Malwarebytes:
Malwarebytes Anti-Malware (Prooviversioon) 1.60.1.1000
www.malwarebytes.org
Andmebaasi versioon: v2012.03.11.12
Windows XP Service Pack 2 x86 NTFS
Internet Explorer 6.0.2900.2180
Kasutaja :: PC256011462664 [limiteeritud]
Püsikaitse: Lubatud
11/03/2012 23:59:22
mbam-log-2012-03-11 (23-59-22).txt
Kontrolli tüüp: Täielik kontroll
Lubatud kontrollimise valikud: Mälu | Alglaadimine | Register | Failisüsteem | Heuristika/Ekstra | Heuristika/Shuriken | PUP | PUM
Väljalülitatud kontrollimise valikud: P2P
Kontrollitud objekte: 512013
Kulunud aeg: 3 tundi, 59 minutit, 37 sekundit
Tuvastatud mälu objekte: 0
(Pahavara ei tuvastatud)
Tuvastatud mälu mooduleid: 0
(Pahavara ei tuvastatud)
Tuvastatud registrivõtmeid: 0
(Pahavara ei tuvastatud)
Tuvastatud registri väärtusi: 0
(Pahavara ei tuvastatud)
Tuvastatud registriandmeid: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|StartMenuLogoff (PUM.Hijack.StartMenu) -> Halb: (1) Hea: (0) -> Paigutati karantiini ja parandati edukalt.
Tuvastatud kaustu: 0
(Pahavara ei tuvastatud)
Tuvastatud faile: 15
C:\Documents and Settings\Kasutaja\Application Data\Sun\Java\Deployment\cache\6.0\31\29e2c95f-42e371e9 (Trojan.FakeMS) -> Paigutati karantiini ja kustutati edukalt.
C:\Documents and Settings\Kasutaja\Application Data\Sun\Java\Deployment\cache\6.0\8\7b125688-160f2c0f (Trojan.FakeMS) -> Paigutati karantiini ja kustutati edukalt.
C:\Documents and Settings\Kasutaja\Local Settings\Application Data\20529a01\X (Rootkit.0Access) -> Paigutati karantiini ja kustutati edukalt.
C:\Documents and Settings\Kasutaja\Local Settings\Temp\jag10307.exe (Trojan.FakeMS) -> Paigutati karantiini ja kustutati edukalt.
C:\Documents and Settings\Kasutaja\Local Settings\Temp\13.tmp (Trojan.UMadBro) -> Paigutati karantiini ja kustutati edukalt.
C:\Documents and Settings\Kasutaja\Local Settings\Temp\fsa418200.exe (Trojan.FakeMS) -> Paigutati karantiini ja kustutati edukalt.
C:\Documents and Settings\Kasutaja\Local Settings\Temp\~!#11.tmp (Trojan.UMadBro) -> Paigutati karantiini ja kustutati edukalt.
C:\Documents and Settings\Kasutaja\My Documents\Downloads\ESET NOD32 Key Finder Uninstaller.exe (Trojan.Agent.CK) -> Paigutati karantiini ja kustutati edukalt.
C:\Documents and Settings\Kasutaja\Favorites\Antivirus Scan.url (Rogue.Link) -> Paigutati karantiini ja kustutati edukalt.
C:\Documents and Settings\Kasutaja\My Documents\My Music\My Music.url (Trojan.Zlob) -> Paigutati karantiini ja kustutati edukalt.
C:\Documents and Settings\Kasutaja\My Documents\My Pictures\My Pictures.url (Trojan.Zlob) -> Paigutati karantiini ja kustutati edukalt.
C:\Documents and Settings\Kasutaja\My Documents\My Videos\My Video.url (Trojan.Zlob) -> Paigutati karantiini ja kustutati edukalt.
C:\Documents and Settings\All Users\Start Menu\Antivirus Scan.url (Trojan.Zlob) -> Paigutati karantiini ja kustutati edukalt.
C:\Documents and Settings\All Users\Start Menu\Online Antispyware Test.url (Trojan.Zlob) -> Paigutati karantiini ja kustutati edukalt.
C:\Documents and Settings\Kasutaja\Local Settings\Temp\{E9C1E1AC-C9B2-4c85-94DE-9C1518918D02}.tlb (Rootkit.Zeroaccess) -> Paigutati karantiini ja kustutati edukalt.
