FrozenFish Posted 27 April 2009

I was going to install a program on my machine (a safe program) and got a message that I had to close iexplorer. But I don't run IE, so I open Task Manager and, sure enough, see that ieksplrer.exe is running. I end the process, but it starts again right away. I've now poked around a bit, run HijackThis, Spybot S&D, RootAlyzer, checked in RegAlyzer... and CCleaner. In CCleaner I see "HKLM:Run C:WINDOWS:Z_PI.EXE". Mysterious! I google Z_PI.EXE but find nothing!! The "mysterious" iexplorer.exe process appears to be communicating with IP: 80.192.6.23:3461. I find nothing there either when I search on Google. It immediately makes me think of malware....! NOD32, SB S&D and Prevx v3 are running in the background. None of them react.

My HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:35:17, on 27.04.2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programfiler\Bonjour\mDNSResponder.exe
C:\Programfiler\Prevx\prevx.exe
C:\Programfiler\ESET\ESET Smart Security\ekrn.exe
C:\Programfiler\Canon\IJPLM\IJPLMSVC.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Programfiler\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Programfiler\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Programfiler\Prevx\prevx.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programfiler\ESET\ESET Smart Security\egui.exe
C:\Programfiler\Analog Devices\Core\smax4pnp.exe
C:\Programfiler\Analog Devices\SoundMAX\Smax4.exe
C:\Programfiler\Fellesfiler\ACD Systems\EN\DevDetect.exe
C:\Programfiler\Canon\MyPrinter\BJMyPrt.exe
C:\Programfiler\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\Skype\Phone\Skype.exe
C:\Documents and Settings\Joe\Lokale innstillinger\Programdata\Google\Update\GoogleUpdate.exe
C:\Programfiler\Skype\Plugin Manager\skypePM.exe
C:\Documents and Settings\Joe\Programdata\NiftyStats\stats.exe
C:\Programfiler\Spybot - Search & Destroy\TeaTimer.exe
C:\Programfiler\CCleaner\CCleaner.exe
C:\Programfiler\CCleaner\CCleaner.exe
[b]C:\Programfiler\Internet Explorer\IEXPLORE.EXE[/b]
C:\Programfiler\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Joe\Lokale innstillinger\Programdata\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Joe\Lokale innstillinger\Programdata\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Joe\Lokale innstillinger\Programdata\Google\Chrome\Application\chrome.exe
C:\Programfiler\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mail.ru/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Programfiler\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Programfiler\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Programfiler\Microsoft Office\Office12\GrooveShellExtensions.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Programfiler\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [egui] "C:\Programfiler\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Programfiler\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Programfiler\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [Device Detector] DevDetect.exe -autorun
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Programfiler\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Programfiler\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Programfiler\Microsoft Office\Office12\GrooveMonitor.exe"
[u][b]O4 - HKLM\..\Run: [HKLM] C:\WINDOWS:Z_PI.EXE[/b][/u]
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Programfiler\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Joe\Lokale innstillinger\Programdata\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [RoboForm] "C:\Programfiler\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programfiler\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETTVERKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Customize Menu - file://C:\Programfiler\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Programfiler\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Programfiler\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Programfiler\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Programfiler\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Programfiler\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Programfiler\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Programfiler\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Programfiler\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Programfiler\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Programfiler\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1240659316359
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Programfiler\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FELLES~1\Skype\SKYPE4~1.DLL
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Programfiler\Bonjour\mDNSResponder.exe
O23 - Service: CSIScanner - Prevx - C:\Programfiler\Prevx\prevx.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Programfiler\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Programfiler\ESET\ESET Smart Security\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Programfiler\Fellesfiler\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Programfiler\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Inkjet Printer/Scanner Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Programfiler\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Programfiler\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 9710 bytes

ieksplorer is running again, but I haven't started it... Task Manager can't close it either. HijackThis and CCleaner can't delete it.... Anyone know what this is?
Graf1ga Posted 27 April 2009

Eh, something that makes me dizzy is that you keep changing the name of this process. If it's only "iexplorer.exe" you mean, then that would be Internet Explorer, which is a browser that you need..
Graf1ga Posted 27 April 2009

If you're still unsure, I would scan with "Malwarebytes" and also "Smitfraudfix".
snippsat Posted 27 April 2009 (edited)

Start HijackThis "scan", find these lines, check them, then press Fix checked.

O4 - HKLM\..\Run: [HKLM] C:\WINDOWS:Z_PI.EXE

Uninstall the Nvidia firewall; it does nothing but cause trouble.
C:\Programfiler\NVIDIA Corporation\NetworkAccessManager

Download MBAM to the desktop. Choose Norwegian language --> run a quick system scan. When MBAM is finished it opens a log; post that.

---

Download ComboFix and put it on the desktop. Don't click in the window while the program is running. Post the log C:\combofix.txt

Edited 27 April 2009 by SNIPPSAT
2ball_ Posted 27 April 2009

I didn't quite catch what you wanted, but if it's a file you know the name of but can't delete, you can put it in the virus vault and delete it from there with a file shredder program. Whether I've understood the point at all is another matter.
FrozenFish (Author) Posted 27 April 2009

[quote]Eh, something that makes me dizzy is that you keep changing the name of this process. If it's only "iexplorer.exe" you mean, then that would be Internet Explorer, which is a browser that you need..[/quote]

A couple of typos up there. I mean iexplore.exe, and yes, I know this is Internet Explorer. The point is whether it could be malware/spyware that uses iexplore to send information!

[quote]Start HijackThis "scan", find these lines, check them, then press Fix checked.
O4 - HKLM\..\Run: [HKLM] C:\WINDOWS:Z_PI.EXE
Uninstall the Nvidia firewall; it does nothing but cause trouble.
C:\Programfiler\NVIDIA Corporation\NetworkAccessManager
Download MBAM to the desktop. Choose Norwegian language --> run a quick system scan. When MBAM is finished it opens a log; post that.
---
Download ComboFix and put it on the desktop. Don't click in the window while the program is running. Post the log C:\combofix.txt[/quote]

I've tried fixing Z_PI.exe with HijackThis: didn't work! It came right back. Checked the system now and iexplorer.exe hasn't started. Z_PI.exe is gone too. Maybe ComboFix removed them? Or does it only scan and write a log? Running ComboFix again anyway.
FrozenFish (Author) Posted 27 April 2009

[quote]I didn't quite catch what you wanted, but if it's a file you know the name of but can't delete, you can put it in the virus vault and delete it from there with a file shredder program. Whether I've understood the point at all is another matter.[/quote]

Well, part of the problem is that even though I see the path to the file, I don't find it there (yes, I've ticked show hidden files AND system files).

Here is the log from ComboFix:

ComboFix 09-04-25.A3 - Joe 27.04.2009 14:03.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.47.1044.18.3326.2691 [GMT 2:00]
Kjører fra: c:\documents and settings\Joe\Skrivebord\ComboFix.exe
AV: ESET Smart Security 3.0 *On-access scanning disabled* (Updated)
AV: Prevx 3.0 *On-access scanning enabled* (Updated)
FW: ESET personlig brannmur *enabled*
.
((((((((((((((((((((((((((( Filer Opprettet Fra 2009-05-27 til 2009-4-27 )))))))))))))))))))))))))))))))))
.
2009-04-27 10:58 . 2009-04-27 10:58 -------- d-----w c:\documents and settings\Joe\Lokale innstillinger\Programdata\ESET
2009-04-27 10:15 . 2009-04-27 10:35 -------- d--h--r c:\documents and settings\Joe\Siste
2009-04-27 09:42 . 2009-04-27 09:42 -------- d-----w c:\documents and settings\Joe\Programdata\Safer Networking
2009-04-27 09:42 . 2009-04-27 09:42 -------- d-----w c:\programfiler\Safer Networking
2009-04-27 09:35 . 2009-04-27 09:36 -------- d-----w c:\programfiler\CCleaner
2009-04-27 09:27 . 2009-04-27 10:15 -------- d-----w c:\documents and settings\All Users\Programdata\Spybot - Search & Destroy
2009-04-27 09:27 . 2009-04-27 09:28 -------- d-----w c:\programfiler\Spybot - Search & Destroy
2009-04-26 23:52 . 2009-04-26 23:52 -------- d-----w c:\programfiler\Siber Systems
2009-04-26 23:46 . 2009-04-26 23:46 -------- d-----w c:\documents and settings\All Users\Programdata\RoboForm
2009-04-26 07:45 . 2008-10-16 12:06 268648 ----a-w c:\windows\system32\mucltui.dll
2009-04-26 07:45 . 2008-10-16 12:06 27496 ----a-w c:\windows\system32\mucltui.dll.mui
2009-04-25 21:56 . 2009-04-25 21:56 -------- d-----w c:\programfiler\Foxit Software
2009-04-25 21:56 . 2009-04-25 21:56 -------- d-----w c:\documents and settings\Joe\Programdata\Foxit
2009-04-25 21:55 . 2006-10-26 17:56 32592 ----a-w c:\windows\system32\msonpmon.dll
2009-04-25 21:54 . 2009-04-25 21:54 -------- d-----w c:\programfiler\Microsoft Works
2009-04-25 21:54 . 2009-04-25 21:54 -------- d-----w c:\programfiler\MSBuild
2009-04-25 21:53 . 2009-04-25 21:53 -------- d-----w c:\programfiler\Microsoft.NET
2009-04-25 21:52 . 2009-04-25 21:52 -------- d-----w c:\programfiler\Microsoft Visual Studio 8
2009-04-25 21:52 . 2009-04-25 21:54 -------- d-----w c:\windows\SHELLNEW
2009-04-25 21:52 . 2009-04-25 21:52 -------- d-----w c:\documents and settings\Joe\Lokale innstillinger\Programdata\Microsoft Help
2009-04-25 21:52 . 2009-04-26 14:57 -------- d-----w c:\documents and settings\All Users\Programdata\Microsoft Help
2009-04-25 21:51 . 2009-04-25 21:51 -------- d--h--r C:\MSOCache
2009-04-25 18:33 . 2009-04-25 18:33 -------- d--h--w c:\documents and settings\All Users\Programdata\CanonIJSolutionMenu
2009-04-25 18:33 . 2009-04-25 18:33 -------- d--h--w c:\documents and settings\All Users\Programdata\CanonIJMyPrinter
2009-04-25 18:33 . 2009-04-26 21:18 -------- d-----w c:\documents and settings\All Users\Programdata\CanonIJPLM
2009-04-25 18:32 . 2008-04-13 18:45 26368 -c--a-w c:\windows\system32\dllcache\usbstor.sys
2009-04-25 18:32 . 2008-04-13 18:47 25856 -c--a-w c:\windows\system32\dllcache\usbprint.sys
2009-04-25 18:32 . 2008-04-13 18:47 25856 ----a-w c:\windows\system32\drivers\usbprint.sys
2009-04-25 18:32 . 2008-04-13 18:45 15104 -c--a-w c:\windows\system32\dllcache\usbscan.sys
2009-04-25 18:32 . 2008-04-13 18:45 15104 ----a-w c:\windows\system32\drivers\usbscan.sys
2009-04-25 18:30 . 2009-04-25 18:30 -------- d-----w c:\programfiler\Fellesfiler\CANON
2009-04-25 18:27 . 2009-04-25 18:27 -------- d--h--w c:\documents and settings\All Users\Programdata\CanonBJ
2009-04-25 18:26 . 2008-10-08 20:00 230912 ----a-w c:\windows\system32\CNMLM9D.DLL
2009-04-25 18:26 . 2009-04-25 18:26 -------- d--h--w c:\windows\system32\CanonIJ Uninstaller Information
2009-04-25 18:26 . 2008-05-30 00:27 270336 ----a-w c:\windows\system32\CNC620L.DLL
2009-04-25 18:26 . 2008-04-07 05:58 1339392 ----a-w c:\windows\system32\CNC620C.DLL
2009-04-25 18:26 . 2008-04-07 05:58 98304 ----a-w c:\windows\system32\CNC620I.DLL
2009-04-25 18:26 . 2007-03-15 05:12 188416 ----a-w c:\windows\system32\CNC620O.DLL
2009-04-25 18:26 . 2009-04-25 18:26 -------- d--h--w c:\programfiler\CanonBJ
2009-04-25 18:26 . 2007-05-14 06:49 142336 ----a-w c:\windows\system32\CNMNPUI.DLL
2009-04-25 18:26 . 2007-05-14 06:49 362496 ----a-w c:\windows\system32\CNMNPPM.DLL
2009-04-25 18:26 . 2007-03-19 15:14 117850 ----a-w c:\windows\system32\Cnmnput.chm
2009-04-25 18:25 . 2009-04-25 18:33 -------- d-----w c:\programfiler\Canon
2009-04-25 18:16 . 2009-04-25 18:16 -------- d-----w c:\documents and settings\Joe\Lokale innstillinger\Programdata\Google
2009-04-25 15:20 . 2009-04-25 15:20 -------- d-----w c:\documents and settings\All Users\Programdata\FLEXnet
2009-04-25 15:20 . 2009-04-25 15:30 -------- d-----w c:\documents and settings\Joe\Lokale innstillinger\Programdata\Adobe
2009-04-25 15:19 . 2009-04-25 15:19 -------- d-----w c:\documents and settings\Joe\Lokale innstillinger\Programdata\ACD Systems
2009-04-25 15:19 . 2009-04-25 15:19 -------- d-----w c:\documents and settings\Joe\Programdata\ACD Systems
2009-04-25 15:18 . 2009-04-25 15:18 -------- d-----w c:\documents and settings\All Users\Programdata\ACD Systems
2009-04-25 15:18 . 2009-04-25 15:18 -------- d-----w c:\programfiler\Fellesfiler\ACD Systems
2009-04-25 15:18 . 2009-04-25 15:18 -------- d-----w c:\programfiler\ACD Systems
2009-04-25 15:14 . 2009-04-25 15:14 -------- d-----w c:\programfiler\Bonjour
2009-04-25 15:08 . 2009-04-25 15:08 -------- d-----w c:\programfiler\Fellesfiler\Macrovision Shared
2009-04-25 15:07 . 2009-04-25 15:14 -------- d-----w c:\programfiler\Fellesfiler\Adobe
2009-04-25 14:41 . 2009-04-25 14:41 -------- d-----w c:\programfiler\uTorrent
2009-04-25 14:40 . 2009-04-27 00:07 -------- d-----w c:\documents and settings\Joe\Programdata\uTorrent
2009-04-25 13:06 . 2008-04-14 15:43 57600 ----a-w c:\windows\system32\drivers\redbook.sys
2009-04-25 13:06 . 2001-08-17 21:46 6400 ----a-w c:\windows\system32\drivers\enum1394.sys
2009-04-25 13:05 . 2008-04-14 16:22 74240 ----a-w c:\windows\system32\usbui.dll
2009-04-25 13:03 . 2009-04-27 09:26 -------- d-----r c:\documents and settings\All Users\Dokumenter
2009-04-25 13:02 . 2004-08-04 12:00 8599 -c--a-w c:\windows\system32\dllcache\IASNT4.CAT
2009-04-25 13:02 . 2004-08-04 12:00 7407 -c--a-w c:\windows\system32\dllcache\OEMBIOS.CAT
2009-04-25 13:02 . 2004-08-04 12:00 809684 -c--a-w c:\windows\system32\dllcache\NT5IIS.CAT
2009-04-25 13:02 . 2004-08-04 12:00 7334 -c--a-w c:\windows\system32\dllcache\wmerrenu.cat
2009-04-25 13:02 . 2004-08-04 12:00 399670 -c--a-w c:\windows\system32\dllcache\MAPIMIG.CAT
2009-04-25 13:02 . 2004-08-04 12:00 37509 -c--a-w c:\windows\system32\dllcache\MW770.CAT
2009-04-25 13:02 . 2004-08-04 12:00 13497 -c--a-w c:\windows\system32\dllcache\HPCRDP.CAT
2009-04-25 13:02 . 2004-08-04 12:00 1014193 -c--a-w c:\windows\system32\dllcache\SP2.CAT
2009-04-25 13:02 . 2004-08-04 12:00 14043 ----a-r c:\windows\SET8.tmp
2009-04-25 13:02 . 2004-08-04 12:00 1086058 ----a-r c:\windows\SET4.tmp
2009-04-25 13:02 . 2004-08-04 12:00 1014193 ----a-r c:\windows\SET3.tmp
2009-04-25 13:02 . 2009-04-27 12:03 -------- d-----w c:\windows\system32\CatRoot2
2009-04-25 13:02 . 2009-04-26 14:54 -------- d-----w c:\windows\system32\CatRoot
2009-04-25 13:01 . 2009-04-27 09:27 -------- d--h--r c:\documents and settings\All Users\Programdata
2009-04-25 13:01 . 2009-04-25 13:03 -------- d--h--r c:\documents and settings\Default User\Programdata
2009-04-25 13:01 . 2009-04-27 07:43 -------- d-----w c:\documents and settings\Joe\Programdata\skypePM
2009-04-25 13:01 . 2009-04-25 13:01 56 ---ha-w c:\windows\system32\ezsidmv.dat
2009-04-25 13:01 . 2009-04-25 12:29 -------- d--h--w c:\documents and settings\Default User
2009-04-25 13:01 . 2009-04-25 11:19 -------- d-----w C:\Documents and Settings
2009-04-25 13:01 . 2009-04-25 11:14 -------- d-----w c:\documents and settings\All Users
2009-04-25 13:00 . 2009-04-27 11:26 -------- d-----w c:\documents and settings\Joe\Programdata\Skype
2009-04-25 13:00 . 2009-04-25 13:00 -------- d-----w c:\programfiler\Fellesfiler\Skype
2009-04-25 13:00 . 2009-04-25 13:00 -------- d-----r c:\programfiler\Skype
2009-04-25 13:00 . 2009-04-25 11:17 261 ----a-w c:\windows\system32\$winnt$.inf
2009-04-25 13:00 . 2009-04-25 13:00 -------- d-----w c:\documents and settings\All Users\Programdata\Skype
.
(((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-27 12:03 . 2009-04-25 12:09 -------- d-----w c:\documents and settings\Joe\Programdata\NiftyStats
2009-04-27 12:02 . 2009-04-25 12:53 -------- d-----w c:\documents and settings\All Users\Programdata\PrevxCSI
2009-04-26 16:13 . 2004-08-04 12:00 67530 ----a-w c:\windows\system32\perfc014.dat
2009-04-26 16:13 . 2004-08-04 12:00 399490 ----a-w c:\windows\system32\perfh014.dat
2009-04-26 10:16 . 2009-04-25 12:09 69232 ----a-w c:\documents and settings\Joe\Lokale innstillinger\Programdata\GDIPFONTCACHEV1.DAT
2009-04-25 12:53 . 2009-04-25 12:53 27656 ----a-w c:\windows\system32\drivers\pxsec.sys
2009-04-25 12:53 . 2009-04-25 12:53 22024 ----a-w c:\windows\system32\drivers\pxscan.sys
2009-04-25 12:53 . 2009-04-25 12:53 -------- d-----w c:\programfiler\Prevx
2009-04-25 12:24 . 2009-04-25 11:14 86327 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-04-25 12:18 . 2004-08-04 12:00 250560 --sha-r C:\ntldr
2009-04-25 12:07 . 2009-04-25 12:07 -------- d-----w c:\programfiler\Trend Micro
2009-04-25 11:29 . 2009-04-25 11:29 -------- d-----w c:\programfiler\Analog Devices
2009-04-25 11:29 . 2009-04-25 11:27 -------- d--h--w c:\programfiler\InstallShield Installation Information
2009-04-25 11:27 . 2009-04-25 11:27 -------- d-----w c:\programfiler\NVIDIA Corporation
2009-04-25 11:27 . 2009-04-25 11:20 -------- d-----w c:\programfiler\Fellesfiler\InstallShield
2009-04-25 11:24 . 2009-04-25 11:24 -------- d-----w c:\documents and settings\Joe\Programdata\ESET
2009-04-25 11:23 . 2009-04-25 11:23 -------- d-----w c:\programfiler\ESET
2009-04-25 11:23 . 2009-04-25 11:23 -------- d-----w c:\documents and settings\All Users\Programdata\ESET
2009-04-25 11:15 . 2009-04-25 11:15 -------- d-----w c:\programfiler\microsoft frontpage
2009-04-25 11:14 . 2009-04-25 11:14 -------- d-----w c:\programfiler\Elektroniske tjenester
2009-04-25 11:12 . 2009-04-25 11:12 -------- d-----w c:\programfiler\Fellesfiler\Tjenester
2009-04-25 11:11 . 2009-04-25 11:11 21704 ----a-w c:\windows\system32\emptyregdb.dat
2009-03-06 14:24 . 2004-08-04 12:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:16 . 2004-08-04 12:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 17:17 . 2004-08-04 12:00 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 14:08 . 2004-08-04 12:00 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-09 11:27 . 2004-08-04 00:58 2025984 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-09 11:27 . 2004-08-04 12:00 2147328 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-09 11:27 . 2004-08-04 12:00 111104 ----a-w c:\windows\system32\services.exe
2009-02-09 10:56 . 2004-08-04 12:00 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 10:56 . 2004-08-04 12:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 10:56 . 2004-08-04 12:00 710656 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 10:56 . 2004-08-04 12:00 680448 ----a-w c:\windows\system32\advapi32.dll
2009-02-06 10:39 . 2004-08-04 12:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-03 19:59 . 2004-08-04 12:00 56832 ----a-w c:\windows\system32\secur32.dll
.
(((((((((((((((((((((((((((((((( Oppstartspunkter I Registeret )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Merk* tomme oppføringer & gyldige standardoppføringer vises ikke
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Skype"="c:\programfiler\Skype\Phone\Skype.exe" [2009-04-16 24264488]
"Google Update"="c:\documents and settings\Joe\Lokale innstillinger\Programdata\Google\Update\GoogleUpdate.exe" [2009-04-25 133104]
"RoboForm"="c:\programfiler\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2009-04-26 160592]
"SpybotSD TeaTimer"="c:\programfiler\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-03-27 8425472]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-03-27 81920]
"egui"="c:\programfiler\ESET\ESET Smart Security\egui.exe" [2008-10-24 1451264]
"SoundMAXPnP"="c:\programfiler\Analog Devices\Core\smax4pnp.exe" [2006-10-05 868352]
"CanonSolutionMenu"="c:\programfiler\Canon\SolutionMenu\CNSLMAIN.exe" [2008-03-10 689488]
"CanonMyPrinter"="c:\programfiler\Canon\MyPrinter\BJMyPrt.exe" [2008-03-17 1848648]
"GrooveMonitor"="c:\programfiler\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-03-27 1622016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programfiler\\uTorrent\\uTorrent.exe"=
"c:\\Programfiler\\Bonjour\\mDNSResponder.exe"=
"c:\\Programfiler\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Programfiler\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Programfiler\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Programfiler\\Skype\\Phone\\Skype.exe"=

R2 CSIScanner;CSIScanner;c:\programfiler\Prevx\prevx.exe [2009-04-25 4368440]
R3 PciCon;PciCon; [x]
S0 pxscan;pxscan;c:\windows\System32\drivers\pxscan.sys [2009-04-25 22024]
S0 pxsec;pxsec;c:\windows\System32\drivers\pxsec.sys [2009-04-25 27656]
S2 ekrn;Eset Service;c:\programfiler\ESET\ESET Smart Security\ekrn.exe [2008-10-24 468224]
S3 OMNUSB;Omnikey AG CardMan 2020 USB-smartkortleser;c:\windows\system32\DRIVERS\sccmusbm.sys [2001-08-17 23936]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{4826488A-C27E-C9F1-3882-5432F7D2F471}]
[b]C:\WINDOWS:Z_PI.EXE[/b]
.
Innholdet i mappen 'Scheduled Tasks' (planlagte oppgaver)

2009-04-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1177238915-630328440-839522115-1003.job
- c:\documents and settings\Joe\Lokale innstillinger\Programdata\Google\Update\GoogleUpdate.exe [2009-04-25 18:16]
.
.
------- Tilleggsskanning -------
.
uInternet Settings,ProxyOverride = *.local
LSP: %SYSTEMROOT%\system32\nvappfilter.dll
FF - ProfilePath - c:\documents and settings\Joe\Programdata\Mozilla\Firefox\Profiles\2w4lybnj.default\
FF - prefs.js: browser.startup.homepage - hxxps://mail.google.com/mail/#inbox
FF - plugin: c:\documents and settings\Joe\Lokale innstillinger\Programdata\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\programfiler\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-27 14:04
Windows 5.1.2600 Service Pack 3 NTFS

skanner skjulte prosesser ...

skanner skjulte autostart-oppføringer ...

skanner skjulte filer ...

skanning vellykket
skjulte filer: 0

**************************************************************************
.
--------------------- DLL'er Lastet Av Kjørende Prosesser ---------------------

- - - - - - - > 'lsass.exe'(1212)
c:\windows\system32\nvappfilter.dll
.
Tidspunkt ferdig: 2009-04-27 14:05
ComboFix-quarantined-files.txt 2009-04-27 12:04
ComboFix2.txt 2009-04-27 11:00

Pre-Run: 111 271 608 320 byte ledig
Post-Run: 111 289 962 496 byte ledig

209 --- E O F --- 2009-04-26 14:57

Here is Z_PI.exe again... What puzzles me most is that there are no hits when I google Z_PI.EXE ...
snippsat Posted 27 April 2009

[quote]What puzzles me most is that there are no hits when I google Z_PI.EXE ...[/quote]

This is common with malware. It exists only as a registry entry, which is why you find nothing when you search. Remove it with ComboFix.

Copy the bold text below the image -> open Notepad and paste. Save on the desktop as CFScript.txt. Do as shown in the image; ComboFix will start. Post the log c:\combofix.txt

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{4826488A-C27E-C9F1-3882-5432F7D2F471}]
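A note from the editor on the two logs above and on why the original poster could not find the file: the path `C:\WINDOWS:Z_PI.EXE` (rendered by CCleaner as `C:WINDOWS:Z_PI.EXE`) uses NTFS alternate data stream syntax, `host:stream`, so the executable is stored as a named stream attached to the `C:\WINDOWS` directory rather than as a file in it. Explorer does not list streams even with hidden and system files shown, which is consistent with both the poster's observation and snippsat's remark that the entry is only visible in the registry. The Python below is an added example, not code from the thread or from HijackThis/ComboFix: it parses HijackThis `O4` lines and ComboFix's Active Setup block and flags any autorun whose image path is a stream. The sample log text is constructed from entries in the posted logs; the helper names are my own.

```python
import re
from typing import List, Tuple

# Constructed sample: HijackThis O4 lines plus a ComboFix-style Active Setup
# entry, modelled on the logs posted in this thread (not the full logs).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [egui] "C:\Programfiler\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [HKLM] C:\WINDOWS:Z_PI.EXE
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programfiler\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{4826488A-C27E-C9F1-3882-5432F7D2F471}]
C:\WINDOWS:Z_PI.EXE
"""

# "O4 - <hive>\..\<key>: [<value name>] <command line>"
O4_RE = re.compile(
    r"^O4 - (?P<hive>[^:]+?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
# ComboFix prints the Active Setup key on one line and its StubPath on the next.
ACTIVE_SETUP_RE = re.compile(
    r"^\[(?P<key>HKEY_LOCAL_MACHINE\\software\\microsoft\\active setup\\"
    r"installed components\\\{[0-9A-F-]+\})\]$",
    re.IGNORECASE,
)
# First token ending in an executable extension, for unquoted command lines
# (handles paths containing spaces such as "Spybot - Search & Destroy").
EXE_EXT_RE = re.compile(
    r"^(?P<path>.*?\.(?:exe|dll|com|scr|bat|cmd|vbs|pif))(?=$|[\s,])", re.IGNORECASE
)
# Drive letter, then a colon somewhere later in the path: NTFS "host:stream".
ADS_RE = re.compile(r"^[A-Za-z]:[^:]*:[^\\/:]+$")


def image_path(cmd: str) -> str:
    """Return the launched image from a Run-key command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXE_EXT_RE.match(cmd)
    return m.group("path") if m else cmd.split(" ")[0]


def is_ads_path(path: str) -> bool:
    """True when the path uses alternate-data-stream syntax (host:stream)."""
    return ADS_RE.match(path) is not None


def autorun_entries(text: str) -> List[Tuple[str, str, str]]:
    """Extract (location, value name, image path) from HijackThis/ComboFix lines."""
    entries: List[Tuple[str, str, str]] = []
    lines = [ln.strip() for ln in text.splitlines()]
    i = 0
    while i < len(lines):
        m = O4_RE.match(lines[i])
        if m:
            location = m.group("hive") + "\\..\\" + m.group("key")
            entries.append((location, m.group("name"), image_path(m.group("cmd"))))
        else:
            a = ACTIVE_SETUP_RE.match(lines[i])
            if a and i + 1 < len(lines) and lines[i + 1]:
                guid = a.group("key").rsplit("\\", 1)[1]
                entries.append(("ActiveSetup", guid, image_path(lines[i + 1])))
                i += 1  # the StubPath line has been consumed
        i += 1
    return entries


def flag_ads_autoruns(text: str) -> List[Tuple[str, str, str]]:
    """Autorun entries whose image lives in an alternate data stream."""
    return [e for e in autorun_entries(text) if is_ads_path(e[2])]


if __name__ == "__main__":
    for location, name, path in flag_ads_autoruns(SAMPLE_LOG):
        print(f"ADS autorun: {location} [{name}] -> {path}")
```

Running it on the sample prints the same stream path twice: once from the `HKLM\..\Run` value named `HKLM` and once from the Active Setup component, which is why fixing only the `O4` line with HijackThis did not stop it from coming back. To confirm a stream exists on a live system, Windows Vista and later can list streams with `dir /r`; on Windows XP the Sysinternals `streams` utility does the same.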
FrozenFish (Author) Posted 27 April 2009

[quote]Copy the bold text below the image -> open Notepad and paste. Save on the desktop as CFScript.txt. Do as shown in the image; ComboFix will start. Post the log c:\combofix.txt
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{4826488A-C27E-C9F1-3882-5432F7D2F471}][/quote]

Ah, good stuff for next time! Today, after I had been at it for a couple of hours, Prevx suddenly popped up and declared that it had found Z_PI.EXE on my machine (+ 1 more) and took care of it. I've searched through EVERYTHING now and, as far as I can see, there's no junk left on the machine!

This gets me thinking... I had just installed XP after my Vista messed up a bit. Thought I'd try XP again... I can't recall having any virus/malware trouble in Vista! There too I ran NOD32 + standard programs like SB S&D etc. Is XP that much more "insecure", then? Or was I just unlucky? I'm normally quite careful online...! I'm getting the new laptop soon; then it's back to Linux on that one, and the wife can struggle with XP.

Anyway - thanks to everyone who took the time to help today!
snippsat Posted 28 April 2009

You can remove ComboFix by typing combofix /u from the Run dialog. This command deletes quarantined files and backups, resets the System Restore folder, etc.

Check whether your software is up to date: Secunia.

Surf safely.