*********** HijackThis Report ***********
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:59:10 م, on 13/11/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure\Common\FSMA32.EXE
C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\CyberLink\PowerDVD9\PDVD9Serv.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Documents and Settings\home\My Documents\Test Firwall.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\home\My Documents\Downloads\StartUp.exe
C:\Program Files\F-Secure\Common\FSLAUNCH.EXE
C:\WINDOWS\system32\notepad.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\home\LOCALS~1\Temp\Rar$EX00.297\Zyzoom_Report_Tool.exe
C:\DOCUME~1\home\LOCALS~1\Temp\Ht.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - URLSearchHook: (no name) - {d8fb4583-db9d-4c7b-85be-294c13a3e5c4} - (no file)
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: LitmusBHO - {C6867EB7-8350-4856-877F-93CF8AE3DC9C} - C:\Program Files\F-Secure\NRS\iescript\baselitmus.dll
O2 - BHO: WOT Helper - {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} - C:\Program Files\WOT\WOT.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [RemoteControl9] "C:\Program Files\CyberLink\PowerDVD9\PDVD9Serv.exe"
O4 - HKLM\..\Run: [PDVD9LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD9\Language\Language.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{A05A2978-6710-4456-8BEB-48F6D0B2F754}: NameServer = 192.168.17.1
O18 - Protocol: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - C:\Program Files\WOT\WOT.dll
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE
O23 - Service: F-Secure ORSP Client (FSORSPClient) - F-Secure Corporation - C:\Program Files\F-Secure\ORSP Client\fsorsp.exe
O23 - Service: خدمة تحديث Google (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
--
End of file - 5336 bytes
*********** Silent Runners (System Logger) Report ***********
"Silent Runners.vbs", revision 60,
Operating System: Windows XP SP3
Search enabled of all directories on local fixed drives for DESKTOP.INI
DLL launch points
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"Yahoo! Pager" = ""C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet" ["Yahoo! Inc."]
"msnmsgr" = ""C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background" [MS]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"RTHDCPL" = "RTHDCPL.EXE" ["Realtek Semiconductor Corp."]
"IgfxTray" = "C:\WINDOWS\system32\igfxtray.exe" ["Intel Corporation"]
"HotKeysCmds" = "C:\WINDOWS\system32\hkcmd.exe" ["Intel Corporation"]
"Persistence" = "C:\WINDOWS\system32\igfxpers.exe" ["Intel Corporation"]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"RemoteControl9" = ""C:\Program Files\CyberLink\PowerDVD9\PDVD9Serv.exe"" ["CyberLink Corp."]
"PDVD9LanguageShortcut" = ""C:\Program Files\CyberLink\PowerDVD9\Language\Language.exe"" ["CyberLink Corp."]
"BluetoothAuthenticationAgent" = "rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent" [MS]
"F-Secure Manager" = ""C:\Program Files\F-Secure\Common\FSM32.EXE" /splash" ["F-Secure Corporation"]
"F-Secure TNB" = ""C:\Program Files\F-Secure\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW" ["F-Secure Corporation"]
"KernelFaultCheck" = "C:\WINDOWS\system32\dumprep 0 -k"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEHlprObj Class"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx" [empty string]
{3049C3E9-B461-4BC5-8870-4C09146192CA}\(Default) = (no title provided)
-> {HKLM...CLSID} = "RealPlayer Download and Record Plugin for Internet Explorer"
\InProcServer32\(Default) = "C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll" ["RealPlayer"]
{9030D464-4C02-4ABF-8ECC-5164760863C6}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Windows Live Sign-in Helper"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll" [MS]
{C6867EB7-8350-4856-877F-93CF8AE3DC9C}\(Default) = "LitmusBHO"
-> {HKLM...CLSID} = "Browsing Protection Class"
\InProcServer32\(Default) = "C:\Program Files\F-Secure\NRS\iescript\baselitmus.dll" ["F-Secure Corporation"]
{C920E44A-7F78-4E64-BDD7-A57026E7FEB7}\(Default) = (no title provided)
-> {HKLM...CLSID} = "WOT Helper"
\InProcServer32\(Default) = "C:\Program Files\WOT\WOT.dll" ["WOT Services Oy"]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" ["Alexander Roshal"]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Office12\OLKFSTUB.DLL" [MS]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {HKLM...CLSID} = "Microsoft Office Outlook"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Office12\MLSHEXT.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\msohevi.dll" [MS]
