IEXPLORER.EXE virus, pls review Hijack log




#1
21 September 2008, 12:02
New Member Group

IEXPLORER.EXE virus, pls review Hijack log

Logfile Trend Micro HijackThis v2.0.2 ve
Tarama 12:01:37 at 9/21/2008 kayıtlı
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot modu: Normal
Çalışan süreçleri:
C: \ WINDOWS \ System32 \ Smss.exe
C: \ WINDOWS \ system32 \ csrss.exe
C: \ WINDOWS \ system32 \ winlogon.exe
C: \ WINDOWS \ system32 \ Services.exe
C: \ WINDOWS \ system32 \ lsass.exe
C: \ WINDOWS \ system32 \ ibmpmsvc.exe
C: \ WINDOWS \ system32 \ svchost.exe
C: \ WINDOWS \ system32 \ svchost.exe
C: \ Program Files \ Intel \ Wireless \ Bin \ S24EvMon.exe
C: \ WINDOWS \ system32 \ svchost.exe
C: \ WINDOWS \ system32 \ svchost.exe
C: \ WINDOWS \ system32 \ svchost.exe
C: \ Program Files \ Common Files \ Symantec Shared \ ccSetMgr.exe
C: \ Program Files \ Common Files \ Symantec Shared \ ccEvtMgr.exe
C: \ Program Files \ Common Files \ Symantec Shared \ SPBBC \ SPBBCSvc.exe
C: \ Program Files \ Lavasoft \ Ad-Aware \ aawservice.exe
C: \ WINDOWS \ system32 \ spoolsv.exe
C: \ WINDOWS \ system32 \ svchost.exe
C: \ Centenn.ial \ Denetim \ CAgent32.exe
C: \ Centenn.ial \ Denetim \ xferwan.exe
C: \ Program Files \ Cisco VPN istemcisi \ cvpnd.exe
C: \ Program Files \ Symantec AntiVirus \ DefWatch.exe
C: \ Program Files \ Intel \ Wireless \ Bin \ EvtEng.exe
C: \ Program Files \ Common Files \ Microsoft Shared \ VS7DEBUG \ MDM.EXE
C: \ Program Files \ Intel \ Wireless \ Bin \ RegSrvc.exe
C: \ Program Files \ Symantec AntiVirus \ SavRoam.exe
C: \ Program Files \ Symantec AntiVirus \ Rtvscan.exe
C: \ Program Files \ Common Files \ Lenovo \ tvt_reg_monitor_svc.exe
C: \ WINDOWS \ System32 \ TPHDEXLG.exe
C: \ Program Files \ Common Files \ Lenovo \ Zamanlayıcısı \ tvtsched.exe
c: \ _integra \ bin \ ccmagent.exe
C: \ Program Files \ Lenovo \ system güncelleme \ suservice.exe
C: \ WINDOWS \ System32 \ alg.exe
C: \ WINDOWS \ system32 \ calc.exe
C: \ WINDOWS \ system32 \ calc.exe
c: \ _integra \ bin \ shstart.exe
C: \ WINDOWS \ Explorer.EXE
C: \ WINDOWS \ system32 \ tp4mon.exe
C: \ WINDOWS \ system32 \ igfxtray.exe
C: \ WINDOWS \ system32 \ hkcmd.exe
C: \ WINDOWS \ system32 \ igfxpers.exe
C: \ WINDOWS \ system32 \ NWTRAY.EXE
C: \ Program Files \ Common Files \ Symantec Shared \ ccApp.exe
C: \ progra ~ 1 \ intern SYMANT ~ 1 \ VPTray.exe
C: \ Program Files \ Lenovo \ Hotkey \ TPOSDSVC.exe
C: \ WINDOWS \ system32 \ igfxsrvc.exe
C: \ WINDOWS \ system32 \ dla \ tfswctrl.exe
C: \ progra ~ 1 \ intern ThinkPad \ UTILIT ~ 1 \ EzEjMnAp.Exe
C: \ progra ~ 1 \ intern THINKV ~ 1 \ PrdCtr \ LPMGR.exe
C: \ WINDOWS \ system32 \ TpShocks.exe
C: \ Program Files \ Lenovo \ Hotkey \ TPONSCR.exe
C: \ Program Files \ Common Files \ Lenovo \ Zamanlayıcısı \ scheduler_proxy.exe
C: \ Program Files \ Lenovo \ Zoom \ TpScrex.exe
C: \ Program Files \ Common Files \ Real \ Update_OB \ realsched.exe
C: \ WINDOWS \ system32 \ ctfmon.exe
C: \ Program Files \ Yahoo! \ Messenger \ ymsgr_tray.exe
C: \ WINDOWS \ system32 \ Taskmgr.exe
C: \ Program Files \ Internet Explorer \ IEXPLORE.EXE
C: \ Program Files \ Internet Explorer \ IEXPLORE.EXE
C: \ Program Files \ Internet Explorer \ IEXPLORE.EXE
C: \ WINDOWS \ system32 \ wuauclt.exe
C: \ WINDOWS \ system32 \ wbem \ wmiprvse.exe
C: \ Program Files \ Trend Micro \ HijackThis \ HijackThis.exe
C: \ WINDOWS \ system32 \ wbem \ wmiprvse.exe
F2 - REG: System.ini: UserInit = c: \ windows \ system32 \ userinit.exe, c: \ _inte Gra \ bin \ shstart.exe
O2 - BHO: AcroIEHlprObj Sınıf - (06849E9F-C8D7-4D59-B87D-784B7D6BE0B3) - C: \ Program Files \ Adobe \ Acrobat 7.0 \ ActiveX \ AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - (5CA3D70E-1895-11CF-8E15-001234567890) - C: \ WINDOWS \ system32 \ dla \ tfswshx.dll
O4 - HKLM \ .. \ Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM \ .. \ Run: [IgfxTray] C: \ WINDOWS \ system32 \ igfxtray.exe
O4 - HKLM \ .. \ Run: [HotKeysCmds] C: \ WINDOWS \ system32 \ hkcmd.exe
O4 - HKLM \ .. \ Run: [Persistence] C: \ WINDOWS \ system32 \ igfxpers.exe
O4 - HKLM \ .. \ Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM \ .. \ Run: [ccApp] "C: \ Program Files \ Common Files \ Symantec Shared \ ccApp.exe"
O4 - HKLM \ .. \ Run: [vptray] C: \ progra ~ 1 \ intern SYMANT ~ 1 \ VPTray.exe
O4 - HKLM \ .. \ Run: [TPHOTKEY] C: \ Program Files \ Lenovo \ Hotkey \ TPOSDSVC.exe
O4 - HKLM \ .. \ Run: [UpdateManager] "C: \ Program Files \ Common Files \ Sonic \ Update Manager \ sgtray.exe" / r
O4 - HKLM \ .. \ Run: [dla] C: \ WINDOWS \ system32 \ dla \ tfswctrl.exe
O4 - HKLM \ .. \ Run: [EZEJMNAP] C: \ progra ~ 1 \ intern ThinkPad \ UTILIT ~ 1 \ EzEjMnAp.Exe
O4 - HKLM \ .. \ Run: [LPManager] C: \ progra ~ 1 \ intern THINKV ~ 1 \ PrdCtr \ LPMGR.exe
O4 - HKLM \ .. \ Run: [TpShocks] TpShocks.exe
O4 - HKLM \ .. \ Run: [TVT Zamanlayıcısı Proxy] C: \ Program Files \ Common Files \ Lenovo \ Zamanlayıcısı \ scheduler_proxy.exe
O4 - HKLM \ .. \ Run: [TkBellExe] "C: \ Program Files \ Common Files \ Real \ Update_OB \ realsched.exe"-osboot
O4 - HKCU \ .. \ Run: [ctfmon.exe] C: \ WINDOWS \ system32 \ ctfmon.exe
O4 - HKCU \ .. \ Run: [Yahoo! Çağrı] "C: \ Program Files \ Yahoo! \ Messenger \ YahooMessenger.exe"-sessiz
O4 - HKUS \ S-1-5-19 \ .. \ Run: [Communicator] "C: \ Program Files \ Microsoft Office Communicator \ Communicator.exe" (User 'LOCAL SERVICE')
O4 - HKUS \ S-1-5-20 \ .. \ Run: [Communicator] "C: \ Program Files \ Microsoft Office Communicator \ Communicator.exe" (User 'NETWORK SERVICE')
O4 - HKUS \ S-1-5-18 \ .. \ Run: [Communicator] "C: \ Program Files \ Microsoft Office Communicator \ Communicator.exe" (Kullanıcı 'SİSTEM')
O4 - HKUS \. DEFAULT \ .. \ Run: [Communicator] "C: \ Program Files \ Microsoft Office Communicator \ Communicator.exe" (Kullanıcı 'Varsayılan kullanıcı')
O8 - Extra menü item: E & Microsoft Excel'e xport - res: / / C: \ progra ~ 1 \ intern mikro ~ 2 \ Office11 \ EXCEL.EXE/3000
O9 - Extra düğmesi: Araştırma - (92780B25-18CC-41C8-B9BE-3C9C571A8263) - C: \ progra ~ 1 \ intern mikro ~ 2 \ Office11 \ REFIEBAR.DLL
O9 - Extra düğmesi: @ C: \ Program Files \ Messenger \ Msgslang.dll, -61144 - (FB5F1910-F110-11D2-BB9E-00C04F795683) - C: \ Program Files \ Messenger \ msmsgs.exe
O9 - Extra 'Tools' MENUITEM: @ C: \ Program Files \ Messenger \ Msgslang.dll, -61144 - (FB5F1910-F110-11D2-BB9E-00C04F795683) - C: \ Program Files \ Messenger \ msmsgs.exe
O16 - DPF: (215B8138-A3CF-44C5-803F-8226143CFC0A) (Trend Micro ActiveX Scan Agent 6.6) -- http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O17 - HKLM \ System \ CCS \ Services \ Tcpip \ .. \ (B8E7B489-2160-4DE7-B592-9FD03D16CC74): Domain = keane.com
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C: \ Program Files \ Lavasoft \ Ad-Aware \ aawservice.exe
O23 - Service: Uygulama Yönetimi Hizmeti (AppMgSvc) - Bilinmeyen sahibi - C: \ Program.exe (eksik) dosyası
O23 - Service: BHCP Servisi (BHsrv) - Bilinmeyen sahibi - C: \ Program.exe (eksik) dosyası
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C: \ Program Files \ Common Files \ Symantec Shared \ ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C: \ Program Files \ Common Files \ Symantec Shared \ ccSetMgr.exe
O23 - Service: CentennialClientAgent - Asırlık Yazılım Limited - C: \ Centenn.ial \ Denetim \ CAgent32.exe
O23 - Service: CentennialIPTransferAgent - Asırlık Yazılım Limited - C: \ Centenn.ial \ Denetim \ xferwan.exe
O23 - Service: Müşteri Güncelleme Servisi Novell (cusrvc için) - Novell, Inc - C: \ WINDOWS \ system32 \ cusrvc.exe
O23 - Service: Cisco Systems, Inc VPN Hizmeti (CVPND) - Cisco Systems, Inc - C: \ Program Files \ Cisco VPN istemcisi \ cvpnd.exe
O23 - Service: Symantec AntiVirus Definition gözlemcisi (DefWatch) - Symantec Corporation - C: \ Program Files \ Symantec AntiVirus \ DefWatch.exe
O23 - Service: Intel (R) PROSet / Kablosuz Olay Günlüğü (EvtEng) - Intel Corporation - C: \ Program Files \ Intel \ Wireless \ Bin \ EvtEng.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C: \ WINDOWS \ system32 \ ibmpmsvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C: \ progra ~ 1 \ intern Symantec \ LIVEUP ~ 1 \ LUCOMS ~ 1.EXE
O23 - Service: Intel (R) PROSet / Kablosuz Kayıt Defteri Hizmeti (RegSrvc) - Intel Corporation - C: \ Program Files \ Intel \ Wireless \ Bin \ RegSrvc.exe
O23 - Service: Intel (R) PROSet / Kablosuz Servisi (S24EventMonitor) - Intel Corporation - C: \ Program Files \ Intel \ Wireless \ Bin \ S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - Symantec - C: \ Program Files \ Symantec AntiVirus \ SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C: \ Program Files \ Common Files \ Symantec Shared \ SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C: \ Program Files \ Common Files \ Symantec Shared \ SPBBC \ SPBBCSvc.exe
O23 - Service: Sistem Güncelleştirmesi (SUService) - Lenovo Group Limited - C: \ Program Files \ Lenovo \ system güncelleme \ suservice.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C: \ Program Files \ Symantec AntiVirus \ Rtvscan.exe
O23 - Service: ThinkVantage Kayıt Monitör Servisi - Lenovo Group Limited - C: \ Program Files \ Common Files \ Lenovo \ tvt_reg_monitor_svc.exe
O23 - Service: ThinkPad HDD APS Günlüğü Hizmeti (TPHDEXLGSVC) - Lenovo. - C: \ WINDOWS \ System32 \ TPHDEXLG.exe
O23 - Service: TVT Zamanlayıcısı - Lenovo Group Limited - C: \ Program Files \ Common Files \ Lenovo \ Zamanlayıcısı \ tvtsched.exe
O23 - Service: Symantec LiveState Temsilcisi (Windows için WControl) - Symantec Corporation - c: \ _integra \ bin \ ccmagent.exe
--
Dosya sonu - 8621 byte
#2
21 September 2008, 15:30
Moderator Group

IEXPLORER.EXE virus, pls review Hijack log

Download Malwarebytes' Anti-Malware (MBAM)
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with one of two prompts; click OK to either and let MBAM proceed with the disinfection process. If you are asked to restart the computer, please do so immediately.

#3
21 September 2008, 18:18
New Member Group

IEXPLORER.EXE virus, pls review Hijack log

No malware found, here is the report
-------------------------------------------------- ----
5/1/2600 Windows Service Pack 2
9/21/2008 6:16:07
mbam-log-2008-09-21 (18-16-07). txt
Tarama tipi: Hızlı Tarama
Nesneler taranabilir: 52621
Zaman geçti: 4 dakika (lar), 41 (lar) ikinci
Bellek Süreçleri Infected: 0
Memory Modules Infected: 0
Kayıt Anahtarları Infected: 0
Kayıt Defteri Değerleri Infected: 0
Registry Data Items Infected: 0
Klasörler Infected: 0
Dosyalar Infected: 0
Bellek Süreçleri Infected:
(Hayır zararlı öğeler tespit)
Memory Modules Infected:
(Hayır zararlı öğeler tespit)
Kayıt Anahtarları Infected:
(Hayır zararlı öğeler tespit)
Kayıt Defteri Değerleri Infected:
(Hayır zararlı öğeler tespit)
Registry Data Items Infected:
(Hayır zararlı öğeler tespit)
Klasörler Infected:
(Hayır zararlı öğeler tespit)
Dosyalar Infected:
(Hayır zararlı öğeler tespit)
#4
21 September 2008, 18:40
Moderator Group

IEXPLORER.EXE virus, pls review Hijack log

Neither log is showing any malware.

What's happening?

#5
21 September 2008, 19:23
New Member Group

IEXPLORER.EXE virus, pls review Hijack log

Multiple IEXPLORER.EXE processes are spawning in the process list. If I kill them one by one, they pop right back up. Sometimes I also hear sounds as if a browser window were running, but none is visible. Something is definitely wrong here; they shouldn't be there.
#6
21 September 2008, 19:26
Moderator Group

IEXPLORER.EXE virus, pls review Hijack log

Download ComboFix from one of the links below. Be sure to save it to your Desktop.

Link #1
Link #2

** Note: It is important that it is saved directly to your Desktop.

Close any open web browsers (Firefox, Internet Explorer, etc.) before starting ComboFix.

Temporarily disable your antivirus and any antispyware real-time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

Double-click combofix.exe and follow the prompts.
When ComboFix has finished, it will produce a log for you.
Post the ComboFix log and a new HijackThis log in your next reply.

Important: Do not click inside the ComboFix window while it is running. This may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

#7
21 September 2008, 19:42
New Member Group

IEXPLORER.EXE virus, pls review Hijack log

ComboFix Log
-----------------------
ComboFix 08-09-20.05 - 012466 2008-09-21 19:31:50.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.473 [GMT -7:00]
Koşturuyorlar: C: \ Keanetools \ ComboFix.exe
* Yeni bir geri yükleme noktası Oluşturuldu
UYARI-Bu makine değil HAVEN'T Kurtarma Konsolu'nu Installed!
.
((((((((((((((((((((((((((((((((((((((( Diğer Deletions ))))))))) ))))))))))))))))))))))))))))))))))))))))
.
C: \ Documents and Settings \ LocalService \ Çerezler \ am system@ad.yieldmanag [1]. Txt
C: \ WINDOWS \ system32 \ x64
.
((((((((((((((((((((((((((((((((((((((( Sürücüler / Hizmetler )))))))) )))))))))))))))))))))))))))))))))))))))))
.
------- \ Legacy_BHSRV
------- \ Service_BHsrv

((((((((((((((((((((((((( Dosyalar 2008/08/22 için 2008/09/22 ))))))))))) kimden Oluşturuldu ))))))))))))))))))))
.
2008-09-21 18:09. 2008/09/21 18:10 <DIR> D -------- C: \ Program Files \ Malwarebytes' Anti-Malware
2008-09-21 18:09. 2008/09/21 18:09 <DIR> D -------- C: \ Documents and Settings \ All Users \ Application Data \ Malwarebytes
2008-09-21 18:09. 2008/09/21 18:09 <DIR> D -------- C: \ Documents and Settings \012466 \ Application Data \ Malwarebytes
2008-09-21 18:09. 2008/09/10 00:04 38528 - a ------ C: \ WINDOWS \ system32 \ drivers \ mbamswissarmy.sys
2008-09-21 18:09. 2008/09/10 00:03 17200 - a ------ C: \ WINDOWS \ system32 \ drivers \ mbam.sys
2008-09-21 11:07. 2008/09/21 11:07 <DIR> D -------- C: \ Program Files \ Lavasoft
2008-09-21 11:07. 2008/09/21 11:08 <DIR> D -------- C: \ Documents and Settings \ All Users \ Application Data \ Lavasoft
2008-09-21 11:06. 2008/09/21 11:06 <DIR> D -------- C: \ Program Files \ Common Files \ Wise Kurulum Sihirbazı
2008-09-20 23:40. 2008/09/20 23:40 <DIR> D -------- C: \ Program Files \ Trend Micro
2008/09/19 09:03. 2008/09/19 09:08 <DIR> D -------- C: \ WINDOWS \ SxsCaPendDel
2008-09-19 00:49. 2008/09/19 00:52 <DIR> D -------- C: \ Documents and Settings \012466 \. Housecall6.6
2008-09-19 00:27. 2008/09/19 09:04 <DIR> da ------ C: \ Documents and Settings \ All Users \ Application Data \ TEMP
2008-09-18 20:25. 2002/02/04 06:22 1230336 - a ------ C: \ Windows \ system32 \ msxml4.dll
2008-09-18 20:25. 2007/09/14 05:01 922.920 --------- C: \ WINDOWS \ system32 \ ahlprun.exe
2008-09-18 20:25. 2002/02/04 06:13 82432 - a ------ C: \ WINDOWS \ system32 \ msxml4r.dll
2008-09-18 20:25. 2002/02/04 06:13 44544 - a ------ C: \ WINDOWS \ system32 \ msxml4a.dll
2008-09-18 20:25. 2002/02/07 18:43 9679 - a ------ C: \ WINDOWS \ system32 \ msxml4r.cat
2008-09-18 20:25. 2002/02/07 18:43 9675 - a ------ C: \ WINDOWS \ system32 \ msxml4.cat
2008-09-18 20:25. 2002/02/06 20:31 3489 - a ------ C: \ WINDOWS \ system32 \ msxml4.Manifest
2008-09-18 20:25. 2002/02/06 20:31 500 - a ------ C: \ WINDOWS \ system32 \ msxml4r.Manifest
2008-09-18 20:21. 2008/09/18 20:21 <DIR> D -------- C: \ Program Files \ Common Files \ Lenovo
2008-09-18 18:27. 2008/09/21 11:54 21272 - a ------ C: \ WINDOWS \ system32 \ bynpea.key
2008-09-18 18:25. 2008/09/18 18:25 1 - a ------ C: \ WINDOWS \ system32 \004fdb9.imi
2008-09-15 14:23. 2008/09/15 14:23 332800 --- HS ---- C: \ WINDOWS \ system32 \ _Bhsrv.msi
2008-09-15 12:15. 2008/09/18 15:57 69942 - a ------ C: \ WINDOWS \ system32 \ rrjack.key
2008-09-15 12:15. 2008/09/15 12:15 1 - a ------ C: \ WINDOWS \ system32 \0048444.imi
2008-09-13 19:27. 2008/09/13 19:27 24 - a ------ C: \ WINDOWS \ cdplayer.ini
2008-09-13 19:26. 2008/09/13 19:26 <DIR> D -------- C: \ Program Files \ Real
2008-09-13 19:26. 2008/09/13 19:26 <DIR> D -------- C: \ Program Files \ Common Files \ paylaşılan XING
2008-09-13 19:26. 2008/09/13 19:26 <DIR> D -------- C: \ Program Files \ Common Files \ Real
.
(((((((((((((((((((((((((((((((((((((((( Find3M Rapor )))))))) ))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-22 02:33 --------- ----- D W C: \ Program Files \ Symantec AntiVirus
2008-09-22 02:33 --------- ----- D W C: \ Program Files \ Cisco VPN istemcisi
2008/09/21 18:56 16 - Sh - r C: \ MSCIOTL.SYS
2008/09/21 18:55 8416 ---- Aw C: \ WINDOWS \ system32 \ drivers \ CDProbe.SYS
2008/09/20 19:26 430816 - SH - W C: \ Program Files \ _MsInfo.msi
2008-09-19 03:25 --------- d - S - W C: \ Program Files \ InstallShield Yükleme Bilgileri
2008-09-19 03:25 --------- ----- D W C: \ Program Files \ ThinkVantage
2008-09-19 03:21 --------- ----- D W C: \ Program Files \ Lenovo
.
((((((((((((((((((((((((((((((((((((( Reg Loading Puan )))))))))) ))))))))))))))))))))))))))))))))))))))))
.
.
* Not * boş girişler ve yasal varsayılan girişler gösterilir değildir
REGEDIT4
[HKEY_CURRENT_USER \ Software \ Microsoft \ Windows \ Curre ntVersion \ Run]
"ctfmon.exe" = "C: \ Windows \ system32 \ ctfmon.exe" [2004-08-04 15360]
"Yahoo! Çağrı" = "C: \ Program Files \ Yahoo! \ Messenger \ YahooMessenger.exe" [2007-08-30 4670704]
[HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ Curr entVersion \ Run]
"IgfxTray" = "C: \ Windows \ system32 \ igfxtray.exe" [2007-08-15 141848]
"HotKeysCmds" = "C: \ Windows \ system32 \ hkcmd.exe" [2007-08-15 162328]
"Persistence" = "C: \ Windows \ system32 \ igfxpers.ex e" [2007-08-15 137752]
"ccApp" = "C: \ Program Files \ Common Files \ Symantec Shared \ ccApp.exe" [2006-03-24 53408]
"vptray" = "C: \ progra ~ 1 \ intern SYMANT ~ 1 \ VPTray.exe" [2006-06-14 124656]
"TPHOTKEY" = "C: \ Program Files \ Lenovo \ Hotkey \ TPOSDSVC.exe" [2007-03-09 66176]
"UpdateManager" = "C: \ Program Files \ Common Files \ Sonic \ Update Manager \ sgtray.exe" [2003-08-18 110592]
"dla" = "C: \ Windows \ system32 \ dla \ tfswctrl.exe" [2005-05-19 127037]
"EZEJMNAP" = "C: \ progra ~ 1 \ intern ThinkPad \ UTILIT ~ 1 \ EzEjMnAp. Exe" [2007-04-26 243248]
"LPManager" = "C: \ progra ~ 1 \ intern THINKV ~ 1 \ PrdCtr \ LPMGR.exe" [2007-03-22 120368]
"TVT Zamanlayıcısı Proxy" = "C: \ Program Files \ Common Files \ Lenovo \ Zamanlayıcısı \ scheduler_proxy.exe" [2008-03-04 487424]
"TkBellExe" = "C: \ Program Files \ Common Files \ Real \ Update_OB \ realsched.exe" [2008-09-13 185896]
"TrackPointSrv" = "tp4mon.exe" [2004/08/03 C: \ WINDOWS \ system32 \ tp4mon.exe]
"NWTRAY" = "NWTRAY.EXE" [2002/03/12 C: \ WINDOWS \ system32 \ nwtray.exe]
"TpShocks" = "TpShocks.exe" [2007/03/29 C: \ WINDOWS \ system32 \ TpShocks.exe]
[HKEY_USERS \. DEFAULT \ Software \ Microsoft \ Windows \ Cur rentVersion \ Run]
"Communicator" = "C: \ Program Files \ Microsoft Office Communicator \ Communicator.exe" [2005-05-12 4167376]
[HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Windows \ curr entversion \ Policies \ System]
"CompatibleRUPSecurity" = 1 (0x1)
[HKEY_USERS \. DEFAULT \ Software \ Microsoft \ Windows \ fark rentversion \ Policies \ Explorer]
"StartMenuLogOff" = 1 (0x1)
[HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Windows NT \ CurrentVersion \ Winlogon \ Notify \ tpfnf2]
2006/09/06 13:37 34344 C: \ Program Files \ Lenovo \ Hotkey \ notifyf2.dll
[HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Windows NT \ CurrentVersion \ Winlogon \ Notify \ tphotkey]
2006/12/14 08:06 28672 C: \ Program Files \ Lenovo \ Hotkey \ tphklock.dll
[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ contro L \ LSA]
Doğrulama paketleri REG_MULTI_SZ msv1_0 nwv1_0
[HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Security Center \ Monitoring \ SymantecAntiVirus]
"DisableMonitoring" = dword: 00000001
[HKLM \ ~ \ Services \ SharedAccess \ Parameters \ firewallpo licy \ standardprofile \ AuthorizedApplications \ Listesi]
"% windir% \ \ system32 \ \" = Sessmgr.exe
"C: \ \ Program Files \ \ Yahoo! \ \ Messenger \ \ YahooMessenger.exe" =
"C: \ \ Program Files \ \ Yahoo! \ \ Messenger \ \ YServer.exe" =
R0 Shockprf; Shockprf; C: \ Windows \ System32 \ drivers \ Apsx 86.sys [2007-03-02 100656]
R0 TPDIGIMN; TPDIGIMN; C: \ Windows \ System32 \ drivers \ ApsH M86.sys [2007-03-02 19760]
R2 smefs; SMEFileSystem; C: \ WINDOWS \ system32 \ drivers \ SM efs.sys [2006-02-08 20508]
R3 CdProbe; CdProbe; C: \ Windows \ System32 \ drivers \ cdprob e.sys [2008/09/21 8416]
R3 smedrv; SMEDriver; C: \ WINDOWS \ system32 \ drivers \ smedr v.sys [2006/02/08 9516]
S2 AppMgSvc; Uygulama Yönetimi Hizmeti; C: \ Program Files \ Common Files \ Microsoft Shared \ MSINFO \ MsInfo.msi [2008-09-20 430816]
S2 yraebbgi; yraebbgi; C: \ WINDOWS \ system32 \ drivers \ bynp ea.sys []
S2 yrtxzgwh; yrtxzgwh; C: \ WINDOWS \ system32 \ drivers \ rrja ck.sys []
[HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Windows NT \ CurrentVersion \ Svchost]
REG_MULTI_SZ wrtxzg wrtxzg
REG_MULTI_SZ nraebb nraebb
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main, Start Page = hxxp: / / www.google.com/
O8 -: E & Microsoft Excel'e xport - C: \ progra ~ 1 \ intern mikro ~ 2 \ Office11 \ EXCEL.EXE/3000
.
************************************************** ************************
catchme 0.3.1361 W2K/XP/Vista - Rootkit / gizli kötü amaçlı yazılım dedektör Gmer tarafından, http://www.gmer.net
Rootkit 2008/09/21 19:35:12 tarama
5/1/2600 Windows Service Pack 2 NTFS
gizli işlemler tarama ...
Gizli kayıtları otomatik tarama ...
Gizli dosya tarama ...
başarıyla tamamlandı tarama
Gizli dosya: 0
************************************************** ************************
[HKEY_LOCAL_MACHINE \ SYSTEM \ ControlSet001 \ Services \ A ppMgSvc]
"ImagePath" = "C: \ Program Files \ Common Files \ Microsoft Shared \ MSINFO \ MsInfo.msi"
.
--------------------- DLL Yüklü çalışan süreçleri altında ---------------------
SÜRECİ: C: \ WINDOWS \ system32 \ winlogon.exe
-> C: \ Program Files \ Lenovo \ Hotkey \ tphklock.dll
.
------------------------ Diğer çalışan süreçleri ----------------------- --
.
C: \ WINDOWS \ system32 \ ibmpmsvc.exe
C: \ Program Files \ Intel \ Wireless \ Bin \ S24EvMon.exe
C: \ Program Files \ Common Files \ Symantec Shared \ ccSetMgr.exe
C: \ Program Files \ Common Files \ Symantec Shared \ ccEvtMgr.exe
C: \ Program Files \ Common Files \ Symantec Shared \ SPBBC \ SPBBCSvc.exe
C: \ Program Files \ Lavasoft \ Ad-Aware \ aawservice.exe
C: \ _integra \ bin \ shstart.exe
C: \ WINDOWS \ system32 \ igfxsrvc.exe
C: \ Program Files \ Lenovo \ Hotkey \ TPONSCR.exe
C: \ Program Files \ Lenovo \ ZOOM \ TpScrex.exe
C: \ Program Files \ Symantec AntiVirus \ DoScan.exe
C: \ Program Files \ Internet Explorer \ IEXPLORE.EXE
C: \ CENTENN.IAL \ DENETİM \ CAgent32.exe
C: \ CENTENN.IAL \ DENETİM \ xferwan.exe
C: \ Program Files \ Cisco VPN istemcisi \ cvpnd.exe
C: \ Program Files \ Symantec AntiVirus \ DefWatch.exe
C: \ Program Files \ Intel \ Wireless \ Bin \ EvtEng.exe
C: \ Program Files \ Common Files \ Microsoft Shared \ VS7DEBUG \ MDM.EXE
C: \ Program Files \ Intel \ Wireless \ Bin \ RegSrvc.exe
C: \ Program Files \ Yahoo! \ Messenger \ Ymsgr_tray.exe
C: \ WINDOWS \ system32 \ calc.exe
C: \ Program Files \ Symantec AntiVirus \ SavRoam.exe
C: \ Program Files \ Symantec AntiVirus \ Rtvscan.exe
C: \ Program Files \ Common Files \ Lenovo \ tvt_reg_monitor_svc.exe
C: \ WINDOWS \ system32 \ TPHDEXLG.exe
C: \ Program Files \ Common Files \ Lenovo \ Zamanlayıcısı \ tvtsched.exe
C: \ _integra \ bin \ ccmagent.exe
C: \ Program Files \ Lenovo \ System Update \ SUService.exe
C: \ WINDOWS \ system32 \ wscntfy.exe
C: \ ComboFix \ pv.cfexe
.
************************************************** ************************
.
Tamamlanma süresi: 2008/09/21 19:36:58 - makine yeniden başlatılması oldu
ComboFix-karantinaya-files.txt 2008/09/22 02:36:54
Ön Çalıştır'ı: 64333811712 bayt boş
Post-Run: 64523264000 bayt boş
175





HijackThis Log
-----------------------------------
Logfile Trend Micro HijackThis v2.0.2 ve
Tarama 7:38:41 at 9/21/2008 kayıtlı
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot modu: Normal
Çalışan süreçleri:
C: \ WINDOWS \ System32 \ Smss.exe
C: \ WINDOWS \ system32 \ winlogon.exe
C: \ WINDOWS \ system32 \ Services.exe
C: \ WINDOWS \ system32 \ lsass.exe
C: \ WINDOWS \ system32 \ ibmpmsvc.exe
C: \ WINDOWS \ system32 \ svchost.exe
C: \ Program Files \ Intel \ Wireless \ Bin \ S24EvMon.exe
C: \ WINDOWS \ system32 \ svchost.exe
C: \ Program Files \ Common Files \ Symantec Shared \ ccSetMgr.exe
C: \ Program Files \ Common Files \ Symantec Shared \ ccEvtMgr.exe
C: \ Program Files \ Common Files \ Symantec Shared \ SPBBC \ SPBBCSvc.exe
C: \ Program Files \ Lavasoft \ Ad-Aware \ aawservice.exe
C: \ WINDOWS \ system32 \ spoolsv.exe
c: \ _integra \ bin \ shstart.exe
C: \ WINDOWS \ system32 \ tp4mon.exe
C: \ WINDOWS \ system32 \ igfxtray.exe
C: \ WINDOWS \ system32 \ hkcmd.exe
C: \ WINDOWS \ system32 \ igfxpers.exe
C: \ WINDOWS \ system32 \ NWTRAY.EXE
C: \ Program Files \ Common Files \ Symantec Shared \ ccApp.exe
C: \ progra ~ 1 \ intern SYMANT ~ 1 \ VPTray.exe
C: \ WINDOWS \ system32 \ igfxsrvc.exe
C: \ Program Files \ Lenovo \ Hotkey \ TPOSDSVC.exe
C: \ WINDOWS \ system32 \ dla \ tfswctrl.exe
C: \ progra ~ 1 \ intern ThinkPad \ UTILIT ~ 1 \ EzEjMnAp.Exe
C: \ Program Files \ Lenovo \ Hotkey \ TPONSCR.exe
C: \ Program Files \ Lenovo \ Zoom \ TpScrex.exe
C: \ progra ~ 1 \ intern THINKV ~ 1 \ PrdCtr \ LPMGR.exe
C: \ WINDOWS \ system32 \ TpShocks.exe
C: \ Program Files \ Common Files \ Lenovo \ Zamanlayıcısı \ scheduler_proxy.exe
C: \ Program Files \ Common Files \ Real \ Update_OB \ realsched.exe
C: \ WINDOWS \ system32 \ ctfmon.exe
C: \ Program Files \ Internet Explorer \ IEXPLORE.EXE
C: \ WINDOWS \ system32 \ svchost.exe
C: \ Centenn.ial \ Denetim \ CAgent32.exe
C: \ Centenn.ial \ Denetim \ xferwan.exe
C: \ Program Files \ Cisco VPN istemcisi \ cvpnd.exe
C: \ Program Files \ Symantec AntiVirus \ DefWatch.exe
C: \ Program Files \ Intel \ Wireless \ Bin \ EvtEng.exe
C: \ Program Files \ Common Files \ Microsoft Shared \ VS7DEBUG \ MDM.EXE
C: \ Program Files \ Intel \ Wireless \ Bin \ RegSrvc.exe
C: \ Program Files \ Yahoo! \ Messenger \ ymsgr_tray.exe
C: \ WINDOWS \ system32 \ calc.exe
C: \ Program Files \ Symantec AntiVirus \ SavRoam.exe
C: \ Program Files \ Symantec AntiVirus \ Rtvscan.exe
C: \ Program Files \ Common Files \ Lenovo \ tvt_reg_monitor_svc.exe
C: \ WINDOWS \ System32 \ TPHDEXLG.exe
C: \ Program Files \ Common Files \ Lenovo \ Zamanlayıcısı \ tvtsched.exe
c: \ _integra \ bin \ ccmagent.exe
C: \ Program Files \ Lenovo \ system güncelleme \ suservice.exe
C: \ WINDOWS \ system32 \ wscntfy.exe
C: \ WINDOWS \ system32 \ wuauclt.exe
C: \ WINDOWS \ system32 \ wuauclt.exe
C: \ WINDOWS \ Explorer.exe
C: \ Program Files \ Trend Micro \ HijackThis \ HijackThis.exe
R1 - HKLM \ Software \ Microsoft \ Internet Explorer \ Main, Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM \ Software \ Microsoft \ Internet Explorer \ Main, Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM \ Software \ Microsoft \ Internet Explorer \ Main, Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Sınıf - (06849E9F-C8D7-4D59-B87D-784B7D6BE0B3) - C: \ Program Files \ Adobe \ Acrobat 7.0 \ ActiveX \ AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - (5CA3D70E-1895-11CF-8E15-001234567890) - C: \ WINDOWS \ system32 \ dla \ tfswshx.dll
O4 - HKLM \ .. \ Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM \ .. \ Run: [IgfxTray] C: \ WINDOWS \ system32 \ igfxtray.exe
O4 - HKLM \ .. \ Run: [HotKeysCmds] C: \ WINDOWS \ system32 \ hkcmd.exe
O4 - HKLM \ .. \ Run: [Persistence] C: \ WINDOWS \ system32 \ igfxpers.exe
O4 - HKLM \ .. \ Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM \ .. \ Run: [ccApp] "C: \ Program Files \ Common Files \ Symantec Shared \ ccApp.exe"
O4 - HKLM \ .. \ Run: [vptray] C: \ progra ~ 1 \ intern SYMANT ~ 1 \ VPTray.exe
O4 - HKLM \ .. \ Run: [TPHOTKEY] C: \ Program Files \ Lenovo \ Hotkey \ TPOSDSVC.exe
O4 - HKLM \ .. \ Run: [UpdateManager] "C: \ Program Files \ Common Files \ Sonic \ Update Manager \ sgtray.exe" / r
O4 - HKLM \ .. \ Run: [dla] C: \ WINDOWS \ system32 \ dla \ tfswctrl.exe
O4 - HKLM \ .. \ Run: [EZEJMNAP] C: \ progra ~ 1 \ intern ThinkPad \ UTILIT ~ 1 \ EzEjMnAp.Exe
O4 - HKLM \ .. \ Run: [LPManager] C: \ progra ~ 1 \ intern THINKV ~ 1 \ PrdCtr \ LPMGR.exe
O4 - HKLM \ .. \ Run: [TpShocks] TpShocks.exe
O4 - HKLM \ .. \ Run: [TVT Zamanlayıcısı Proxy] C: \ Program Files \ Common Files \ Lenovo \ Zamanlayıcısı \ scheduler_proxy.exe
O4 - HKLM \ .. \ Run: [TkBellExe] "C: \ Program Files \ Common Files \ Real \ Update_OB \ realsched.exe"-osboot
O4 - HKCU \ .. \ Run: [ctfmon.exe] C: \ WINDOWS \ system32 \ ctfmon.exe
O4 - HKCU \ .. \ Run: [Yahoo! Çağrı] "C: \ Program Files \ Yahoo! \ Messenger \ YahooMessenger.exe"-sessiz
O4 - HKUS \ S-1-5-19 \ .. \ Run: [Communicator] "C: \ Program Files \ Microsoft Office Communicator \ Communicator.exe" (User 'LOCAL SERVICE')
O4 - HKUS \ S-1-5-20 \ .. \ Run: [Communicator] "C: \ Program Files \ Microsoft Office Communicator \ Communicator.exe" (User 'NETWORK SERVICE')
O4 - HKUS \ S-1-5-18 \ .. \ Run: [Communicator] "C: \ Program Files \ Microsoft Office Communicator \ Communicator.exe" (Kullanıcı 'SİSTEM')
O4 - HKUS \. DEFAULT \ .. \ Run: [Communicator] "C: \ Program Files \ Microsoft Office Communicator \ Communicator.exe" (Kullanıcı 'Varsayılan kullanıcı')
O8 - Extra menü item: E & Microsoft Excel'e xport - res: / / C: \ progra ~ 1 \ intern mikro ~ 2 \ Office11 \ EXCEL.EXE/3000
O9 - Extra düğmesi: Araştırma - (92780B25-18CC-41C8-B9BE-3C9C571A8263) - C: \ progra ~ 1 \ intern mikro ~ 2 \ Office11 \ REFIEBAR.DLL
O9 - Extra düğmesi: @ C: \ Program Files \ Messenger \ Msgslang.dll, -61144 - (FB5F1910-F110-11D2-BB9E-00C04F795683) - C: \ Program Files \ Messenger \ msmsgs.exe
O9 - Extra 'Tools' MENUITEM: @ C: \ Program Files \ Messenger \ Msgslang.dll, -61144 - (FB5F1910-F110-11D2-BB9E-00C04F795683) - C: \ Program Files \ Messenger \ msmsgs.exe
O16 - DPF: (215B8138-A3CF-44C5-803F-8226143CFC0A) (Trend Micro ActiveX Scan Agent 6.6) -- http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O17 - HKLM \ System \ CCS \ Services \ Tcpip \ .. \ (B8E7B489-2160-4DE7-B592-9FD03D16CC74): Domain = keane.com
O17 - HKLM \ System \ CCS \ Services \ Tcpip \ .. \ (D239A412-22C2-4683-95BC-1FFAA687D0DF): NameServer = 172.21.18.101,172.21.18.102
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C: \ Program Files \ Lavasoft \ Ad-Aware \ aawservice.exe
O23 - Service: Uygulama Yönetimi Hizmeti (AppMgSvc) - Bilinmeyen sahibi - C: \ Program.exe (eksik) dosyası
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C: \ Program Files \ Common Files \ Symantec Shared \ ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C: \ Program Files \ Common Files \ Symantec Shared \ ccSetMgr.exe
O23 - Service: CentennialClientAgent - Asırlık Yazılım Limited - C: \ Centenn.ial \ Denetim \ CAgent32.exe
O23 - Service: CentennialIPTransferAgent - Asırlık Yazılım Limited - C: \ Centenn.ial \ Denetim \ xferwan.exe
O23 - Service: Müşteri Güncelleme Servisi Novell (cusrvc için) - Novell, Inc - C: \ WINDOWS \ system32 \ cusrvc.exe
O23 - Service: Cisco Systems, Inc VPN Hizmeti (CVPND) - Cisco Systems, Inc - C: \ Program Files \ Cisco VPN istemcisi \ cvpnd.exe
O23 - Service: Symantec AntiVirus Definition gözlemcisi (DefWatch) - Symantec Corporation - C: \ Program Files \ Symantec AntiVirus \ DefWatch.exe
O23 - Service: Intel (R) PROSet / Kablosuz Olay Günlüğü (EvtEng) - Intel Corporation - C: \ Program Files \ Intel \ Wireless \ Bin \ EvtEng.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C: \ WINDOWS \ system32 \ ibmpmsvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C: \ progra ~ 1 \ intern Symantec \ LIVEUP ~ 1 \ LUCOMS ~ 1.EXE
O23 - Service: Intel (R) PROSet / Kablosuz Kayıt Defteri Hizmeti (RegSrvc) - Intel Corporation - C: \ Program Files \ Intel \ Wireless \ Bin \ RegSrvc.exe
O23 - Service: Intel (R) PROSet / Kablosuz Servisi (S24EventMonitor) - Intel Corporation - C: \ Program Files \ Intel \ Wireless \ Bin \ S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - Symantec - C: \ Program Files \ Symantec AntiVirus \ SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C: \ Program Files \ Common Files \ Symantec Shared \ SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C: \ Program Files \ Common Files \ Symantec Shared \ SPBBC \ SPBBCSvc.exe
O23 - Service: Sistem Güncelleştirmesi (SUService) - Lenovo Group Limited - C: \ Program Files \ Lenovo \ system güncelleme \ suservice.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C: \ Program Files \ Symantec AntiVirus \ Rtvscan.exe
O23 - Service: ThinkVantage Kayıt Monitör Servisi - Lenovo Group Limited - C: \ Program Files \ Common Files \ Lenovo \ tvt_reg_monitor_svc.exe
O23 - Service: ThinkPad HDD APS Günlüğü Hizmeti (TPHDEXLGSVC) - Lenovo. - C: \ WINDOWS \ System32 \ TPHDEXLG.exe
O23 - Service: TVT Zamanlayıcısı - Lenovo Group Limited - C: \ Program Files \ Common Files \ Lenovo \ Zamanlayıcısı \ tvtsched.exe
O23 - Service: Symantec LiveState Temsilcisi (Windows için WControl) - Symantec Corporation - c: \ _integra \ bin \ ccmagent.exe
--
Dosya sonu - 8581 byte
#8
21 September 2008, 21:24
Moderator Group

IEXPLORER.EXE virus pls review Hijack log

Note: The instructions below have been created specifically for this user. If you are not this user, DON'T follow these instructions, as they could damage the workings of your system.

Delete these files / folders as follows:

1. Go to Start > Run > Type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy all the text in the code box below by highlighting it and pressing Ctrl + C

Code:
Killall::

Driver::
BHSRV
BHsrv

File::
C:\WINDOWS\system32\bynpea.key
C:\WINDOWS\system32\004fdb9.imi
C:\WINDOWS\system32\_Bhsrv.msi
C:\WINDOWS\system32\rrjack.key
C:\WINDOWS\system32\0048444.imi
C:\WINDOWS\system32\drivers\bynpea.sys
C:\WINDOWS\system32\drivers\rrjack.sys
C:\WINDOWS\system32\calc.exe

3. Click in the Notepad window and go to Edit > Paste
4. Then File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag CFScript (hold the left mouse button down while dragging the file) and drop it (release the left mouse button) onto ComboFix.exe, as you can see in the screenshot below. Important: Carry out the instruction carefully!

ComboFix will start to run; just follow the prompts.
After the reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Note: Do not click in the ComboFix window while it is running. This may cause your system to freeze.
__________________

#9
21 September 2008, 22:20
New Member Group

IEXPLORER.EXE virus pls review Hijack log

ComboFix log after running CFScript
-------------------------------------------------- --------
ComboFix 08-09-20.05 - 012466 2008-09-21 22:11:45.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.598 [GMT -7:00]
Koşturuyorlar: C: \ Keanetools \ ComboFix.exe
Komuta kullanılan anahtarlar:: C: \ Documents and Settings \012466 \ Desktop \ CFScript.txt
* Yeni bir geri yükleme noktası Oluşturuldu
UYARI-Bu makine değil HAVEN'T Kurtarma Konsolu'nu Installed!
Resim::
C: \ WINDOWS \ system32 \ _Bhsrv.msi
C: \ WINDOWS \ system32 \0048444.imi
C: \ WINDOWS \ system32 \004fdb9.imi
C: \ WINDOWS \ system32 \ bynpea.key
C: \ WINDOWS \ system32 \ calc.exe
C: \ WINDOWS \ system32 \ drivers \ bynpea.sys
C: \ WINDOWS \ system32 \ drivers \ rrjack.sys
C: \ WINDOWS \ system32 \ rrjack.key
.
((((((((((((((((((((((((((((((((((((((( Diğer Deletions ))))))))) ))))))))))))))))))))))))))))))))))))))))
.
C: \ WINDOWS \ system32 \ _Bhsrv.msi
C: \ WINDOWS \ system32 \0048444.imi
C: \ WINDOWS \ system32 \004fdb9.imi
C: \ WINDOWS \ system32 \ bynpea.key
C: \ WINDOWS \ system32 \ calc.exe
C: \ WINDOWS \ system32 \ rrjack.key
.
((((((((((((((((((((((((( Dosyalar 2008/08/22 için 2008/09/22 ))))))))))) kimden Oluşturuldu ))))))))))))))))))))
.
2008-09-21 18:09. 2008/09/21 18:10 <DIR> D -------- C: \ Program Files \ Malwarebytes' Anti-Malware
2008-09-21 18:09. 2008/09/21 18:09 <DIR> D -------- C: \ Documents and Settings \ All Users \ Application Data \ Malwarebytes
2008-09-21 18:09. 2008/09/21 18:09 <DIR> D -------- C: \ Documents and Settings \012466 \ Application Data \ Malwarebytes
2008-09-21 18:09. 2008/09/10 00:04 38528 - a ------ C: \ WINDOWS \ system32 \ drivers \ mbamswissarmy.sys
2008-09-21 18:09. 2008/09/10 00:03 17200 - a ------ C: \ WINDOWS \ system32 \ drivers \ mbam.sys
2008-09-21 11:07. 2008/09/21 11:07 <DIR> D -------- C: \ Program Files \ Lavasoft
2008-09-21 11:07. 2008/09/21 11:08 <DIR> D -------- C: \ Documents and Settings \ All Users \ Application Data \ Lavasoft
2008-09-21 11:06. 2008/09/21 11:06 <DIR> D -------- C: \ Program Files \ Common Files \ Wise Kurulum Sihirbazı
2008-09-20 23:40. 2008/09/20 23:40 <DIR> D -------- C: \ Program Files \ Trend Micro
2008/09/19 09:03. 2008/09/19 09:08 <DIR> D -------- C: \ WINDOWS \ SxsCaPendDel
2008-09-19 00:49. 2008/09/19 00:52 <DIR> D -------- C: \ Documents and Settings \012466 \. Housecall6.6
2008-09-19 00:27. 2008/09/19 09:04 <DIR> da ------ C: \ Documents and Settings \ All Users \ Application Data \ TEMP
2008-09-18 20:25. 2002/02/04 06:22 1230336 - a ------ C: \ Windows \ system32 \ msxml4.dll
2008-09-18 20:25. 2007/09/14 05:01 922.920 --------- C: \ WINDOWS \ system32 \ ahlprun.exe
2008-09-18 20:25. 2002/02/04 06:13 82432 - a ------ C: \ WINDOWS \ system32 \ msxml4r.dll
2008-09-18 20:25. 2002/02/04 06:13 44544 - a ------ C: \ WINDOWS \ system32 \ msxml4a.dll
2008-09-18 20:25. 2002/02/07 18:43 9679 - a ------ C: \ WINDOWS \ system32 \ msxml4r.cat
2008-09-18 20:25. 2002/02/07 18:43 9675 - a ------ C: \ WINDOWS \ system32 \ msxml4.cat
2008-09-18 20:25. 2002/02/06 20:31 3489 - a ------ C: \ WINDOWS \ system32 \ msxml4.Manifest
2008-09-18 20:25. 2002/02/06 20:31 500 - a ------ C: \ WINDOWS \ system32 \ msxml4r.Manifest
2008-09-18 20:21. 2008/09/18 20:21 <DIR> D -------- C: \ Program Files \ Common Files \ Lenovo
2008-09-13 19:27. 2008/09/13 19:27 24 - a ------ C: \ WINDOWS \ cdplayer.ini
2008-09-13 19:26. 2008/09/13 19:26 <DIR> D -------- C: \ Program Files \ Real
2008-09-13 19:26. 2008/09/13 19:26 <DIR> D -------- C: \ Program Files \ Common Files \ paylaşılan XING
2008-09-13 19:26. 2008/09/13 19:26 <DIR> D -------- C: \ Program Files \ Common Files \ Real
.
(((((((((((((((((((((((((((((((((((((((( Find3M Rapor )))))))) ))))))))))))))))))))))))))))))))))))))))))))
.
2008/09/22 05:14 8416 ---- Aw C: \ WINDOWS \ system32 \ drivers \ CDProbe.SYS
2008/09/22 05:14 16 - Sh - r C: \ MSCIOTL.SYS
2008-09-22 05:14 --------- ----- D W C: \ Program Files \ Symantec AntiVirus
2008-09-22 03:07 --------- ----- D W C: \ Program Files \ Cisco VPN istemcisi
2008/09/20 19:26 430816 - SH - W C: \ Program Files \ _MsInfo.msi
2008-09-19 03:25 --------- d - S - W C: \ Program Files \ InstallShield Yükleme Bilgileri
2008-09-19 03:25 --------- ----- D W C: \ Program Files \ ThinkVantage
2008-09-19 03:21 --------- ----- D W C: \ Program Files \ Lenovo
.
((((((((((((((((((((((((((((( Snapshot@2008-09-21_19.36.38.64 )))))))))) )))))))))))))))))))))))))))))))
.
- 2008/09/21 18:59:45 71.370 ---- Aw C: \ WINDOWS \ system32 \ Perfc009.dat
+ 2008/09/22 02:39:43 71.370 ---- Aw C: \ WINDOWS \ system32 \ Perfc009.dat
- 2008/09/21 18:59:45 439832 ---- Aw C: \ WINDOWS \ system32 \ Perfh009.dat
+ 2008/09/22 02:39:43 439832 ---- Aw C: \ WINDOWS \ system32 \ Perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Puan )))))))))) ))))))))))))))))))))))))))))))))))))))))
.
.
* Not * boş girişler ve yasal varsayılan girişler gösterilir değildir
REGEDIT4
[HKEY_CURRENT_USER \ Software \ Microsoft \ Windows \ Curre ntVersion \ Run]
"ctfmon.exe" = "C: \ Windows \ system32 \ ctfmon.exe" [2004-08-04 15360]
"Yahoo! Çağrı" = "C: \ Program Files \ Yahoo! \ Messenger \ YahooMessenger.exe" [2007-08-30 4670704]
[HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ Curr entVersion \ Run]
"IgfxTray" = "C: \ Windows \ system32 \ igfxtray.exe" [2007-08-15 141848]
"HotKeysCmds" = "C: \ Windows \ system32 \ hkcmd.exe" [2007-08-15 162328]
"Persistence" = "C: \ Windows \ system32 \ igfxpers.ex e" [2007-08-15 137752]
"ccApp" = "C: \ Program Files \ Common Files \ Symantec Shared \ ccApp.exe" [2006-03-24 53408]
"vptray" = "C: \ progra ~ 1 \ intern SYMANT ~ 1 \ VPTray.exe" [2006-06-14 124656]
"TPHOTKEY" = "C: \ Program Files \ Lenovo \ Hotkey \ TPOSDSVC.exe" [2007-03-09 66176]
"UpdateManager" = "C: \ Program Files \ Common Files \ Sonic \ Update Manager \ sgtray.exe" [2003-08-18 110592]
"dla" = "C: \ Windows \ system32 \ dla \ tfswctrl.exe" [2005-05-19 127037]
"EZEJMNAP" = "C: \ progra ~ 1 \ intern ThinkPad \ UTILIT ~ 1 \ EzEjMnAp. Exe" [2007-04-26 243248]
"LPManager" = "C: \ progra ~ 1 \ intern THINKV ~ 1 \ PrdCtr \ LPMGR.exe" [2007-03-22 120368]
"TVT Zamanlayıcısı Proxy" = "C: \ Program Files \ Common Files \ Lenovo \ Zamanlayıcısı \ scheduler_proxy.exe" [2008-03-04 487424]
"TkBellExe" = "C: \ Program Files \ Common Files \ Real \ Update_OB \ realsched.exe" [2008-09-13 185896]
"TrackPointSrv" = "tp4mon.exe" [2004/08/03 C: \ WINDOWS \ system32 \ tp4mon.exe]
"NWTRAY" = "NWTRAY.EXE" [2002/03/12 C: \ WINDOWS \ system32 \ nwtray.exe]
"TpShocks" = "TpShocks.exe" [2007/03/29 C: \ WINDOWS \ system32 \ TpShocks.exe]
[HKEY_USERS \. DEFAULT \ Software \ Microsoft \ Windows \ Cur rentVersion \ Run]
"Communicator" = "C: \ Program Files \ Microsoft Office Communicator \ Communicator.exe" [2005-05-12 4167376]
[HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Windows \ curr entversion \ Policies \ System]
"CompatibleRUPSecurity" = 1 (0x1)
[HKEY_USERS \. DEFAULT \ Software \ Microsoft \ Windows \ fark rentversion \ Policies \ Explorer]
"StartMenuLogOff" = 1 (0x1)
[HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Windows NT \ CurrentVersion \ Winlogon \ Notify \ tpfnf2]
2006/09/06 13:37 34344 C: \ Program Files \ Lenovo \ Hotkey \ notifyf2.dll
[HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Windows NT \ CurrentVersion \ Winlogon \ Notify \ tphotkey]
2006/12/14 08:06 28672 C: \ Program Files \ Lenovo \ Hotkey \ tphklock.dll
[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ contro L \ LSA]
Doğrulama paketleri REG_MULTI_SZ msv1_0 nwv1_0
[HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Security Center \ Monitoring \ SymantecAntiVirus]
"DisableMonitoring" = dword: 00000001
[HKLM \ ~ \ Services \ SharedAccess \ Parameters \ firewallpo licy \ standardprofile \ AuthorizedApplications \ Listesi]
"% windir% \ \ system32 \ \" = Sessmgr.exe
"C: \ \ Program Files \ \ Yahoo! \ \ Messenger \ \ YahooMessenger.exe" =
"C: \ \ Program Files \ \ Yahoo! \ \ Messenger \ \ YServer.exe" =
R0 Shockprf; Shockprf; C: \ Windows \ System32 \ drivers \ Apsx 86.sys [2007-03-02 100656]
R0 TPDIGIMN; TPDIGIMN; C: \ Windows \ System32 \ drivers \ ApsH M86.sys [2007-03-02 19760]
R2 smefs; SMEFileSystem; C: \ WINDOWS \ system32 \ drivers \ SM efs.sys [2006-02-08 20508]
R3 CdProbe; CdProbe; C: \ Windows \ System32 \ drivers \ cdprob e.sys [2008/09/21 8416]
R3 smedrv; SMEDriver; C: \ WINDOWS \ system32 \ drivers \ smedr v.sys [2006/02/08 9516]
S2 AppMgSvc; Uygulama Yönetimi Hizmeti; C: \ Program Files \ Common Files \ Microsoft Shared \ MSINFO \ MsInfo.msi [2008-09-20 430816]
S2 yraebbgi; yraebbgi; C: \ WINDOWS \ system32 \ drivers \ bynp ea.sys []
S2 yrtxzgwh; yrtxzgwh; C: \ WINDOWS \ system32 \ drivers \ rrja ck.sys []
[HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Windows NT \ CurrentVersion \ Svchost]
REG_MULTI_SZ wrtxzg wrtxzg
REG_MULTI_SZ nraebb nraebb
.
************************************************** ************************
catchme 0.3.1361 W2K/XP/Vista - Rootkit / gizli kötü amaçlı yazılım dedektör Gmer tarafından, http://www.gmer.net
Rootkit 2008/09/21 22:16:04 tarama
5/1/2600 Windows Service Pack 2 NTFS
gizli işlemler tarama ...
Gizli kayıtları otomatik tarama ...
Gizli dosya tarama ...

C: \ WINDOWS \ system32 \ calc.exe
başarıyla tamamlandı tarama
Gizli dosyalar: 1
************************************************** ************************
[HKEY_LOCAL_MACHINE \ SYSTEM \ ControlSet001 \ Services \ A ppMgSvc]
"ImagePath" = "C: \ Program Files \ Common Files \ Microsoft Shared \ MSINFO \ MsInfo.msi"
.
--------------------- DLL Yüklü çalışan süreçleri altında ---------------------
SÜRECİ: C: \ WINDOWS \ system32 \ winlogon.exe
-> C: \ Program Files \ Lenovo \ Hotkey \ tphklock.dll
.
------------------------ Diğer çalışan süreçleri ----------------------- --
.
C: \ WINDOWS \ system32 \ ibmpmsvc.exe
C: \ Program Files \ Intel \ Wireless \ Bin \ S24EvMon.exe
C: \ Program Files \ Common Files \ Symantec Shared \ ccSetMgr.exe
C: \ Program Files \ Common Files \ Symantec Shared \ ccEvtMgr.exe
C: \ Program Files \ Common Files \ Symantec Shared \ SPBBC \ SPBBCSvc.exe
C: \ Program Files \ Lavasoft \ Ad-Aware \ aawservice.exe
C: \ Program Files \ Internet Explorer \ IEXPLORE.EXE
C: \ CENTENN.IAL \ DENETİM \ CAgent32.exe
C: \ CENTENN.IAL \ DENETİM \ xferwan.exe
C: \ Program Files \ Cisco VPN istemcisi \ cvpnd.exe
C: \ Program Files \ Symantec AntiVirus \ DefWatch.exe
C: \ Program Files \ Intel \ Wireless \ Bin \ EvtEng.exe
C: \ Program Files \ Common Files \ Microsoft Shared \ VS7DEBUG \ MDM.EXE
C: \ Program Files \ Intel \ Wireless \ Bin \ RegSrvc.exe
C: \ Program Files \ Symantec AntiVirus \ SavRoam.exe
C: \ Program Files \ Symantec AntiVirus \ Rtvscan.exe
C: \ Program Files \ Common Files \ Lenovo \ tvt_reg_monitor_svc.exe
C: \ WINDOWS \ system32 \ TPHDEXLG.exe
C: \ Program Files \ Common Files \ Lenovo \ Zamanlayıcısı \ tvtsched.exe
C: \ _integra \ bin \ ccmagent.exe
C: \ Program Files \ Lenovo \ System Update \ SUService.exe
C: \ _integra \ bin \ shstart.exe
C: \ WINDOWS \ system32 \ igfxsrvc.exe
C: \ Program Files \ Lenovo \ Hotkey \ TPONSCR.exe
C: \ Program Files \ Lenovo \ ZOOM \ TpScrex.exe
C: \ Program Files \ Symantec AntiVirus \ DoScan.exe
C: \ Program Files \ Yahoo! \ Messenger \ Ymsgr_tray.exe
C: \ ComboFix \ pv.cfexe
.
************************************************** ************************
.
Tamamlanma süresi: 2008/09/21 22:17:28 - makine yeniden başlatılması oldu
ComboFix-karantinaya-files.txt 2008/09/22 05:17:23
ComboFix2.txt 2008/09/22 02:36:59
Ön Çalıştır'ı: 64509464576 bayt boş
Post-Run: 64505421824 bayt boş
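The ComboFix output above shows the pattern a defender looks for in these logs: two auto-start (S2) driver services with opaque names (yraebbgi, yrtxzgwh) whose .sys files ComboFix could not find (empty `[]`), and an "Application Management Service" (AppMgSvc) whose ImagePath is an .msi file rather than an executable, which HijackThis had already listed with an unknown owner and a missing binary. As an added example, not code from this thread or from HijackThis or ComboFix, the following Python script parses O23 lines and ComboFix R*/S* service lines and applies those indicators as triage heuristics. The sample lines are constructed to mirror the log format above (with English wording instead of the machine-translated text), and the scoring rules (`strong` indicators reported on their own, `weak` ones only in pairs) are this script's own assumptions, not behaviour of either tool.

```python
"""Triage helper for HijackThis O23 lines and ComboFix service/driver lines.
Added example; the scoring rules are this script's own heuristics."""
import re
from dataclasses import dataclass, field

# HijackThis: O23 - Service: <display> (<key>) - <owner> - <image path>
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<name>[^()]+)\))?"
    r" - (?P<owner>.+?) - (?P<path>.+)$")
# ComboFix: S2 <key>;<display>;<path> [<date size>]   (empty [] = file absent)
CF_RE = re.compile(
    r"^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?) \[(?P<meta>[^\]]*)\]$")
EXEC_EXT = (".exe", ".sys", ".dll")

# Constructed sample, modelled on the lines posted in this thread.
SAMPLE_LOG = """\
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\\Program Files\\Lavasoft\\Ad-Aware\\aawservice.exe
O23 - Service: Application Management Service (AppMgSvc) - Unknown owner - C:\\Program.exe (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\\Program Files\\Symantec AntiVirus\\Rtvscan.exe
R0 Shockprf;Shockprf;C:\\Windows\\System32\\drivers\\Apsx86.sys [2007-03-02 100656]
R3 CdProbe;CdProbe;C:\\Windows\\System32\\drivers\\cdprobe.sys [2008-09-21 8416]
S2 AppMgSvc;Application Management Service;C:\\Program Files\\Common Files\\Microsoft Shared\\MSINFO\\MsInfo.msi [2008-09-20 430816]
S2 yraebbgi;yraebbgi;C:\\WINDOWS\\system32\\drivers\\bynpea.sys []
S2 yrtxzgwh;yrtxzgwh;C:\\WINDOWS\\system32\\drivers\\rrjack.sys []
"""


@dataclass
class Entry:
    source: str      # "O23" or the ComboFix start type (R0, S2, ...)
    name: str        # registry key name of the service / driver
    display: str
    owner: str
    path: str
    meta: str = ""   # ComboFix "[date size]" content; "" when the file is absent
    strong: list = field(default_factory=list)
    weak: list = field(default_factory=list)


def parse_line(line: str):
    """Return an Entry for an O23 or ComboFix service line, else None."""
    m = O23_RE.match(line)
    if m:
        return Entry("O23", m.group("name") or m.group("display"),
                     m.group("display"), m.group("owner"), m.group("path"))
    m = CF_RE.match(line)
    if m:
        return Entry(m.group("start"), m.group("name"), m.group("display"),
                     "", m.group("path"), m.group("meta"))
    return None


def image_basename(path: str) -> str:
    """File name of the image path, with HijackThis' '(file missing)' stripped."""
    clean = re.sub(r"\s*\(file missing\)\s*$", "", path)
    return clean.replace("/", "\\").rsplit("\\", 1)[-1]


def assess(e: Entry) -> Entry:
    """Attach strong (reported alone) and weak (need two) indicators."""
    fname = image_basename(e.path).lower()
    stem = fname.rsplit(".", 1)[0]
    if "(file missing)" in e.path:
        e.strong.append("image path does not exist on disk")
    if e.source != "O23" and e.meta == "":
        e.strong.append("auto-start entry but ComboFix found no file (empty [])")
    if e.owner.lower().startswith("unknown"):
        e.strong.append("no identifiable owner/vendor")
    if not fname.endswith(EXEC_EXT):
        e.strong.append(f"image is not a PE executable: {fname}")
    lname = e.name.lower()
    if lname not in stem and stem not in lname:
        e.weak.append(f"key name {e.name!r} unrelated to binary {fname!r}")
    if e.name == e.display and re.fullmatch(r"[a-z]{6,}", e.name):
        e.weak.append("opaque all-lowercase name reused as display name")
    return e


def triage(text: str) -> list:
    """Entries worth a closer look: any strong indicator, or two weak ones."""
    entries = [assess(e) for e in map(parse_line, text.splitlines()) if e]
    return [e for e in entries if e.strong or len(e.weak) >= 2]


def report(text: str) -> str:
    lines = []
    for e in triage(text):
        lines.append(f"[{e.source}] {e.name} -> {e.path}")
        lines.extend(f"    strong: {r}" for r in e.strong)
        lines.extend(f"    weak:   {r}" for r in e.weak)
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run against the sample, the script reports both AppMgSvc entries and the two opaque drivers while leaving the Lenovo Shockprf driver alone: Shockprf's key name also does not match its binary (Apsx86.sys), but a single weak indicator is not enough on its own, which is the point of separating the two tiers.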
#10
21 September 2008, 22:26
Moderator Group

IEXPLORER.EXE virus pls review Hijack log

Download OTMoveIt2 by OldTimer and save it to your Desktop.

Note: If you are on Vista, right-click OTMoveIt2.exe and choose Run as Administrator.

1. Double-click OTMoveIt2.exe to run it.
2. Copy the lines in the codebox below.

Code:
[kill explorer]
C:\WINDOWS\system32\calc.exe
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\AppMgSvc
EmptyTemp
[start explorer]

3. Return to OTMoveIt2, right-click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste
4. Click the red Moveit! button.
5. Copy everything in the Results window (under the green bar) and paste it in your next reply.
6. Close OTMoveIt2

Note: If a file or folder cannot be moved immediately, you may be asked to reboot the machine to complete the move. If you are asked to reboot the machine, choose Yes. If it has not already rebooted, do so.
__________________

Copyright © 2006 - 2009 Bilgisayar Suyu.