Peace be upon you,
Dear brothers, I have recently noticed a lot of viruses on the computer, so I generated ComboFix and HijackThis reports.
Please take a look, analyse the reports, and tell me what the next step should be.
May God reward you.
First, the ComboFix report
ComboFix 08-08-03.05 - badaoud 08/09/2008 22:25:20.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1256.1.1025.18.508 [GMT 3:00]
Running from: F:\Program\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\1nkbd8h.bat
C:\1rfw8hjr.com
C:\Autorun.inf
C:\ffojc.com
C:\kdxdweli.cmd
C:\qxbx9blb.com
C:\r.cmd
D:\1nkbd8h.bat
D:\1rfw8hjr.com
D:\autorun.inf
D:\Documents and Settings\All Users\قائمة ابدأ\البرامج\ADSTechnology
D:\Documents and Settings\All Users\قائمة ابدأ\البرامج\ADSTechnology\ADSTechnology.lnk
D:\Documents and Settings\All Users\قائمة ابدأ\البرامج\ADSTechnology\Uninstall.lnk
D:\kdxdweli.cmd
D:\Program Files\ActivationManager
D:\Program Files\ActivationManager\ActivationManager.dll
D:\Program Files\ActivationManager\Uninstall.exe
D:\Program Files\ADSTechnology
D:\Program Files\ADSTechnology\ADSTechnology.dll
D:\Program Files\ADSTechnology\ADSTechnology.exe
D:\Program Files\ADSTechnology\Uninstall.exe
D:\r.cmd
F:\RECYCLER\desktop.ini
.
((((((((((((((((((((((((( Files Created from 2008-07-09 to 2008-08-09 )))))))))))))))))))))))))))))))
.
No new files created in this timespan
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-09 19:23 --------- d-----w D:\Program Files\Unlocker
2008-08-09 19:23 --------- d-----w D:\Documents and Settings\badaoud\Application Data\Desktopicon
2008-08-09 16:55 --------- d-----w D:\Documents and Settings\badaoud\Application Data\MxBoost
2008-08-08 18:53 --------- d-----w D:\Documents and Settings\All Users\Application Data\ATI MMC
2008-08-08 03:53 --------- d-----w D:\Documents and Settings\All Users\Application Data\PC Suite
2008-07-31 23:02 143,872 ----a-w D:\WINDOWS\system32\varukevor.exe
2008-07-31 23:02 143,872 ----a-w D:\WINDOWS\system32\dinnigoop.exe
2008-07-31 16:50 --------- d-----w D:\Program Files\PCTV4Me
2008-07-28 23:06 --------- d-----w D:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-07-27 15:36 --------- d-----w D:\Program Files\Real_SC
2008-07-27 15:36 --------- d-----w D:\Program Files\Real
2008-07-27 15:36 --------- d-----w D:\Program Files\Luxor
2008-07-27 15:36 --------- d-----w D:\Program Files\تفسير الاحلام
2008-07-26 10:25 79,360 --sh--r D:\WINDOWS\system32\ckvo1.dll
2008-07-25 23:42 87,297 --sh--r D:\g2pfnid.com
2008-07-25 20:32 86,679 --sh--r D:\jk.exe
2008-07-22 10:47 --------- d-----w D:\Documents and Settings\badaoud\Application Data\Skype
2008-07-21 16:38 17,679,958 ----a-w D:\kmplayer.zip
2008-07-21 14:52 --------- d-----w D:\Program Files\Common Files\Real
2008-07-21 14:50 117,520 --sh--r D:\e9ehn1m8.com
2008-07-21 14:21 118,782 --sha-r D:\ybj8df.exe
2008-07-20 18:39 --------- d-----w D:\Program Files\Google
2008-07-20 18:38 --------- d-----w D:\Program Files\Skype
2008-07-20 18:38 --------- d-----w D:\Program Files\Common Files\Skype
2008-07-20 18:38 --------- d-----w D:\Documents and Settings\All Users\Application Data\Skype
2008-07-20 12:42 117,009 --sha-r D:\fi.cmd
2008-07-20 12:11 --------- d-----w D:\Documents and Settings\All Users\Application Data\Sony Ericsson
2008-07-20 11:54 --------- d--h--w D:\Program Files\InstallShield Installation Information
2008-07-20 11:54 --------- d-----w D:\Program Files\Intuwave Ltd
2008-07-20 11:53 --------- d-----w D:\Program Files\Sony Ericsson
2008-07-17 17:11 --------- d-----w D:\Program Files\GameShadow
2008-07-14 16:25 119,035 --sh--r D:\dgl6.bat
2008-07-07 10:10 116,932 --sha-r D:\00hoeav.com
2008-07-06 22:19 72 --sh--w D:\Program Files\desktop.ini
2008-07-06 22:19 703 --sh--w D:\Program Files\comment.htt
2008-07-03 18:12 --------- d-----w D:\Documents and Settings\All Users\Application Data\MumboJumbo
2008-07-03 17:14 --------- d-----w D:\Program Files\ReflexiveArcade
2008-07-03 15:10 112,585 --sha-r D:\xmnm2.cmd
2008-07-02 02:41 --------- d-----w D:\Program Files\Microsoft ActiveSync
2008-07-02 02:05 --------- d-----w D:\Program Files\Windows Mobile Resources
2008-06-29 16:07 112,227 --sha-r D:\klp8j6i.com
2008-06-28 21:26 --------- d-----w D:\Program Files\برامج أسهل
2008-06-28 21:25 782,336 ----a-w D:\WINDOWS\iun6002.exe
2008-06-21 06:40 110,179 --sha-r D:\udr.com
2008-06-20 17:39 245,248 ----a-w D:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45 360,320 ----a-w D:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w D:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w D:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-19 13:24 113,964 --sha-r D:\f6cavn.bat
2008-06-16 08:59 112,672 --sha-r D:\6x8be16.cmd
2008-06-14 17:59 271,616 ----a-w D:\WINDOWS\system32\drivers\bthport.sys
2008-06-13 02:20 114,058 --sha-r D:\m88coaim.exe
2008-06-09 22:47 116,737 --sha-r D:\olb1iimw.bat
2008-06-08 09:02 107,736 --sha-r D:\iefqwp.cmd
2008-06-05 05:50 108,512 --sha-r D:\jjcx.com
2008-06-04 10:06 107,131 --sha-r D:\nby.bat
2008-06-02 12:58 108,400 --sha-r D:\invwft2h.com
2008-06-01 13:56 131,584 ----a-w D:\WINDOWS\system32\SpoonUninstall.exe
2008-05-31 14:07 106,542 --sha-r D:\t8vlw.exe
2008-05-31 05:26 108,885 --sha-r D:\jdwx.exe
2008-05-23 02:41 107,828 --sha-r D:\tfk8.exe
2008-05-18 04:52 105,503 --sha-r D:\d.cmd
2002-02-28 19:34 49,152 ----a-w D:\Documents and Settings\badaoud\addwinfile.exe
2002-02-28 19:34 49,152 ----a-w D:\Documents and Settings\badaoud\بحثwinfile.exe
.
((((((((((((((((((((((((((((( snapshot_Fri 08-01-2008_ 2.25.17.65 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-09-16 00:02:34 221,488 -c----w D:\WINDOWS\$NtUninstallWudf01005$\spuninst\spuninst.exe
+ 2006-09-16 00:02:36 379,184 -c----w D:\WINDOWS\$NtUninstallWudf01005$\spuninst\updspapi.dll
+ 2006-09-15 19:30:12 70,656 -c----w D:\WINDOWS\$NtUninstallWudf01005$\spuninst\WudfCustom.dll
+ 2006-09-28 17:13:26 95,344 -c----w D:\WINDOWS\$NtUninstallWudf01005$\wudfcoinstaller.dll
+ 2006-09-28 15:56:38 146,432 -c----w D:\WINDOWS\$NtUninstallWudf01005$\wudfhost.exe
+ 2006-09-28 15:55:50 77,568 -c----w D:\WINDOWS\$NtUninstallWudf01005$\wudfpf.sys
+ 2006-09-28 15:56:16 165,376 -c----w D:\WINDOWS\$NtUninstallWudf01005$\wudfplatform.dll
+ 2006-09-28 16:00:34 82,944 -c----w D:\WINDOWS\$NtUninstallWudf01005$\wudfrd.sys
+ 2006-09-28 15:56:14 55,808 -c----w D:\WINDOWS\$NtUninstallWudf01005$\wudfsvc.dll
+ 2006-09-28 15:56:38 316,416 -c----w D:\WINDOWS\$NtUninstallWudf01005$\wudfx.dll
+ 2006-11-03 17:12:10 412,160 ----a-w D:\WINDOWS\system32\drivers\UMDF\PCCSWpdDriver.dll
- 2006-09-28 15:55:50 77,568 ------w D:\WINDOWS\system32\drivers\WudfPf.sys
+ 2006-09-15 19:29:52 76,544 ------w D:\WINDOWS\system32\drivers\WudfPf.sys
- 2006-09-28 16:00:34 82,944 ------w D:\WINDOWS\system32\drivers\WudfRd.sys
+ 2006-09-15 19:30:10 82,688 ------w D:\WINDOWS\system32\drivers\WudfRd.sys
- 2008-07-31 16:52:18 64,554 ----a-w D:\WINDOWS\system32\perfc001.dat
+ 2008-08-09 19:24:03 64,554 ----a-w D:\WINDOWS\system32\perfc001.dat
- 2008-07-31 16:52:18 64,450 ----a-w D:\WINDOWS\system32\perfc009.dat
+ 2008-08-09 19:24:03 64,450 ----a-w D:\WINDOWS\system32\perfc009.dat
- 2008-07-31 16:52:18 344,674 ----a-w D:\WINDOWS\system32\perfh001.dat
+ 2008-08-09 19:24:03 344,674 ----a-w D:\WINDOWS\system32\perfh001.dat
- 2008-07-31 16:52:18 408,928 ----a-w D:\WINDOWS\system32\perfh009.dat
+ 2008-08-09 19:24:03 408,928 ----a-w D:\WINDOWS\system32\perfh009.dat
- 2006-09-25 14:58:48 23,856 ----a-w D:\WINDOWS\system32\spupdsvc.exe
+ 2006-09-16 00:02:34 23,856 ----a-w D:\WINDOWS\system32\spupdsvc.exe
- 2006-09-28 17:13:26 95,344 ------w D:\WINDOWS\system32\WUDFCoinstaller.dll
+ 2006-09-15 20:30:16 87,040 ------w D:\WINDOWS\system32\WUDFCoinstaller.dll
- 2006-09-28 15:56:38 146,432 ------w D:\WINDOWS\system32\WudfHost.exe
+ 2006-09-15 20:30:06 142,848 ------w D:\WINDOWS\system32\WudfHost.exe
- 2006-09-28 15:56:16 165,376 ------w D:\WINDOWS\system32\WudfPlatform.dll
+ 2006-09-15 19:29:54 163,840 ------w D:\WINDOWS\system32\WudfPlatform.dll
- 2006-09-28 15:56:14 55,808 ------w D:\WINDOWS\system32\WudfSvc.dll
+ 2006-09-15 20:30:16 55,296 ------w D:\WINDOWS\system32\WudfSvc.dll
+ 2006-10-19 17:38:28 831,048 ----a-w D:\WINDOWS\system32\WudfUpdate_01005.dll
- 2006-09-28 15:56:38 316,416 ------w D:\WINDOWS\system32\WUDFx.dll
+ 2006-09-15 20:30:16 308,224 ------w D:\WINDOWS\system32\WUDFx.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="D:\WINDOWS\system32\ctfmon.exe" [08/04/2004 01:56 AM 15360]
"MsnMsgr"="D:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [10/18/2007 11:34 AM 5724184]
"ATI Launchpad"="D:\Program Files\ATI Multimedia\main\launchpd.exe" [11/04/2005 09:31 PM 155648]
"ATI DeviceDetect"="D:\Program Files\ATI Multimedia\main\ATIDtct.EXE" [11/04/2005 09:27 PM 57344]
"ATI Remote Control"="D:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe" [10/12/2005 09:08 PM 1622016]
"PCTV4Me"="D:\Program Files\PCTV4Me\pctv4me.exe" [04/25/2008 11:08 PM 1105920]
"Yahoo! Pager"="D:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [08/30/2007 05:43 PM 4670704]
"H/PC Connection Agent"="D:\Program Files\Microsoft ActiveSync\wcescomm.exe" [11/13/2006 01:39 PM 1289000]
"kamsoft"="D:\WINDOWS\system32\ckvo.exe" [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Acrobat Assistant 8.0"="D:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [03/05/2008 02:32 PM 619896]
"Adobe Reader Speed Launcher"="D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16 PM 39792]
"GrooveMonitor"="D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [08/24/2007 07:00 AM 33648]
"ATICCC"="D:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [08/12/2005 02:43 PM 45056]
"PCSuiteTrayApplication"="D:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [11/28/2006 02:12 PM 278528]
"loofoo"="D:\WINDOWS\system32\varukevor.exe" [08/01/2008 02:02 AM 143872]
"UnlockerAssistant"="D:\Program Files\Unlocker\UnlockerAssistant.exe" [05/02/2008 07:15 AM 15872]
"SigmatelSysTrayApp"="sttray.exe" [N/A]
"BluetoothAuthenticationAgent"="bthprops.cpl" [08/04/2004 01:56 AM 110592 D:\WINDOWS\system32\bthprops.cpl]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"loofoo"="D:\WINDOWS\system32\varukevor.exe" [08/01/2008 02:02 AM 143872]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="D:\WINDOWS\system32\CTFMON.EXE" [08/04/2004 01:56 AM 15360]
"PcSync"="D:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [11/09/2006 05:15 PM 1634304]
D:\Documents and Settings\badaoud\قائمة ابدأ\البرامج\بدء التشغيل\
SkyGear.lnk - D:\Program Files\SkyGear\SkyGear.exe [2008-03-17 16:37:36 704512]
WampServer.lnk - D:\wamp\wampmanager.exe [2007-02-18 18:07:00 1141760]
D:\Documents and Settings\All Users\قائمة ابدأ\البرامج\بدء التشغيل\
Adobe Gamma Loader.lnk - D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-01-14 17:03:21 110592]
PalTalk.lnk - D:\Program Files\Paltalk Messenger\paltalk.exe [2007-12-11 23:34:40 10252288]
Phone Connection Monitor.lnk - D:\Program Files\Sony Ericsson\Mobile\audevicemgr.exe [2008-07-20 14:54:07 753664]
WinZip Quick Pick.lnk - D:\Program Files\WinZip\WZQKPICK.EXE [2007-08-03 11:10:00 394856]
معجل بدء تشغيل Adobe Acrobat.lnk - D:\WINDOWS\Installer\{AC76BA86-1025-0000-7760-000000000003}\_SC_Acrobat.exe [2008-02-13 21:41:28 295606]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= ATIYUV12.DLL
"VIDC.VCR2"= ATIVCR2.DLL
"VIDC.DRAW"= DVIDEO.DLL
"VIDC.VCR1"= ATIVCR1.DLL
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"D:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"D:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"=
"D:\\Program Files\\Intuwave Ltd\\Shared\\mRouterRunTime\\mRouterRuntime.exe"=
"D:\\Program Files\\Skype\\Phone\\Skype.exe"=
"D:\\Program Files\\Paltalk Messenger\\paltalk.exe"=
R2 NwSapAgent;SAP Agent;D:\WINDOWS\system32\svchost.exe [08/04/2004 01:56 AM]
R2 PHPGeekUtil;PHPGeekUtil;c:\apache\APACHE.EXE [01/25/2002 07:30 AM]
R2 wampapache;wampapache;D:\wamp\apache2\bin\httpd.exe [01/10/2007 12:17 AM]
R2 wampmysqld;wampmysqld;D:\wamp\mysql\bin\mysqld-nt.exe [07/06/2007 01:14 PM]
S2 kueyyoeg;BCL easyPDF SDK Loader;D:\WINDOWS\system32\dinnigoop.exe [08/01/2008 02:02 AM]
S3 NAL;Nal Service ;D:\WINDOWS\system32\Drivers\iqvw32.sys [07/05/2006 03:35 PM]
S3 slnt;Real RTL8139 PCI Fast Ethernet Adapter;D:\WINDOWS\system32\DRIVERS\slnt.sys [11/20/2003 07:58 AM]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{029543cf-5251-11dc-8ea8-0019d1202618}]
\Shell\AutoRun\command - F:\1nkbd8h.bat
\Shell\explore\Command - F:\1nkbd8h.bat
\Shell\open\Command - F:\1nkbd8h.bat
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{148f46ff-ee91-11dc-9a44-0019d1202618}]
\Shell\AutoRun\command - F:\b.com
\Shell\explore\Command - F:\b.com
\Shell\open\Command - F:\b.com
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{17a3cb9c-134f-11dd-9ab2-0019d1202618}]
\Shell\AutoRun\command - F:\RavMon.exe
\Shell\explore\Command - F:\RavMon.exe -e
\Shell\open\Command - F:\RavMon.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2f62c3c4-594f-11dc-8ecd-0019d1202618}]
\Shell\AutoRun\command - pa39xth.cmd
\Shell\explore\Command - pa39xth.cmd
\Shell\open\Command - pa39xth.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{34f6e008-f74f-11dc-9a63-0019d1202618}]
\Shell\AutoRun\command - F:\n2de.cmd
\Shell\explore\Command - F:\n2de.cmd
\Shell\open\Command - F:\n2de.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{60ee1d93-f677-11dc-9a5d-0019d1202618}]
\Shell\AutoRun\command - F:\n2de.cmd
\Shell\explore\Command - F:\n2de.cmd
\Shell\open\Command - F:\n2de.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6c5e676a-7065-11dc-8f41-0019d1202618}]
\Shell\AutoRun\command - G:\xmnm2.cmd
\Shell\explore\Command - G:\xmnm2.cmd
\Shell\open\Command - G:\xmnm2.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aba294f6-02e2-11dd-9a7e-0019d1202618}]
\Shell\AutoRun\command - F:\invwft2h.com
\Shell\explore\Command - F:\invwft2h.com
\Shell\open\Command - F:\invwft2h.com
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ac491cbf-0faa-11dd-9a9f-0019d1202618}]
\Shell\AutoRun\command - F:\pa39xth.cmd
\Shell\explore\Command - F:\pa39xth.cmd
\Shell\open\Command - F:\pa39xth.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b3f828ae-06f3-11dd-9a89-0019d1202618}]
\Shell\AutoRun\command - 80avp08.com
\Shell\explore\Command - 80avp08.com
\Shell\open\Command - 80avp08.com
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c7f5eaa4-f50b-11dc-9a58-0019d1202618}]
\Shell\AutoRun\command - F:\b.com
\Shell\explore\Command - F:\b.com
\Shell\open\Command - F:\b.com
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d163087c-d344-11dc-99f5-00116786fab4}]
\Shell\AutoRun\command - xfoolavp.com
\Shell\explore\Command - xfoolavp.com
\Shell\open\Command - xfoolavp.com
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d75de3d0-0ae7-11dc-8da0-0019d1202618}]
\Shell\AutoRun\command - F:\f6cavn.bat
\Shell\explore\Command - F:\f6cavn.bat
\Shell\open\Command - F:\f6cavn.bat
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e923b9ce-0bd6-11dd-9a95-0019d1202618}]
\Shell\AutoRun\command - F:\n2de.cmd
\Shell\explore\Command - F:\n2de.cmd
\Shell\open\Command - F:\n2de.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ef40aabd-cfff-11dc-99ea-00116786fab4}]
\Shell\AutoRun\command - F:\jfvkcsy.bat
\Shell\explore\Command - F:\jfvkcsy.bat
\Shell\open\Command - F:\jfvkcsy.bat
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ff745ff7-5b24-11dd-9b73-0019d1202618}]
\Shell\AutoRun\command - F:\1rfw8hjr.com
\Shell\explore\Command - F:\1rfw8hjr.com
\Shell\open\Command - F:\1rfw8hjr.com
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - D:\Documents and Settings\badaoud\Application Data\Mozilla\Firefox\Profiles\nmsvc7ei.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
Rootkit scan 2008-08-09 22:29:36
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 08/09/2008 22:33:46
ComboFix-quarantined-files.txt 2008-08-09 19:33:30
ComboFix2.txt 2008-07-31 23:25:51
ComboFix3.txt 2008-07-27 15:48:06
Pre-Run: 10,753,073,152 bytes free
Post-Run: 10,880,638,976 bytes free
296 --- E O F --- 2008-07-28 23:06:25
Second, the HijackThis report
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:40:29 م, on 09/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\csrss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Bonjour\mDNSResponder.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\apache\APACHE.EXE
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\HPZipm12.exe
D:\WINDOWS\system32\svchost.exe
D:\wamp\apache2\bin\httpd.exe
c:\apache\APACHE.EXE
D:\wamp\mysql\bin\mysqld-nt.exe
D:\wamp\apache2\bin\httpd.exe
D:\WINDOWS\System32\alg.exe
D:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
D:\Program Files\ATI Technologies\ATI.ACE\cli.exe
D:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
D:\WINDOWS\system32\varukevor.exe
D:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
D:\Program Files\ATI Multimedia\main\launchpd.exe
D:\Program Files\ATI Multimedia\main\ATIDtct.EXE
D:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
D:\Program Files\PCTV4Me\pctv4me.exe
D:\Program Files\Microsoft ActiveSync\wcescomm.exe
D:\PROGRA~1\MI3AA1~1\rapimgr.exe
D:\Program Files\PC Connectivity Solution\ServiceLayer.exe
D:\Program Files\Paltalk Messenger\paltalk.exe
D:\Program Files\Sony Ericsson\Mobile\audevicemgr.exe
D:\Program Files\WinZip\WZQKPICK.EXE
D:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\CONNMN~1.EXE
D:\Program Files\SkyGear\SkyGear.exe
D:\wamp\wampmanager.exe
d:\Program Files\Intuwave Ltd\Shared\mRouterRunTime\mRouterRuntime.exe
D:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
D:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
D:\Program Files\ATI Technologies\ATI.ACE\cli.exe
D:\Program Files\ATI Technologies\ATI.ACE\cli.exe
D:\WINDOWS\system32\wuauclt.exe
D:\WINDOWS\system32\ctfmon.exe
D:\WINDOWS\explorer.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\WINDOWS\system32\wbem\wmiprvse.exe
D:\Documents and Settings\badaoud\سطح المكتب\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - D:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: مساعد رابط Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - D:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: مساعد تسجيل الدخول إلى Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! 工具列 - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "D:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [ATICCC] "D:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [PCSuiteTrayApplication] D:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [loofoo] D:\WINDOWS\system32\varukevor.exe
O4 - HKLM\..\Run: [UnlockerAssistant] "D:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\RunServices: [loofoo] D:\WINDOWS\system32\varukevor.exe
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ATI Launchpad] "D:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [ATI DeviceDetect] D:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKCU\..\Run: [ATI Remote Control] D:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [PCTV4Me] "D:\Program Files\PCTV4Me\pctv4me.exe" /hide
O4 - HKCU\..\Run: [Yahoo! Pager] "D:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [H/PC Connection Agent] "D:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [kamsoft] D:\WINDOWS\system32\ckvo.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: SkyGear.lnk = D:\Program Files\SkyGear\SkyGear.exe
O4 - Startup: WampServer.lnk = D:\wamp\wampmanager.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: PalTalk.lnk = D:\Program Files\Paltalk Messenger\paltalk.exe
O4 - Global Startup: Phone Connection Monitor.lnk = D:\Program Files\Sony Ericsson\Mobile\audevicemgr.exe
O4 - Global Startup: WinZip Quick Pick.lnk = D:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: معجل بدء تشغيل Adobe Acrobat.lnk = ?
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - D:\Program Files\ATI Multimedia\dtv\EXPLBAR.DLL
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O10 - Unknown file in Winsock LSP: d:\windows\system32\nwprovau.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - D:\Program Files\Yahoo!\Common\Yinsthelper.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - D:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - D:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - D:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: BCL easyPDF SDK Loader (kueyyoeg) - Unknown owner - D:\WINDOWS\system32\dinnigoop.exe
O23 - Service: PHPGeekUtil - Unknown owner - c:\apache\APACHE.EXE
O23 - Service: Pml Driver HPZ12 - HP - D:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - D:\Program Files\WinPcap\rpcapd.exe
O23 - Service: ServiceLayer - Nokia. - D:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: wampapache - Apache Software Foundation - D:\wamp\apache2\bin\httpd.exe
O23 - Service: wampmysqld - Unknown owner - D:\wamp\mysql\bin\mysqld-nt.exe
--
End of file - 10239 bytes
Code:
----a-w 1,441,869 2002-03-17 15:09:22 D:\Harddisk C\لوحة الاعلان\برنامج لوحة موف ساين .exe
----a-w 4,528,005 2008-01-01 17:28:46 D:\العمالقة\Games\CheatBook DataBase 2008\Updates\setup .exe
----a-w 463,003 2006-08-25 22:16:52 D:\برامج\Edit-Convert Audio-Video\1FB9~1\RadLight\Arabic subtitles\SW\SubsFinder .exe
((((((((((((((((((((((((((((( snapshot_Fri 08-01-2008_ 2.25.17.65 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-09-16 00:02:34 221,488 -c----w D:\WINDOWS\$NtUninstallWudf01005$\spuninst\spuninst.exe
+ 2006-09-16 00:02:36 379,184 -c----w D:\WINDOWS\$NtUninstallWudf01005$\spuninst\updspapi.dll
+ 2006-09-15 19:30:12 70,656 -c----w D:\WINDOWS\$NtUninstallWudf01005$\spuninst\WudfCustom.dll
+ 2006-09-28 17:13:26 95,344 -c----w D:\WINDOWS\$NtUninstallWudf01005$\wudfcoinstaller.dll
+ 2006-09-28 15:56:38 146,432 -c----w D:\WINDOWS\$NtUninstallWudf01005$\wudfhost.exe
+ 2006-09-28 15:55:50 77,568 -c----w D:\WINDOWS\$NtUninstallWudf01005$\wudfpf.sys
+ 2006-09-28 15:56:16 165,376 -c----w D:\WINDOWS\$NtUninstallWudf01005$\wudfplatform.dll
+ 2006-09-28 16:00:34 82,944 -c----w D:\WINDOWS\$NtUninstallWudf01005$\wudfrd.sys
+ 2006-09-28 15:56:14 55,808 -c----w D:\WINDOWS\$NtUninstallWudf01005$\wudfsvc.dll
+ 2006-09-28 15:56:38 316,416 -c----w D:\WINDOWS\$NtUninstallWudf01005$\wudfx.dll
+ 2006-11-03 17:12:10 412,160 ----a-w D:\WINDOWS\system32\drivers\UMDF\PCCSWpdDriver.dll
- 2006-09-28 15:55:50 77,568 ------w D:\WINDOWS\system32\drivers\WudfPf.sys
+ 2006-09-15 19:29:52 76,544 ------w D:\WINDOWS\system32\drivers\WudfPf.sys
- 2006-09-28 16:00:34 82,944 ------w D:\WINDOWS\system32\drivers\WudfRd.sys
+ 2006-09-15 19:30:10 82,688 ------w D:\WINDOWS\system32\drivers\WudfRd.sys
- 2008-07-31 16:52:18 64,554 ----a-w D:\WINDOWS\system32\perfc001.dat
+ 2008-08-09 19:24:03 64,554 ----a-w D:\WINDOWS\system32\perfc001.dat
- 2008-07-31 16:52:18 64,450 ----a-w D:\WINDOWS\system32\perfc009.dat
+ 2008-08-09 19:24:03 64,450 ----a-w D:\WINDOWS\system32\perfc009.dat
- 2008-07-31 16:52:18 344,674 ----a-w D:\WINDOWS\system32\perfh001.dat
+ 2008-08-09 19:24:03 344,674 ----a-w D:\WINDOWS\system32\perfh001.dat
- 2008-07-31 16:52:18 408,928 ----a-w D:\WINDOWS\system32\perfh009.dat
+ 2008-08-09 19:24:03 408,928 ----a-w D:\WINDOWS\system32\perfh009.dat
- 2006-09-25 14:58:48 23,856 ----a-w D:\WINDOWS\system32\spupdsvc.exe
+ 2006-09-16 00:02:34 23,856 ----a-w D:\WINDOWS\system32\spupdsvc.exe
- 2006-09-28 17:13:26 95,344 ------w D:\WINDOWS\system32\WUDFCoinstaller.dll
+ 2006-09-15 20:30:16 87,040 ------w D:\WINDOWS\system32\WUDFCoinstaller.dll
- 2006-09-28 15:56:38 146,432 ------w D:\WINDOWS\system32\WudfHost.exe
+ 2006-09-15 20:30:06 142,848 ------w D:\WINDOWS\system32\WudfHost.exe
- 2006-09-28 15:56:16 165,376 ------w D:\WINDOWS\system32\WudfPlatform.dll
+ 2006-09-15 19:29:54 163,840 ------w D:\WINDOWS\system32\WudfPlatform.dll
- 2006-09-28 15:56:14 55,808 ------w D:\WINDOWS\system32\WudfSvc.dll
+ 2006-09-15 20:30:16 55,296 ------w D:\WINDOWS\system32\WudfSvc.dll
+ 2006-10-19 17:38:28 831,048 ----a-w D:\WINDOWS\system32\WudfUpdate_01005.dll
- 2006-09-28 15:56:38 316,416 ------w D:\WINDOWS\system32\WUDFx.dll
+ 2006-09-15 20:30:16 308,224 ------w D:\WINDOWS\system32\WUDFx.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="D:\WINDOWS\system32\ctfmon.exe" [08/04/2004 01:56 AM 15360]
"MsnMsgr"="D:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [10/18/2007 11:34 AM 5724184]
"ATI Launchpad"="D:\Program Files\ATI Multimedia\main\launchpd.exe" [11/04/2005 09:31 PM 155648]
"ATI DeviceDetect"="D:\Program Files\ATI Multimedia\main\ATIDtct.EXE" [11/04/2005 09:27 PM 57344]
"ATI Remote Control"="D:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe" [10/12/2005 09:08 PM 1622016]
"PCTV4Me"="D:\Program Files\PCTV4Me\pctv4me.exe" [04/25/2008 11:08 PM 1105920]
"Yahoo! Pager"="D:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [08/30/2007 05:43 PM 4670704]
"H/PC Connection Agent"="D:\Program Files\Microsoft ActiveSync\wcescomm.exe" [11/13/2006 01:39 PM 1289000]
"kamsoft"="D:\WINDOWS\system32\ckvo.exe" [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Acrobat Assistant 8.0"="D:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [03/05/2008 02:32 PM 619896]
"Adobe Reader Speed Launcher"="D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16 PM 39792]
"GrooveMonitor"="D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [08/24/2007 07:00 AM 33648]
"ATICCC"="D:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [08/12/2005 02:43 PM 45056]
"PCSuiteTrayApplication"="D:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [11/28/2006 02:12 PM 278528]
"loofoo"="D:\WINDOWS\system32\varukevor.exe" [08/01/2008 02:02 AM 143872]
"UnlockerAssistant"="D:\Program Files\Unlocker\UnlockerAssistant.exe" [05/02/2008 07:15 AM 15872]
"SigmatelSysTrayApp"="sttray.exe" [N/A]
"BluetoothAuthenticationAgent"="bthprops.cpl" [08/04/2004 01:56 AM 110592 D:\WINDOWS\system32\bthprops.cpl]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"loofoo"="D:\WINDOWS\system32\varukevor.exe" [08/01/2008 02:02 AM 143872]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="D:\WINDOWS\system32\CTFMON.EXE" [08/04/2004 01:56 AM 15360]
"PcSync"="D:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [11/09/2006 05:15 PM 1634304]
D:\Documents and Settings\badaoud\قائمة ابدأ\البرامج\بدء التشغيل\
SkyGear.lnk - D:\Program Files\SkyGear\SkyGear.exe [2008-03-17 16:37:36 704512]
WampServer.lnk - D:\wamp\wampmanager.exe [2007-02-18 18:07:00 1141760]
D:\Documents and Settings\All Users\قائمة ابدأ\البرامج\بدء التشغيل\
Adobe Gamma Loader.lnk - D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-01-14 17:03:21 110592]
PalTalk.lnk - D:\Program Files\Paltalk Messenger\paltalk.exe [2007-12-11 23:34:40 10252288]
Phone Connection Monitor.lnk - D:\Program Files\Sony Ericsson\Mobile\audevicemgr.exe [2008-07-20 14:54:07 753664]
WinZip Quick Pick.lnk - D:\Program Files\WinZip\WZQKPICK.EXE [2007-08-03 11:10:00 394856]
معجل بدء تشغيل Adobe Acrobat.lnk - D:\WINDOWS\Installer\{AC76BA86-1025-0000-7760-000000000003}\_SC_Acrobat.exe [2008-02-13 21:41:28 295606]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= ATIYUV12.DLL
"VIDC.VCR2"= ATIVCR2.DLL
"VIDC.DRAW"= DVIDEO.DLL
"VIDC.VCR1"= ATIVCR1.DLL
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"D:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"D:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"=
"D:\\Program Files\\Intuwave Ltd\\Shared\\mRouterRunTime\\mRouterRuntime.exe"=
"D:\\Program Files\\Skype\\Phone\\Skype.exe"=
"D:\\Program Files\\Paltalk Messenger\\paltalk.exe"=
R2 NwSapAgent;SAP Agent;D:\WINDOWS\system32\svchost.exe [08/04/2004 01:56 AM]
R2 PHPGeekUtil;PHPGeekUtil;c:\apache\APACHE.EXE [01/25/2002 07:30 AM]
R2 wampapache;wampapache;D:\wamp\apache2\bin\httpd.exe [01/10/2007 12:17 AM]
R2 wampmysqld;wampmysqld;D:\wamp\mysql\bin\mysqld-nt.exe [07/06/2007 01:14 PM]
S2 kueyyoeg;BCL easyPDF SDK Loader;D:\WINDOWS\system32\dinnigoop.exe [08/01/2008 02:02 AM]
S3 NAL;Nal Service ;D:\WINDOWS\system32\Drivers\iqvw32.sys [07/05/2006 03:35 PM]
S3 slnt;Real RTL8139 PCI Fast Ethernet Adapter;D:\WINDOWS\system32\DRIVERS\slnt.sys [11/20/2003 07:58 AM]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{029543cf-5251-11dc-8ea8-0019d1202618}]
\Shell\AutoRun\command - F:\1nkbd8h.bat
\Shell\explore\Command - F:\1nkbd8h.bat
\Shell\open\Command - F:\1nkbd8h.bat
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{148f46ff-ee91-11dc-9a44-0019d1202618}]
\Shell\AutoRun\command - F:\b.com
\Shell\explore\Command - F:\b.com
\Shell\open\Command - F:\b.com
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{17a3cb9c-134f-11dd-9ab2-0019d1202618}]
\Shell\AutoRun\command - F:\RavMon.exe
\Shell\explore\Command - F:\RavMon.exe -e
\Shell\open\Command - F:\RavMon.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2f62c3c4-594f-11dc-8ecd-0019d1202618}]
\Shell\AutoRun\command - pa39xth.cmd
\Shell\explore\Command - pa39xth.cmd
\Shell\open\Command - pa39xth.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{34f6e008-f74f-11dc-9a63-0019d1202618}]
\Shell\AutoRun\command - F:\n2de.cmd
\Shell\explore\Command - F:\n2de.cmd
\Shell\open\Command - F:\n2de.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{60ee1d93-f677-11dc-9a5d-0019d1202618}]
\Shell\AutoRun\command - F:\n2de.cmd
\Shell\explore\Command - F:\n2de.cmd
\Shell\open\Command - F:\n2de.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6c5e676a-7065-11dc-8f41-0019d1202618}]
\Shell\AutoRun\command - G:\xmnm2.cmd
\Shell\explore\Command - G:\xmnm2.cmd
\Shell\open\Command - G:\xmnm2.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aba294f6-02e2-11dd-9a7e-0019d1202618}]
\Shell\AutoRun\command - F:\invwft2h.com
\Shell\explore\Command - F:\invwft2h.com
\Shell\open\Command - F:\invwft2h.com
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ac491cbf-0faa-11dd-9a9f-0019d1202618}]
\Shell\AutoRun\command - F:\pa39xth.cmd
\Shell\explore\Command - F:\pa39xth.cmd
\Shell\open\Command - F:\pa39xth.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b3f828ae-06f3-11dd-9a89-0019d1202618}]
\Shell\AutoRun\command - 80avp08.com
\Shell\explore\Command - 80avp08.com
\Shell\open\Command - 80avp08.com
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c7f5eaa4-f50b-11dc-9a58-0019d1202618}]
\Shell\AutoRun\command - F:\b.com
\Shell\explore\Command - F:\b.com
\Shell\open\Command - F:\b.com
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d163087c-d344-11dc-99f5-00116786fab4}]
\Shell\AutoRun\command - xfoolavp.com
\Shell\explore\Command - xfoolavp.com
\Shell\open\Command - xfoolavp.com
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d75de3d0-0ae7-11dc-8da0-0019d1202618}]
\Shell\AutoRun\command - F:\f6cavn.bat
\Shell\explore\Command - F:\f6cavn.bat
\Shell\open\Command - F:\f6cavn.bat
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e923b9ce-0bd6-11dd-9a95-0019d1202618}]
\Shell\AutoRun\command - F:\n2de.cmd
\Shell\explore\Command - F:\n2de.cmd
\Shell\open\Command - F:\n2de.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ef40aabd-cfff-11dc-99ea-00116786fab4}]
\Shell\AutoRun\command - F:\jfvkcsy.bat
\Shell\explore\Command - F:\jfvkcsy.bat
\Shell\open\Command - F:\jfvkcsy.bat
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ff745ff7-5b24-11dd-9b73-0019d1202618}]
\Shell\AutoRun\command - F:\1rfw8hjr.com
\Shell\explore\Command - F:\1rfw8hjr.com
\Shell\open\Command - F:\1rfw8hjr.com
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - D:\Documents and Settings\badaoud\Application Data\Mozilla\Firefox\Profiles\nmsvc7ei.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
Rootkit scan 2008-08-09 22:29:36
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 08/09/2008 22:33:46
ComboFix-quarantined-files.txt 2008-08-09 19:33:30
ComboFix2.txt 2008-07-31 23:25:51
ComboFix3.txt 2008-07-27 15:48:06
Pre-Run: 10,753,073,152 bytes free
Post-Run: 10,880,638,976 bytes free
296 --- E O F --- 2008-07-28 23:06:25
Second, the HijackThis report
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:40:29 PM, on 09/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\csrss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Bonjour\mDNSResponder.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\apache\APACHE.EXE
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\HPZipm12.exe
D:\WINDOWS\system32\svchost.exe
D:\wamp\apache2\bin\httpd.exe
c:\apache\APACHE.EXE
D:\wamp\mysql\bin\mysqld-nt.exe
D:\wamp\apache2\bin\httpd.exe
D:\WINDOWS\System32\alg.exe
D:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
D:\Program Files\ATI Technologies\ATI.ACE\cli.exe
D:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
D:\WINDOWS\system32\varukevor.exe
D:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
D:\Program Files\ATI Multimedia\main\launchpd.exe
D:\Program Files\ATI Multimedia\main\ATIDtct.EXE
D:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
D:\Program Files\PCTV4Me\pctv4me.exe
D:\Program Files\Microsoft ActiveSync\wcescomm.exe
D:\PROGRA~1\MI3AA1~1\rapimgr.exe
D:\Program Files\PC Connectivity Solution\ServiceLayer.exe
D:\Program Files\Paltalk Messenger\paltalk.exe
D:\Program Files\Sony Ericsson\Mobile\audevicemgr.exe
D:\Program Files\WinZip\WZQKPICK.EXE
D:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\CONNMN~1.EXE
D:\Program Files\SkyGear\SkyGear.exe
D:\wamp\wampmanager.exe
d:\Program Files\Intuwave Ltd\Shared\mRouterRunTime\mRouterRuntime.exe
D:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
D:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
D:\Program Files\ATI Technologies\ATI.ACE\cli.exe
D:\Program Files\ATI Technologies\ATI.ACE\cli.exe
D:\WINDOWS\system32\wuauclt.exe
D:\WINDOWS\system32\ctfmon.exe
D:\WINDOWS\explorer.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\WINDOWS\system32\wbem\wmiprvse.exe
D:\Documents and Settings\badaoud\سطح المكتب\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - D:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: مساعد رابط Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - D:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: مساعد تسجيل الدخول إلى Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! ¤u¨م¦C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "D:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [ATICCC] "D:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [PCSuiteTrayApplication] D:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [loofoo] D:\WINDOWS\system32\varukevor.exe
O4 - HKLM\..\Run: [UnlockerAssistant] "D:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\RunServices: [loofoo] D:\WINDOWS\system32\varukevor.exe
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ATI Launchpad] "D:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [ATI DeviceDetect] D:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKCU\..\Run: [ATI Remote Control] D:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [PCTV4Me] "D:\Program Files\PCTV4Me\pctv4me.exe" /hide
O4 - HKCU\..\Run: [Yahoo! Pager] "D:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [H/PC Connection Agent] "D:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [kamsoft] D:\WINDOWS\system32\ckvo.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: SkyGear.lnk = D:\Program Files\SkyGear\SkyGear.exe
O4 - Startup: WampServer.lnk = D:\wamp\wampmanager.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: PalTalk.lnk = D:\Program Files\Paltalk Messenger\paltalk.exe
O4 - Global Startup: Phone Connection Monitor.lnk = D:\Program Files\Sony Ericsson\Mobile\audevicemgr.exe
O4 - Global Startup: WinZip Quick Pick.lnk = D:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: معجل بدء تشغيل Adobe Acrobat.lnk = ?
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - D:\Program Files\ATI Multimedia\dtv\EXPLBAR.DLL
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O10 - Unknown file in Winsock LSP: d:\windows\system32\nwprovau.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - D:\Program Files\Yahoo!\Common\Yinsthelper.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - D:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - D:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - D:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: BCL easyPDF SDK Loader (kueyyoeg) - Unknown owner - D:\WINDOWS\system32\dinnigoop.exe
O23 - Service: PHPGeekUtil - Unknown owner - c:\apache\APACHE.EXE
O23 - Service: Pml Driver HPZ12 - HP - D:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - D:\Program Files\WinPcap\rpcapd.exe
O23 - Service: ServiceLayer - Nokia. - D:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: wampapache - Apache Software Foundation - D:\wamp\apache2\bin\httpd.exe
O23 - Service: wampmysqld - Unknown owner - D:\wamp\mysql\bin\mysqld-nt.exe
--
End of file - 10239 bytes
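The following triage script is an added example and is not part of the post above or of ComboFix or HijackThis. It parses the kinds of lines that make this report worth a second look: Find3M rows whose attributes carry both hidden and system flags for a script or executable sitting at a drive root (the classic flash-drive worm dropper pattern), Run/RunServices values pointing at random-named binaries in system32 or at files ComboFix could not find ([N/A]), the per-drive `mountpoints2` autorun handlers, and the Security Center `AntiVirusOverride` flag. The sample lines are a constructed subset copied from the report in this thread; the system32 allowlist (only ctfmon.exe) and the rule that nothing legitimate on XP lives under RunServices are assumptions for the example, not facts from the page.

```python
"""Triage helper for ComboFix Find3M / Reg Loading Points excerpts (added example)."""
import ntpath
import re

# Constructed sample: a subset of lines copied from the ComboFix report in this thread.
SAMPLE_LOG = r"""
2008-07-26 10:25 79,360 --sh--r D:\WINDOWS\system32\ckvo1.dll
2008-07-25 23:42 87,297 --sh--r D:\g2pfnid.com
2008-07-21 16:38 17,679,958 ----a-w D:\kmplayer.zip
2008-07-20 12:42 117,009 --sha-r D:\fi.cmd
2008-07-14 16:25 119,035 --sh--r D:\dgl6.bat
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="D:\WINDOWS\system32\ctfmon.exe" [08/04/2004 01:56 AM 15360]
"kamsoft"="D:\WINDOWS\system32\ckvo.exe" [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"loofoo"="D:\WINDOWS\system32\varukevor.exe" [08/01/2008 02:02 AM 143872]
"UnlockerAssistant"="D:\Program Files\Unlocker\UnlockerAssistant.exe" [05/02/2008 07:15 AM 15872]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"loofoo"="D:\WINDOWS\system32\varukevor.exe" [08/01/2008 02:02 AM 143872]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{029543cf-5251-11dc-8ea8-0019d1202618}]
\Shell\AutoRun\command - F:\1nkbd8h.bat
\Shell\explore\Command - F:\1nkbd8h.bat
\Shell\open\Command - F:\1nkbd8h.bat
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{17a3cb9c-134f-11dd-9ab2-0019d1202618}]
\Shell\AutoRun\command - F:\RavMon.exe
\Shell\explore\Command - F:\RavMon.exe -e
"""

FIND3M_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d)\s+([\d,]+|-+)\s+([-a-z]{7})\s+(.+)$")
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)"(?:\s*\[(.*)\])?\s*$')
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})\s*$')
MP_KEY_RE = re.compile(r"\\mountpoints2\\(\{[0-9a-f-]+\})$", re.IGNORECASE)
MP_CMD_RE = re.compile(r"^\\Shell\\(\w+)\\[Cc]ommand - (.+?)\s*$")
ROOT_FILE_RE = re.compile(r"^[A-Za-z]:\\[^\\]+$")
DROPPER_EXT = {".bat", ".cmd", ".com", ".exe", ".pif", ".scr", ".vbs"}
SYSTEM32_ALLOWLIST = {"ctfmon.exe"}  # assumption: the only expected system32 autostart here


def hidden_system_files(lines):
    """Find3M rows whose attribute column has both 's' (system) and 'h' (hidden) set."""
    out = []
    for line in lines:
        m = FIND3M_RE.match(line.strip())
        if m and "s" in m.group(3) and "h" in m.group(3):
            out.append(m.group(4))
    return out


def hidden_root_droppers(lines):
    """Hidden/system files at a drive root with a script or executable extension."""
    return [p for p in hidden_system_files(lines)
            if ROOT_FILE_RE.match(p) and ntpath.splitext(p)[1].lower() in DROPPER_EXT]


def parse_registry(lines):
    """Walk the REGEDIT4 dump. Returns (values, dwords, mountpoints):
    values = [(key, name, path, info)], dwords = {(key, name): int},
    mountpoints = {guid: {verb: command}}."""
    values, dwords, mountpoints = [], {}, {}
    key = guid = None
    for raw in lines:
        line = raw.strip()
        km = KEY_RE.match(line)
        if km:
            key = km.group(1)
            mm = MP_KEY_RE.search(key)
            guid = mm.group(1).lower() if mm else None
            continue
        cm = MP_CMD_RE.match(line) if guid else None
        if cm:
            mountpoints.setdefault(guid, {})[cm.group(1)] = cm.group(2)
            continue
        vm = VALUE_RE.match(line)
        if vm and key:
            values.append((key, vm.group(1), vm.group(2), vm.group(3)))
            continue
        dm = DWORD_RE.match(line)
        if dm and key:
            dwords[(key.lower(), dm.group(1).lower())] = int(dm.group(2), 16)
    return values, dwords, mountpoints


def suspicious_run_entries(values):
    """Flag Run/RunServices values by three heuristics (see reasons in the output)."""
    flagged = []
    for key, name, path, info in values:
        k = key.lower()
        if "\\currentversion\\run" not in k:
            continue
        reasons = []
        if k.endswith("\\runservices"):
            reasons.append("RunServices key (Win9x-era, unused by legitimate XP software)")
        if info and info.strip().upper() == "N/A":
            reasons.append("target file not found on disk")
        folder, fname = ntpath.split(path)
        if folder.lower().endswith("\\system32") and fname.lower() not in SYSTEM32_ALLOWLIST:
            reasons.append("non-allowlisted binary autostarting from system32")
        if reasons:
            flagged.append((key, name, path, "; ".join(reasons)))
    return flagged


def av_monitoring_overridden(dwords):
    """AntiVirusOverride=1 silences the Security Center 'no antivirus' alert.
    Some legitimate AV products set it too, so treat it as a lead, not proof."""
    sc = "hkey_local_machine\\software\\microsoft\\security center"
    return dwords.get((sc, "antivirusoverride"), 0) == 1


def triage(text):
    lines = text.splitlines()
    values, dwords, mountpoints = parse_registry(lines)
    # Commands in this report carry no spaces in their paths, so split()[0] isolates the binary.
    targets = sorted({c.split()[0] for v in mountpoints.values() for c in v.values()})
    return {
        "hidden_system_files": hidden_system_files(lines),
        "hidden_root_droppers": hidden_root_droppers(lines),
        "suspicious_run_entries": suspicious_run_entries(values),
        "autorun_handlers": mountpoints,
        "autorun_targets": targets,
        "av_monitoring_overridden": av_monitoring_overridden(dwords),
    }


if __name__ == "__main__":
    for section, result in triage(SAMPLE_LOG).items():
        print(section, result)
```

Run it on the full report text rather than the sample to get the complete list; every `mountpoints2` GUID is one removable drive that has been plugged in, and its handler command names the file a worm planted on that drive, so the drives themselves need cleaning, not just the host.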
