Combofix log


  • This topic is locked
2 replies to this topic

#1 Toxick

  • Members

Posted 14 March 2011 - 01:23 PM

Hey,
I seem to have some malware or something on my laptop. If I am idle for a while, it starts to open up all kinds of webpages with commercials on them; this really slows my PC.
I knew ComboFix is a very good program for stuff like this, so I let it run on my PC.
After that it seemed to be OK, but I will post this log to see if there are any other issues...

Greetings Toxick

ComboFix 11-03-13.02 - ToxicK 14/03/2011 18:37:09.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.32.1043.18.3070.1983 [GMT 1:00]
Running from: c:\users\ToxicK\AppData\Local\Temp\uea00000\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\ToxicK\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.3 .lnk
c:\windows\system32\sshnas21.dll
.
.
(((((((((((((((((((( Files Created from 2011-02-14 to 2011-03-14 ))))))))))))))))))))))))))))))
.
.
2011-03-14 17:45 . 2011-03-14 17:45 -------- d-----w- c:\users\Public\AppData\Local\temp
2011-03-14 17:45 . 2011-03-14 17:45 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-03-14 15:29 . 2011-03-14 15:29 137728 ----a-w- c:\windows\Fmepea.exe
2011-03-14 15:23 . 2010-07-30 17:35 17136 ----a-w- c:\windows\system32\sasnative32.exe
2011-03-14 15:21 . 2011-03-14 15:21 -------- d-----w- c:\users\ToxicK\AppData\Roaming\Systweak
2011-03-12 14:37 . 2011-03-12 14:37 -------- d-----w- c:\program files\Conduit
2011-03-12 14:36 . 2011-03-12 23:12 -------- d-----w- c:\users\ToxicK\AppData\Roaming\BitTorrent
2011-03-11 15:27 . 2011-02-11 06:54 5943120 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{C87450B3-79EF-44BD-A138-FD1C562D921F}\mpengine.dll
2011-03-10 21:06 . 2010-12-29 17:41 323072 ----a-w- c:\windows\system32\sbe.dll
2011-03-10 21:06 . 2010-12-29 17:41 153088 ----a-w- c:\windows\system32\sbeio.dll
2011-03-10 21:06 . 2010-12-29 17:41 429056 ----a-w- c:\windows\system32\EncDec.dll
2011-03-10 21:06 . 2010-12-29 17:39 177664 ----a-w- c:\windows\system32\mpg2splt.ax
2011-03-10 21:03 . 2010-12-17 16:43 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-03-10 21:03 . 2010-12-17 15:06 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-02-23 22:03 . 2009-10-09 21:56 2048 ----a-w- c:\windows\system32\winrsmgr.dll
2011-02-23 22:03 . 2009-10-09 21:56 12800 ----a-w- c:\windows\system32\wsmprovhost.exe
2011-02-23 22:03 . 2009-10-09 21:56 20480 ----a-w- c:\windows\system32\winrshost.exe
2011-02-23 22:03 . 2009-10-09 21:56 40448 ----a-w- c:\windows\system32\winrs.exe
2011-02-23 22:03 . 2009-10-09 21:56 10240 ----a-w- c:\windows\system32\wsmplpxy.dll
2011-02-23 22:03 . 2009-10-09 21:56 10240 ----a-w- c:\windows\system32\winrssrv.dll
2011-02-23 22:03 . 2009-10-09 21:56 41472 ----a-w- c:\windows\system32\pwrshplugin.dll
2011-02-23 22:03 . 2009-10-09 21:55 79872 ----a-w- c:\windows\system32\wecutil.exe
2011-02-23 22:03 . 2009-10-09 21:55 54272 ----a-w- c:\windows\system32\WsmRes.dll
2011-02-23 22:03 . 2009-10-09 21:55 146944 ----a-w- c:\windows\system32\wecsvc.dll
2011-02-23 22:03 . 2009-10-09 21:55 81408 ----a-w- c:\windows\system32\wevtfwd.dll
2011-02-23 22:03 . 2009-10-09 21:55 56320 ----a-w- c:\windows\system32\wecapi.dll
2011-02-23 22:02 . 2009-08-01 06:27 201184 ----a-w- c:\windows\system32\winrm.vbs
2011-02-23 22:02 . 2009-10-09 21:56 1181696 ----a-w- c:\windows\system32\WsmSvc.dll
2011-02-23 22:02 . 2009-10-09 21:56 214016 ----a-w- c:\windows\system32\WsmWmiPl.dll
2011-02-23 22:02 . 2009-10-09 21:56 241152 ----a-w- c:\windows\system32\winrscmd.dll
2011-02-23 22:02 . 2009-10-09 21:56 246272 ----a-w- c:\windows\system32\WSManHTTPConfig.exe
2011-02-23 22:02 . 2009-10-09 21:56 145408 ----a-w- c:\windows\system32\WsmAuto.dll
2011-02-23 22:02 . 2009-10-09 21:55 252416 ----a-w- c:\windows\system32\WSManMigrationPlugin.dll
2011-02-19 11:59 . 2011-02-19 11:59 -------- d-----w- c:\users\ToxicK\AppData\Local\LaCie
2011-02-19 11:59 . 2011-02-19 11:59 -------- d-----w- c:\program files\LaCie
2011-02-14 18:31 . 2011-02-14 18:31 -------- d-----w- c:\users\ToxicK\AppData\Roaming\OpenOffice.org
2011-02-14 18:28 . 2011-02-14 18:28 -------- d-----w- c:\program files\OpenOffice.org 3
2011-02-14 18:26 . 2011-02-14 18:26 -------- d-----w- c:\program files\Common Files\Java
2011-02-14 18:26 . 2011-02-14 18:26 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2011-02-14 18:26 . 2011-02-14 18:26 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-14 18:26 . 2011-02-14 18:26 -------- d-----w- c:\program files\Java
.
.
((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-02 16:11 . 2010-12-19 11:29 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-01-08 07:50 . 2011-02-10 07:00 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-01-08 05:57 . 2011-02-10 07:00 292352 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:25 . 2011-02-10 07:00 2038784 ----a-w- c:\windows\system32\win32k.sys
2010-12-28 14:57 . 2011-01-12 19:47 409600 ----a-w- c:\windows\system32\odbc32.dll
2010-12-20 15:40 . 2011-02-10 07:00 833024 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 15:37 . 2011-02-10 07:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-12-20 14:12 . 2011-02-10 07:00 389632 ----a-w- c:\windows\system32\html.iec
2010-12-20 13:51 . 2011-02-10 07:00 1383424 ----a-w- c:\windows\system32\mshtml.tlb
2010-12-19 19:42 . 2010-12-19 19:42 165 ----a-w- c:\windows\bcdtmp.cmd
2010-12-19 19:42 . 2010-12-19 19:42 1183 ----a-w- c:\windows\bcdtmp.tmp
2010-12-19 11:07 . 2010-12-19 11:07 6 ----a-w- c:\windows\silentOnce.tmp
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
@="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"
[HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
2008-04-30 01:55 4232968 ----a-w- c:\program files\Protector Suite QL\farchns.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
@="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"
[HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
2008-04-30 01:55 4232968 ----a-w- c:\program files\Protector Suite QL\farchns.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaCie Ethernet Agent Startup"="c:\program files\LaCie\Network Assistant\LaCie Network Assistant.exe" [2010-05-28 7700480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-24 13556256]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-24 92704]
"RtHDVCpl"="RtHDVCpl.exe" [2008-08-20 6265376]
"PSQLLauncher"="c:\program files\Protector Suite QL\launcher.exe" [2008-04-30 49928]
"MGSysCtrl"="c:\program files\System Control Manager\MGSysCtrl.exe" [2008-09-22 708608]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-09-24 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2008-2-22 2938184]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
"DisableCAD"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2008-04-30 01:43 96008 ----a-w- c:\windows\System32\psqlpwd.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 Micro Star SCM;Micro Star SCM;c:\program files\System Control Manager\MSIService.exe [2008-08-26 159744]
R3 netr28;Ralink 802.11n Wireless Driver for Windows Vista;c:\windows\system32\DRIVERS\netr28.sys [2008-05-19 380416]
R3 NETw5v32;Intel® Wireless WiFi Link Adapter Driver for Windows Vista 32 Bit ;c:\windows\system32\DRIVERS\NETw5v32.sys [2008-04-27 3658752]
R3 PKWCap;PKWCap service;c:\windows\system32\DRIVERS\PKWCap.sys [2008-04-28 995328]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [2008-01-21 16896]
S3 enecir;ENE CIR Receiver;c:\windows\system32\DRIVERS\enecir.sys [2008-04-28 54784]
.
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-14 c:\windows\Tasks\ASOService.job
- d:\games\Advanced System Optimizer 3\ASO3.exe [2011-03-14 17:33]
.
2011-03-14 c:\windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job
- c:\windows\Fmepea.exe [2011-03-14 15:29]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.msi.com.tw
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: {C345E174-3E87-4F41-A01C-B066A90A49B4} - hxxp://trial.trymicrosoftoffice.com/trialoaa/buymsoffice_assets/framework//microsoft/wrc32.ocx
FF - ProfilePath - c:\users\ToxicK\AppData\Roaming\Mozilla\Firefox\Profiles\vd6lcxjq.default\
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 50485
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{2d8d9acc-f6d7-4362-8876-a275ca929591} - (no file)
WebBrowser-{2D8D9ACC-F6D7-4362-8876-A275CA929591} - (no file)
HKCU-Run-ccleaner - c:\program files\CCleaner\CCleaner.exe
HKCU-Run-Metropolis - c:\windows\system32\sshnas21.dll
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-14 18:45
Windows 6.0.6001 Service Pack 1 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Completion time: 2011-03-14 18:47:57
ComboFix-quarantined-files.txt 2011-03-14 17:47
ComboFix2.txt 2011-01-29 19:23
.
Pre-Run: 2,587,643,904 bytes free
Post-Run: 2,641,108,992 bytes free
.
- - End Of File - - D5CCA012D60DAB8D76D48E6DA5AAF3D9


BTW: the last few days my PC seems to lag while gaming, which I didn't have before. It is not just a little bit; sometimes I just can't move or do an action for minutes, which is really annoying =D

Thank you for your time people...


--> A few seconds after I posted this a new weird site opened, so it isn't solved yet.

Edited by Toxick, 14 March 2011 - 01:25 PM.
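The log above, read the way a malware-response helper would, as an added triage example (this is not code from the post, from ComboFix or from BleepingComputer): it splits the log into its sections and runs a few heuristics over them. The checks are my own assumptions about what merits a second look, not a verdict on any file: an executable created directly in the Windows root, a GUID-named scheduled task whose target is such a file, Security Center values that suppress antivirus and firewall monitoring, an orphaned autostart entry whose target ComboFix deleted, and the Firefox proxy prefs, with the caveat that network.proxy.type 0 means a direct connection, so the loopback proxy in prefs.js is configured but not in use. The embedded LOG is a trimmed excerpt of the posted log with its section headers in English.

```python
import re

# Trimmed excerpt of the log posted above, with its Dutch section headers in English.
LOG = r"""
((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))
c:\windows\system32\sshnas21.dll
((((((((((((((((((((((( Files Created from 2011-02-14 to 2011-03-14 )))))))))))))))))))
2011-03-14 17:45 . 2011-03-14 17:45 -------- d-----w- c:\users\Public\AppData\Local\temp
2011-03-14 15:29 . 2011-03-14 15:29 137728 ----a-w- c:\windows\Fmepea.exe
2011-03-14 15:23 . 2010-07-30 17:35 17136 ----a-w- c:\windows\system32\sasnative32.exe
((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
Contents of the 'Scheduled Tasks' folder
2011-03-14 c:\windows\Tasks\ASOService.job
- d:\games\Advanced System Optimizer 3\ASO3.exe [2011-03-14 17:33]
2011-03-14 c:\windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job
- c:\windows\Fmepea.exe [2011-03-14 15:29]
------- Supplementary Scan -------
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.type - 0
- - - - ORPHANS REMOVED - - - -
HKCU-Run-ccleaner - c:\program files\CCleaner\CCleaner.exe
HKCU-Run-Metropolis - c:\windows\system32\sshnas21.dll
"""

# ComboFix section headers: ((( title ))), --- title ---, - - - - title - - - -, "Contents of ..."
HEADER_RE = re.compile(r"^(\(+.*\)+|-{3,} .* -{3,}|- - - - .* - - - -|Contents of .*)$")
FILE_RE = re.compile(r"^(\S+ \S+) \. (\S+ \S+) (\d+|-+) (\S+) (.+)$")  # created . modified size attrs path
TASK_RE = re.compile(r"^\d{4}-\d{2}-\d{2} .*\\Tasks\\(.+)\.job$")
TARGET_RE = re.compile(r"^- (.+?) \[[^\]]+\]$")
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
KEY_RE, DWORD_RE = re.compile(r"^\[([^\]]+)\]$"), re.compile(r'^"([^"]+)"=dword:([0-9a-f]{8})$', re.I)
PREF_RE = re.compile(r"^FF - prefs\.js: (network\.proxy\.\S+) - (.*)$")
OVERRIDES = {"DisableMonitoring", "AntiVirusOverride", "FirewallOverride", "UpdatesOverride"}

def section(log, title):
    """Non-blank lines of the section whose header contains `title` ('.' lines are padding)."""
    out, inside = [], False
    for line in log.splitlines():
        if HEADER_RE.match(line):
            inside = title in line
        elif inside and line.strip() not in ("", "."):
            out.append(line.rstrip())
    return out

def windows_root_executables(log):
    """Binaries created directly in the Windows root; installers rarely put files there."""
    hits = []
    for m in filter(None, map(FILE_RE.match, section(log, "Files Created"))):
        folder, _, name = m[5].lower().rpartition("\\")
        if not m[4].startswith("d") and folder == r"c:\windows" and name.endswith((".exe", ".dll", ".sys")):
            hits.append(m[5])
    return hits

def suspicious_tasks(log, flagged):
    """Scheduled tasks with a GUID-style job name or whose target is already flagged."""
    flagged, out, name = {p.lower() for p in flagged}, [], None
    for line in section(log, "Scheduled Tasks"):
        job = TASK_RE.match(line)
        if job:
            name = job[1]  # the job line comes first, its target on the following line
            continue
        target = TARGET_RE.match(line)
        if target and name:
            reasons = (["GUID-named job"] if GUID_RE.match(name) else []) + \
                      (["target is a flagged file"] if target[1].lower() in flagged else [])
            if reasons:
                out.append((name, target[1], reasons))
            name = None
    return out

def security_center_overrides(log):
    """Security Center values set to 1; these hide a missing or disabled AV/firewall from the user."""
    hits, key = [], None
    for line in section(log, "Reg Loading Points"):
        k, v = KEY_RE.match(line), DWORD_RE.match(line)
        key = k[1] if k else key
        if v and key and "security center" in key.lower() and v[1] in OVERRIDES and int(v[2], 16) == 1:
            hits.append((key, v[1]))
    return hits

def firefox_proxy(log):
    """network.proxy.type 0 is 'no proxy', so a loopback proxy is only live when the type is 1 (manual)."""
    prefs = {m[1]: m[2] for m in map(PREF_RE.match, section(log, "Supplementary Scan")) if m}
    return {"loopback_configured": prefs.get("network.proxy.http") in ("127.0.0.1", "localhost"),
            "active": prefs.get("network.proxy.type") == "1", "prefs": prefs}

def orphans_pointing_at_deleted(log):
    """Autostart entries left orphaned because ComboFix deleted their target file."""
    deleted = {p.lower() for p in section(log, "Other Deletions")}
    pairs = (l.split(" - ", 1) for l in section(log, "ORPHANS REMOVED") if " - " in l)
    return [(entry, target) for entry, target in pairs if target.lower() in deleted]

def triage(log):
    root = windows_root_executables(log)
    return {"windows_root_executables": root,
            "suspicious_tasks": suspicious_tasks(log, root),
            "security_center_overrides": security_center_overrides(log),
            "firefox_proxy": firefox_proxy(log),
            "orphans_pointing_at_deleted": orphans_pointing_at_deleted(log)}
```

Run triage() over the full log text to get the same dictionary; the Find3M and rootkit-scan sections are left alone because nothing here parses them. Every hit is a pointer for the helper to look at (submit the file, check the task's trigger, ask who set the Security Center values), not a conviction.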




#2 m0le

  • Malware Response Team
  • Location: London, UK

Posted 18 March 2011 - 08:56 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#3 m0le

  • Malware Response Team
  • Location: London, UK

Posted 23 March 2011 - 09:12 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.
m0le is a proud member of UNITE



