IEXPLORER.EXE virus pls översyn Hijack log

nitingaur · #1 21 Sep 2008, 12:02

Loggfil av Trend Micro HijackThis v2.0.2
Scan sparades vid 12:01:37 den 9/21/2008
Plattform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Kör processer:
C: \ WINDOWS \ System32 \ Smss.exe
C: \ WINDOWS \ system32 \ csrss.exe
C: \ WINDOWS \ system32 \ Winlogon.exe
C: \ WINDOWS \ system32 \ services.exe
C: \ WINDOWS \ system32 \ Lsass.exe
C: \ WINDOWS \ system32 \ ibmpmsvc.exe
C: \ WINDOWS \ system32 \ Svchost.exe
C: \ WINDOWS \ system32 \ Svchost.exe
C: \ Program Files \ Intel \ Wireless \ Bin \ S24EvMon.exe
C: \ WINDOWS \ system32 \ Svchost.exe
C: \ WINDOWS \ system32 \ Svchost.exe
C: \ WINDOWS \ system32 \ Svchost.exe
C: \ Program Files \ Common Files \ Symantec Shared \ ccSetMgr.exe
C: \ Program Files \ Common Files \ Symantec Shared \ ccEvtMgr.exe
C: \ Program Files \ Common Files \ Symantec Shared \ SPBBC \ SPBBCSvc.exe
C: \ Program Files \ Lavasoft \ Ad-Aware \ aawservice.exe
C: \ WINDOWS \ system32 \ Spoolsv.exe
C: \ WINDOWS \ system32 \ Svchost.exe
C: \ Centenn.ial \ kontrollkommittén \ CAgent32.exe
C: \ Centenn.ial \ kontrollkommittén \ xferwan.exe
C: \ Program Files \ Cisco VPN Client \ cvpnd.exe
C: \ Program Files \ Symantec AntiVirus \ DefWatch.exe
C: \ Program Files \ Intel \ Wireless \ Bin \ EvtEng.exe
C: \ Program \ Delade filer \ Microsoft Shared \ VS7DEBUG \ MDM.EXE
C: \ Program Files \ Intel \ Wireless \ Bin \ RegSrvc.exe
C: \ Program Files \ Symantec AntiVirus \ SavRoam.exe
C: \ Program Files \ Symantec AntiVirus \ Rtvscan.exe
C: \ Program Files \ Common Files \ Lenovo \ tvt_reg_monitor_svc.exe
C: \ WINDOWS \ System32 \ TPHDEXLG.exe
C: \ Program Files \ Common Files \ Lenovo \ Scheduler \ tvtsched.exe
c: \ _integra \ bin \ ccmagent.exe
C: \ Program Files \ Lenovo \ system update \ suservice.exe
C: \ WINDOWS \ System32 \ alg.exe
C: \ WINDOWS \ system32 \ calc.exe
C: \ WINDOWS \ system32 \ calc.exe
c: \ _integra \ bin \ shstart.exe
C: \ WINDOWS \ Explorer.EXE
C: \ WINDOWS \ system32 \ tp4mon.exe
C: \ WINDOWS \ system32 \ igfxtray.exe
C: \ WINDOWS \ system32 \ hkcmd.exe
C: \ WINDOWS \ system32 \ igfxpers.exe
C: \ WINDOWS \ system32 \ NWTRAY.EXE
C: \ Program Files \ Common Files \ Symantec Shared \ ccApp.exe
C: \ progra ~ 1 \ SYMANT ~ 1 \ VPTray.exe
C: \ Program Files \ Lenovo \ snabbtangent \ TPOSDSVC.exe
C: \ WINDOWS \ system32 \ igfxsrvc.exe
C: \ WINDOWS \ system32 \ dla \ tfswctrl.exe
C: \ progra ~ 1 \ ThinkPad \ UTILIT ~ 1 \ EzEjMnAp.Exe
C: \ progra ~ 1 \ THINKV ~ 1 \ PrdCtr \ LPMGR.exe
C: \ WINDOWS \ system32 \ TpShocks.exe
C: \ Program Files \ Lenovo \ snabbtangent \ TPONSCR.exe
C: \ Program Files \ Common Files \ Lenovo \ Scheduler \ scheduler_proxy.exe
C: \ Program Files \ Lenovo \ zoom \ TpScrex.exe
C: \ Program Files \ Common Files \ Real \ Update_OB \ realsched.exe
C: \ WINDOWS \ system32 \ Ctfmon.exe
C: \ Program \ Yahoo! \ Messenger \ ymsgr_tray.exe
C: \ WINDOWS \ system32 \ taskmgr.exe
C: \ Program \ Internet Explorer \ IEXPLORE.EXE
C: \ Program \ Internet Explorer \ IEXPLORE.EXE
C: \ Program Files \ Internet Explorer \ IEXPLORE.EXE
C: \ WINDOWS \ system32 \ wuauclt.exe
C: \ WINDOWS \ system32 \ wbem \ wmiprvse.exe
C: \ Program Files \ Trend Micro \ HijackThis \ HijackThis.exe
C: \ WINDOWS \ system32 \ wbem \ wmiprvse.exe
F2 - REG: system.ini: UserInit = c: \ windows \ system32 \ userinit.exe C: \ _inte gra \ bin \ shstart.exe
O2 - BHO: AcroIEHlprObj Class - (06849E9F-C8D7-4D59-B87D-784B7D6BE0B3) - C: \ Program Files \ Adobe \ Acrobat 7.0 \ ActiveX \ AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - (5CA3D70E-1895-11CF-8E15-001234567890) - C: \ WINDOWS \ system32 \ dla \ tfswshx.dll
O4 - HKLM \ .. \ Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM \ .. \ Run: [IgfxTray] C: \ WINDOWS \ system32 \ igfxtray.exe
O4 - HKLM \ .. \ Run: [HotKeysCmds] C: \ WINDOWS \ system32 \ hkcmd.exe
O4 - HKLM \ .. \ Run: [Persistence] C: \ WINDOWS \ system32 \ igfxpers.exe
O4 - HKLM \ .. \ Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM \ .. \ Run: [ccApp] "C: \ Program Files \ Common Files \ Symantec Shared \ ccApp.exe"
O4 - HKLM \ .. \ Run: [vptray] C: \ progra ~ 1 \ SYMANT ~ 1 \ VPTray.exe
O4 - HKLM \ .. \ Run: [TPHOTKEY] C: \ Program \ Lenovo \ snabbtangent \ TPOSDSVC.exe
O4 - HKLM \ .. \ Run: [UpdateManager] "C: \ Program Files \ Common Files \ Sonic \ Update Manager \ sgtray.exe" / r
O4 - HKLM \ .. \ Run: [dla] C: \ WINDOWS \ system32 \ dla \ tfswctrl.exe
O4 - HKLM \ .. \ Run: [EZEJMNAP] C: \ progra ~ 1 \ ThinkPad \ UTILIT ~ 1 \ EzEjMnAp.Exe
O4 - HKLM \ .. \ Run: [LPManager] C: \ progra ~ 1 \ THINKV ~ 1 \ PrdCtr \ LPMGR.exe
O4 - HKLM \ .. \ Run: [TpShocks] TpShocks.exe
O4 - HKLM \ .. \ Run: [TVT Scheduler Proxy] C: \ Program Files \ Common Files \ Lenovo \ Scheduler \ scheduler_proxy.exe
O4 - HKLM \ .. \ Run: [TkBellExe] "C: \ Program Files \ Common Files \ Real \ Update_OB \ realsched.exe"-osboot
O4 - HKCU \ .. \ Run: [Ctfmon.exe] C: \ WINDOWS \ system32 \ Ctfmon.exe
O4 - HKCU \ .. \ Run: [Yahoo! Pager] "C: \ Program \ Yahoo! \ Messenger \ YahooMessenger.exe" tyst
O4 - HKUS \ S-1-5-19 \ .. \ Run: [Communicator] "C: \ Program \ Microsoft Office Communicator \ Communicator.exe" (User 'LOCAL SERVICE')
O4 - HKUS \ S-1-5-20 \ .. \ Run: [Communicator] "C: \ Program \ Microsoft Office Communicator \ Communicator.exe" (User 'NETWORK SERVICE')
O4 - HKUS \ S-1-5-18 \ .. \ Run: [Communicator] "C: \ Program \ Microsoft Office Communicator \ Communicator.exe" (User 'SYSTEM')
O4 - HKUS \. DEFAULT \ .. \ Run: [Communicator] "C: \ Program \ Microsoft Office Communicator \ Communicator.exe" (User 'Default user')
O8 - Extra sammanhang menyobjektet: E & xportera till Microsoft Excel - res: / / C: \ progra ~ 1 \ mikro ~ 2 \ Office11 \ EXCEL.EXE/3000
Ø9 - Extra button: Research - (92780B25-18CC-41C8-B9BE-3C9C571A8263) - C: \ progra ~ 1 \ mikro ~ 2 \ Office11 \ REFIEBAR.DLL
Ø9 - Extra button: @ C: \ Program Files \ Messenger \ Msgslang.dll, -61144 - (FB5F1910-F110-11d2-BB9E-00C04F795683) - C: \ Program Files \ Messenger \ msmsgs.exe
Ø9 - Extra 'Tools' MENUITEM: @ C: \ Program Files \ Messenger \ Msgslang.dll, -61144 - (FB5F1910-F110-11d2-BB9E-00C04F795683) - C: \ Program Files \ Messenger \ msmsgs.exe
O16 - DPF: (215B8138-A3CF-44C5-803F-8226143CFC0A) (Trend Micro ActiveX Scan Agent 6.6) -- http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O17 - HKLM \ System \ CCS \ Services \ Tcpip \ .. \ (B8E7B489-2160-4DE7-B592-9FD03D16CC74): Domain = keane.com
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C: \ Program Files \ Lavasoft \ Ad-Aware \ aawservice.exe
O23 - Service: Application Management Service (AppMgSvc) - Unknown ägaren - C: \ Program.exe (fil saknas)
O23 - Service: BHCP Service (BHsrv) - Unknown ägaren - C: \ Program.exe (fil saknas)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C: \ Program Files \ Common Files \ Symantec Shared \ ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C: \ Program Files \ Common Files \ Symantec Shared \ ccSetMgr.exe
O23 - Service: CentennialClientAgent - Centennial Software Limited - C: \ Centenn.ial \ kontrollkommittén \ CAgent32.exe
O23 - Service: CentennialIPTransferAgent - Centennial Software Limited - C: \ Centenn.ial \ kontrollkommittén \ xferwan.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C: \ WINDOWS \ system32 \ cusrvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C: \ Program Files \ Cisco VPN Client \ cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C: \ Program Files \ Symantec AntiVirus \ DefWatch.exe
O23 - Service: Intel (R) PROSet / Wireless Event Log (EvtEng) - Intel Corporation - C: \ Program Files \ Intel \ Wireless \ Bin \ EvtEng.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C: \ WINDOWS \ system32 \ ibmpmsvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C: \ progra ~ 1 \ Symantec \ LIVEUP ~ 1 \ LUCOMS ~ 1.EXE
O23 - Service: Intel (R) PROSet / Wireless Registry Service (RegSrvc) - Intel Corporation - C: \ Program Files \ Intel \ Wireless \ Bin \ RegSrvc.exe
O23 - Service: Intel (R) PROSet / Wireless Service (S24EventMonitor) - Intel Corporation - C: \ Program Files \ Intel \ Wireless \ Bin \ S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C: \ Program \ Symantec AntiVirus \ SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C: \ Program Files \ Common Files \ Symantec Shared \ SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C: \ Program Files \ Common Files \ Symantec Shared \ SPBBC \ SPBBCSvc.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - C: \ Program Files \ Lenovo \ system update \ suservice.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C: \ Program Files \ Symantec AntiVirus \ Rtvscan.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C: \ Program Files \ Common Files \ Lenovo \ tvt_reg_monitor_svc.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C: \ WINDOWS \ System32 \ TPHDEXLG.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C: \ Program Files \ Common Files \ Lenovo \ Scheduler \ tvtsched.exe
O23 - Service: Symantec LiveState ombud för Windows (WControl) - Symantec Corporation - c: \ _integra \ bin \ ccmagent.exe
--
End of file - 8621 bytes

