تسلم ياغالي حملت الادوات من جديد لسطح المكتب مباشرة واشتغلت
التقرير الاول :
ComboFix 08-08-17.03 - باسم 08/18/2008 17:52:29.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1256.1.1025.18.55 [GMT 3:00]
Running from: C:\Documents and Settings\باسم\سطح المكتب\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2008-07-18 to 2008-08-18 )))))))))))))))))))))))))))))))
.
No new files created in this timespan
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-18 15:04 32,800 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
2008-08-18 15:04 2,016,032 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-08-18 14:38 4,808 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
2008-08-18 14:38 29,816 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-08-18 14:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-08-16 19:01 90,343 --sh--r C:\
0.com
2008-08-16 14:11 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Grisoft
2008-08-16 12:19 --------- d-----w C:\Documents and Settings\باسم\Application Data\Grisoft
2008-08-16 12:17 91,179 --sh--r C:\t1ypkh.exe
2008-08-14 15:32 88,935 ----a-w C:\WINDOWS\system32\ddr.exe
2008-08-07 15:13 155,995 ----a-w C:\WINDOWS\java\Packages\VXZ9N97B.ZIP
2008-08-06 03:59 112,144 ----a-w C:\WINDOWS\system32\drivers\kl1.sys
2008-08-06 03:56 96,559 ----a-w C:\WINDOWS\system32\drivers\klin.dat
2008-08-06 03:56 87,855 ----a-w C:\WINDOWS\system32\drivers\klick.dat
2008-08-05 20:59 --------- d-----w C:\Program Files\MSXML 4.0
2008-08-05 20:33 --------- d-----w C:\Program Files\Kaspersky Lab
2008-08-05 20:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-08-05 18:36 --------- d-----w C:\Program Files\Microsoft.NET
2008-08-04 19:43 --------- d-----w C:\Program Files\اروع الفلاشات الاسلامية
2008-08-04 19:43 --------- d-----w C:\Program Files\اروع الاناشيد الاسلامية
2008-08-04 19:42 --------- d-----w C:\Program Files\System
2008-08-04 19:41 720,896 ----a-w C:\WINDOWS\iun6002.exe
2008-08-04 19:41 --------- d-----w C:\Program Files\Common Files\Adobe
2008-08-04 19:39 --------- d-----w C:\Program Files\Windows Live
2008-08-04 19:37 --------- d-----w C:\Program Files\K-Lite Codec Pack
2008-08-04 19:32 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2008-08-04 19:32 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2008-08-04 19:32 --------- d-----w C:\Program Files\Real
2008-08-04 19:32 --------- d-----w C:\Program Files\Common Files\xing shared
2008-08-04 19:32 --------- d-----w C:\Program Files\Common Files\Real
2008-08-04 19:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-08-04 19:25 --------- d-----w C:\Documents and Settings\باسم\Application Data\ArcSoft
2008-08-04 19:22 --------- d-----w C:\Program Files\HP
2008-08-04 19:22 --------- d-----w C:\Program Files\Hewlett-Packard
2008-08-04 19:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
2008-08-04 19:21 --------- d-----w C:\Program Files\Common Files\HP
2008-08-04 19:00 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-04 19:00 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-08-04 19:00 --------- d-----w C:\Program Files\ArcSoft
2008-08-04 18:57 --------- d-----w C:\Program Files\Common Files\Hewlett-Packard
2008-08-04 18:29 --------- d--h--w C:\Program Files\Zero G Registry
2008-08-04 18:27 --------- d-----w C:\Program Files\Common Files\SWF Studio
2008-08-04 17:37 --------- d-----w C:\Program Files\microsoft frontpage
2008-07-07 20:30 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-06-24 16:22 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 15:40 657,920 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-20 17:39 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
.