(lõpp)
Combofix:
ComboFix 12-03-11.01 - Kasutaja 11/03/2012 23:36:04.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.1022.731 [GMT 2:00]
Running from: c:\documents and settings\Kasutaja.PC256011462664\Desktop\ComboFix.exe
AV: Norton Internet Security 2006 *Enabled/Outdated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security 2006 *Enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
FW: Norton Internet Worm Protection *Disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\isecurity.exe
c:\program files\Applications\myd.ico
c:\program files\Applications\mym.ico
c:\program files\Applications\myp.ico
c:\program files\Applications\myv.ico
c:\program files\Applications\ot.ico
c:\program files\Applications\ts.ico
C:\Thumbs.db
c:\windows\$NtUninstallKB17836$
c:\windows\$NtUninstallKB17836$\2726800942
c:\windows\$NtUninstallKB17836$\542284289\@
c:\windows\$NtUninstallKB17836$\542284289\L\trbssmgb
c:\windows\$NtUninstallKB17836$\542284289\loader.tlb
c:\windows\$NtUninstallKB17836$\542284289\U\@00000001
c:\windows\$NtUninstallKB17836$\542284289\U\@000000c0
c:\windows\$NtUninstallKB17836$\542284289\U\@000000cb
c:\windows\$NtUninstallKB17836$\542284289\U\@000000cf
c:\windows\$NtUninstallKB17836$\542284289\U\@80000000
c:\windows\$NtUninstallKB17836$\542284289\U\@800000c0
c:\windows\$NtUninstallKB17836$\542284289\U\@800000cb
c:\windows\$NtUninstallKB17836$\542284289\U\@800000cf
c:\windows\assembly\GAC_MSIL\desktop.ini
D:\Autorun.inf
.
.
((((((((((((((((((((((((( Files Created from 2012-02-11 to 2012-03-11 )))))))))))))))))))))))))))))))
.
.
2012-03-11 19:52 . 2012-03-11 19:52 -------- d-----w- c:\documents and settings\Kasutaja.PC256011462664
2012-03-11 19:46 . 2001-08-17 13:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2012-03-11 19:46 . 2001-08-17 14:02 9600 ----a-w- c:\windows\system32\drivers\hidusb.sys
2012-03-11 19:20 . 2012-03-11 19:20 -------- d-----w- c:\windows\system32\LogFiles
2012-02-27 17:11 . 2012-02-27 17:11 -------- d-----w- c:\program files\Common Files\Skype
2012-02-21 21:50 . 2012-02-21 21:50 -------- d-----w- c:\program files\Common Files\Microsoft Games
2012-02-18 23:53 . 2012-02-18 23:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Age of Empires 3
2012-02-18 23:11 . 2012-02-18 23:11 -------- d-----w- c:\program files\Microsoft Games
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-20 21:15 . 2011-12-26 14:51 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-04 458752]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-11 36975]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-07-20 7581696]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-07-20 86016]
"nwiz"="nwiz.exe" [2006-07-20 1519616]
"MsmqIntCert"="mqrt.dll" [2006-03-16 177152]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-06-02 61952]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-09-17 52848]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-06-17 794713]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2006-07-19 102400]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-16 49152]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-06-19 163840]
"Cpqset"="c:\program files\Hewlett-Packard\Default Settings\cpqset.exe" [2006-06-19 40960]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"Reminder"="c:\windows\CREATOR\Remind_XP.exe" [2006-02-09 643072]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2006-03-16 15360]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
HP Pavilion Webcam Tray Icon.lnk - c:\program files\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe [2008-10-1 102400]
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-9-24 73728]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 14:57]
.
2012-03-11 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2012-02-08 17:33]
.
2012-03-11 c:\windows\Tasks\Norton AntiVirus - Run Full System Scan - Kasutaja.job
- c:\progra~1\NORTON~1\NORTON~1\Navw32.exe [2005-10-07 10:13]
.
2012-03-11 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2006-09-14 13:21]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.hp.com
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2012-03-11 23:49
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\Hewlett-Packard\Default Settings\cpqset.exe????????????L?@? ???8U??????`?@?????L?@
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(832)
c:\windows\system32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\ccProxy.exe
c:\program files\Common Files\Symantec Shared\SNDSrvc.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\windows\system32\msdtc.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
c:\program files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
c:\windows\system32\nvsvc32.exe
c:\windows\system32\mqsvc.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\system32\mqtgsvc.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\dllhost.exe
c:\windows\eHome\ehmsas.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
c:\program files\Messenger\msmsgs.exe
.
**************************************************************************
.
Completion time: 2012-03-11 23:55:24 - machine was rebooted
ComboFix-quarantined-files.txt 2012-03-11 21:55
.
Pre-Run: 12,589,936,640 bytes free
Post-Run: 12,557,193,216 bytes free
.
- - End Of File - - AA2945C8370C5F1A34AC1E8DEAC6DA94