**evilfantasy** · #2 21 Sep 2008, 15:30

Hämta Malwarebytes' Anti-Malware (MBAM)

Dubbelklicka mbam-setup.exe och följer anvisningarna för att installera programmet.
I slutet ska du en bockmärke placeras bredvid följande:
- Update Malwarebytes' Anti-Malware
- Launch Malwarebytes' Anti-Malware
Klicka sedan på Mål.
Om en uppdatering finns, kommer det att hämta och installera den senaste versionen.
När programmet har laddats, välj Utför Quick Scan, Klicka på Scan.
När sökningen är klar klickar du på OKOch sedan Visa resultat att visa resultat.
Var noga med att allt är kontrollerat, och klicka Ta bort valda.
När desinficeringen är slutförd, en logg kommer att öppna i Anteckningar och du kan bli ombedd att starta om. (Se Extra Not)
Loggen sparas automatiskt genom MBAM och kan läsas genom att klicka på Logs-fliken i MBAM.
Kopiera och klistra in hela rapporten i ditt nästa svar.

Extra Obs! Om MBAM stöter på en fil som är svår att ta bort, kommer du bli visad 1 av 2 uppmanas att klicka på OK antingen och låta MBAM fortsätta med desinfektion process, om han uppmanas att starta om datorn, gör det omedelbart.

nitingaur · #3 21 Sep 2008, 18:18

Nr sabotageprogram funna, här är ett betänkande
-------------------------------------------------- ----
Windows 5.1.2600 Service Pack 2
9/21/2008 6:16:07 PM
mbam-log-2008-09-21 (18-16-07). txt
Scan type: Quick Scan
Objekt skannade: 52621
Tid som förflutit: 4 minute (s), 41 sekund (er)
Memory Processes Infekterade: 0
Minnesmoduler Infekterade: 0
Registernycklar Infekterade: 0
Registervärdena Infekterade: 0
Registry Data Items Infekterade: 0
Mappar Infekterade: 0
Filer Infekterade: 0
Memory Processes Infekterade:
(Inga illasinnade poster upptäcks)
Minnesmoduler Infekterade:
(Inga illasinnade poster upptäcks)
Registernycklar Infekterade:
(Inga illasinnade poster upptäcks)
Registervärdena Infekterade:
(Inga illasinnade poster upptäcks)
Registry Data Items Infekterade:
(Inga illasinnade poster upptäcks)
Mappar Infekterade:
(Inga illasinnade poster upptäcks)
Filer Infekterade:
(Inga illasinnade poster upptäcks)

**evilfantasy** · #4 21 Sep 2008, 18:40

Det finns ingen malware visar antingen log.

Vad exakt är det som händer?

nitingaur · #5 21 Sep 2008, 19:23

Flera IEXPLORER.EXE process spwaning i processen listan. De omedelbart dyker upp om jag dödar dem en efter en. Ibland kan jag också höra några låter som en av de som driver alla fönster men ingen synlig. Det är definitivt fel att de inte ska existera.

**evilfantasy** · #6 21 Sep 2008, 19:26

Ladda ner ComboFix av följande från en av nedanstående länkar. Var noga med början spara det till Desktop.

Länk # 1
Länk # 2

** Observera: Det är viktigt att det sparas direkt på skrivbordet

Stäng alla öppna webbläsare. (Firefox, Internet Explorer, etc.) innan du startar ComboFix.

Tillfälligt inaktivera din antivirus, Och varje AntiSpyware realtid skydd innan utför en genomsökning. Klicka denna länk vill se en lista över säkerhetsprogram som bör funktionshindrade och hur man kan inaktivera dem.

