Can someone check through my ComboFix log?



Posted

I'm getting those so-called CiD popups. Can someone check what the cause could be? :) Thanks!

Here is the log:

C:\WINDOWS\system32\Desktop_.ini

 

.

((((((((((((((((((((((((( Files Created from 2008-06-02 to 2008-07-02 )))))))))))))))))))))))))))))))

.

 

2008-07-02 19:09 . 2008-07-02 19:39 <DIR> d-------- C:\Programfiler\Unlocker

2008-07-02 19:09 . 2008-07-02 19:09 <DIR> d-------- C:\Documents and Settings\Didier\Programdata\Desktopicon

2008-07-02 13:57 . 2008-07-02 13:57 <DIR> d-------- C:\Programfiler\Trend Micro

2008-07-02 12:11 . 2008-07-02 12:11 0 --a------ C:\WINDOWS\nsreg.dat

2008-07-01 12:03 . 2008-07-02 19:12 <DIR> d-------- C:\Programfiler\SUPERAntiSpyware

2008-07-01 12:03 . 2008-07-02 19:12 <DIR> d-------- C:\Documents and Settings\Didier\Programdata\SUPERAntiSpyware.com

2008-07-01 12:03 . 2008-07-01 12:03 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\SUPERAntiSpyware.com

2008-07-01 11:00 . 2008-07-01 11:00 3,400 --a------ C:\WINDOWS\system32\PerfStringBackup.TMP

2008-06-30 12:29 . 2008-06-30 12:29 268 --ah----- C:\sqmdata03.sqm

2008-06-30 12:29 . 2008-06-30 12:29 244 --ah----- C:\sqmnoopt03.sqm

2008-06-30 12:29 . 2008-06-30 12:29 172 --ah----- C:\sqmnoopt04.sqm

2008-06-30 12:29 . 2008-06-30 12:29 148 --ah----- C:\sqmdata04.sqm

2008-06-29 22:27 . 2006-10-26 19:56 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll

2008-06-29 22:26 . 2008-06-29 22:26 <DIR> d-------- C:\Programfiler\Microsoft Works

2008-06-29 22:25 . 2008-06-29 22:25 <DIR> d-------- C:\Programfiler\MSBuild

2008-06-29 22:24 . 2008-06-29 22:24 <DIR> d-------- C:\Programfiler\Microsoft.NET

2008-06-29 22:21 . 2008-06-29 22:21 <DIR> d-------- C:\Programfiler\Microsoft Visual Studio 8

2008-06-29 22:20 . 2008-06-29 22:25 <DIR> d-------- C:\WINDOWS\SHELLNEW

2008-06-29 22:19 . 2008-06-29 23:38 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Microsoft Help

2008-06-29 22:18 . 2008-06-29 22:18 <DIR> dr-h----- C:\MSOCache

2008-06-29 21:55 . 2008-06-29 21:55 <DIR> d-------- C:\Documents and Settings\Didier\Programdata\DAEMON Tools

2008-06-29 21:55 . 2008-06-29 21:55 717,296 --a------ C:\WINDOWS\system32\drivers\sptd.sys

2008-06-29 18:28 . 2008-06-29 21:51 <DIR> d-------- C:\Programfiler\BitComet

2008-06-29 18:28 . 2008-07-02 19:35 <DIR> d-------- C:\Downloads

2008-06-29 18:28 . 2008-06-29 18:28 2,560 --a------ C:\WINDOWS\system32\bitcometres.dll

2008-06-24 16:35 . 2008-06-24 17:19 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Spybot - Search & Destroy

2008-06-24 11:59 . 2008-06-24 11:59 <DIR> d-------- C:\Programfiler\Fellesfiler\Skype

2008-06-24 11:59 . 2008-06-24 11:59 56 --ah----- C:\WINDOWS\system32\ezsidmv.dat

2008-06-20 23:47 . 2008-06-20 23:47 <DIR> d-------- C:\WINDOWS\Options

2008-06-20 23:47 . 2008-06-20 23:47 <DIR> d-------- C:\Documents and Settings\Didier\Programdata\InstallShield

2008-06-20 23:46 . 2008-06-20 23:46 <DIR> d-------- C:\Programfiler\Gigabyte

2008-06-20 22:15 . 2008-06-20 23:45 <DIR> d-------- C:\Programfiler\SAGEM(2)

2008-06-20 19:19 . 2005-08-02 00:06 2,048 --a------ C:\WINDOWS\system32\drivers\rt73.bin

2008-06-20 19:19 . 2005-08-19 15:51 138 --a------ C:\WINDOWS\filespec7x

2008-06-20 14:48 . 2008-06-20 23:46 <DIR> d-------- C:\Programfiler\Orange

2008-06-20 14:48 . 2008-06-20 14:48 <DIR> d-------- C:\Programfiler\Fellesfiler\France Telecom

2008-06-20 13:29 . 2008-06-20 23:46 <DIR> d-------- C:\Programfiler\Gigabyte(2)

2008-06-11 20:46 . 2008-06-11 20:46 <DIR> d-------- C:\Programfiler\MSECache

2008-06-11 20:45 . 2008-06-11 20:45 27,100,264 --a------ C:\PowerPointViewer.exe

2008-06-11 16:41 . 2008-06-11 16:41 <DIR> d-------- C:\Programfiler\Alwil Software

2008-06-11 10:06 . 2008-06-11 10:06 <DIR> d-------- C:\Documents and Settings\Didier\Programdata\ItsLabel

2008-06-11 10:04 . 2008-06-14 20:00 272,256 --------- C:\WINDOWS\system32\drivers\bthport.sys

2008-06-11 10:04 . 2008-06-14 20:00 272,256 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys

2008-06-10 23:15 . 2008-06-11 16:10 <DIR> d-------- C:\Programfiler\OpenOffice.org 2.4

2008-06-10 23:01 . 2008-06-11 16:06 <DIR> d-------- C:\Programfiler\EoRezo

2008-06-10 23:01 . 2008-06-11 16:06 <DIR> d-------- C:\Documents and Settings\Didier\Programdata\EoRezo

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-07-02 17:30 --------- d-----w C:\Programfiler\Windows Live

2008-07-02 17:12 --------- d-----w C:\Programfiler\Fellesfiler\Wise Installation Wizard

2008-07-02 14:04 --------- d-----w C:\Documents and Settings\Didier\Programdata\skypePM

2008-07-02 10:01 --------- d-----w C:\Documents and Settings\Didier\Programdata\Skype

2008-06-29 16:24 --------- d-----w C:\Documents and Settings\Didier\Programdata\LimeWire

2008-06-27 09:51 20 ---h--w C:\Documents and Settings\All Users\Programdata\PKP_DLec.DAT

2008-06-27 09:51 20 ---h--w C:\Documents and Settings\All Users\Programdata\PKP_DLds.DAT

2008-06-25 18:06 --------- d-----w C:\Documents and Settings\Didier\Programdata\FLAG BIKE

2008-06-20 21:47 --------- d--h--w C:\Programfiler\InstallShield Installation Information

2008-06-20 21:47 --------- d-----w C:\Programfiler\Atheros

2008-06-18 09:16 --------- d-----w C:\Programfiler\Fellesfiler\Adobe

2008-06-17 11:23 --------- d-----w C:\Documents and Settings\Didier\Programdata\Uniblue

2008-06-11 18:05 --------- d-----w C:\Documents and Settings\All Users\Programdata\avg8

2008-05-29 14:11 --------- d-----w C:\Documents and Settings\Didier\Programdata\SPAMfighter

2008-05-22 21:31 --------- d-----w C:\Documents and Settings\Didier\Programdata\AVGTOOLBAR

2008-05-18 17:46 --------- d-----w C:\Documents and Settings\Didier\Programdata\dvdcss

2008-05-18 11:22 --------- d-----w C:\Programfiler\Uniblue

2008-05-18 11:19 4,511,232 ----a-w C:\speedupmypc3aff.exe

2008-05-16 16:45 --------- d-----w C:\Programfiler\AVG

2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys

2008-03-13 12:09 32 ----a-w C:\Documents and Settings\All Users\Programdata\ezsid.dat

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2007-08-02 14:00 15360]

"Skype"="C:\Programfiler\Skype\Phone\Skype.exe" [2008-05-30 15:54 21718312]

"View Bird"="C:\DOCUME~1\Didier\PROGRA~1\FLAGBI~1\sixthbookkind.exe" [2008-06-25 20:03 523264]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"GrooveMonitor"="C:\Programfiler\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2007-08-02 14:00 15360]

 

C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\

GN-WB01GS Utility.lnk - C:\Programfiler\Gigabyte\Gigabyte WB01GS Wireless USB Adapter\Installer\WINXP\GNConfig.exe [2008-04-25 22:33:52 720896]

Laptop Battery Power Monitor.lnk - C:\WINDOWS\Installer\{52384794-3FAE-456F-921E-CCB6F9D2BC18}\_F2F1DBB19E950C4AA5F9FC.exe [2008-03-10 23:28:59 26694]

NkbMonitor.exe.lnk - C:\Programfiler\Nikon\PictureProject\NkbMonitor.exe [2008-03-13 17:06:19 118784]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"vidc.ffds"= ffdshow.ax

"msacm.ac3filter"= ac3filter.acm

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Programfiler\\Windows Live\\Messenger\\msnmsgr.exe"=

"C:\\Programfiler\\Windows Live\\Messenger\\livecall.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"C:\\Programfiler\\LimeWire\\LimeWire.exe"=

"C:\\Programfiler\\Messenger\\msmsgs.exe"=

"C:\\Programfiler\\BitComet\\BitComet.exe"=

"C:\\Programfiler\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"C:\\Programfiler\\Microsoft Office\\Office12\\GROOVE.EXE"=

"C:\\Programfiler\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"C:\\Programfiler\\Skype\\Phone\\Skype.exe"=

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"8932:TCP"= 8932:TCP:BitComet 8932 TCP

"8932:UDP"= 8932:UDP:BitComet 8932 UDP

 

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-16 01:20]

R1 Hotkey;Hotkey;C:\WINDOWS\system32\drivers\Hotkey.sys [2003-04-28 12:27]

R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-16 01:16]

S1 Wbutton;Wbutton;C:\WINDOWS\system32\drivers\Wbutton.sys []

S3 POWERKEY;POWERKEY;C:\Programfiler\Launch Manager\POWERKEY.sys [2000-12-19 19:29]

S3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;C:\WINDOWS\system32\DRIVERS\rt2870.sys [2007-03-13 13:35]

 

.

Contents of the 'Scheduled Tasks' folder

"2008-07-02 17:00:00 C:\WINDOWS\Tasks\ABB0808690733D66.job"

- c:\docume~1\didier\progra~1\flagbi~1\link hole grey.exe

"2008-06-28 08:09:34 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"

- C:\Programfiler\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe

"2008-05-18 11:23:08 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"

- C:\Programfiler\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe

.

- - - - ORPHANS REMOVED - - - -

 

HKLM-Run-Second bat creative peak - C:\Documents and Settings\All Users\Programdata\Axis Readme Second Bat\wipe this.exe

HKLM-Run-UnlockerAssistant - C:\Programfiler\Unlocker\UnlockerAssistant.exe

 

 

**************************************************************************

 

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-07-02 19:41:31

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

------------------------ Other Running Processes ------------------------

.

C:\Programfiler\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe

C:\Programfiler\Alwil Software\Avast4\ashServ.exe

C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe

C:\Programfiler\Internet Explorer\iexplore.exe

C:\Programfiler\Duomart.com\Laptop Battery Power Monitor\BatteryMonitor.exe

C:\Programfiler\Skype\Plugin Manager\skypePM.exe

.

**************************************************************************

.

Completion time: 2008-07-02 19:44:39 - machine was rebooted

ComboFix-quarantined-files.txt 2008-07-02 17:44:36

 

Pre-Run: 37,526,134,784 byte ledig

Post-Run: 37,769,977,856 byte ledig

 

166 --- E O F --- 2008-06-29 21:38:59

Posted

Open Notepad and copy in what is shown in bold below, then save the file on the desktop as CFScript.txt.

Then drag the file onto the ComboFix icon. ComboFix will start again.


 

File::

C:\DOCUME~1\Didier\PROGRA~1\FLAGBI~1

C:\WINDOWS\Tasks\ABB0808690733D66.job

 

Registry::

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"View Bird"=-

 

Then check whether the hosts file contains any lines related to CiD:

Click: Start->Run

Type/paste: notepad %systemroot%\system32\drivers\etc\hosts and click OK

The hosts file will open in Notepad. The last line that should be there is 127.0.0.1 localhost

Remove any entries with CiD.

Let us know how it goes with the problem.
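As an added example (not from the thread or from ComboFix), a small Python script that automates the hosts-file check described above and goes slightly beyond it: it parses the file, skips comments, and reports every mapping that is not the default 127.0.0.1 localhost, flagging names that mention CiD as well as any other added or redirected host. The sample hosts contents, the .invalid domains and the helper name check_hosts_file are constructed for this example.

```python
import os
from pathlib import Path

# Constructed sample: the Windows default hosts file plus two added lines of
# the kind the reply says to remove (placeholder .invalid domains).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       example-cid-adserver.invalid
10.0.0.5        update.example.invalid   # constructed: non-loopback redirect
"""

# The only mappings a clean hosts file is expected to carry.
EXPECTED = {("127.0.0.1", "localhost"), ("::1", "localhost")}

def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every active mapping, skipping
    blank lines, full-line comments and trailing inline comments."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            yield ip, name.lower(), line_no

def suspicious_entries(text, keyword="cid"):
    """Return (line_no, ip, hostname, reason) for every mapping that is not
    part of the default file, with a short note on why it matters."""
    findings = []
    for ip, name, line_no in parse_hosts(text):
        if (ip, name) in EXPECTED:
            continue
        if keyword in name:
            reason = f"hostname contains '{keyword}'"
        elif ip.startswith("127.") or ip == "::1":
            reason = "extra name pinned to loopback (site blocked or hijacked)"
        else:
            reason = "name redirected to a non-loopback address"
        findings.append((line_no, ip, name, reason))
    return findings

def check_hosts_file(path=r"%systemroot%\system32\drivers\etc\hosts"):
    """Run the check on the real file (path taken from the reply above)."""
    real = Path(os.path.expandvars(path))
    return suspicious_entries(real.read_text(errors="replace"))
```

On the constructed sample, suspicious_entries(SAMPLE_HOSTS) reports lines 5 and 6 and leaves the default localhost line alone; check_hosts_file() runs the same check against the machine's own hosts file.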

Posted

Looks like everything is gone! I haven't had any popups in a long time. The internet is running a bit faster now too...

Posted

If everything runs fine, remove ComboFix by typing combofix /u in the Run box. This will also reset System Restore so that you don't get reinfected by a possible restore later.

Posted

OK. Is it dangerous if I didn't delete it by typing combofix /u in the Run box? I just deleted it the normal way, because I deleted it before I read your reply.

Posted

It's not dangerous :), but I would think you may then need to check whether you have a folder or similar called combofix etc. Delete that manually as well.

In addition, it may be wise to reset System Restore:

Create a new System Restore point:

Accessories->System Tools->System Restore. Choose to create a new one. Name it and click Create.

Delete old System Restore points except the latest:

Accessories->System Tools->Disk Cleanup

Select drive C:. After a check, a window opens where you choose 'More Options'.

There, click 'Clean up...' in the System Restore section.
