft Shared\MSINFO\MsInfo.msi [2008-09-20 430816]
S2 yraebbgi;yraebbgi;C:\Windows\system32\drivers\bynpea.sys []
S2 yrtxzgwh;yrtxzgwh;C:\Windows\system32\drivers\rrjack.sys []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost]
wrtxzg   REG_MULTI_SZ   wrtxzg
nraebb   REG_MULTI_SZ   nraebb
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-21 22:16:04
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

C:\Windows\system32\calc.exe
scan completed successfully
hidden files: 1
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AppMgSvc]
"ImagePath"="C:\Program Files\Common Files\Microsoft Shared\MSINFO\MsInfo.msi"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\Windows\system32\winlogon.exe
-> C:\Program Files\Lenovo\HOTKEY\tphklock.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Windows\system32\ibmpmsvc.exe
C:\Program Files\Intel\Wireless\bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\CENTENN.IAL\AUDIT\CAgent32.exe
C:\CENTENN.IAL\AUDIT\xferwan.exe
C:\Program Files\Cisco VPN client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Intel\Wireless\bin\EvtEng.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wireless\bin\RegSrvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\Windows\system32\TPHDEXLG.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\_integra\bin\ccmagent.exe
C:\Program Files\Lenovo\System Update\SUService.exe
C:\_integra\bin\shstart.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\ZOOM\TpScrex.exe
C:\Program Files\Symantec AntiVirus\DoScan.exe
C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
C:\ComboFix\pv.cfexe
.
**************************************************************************
.
Completion time: 2008-09-21 22:17:28 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-22 05:17:23
ComboFix2.txt 2008-09-22 02:36:59

Pre-Run: 64509464576 bytes free
Post-Run: 64505421824 bytes free

181
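The "Reg Loading Points" section of this ComboFix log is where the remaining persistence shows itself: two services whose eight-letter lowercase name doubles as their display name and whose driver file ComboFix could not read (the empty "[]"), a service whose ImagePath is an .msi rather than an executable, and two svchost groups that Windows does not ship. The script below is an added example for this editing pass, not part of the original thread or of ComboFix; it parses that excerpt and flags those four patterns. The list of known svchost groups, the accepted image extensions and the "lowercase generated-looking name" rule are my assumptions (illustrative, not exhaustive); the sample lines are copied from the log above.

```python
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass

# Constructed sample: service and svchost-group lines from the ComboFix
# "Reg Loading Points" section above, with two benign drivers for contrast.
SAMPLE_SECTION = """\
R0 Shockprf;Shockprf;C:\\WINDOWS\\system32\\drivers\\Apsx86.sys [2007-03-02 100656]
R3 CdProbe;CdProbe;C:\\WINDOWS\\system32\\drivers\\cdprobe.sys [2008-09-21 8416]
S2 AppMgSvc;Application Management Service;C:\\Program Files\\Common Files\\Microsoft Shared\\MSINFO\\MsInfo.msi [2008-09-20 430816]
S2 yraebbgi;yraebbgi;C:\\Windows\\system32\\drivers\\bynpea.sys []
S2 yrtxzgwh;yrtxzgwh;C:\\Windows\\system32\\drivers\\rrjack.sys []
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Svchost]
wrtxzg   REG_MULTI_SZ   wrtxzg
nraebb   REG_MULTI_SZ   nraebb
"""

# <start type> <name>;<display>;<path> [<file date and size, or empty>]
SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]+);(?P<path>.+?) \[(?P<info>[^\]]*)\]$"
)
GROUP_RE = re.compile(r"^(?P<group>\S+)\s+REG_MULTI_SZ\s+(?P<members>.+)$")
SVCHOST_KEY_RE = re.compile(r"^\[.*\\svchost\]$", re.IGNORECASE)

# Extensions a service ImagePath normally points at (assumption).
SERVICE_EXTENSIONS = {".exe", ".sys", ".dll"}
# svchost groups shipped with Windows XP (illustrative, not exhaustive).
KNOWN_SVCHOST_GROUPS = {
    "netsvcs", "localservice", "networkservice", "rpcss",
    "dcomlaunch", "imgsvc", "termsvcs", "httpfilter",
}
# Short, all-lowercase names with no descriptive display name look generated.
GENERATED_NAME_RE = re.compile(r"^[a-z]{6,10}$")


@dataclass
class ServiceEntry:
    state: str
    name: str
    display: str
    path: str
    info: str  # text inside the trailing [...]; empty when the file could not be read


def parse_section(text: str) -> tuple[list[ServiceEntry], dict[str, list[str]]]:
    """Split a 'Reg Loading Points' excerpt into service entries and svchost groups."""
    services: list[ServiceEntry] = []
    groups: dict[str, list[str]] = {}
    in_svchost = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_svchost = bool(SVCHOST_KEY_RE.match(line))
            continue
        if m := SERVICE_RE.match(line):
            services.append(ServiceEntry(m["state"], m["name"], m["display"], m["path"], m["info"]))
        elif in_svchost and (m := GROUP_RE.match(line)):
            groups[m["group"]] = m["members"].split()
    return services, groups


def service_flags(svc: ServiceEntry) -> list[str]:
    flags: list[str] = []
    if svc.info == "":
        flags.append("file details unreadable (absent, hidden or locked)")
    ext = ntpath.splitext(svc.path)[1].lower()
    if ext not in SERVICE_EXTENSIONS:
        flags.append(f"image is a '{ext}' file, not a service binary")
    if svc.name == svc.display and GENERATED_NAME_RE.match(svc.name):
        flags.append("lowercase generated-looking name used as its own display name")
    return flags


def group_flags(group: str, members: list[str]) -> list[str]:
    flags: list[str] = []
    if group.lower() not in KNOWN_SVCHOST_GROUPS:
        flags.append("svchost group not shipped with Windows")
        if members == [group]:
            flags.append("group's only member is itself (single-service host group)")
    return flags


def triage(text: str) -> dict[str, list[str]]:
    """Return {entry: [flags]} for every service or svchost group that raised a flag."""
    services, groups = parse_section(text)
    findings: dict[str, list[str]] = {}
    for svc in services:
        if flags := service_flags(svc):
            findings[svc.name] = flags
    for group, members in groups.items():
        if flags := group_flags(group, members):
            findings["svchost:" + group] = flags
    return findings


if __name__ == "__main__":
    for entry, flags in triage(SAMPLE_SECTION).items():
        print(entry, "->", "; ".join(flags))
```

The two Lenovo drivers pass; AppMgSvc, yraebbgi, yrtxzgwh and both svchost groups are reported. The svchost check matters because a service registered under its own private group gets its own svchost.exe process, which is exactly what a single-service rootkit loader wants; the empty "[]" is only a hint on its own (a driver being deleted by the script would also show it), so the flags are meant to be read together, not individually.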
#10
21 Sep 2008, 22:26
Moderator Group

Download OTMoveIt2 by OldTimer and save it to your Desktop.

Note: If you are running on Vista, right-click OTMoveIt2.exe and choose Run as administrator.

1. Double-click OTMoveIt2.exe to run it.
2. Copy the lines in the codebox below.

Code:
[kill explorer]
C:\Windows\system32\calc.exe
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AppMgSvc
[EmptyTemp]
[start explorer]

3. Return to OTMoveIt2, right-click in the "Paste List of Files/Folders to Move" window (under the yellow bar) and choose Paste.
4. Click the red Moveit! button.
5. Copy everything in the Results window (under the green bar) and paste it in your next reply.
6. Close OTMoveIt2.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If asked to reboot, choose Yes. If not, reboot anyway.