Dubbelklicka combofix.exe & följ anvisningarna.
När du är klar ComboFix kommer att lägga fram en logga åt dig.
Post den ComboFix log och en ny HijackThis log i ditt nästa svar.

Viktigt: Don't mouseclick ComboFix fönster medan det körs. Det kan orsaka att stanna.

Tänk på att åter aktivera ditt antivirus-och antispionprogram skydd när ComboFix är klar.

nitingaur · #7 21 Sep 2008, 19:42

ComboFix Logg
-----------------------
ComboFix 08-09-20.05 - 012466 2008-09-21 19:31:50.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.473 [GMT -7:00]
Running from: C: \ Keanetools \ ComboFix.exe
* Skapat en ny återställningspunkt
VARNING-Den här maskinen har inte Återställningskonsolen INSTALLERADE!
.
((((((((((((((((((((((((((((((((((((((( Andra Strykningar ))))))))) ))))))))))))))))))))))))))))))))))))))))
.
C: \ Documents and Settings \ LocalService \ Cookies \ system@ad.yieldmanag er [1]. Txt
C: \ WINDOWS \ system32 \ x64
.
((((((((((((((((((((((((((((((((((((((( Drivers / Services )))))))) )))))))))))))))))))))))))))))))))))))))))
.
------- \ Legacy_BHSRV
------- \ Service_BHsrv

