Istirahat Zayed Forum


محروم.كوم 06-04-2009 01:40 AM

This is the report from ComboFix, and we would like you to explain it, may God give you good health
 

ComboFix 09-05-31.06 - pc 06/03/2009 17:05.1 - FAT32x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1256.966.1033.18.240.128 [GMT 3:00]
Running from: c:\documents and settings\pc\My Documents\Downloads\ComboFix.exe
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\IE4 Error Log.txt
c:\windows\system\oeminfo.ini
c:\windows\system32\drivers\npf.sys
c:\windows\system32\Packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\tmp.reg
c:\windows\system32\WanPacket.dll
c:\windows\system32\wpcap.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2009-05-03 to 2009-06-03 )))))))))))))))))))))))))))))))
.

2009-05-27 21:54 . 2009-05-27 21:54 -------- d-----w- c:\documents and settings\pc\Application Data\Xilisoft Corporation
2009-05-27 21:50 . 2009-05-27 21:50 -------- d-----w- c:\program files\Xilisoft
2009-05-22 19:25 . 2009-05-22 19:25 -------- d-----w- c:\documents and settings\pc\Local Settings\Application Data\Xenocode
2009-05-22 00:10 . 2009-05-22 00:10 -------- d-----w- c:\program files\VeryPDF PDF2Word v3.0
2009-05-18 22:36 . 2009-05-18 22:36 -------- d-----w- c:\program files\VerbAce Research
2009-05-18 21:54 . 2009-05-18 21:54 198064 ----a-w- c:\documents and settings\pc\Application Data\IDM\idmmzcc3\components\idmmzcc.dll
2009-05-18 21:54 . 2009-05-18 21:54 -------- d-----w- c:\documents and settings\pc\Application Data\IDM
2009-05-18 21:53 . 2009-05-18 21:53 -------- d-----w- c:\documents and settings\pc\Application Data\DMCache
2009-05-18 21:51 . 2009-05-18 21:51 -------- d-----w- c:\program files\Internet Download Manager
2009-05-18 21:17 . 2009-05-18 21:17 -------- d-----w- c:\program files\WinASO
2009-05-15 00:08 . 2009-05-15 00:08 -------- d-----w- c:\documents and settings\pc\Local Settings\Application Data\PassMark
2009-05-15 00:06 . 2008-07-12 05:18 467984 ----a-w- c:\windows\system32\d3dx10_39.dll
2009-05-15 00:06 . 2008-07-12 05:18 1493528 ----a-w- c:\windows\system32\D3DCompiler_39.dll
2009-05-15 00:06 . 2008-07-12 05:18 3851784 ----a-w- c:\windows\system32\D3DX9_39.dll
2009-05-15 00:06 . 2006-09-28 13:05 2414360 ----a-w- c:\windows\system32\d3dx9_31.dll
2009-05-15 00:05 . 2009-05-15 00:05 -------- d-----w- c:\windows\Logs
2009-05-15 00:05 . 2009-05-15 00:05 -------- d-----w- c:\documents and settings\All Users\Application Data\PassMark
2009-05-15 00:04 . 2009-05-15 00:04 -------- d-----w- c:\program files\PerformanceTest
2009-05-13 15:58 . 2009-05-13 15:58 -------- d-----w- c:\documents and settings\pc\Application Data\Media Player Classic
2009-05-13 09:24 . 2009-05-13 09:24 -------- d-----w- c:\windows\Muslim Bag
2009-05-13 09:24 . 2009-05-13 09:24 -------- d-----w- c:\program files\Muslim Bag
2009-05-13 09:21 . 2009-05-13 09:21 -------- d-----w- c:\program files\Real Alternative
2009-05-13 09:21 . 2009-05-13 09:21 -------- d-----w- c:\documents and settings\pc\Local Settings\Application Data\Real
2009-05-11 19:14 . 2009-05-11 19:14 -------- d-----w- c:\windows\A4W_DATA
2009-05-11 19:11 . 2004-04-27 08:18 110592 ----a-w- c:\windows\system32\tsccvid.dll
2009-05-10 20:56 . 2009-05-10 20:56 -------- d-----w- c:\program files\Common Files\DistributeShield
2009-05-10 20:56 . 2009-05-10 20:56 -------- d-----w- C:\DVDneXtCOPY
