Oleboloi Posted 2 May 2009

Hi! I'm going through a PC for my grandmother and hope someone can go through these logs to check that everything is OK... Thanks in advance for the help!

MBAM log:

Malwarebytes' Anti-Malware 1.36
Databaseversjon: 1949
Windows 5.1.2600 Service Pack 2

2009-05-02 21:24:56
mbam-log-2009-05-02 (21-24-56).txt

Skanntype: Full Skann (C:\|D:\|)
Objekter skannet: 128447
Tid tilbakelagt: 28 minute(s), 26 second(s)

Minneprosesser infisert: 0
Minnemoduler infisert: 0
Registernøkler infisert: 0
Registerverdier infisert: 0
Registerfiler infisert: 0
Mapper infisert: 0
Filer infisert: 7

Minneprosesser infisert:
(Ingen mistenkelige filer funnet)

Minnemoduler infisert:
(Ingen mistenkelige filer funnet)

Registernøkler infisert:
(Ingen mistenkelige filer funnet)

Registerverdier infisert:
(Ingen mistenkelige filer funnet)

Registerfiler infisert:
(Ingen mistenkelige filer funnet)

Mapper infisert:
(Ingen mistenkelige filer funnet)

Filer infisert:
C:\System Volume Information\_restore{7669B713-196C-4B12-9056-730C3AECDBA9}\RP538\A0193946.EXE (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7669B713-196C-4B12-9056-730C3AECDBA9}\RP538\A0193948.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7669B713-196C-4B12-9056-730C3AECDBA9}\RP538\A0193949.DLL (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7669B713-196C-4B12-9056-730C3AECDBA9}\RP539\A0197713.DLL (Adware.AskSBAR) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7669B713-196C-4B12-9056-730C3AECDBA9}\RP539\A0197714.dll (Adware.AskSBAR) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7669B713-196C-4B12-9056-730C3AECDBA9}\RP541\A0198807.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7669B713-196C-4B12-9056-730C3AECDBA9}\RP541\A0198810.exe (Rogue.Installer) -> Quarantined and deleted successfully.

ComboFix log:

ComboFix 09-05-02.4 - Eier 2009-05-02 22:21.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.511.326 [GMT 2:00]
Kjører fra: c:\documents and settings\Eier\Desktop\ComboFix.exe
 * Opprettet nytt gjenopprettingspunkt
ADVARSEL -DENNE MASKINEN HAR IKKE GJENOPPRETTINGSKONSOLLEN INSTALLERT !!
.

((((((((((((((((((((((((((((((((((((((( Andre slettinger )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Forrige skanning -------
.
c:\documents and settings\Eier\Application Data\Dxccwrd.dll
c:\documents and settings\Eier\Application Data\Dxcuknwrd.dll
c:\documents and settings\NetworkService\Local Settings\Temporary Internet Files\Dxc.log
c:\program files\Common Files\{1CCD4~1
c:\program files\Common Files\companion wizard
c:\program files\Common Files\companion wizard\compwiz.exe
c:\program files\Common Files\companion wizard\WapCHK.dll
c:\program files\Common Files\companion wizard\WapCHK{F614A6CE-F3B6-4262-91E3-5E7CB93CCC95}.dll
c:\windows\NDNuninstall5_64.exe
c:\windows\NDNuninstall6_38.exe
c:\windows\NDNuninstall6_90.exe
c:\windows\NDNuninstall6_98.exe
c:\windows\NDNuninstall7_14.exe
c:\windows\NDNuninstall7_22.exe
c:\windows\NDNuninstall7_48.exe
c:\windows\system32\stera.log
.
((((((((((((((((((((((((((((((((((((((( Drivere/Tjenester )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_FOPN