((((((((((((((((((((((((( Files Created från 2008-08-22 till 2008-09-22 ))))))))))) ))))))))))))))))))))
.
2008-09-21 18:09. 2008-09-21 18:10 <DIR> d -------- C: \ Program Files \ Malwarebytes' Anti-Malware
2008-09-21 18:09. 2008-09-21 18:09 <DIR> d -------- C: \ Documents and Settings \ All Users \ Application Data \ Malwarebytes
2008-09-21 18:09. 2008-09-21 18:09 <DIR> d -------- C: \ Documents and Settings \012466 \ Application Data \ Malwarebytes
2008-09-21 18:09. 2008-09-10 00:04 38.528 - a ------ C: \ WINDOWS \ system32 \ drivers \ mbamswissarmy.sys
2008-09-21 18:09. 2008-09-10 00:03 17.200 - a ------ C: \ WINDOWS \ system32 \ drivers \ mbam.sys
2008-09-21 11:07. 2008-09-21 11:07 <DIR> d -------- C: \ Program Files \ Lavasoft
2008-09-21 11:07. 2008-09-21 11:08 <DIR> d -------- C: \ Documents and Settings \ All Users \ Application Data \ Lavasoft
2008-09-21 11:06. 2008-09-21 11:06 <DIR> d -------- C: \ Program Files \ Common Files \ Wise Installation Wizard
2008-09-20 23:40. 2008-09-20 23:40 <DIR> d -------- C: \ Program Files \ Trend Micro
2008-09-19 09:03. 2008-09-19 09:08 <DIR> d -------- C: \ WINDOWS \ SxsCaPendDel
2008-09-19 00:49. 2008-09-19 00:52 <DIR> d -------- C: \ Documents and Settings \012466 \. Housecall6.6
2008-09-19 00:27. 2008-09-19 09:04 <DIR> da ------ C: \ Documents and Settings \ All Users \ Application Data \ TEMP
2008-09-18 20:25. 2002-02-04 06:22 1,230,336 - a ------ C: \ WINDOWS \ system32 \ Msxml4.dll
2008-09-18 20:25. 2007-09-14 05:01 922,920 --------- C: \ WINDOWS \ system32 \ ahlprun.exe
2008-09-18 20:25. 2002-02-04 06:13 82,432 - a ------ C: \ WINDOWS \ system32 \ Msxml4r.dll
2008-09-18 20:25. 2002-02-04 06:13 44,544 - a ------ C: \ WINDOWS \ system32 \ msxml4a.dll
2008-09-18 20:25. 2002-02-07 18:43 9.679 - a ------ C: \ WINDOWS \ system32 \ msxml4r.cat
2008-09-18 20:25. 2002-02-07 18:43 9.675 - a ------ C: \ WINDOWS \ system32 \ msxml4.cat
2008-09-18 20:25. 2002-02-06 20:31 3.489 - a ------ C: \ WINDOWS \ system32 \ msxml4.Manifest
2008-09-18 20:25. 2002-02-06 20:31 500 - a ------ C: \ WINDOWS \ system32 \ msxml4r.Manifest
2008-09-18 20:21. 2008-09-18 20:21 <DIR> d -------- C: \ Program Files \ Common Files \ Lenovo
2008-09-18 18:27. 2008-09-21 11:54 21.272 - a ------ C: \ WINDOWS \ system32 \ bynpea.key
2008-09-18 18:25. 2008-09-18 18:25 1 - a ------ C: \ WINDOWS \ system32 \004fdb9.imi
2008-09-15 14:23. 2008-09-15 14:23 332.800 --- hs ---- C: \ WINDOWS \ system32 \ _Bhsrv.msi
2008-09-15 12:15. 2008-09-18 15:57 69.942 - a ------ C: \ WINDOWS \ system32 \ rrjack.key
2008-09-15 12:15. 2008-09-15 12:15 1 - a ------ C: \ WINDOWS \ system32 \0048444.imi
2008-09-13 19:27. 2008-09-13 19:27 24 - a ------ C: \ WINDOWS \ cdplayer.ini
2008-09-13 19:26. 2008-09-13 19:26 <DIR> d -------- C: \ Program Files \ Real
2008-09-13 19:26. 2008-09-13 19:26 <DIR> d -------- C: \ Program Files \ Common Files \ Xing delas
2008-09-13 19:26. 2008-09-13 19:26 <DIR> d -------- C: \ Program Files \ Common Files \ Real
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))) ))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-22 02:33 --------- d ----- w C: \ Program Files \ Symantec AntiVirus
2008-09-22 02:33 --------- d ----- w C: \ Program Files \ Cisco VPN-klient
2008-09-21 18:56 16 - sh - r C: \ MSCIOTL.SYS
2008-09-21 18:55 8.416 ---- aw C: \ WINDOWS \ system32 \ drivers \ CDProbe.SYS
2008-09-20 19:26 430.816 - sh - w C: \ Program Files \ _MsInfo.msi
2008-09-19 03:25 --------- d - h - w C: \ Program Files \ InstallShield Installation Information
2008-09-19 03:25 --------- d ----- w C: \ Program \ ThinkVantage
2008-09-19 03:21 --------- d ----- w C: \ Program Files \ Lenovo
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))) ))))))))))))))))))))))))))))))))))))))))
.
.
* Not * tomma poster & legit default poster visas inte
REGEDIT4
[HKEY_CURRENT_USER \ SOFTWARE \ Microsoft \ Windows \ Curre ntVersion \ Run]
"Ctfmon.exe" = "C: \ WINDOWS \ system32 \ Ctfmon.exe" [2004-08-04 15360]
"Yahoo! Pager" = "C: \ Program \ Yahoo! \ Messenger \ YahooMessenger.exe" [2007-08-30 4670704]
[HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ Curr entVersion \ Run]
"IgfxTray" = "C: \ WINDOWS \ system32 \ igfxtray.exe" [2007-08-15 141848]
"HotKeysCmds" = "C: \ WINDOWS \ system32 \ hkcmd.exe" [2007-08-15 162328]
"Persistence" = "C: \ WINDOWS \ system32 \ igfxpers.ex e" [2007-08-15 137752]
"ccApp" = "C: \ Program Files \ Common Files \ Symantec Shared \ ccApp.exe" [2006-03-24 53408]
"vptray" = "C: \ progra ~ 1 \ SYMANT ~ 1 \ VPTray.exe" [2006-06-14 124656]
"TPHOTKEY" = "C: \ Program Files \ Lenovo \ snabbtangent \ TPOSDSVC.exe" [2007-03-09 66176]
"UpdateManager" = "C: \ Program Files \ Common Files \ Sonic \ Update Manager \ sgtray.exe" [2003-08-18 110592]
"dla" = "C: \ WINDOWS \ system32 \ dla \ tfswctrl.exe" [2005-05-19 127037]
"EZEJMNAP" = "C: \ progra ~ 1 \ ThinkPad \ UTILIT ~ 1 \ EzEjMnAp. Exe" [2007-04-26 243248]
"LPManager" = "C: \ progra ~ 1 \ THINKV ~ 1 \ PrdCtr \ LPMGR.exe" [2007-03-22 120368]
"TVT Scheduler Proxy" = "C: \ Program Files \ Common Files \ Lenovo \ Scheduler \ scheduler_proxy.exe" [2008-03-04 487424]
"TkBellExe" = "C: \ Program Files \ Common Files \ Real \ Update_OB \ realsched.exe" [2008-09-13 185896]
"TrackPointSrv" = "tp4mon.exe" [2004-08-03 C: \ WINDOWS \ system32 \ tp4mon.exe]
"NWTRAY" = "NWTRAY.EXE" [2002-03-12 C: \ WINDOWS \ system32 \ nwtray.exe]
"TpShocks" = "TpShocks.exe" [2007-03-29 C: \ WINDOWS \ system32 \ TpShocks.exe]
[HKEY_USERS \. DEFAULT \ Software \ Microsoft \ Windows \ Cur rentVersion \ Run]
"Communicator" = "C: \ Program \ Microsoft Office Communicator \ Communicator.exe" [2005-05-12 4167376]
[HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Windows \ Curr entversion \ Policies \ System]
"CompatibleRUPSecurity" = 1 (0x1)
[HKEY_USERS \. Default \ Software \ Microsoft \ windows \ cur rentversion \ Policies \ Explorer]
"StartMenuLogOff" = 1 (0x1)
[HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows NT \ CurrentVersion \ Winlogon \ anmäla \ tpfnf2]
2006-09-06 13:37 34344 C: \ Program Files \ Lenovo \ snabbtangent \ notifyf2.dll
[HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows NT \ CurrentVersion \ Winlogon \ anmäla \ tphotkey]
2006-12-14 08:06 28672 C: \ Program Files \ Lenovo \ snabbtangent \ tphklock.dll
[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ contro l \ lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwv1_0
[HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Security Center \ Monitoring \ SymantecAntiVirus]
"DisableMonitoring" = dword: 00000001
[HKLM \ ~ \ Services \ SharedAccess \ Parameters \ firewallpo licy \ standardprofile \ AuthorizedApplications \ List]
"% windir% \ \ system32 \ \ sessmgr.exe" =
"C: \ \ Program \ \ Yahoo! \ \ Messenger \ \ YahooMessenger.exe" =
"C: \ \ Program \ \ Yahoo! \ \ Messenger \ \ YServer.exe" =
R0 Shockprf; Shockprf, C: \ WINDOWS \ system32 \ drivers \ Apsx 86.sys [2007-03-02 100656]
R0 TPDIGIMN; TPDIGIMN, C: \ WINDOWS \ system32 \ drivers \ ApsH M86.sys [2007-03-02 19760]
R2 smefs; SMEFileSystem, C: \ WINDOWS \ system32 \ drivers \ sm efs.sys [2006-02-08 20508]
R3 CdProbe; CdProbe, C: \ WINDOWS \ system32 \ drivers \ cdprob e.sys [2008-09-21 8416]
R3 smedrv; SMEDriver, C: \ WINDOWS \ system32 \ drivers \ smedr v.sys [2006-02-08 9516]
S2 AppMgSvc, Application Management Service; C: \ Program \ Delade filer \ Microsoft Shared \ MSINFO \ MsInfo.msi [2008-09-20 430816]
S2 yraebbgi; yraebbgi, C: \ WINDOWS \ system32 \ drivers \ bynp ea.sys []
S2 yrtxzgwh; yrtxzgwh, C: \ WINDOWS \ system32 \ drivers \ rrja ck.sys []
[HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows NT \ CurrentVersion \ Svchost]
wrtxzg REG_MULTI_SZ wrtxzg
nraebb REG_MULTI_SZ nraebb
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main, Start Page = hxxp: / / www.google.com/
O8 -: E & xportera till Microsoft Excel - C: \ progra ~ 1 \ mikro ~ 2 \ Office11 \ EXCEL.EXE/3000
.
************************************************** ************************
CatchMe 0.3.1361 W2K/XP/Vista - rootkit / stealth malware detector av Gmer, http://www.gmer.net
Rootkit scan 2008-09-21 19:35:12
Windows 5.1.2600 Service Pack 2 NTFS
scanning dolda processer ...
scanning dold autostart poster ...
scanning dolda filer ...
scan completed successfully
dolda filer: 0
************************************************** ************************
[HKEY_LOCAL_MACHINE \ System \ ControlSet001 \ Services \ A ppMgSvc]
"ImagePath" = "C: \ Program \ Delade filer \ Microsoft Shared \ MSINFO \ MsInfo.msi"
.
--------------------- DLL-filer Loaded Under Running Processes ---------------------
PROCESS: C: \ WINDOWS \ system32 \ Winlogon.exe
-> C: \ Program Files \ Lenovo \ snabbtangent \ tphklock.dll
.
------------------------ Andra pågående processer ----------------------- --
.
C: \ WINDOWS \ system32 \ ibmpmsvc.exe
C: \ Program Files \ Intel \ Wireless \ Bin \ S24EvMon.exe
C: \ Program Files \ Common Files \ Symantec Shared \ ccSetMgr.exe
C: \ Program Files \ Common Files \ Symantec Shared \ ccEvtMgr.exe
C: \ Program Files \ Common Files \ Symantec Shared \ SPBBC \ SPBBCSvc.exe
C: \ Program Files \ Lavasoft \ Ad-Aware \ aawservice.exe
C: \ _integra \ bin \ shstart.exe
C: \ WINDOWS \ system32 \ igfxsrvc.exe
C: \ Program Files \ Lenovo \ snabbtangent \ TPONSCR.exe
C: \ Program Files \ Lenovo \ ZOOM \ TpScrex.exe
C: \ Program Files \ Symantec AntiVirus \ DoScan.exe
C: \ Program Files \ Internet Explorer \ IEXPLORE.EXE
C: \ CENTENN.IAL \ REVISION \ CAgent32.exe
C: \ CENTENN.IAL \ REVISION \ xferwan.exe
C: \ Program Files \ Cisco VPN Client \ cvpnd.exe
C: \ Program Files \ Symantec AntiVirus \ DefWatch.exe
C: \ Program Files \ Intel \ Wireless \ Bin \ EvtEng.exe
C: \ Program \ Delade filer \ Microsoft Shared \ VS7DEBUG \ MDM.EXE
C: \ Program Files \ Intel \ Wireless \ Bin \ RegSrvc.exe
C: \ Program \ Yahoo! \ Messenger \ Ymsgr_tray.exe
C: \ WINDOWS \ system32 \ calc.exe
C: \ Program Files \ Symantec AntiVirus \ SavRoam.exe
C: \ Program Files \ Symantec AntiVirus \ Rtvscan.exe
C: \ Program Files \ Common Files \ Lenovo \ tvt_reg_monitor_svc.exe
C: \ WINDOWS \ system32 \ TPHDEXLG.exe
C: \ Program Files \ Common Files \ Lenovo \ Scheduler \ tvtsched.exe
C: \ _integra \ bin \ ccmagent.exe
C: \ Program Files \ Lenovo \ System Update \ SUService.exe
C: \ WINDOWS \ system32 \ wscntfy.exe
C: \ ComboFix \ pv.cfexe
.
************************************************** ************************
.
Tid: 2008-09-21 19:36:58 - maskinen startas
ComboFix-karantän-files.txt 2008-09-22 02:36:54
Pre-Run: 64333811712 bytes gratis
Post-Run: 64523264000 bytes gratis
175