2009-05-10 20:56 . 2009-05-10 20:56 -------- d-----w- c:\program files\DVDneXtCOPY 3
2009-05-10 20:12 . 2009-05-10 20:12 -------- d-----w- c:\program files\USB Disk Security
2009-05-08 21:57 . 2009-05-08 21:57 28928 ----a-w- c:\windows\system32\drivers\tifsfilt.sys
2009-05-08 21:57 . 2009-05-08 21:57 212288 ----a-w- c:\windows\system32\drivers\timntr.sys
2009-05-08 21:56 . 2009-05-08 21:56 82464 ----a-w- c:\windows\system32\drivers\snapman.sys
2009-05-08 21:55 . 2009-05-08 21:55 -------- d-----w- c:\program files\Acronis
2009-05-08 21:55 . 2009-05-08 21:55 -------- d-----w- c:\program files\Common Files\Acronis
2009-05-07 07:42 . 2009-03-26 15:35 210352 ----a-w- c:\windows\system32\idmmbc.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-03 13:59 . 2008-06-25 23:18 40992 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-06-03 13:59 . 2008-06-25 23:18 2268 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-06-03 13:59 . 2008-06-25 23:18 4508 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-06-03 13:59 . 2008-06-25 23:18 304672 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-06-03 13:58 . 2007-12-16 09:31 12 ----a-w- c:\windows\bthservsdp.dat
2009-05-27 21:55 . 2007-12-16 21:03 114384 ----a-w- c:\documents and settings\pc\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-20 12:45 . 2008-06-25 23:19 94643 ----a-w- c:\windows\system32\drivers\klick.dat
2009-05-20 12:45 . 2008-06-25 23:19 105395 ----a-w- c:\windows\system32\drivers\klin.dat
2009-04-23 20:36 . 2009-04-23 20:36 -------- d-----w- c:\documents and settings\pc\Application Data\ACD Systems
2009-04-23 20:31 . 2009-04-23 20:31 -------- d-----w- c:\documents and settings\All Users\Application Data\ACD Systems
2009-04-23 20:29 . 2009-04-23 20:29 -------- d-----w- c:\program files\ACD Systems
2009-04-23 20:29 . 2009-04-23 20:29 -------- d-----w- c:\program files\Common Files\ACD Systems
2009-04-16 06:56 . 2009-04-16 06:56 -------- d-----w- c:\program files\Microsoft
2009-04-16 06:55 . 2009-04-16 06:55 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-04-15 07:56 . 2009-04-15 07:55 -------- d-----w- c:\documents and settings\All Users\Application Data\TEMP
2009-04-15 07:54 . 2009-04-15 07:54 -------- d-----w- c:\program files\PDF to Word
2009-03-15 01:25 . 2008-07-18 01:40 861448 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP8\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav8exec\8.0.0.3 57\Updater.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\pc\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-11-06 133104]
"IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [2009-05-07 2807216]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"USB Antivirus"="c:\program files\USB Disk Security\USBGuard.exe" [2008-09-23 798720]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe" [2009-02-10 201992]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]
"PcSync"="c:\program files\Samsung\Samsung PC Studio 7\PcSync2.exe" [2006-06-27 1449984]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
ASUS Hotkey.lnk - c:\program files\Asus\Asus Hotkey\Hotkey.exe [2007-12-17 543744]
VerbAce-Pro Startup Agent.lnk - c:\program files\VerbAce Research\VerbAce-Pro\VerbAce-Pro.exe [2009-5-19 606208]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau relog_ap

