التقرير الاول
ComboFix 08-06-12.2 - WIN XP 3 06/15/2008 21:38:44.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1256.1.1025.18.21 [GMT 3:00]
Running from: G:\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\amvo.exe
D:\Autorun.inf
.
((((((((((((((((((((((((( Files Created from 2008-05-15 to 2008-06-15 )))))))))))))))))))))))))))))))
.
No new files created in this timespan
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-15 18:42 800 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
2008-06-15 18:42 62,752 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-06-15 18:42 1,892 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-06-15 18:42 1,148 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
2008-06-15 18:14 112,144 ----a-w C:\WINDOWS\system32\drivers\kl1.sys
2008-06-15 14:04 --------- d-----w C:\Documents and Settings\WIN XP 3\Application Data\Intel
2008-06-15 14:03 --------- d-----w C:\Program Files\Intel
2008-06-15 12:46 --------- d-----w C:\Program Files\XP TCPIP Repair
2008-05-31 14:17 131,584 ----a-w C:\WINDOWS\system32\SpoonUninstall.exe
2008-05-31 13:14 3,676,322 ----a-w C:\WINDOWS\java\Packages\ZLJZJJPB.ZIP
2008-05-02 19:55 --------- d-----w C:\Documents and Settings\WIN XP 3\Application Data\CyberScrub
2008-05-02 19:54 --------- d-----w C:\Documents and Settings\WIN XP 3\Application Data\cleaner
2008-05-02 19:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-04-27 01:50 45,056 ----a-w C:\WINDOWS\NCUNINST.EXE
.
------- Sigcheck -------
01/27/2006 08:45 PM 576512 c287c8218dac8ee3aef1fb2018064699 C:\WINDOWS\system32\user32.dll
09/12/2006 05:53 AM 663040 705a23dce4cdf6b3df8de4481250d30d C:\WINDOWS\system32\wininet.dll
05/10/2006 08:23 AM 656896 2d38385877cb32db7c3d2271d2dc84db C:\WINDOWS\system32\dllcache\wininet.dll
05/10/2006 08:25 AM 662016 4bc88c82ed023c36f906111864c16bf6 C:\WINDOWS\$hf_mig$\KB916281\SP2QFE\wininet.dll
09/12/2006 06:22 AM 2196608 e2e05ac6e25670d9a9f592e3e223b92d C:\WINDOWS\system32\ntkrnlpa.exe
09/09/2006 01:01 AM 2321024 ef63859e4fd9cb3ec31a111481f4b1b6 C:\WINDOWS\system32\ntoskrnl.exe
09/12/2006 05:12 AM 1616384 810316e2e8d32075c8b984320a6011cf C:\WINDOWS\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [01/19/2007 12:55 PM 5674352]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" [12/18/2007 12:43 AM 227856]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [08/04/2004 03:56 AM 15360]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nlsf"="cmd.exe" [09/12/2006 05:12 AM 391680 C:\WINDOWS\system32\cmd.exe]
"tscuninstall"="C:\WINDOWS\system32\tscupgrd.exe" [08/04/2004 04:59 AM 44544]
"MPlayer2_FixUp"="C:\WINDOWS\inf\unregmp2.exe" [05/10/2006 02:59 AM 180736]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^قائمة ابدأ^البرامج^بدء التشغيل^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\قائمة ابدأ\البرامج\بدء التشغيل\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^قائمة ابدأ^البرامج^بدء التشغيل^PowerMenu.lnk]
path=C:\Documents and Settings\All Users\قائمة ابدأ\البرامج\بدء التشغيل\PowerMenu.lnk
backup=C:\WINDOWS\pss\PowerMenu.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
--a------ 05/03/2005 01:43 PM 69632 C:\WINDOWS\ALCMTR.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
--a------ 08/04/2004 03:56 AM 15360 C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
--a------ 08/22/2004 05:05 PM 81920 C:\Program Files\D-Tools\daemon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DialerDetect]
--a------ 05/03/2005 05:06 PM 860160 C:\PROGRA~1\NESMA\Nesma.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 06/08/2005 05:59 AM 77824 C:\WINDOWS\system32\hkcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 05/11/2005 11:12 PM 49152 C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 06/08/2005 06:02 AM 94208 C:\WINDOWS\system32\igfxtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
--a------ 06/08/2005 06:03 AM 114688 C:\WINDOWS\system32\igfxpers.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
--a------ 08/09/2005 10:17 AM 14743552 C:\WINDOWS\RTHDCPL.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StormCodec_Helper]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 07/26/2006 03:03 AM 49263 C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
--a------ 10/08/2004 09:43 AM 688218 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
--a------ 10/08/2004 09:44 AM 98394 C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TaskSwitchXP]
--a------ 07/27/2005 10:00 PM 61952 C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YahooMessenger]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Vypress Chat\\VyChat.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Avant Browser\\avant.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
S3 UnlockerDriver4;UnlockerDriver4 Driver;C:\Program Files\Unlocker\UnlockerDriver4.sys [04/24/2005 12:08 PM]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2a6b8b52-1890-11dd-8197-0013ce7d86c7}]
\Shell\AutoRun\command - G:\d.com
\Shell\explore\Command - G:\d.com
\Shell\open\Command - G:\d.com
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
Rootkit scan 2008-06-15 21:43:09
Windows 5.1.2600 Service Pack 2 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\PROGRAM FILES\WIDCOMM\BLUETOOTH SOFTWARE\BTTRAY.EXE
C:\Program Files\Vypress Chat\VyChat.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
.