HijackThis-logg
-----------------------------------
Loggfil av Trend Micro HijackThis v2.0.2
Scan sparas på 7:38:41 PM om 9/21/2008
Plattform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Kör processer:
C: \ WINDOWS \ System32 \ Smss.exe
C: \ WINDOWS \ system32 \ Winlogon.exe
C: \ WINDOWS \ system32 \ services.exe
C: \ WINDOWS \ system32 \ Lsass.exe
C: \ WINDOWS \ system32 \ ibmpmsvc.exe
C: \ WINDOWS \ system32 \ Svchost.exe
C: \ Program Files \ Intel \ Wireless \ Bin \ S24EvMon.exe
C: \ WINDOWS \ system32 \ Svchost.exe
C: \ Program Files \ Common Files \ Symantec Shared \ ccSetMgr.exe
C: \ Program Files \ Common Files \ Symantec Shared \ ccEvtMgr.exe
C: \ Program Files \ Common Files \ Symantec Shared \ SPBBC \ SPBBCSvc.exe
C: \ Program Files \ Lavasoft \ Ad-Aware \ aawservice.exe
C: \ WINDOWS \ system32 \ Spoolsv.exe
c: \ _integra \ bin \ shstart.exe
C: \ WINDOWS \ system32 \ tp4mon.exe
C: \ WINDOWS \ system32 \ igfxtray.exe
C: \ WINDOWS \ system32 \ hkcmd.exe
C: \ WINDOWS \ system32 \ igfxpers.exe
C: \ WINDOWS \ system32 \ NWTRAY.EXE
C: \ Program Files \ Common Files \ Symantec Shared \ ccApp.exe
C: \ progra ~ 1 \ SYMANT ~ 1 \ VPTray.exe
C: \ WINDOWS \ system32 \ igfxsrvc.exe
C: \ Program Files \ Lenovo \ snabbtangent \ TPOSDSVC.exe
C: \ WINDOWS \ system32 \ dla \ tfswctrl.exe
C: \ progra ~ 1 \ ThinkPad \ UTILIT ~ 1 \ EzEjMnAp.Exe
C: \ Program Files \ Lenovo \ snabbtangent \ TPONSCR.exe
C: \ Program Files \ Lenovo \ zoom \ TpScrex.exe
C: \ progra ~ 1 \ THINKV ~ 1 \ PrdCtr \ LPMGR.exe
C: \ WINDOWS \ system32 \ TpShocks.exe
C: \ Program Files \ Common Files \ Lenovo \ Scheduler \ scheduler_proxy.exe
C: \ Program Files \ Common Files \ Real \ Update_OB \ realsched.exe
C: \ WINDOWS \ system32 \ Ctfmon.exe
C: \ Program \ Internet Explorer \ IEXPLORE.EXE
C: \ WINDOWS \ system32 \ Svchost.exe
C: \ Centenn.ial \ kontrollkommittén \ CAgent32.exe
C: \ Centenn.ial \ kontrollkommittén \ xferwan.exe
C: \ Program Files \ Cisco VPN Client \ cvpnd.exe
C: \ Program Files \ Symantec AntiVirus \ DefWatch.exe
C: \ Program Files \ Intel \ Wireless \ Bin \ EvtEng.exe
C: \ Program \ Delade filer \ Microsoft Shared \ VS7DEBUG \ MDM.EXE
C: \ Program Files \ Intel \ Wireless \ Bin \ RegSrvc.exe
C: \ Program \ Yahoo! \ Messenger \ ymsgr_tray.exe
C: \ WINDOWS \ system32 \ calc.exe
C: \ Program Files \ Symantec AntiVirus \ SavRoam.exe
C: \ Program Files \ Symantec AntiVirus \ Rtvscan.exe
C: \ Program Files \ Common Files \ Lenovo \ tvt_reg_monitor_svc.exe
C: \ WINDOWS \ System32 \ TPHDEXLG.exe
C: \ Program Files \ Common Files \ Lenovo \ Scheduler \ tvtsched.exe
c: \ _integra \ bin \ ccmagent.exe
C: \ Program Files \ Lenovo \ system update \ suservice.exe
C: \ WINDOWS \ system32 \ wscntfy.exe
C: \ WINDOWS \ system32 \ wuauclt.exe
C: \ WINDOWS \ system32 \ wuauclt.exe
C: \ WINDOWS \ Explorer.exe
C: \ Program Files \ Trend Micro \ HijackThis \ HijackThis.exe
R1 - HKLM \ Software \ Microsoft \ Internet Explorer \ Main, Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM \ Software \ Microsoft \ Internet Explorer \ Main, Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM \ Software \ Microsoft \ Internet Explorer \ Main, Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - (06849E9F-C8D7-4D59-B87D-784B7D6BE0B3) - C: \ Program Files \ Adobe \ Acrobat 7.0 \ ActiveX \ AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - (5CA3D70E-1895-11CF-8E15-001234567890) - C: \ WINDOWS \ system32 \ dla \ tfswshx.dll
O4 - HKLM \ .. \ Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM \ .. \ Run: [IgfxTray] C: \ WINDOWS \ system32 \ igfxtray.exe
O4 - HKLM \ .. \ Run: [HotKeysCmds] C: \ WINDOWS \ system32 \ hkcmd.exe
O4 - HKLM \ .. \ Run: [Persistence] C: \ WINDOWS \ system32 \ igfxpers.exe
O4 - HKLM \ .. \ Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM \ .. \ Run: [ccApp] "C: \ Program Files \ Common Files \ Symantec Shared \ ccApp.exe"
O4 - HKLM \ .. \ Run: [vptray] C: \ progra ~ 1 \ SYMANT ~ 1 \ VPTray.exe
O4 - HKLM \ .. \ Run: [TPHOTKEY] C: \ Program \ Lenovo \ snabbtangent \ TPOSDSVC.exe
O4 - HKLM \ .. \ Run: [UpdateManager] "C: \ Program Files \ Common Files \ Sonic \ Update Manager \ sgtray.exe" / r
O4 - HKLM \ .. \ Run: [dla] C: \ WINDOWS \ system32 \ dla \ tfswctrl.exe
O4 - HKLM \ .. \ Run: [EZEJMNAP] C: \ progra ~ 1 \ ThinkPad \ UTILIT ~ 1 \ EzEjMnAp.Exe
O4 - HKLM \ .. \ Run: [LPManager] C: \ progra ~ 1 \ THINKV ~ 1 \ PrdCtr \ LPMGR.exe
O4 - HKLM \ .. \ Run: [TpShocks] TpShocks.exe
O4 - HKLM \ .. \ Run: [TVT Scheduler Proxy] C: \ Program Files \ Common Files \ Lenovo \ Scheduler \ scheduler_proxy.exe
O4 - HKLM \ .. \ Run: [TkBellExe] "C: \ Program Files \ Common Files \ Real \ Update_OB \ realsched.exe"-osboot
O4 - HKCU \ .. \ Run: [Ctfmon.exe] C: \ WINDOWS \ system32 \ Ctfmon.exe
O4 - HKCU \ .. \ Run: [Yahoo! Pager] "C: \ Program \ Yahoo! \ Messenger \ YahooMessenger.exe" tyst
O4 - HKUS \ S-1-5-19 \ .. \ Run: [Communicator] "C: \ Program \ Microsoft Office Communicator \ Communicator.exe" (User 'LOCAL SERVICE')
O4 - HKUS \ S-1-5-20 \ .. \ Run: [Communicator] "C: \ Program \ Microsoft Office Communicator \ Communicator.exe" (User 'NETWORK SERVICE')
O4 - HKUS \ S-1-5-18 \ .. \ Run: [Communicator] "C: \ Program \ Microsoft Office Communicator \ Communicator.exe" (User 'SYSTEM')
O4 - HKUS \. DEFAULT \ .. \ Run: [Communicator] "C: \ Program \ Microsoft Office Communicator \ Communicator.exe" (User 'Default user')
O8 - Extra sammanhang menyobjektet: E & xportera till Microsoft Excel - res: / / C: \ progra ~ 1 \ mikro ~ 2 \ Office11 \ EXCEL.EXE/3000
Ø9 - Extra button: Research - (92780B25-18CC-41C8-B9BE-3C9C571A8263) - C: \ progra ~ 1 \ mikro ~ 2 \ Office11 \ REFIEBAR.DLL
Ø9 - Extra button: @ C: \ Program Files \ Messenger \ Msgslang.dll, -61144 - (FB5F1910-F110-11d2-BB9E-00C04F795683) - C: \ Program Files \ Messenger \ msmsgs.exe
Ø9 - Extra 'Tools' MENUITEM: @ C: \ Program Files \ Messenger \ Msgslang.dll, -61144 - (FB5F1910-F110-11d2-BB9E-00C04F795683) - C: \ Program Files \ Messenger \ msmsgs.exe
O16 - DPF: (215B8138-A3CF-44C5-803F-8226143CFC0A) (Trend Micro ActiveX Scan Agent 6.6) -- http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O17 - HKLM \ System \ CCS \ Services \ Tcpip \ .. \ (B8E7B489-2160-4DE7-B592-9FD03D16CC74): Domain = keane.com
O17 - HKLM \ System \ CCS \ Services \ Tcpip \ .. \ (D239A412-22C2-4683-95BC-1FFAA687D0DF): NameServer = 172.21.18.101,172.21.18.102
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C: \ Program Files \ Lavasoft \ Ad-Aware \ aawservice.exe
O23 - Service: Application Management Service (AppMgSvc) - Unknown ägaren - C: \ Program.exe (fil saknas)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C: \ Program Files \ Common Files \ Symantec Shared \ ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C: \ Program Files \ Common Files \ Symantec Shared \ ccSetMgr.exe
O23 - Service: CentennialClientAgent - Centennial Software Limited - C: \ Centenn.ial \ kontrollkommittén \ CAgent32.exe
O23 - Service: CentennialIPTransferAgent - Centennial Software Limited - C: \ Centenn.ial \ kontrollkommittén \ xferwan.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C: \ WINDOWS \ system32 \ cusrvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C: \ Program Files \ Cisco VPN Client \ cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C: \ Program Files \ Symantec AntiVirus \ DefWatch.exe
O23 - Service: Intel (R) PROSet / Wireless Event Log (EvtEng) - Intel Corporation - C: \ Program Files \ Intel \ Wireless \ Bin \ EvtEng.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C: \ WINDOWS \ system32 \ ibmpmsvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C: \ progra ~ 1 \ Symantec \ LIVEUP ~ 1 \ LUCOMS ~ 1.EXE
O23 - Service: Intel (R) PROSet / Wireless Registry Service (RegSrvc) - Intel Corporation - C: \ Program Files \ Intel \ Wireless \ Bin \ RegSrvc.exe
O23 - Service: Intel (R) PROSet / Wireless Service (S24EventMonitor) - Intel Corporation - C: \ Program Files \ Intel \ Wireless \ Bin \ S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C: \ Program \ Symantec AntiVirus \ SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C: \ Program Files \ Common Files \ Symantec Shared \ SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C: \ Program Files \ Common Files \ Symantec Shared \ SPBBC \ SPBBCSvc.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - C: \ Program Files \ Lenovo \ system update \ suservice.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C: \ Program Files \ Symantec AntiVirus \ Rtvscan.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C: \ Program Files \ Common Files \ Lenovo \ tvt_reg_monitor_svc.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C: \ WINDOWS \ System32 \ TPHDEXLG.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C: \ Program Files \ Common Files \ Lenovo \ Scheduler \ tvtsched.exe
O23 - Service: Symantec LiveState ombud för Windows (WControl) - Symantec Corporation - c: \ _integra \ bin \ ccmagent.exe
--
End of file - 8581 bytes