(((((((((((((((((((((((((((((
snapshot@Mon 08-18-2008_17.43.45.15 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-08-18 14:19:28 52,754 ----a-w C:\WINDOWS\system32\perfc001.dat
+ 2008-08-18 14:43:37 52,754 ----a-w C:\WINDOWS\system32\perfc001.dat
- 2008-08-18 14:19:28 52,764 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-08-18 14:43:37 52,764 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-08-18 14:19:28 318,370 ----a-w C:\WINDOWS\system32\perfh001.dat
+ 2008-08-18 14:43:37 318,370 ----a-w C:\WINDOWS\system32\perfh001.dat
- 2008-08-18 14:19:28 380,350 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-08-18 14:43:38 380,350 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [10/18/2007 11:34 AM 5724184]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [06/11/2007 12:25 PM 6731312]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [08/04/2004 12:56 PM 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Antiwpa]
07/22/2006 11:49 PM 5376 C:\WINDOWS\system32\antiwpa.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^قائمة ابدأ^البرامج^بدء التشغيل^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\قائمة ابدأ\البرامج\بدء التشغيل\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
--a------ 11/03/2007 04:50 AM 6731312 C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\zyzoom.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
--a------ 08/04/2004 12:56 PM 15360 C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
--a------ 05/12/2004 03:18 PM 241664 C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 02/12/2004 01:38 PM 49152 C:\Program Files\Hewlett-Packard\HP Software Update\hpwuSchd2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
--a------ 11/28/2005 08:52 AM 77824 C:\WINDOWS\system32\hkcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
--a------ 11/28/2005 08:55 AM 118784 C:\WINDOWS\system32\igfxpers.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
--a------ 11/28/2005 08:55 AM 98304 C:\WINDOWS\system32\igfxtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 08/04/2004 01:09 AM 1667584 C:\Program Files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 10/18/2007 11:34 AM 5724184 C:\Program Files\Windows Live\Messenger\msnmsgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StatusClient 2.6]
--a------ 02/27/2004 08:29 PM 61440 C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 08/04/2008 10:32 PM 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomcatStartup 2.5]
--a------ 05/20/2004 07:40 PM 188416 C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Resume copy]
--a------ 03/24/2002 02:54 PM 46080 C:\WINDOWS\COPYFSTQ.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
--a------ 12/29/2004 01:01 AM 544768 C:\WINDOWS\sm56hlpr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Hewlett-Packard\\Toolbox\\jre\\bin\\javaw.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Internet Security 7.0.1.325\\English\\setup.exe"=
S3 AVPsys;AVPsys;C:\WINDOWS\system32\drivers\tdi.sys [08/04/2004 11:07 AM]
S3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [12/13/2007 01:28 PM]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0520864f-6250-11dd-a00c-da9ef4c61493}]
\Shell\AutoRun\command - F:\c9hehpa.bat
\Shell\explore\Command - F:\c9hehpa.bat
\Shell\open\Command - F:\c9hehpa.bat
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d667e951-696d-11dd-a5cb-0018f8351056}]
\Shell\AutoRun\command - F:\tyktjfww.exe
\Shell\explore\Command - F:\tyktjfww.exe
\Shell\open\Command - F:\tyktjfww.exe
.
s of the 'Scheduled Tasks' folder
2008-08-04 C:\WINDOWS\Tasks\WebReg 20080804213658.job
- C:\Program Files\Hewlett-Packard\hp LaserJet 1160_1320 series\WebReg\bin\hpqwrg.exe [10/16/2002 06:39 PM]
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.com.sa/
R1 -: HKCU-Internet Settings,ProxyOverride = <local>
O8 -: &تصدير إلى Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O16 -: Microsoft XML Parser for Java -
C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
Rootkit scan 2008-08-18 18:04:16
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 08/18/2008 18:06:56
ComboFix-quarantined-files.txt 2008-08-18 15:06:47
ComboFix2.txt 2008-08-18 14:46:38
Pre-Run: 35,965,952,000 bytes free
Post-Run: 35,951,513,600 bytes free
170 --- E O F --- 2008-08-16 12:10:31
تقرير الهاي جاك :
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 06:18:05 م, on 18/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\باسم\سطح المكتب\HiJackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &تصدير إلى Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: بحث - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -
O20 - Winlogon Notify: Antiwpa - C:\WINDOWS\SYSTEM32\antiwpa.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
--
End of file - 3347 bytes
________________
مع الشكر
:
