
Combofix Log


  • This topic is locked
3 replies to this topic

#1 mariankun

mariankun

  • Members
  • 3 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:04 PM

Posted 13 May 2008 - 06:26 AM

Hi everybody, could somebody be so kind and help me with a problem of an unknown virus on the CPU, which causes my PC to work slowly, and also the mouse sometimes doesn't work normally.
I've got maybe 6 or 8 svchost.exe open in the CPU and it causes from 30% to 80% of usage.

ComboFix 08-05-12.1 - marian 2008-05-13 12:26:06.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.532 [GMT 2:00]
Running from: C:\Documents and Settings\IBG\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\IBG\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((( Files Created from 2008-04-13 to 2008-05-13 )))))))))))))))))))))))))))))))
.

2008-05-13 09:30 . 2007-08-23 11:50 <DIR> d-------- C:\Documents and Settings\quentin.D520-KUN\Application Data\Intel
2008-05-13 09:30 . 2008-05-13 09:30 <DIR> d-------- C:\Documents and Settings\quentin.D520-KUN
2008-05-13 09:30 . 2008-05-13 11:43 1,024 --ah----- C:\Documents and Settings\quentin.D520-KUN\ntuser.dat.LOG
2008-05-12 16:08 . 2008-05-12 16:07 512,096 --a------ C:\WINDOWS\system32\drivers\amon.sys
2008-05-12 16:08 . 2008-05-12 16:07 15,424 --a------ C:\WINDOWS\system32\drivers\nod32drv.sys
2008-05-12 13:16 . 2007-04-17 11:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-05-12 13:16 . 2007-03-08 07:10 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-05-12 13:16 . 2008-03-01 15:06 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-05-12 13:16 . 2008-03-01 15:06 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-05-12 13:16 . 2008-03-01 15:06 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-05-12 13:16 . 2008-03-01 15:06 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-05-12 13:16 . 2008-03-01 15:06 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-05-12 13:16 . 2008-02-22 12:00 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-05-12 13:15 . 2008-05-12 13:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Uniblue
2008-05-12 13:15 . 2008-03-01 15:06 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-05-12 13:10 . 2008-05-12 13:10 <DIR> d-------- C:\Documents and Settings\IBG\Application Data\System Tweaker
2008-05-12 11:59 . 2008-05-13 12:14 <DIR> d-------- C:\___Uniblue
2008-05-12 11:29 . 2008-05-12 13:21 <DIR> d-------- C:\Program Files\Uniblue
2008-05-12 11:29 . 2008-05-12 13:21 <DIR> d-------- C:\Documents and Settings\IBG\Application Data\Uniblue
2008-05-07 07:49 . 2008-05-07 07:49 <DIR> d-------- C:\z_Drivers
2008-04-18 09:42 . 2008-04-18 13:36 <DIR> d-------- C:\fabia
2008-04-16 11:33 . 2008-04-16 11:35 867 --a------ C:\WINDOWS\setup.iss
2008-04-16 09:15 . 2008-04-16 09:42 <DIR> d-------- C:\___Dubnica

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-12 14:18 --------- d-----w C:\Program Files\ESET
2008-05-12 14:07 298,104 ----a-w C:\WINDOWS\system32\imon.dll
2008-05-12 13:40 --------- d-----w C:\Program Files\Trillian
2008-05-12 09:43 --------- d-----w C:\Documents and Settings\IBG\Application Data\Azureus
2008-05-07 05:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\QuickTime
2008-04-28 07:14 --------- d-----w C:\Program Files\ALFA
2008-04-16 10:49 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-05 15:22 --------- d-----w C:\Program Files\Terminal Reality
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-18 05:59 --------- d-----w C:\Documents and Settings\IBG\Application Data\Autodesk
2008-03-18 05:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Autodesk
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2007-07-16 13:24 16 -c--a-w C:\Documents and Settings\IBG\psoV91.dll
2007-05-04 07:04 16 -c--a-w C:\Documents and Settings\IBG\ptsA62.dll
2006-11-16 15:39 1,663 -c--a-w C:\WINDOWS\inf\COM96.tmp
2007-06-13 10:23 862,720 --sh--r C:\WINDOWS\system32\dllbrun.exe
.

((((((((((((((((((((((((((((( snapshot@2008-05-13_10.12.44.54 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-13 08:06:52 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-13 09:43:04 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-05-13 07:31:09 65,442 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-05-13 09:47:46 65,442 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-05-13 07:31:09 409,672 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-05-13 09:47:46 409,672 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DriverLoad"="" []
"DriverCheck"="" []
"SystemDriverLoad"="" []
"SystemDriver"="" []
"FDriver"="" []
"ADriver"="" []
"CDriver"="c:\z_Drivers\svchost.exe" [2008-05-07 07:49 198144]
"DDriver"="c:\z_Drivers\svchost.exe" [2008-05-07 07:49 198144]
"alpha"="c:\z_Drivers\svchost.exe" [2008-05-07 07:49 198144]
"beta"="c:\z_Drivers\svchost.exe" [2008-05-07 07:49 198144]
"gamma"="c:\z_Drivers\svchost.exe" [2008-05-07 07:49 198144]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 12:00 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"CDriver"= c:\z_Drivers\svchost.exe
"DDriver"= c:\z_Drivers\svchost.exe
"alpha"= c:\z_Drivers\svchost.exe
"beta"= c:\z_Drivers\svchost.exe
"gamma"= c:\z_Drivers\svchost.exe
path=
backup=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Trillian\\trillian.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\WINDOWS\\system32\\dllbrun.exe"=
"C:\\Program Files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe"=
"C:\\Program Files\\Mobility Manager\\Mobility Manager\\FMM.exe"=
"C:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 d346bus;d346bus;C:\WINDOWS\system32\DRIVERS\d346bus.sys [2004-03-12 23:41]
R0 d346prt;d346prt;C:\WINDOWS\system32\Drivers\d346prt.sys [2004-03-12 23:41]
R2 DLSDB;Dell Printer Status Database;c:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE [2004-03-12 00:00]
R2 FMMService;Mobility Manager Service;C:\Program Files\Mobility Manager\Mobility Manager\FMMService.exe [2005-11-10 19:30]
R3 ft1000;Flarion Flash OFDM wireless service;C:\WINDOWS\system32\DRIVERS\ft1000.sys [2006-09-13 18:38]
R3 PSched;QoS Packet Scheduler;C:\WINDOWS\system32\DRIVERS\psched.sys [2004-08-04 12:00]

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-05-12 11:12:16 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2008-05-12 11:12:14 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2008-05-12 11:15:51 C:\WINDOWS\Tasks\Uniblue SpyEraser.job"
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-13 12:33:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\Program Files\Eset\pr_imon.dll
.
Completion time: 2008-05-13 12:35:24
ComboFix-quarantined-files.txt 2008-05-13 10:34:46
ComboFix2.txt 2008-05-13 09:21:38
ComboFix3.txt 2008-05-13 09:04:37
ComboFix4.txt 2008-05-13 08:30:11
ComboFix5.txt 2008-05-13 08:13:03

Pre-Run: 34,025,447,424 bytes free
Post-Run: 34,229,829,632 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

144 --- E O F --- 2008-05-12 11:41:06


Thanks for the help.


#2 mariankun

mariankun
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:04 PM

Posted 13 May 2008 - 06:49 AM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:49:08, on 13.5.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
c:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Mobility Manager\Mobility Manager\FMMService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
c:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLPWDNT.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\AcroTray.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trillian\trillian.exe
C:\z_Drivers\svchost.exe
C:\z_Drivers\svchost.exe
C:\z_Drivers\svchost.exe
C:\z_Drivers\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\z_Drivers\svchost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.sk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CDriver] c:\z_Drivers\svchost.exe
O4 - HKCU\..\Run: [DDriver] c:\z_Drivers\svchost.exe
O4 - HKCU\..\Run: [alpha] c:\z_Drivers\svchost.exe
O4 - HKCU\..\Run: [beta] c:\z_Drivers\svchost.exe
O4 - HKCU\..\Run: [gamma] c:\z_Drivers\svchost.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [CDriver] c:\z_Drivers\svchost.exe
O4 - HKLM\..\Policies\Explorer\Run: [DDriver] c:\z_Drivers\svchost.exe
O4 - HKLM\..\Policies\Explorer\Run: [alpha] c:\z_Drivers\svchost.exe
O4 - HKLM\..\Policies\Explorer\Run: [beta] c:\z_Drivers\svchost.exe
O4 - HKLM\..\Policies\Explorer\Run: [gamma] c:\z_Drivers\svchost.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Dell Printer Status Watcher (DLPWD) - Dell Inc. - c:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLPWDNT.EXE
O23 - Service: Dell Printer Status Database (DLSDB) - Dell Inc. - c:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Mobility Manager Service (FMMService) - Flarion Technologies, Inc. - C:\Program Files\Mobility Manager\Mobility Manager\FMMService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 4267 bytes
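Three things in the two logs above stand out to anyone triaging them: several svchost.exe processes run from C:\z_Drivers instead of C:\WINDOWS\System32, the same file is registered under many value names (CDriver, DDriver, alpha, beta, gamma), and it is registered both in HKCU\..\Run and in HKLM\..\Policies\Explorer\Run, a key that legitimate installers rarely touch. The script below is an added example (mine, not part of this thread, of ComboFix or of HijackThis) that parses a HijackThis-style log and flags exactly those three signals. The sample input is an excerpt of the HijackThis log posted above; EXPECTED_DIR is an assumption about where the genuine binaries live on a Windows XP x86 install, and the function names are mine.

```python
"""Triage a HijackThis log for svchost.exe masquerading and autorun persistence.

Added example: not code from the thread or from the HijackThis tool.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Assumption: where the genuine copies of these binaries live on Windows XP x86.
# A real svchost.exe never runs from anywhere but System32.
EXPECTED_DIR = {
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "smss.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "spoolsv.exe": r"c:\windows\system32",
    "ctfmon.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

# HijackThis O4 line: "O4 - <key>: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")

# Excerpt of the HijackThis log posted in this thread (constructed subset).
SAMPLE_HJT = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trillian\trillian.exe
C:\z_Drivers\svchost.exe
C:\z_Drivers\svchost.exe
C:\z_Drivers\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\z_Drivers\svchost.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CDriver] c:\z_Drivers\svchost.exe
O4 - HKCU\..\Run: [alpha] c:\z_Drivers\svchost.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [CDriver] c:\z_Drivers\svchost.exe
O4 - HKLM\..\Policies\Explorer\Run: [alpha] c:\z_Drivers\svchost.exe
"""


def exe_path(cmd):
    """Executable path from an autorun command line (strips quotes and arguments)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    m = re.match(r"(.+?\.exe)(\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def is_masquerade(path):
    """True when the file name is a core Windows binary but its directory is not the expected one."""
    p = PureWindowsPath(path)
    expected = EXPECTED_DIR.get(p.name.lower())
    return expected is not None and str(p.parent).lower() != expected


def parse_processes(text):
    """Paths listed under 'Running processes:' up to the first blank line."""
    procs, active = [], False
    for line in text.splitlines():
        if line.strip() == "Running processes:":
            active = True
            continue
        if active:
            if not line.strip():
                break
            procs.append(line.strip())
    return procs


def parse_autoruns(text):
    """(registry key, value name, executable path) for every O4 line."""
    out = []
    for line in text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            out.append((m["key"], m["name"], exe_path(m["cmd"])))
    return out


def triage(text):
    """Return the three signals: masquerading processes, suspicious autoruns, shared targets."""
    findings = {"masquerading_processes": [], "suspicious_autoruns": [], "shared_autorun_targets": {}}
    for p in parse_processes(text):
        if is_masquerade(p):
            findings["masquerading_processes"].append(p)
    by_target = defaultdict(list)
    for key, name, path in parse_autoruns(text):
        by_target[path.lower()].append((key, name))
        # Flag a masquerading binary, or any use of Policies\Explorer\Run,
        # which legitimate software seldom sets but malware uses for persistence.
        if is_masquerade(path) or "policies\\explorer\\run" in key.lower():
            findings["suspicious_autoruns"].append((key, name, path))
    # One file registered under several names or keys (CDriver/alpha/...) is a persistence pattern.
    findings["shared_autorun_targets"] = {t: v for t, v in by_target.items() if len(v) > 1}
    return findings


if __name__ == "__main__":
    for category, items in triage(SAMPLE_HJT).items():
        print(category, items)
```

Run it on any saved HijackThis log by reading the file into `triage()` instead of `SAMPLE_HJT`. The masquerade check is deliberately strict about the directory rather than the file name, because the only clue here is the path: the file name, the process count and the registry value names are all chosen to look like system plumbing.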

#3 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:06:04 PM

Posted 31 May 2008 - 12:07 PM

Hi,

The forums are really busy, that explains why logs get behind. If you still need some help, please start with posting a new log in this thread. Don't start with a new thread.
Then I'll take a look. :thumbsup:
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:06:04 PM

Posted 09 June 2008 - 07:24 AM

Since there is no feedback anymore, I assume this issue is resolved ... so, this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.