"{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" = "Microsoft Office Metadata Handler"
-> {HKLM...CLSID} = "Microsoft Office Metadata Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" = "Microsoft Office Thumbnail Handler"
-> {HKLM...CLSID} = "Microsoft Office Thumbnail Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{0563DB41-F538-4B37-A92D-4659049B7766}" = "WLMD Message Handler"
-> {HKLM...CLSID} = "CLSID_WLMCMimeFilter"
\InProcServer32\(Default) = "C:\Program Files\Windows Live\Mail\mailcomm.dll" [MS]
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\
<<!>> "Notification Packages" = ""|"scecli"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> igfxcui\DLLName = "igfxdev.dll" ["Intel Corporation"]
HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807563E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = "Microsoft Office InfoPath XML Mime Filter"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL" [MS]
HKLM\SOFTWARE\Classes\PROTOCOLS\Handler\
<<!>> livecall\CLSID = "{828030A1-22C1-4009-854F-8E305202313F}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL" [MS]
<<!>> ms-help\CLSID = "{314111c7-a502-11d2-bbca-00c04f8ec294}"
-> {HKLM...CLSID} = "HxProtocol Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll" [MS]
<<!>> msnim\CLSID = "{828030A1-22C1-4009-854F-8E305202313F}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL" [MS]
<<!>> wlmailhtml\CLSID = "{03C514A3-1EFB-4856-9F99-10D7BE1653C0}"
-> {HKLM...CLSID} = "Windows Live Mail HTML Asynchronous Pluggable Protocol Handler"
\InProcServer32\(Default) = "C:\Program Files\Windows Live\Mail\mailcomm.dll" [MS]
<<!>> wot\CLSID = "{C2A44D6B-CB9F-4663-88A6-DF2F26E4D952}"
-> {HKLM...CLSID} = "WOT Protocol"
\InProcServer32\(Default) = "C:\Program Files\WOT\WOT.dll" ["WOT Services Oy"]
HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" ["Alexander Roshal"]
{23814B80-52A2-11d0-BC1A-004095606CB9}\(Default) = "F-Secure"
-> {HKLM...CLSID} = "FSAV Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\F-Secure\Common\fpshx.dll" ["F-Secure Corporation"]
HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
-> {HKLM...CLSID} = "MBAMShlExt Class"
\InProcServer32\(Default) = "C:\Documents and Settings\home\Local Settings\Temp\zxq1\mbamext.dll" [file not found]
HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" ["Alexander Roshal"]
HKLM\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" ["Alexander Roshal"]
HKLM\SOFTWARE\Classes\Directory\Background\shellex\ContextMenuHandlers\
igfxcui\(Default) = "{3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4}"
-> {HKLM...CLSID} = "GraphicsShellExt Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\igfxpph.dll" ["Intel Corporation"]
HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
-> {HKLM...CLSID} = "MBAMShlExt Class"
\InProcServer32\(Default) = "C:\Documents and Settings\home\Local Settings\Temp\zxq1\mbamext.dll" [file not found]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" ["Alexander Roshal"]
{23814B80-52A2-11d0-BC1A-004095606CB9}\(Default) = "F-Secure"
-> {HKLM...CLSID} = "FSAV Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\F-Secure\Common\fpshx.dll" ["F-Secure Corporation"]
HKLM\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" ["Alexander Roshal"]
Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------
Note: detected settings may not have any effect.
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
"ClearRecentDocsOnExit" = (REG_DWORD) dword:0x00000001
{unrecognized setting}
Active Desktop and Wallpaper:
-----------------------------
Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"
Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\home\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"
Enabled Screen Saver:
---------------------
HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\system32\logon.scr" [MS]
Windows Portable Device AutoPlay Handlers
-----------------------------------------
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\
PDVD9PlayCDAudioOnArrival\
"Provider" = "PowerDVD 9"
"InvokeProgID" = "AudioCD"
"InvokeVerb" = "PlayWithPowerDVD9"
HKLM\SOFTWARE\Classes\AudioCD\shell\PlayWithPowerDVD9\Command\(Default) = ""C:\Program Files\CyberLink\PowerDVD9\PowerDVD9.exe" "%L"" ["CyberLink Corp."]
