Thread starter: ranea

ranea
New Zyzoomer (member rank)
Joined: 1 May 2011
Posts: 8
Reaction score: 0
Points: 0

Here you go:


******** 08-10-10.09 - faezzv 2010-07-08 20:53:08.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1256.966.1033.18.1553 [GMT -7:00]
Running from: C:\DOCUME~1\faezzv\LOCALS~1\Temp\Rar$EX00.343\********.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
- REDUCED FUNCTIONALITY MODE -
.

((((((((((((((((((((((((( Files Created from 2010-06-09 to 2010-07-09 )))))))))))))))))))))))))))))))
.

2011-05-25 13:34 . 2009-12-11 03:15 56,872 --a------ C:\WINDOWS\system32\drivers\l1c51x86.sys
2011-05-25 13:22 . 2009-06-26 00:29 1,656,960 --a------ C:\WINDOWS\system32\drivers\Ambfilt.sys
2011-05-25 13:22 . 2009-11-25 05:57 1,617,408 --a------ C:\WINDOWS\system32\drivers\viahduaa.sys
2011-05-25 13:22 . 2008-12-01 23:56 1,389,056 --a------ C:\WINDOWS\system32\drivers\Monfilt.sys
2010-07-08 20:44 . 2010-07-08 20:45 <DIR> d-------- C:\Program Files\Flock
2010-07-08 20:44 . 2010-07-08 20:44 <DIR> d-------- C:\Documents and Settings\faezzv\Application Data\Flock
2010-07-08 20:38 . 2010-07-08 20:39 <DIR> d-------- C:\Zyzoom_Forum_Tools
2010-07-02 02:38 . 2010-07-02 02:38 <DIR> d-------- C:\Program Files\Skype
2010-07-02 02:38 . 2010-07-02 02:38 <DIR> d-------- C:\Program Files\Common Files\Skype
2010-07-02 01:38 . 2010-07-08 20:30 <DIR> d-------- C:\Documents and Settings\faezzv\Application Data\skypePM
2010-07-02 01:38 . 2010-07-02 01:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Skype Extras
2010-07-02 01:38 . 2010-07-02 01:38 56 --ah----- C:\WINDOWS\system32\ezsidmv.dat
2010-07-02 01:27 . 2010-07-02 01:27 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2010-07-02 01:27 . 2010-07-02 01:27 <DIR> d-------- C:\WINDOWS\system32\Atheros_L1e
2010-07-02 01:17 . 2010-07-02 01:17 <DIR> d-------- C:\WINDOWS\OPTIONS
2010-07-02 01:17 . 2010-07-02 01:17 <DIR> d-------- C:\Program Files\Realtek
2010-07-02 01:17 . 2010-07-02 01:17 <DIR> d-------- C:\Documents and Settings\faezzv\Application Data\InstallShield
2010-07-02 01:16 . 2010-07-02 01:17 <DIR> d-------- C:\Program Files\VIA
2010-07-02 01:16 . 2006-11-09 17:25 319,456 --a------ C:\WINDOWS\system32\difxapi.dll
2010-07-02 01:00 . 2010-01-18 04:37 24,816 --a------ C:\WINDOWS\system32\mdimon.dll
2010-07-02 01:00 . 2010-07-02 01:00 376 --a------ C:\WINDOWS\ODBC.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-02 23:14 60,936 ----a-w C:\WINDOWS\system32\drivers\avgntflt.sys
2010-07-09 03:41 --------- d-----w C:\Documents and Settings\faezzv\Application Data\Skype
2010-07-02 09:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2010-07-02 08:27 --------- d--h--w C:\Program Files\InstallShield Installation Information
2010-07-02 08:16 --------- d-----w C:\Program Files\Common Files\InstallShield
2010-07-02 07:59 --------- d-----w C:\Program Files\Microsoft.NET
2010-07-02 07:59 --------- d-----w C:\Program Files\Microsoft ActiveSync
2010-07-02 07:58 --------- d-----w C:\Program Files\RocketDock
2010-07-02 07:58 --------- d-----w C:\Documents and Settings\faezzv\Application Data\vlc
2010-07-02 07:57 --------- d-----w C:\Program Files\VideoLAN
2010-07-02 07:57 --------- d-----w C:\Program Files\JetAudio
2010-07-02 07:57 --------- d-----w C:\Program Files\Common Files\xing shared
2010-07-02 07:57 --------- d-----w C:\Program Files\Common Files\Real
2010-07-02 07:56 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2010-07-02 07:56 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2010-07-02 07:56 --------- d-----w C:\Program Files\Real
2010-07-02 07:56 --------- d-----w C:\Program Files\K-Lite Codec Pack
2010-07-02 07:56 --------- d-----w C:\Program Files\Common Files\COWON
2010-07-02 07:55 --------- d-----w C:\Program Files\The KMPlayer
2010-07-02 07:54 --------- d-----w C:\Program Files\Yahoo!
2010-07-02 07:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2010-07-02 07:51 --------- d-----w C:\Program Files\Avira
2010-07-02 07:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avira
2010-07-02 07:40 --------- d-----w C:\Program Files\microsoft frontpage
2010-06-02 08:00 108,032 ----a-w C:\WINDOWS\system32\ff_vfw.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 15360]
"Messenger (Yahoo!)"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2009-11-10 5244216]
"RocketDock"="C:\Program Files\RocketDock\RocketDock.exe" [2007-09-02 495616]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-05-30 21718312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 208952]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-03 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"avgnt"="C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" [2010-08-02 281768]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2010-07-02 198160]
"HDAudDeck"="C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe" [2009-12-02 33718272]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2009-02-25 141336]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2009-02-25 173592]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2009-02-25 142360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 AntiVirMailService;Avira AntiVir MailGuard;C:\Program Files\Avira\AntiVir Desktop\avmailc.exe [2010-08-02 339624]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;C:\Program Files\Avira\AntiVir Desktop\sched.exe [2010-08-02 135336]
R2 AntiVirWebService;Avira AntiVir WebGuard;C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE [2010-08-02 403624]
R3 L1c;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;C:\WINDOWS\system32\DRIVERS\l1c51x86.sys [2009-12-11 56872]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;C:\WINDOWS\system32\drivers\viahduaa.sys [2009-11-25 1617408]
S3 AMBFilt;AMBFilt;C:\WINDOWS\system32\drivers\AMBFilt.sys [2009-06-26 1656960]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\faezzv\Application Data\Mozilla\Firefox\Profiles\f3zh7o5d.default\
FF -: plugin - C:\Program Files\Yahoo!\Shared\npYState.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,

[hidden link]


Rootkit scan 2010-07-08 20:53:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HDAudDeck = C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe 1????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\RocketDock\RocketDock.dll
.
Completion time: 2010-07-08 20:54:55
********-quarantined-files.txt 2010-07-09 03:54:51

Pre-Run: 25,891,942,400 bytes free
Post-Run: 25,909,243,904 bytes free

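The "Reg Loading Points" section of the log above is the part a responder reads first: the Security Center values show the antivirus and update warnings suppressed (AntiVirusDisableNotify and UpdatesDisableNotify set to 1), the standard-profile firewall is off (EnableFirewall = 0), and every Run value should be checked against where it executes from. The Python script below is an added example, not part of the original post and not code from the tool that produced the log; it parses a section in this format and flags those conditions. SAMPLE_LOG is an excerpt copied from the posted log, CONSTRUCTED_SAMPLE is an invented Run value (not from this machine) used only to show what a hit on an untrusted path looks like, and TRUSTED_ROOTS, the section-name matching and the value regexes are assumptions derived from the lines visible on this page.

```python
"""Flag weak settings and suspicious autostarts in a ComboFix-style
"Reg Loading Points" section.

Added example: the parsing rules are assumptions derived from the log
format shown on this page, not from the tool's own source.
"""
import re

# Excerpt copied from the posted log (Reg Loading Points section).
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 15360]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-05-30 21718312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" [2010-08-02 281768]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2010-07-02 198160]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"""

# Constructed sample (NOT from the posted log): one Run value that executes
# from a user-writable temp directory, to show what a positive hit looks like.
CONSTRUCTED_SAMPLE = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updater"="C:\Documents and Settings\user\Local Settings\Temp\updater.exe" [2010-07-08 40960]
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")            # [HKEY_...\Run]
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')  # "name"=value
QUOTED_PATH_RE = re.compile(r'^"([^"]+)"')        # leading quoted exe path

# Assumption: legitimate autostarts on this XP box live under these roots.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\")

# Security Center values that, when set to 1, silence the user's warnings.
NOTIFY_FLAGS = ("AntiVirusDisableNotify", "UpdatesDisableNotify", "FirewallDisableNotify")


def parse_reg_points(text):
    """Return {key: {value_name: raw_value}} for a Reg Loading Points dump."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            sections[current][m.group(1)] = m.group(2).strip()
    return sections


def autostart_paths(sections):
    """Yield (key, value_name, exe_path) for every value under a ...\\Run key."""
    for key, values in sections.items():
        if not key.lower().endswith("\\currentversion\\run"):
            continue
        for name, raw in values.items():
            m = QUOTED_PATH_RE.match(raw)
            yield key, name, (m.group(1) if m else raw)


def find_findings(text):
    """Return human-readable findings for the section; empty if nothing stands out."""
    sections = parse_reg_points(text)
    findings = []

    # 1. Autostart entries that run from outside the trusted roots.
    for key, name, path in autostart_paths(sections):
        if not path.lower().startswith(TRUSTED_ROOTS):
            findings.append(f"autostart outside trusted roots: {name} -> {path} ({key})")

    for key, values in sections.items():
        k = key.lower()
        # 2. Security Center warnings switched off.
        if k.endswith("\\security center"):
            for flag in NOTIFY_FLAGS:
                if values.get(flag) == "dword:00000001":
                    findings.append(f"Security Center warning suppressed: {flag}=1")
        # 3. Windows Firewall disabled in the standard profile.
        if "firewallpolicy" in k and k.endswith("standardprofile"):
            if values.get("EnableFirewall", "").startswith("0"):
                findings.append("Windows Firewall disabled (standardprofile EnableFirewall=0)")
        # 4. Programs allowed through the firewall (informational).
        if k.endswith("authorizedapplications\\list"):
            for app in values:
                clean = app.replace("\\\\", "\\")
                findings.append(f"firewall exception: {clean}")
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_LOG, CONSTRUCTED_SAMPLE):
        for line in find_findings(sample) or ["no findings"]:
            print(line)
        print("--")
```

Run against the posted excerpt it reports the two suppressed Security Center warnings, the disabled firewall and the two firewall exceptions, and no autostart outside Program Files or WINDOWS; the constructed sample shows the path check firing. Paste the whole Reg Loading Points section of a log into SAMPLE_LOG to triage a new report the same way.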

Download the tool from this thread [hidden link]

and post a HijackThis report plus a list of the installed programs,
and I'd like you to state exactly what the problem is.