
Combofix


  • This topic is locked
2 replies to this topic

#1 Ishockey12345

  • Members
  • 1 posts

Posted 03 October 2010 - 07:46 AM

Hi,

Can anyone help me see whether my computer is infected with spyware or something else? I have a suspicion of that but can't prove it.

Grateful for some help.

This is the log of Combofix:


ComboFix 10-10-02.02 - husdator 2010-10-03 14:12:58.1.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.3.1252.46.1033.18.1023.530 [GMT 2:00]
Running from: c:\documents and settings\husdator\Desktop\ComboFix.exe
AV: ESET NOD32 Antivirus 4.2 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

WARNING - THE RECOVERY CONSOLE IS NOT INSTALLED ON THIS COMPUTER !!
.

(((((((((((((((((((((((( Files Created from 2010-09-03 to 2010-10-03 ))))))))))))))))))))))))))))))
.

2010-10-02 12:28 . 2010-10-02 12:28 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-17 13:17 . 2005-06-10 21:53 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-07 21:49 . 2010-08-07 21:49 503808 ----a-w- c:\documents and settings\husdator\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-72844770-n\msvcp71.dll
2010-08-07 21:49 . 2010-08-07 21:49 499712 ----a-w- c:\documents and settings\husdator\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-72844770-n\jmc.dll
2010-08-07 21:49 . 2010-08-07 21:49 348160 ----a-w- c:\documents and settings\husdator\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-72844770-n\msvcr71.dll
2010-08-07 21:49 . 2010-08-07 21:49 61440 ----a-w- c:\documents and settings\husdator\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-5fa4639a-n\decora-sse.dll
2010-08-07 21:49 . 2010-08-07 21:49 12800 ----a-w- c:\documents and settings\husdator\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-5fa4639a-n\decora-d3d.dll
2010-08-04 09:50 . 2010-08-04 09:50 140752 ----a-w- c:\windows\system32\drivers\eamon.sys
2010-08-03 11:28 . 2010-08-03 11:28 95896 ----a-w- c:\windows\system32\drivers\epfwtdir.sys
2010-07-31 07:56 . 2010-07-31 07:56 503808 ----a-w- c:\documents and settings\samuel\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-19fe1be4-n\msvcp71.dll
2010-07-31 07:56 . 2010-07-31 07:56 499712 ----a-w- c:\documents and settings\samuel\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-19fe1be4-n\jmc.dll
2010-07-31 07:56 . 2010-07-31 07:56 348160 ----a-w- c:\documents and settings\samuel\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-19fe1be4-n\msvcr71.dll
2010-07-31 07:56 . 2010-07-31 07:56 61440 ----a-w- c:\documents and settings\samuel\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-609dd0c3-n\decora-sse.dll
2010-07-31 07:56 . 2010-07-31 07:56 12800 ----a-w- c:\documents and settings\samuel\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-609dd0c3-n\decora-d3d.dll
2010-07-29 11:31 . 2010-07-29 11:31 115008 ----a-w- c:\windows\system32\drivers\ehdrv.sys
2010-07-22 15:49 . 2004-08-10 17:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-22 05:57 . 2010-05-11 11:28 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-07-17 03:00 . 2010-06-15 15:21 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-09 14:46 . 2010-05-11 10:15 38779904 ----a-w- c:\program files\eav_nt32_sve.msi
.

(((((((((((((((((((((((((((((((((( Registry Startup Points )))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* Empty entries & legitimate default entries are not shown.
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"SoundMan"="SOUNDMAN.EXE" [2005-08-17 90112]
"CTHelper"="CTHELPER.EXE" [2005-08-07 16384]
"CTxfiHlp"="CTXFIHLP.EXE" [2005-08-07 18944]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-02-10 61440]
"iHP-100"="c:\program files\iRiver\iHP100\iHPDetect.exe" [2003-08-25 28672]
"Samsung PanelMgr"="c:\windows\Samsung\PanelMgr\SSMMgr.exe" [2008-08-08 524288]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2010-08-12 2215064]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\System32\\usmt\\migwiz.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2010-07-29 115008]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2010-08-03 95896]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2010-08-12 810144]
R3 SIS163u;SiS163 usb Wireless LAN Adapter Driver;c:\windows\system32\drivers\sis163u.sys [2010-05-11 215040]
S2 SSPORT;SSPORT;\??\c:\windows\system32\Drivers\SSPORT.sys --> c:\windows\system32\Drivers\SSPORT.sys [?]
.
Contents of the 'Scheduled Tasks' folder:

2010-07-25 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2010-05-19 23:20]

2010-10-02 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2010-05-19 23:20]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\husdator\Application Data\Mozilla\Firefox\Profiles\cq7itc2z.default\
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICY ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".se");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-10-03 14:15
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTHelper = CTHELPER.EXE?
CTxfiHlp = CTXFIHLP.EXE?

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(896)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3756)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
Completion time: 2010-10-03 14:17:07
ComboFix-quarantined-files.txt 2010-10-03 12:17

Pre-Run: 14 717 665 280 bytes free
Post-Run: 15 210 905 600 bytes free

- - End Of File - - FA7447D0986C0C4E0C07A6D4C417711F

Edited by hamluis, 03 October 2010 - 10:09 AM.
Moved from Introductions to Malware Removal Logs ~ Hamluis.
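A first pass over a ComboFix report like the one above is mostly pattern matching: the AV header, the firewall policy key, the Run values, the R*/S* driver and service lines, and the scheduled tasks. The script below is an added example and is not code from this thread, from the posters, or from ComboFix; it parses those sections and turns them into a short list of findings. The severity labels and heuristics are this example's own, and the sample input is a constructed excerpt of lines copied from the log posted above (with the section text in English), not a full report.

```python
"""Triage helper for ComboFix-style logs.

Added example, not code from the thread or from ComboFix. It parses the parts of
the report a helper reads first (AV header, firewall policy, Run keys, drivers
and services, scheduled tasks) and turns them into a list of findings. The
severity heuristics are this example's own, not ComboFix's.
"""
import re
from dataclasses import dataclass

# Constructed excerpt: lines copied from the log posted above, with section
# text in English. A real report has many more lines; the parser ignores
# anything it does not recognise.
SAMPLE_LOG = r"""
AV: ESET NOD32 Antivirus 4.2 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

WARNING - THE RECOVERY CONSOLE IS NOT INSTALLED ON THIS COMPUTER !!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2005-08-17 90112]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2010-08-12 2215064]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2010-08-12 810144]
S2 SSPORT;SSPORT;\??\c:\windows\system32\Drivers\SSPORT.sys --> c:\windows\system32\Drivers\SSPORT.sys [?]

2010-07-25 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2010-05-19 23:20]
"""

# Line shapes used by the report sections this example reads.
RUN_ENTRY = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s+\[(?P<date>\S+)\s+(?P<size>\d+)\]$')
SERVICE = re.compile(r'^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<desc>[^;]*);(?P<path>.+?)\s+\[(?P<info>[^\]]*)\]$')
TASK = re.compile(r'^\d{4}-\d{2}-\d{2}\s+(?P<job>\S+\.job)$')
FIREWALL = re.compile(r'^"EnableFirewall"=\s*(?P<value>\d+)')
DRIVE_PATH = re.compile(r'^[a-z]:\\', re.IGNORECASE)


@dataclass
class Finding:
    severity: str  # "high", "medium" or "info"
    item: str      # what the finding is about
    detail: str    # the evidence, lifted from the log line


def parse_log(text: str) -> list[Finding]:
    """Walk the report once and collect findings worth a helper's attention."""
    findings: list[Finding] = []
    lines = text.splitlines()
    for i, raw in enumerate(lines):
        line = raw.strip()
        if line.startswith("AV:") and "scanning disabled" in line.lower():
            # The header says the AV's on-access (real-time) scanner is off.
            findings.append(Finding("high", "real-time AV protection disabled", line))
        elif "RECOVERY CONSOLE" in line and "NOT INSTALLED" in line:
            # ComboFix wants the Recovery Console present before any fix run.
            findings.append(Finding("info", "Recovery Console not installed", line))
        elif (m := FIREWALL.match(line)):
            if m.group("value") == "0":
                findings.append(Finding("high", "Windows Firewall disabled", line))
        elif (m := RUN_ENTRY.match(line)):
            # A Run value that is a bare file name is resolved through the
            # search path at logon; the helper has to locate the binary by hand.
            if not DRIVE_PATH.match(m.group("path")):
                findings.append(Finding("medium", f"Run entry {m.group('name')!r} has no full path", m.group("path")))
        elif (m := SERVICE.match(line)):
            # "[?]" means ComboFix could not find or read the service's file.
            if m.group("info") == "?":
                findings.append(Finding("medium", f"service {m.group('name')!r} points to an unverifiable file", m.group("path")))
        elif (m := TASK.match(line)):
            # The target of a .job follows on the next line, prefixed with "- ".
            target = lines[i + 1].strip().lstrip("- ") if i + 1 < len(lines) else ""
            findings.append(Finding("info", f"scheduled task {m.group('job')}", target))
    return findings


def count_by_severity(findings: list[Finding]) -> dict[str, int]:
    """Summarise a finding list as {severity: count}."""
    counts = {"high": 0, "medium": 0, "info": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    for f in parse_log(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.item}: {f.detail}")
```

Run against the excerpt it reports the two settings a helper would ask about first (real-time AV scanning off, firewall off), the Run value and the driver it could not resolve to a file on disk, and the scheduled task, while staying silent on the fully qualified ESET entries. It is a reading aid, not a verdict: every finding still has to be checked by hand before anything is removed.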




#2 m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 09 October 2010 - 04:36 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#3 m0le

Posted 13 October 2010 - 06:13 PM

This topic has been closed.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.