PDVD9PlayDVDMovieOnArrival\
"Provider" = "PowerDVD 9"
"InvokeProgID" = "DVD"
"InvokeVerb" = "PlayWithPowerDVD9"
HKLM\SOFTWARE\Classes\DVD\shell\PlayWithPowerDVD9\Command\(Default) = ""C:\Program Files\CyberLink\PowerDVD9\PDVDLaunchPolicy.exe" "%L"" ["CyberLink Corp."]
PDVD9PlayVCDMovieOnArrival\
"Provider" = "PowerDVD 9"
"InvokeProgID" = "VCD"
"InvokeVerb" = "PlayWithPowerDVD9"
HKLM\SOFTWARE\Classes\VCD\shell\PlayWithPowerDVD9\Command\(Default) = ""C:\Program Files\CyberLink\PowerDVD9\PDVDLaunchPolicy.exe" "%L"" ["CyberLink Corp."]
RPCDBurningOnArrival\
"Provider" = "RealPlayer"
"InvokeProgID" = "RealPlayer.CDBurn.6"
"InvokeVerb" = "open"
HKCU\Software\Classes\RealPlayer.CDBurn.6\shell\open\command\(Default) = ""C:\Program Files\Real\RealPlayer\RealPlay.exe" /burn "%1"" ["RealNetworks, Inc."]
RPDeviceOnArrival\
"Provider" = "RealPlayer"
"ProgID" = "RealPlayer.HWEventHandler"
HKLM\SOFTWARE\Classes\RealPlayer.HWEventHandler\CLSID\(Default) = "{67E76F1D-BDE2-4052-913C-2752366192D2}"
-> {HKLM...CLSID} = "RealNetworks Scheduler"
\LocalServer32\(Default) = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -autoplay" ["RealNetworks, Inc."]
RPDVDBurningOnArrival\
"Provider" = "RealPlayer"
"InvokeProgID" = "RealPlayer.DVDBurn.6"
"InvokeVerb" = "open"
HKCU\Software\Classes\RealPlayer.DVDBurn.6\shell\open\command\(Default) = ""C:\Program Files\Real\RealPlayer\RealPlay.exe" /burndvd "%1"" ["RealNetworks, Inc."]
RPPlayCDAudioOnArrival\
"Provider" = "RealPlayer"
"InvokeProgID" = "RealPlayer.AudioCD.6"
"InvokeVerb" = "play"
HKCU\Software\Classes\RealPlayer.AudioCD.6\shell\play\command\(Default) = ""C:\Program Files\Real\RealPlayer\RealPlay.exe" /play %1 " ["RealNetworks, Inc."]
RPPlayDVDMovieOnArrival\
"Provider" = "RealPlayer"
"InvokeProgID" = "RealPlayer.DVD.6"
"InvokeVerb" = "play"
HKCU\Software\Classes\RealPlayer.DVD.6\shell\play\command\(Default) = ""C:\Program Files\Real\RealPlayer\RealPlay.exe" /dvd %1 " ["RealNetworks, Inc."]
RPPlayMediaOnArrival\
"Provider" = "RealPlayer"
"InvokeProgID" = "RealPlayer.AutoPlay.6"
"InvokeVerb" = "open"
HKCU\Software\Classes\RealPlayer.AutoPlay.6\shell\open\command\(Default) = ""C:\Program Files\Real\RealPlayer\RealPlay.exe" /autoplay "%1"" ["RealNetworks, Inc."]
Enabled Scheduled Tasks:
------------------------
"GoogleUpdateTaskMachineCore" -> launches: "C:\Program Files\Google\Update\GoogleUpdate.exe /c" ["Google Inc."]