**evilfantasy** · #8 21 Sep 2008, 21:24

Obs! nedanstående instruktioner skapades speciellt för den här användaren. Om du inte är här, INTE Följ dessa anvisningar, eftersom de kan skada fungerar systemet

Ta bort dessa filer / mappar på följande sätt:

1. Gå till Start > Springa > Typ Notepad.exe och klicka OK att öppna Anteckningar.
Den måste vara Anteckningar inte WordPad.
2. Kopiera texten i nedanstående nummer fält genom att markera all text och trycka på Ctrl + C

Kod:

Killall: Driver:: BHSRV BHsrv File:: C: \ WINDOWS \ system32 \ bynpea.key C: \ WINDOWS \ system32 \ 004fdb9.imi C: \ WINDOWS \ system32 \ _Bhsrv.msi C: \ WINDOWS \ system32 \ rrjack. viktiga C: \ WINDOWS \ system32 \ 0048444.imi C: \ WINDOWS \ system32 \ drivers \ bynpea.sys C: \ WINDOWS \ system32 \ drivers \ rrjack.sys C: \ WINDOWS \ system32 \ calc.exe

3. Gå till Notepad-fönstret och klicka på Redigera > Klistra in
4. Klicka sedan på Fil > Spara
5. Namnge filen CFScript.txt - Spara filen på skrivbordet
6. Dra sedan CFScript (håll nere vänster musknapp medan du drar filen) och släppa det (release vänster musknapp) i ComboFix.exe som du ser i skärmdumpen nedan. Viktigt: Utför denna instruktion noga!

ComboFix kommer att börja köra, bara följ anvisningarna.
Efter omstart (om man begär att starta om), kommer att ta fram en logga åt dig.
Post som log (Combofix.txt) i din nästa replik.

Obs! Don't mouseclick ComboFix fönster medan det körs. Det kan göra att ditt system fryser