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\procexp90.Sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ASUS ChkMail.lnk]
backup=c:\windows\pss\ASUS ChkMail.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ASUS Hotkey.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\ASUS Hotkey.lnk
backup=c:\windows\pss\ASUS Hotkey.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^pc^Start Menu^Programs^Startup^CaptureWiz.lnk]
backup=c:\windows\pss\CaptureWiz.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DownloadAccelerator
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Power_Gear
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickPhrase
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mobily Connect Card\\Mobily Connect Card.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R3 br3gmdm;BandLuxe 3.5G HSDPA Adapter - USB;c:\windows\system32\DRIVERS\br3gmdm.sys [2008-03-14 100096]
R3 nmwcdsa;Samsung USB Phone Parent;c:\windows\system32\drivers\nmwcdsa.sys [2007-05-02 135680]
R3 nmwcdsac;Samsung USB Generic;c:\windows\system32\drivers\nmwcdsac.sys [2007-05-02 8320]
R3 nmwcdsacj;Samsung USB Port;c:\windows\system32\drivers\nmwcdsacj.sys [2007-05-02 12288]
R3 nmwcdsacm;Samsung USB Modem;c:\windows\system32\drivers\nmwcdsacm.sys [2007-05-02 12288]
S0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2009-02-10 33808]
S2 BandLuxe_Service;BandLuxe Service;c:\program files\BandRich\BandLuxe HSDPA Utility R11\BRService.exe [2008-06-03 87264]
S3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\DRIVERS\klim5.sys [2008-03-25 24592]
S3 SiS7012;Service for AC'97 Sample Driver (WDM);c:\windows\system32\drivers\sis7012.sys [2002-08-23 177280]


--- Other Services/Drivers In Memory ---

*Deregistered* - AcrSch2Svc
*Deregistered* - AFD
*Deregistered* - ALG
*Deregistered* - Arp1394
*Deregistered* - AudioSrv
*Deregistered* - audstub
*Deregistered* - AVP
*Deregistered* - BandLuxe_Service
*Deregistered* - Beep
*Deregistered* - BITS
*Deregistered* - Browser
*Deregistered* - BthServ
*Deregistered* - Cdfs
*Deregistered* - Compbatt
*Deregistered* - CryptSvc
*Deregistered* - DcomLaunch
*Deregistered* - Dhcp
*Deregistered* - dmio
*Deregistered* - dmload
*Deregistered* - dmserver
*Deregistered* - ERSvc
*Deregistered* - EventSystem
*Deregistered* - Fastfat
*Deregistered* - FastUserSwitchingCompatibility
*Deregistered* - Fips
*Deregistered* - FltMgr
*Deregistered* - Ftdisk
*Deregistered* - Gpc
*Deregistered* - helpsvc
*Deregistered* - HTTP
*Deregistered* - ImapiService
*Deregistered* - IpFilterDriver
*Deregistered* - IpNat
*Deregistered* - IPSec
*Deregistered* - irda
*Deregistered* - Irmon
*Deregistered* - JavaQuickStarterService
*Deregistered* - kl1
*Deregistered* - klbg
*Deregistered* - KLIF
*Deregistered* - klim5
*Deregistered* - KSecDD
*Deregistered* - lanmanserver
*Deregistered* - lanmanworkstation
*Deregistered* - LmHosts
*Deregistered* - mnmdd
*Deregistered* - MountMgr
*Deregistered* - MRxDAV
*Deregistered* - MRxSmb
*Deregistered* - Msfs
*Deregistered* - mssmbios
*Deregistered* - Mup
*Deregistered* - NDIS
*Deregistered* - NdisTapi
*Deregistered* - Ndisuio
*Deregistered* - NdisWan
*Deregistered* - NDProxy
*Deregistered* - NetBIOS
*Deregistered* - NetBT
*Deregistered* - Netman
*Deregistered* - Nla
*Deregistered* - Npfs
*Deregistered* - Null
*Deregistered* - NWCWorkstation
*Deregistered* - NwlnkIpx
*Deregistered* - NwlnkNb
*Deregistered* - NwlnkSpx
*Deregistered* - NWRDR
*Deregistered* - PartMgr
*Deregistered* - ParVdm
*Deregistered* - Pml Driver HPZ12
*Deregistered* - PolicyAgent
*Deregistered* - PptpMiniport
*Deregistered* - ProtectedStorage
*Deregistered* - PSched
*Deregistered* - RasAcd
*Deregistered* - Rasirda
*Deregistered* - Rasl2tp
*Deregistered* - RasMan
*Deregistered* - RasPppoe
*Deregistered* - Raspti
*Deregistered* - Rdbss
*Deregistered* - RDPCDD
*Deregistered* - rdpdr
*Deregistered* - RemoteRegistry
*Deregistered* - RpcSs
*Deregistered* - SamSs
*Deregistered* - Schedule
*Deregistered* - seclogon
*Deregistered* - SENS
*Deregistered* - SharedAccess
*Deregistered* - ShellHWDetection
*Deregistered* - Spooler
*Deregistered* - sr
*Deregistered* - srservice
*Deregistered* - Srv
*Deregistered* - SSDPSRV
*Deregistered* - stisvc
*Deregistered* - swenum
*Deregistered* - TapiSrv
*Deregistered* - Tcpip
*Deregistered* - TermDD
*Deregistered* - TermService
*Deregistered* - Themes
*Deregistered* - tifsfilter
*Deregistered* - timounter
*Deregistered* - TrkWks
*Deregistered* - Update
*Deregistered* - VgaSave
*Deregistered* - Vmodem
*Deregistered* - VolSnap
*Deregistered* - Vpctcom
*Deregistered* - Vvoice
*Deregistered* - W32Time
*Deregistered* - Wanarp
*Deregistered* - WebClient
*Deregistered* - winmgmt
*Deregistered* - wscsvc
*Deregistered* - wuauserv
*Deregistered* - WZCSVC
.
Contents of the 'Scheduled Tasks' folder