"GoogleUpdateTaskMachineUA" -> launches: "C:\Program Files\Google\Update\GoogleUpdate.exe /ua /installsource scheduler" ["Google Inc."]
"RealUpgradeLogonTaskS-1-5-21-1993962763-1417001333-725345543-1003" -> launches: "C:\Program Files\Real\RealUpgrade\realupgrade.exe /logoncheck" ["RealNetworks, Inc."]
"RealUpgradeLogonTaskS-1-5-21-4148128800-2983233487-1952013625-1003" -> launches: "C:\Program Files\Real\RealUpgrade\realupgrade.exe /logoncheck" ["RealNetworks, Inc."]
"RealUpgradeScheduledTaskS-1-5-21-1993962763-1417001333-725345543-1003" -> launches: "C:\Program Files\Real\RealUpgrade\realupgrade.exe /scheduledcheck" ["RealNetworks, Inc."]
"RealUpgradeScheduledTaskS-1-5-21-4148128800-2983233487-1952013625-1003" -> launches: "C:\Program Files\Real\RealUpgrade\realupgrade.exe /scheduledcheck" ["RealNetworks, Inc."]
"Scheduled scanning task" -> launches: "C:\PROGRA~1\F-Secure\ANTI-V~1\fsav.exe /HARD /POLICY /SCHED /REPORT=C:\PROGRA~1\F-Secure\ANTI-V~1\report.txt " ["F-Secure Corporation"]
"User_Feed_Synchronization-{4F1D730A-A684-479F-A134-E5B2DABE506F}" -> launches: "C:\WINDOWS\system32\msfeedssync.exe sync" [MS]
Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "%SystemRoot%\system32\wshbth.dll" [MS]
Transport Service Providers
HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
C:\Program Files\F-Secure\FSPS\program\FSLSP.DLL ["F-Secure Corporation"], 01 - 04, 23
%SystemRoot%\system32\mswsock.dll [MS], 05 - 07, 10 - 22
%SystemRoot%\system32\rsvpsp.dll [MS], 08 - 09
Toolbars, Explorer Bars, Extensions:
------------------------------------
Toolbars
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{71576546-354D-41C9-AAE8-31F2EC22BF0D}"
-> {HKLM...CLSID} = "WOT"
\InProcServer32\(Default) = "C:\Program Files\WOT\WOT.dll" ["WOT Services Oy"]
Explorer Bars
HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
HKLM\SOFTWARE\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Research"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL" [MS]
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
Bluetooth Support Service, BthServ, "C:\WINDOWS\system32\svchost.exe -k bthsvcs" {"C:\WINDOWS\System32\bthserv.dll" [MS]}
F-Secure Management Agent, FSMA, ""C:\Program Files\F-Secure\Common\FSMA32.EXE"" ["F-Secure Corporation"]
FSGKHS, F-Secure Gatekeeper Handler Starter, ""C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe"" ["F-Secure Corporation"]
---------- (launch time: 2010-11-13 19:59:14)
<<!>>: Suspicious data at a malware launch point.
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 50 seconds.
---------- (total run time: 66 seconds)
*********** All Processes in Memory ***********
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure\Common\FSMA32.EXE
C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\CyberLink\PowerDVD9\PDVD9Serv.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Documents and Settings\home\My Documents\Test Firwall.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\F-Secure\Common\FSLAUNCH.EXE
C:\WINDOWS\system32\notepad.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\home\LOCALS~1\Temp\Rar$EX00.297\Zyzoom_Report_Tool.exe
*********** Processes in Memory That Are Not Digitally Signed (excluding system processes) ***********
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Documents and Settings\home\My Documents\Test Firwall.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\home\LOCALS~1\Temp\Rar$EX00.297\Zyzoom_Report_Tool.exe
*********** Folders and Files Created in the Last Month ***********
2010-11-13 19:59:07 ----A---- C:\zzlog.txt
2010-11-13 19:59:07 ----A---- C:\WINDOWS\system32\Gif89.dll
2010-11-13 07:09:10 ----D---- C:\Documents and Settings\All Users\Application Data\MessengerDiscovery 2
2010-11-13 06:54:40 ----D---- C:\Documents and Settings\All Users\Application Data\Messenger Plus!