((((((((((((((((((((((((((( Filer Opprettet Fra 2009-04-02 til 2009-05-02 )))))))))))))))))))))))))))))))))
.
2009-05-02 19:39 . 2009-03-26 23:16 12672 ----a-w c:\windows\system32\drivers\cpuz132_x32.sys
2009-05-02 19:39 . 2009-05-02 19:39 -------- d-----w c:\program files\CPUID
2009-04-10 00:44 . 2009-04-10 01:05 -------- d-----w c:\windows\system32\CatRoot_bak
2009-04-08 12:37 . 2001-08-17 11:28 871388 -c--a-w c:\windows\system32\dllcache\bcmdm.sys
2009-04-08 12:36 . 2001-08-17 11:49 26624 -c--a-w c:\windows\system32\dllcache\alifir.sys
2009-04-08 12:36 . 2001-08-17 10:11 27678 -c--a-w c:\windows\system32\dllcache\ali5261.sys
2009-04-08 12:36 . 2001-08-17 12:07 56960 -c--a-w c:\windows\system32\dllcache\aic78xx.sys
2009-04-08 12:36 . 2001-08-17 12:07 55168 -c--a-w c:\windows\system32\dllcache\aic78u2.sys
2009-04-08 12:36 . 2001-08-17 11:52 12800 -c--a-w c:\windows\system32\dllcache\aha154x.sys
2009-04-08 12:12 . 2009-04-08 12:12 -------- d-sh--w C:\found.000
2009-04-08 00:50 . 2009-04-08 00:50 -------- d-----w c:\documents and settings\Eier\Local Settings\Application Data\Opera
2009-04-08 00:49 . 2009-04-08 00:49 -------- d-----w c:\documents and settings\Eier\Application Data\Malwarebytes
2009-04-08 00:49 . 2009-04-06 13:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-08 00:48 . 2009-04-06 13:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-08 00:48 . 2009-04-08 00:48 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-08 00:48 . 2009-04-08 08:10 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-07 22:43 . 2009-04-07 22:43 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-04-07 22:43 . 2009-04-07 22:43 -------- d-----w c:\program files\SUPERAntiSpyware
2009-04-07 22:43 . 2009-04-07 22:43 -------- d-----w c:\documents and settings\Eier\Application Data\SUPERAntiSpyware.com
2009-04-07 22:41 . 2009-04-07 22:41 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-04-07 22:35 . 2009-04-07 22:35 -------- d-----w c:\program files\CCleaner
2009-04-07 19:52 . 2009-04-07 19:52 -------- d-----w c:\documents and settings\Eier\Local Settings\Application Data\Apple
2009-04-07 19:51 . 2009-04-07 20:42 -------- d-----w c:\windows\SxsCaPendDel
.
(((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-02 20:21 . 2003-03-15 13:53 6 ---ha-w c:\windows\Tasks\SA.DAT
2009-04-08 00:22 . 2005-09-18 13:17 -------- d-----w c:\program files\Java
2009-04-07 21:51 . 2003-04-19 22:01 81312 ----a-w c:\documents and settings\Eier\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-07 20:26 . 2006-04-27 19:01 -------- d-----w c:\program files\Logitech
2009-04-07 20:14 . 2006-04-09 11:32 -------- d-----w c:\program files\Common Files\Teleca Shared
2009-04-07 20:10 . 2005-12-25 10:55 -------- d-----w c:\program files\Common Files\HP
2009-04-07 20:06 . 2003-04-24 16:58 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-07 20:02 . 2006-04-27 19:02 -------- d-----w c:\program files\Common Files\Logitech
2009-02-09 10:19 . 2002-08-29 12:00 1846272 ----a-w c:\windows\system32\win32k.sys
.
(((((((((((((((((((((((((((((((( Oppstartspunkter I Registeret )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Merk* tomme oppføringer & gyldige standardoppføringer vises ikke
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2002-11-18 4243456]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2001-08-17 28738]
"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2002-11-19 46592]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2002-11-18 315392]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Hurtigstart for Adobe Reader.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 10:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"aux"= ctwdm32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0stera

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Eier^Start Menu^Programs^Startup^Registration-Studio 7 SE.lnk]
path=c:\documents and settings\Eier\Start Menu\Programs\Startup\Registration-Studio 7 SE.lnk
backup=c:\windows\pss\Registration-Studio 7 SE.lnkStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R3 cpuz132;cpuz132;c:\windows\system32\drivers\cpuz132_x32.sys [2009-03-26 12672]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-03-23 7408]
R3 USBAAPL;Apple Mobile USB Driver; [x]
S0 DiMaint;Eicon Maintenance Driver;c:\windows\System32\DRIVERS\DISDN\dimaint.sys [2002-10-04 91312]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-03-23 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-03-23 72944]
S2 DiCapi;Eicon CAPI 2.0 Driver;c:\windows\system32\DRIVERS\DISDN\capi202k.sys [2002-10-04 181168]
S2 DiPort;Eicon Port Driver;c:\windows\system32\DRIVERS\DISDN\diport40.sys [2002-10-04 188416]
S3 DiWan;Eicon Driver for all Diva Client cards;c:\windows\system32\DRIVERS\DISDN\Diwan.sys [2002-10-04 911920]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f1b5b4aa-776b-11dd-9fb5-0020ed3cd391}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a
.
- - - - TOMME PEKERE FJERNET - - - -

Notify-Control Panel - c:\windows\system32\r0p8la7u1d.dll
.
------- Tilleggsskanning -------
.
uStart Page = hxxp://www.google.no/
uDefault_Search_URL = hxxp://ie.search.msn.com
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: statoil.com\athome
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-02 22:23
Windows 5.1.2600 Service Pack 2 NTFS

skanner skjulte prosesser ...

skanner skjulte autostart-oppføringer ...

skanner skjulte filer ...

skanning vellykket
skjulte filer: 0

**************************************************************************
.
--------------------- DLL'er Lastet Av Kjørende Prosesser ---------------------

- - - - - - - > 'winlogon.exe'(488)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
Tidspunkt ferdig: 2009-05-02 22:25
ComboFix-quarantined-files.txt 2009-05-02 20:25

Pre-Run: 32,144,093,184 bytes free
Post-Run: 32,194,486,272 bytes free

149 --- E O F --- 2009-04-11 16:46
snippsat Posted 4 May 2009 (edited)

Looks good. You can remove ComboFix by typing combofix /u from the Run window. This command deletes the quarantined files and backups, resets the System Restore folder, etc.

Check whether your software is up to date: Secunia

Surf safely.

Edited 4 May 2009 by SNIPPSAT