**************************************************************************
.
Completion time: 06/15/2008 21:45:16 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-15 18:44:58
Pre-Run: 27,161,378,816 bytes free
Post-Run: 27,150,303,232 bytes free
142
تقرير الهايجك
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:59:25 م, on 15/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Vypress Chat\VyChat.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\WIN XP 3\سطح المكتب\Zyzoom_HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 38,79,164,144:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [MPlayer2_FixUp] C:\WINDOWS\inf\unregmp2.exe /Fixups (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user')
O4 - Startup: Vypress Chat StartUp.lnk = ?
O4 - Global Startup: سرعة تشغيل Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: &تصدير إلى Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: ShaPlus Google Translator - res://C:\Program Files\ShaPlus Google Translator\GoogleTranslator.dll/ie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: بحث - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: C-SMS - {C1E3533C-70F6-4f36-B97C-032C8A5EE759} - C:\\c-sms.exe
O9 - Extra 'Tools' menuitem: Send an SMS using C-SMS - {C1E3533C-70F6-4f36-B97C-032C8A5EE759} - C:\\c-sms.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: ANB Direct -
O16 - DPF: {630F2610-7654-11D1-83E3-0080C71A8794} (ANB Direct) -
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
--
End of file - 5353 bytes
ComboFix 08-06-12.2 - WIN XP 3 06/15/2008 21:38:44.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1256.1.1025.18.21 [GMT 3:00]
Running from: G:\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\amvo.exe
D:\Autorun.inf
.
((((((((((((((((((((((((( Files Created from 2008-05-15 to 2008-06-15 )))))))))))))))))))))))))))))))
.
No new files created in this timespan
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-15 18:42 800 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
2008-06-15 18:42 62,752 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-06-15 18:42 1,892 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-06-15 18:42 1,148 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
2008-06-15 18:14 112,144 ----a-w C:\WINDOWS\system32\drivers\kl1.sys
2008-06-15 14:04 --------- d-----w C:\Documents and Settings\WIN XP 3\Application Data\Intel
2008-06-15 14:03 --------- d-----w C:\Program Files\Intel
2008-06-15 12:46 --------- d-----w C:\Program Files\XP TCPIP Repair
2008-05-31 14:17 131,584 ----a-w C:\WINDOWS\system32\SpoonUninstall.exe
2008-05-31 13:14 3,676,322 ----a-w C:\WINDOWS\java\Packages\ZLJZJJPB.ZIP
2008-05-02 19:55 --------- d-----w C:\Documents and Settings\WIN XP 3\Application Data\CyberScrub
2008-05-02 19:54 --------- d-----w C:\Documents and Settings\WIN XP 3\Application Data\cleaner
2008-05-02 19:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-04-27 01:50 45,056 ----a-w C:\WINDOWS\NCUNINST.EXE
.
------- Sigcheck -------
01/27/2006 08:45 PM 576512 c287c8218dac8ee3aef1fb2018064699 C:\WINDOWS\system32\user32.dll
09/12/2006 05:53 AM 663040 705a23dce4cdf6b3df8de4481250d30d C:\WINDOWS\system32\wininet.dll
05/10/2006 08:23 AM 656896 2d38385877cb32db7c3d2271d2dc84db C:\WINDOWS\system32\dllcache\wininet.dll
05/10/2006 08:25 AM 662016 4bc88c82ed023c36f906111864c16bf6 C:\WINDOWS\$hf_mig$\KB916281\SP2QFE\wininet.dll
09/12/2006 06:22 AM 2196608 e2e05ac6e25670d9a9f592e3e223b92d C:\WINDOWS\system32\ntkrnlpa.exe
09/09/2006 01:01 AM 2321024 ef63859e4fd9cb3ec31a111481f4b1b6 C:\WINDOWS\system32\ntoskrnl.exe
09/12/2006 05:12 AM 1616384 810316e2e8d32075c8b984320a6011cf C:\WINDOWS\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [01/19/2007 12:55 PM 5674352]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" [12/18/2007 12:43 AM 227856]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [08/04/2004 03:56 AM 15360]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nlsf"="cmd.exe" [09/12/2006 05:12 AM 391680 C:\WINDOWS\system32\cmd.exe]
"tscuninstall"="C:\WINDOWS\system32\tscupgrd.exe" [08/04/2004 04:59 AM 44544]
"MPlayer2_FixUp"="C:\WINDOWS\inf\unregmp2.exe" [05/10/2006 02:59 AM 180736]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^قائمة ابدأ^البرامج^بدء التشغيل^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\قائمة ابدأ\البرامج\بدء التشغيل\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^قائمة ابدأ^البرامج^بدء التشغيل^PowerMenu.lnk]
path=C:\Documents and Settings\All Users\قائمة ابدأ\البرامج\بدء التشغيل\PowerMenu.lnk
backup=C:\WINDOWS\pss\PowerMenu.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
--a------ 05/03/2005 01:43 PM 69632 C:\WINDOWS\ALCMTR.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
--a------ 08/04/2004 03:56 AM 15360 C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
--a------ 08/22/2004 05:05 PM 81920 C:\Program Files\D-Tools\daemon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DialerDetect]
--a------ 05/03/2005 05:06 PM 860160 C:\PROGRA~1\NESMA\Nesma.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 06/08/2005 05:59 AM 77824 C:\WINDOWS\system32\hkcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 05/11/2005 11:12 PM 49152 C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 06/08/2005 06:02 AM 94208 C:\WINDOWS\system32\igfxtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
--a------ 06/08/2005 06:03 AM 114688 C:\WINDOWS\system32\igfxpers.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
--a------ 08/09/2005 10:17 AM 14743552 C:\WINDOWS\RTHDCPL.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StormCodec_Helper]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 07/26/2006 03:03 AM 49263 C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
--a------ 10/08/2004 09:43 AM 688218 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
--a------ 10/08/2004 09:44 AM 98394 C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TaskSwitchXP]
--a------ 07/27/2005 10:00 PM 61952 C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YahooMessenger]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Vypress Chat\\VyChat.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Avant Browser\\avant.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
S3 UnlockerDriver4;UnlockerDriver4 Driver;C:\Program Files\Unlocker\UnlockerDriver4.sys [04/24/2005 12:08 PM]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2a6b8b52-1890-11dd-8197-0013ce7d86c7}]
\Shell\AutoRun\command - G:\d.com
\Shell\explore\Command - G:\d.com
\Shell\open\Command - G:\d.com
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
يجب عليك
تسجيل الدخول
او
تسجيل لمشاهدة الرابط المخفي
Rootkit scan 2008-06-15 21:43:09
Windows 5.1.2600 Service Pack 2 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\PROGRAM FILES\WIDCOMM\BLUETOOTH SOFTWARE\BTTRAY.EXE
C:\Program Files\Vypress Chat\VyChat.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
.
**************************************************************************
.
Completion time: 06/15/2008 21:45:16 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-15 18:44:58
Pre-Run: 27,161,378,816 bytes free
Post-Run: 27,150,303,232 bytes free
142
تقرير الهايجك
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:59:25 م, on 15/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Vypress Chat\VyChat.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\WIN XP 3\سطح المكتب\Zyzoom_HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
يجب عليك
تسجيل الدخول
او
تسجيل لمشاهدة الرابط المخفي
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
يجب عليك
تسجيل الدخول
او
تسجيل لمشاهدة الرابط المخفي
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
يجب عليك
تسجيل الدخول
او
تسجيل لمشاهدة الرابط المخفي
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 38,79,164,144:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [MPlayer2_FixUp] C:\WINDOWS\inf\unregmp2.exe /Fixups (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user')
O4 - Startup: Vypress Chat StartUp.lnk = ?
O4 - Global Startup: سرعة تشغيل Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: &تصدير إلى Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: ShaPlus Google Translator - res://C:\Program Files\ShaPlus Google Translator\GoogleTranslator.dll/ie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: بحث - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: C-SMS - {C1E3533C-70F6-4f36-B97C-032C8A5EE759} - C:\\c-sms.exe
O9 - Extra 'Tools' menuitem: Send an SMS using C-SMS - {C1E3533C-70F6-4f36-B97C-032C8A5EE759} - C:\\c-sms.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: ANB Direct -
يجب عليك
تسجيل الدخول
او
تسجيل لمشاهدة الرابط المخفي
O16 - DPF: {630F2610-7654-11D1-83E3-0080C71A8794} (ANB Direct) -
يجب عليك
تسجيل الدخول
او
تسجيل لمشاهدة الرابط المخفي
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
--
End of file - 5353 bytes