2009-05-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 09:34]

2009-06-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-9318785-596333656-765479376-1005.job
- c:\documents and settings\pc\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-06 00:36]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.thegulfbiz.com/vb/forumdisplay.php?f=5
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: ShaPlus Google Translator - c:\program files\ShaPlus Google Translator\GoogleTranslator.dll/ie.htm
IE: تحميل الكل بواسطة Internet Download Manager - c:\program files\Internet Download Manager\IEGetAll.htm
IE: تحميل بواسطة Internet Download Manager - c:\program files\Internet Download Manager\IEExt.htm
IE: تحميل محتوى FLV بواسطة Internet Download Manager - c:\program files\Internet Download Manager\IEGetVL.htm
DPF: DirectAnimation Java Classes
DPF: Microsoft XML Parser for Java
.
.
------- File Associations -------
.
txtfile=c:\windows\notepad.exe %1
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-03 17:19
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-9318785-596333656-765479376-1005\RemoteAccess\Profile\x *]
"EnableAutodisconnect"=dword:00000001
"EnableExitDisconnect"=dword:00000001
"DisconnectIdleTime"=dword:00000014

[HKEY_USERS\S-1-5-21-9318785-596333656-765479376-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*a]
@Class="Shell"

[HKEY_USERS\S-1-5-21-9318785-596333656-765479376-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*a\OpenWithList]
@Class="Shell"
"a"="realplay.exe"
"MRUList"="a"

[HKEY_USERS\S-1-5-21-9318785-596333656-765479376-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*a\OpenWithProgids]
"1_auto_file"=hex(0):

[HKEY_USERS\S-1-5-21-9318785-596333656-765479376-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.*a]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"0"=hex:48,06,31,06,39,06,20,00,61,06,62,06,33 ,06, 46,06,29,06,2e,00,61,06,00,
00,5c,00,36,00,00,00,00,00,00,00,00,00,00,00,48,06 ,31,06,39,06,20,00,61,06,\
"MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff

[HKEY_LOCAL_MACHINE\software\Classes\.*a]
@="1_auto_file"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(928)
c:\windows\system32\klogon.dll

- - - - - - - > 'lsass.exe'(992)
c:\windows\system32\relog_ap.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\MICROS~3\rapimgr.exe
.
**************************************************************************
.
Completion time: 2009-06-03 17:30 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-03 14:30

Pre-Run: 16,173,694,976 bytes free
Post-Run: 16,234,545,152 bytes free

355 --- E O F --- 2008-07-09 14:42