nitingaur · #9 21 Sep 2008, 22:20

ComboFix log efterbränningsperioden CFSCript
-------------------------------------------------- --------
ComboFix 08-09-20.05 - 012466 2008-09-21 22:11:45.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.598 [GMT -7:00]
Running from: C: \ Keanetools \ ComboFix.exe
Kommando växlar används:: C: \ Documents and Settings \012466 \ Desktop \ CFScript.txt
* Skapat en ny återställningspunkt
VARNING-Den här maskinen har inte Återställningskonsolen INSTALLERADE!
FILE:
C: \ WINDOWS \ system32 \ _Bhsrv.msi
C: \ WINDOWS \ system32 \0048444.imi
C: \ WINDOWS \ system32 \004fdb9.imi
C: \ WINDOWS \ system32 \ bynpea.key
C: \ WINDOWS \ system32 \ calc.exe
C: \ WINDOWS \ system32 \ drivers \ bynpea.sys
C: \ WINDOWS \ system32 \ drivers \ rrjack.sys
C: \ WINDOWS \ system32 \ rrjack.key
.
((((((((((((((((((((((((((((((((((((((( Andra Strykningar ))))))))) ))))))))))))))))))))))))))))))))))))))))
.
C: \ WINDOWS \ system32 \ _Bhsrv.msi
C: \ WINDOWS \ system32 \0048444.imi
C: \ WINDOWS \ system32 \004fdb9.imi
C: \ WINDOWS \ system32 \ bynpea.key
C: \ WINDOWS \ system32 \ calc.exe
C: \ WINDOWS \ system32 \ rrjack.key
.
((((((((((((((((((((((((( Files Created från 2008-08-22 till 2008-09-22 ))))))))))) ))))))))))))))))))))
.
2008-09-21 18:09. 2008-09-21 18:10 <DIR> d -------- C: \ Program Files \ Malwarebytes' Anti-Malware
2008-09-21 18:09. 2008-09-21 18:09 <DIR> d -------- C: \ Documents and Settings \ All Users \ Application Data \ Malwarebytes
2008-09-21 18:09. 2008-09-21 18:09 <DIR> d -------- C: \ Documents and Settings \012466 \ Application Data \ Malwarebytes
2008-09-21 18:09. 2008-09-10 00:04 38.528 - a ------ C: \ WINDOWS \ system32 \ drivers \ mbamswissarmy.sys
2008-09-21 18:09. 2008-09-10 00:03 17.200 - a ------ C: \ WINDOWS \ system32 \ drivers \ mbam.sys
2008-09-21 11:07. 2008-09-21 11:07 <DIR> d -------- C: \ Program Files \ Lavasoft
2008-09-21 11:07. 2008-09-21 11:08 <DIR> d -------- C: \ Documents and Settings \ All Users \ Application Data \ Lavasoft
2008-09-21 11:06. 2008-09-21 11:06 <DIR> d -------- C: \ Program Files \ Common Files \ Wise Installation Wizard
2008-09-20 23:40. 2008-09-20 23:40 <DIR> d -------- C: \ Program Files \ Trend Micro
2008-09-19 09:03. 2008-09-19 09:08 <DIR> d -------- C: \ WINDOWS \ SxsCaPendDel
2008-09-19 00:49. 2008-09-19 00:52 <DIR> d -------- C: \ Documents and Settings \012466 \. Housecall6.6
2008-09-19 00:27. 2008-09-19 09:04 <DIR> da ------ C: \ Documents and Settings \ All Users \ Application Data \ TEMP
2008-09-18 20:25. 2002-02-04 06:22 1,230,336 - a ------ C: \ WINDOWS \ system32 \ Msxml4.dll
2008-09-18 20:25. 2007-09-14 05:01 922,920 --------- C: \ WINDOWS \ system32 \ ahlprun.exe
2008-09-18 20:25. 2002-02-04 06:13 82,432 - a ------ C: \ WINDOWS \ system32 \ Msxml4r.dll
2008-09-18 20:25. 2002-02-04 06:13 44,544 - a ------ C: \ WINDOWS \ system32 \ msxml4a.dll
2008-09-18 20:25. 2002-02-07 18:43 9.679 - a ------ C: \ WINDOWS \ system32 \ msxml4r.cat
2008-09-18 20:25. 2002-02-07 18:43 9.675 - a ------ C: \ WINDOWS \ system32 \ msxml4.cat
2008-09-18 20:25. 2002-02-06 20:31 3.489 - a ------ C: \ WINDOWS \ system32 \ msxml4.Manifest
2008-09-18 20:25. 2002-02-06 20:31 500 - a ------ C: \ WINDOWS \ system32 \ msxml4r.Manifest
2008-09-18 20:21. 2008-09-18 20:21 <DIR> d -------- C: \ Program Files \ Common Files \ Lenovo
2008-09-13 19:27. 2008-09-13 19:27 24 - a ------ C: \ WINDOWS \ cdplayer.ini
2008-09-13 19:26. 2008-09-13 19:26 <DIR> d -------- C: \ Program Files \ Real
2008-09-13 19:26. 2008-09-13 19:26 <DIR> d -------- C: \ Program Files \ Common Files \ Xing delas
2008-09-13 19:26. 2008-09-13 19:26 <DIR> d -------- C: \ Program Files \ Common Files \ Real
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))) ))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-22 05:14 8.416 ---- aw C: \ WINDOWS \ system32 \ drivers \ CDProbe.SYS
2008-09-22 05:14 16 - sh - r C: \ MSCIOTL.SYS
2008-09-22 05:14 --------- d ----- w C: \ Program Files \ Symantec AntiVirus
2008-09-22 03:07 --------- d ----- w C: \ Program Files \ Cisco VPN-klient
2008-09-20 19:26 430.816 - sh - w C: \ Program Files \ _MsInfo.msi
2008-09-19 03:25 --------- d - h - w C: \ Program Files \ InstallShield Installation Information
2008-09-19 03:25 --------- d ----- w C: \ Program \ ThinkVantage
2008-09-19 03:21 --------- d ----- w C: \ Program Files \ Lenovo
.
((((((((((((((((((((((((((((( Snapshot@2008-09-21_19.36.38.64 )))))))))) )))))))))))))))))))))))))))))))
.
- 2008-09-21 18:59:45 71.370 ---- aw C: \ WINDOWS \ system32 \ perfc009.dat
+ 2008-09-22 02:39:43 71.370 ---- aw C: \ WINDOWS \ system32 \ perfc009.dat
- 2008-09-21 18:59:45 439.832 ---- aw C: \ WINDOWS \ system32 \ perfh009.dat
+ 2008-09-22 02:39:43 439.832 ---- aw C: \ WINDOWS \ system32 \ perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))) ))))))))))))))))))))))))))))))))))))))))
.
.
* Not * tomma poster & legit default poster visas inte
REGEDIT4
[HKEY_CURRENT_USER \ SOFTWARE \ Microsoft \ Windows \ Curre ntVersion \ Run]
"Ctfmon.exe" = "C: \ WINDOWS \ system32 \ Ctfmon.exe" [2004-08-04 15360]
"Yahoo! Pager" = "C: \ Program \ Yahoo! \ Messenger \ YahooMessenger.exe" [2007-08-30 4670704]
[HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ Curr entVersion \ Run]
"IgfxTray" = "C: \ WINDOWS \ system32 \ igfxtray.exe" [2007-08-15 141848]
"HotKeysCmds" = "C: \ WINDOWS \ system32 \ hkcmd.exe" [2007-08-15 162328]
"Persistence" = "C: \ WINDOWS \ system32 \ igfxpers.ex e" [2007-08-15 137752]
"ccApp" = "C: \ Program Files \ Common Files \ Symantec Shared \ ccApp.exe" [2006-03-24 53408]
"vptray" = "C: \ progra ~ 1 \ SYMANT ~ 1 \ VPTray.exe" [2006-06-14 124656]
"TPHOTKEY" = "C: \ Program Files \ Lenovo \ snabbtangent \ TPOSDSVC.exe" [2007-03-09 66176]
"UpdateManager" = "C: \ Program Files \ Common Files \ Sonic \ Update Manager \ sgtray.exe" [2003-08-18 110592]
"dla" = "C: \ WINDOWS \ system32 \ dla \ tfswctrl.exe" [2005-05-19 127037]
"EZEJMNAP" = "C: \ progra ~ 1 \ ThinkPad \ UTILIT ~ 1 \ EzEjMnAp. Exe" [2007-04-26 243248]
"LPManager" = "C: \ progra ~ 1 \ THINKV ~ 1 \ PrdCtr \ LPMGR.exe" [2007-03-22 120368]
"TVT Scheduler Proxy" = "C: \ Program Files \ Common Files \ Lenovo \ Scheduler \ scheduler_proxy.exe" [2008-03-04 487424]
"TkBellExe" = "C: \ Program Files \ Common Files \ Real \ Update_OB \ realsched.exe" [2008-09-13 185896]
"TrackPointSrv" = "tp4mon.exe" [2004-08-03 C: \ WINDOWS \ system32 \ tp4mon.exe]
"NWTRAY" = "NWTRAY.EXE" [2002-03-12 C: \ WINDOWS \ system32 \ nwtray.exe]
"TpShocks" = "TpShocks.exe" [2007-03-29 C: \ WINDOWS \ system32 \ TpShocks.exe]
[HKEY_USERS \. DEFAULT \ Software \ Microsoft \ Windows \ Cur rentVersion \ Run]
"Communicator" = "C: \ Program \ Microsoft Office Communicator \ Communicator.exe" [2005-05-12 4167376]
[HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Windows \ Curr entversion \ Policies \ System]
"CompatibleRUPSecurity" = 1 (0x1)
[HKEY_USERS \. Default \ Software \ Microsoft \ windows \ cur rentversion \ Policies \ Explorer]
"StartMenuLogOff" = 1 (0x1)
[HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows NT \ CurrentVersion \ Winlogon \ anmäla \ tpfnf2]
2006-09-06 13:37 34344 C: \ Program Files \ Lenovo \ snabbtangent \ notifyf2.dll
[HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows NT \ CurrentVersion \ Winlogon \ anmäla \ tphotkey]
2006-12-14 08:06 28672 C: \ Program Files \ Lenovo \ snabbtangent \ tphklock.dll
[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ contro l \ lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwv1_0
[HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Security Center \ Monitoring \ SymantecAntiVirus]
"DisableMonitoring" = dword: 00000001
[HKLM \ ~ \ Services \ SharedAccess \ Parameters \ firewallpo licy \ standardprofile \ AuthorizedApplications \ List]
"% windir% \ \ system32 \ \ sessmgr.exe" =
"C: \ \ Program \ \ Yahoo! \ \ Messenger \ \ YahooMessenger.exe" =
"C: \ \ Program \ \ Yahoo! \ \ Messenger \ \ YServer.exe" =
R0 Shockprf; Shockprf, C: \ WINDOWS \ system32 \ drivers \ Apsx 86.sys [2007-03-02 100656]
R0 TPDIGIMN; TPDIGIMN, C: \ WINDOWS \ system32 \ drivers \ ApsH M86.sys [2007-03-02 19760]
R2 smefs; SMEFileSystem, C: \ WINDOWS \ system32 \ drivers \ sm efs.sys [2006-02-08 20508]
R3 CdProbe; CdProbe, C: \ WINDOWS \ system32 \ drivers \ cdprob e.sys [2008-09-21 8416]
R3 smedrv; SMEDriver, C: \ WINDOWS \ system32 \ drivers \ smedr v.sys [2006-02-08 9516]
S2 AppMgSvc, Application Management Service; C: \ Program \ Delade filer \ Microsoft Shared \ MSINFO \ MsInfo.msi [2008-09-20 430816]
S2 yraebbgi; yraebbgi, C: \ WINDOWS \ system32 \ drivers \ bynp ea.sys []
S2 yrtxzgwh; yrtxzgwh, C: \ WINDOWS \ system32 \ drivers \ rrja ck.sys []
[HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows NT \ CurrentVersion \ Svchost]
wrtxzg REG_MULTI_SZ wrtxzg
nraebb REG_MULTI_SZ nraebb
.
************************************************** ************************
CatchMe 0.3.1361 W2K/XP/Vista - rootkit / stealth malware detector av Gmer, http://www.gmer.net
Rootkit scan 2008-09-21 22:16:04
Windows 5.1.2600 Service Pack 2 NTFS
scanning dolda processer ...
scanning dold autostart poster ...
scanning dolda filer ...