2010-11-13 06:54:25 ----D---- C:\Program Files\Messenger Plus! Live
2010-11-13 05:40:50 ----D---- C:\Program Files\Microsoft
2010-11-13 05:40:23 ----D---- C:\Program Files\Windows Live SkyDrive
2010-11-13 04:17:01 ----D---- C:\Program Files\Common Files\Windows Live
2010-11-13 04:12:59 ----HDC---- C:\WINDOWS\$NtUninstallKB942288-v3$
2010-11-13 03:22:58 ----D---- C:\Program Files\Wikikou
2010-11-13 02:13:34 ----D---- C:\Documents and Settings\All Users\Application Data\PC Tools
2010-11-09 17:01:19 ----D---- C:\Program Files\Conduit
2010-11-09 10:45:41 ----D---- C:\Program Files\Common Files\DESIGNER
2010-11-09 10:45:19 ----D---- C:\Program Files\Microsoft Visual Studio
2010-11-09 00:46:19 ----D---- C:\Program Files\ThreatFire
2010-11-06 19:11:59 ----D---- C:\Documents and Settings\home\Application Data\skypePM
2010-11-06 19:02:30 ----D---- C:\Program Files\Common Files\Skype
2010-11-06 19:02:26 ----RD---- C:\Program Files\Skype
2010-11-06 19:02:26 ----D---- C:\Documents and Settings\home\Application Data\Skype
2010-11-06 19:02:22 ----D---- C:\Documents and Settings\All Users\Application Data\Skype
2010-11-04 14:16:54 ----D---- C:\Program Files\CCleaner
2010-11-04 14:14:50 ----D---- C:\Program Files\Google
2010-11-04 03:38:47 ----AD---- C:\WINDOWS\VDLL.DLL
2010-11-04 03:38:47 ----AD---- C:\WINDOWS\system32\runouce.exe
2010-11-04 03:38:47 ----AD---- C:\WINDOWS\RUNDL132.EXE
2010-11-04 03:38:47 ----AD---- C:\WINDOWS\logo_1.exe
2010-11-04 03:19:26 ----A---- C:\WINDOWS\system32\msvcr80.dll
2010-11-04 03:19:25 ----A---- C:\WINDOWS\system32\msvcp80.dll
2010-11-04 03:19:24 ----A---- C:\WINDOWS\system32\eEmpty.exe
2010-11-04 03:19:21 ----A---- C:\WINDOWS\system32\TASKMGR.COM
2010-11-04 03:19:21 ----A---- C:\WINDOWS\system32\T.COM
2010-11-04 03:19:21 ----A---- C:\WINDOWS\REGEDIT.COM
2010-11-04 03:19:21 ----A---- C:\WINDOWS\R.COM
2010-11-04 03:19:19 ----D---- C:\Program Files\Common Files\MicroWorld
2010-11-04 03:19:15 ----D---- C:\Documents and Settings\All Users\Application Data\MicroWorld
2010-11-03 01:18:05 ----D---- C:\Documents and Settings\All Users\Application Data\Yahoo!
2010-11-03 01:17:43 ----A---- C:\YServer.txt
2010-11-03 01:16:23 ----D---- C:\Program Files\Yahoo!
