arwex Posted 2 July 2008

I'm getting these so-called CiD popups. Can someone check what might be the cause? Thanks! Here's the log:

C:\WINDOWS\system32\Desktop_.ini
.
((((((((((((((((((((((((( Files Created from 2008-06-02 to 2008-07-02 )))))))))))))))))))))))))))))))
.
2008-07-02 19:09 . 2008-07-02 19:39 <DIR> d-------- C:\Programfiler\Unlocker
2008-07-02 19:09 . 2008-07-02 19:09 <DIR> d-------- C:\Documents and Settings\Didier\Programdata\Desktopicon
2008-07-02 13:57 . 2008-07-02 13:57 <DIR> d-------- C:\Programfiler\Trend Micro
2008-07-02 12:11 . 2008-07-02 12:11 0 --a------ C:\WINDOWS\nsreg.dat
2008-07-01 12:03 . 2008-07-02 19:12 <DIR> d-------- C:\Programfiler\SUPERAntiSpyware
2008-07-01 12:03 . 2008-07-02 19:12 <DIR> d-------- C:\Documents and Settings\Didier\Programdata\SUPERAntiSpyware.com
2008-07-01 12:03 . 2008-07-01 12:03 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\SUPERAntiSpyware.com
2008-07-01 11:00 . 2008-07-01 11:00 3,400 --a------ C:\WINDOWS\system32\PerfStringBackup.TMP
2008-06-30 12:29 . 2008-06-30 12:29 268 --ah----- C:\sqmdata03.sqm
2008-06-30 12:29 . 2008-06-30 12:29 244 --ah----- C:\sqmnoopt03.sqm
2008-06-30 12:29 . 2008-06-30 12:29 172 --ah----- C:\sqmnoopt04.sqm
2008-06-30 12:29 . 2008-06-30 12:29 148 --ah----- C:\sqmdata04.sqm
2008-06-29 22:27 . 2006-10-26 19:56 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll
2008-06-29 22:26 . 2008-06-29 22:26 <DIR> d-------- C:\Programfiler\Microsoft Works
2008-06-29 22:25 . 2008-06-29 22:25 <DIR> d-------- C:\Programfiler\MSBuild
2008-06-29 22:24 . 2008-06-29 22:24 <DIR> d-------- C:\Programfiler\Microsoft.NET
2008-06-29 22:21 . 2008-06-29 22:21 <DIR> d-------- C:\Programfiler\Microsoft Visual Studio 8
2008-06-29 22:20 . 2008-06-29 22:25 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-06-29 22:19 . 2008-06-29 23:38 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Microsoft Help
2008-06-29 22:18 . 2008-06-29 22:18 <DIR> dr-h----- C:\MSOCache
2008-06-29 21:55 . 2008-06-29 21:55 <DIR> d-------- C:\Documents and Settings\Didier\Programdata\DAEMON Tools
2008-06-29 21:55 . 2008-06-29 21:55 717,296 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2008-06-29 18:28 . 2008-06-29 21:51 <DIR> d-------- C:\Programfiler\BitComet
2008-06-29 18:28 . 2008-07-02 19:35 <DIR> d-------- C:\Downloads
2008-06-29 18:28 . 2008-06-29 18:28 2,560 --a------ C:\WINDOWS\system32\bitcometres.dll
2008-06-24 16:35 . 2008-06-24 17:19 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Spybot - Search & Destroy
2008-06-24 11:59 . 2008-06-24 11:59 <DIR> d-------- C:\Programfiler\Fellesfiler\Skype
2008-06-24 11:59 . 2008-06-24 11:59 56 --ah----- C:\WINDOWS\system32\ezsidmv.dat
2008-06-20 23:47 . 2008-06-20 23:47 <DIR> d-------- C:\WINDOWS\Options
2008-06-20 23:47 . 2008-06-20 23:47 <DIR> d-------- C:\Documents and Settings\Didier\Programdata\InstallShield
2008-06-20 23:46 . 2008-06-20 23:46 <DIR> d-------- C:\Programfiler\Gigabyte
2008-06-20 22:15 . 2008-06-20 23:45 <DIR> d-------- C:\Programfiler\SAGEM(2)
2008-06-20 19:19 . 2005-08-02 00:06 2,048 --a------ C:\WINDOWS\system32\drivers\rt73.bin
2008-06-20 19:19 . 2005-08-19 15:51 138 --a------ C:\WINDOWS\filespec7x
2008-06-20 14:48 . 2008-06-20 23:46 <DIR> d-------- C:\Programfiler\Orange
2008-06-20 14:48 . 2008-06-20 14:48 <DIR> d-------- C:\Programfiler\Fellesfiler\France Telecom
2008-06-20 13:29 . 2008-06-20 23:46 <DIR> d-------- C:\Programfiler\Gigabyte(2)
2008-06-11 20:46 . 2008-06-11 20:46 <DIR> d-------- C:\Programfiler\MSECache
2008-06-11 20:45 . 2008-06-11 20:45 27,100,264 --a------ C:\PowerPointViewer.exe
2008-06-11 16:41 . 2008-06-11 16:41 <DIR> d-------- C:\Programfiler\Alwil Software
2008-06-11 10:06 . 2008-06-11 10:06 <DIR> d-------- C:\Documents and Settings\Didier\Programdata\ItsLabel
2008-06-11 10:04 . 2008-06-14 20:00 272,256 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 10:04 . 2008-06-14 20:00 272,256 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-10 23:15 . 2008-06-11 16:10 <DIR> d-------- C:\Programfiler\OpenOffice.org 2.4
2008-06-10 23:01 . 2008-06-11 16:06 <DIR> d-------- C:\Programfiler\EoRezo
2008-06-10 23:01 . 2008-06-11 16:06 <DIR> d-------- C:\Documents and Settings\Didier\Programdata\EoRezo
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-02 17:30 --------- d-----w C:\Programfiler\Windows Live
2008-07-02 17:12 --------- d-----w C:\Programfiler\Fellesfiler\Wise Installation Wizard
2008-07-02 14:04 --------- d-----w C:\Documents and Settings\Didier\Programdata\skypePM
2008-07-02 10:01 --------- d-----w C:\Documents and Settings\Didier\Programdata\Skype
2008-06-29 16:24 --------- d-----w C:\Documents and Settings\Didier\Programdata\LimeWire
2008-06-27 09:51 20 ---h--w C:\Documents and Settings\All Users\Programdata\PKP_DLec.DAT
2008-06-27 09:51 20 ---h--w C:\Documents and Settings\All Users\Programdata\PKP_DLds.DAT
2008-06-25 18:06 --------- d-----w C:\Documents and Settings\Didier\Programdata\FLAG BIKE
2008-06-20 21:47 --------- d--h--w C:\Programfiler\InstallShield Installation Information
2008-06-20 21:47 --------- d-----w C:\Programfiler\Atheros
2008-06-18 09:16 --------- d-----w C:\Programfiler\Fellesfiler\Adobe
2008-06-17 11:23 --------- d-----w C:\Documents and Settings\Didier\Programdata\Uniblue
2008-06-11 18:05 --------- d-----w C:\Documents and Settings\All Users\Programdata\avg8
2008-05-29 14:11 --------- d-----w C:\Documents and Settings\Didier\Programdata\SPAMfighter
2008-05-22 21:31 --------- d-----w C:\Documents and Settings\Didier\Programdata\AVGTOOLBAR
2008-05-18 17:46 --------- d-----w C:\Documents and Settings\Didier\Programdata\dvdcss
2008-05-18 11:22 --------- d-----w C:\Programfiler\Uniblue
2008-05-18 11:19 4,511,232 ----a-w C:\speedupmypc3aff.exe
2008-05-16 16:45 --------- d-----w C:\Programfiler\AVG
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-03-13 12:09 32 ----a-w C:\Documents and Settings\All Users\Programdata\ezsid.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2007-08-02 14:00 15360]
"Skype"="C:\Programfiler\Skype\Phone\Skype.exe" [2008-05-30 15:54 21718312]
"View Bird"="C:\DOCUME~1\Didier\PROGRA~1\FLAGBI~1\sixthbookkind.exe" [2008-06-25 20:03 523264]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GrooveMonitor"="C:\Programfiler\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2007-08-02 14:00 15360]

C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\
GN-WB01GS Utility.lnk - C:\Programfiler\Gigabyte\Gigabyte WB01GS Wireless USB Adapter\Installer\WINXP\GNConfig.exe [2008-04-25 22:33:52 720896]
Laptop Battery Power Monitor.lnk - C:\WINDOWS\Installer\{52384794-3FAE-456F-921E-CCB6F9D2BC18}\_F2F1DBB19E950C4AA5F9FC.exe [2008-03-10 23:28:59 26694]
NkbMonitor.exe.lnk - C:\Programfiler\Nikon\PictureProject\NkbMonitor.exe [2008-03-13 17:06:19 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= ffdshow.ax
"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Programfiler\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Programfiler\\Windows Live\\Messenger\\livecall.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Programfiler\\LimeWire\\LimeWire.exe"=
"C:\\Programfiler\\Messenger\\msmsgs.exe"=
"C:\\Programfiler\\BitComet\\BitComet.exe"=
"C:\\Programfiler\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Programfiler\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Programfiler\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Programfiler\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8932:TCP"= 8932:TCP:BitComet 8932 TCP
"8932:UDP"= 8932:UDP:BitComet 8932 UDP

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-16 01:20]
R1 Hotkey;Hotkey;C:\WINDOWS\system32\drivers\Hotkey.sys [2003-04-28 12:27]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-16 01:16]
S1 Wbutton;Wbutton;C:\WINDOWS\system32\drivers\Wbutton.sys []
S3 POWERKEY;POWERKEY;C:\Programfiler\Launch Manager\POWERKEY.sys [2000-12-19 19:29]
S3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;C:\WINDOWS\system32\DRIVERS\rt2870.sys [2007-03-13 13:35]
.
Contents of the 'Scheduled Tasks' folder
"2008-07-02 17:00:00 C:\WINDOWS\Tasks\ABB0808690733D66.job"
- c:\docume~1\didier\progra~1\flagbi~1\link hole grey.exe
"2008-06-28 08:09:34 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
- C:\Programfiler\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2008-05-18 11:23:08 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
- C:\Programfiler\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Second bat creative peak - C:\Documents and Settings\All Users\Programdata\Axis Readme Second Bat\wipe this.exe
HKLM-Run-UnlockerAssistant - C:\Programfiler\Unlocker\UnlockerAssistant.exe

**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-02 19:41:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Programfiler\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe
C:\Programfiler\Alwil Software\Avast4\ashServ.exe
C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe
C:\Programfiler\Internet Explorer\iexplore.exe
C:\Programfiler\Duomart.com\Laptop Battery Power Monitor\BatteryMonitor.exe
C:\Programfiler\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Completion time: 2008-07-02 19:44:39 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-02 17:44:36
Pre-Run: 37,526,134,784 byte ledig
Post-Run: 37,769,977,856 byte ledig

166 --- E O F --- 2008-06-29 21:38:59
norbat Posted 2 July 2008

Open Notepad and paste in what is shown in bold below, then save the file to the desktop as CFScript.txt. Then drag the file onto the ComboFix icon. ComboFix will start again.

File::
C:\DOCUME~1\Didier\PROGRA~1\FLAGBI~1
C:\WINDOWS\Tasks\ABB0808690733D66.job

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"View Bird"=-

Then check whether the hosts file contains any lines related to CiD:
Click: Start -> Run
Type/paste: notepad %systemroot%\system32\drivers\etc\hosts and click OK
The hosts file will open in Notepad. The last line that should be there is
127.0.0.1 localhost
Remove any entries with CiD.
Let me know how it goes with the problem.
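A defender's triage pass over the "Reg Loading Points" and 'Scheduled Tasks' sections of a ComboFix log, as an added example (not code from this thread or from ComboFix): it flags autostart entries whose target runs from a user profile's Application Data directory (the 8.3 form DOCUME~1\<user>\PROGRA~1, as "View Bird" does) and task files with random-looking hex names, which are exactly the two entries the CFScript above removes. The sample lines are constructed by copying values from the posted log; the regexes and the profile-path heuristic are this example's own assumptions.

```python
import re

# Constructed sample in the shape ComboFix prints its "Reg Loading Points" and
# 'Scheduled Tasks' sections; the values are copied from the log posted above.
SAMPLE_LOG = r'''
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2007-08-02 14:00 15360]
"Skype"="C:\Programfiler\Skype\Phone\Skype.exe" [2008-05-30 15:54 21718312]
"View Bird"="C:\DOCUME~1\Didier\PROGRA~1\FLAGBI~1\sixthbookkind.exe" [2008-06-25 20:03 523264]

Contents of the 'Scheduled Tasks' folder
"2008-07-02 17:00:00 C:\WINDOWS\Tasks\ABB0808690733D66.job"
- c:\docume~1\didier\progra~1\flagbi~1\link hole grey.exe
"2008-05-18 11:23:08 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
- C:\Programfiler\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
'''

RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"')
TASK_RE = re.compile(r'^"[\d\- :]+ [^"]*\\(?P<job>[^"\\]+\.job)" - (?P<path>.+)$')
# Heuristic (this example's assumption): an autostart target under a user's
# Application Data, in 8.3 form (DOCUME~1\<user>\PROGRA~1) or the long form.
PROFILE_RE = re.compile(
    r'\\(docume~1|documents and settings)\\[^\\]+\\(progra~1|programdata|application data)\\',
    re.I)
# Heuristic: a task file named like a hex blob instead of a product name.
HEX_JOB_RE = re.compile(r'^[0-9A-F]{12,}\.job$', re.I)


def triage(log_text):
    """Return (kind, name, path, reason) for the autostart entries worth a look."""
    # ComboFix prints a task's target on the line after its name; join them.
    text = re.sub(r'\.job"\n- ', '.job" - ', log_text)
    findings = []
    for line in text.splitlines():
        m = RUN_RE.match(line)
        if m:
            if PROFILE_RE.search(m['path']):
                findings.append(('run', m['name'], m['path'], 'autostart from user profile'))
            continue
        m = TASK_RE.match(line)
        if m:
            reasons = []
            if PROFILE_RE.search(m['path']):
                reasons.append('task target in user profile')
            if HEX_JOB_RE.match(m['job']):
                reasons.append('random-looking task name')
            if reasons:
                findings.append(('task', m['job'], m['path'], '; '.join(reasons)))
    return findings
```

Running `triage(SAMPLE_LOG)` reports only the "View Bird" Run value and the ABB0808690733D66.job task; the Skype, CTFMON and Uniblue entries pass.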
arwex (thread author) Posted 3 July 2008

Looks like everything is gone! I haven't had any popups for a long time. The internet is a bit faster now too...
norbat Posted 3 July 2008

If everything is running fine, remove ComboFix by typing combofix /u in the Run box. This will also reset System Restore so that you don't get reinfected by a later restore.
arwex (thread author) Posted 3 July 2008

OK. Is it dangerous if I didn't remove it by typing combofix /u in the Run box? I just deleted it the normal way, because I deleted it before I read your reply.
norbat Posted 3 July 2008

It's not dangerous, but I'd think you may then need to check whether you have a folder or similar named combofix etc. Delete that manually as well. It's also a good idea to reset System Restore:

Create a new System Restore point: Accessories -> System Tools -> System Restore. Choose to create a new one. Name it and click Create.

Delete the old restore points except the latest: Accessories -> System Tools -> Disk Cleanup. Select drive C:. After a check, a window opens where you choose 'More Options'. There, click 'Clean up...' in the System Restore section.