C: \ WINDOWS \ system32 \ calc.exe
scan completed successfully
dolda filer: 1
************************************************** ************************
[HKEY_LOCAL_MACHINE \ System \ ControlSet001 \ Services \ A ppMgSvc]
"ImagePath" = "C: \ Program \ Delade filer \ Microsoft Shared \ MSINFO \ MsInfo.msi"
.
--------------------- DLL-filer Loaded Under Running Processes ---------------------
PROCESS: C: \ WINDOWS \ system32 \ Winlogon.exe
-> C: \ Program Files \ Lenovo \ snabbtangent \ tphklock.dll
.
------------------------ Andra pågående processer ----------------------- --
.
C: \ WINDOWS \ system32 \ ibmpmsvc.exe
C: \ Program Files \ Intel \ Wireless \ Bin \ S24EvMon.exe
C: \ Program Files \ Common Files \ Symantec Shared \ ccSetMgr.exe
C: \ Program Files \ Common Files \ Symantec Shared \ ccEvtMgr.exe
C: \ Program Files \ Common Files \ Symantec Shared \ SPBBC \ SPBBCSvc.exe
C: \ Program Files \ Lavasoft \ Ad-Aware \ aawservice.exe
C: \ Program Files \ Internet Explorer \ IEXPLORE.EXE
C: \ CENTENN.IAL \ REVISION \ CAgent32.exe
C: \ CENTENN.IAL \ REVISION \ xferwan.exe
C: \ Program Files \ Cisco VPN Client \ cvpnd.exe
C: \ Program Files \ Symantec AntiVirus \ DefWatch.exe
C: \ Program Files \ Intel \ Wireless \ Bin \ EvtEng.exe
C: \ Program \ Delade filer \ Microsoft Shared \ VS7DEBUG \ MDM.EXE
C: \ Program Files \ Intel \ Wireless \ Bin \ RegSrvc.exe
C: \ Program Files \ Symantec AntiVirus \ SavRoam.exe
C: \ Program Files \ Symantec AntiVirus \ Rtvscan.exe
C: \ Program Files \ Common Files \ Lenovo \ tvt_reg_monitor_svc.exe
C: \ WINDOWS \ system32 \ TPHDEXLG.exe
C: \ Program Files \ Common Files \ Lenovo \ Scheduler \ tvtsched.exe
C: \ _integra \ bin \ ccmagent.exe
C: \ Program Files \ Lenovo \ System Update \ SUService.exe
C: \ _integra \ bin \ shstart.exe
C: \ WINDOWS \ system32 \ igfxsrvc.exe
C: \ Program Files \ Lenovo \ snabbtangent \ TPONSCR.exe
C: \ Program Files \ Lenovo \ ZOOM \ TpScrex.exe
C: \ Program Files \ Symantec AntiVirus \ DoScan.exe
C: \ Program \ Yahoo! \ Messenger \ Ymsgr_tray.exe
C: \ ComboFix \ pv.cfexe
.
************************************************** ************************
.
Tid: 2008-09-21 22:17:28 - maskinen startas
ComboFix-karantän-files.txt 2008-09-22 05:17:23
ComboFix2.txt 2008-09-22 02:36:59
Pre-Run: 64509464576 bytes gratis
Post-Run: 64505421824 bytes gratis
181

**evilfantasy** · #10 21 Sep 2008, 22:26

Hämta OTMoveIt2 av OldTimeroch spara den till din Desktop.

Obs! Om du kör på Vista, högerklicka på OTMoveIt2.exe och välj Kör som administratör.

1. Dubbelklicka OTMoveIt2.exe för att köra den.
2. Kopiera rader i codebox nedan.

Kod:

[döda Explorer] C: \ WINDOWS \ system32 \ calc.exe HKEY_LOCAL_MACHINE \ System \ ControlSet001 \ Services \ AppMgSvc EmptyTemp [start Explorer]

3. Återgå till OTMoveIt2 högerklickar du på Klistra filförteckning / mappar till Flytta fönstret (under det gula fältet) och välj Klistra in
4. Klicka på den röda Moveit! knappen.
5. Kopiera allt i Resultat fönstret (under den gröna linjen) och klistra in den i din nästa replik.
6. Nära OTMoveIt2

Obs!: Om en fil eller mapp kan inte flyttas omedelbart kan du bli ombedd att starta om datorn för att slutföra övergången process. Om du blir ombedd att starta om, välja Ja. Om inte, starta ändå.

Liknande Trådar
Tråd	Thread Starter	Forum	Svar	Senaste Inlägg
Ta bort iexplore.exe virus / hijack logg	xalice15x	Virus, spionprogram och säkerhet	16	12 november 2008 19:43
Iexplorer.exe virus - Snälla hjälp mig!	Giant Panda	Virus, spionprogram och säkerhet	2	6 oktober 2008 14:55
Jag får det bone.exe virus för min iexplorer	damandg	Virus, spionprogram och säkerhet	12	14 juli 2008 14:31
Iexplorer.exe virus	iuboy2006	Virus, spionprogram och säkerhet	9	26 mars 2008 08:12
Avssytemcare popup virus och liknande - (omfattar kapning detta)	slug	Virus, spionprogram och säkerhet	23	4:e sep 2007 16:15