2010-11-02 02:24:48 ----D---- C:\Program Files\WOT
2010-11-01 05:54:14 ----D---- C:\WINDOWS\Minidump
2010-10-29 01:26:11 ----D---- C:\Program Files\Hitman Pro 3.5
2010-10-29 01:20:27 ----D---- C:\Documents and Settings\All Users\Application Data\Hitman Pro
2010-10-28 23:58:31 ----D---- C:\Documents and Settings\All Users\Application Data\McAfee
2010-10-28 16:56:19 ----HDC---- C:\WINDOWS\$NtUninstallKB2378111_WM9$
2010-10-28 13:08:12 ----SHD---- C:\Config.Msi
2010-10-28 13:05:18 ----HDC---- C:\WINDOWS\$NtUninstallKB973540_WM9$
2010-10-27 19:05:10 ----HDC---- C:\WINDOWS\$NtUninstallKB2345886$
2010-10-27 19:05:06 ----HDC---- C:\WINDOWS\$NtUninstallKB2296011$
2010-10-27 19:04:59 ----HDC---- C:\WINDOWS\$NtUninstallKB2115168$
2010-10-27 19:04:53 ----HDC---- C:\WINDOWS\$NtUninstallKB975558_WM8$
2010-10-27 19:04:47 ----HDC---- C:\WINDOWS\$NtUninstallKB951978$
2010-10-27 19:04:08 ----HDC---- C:\WINDOWS\$NtUninstallKB982132$
2010-10-27 19:04:01 ----HDC---- C:\WINDOWS\$NtUninstallKB956744$
2010-10-27 19:03:34 ----HDC---- C:\WINDOWS\$NtUninstallKB981852$
2010-10-27 04:10:55 ----HDC---- C:\WINDOWS\$NtUninstallKB2387149$
2010-10-27 04:10:49 ----HDC---- C:\WINDOWS\$NtUninstallKB2279986$
2010-10-27 04:10:45 ----HDC---- C:\WINDOWS\$NtUninstallKB982214$
2010-10-27 04:10:41 ----HDC---- C:\WINDOWS\$NtUninstallKB2259922$
2010-10-27 04:10:12 ----HDC---- C:\WINDOWS\$NtUninstallKB2347290$
2010-10-27 04:10:07 ----HDC---- C:\WINDOWS\$NtUninstallKB2079403$
2010-10-27 04:09:31 ----HDC---- C:\WINDOWS\$NtUninstallKB979687$
2010-10-27 04:09:26 ----HDC---- C:\WINDOWS\$NtUninstallKB2121546$
2010-10-27 04:09:21 ----HDC---- C:\WINDOWS\$NtUninstallKB980436$
2010-10-27 04:08:50 ----HDC---- C:\WINDOWS\$NtUninstallKB981322$
2010-10-27 04:07:38 ----HDC---- C:\WINDOWS\$NtUninstallKB2286198$
2010-10-27 04:07:29 ----HDC---- C:\WINDOWS\$NtUninstallKB981957$
2010-10-27 04:07:24 ----HDC---- C:\WINDOWS\$NtUninstallKB981997$
2010-10-27 04:07:19 ----HDC---- C:\WINDOWS\$NtUninstallKB2141007$
2010-10-27 04:07:14 ----HDC---- C:\WINDOWS\$NtUninstallKB2158563$
2010-10-27 04:07:12 ----HDC---- C:\WINDOWS\$NtUninstallKB982665$
2010-10-27 04:06:59 ----HDC---- C:\WINDOWS\$NtUninstallKB2360937$
2010-10-26 01:38:32 ----D---- C:\Documents and Settings\home\Application Data\F-Secure
2010-10-26 01:30:23 ----D---- C:\Program Files\F-Secure
2010-10-26 01:30:06 ----D---- C:\Documents and Settings\All Users\Application Data\fssg
2010-10-26 01:25:38 ----D---- C:\Documents and Settings\All Users\Application Data\f-secure
2010-10-24 12:29:08 ----HD---- C:\WINDOWS\PIF
2010-10-24 10:20:21 ----D---- C:\## aswSnx private storage
2010-10-24 00:47:13 ----D---- C:\Program Files\Alwil Software
2010-10-24 00:47:13 ----D---- C:\Documents and Settings\All Users\Application Data\Alwil Software
2010-10-22 13:58:56 ----D---- C:\Documents and Settings\home\Application Data\EurekaLog
2010-10-17 04:52:07 ----D---- C:\Documents and Settings\home\Application Data\Zyzoom_Salty_Killer
2010-10-16 09:12:42 ----D---- C:\Documents and Settings\All Users\Application Data\CyberLink
2010-10-16 03:33:01 ----D---- C:\Program Files\AntiLogger
2010-10-15 02:27:47 ----D---- C:\WINDOWS\pss
2010-10-14 21:12:03 ----D---- C:\Program Files\VCD CUTER
---------------------------------------------------------------------
This Report Created By Zyzoom.org Tools & Silent Runners & HijackThis