ComboFix 08-08-21.02 - Administrator 08/22/2008 18:39:11.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1256.1.1033.18.394 [GMT 3:00]
Running from: D:\Documents and Settings\Administrator\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
D:\WINDOWS\system32\actskn43.ocx
D:\WINDOWS\system32\inst.dat
D:\WINDOWS\system32\kakle.dll
D:\WINDOWS\system32\pk.bin
D:\WINDOWS\system32\winitn.dll
.
((((((((((((((((((((((((( Files Created from 2008-07-22 to 2008-08-22 )))))))))))))))))))))))))))))))
.
No new files created in this timespan
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-22 15:42 606,240 --sha-w D:\WINDOWS\system32\drivers\fidbox2.dat
2008-08-22 15:42 5,248 --sha-w D:\WINDOWS\system32\drivers\fidbox2.idx
2008-08-22 15:42 3,164,704 --sha-w D:\WINDOWS\system32\drivers\fidbox.dat
2008-08-22 15:42 28,948 --sha-w D:\WINDOWS\system32\drivers\fidbox.idx
2008-08-22 15:14 --------- d-----w D:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-08-22 01:24 --------- d-----w D:\Program Files\Perfect Optimizer
2008-08-22 01:11 --------- d-----w D:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-08-22 00:24 --------- d-----w D:\Program Files\Stellar Phoenix NTFS
2008-08-21 23:18 --------- d-----w D:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-08-21 11:33 --------- d-----w D:\Program Files\Aurora Media Workshop
2008-08-21 11:32 --------- d-----w D:\Program Files\Cracklock
2008-08-21 11:32 --------- d-----w D:\Program Files\Common Files\Wise Installation Wizard
2008-08-21 11:31 --------- d-----w D:\Program Files\BitSpirit
2008-08-21 11:29 --------- d-----w D:\Documents and Settings\All Users\Application Data\PrevxCSI
2008-08-21 11:28 --------- d-----w D:\Program Files\Easy Gif Animator Extension
2008-08-18 19:41 --------- d-----w D:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-12 20:06 --------- d-----w D:\Program Files\Common Files\Vbox
2008-08-12 20:05 --------- d--h--w D:\Program Files\InstallShield Installation Information
2008-08-07 21:55 --------- d-----w D:\Documents and Settings\Administrator\Application Data\Image Zone Express
2008-08-07 18:47 96,976 ----a-w D:\WINDOWS\system32\drivers\klin.dat
2008-07-26 18:13 87,855 ----a-w D:\WINDOWS\system32\drivers\klick.dat
2008-07-03 13:33 --------- d-----w D:\Program Files\Windows Media Connect 2
2008-06-24 22:14 --------- d-----w D:\Program Files\Mobily Connect Card
2008-06-22 22:24 --------- d-----w D:\Program Files\ONH1986
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="D:\Program Files\Messenger\msmsgs.exe" [10/13/2004 07:24 PM 1694208]
"Nokia.PCSync"="D:\Program Files\Nokia\Nokia PC Suite 6\PCSync2.exe" [03/26/2008 06:41 PM 1232896]
"PC Suite Tray"="D:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" [04/16/2008 12:53 PM 1079808]
"HUAWEI 3G Data Card MTS"="D:\PROGRA~1\MOBILY~1\Mobily Connect Card.exe" [03/31/2007 11:58 AM 335872]
"ctfmon.exe"="D:\WINDOWS\system32\ctfmon.exe" [08/03/2004 07:56 PM 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="D:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [08/03/2004 05:32 PM 208952]
"MSPY2002"="D:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [08/03/2004 05:31 PM 59392]
"PHIME2002ASync"="D:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [08/03/2004 05:32 PM 455168]
"PHIME2002A"="D:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [08/03/2004 05:32 PM 455168]
"TkBellExe"="D:\Program Files\Common Files\Real\Update_OB\realsched.exe" [03/06/2008 12:45 AM 185896]
"HP Software Update"="D:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [02/19/2006 02:41 AM 49152]
"NeroFilterCheck"="D:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 10:50 AM 155648]
"IDM"="D:\WINDOWS\system32\IDM.exe" [06/09/2007 08:46 PM 417792]
"AVP"="D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe" [04/25/2008 06:21 PM 201992]
"RTHDCPL"="RTHDCPL.EXE" [10/15/2005 04:51 AM 14864384 D:\WINDOWS\RTHDCPL.exe]
"BluetoothAuthenticationAgent"="bthprops.cpl" [08/03/2004 07:56 PM 110592 D:\WINDOWS\system32\bthprops.cpl]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Nokia.PCSync"="D:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [03/26/2008 06:41 PM 1232896]
D:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 04:21:22 288472]
PalTalk.lnk - D:\Program Files\Paltalk Messenger\paltalk.exe [2008-05-09 01:17:29 10452992]
SnagIt 9.lnk - D:\Program Files\TechSmith\SnagIt 9\SnagIt32.exe [2008-05-15 16:49:44 6822728]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= i420vfw.dll
"VIDC.3iv2"= 3ivxVfWCodec.dll
"VIDC.VP31"= vp31vfw.dll
"msacm.l3fhg"= mp3fhg.acm
"vidc.yv12"= yv12vfw.dll
[HKLM\~\startupfolder\D:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=D:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=D:\WINDOWS\pss\Adobe Gamma.lnkStartup
[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^PalTalk.lnk]
path=D:\Documents and Settings\All Users\Start Menu\Programs\Startup\PalTalk.lnk
backup=D:\WINDOWS\pss\PalTalk.lnkCommon Startup
[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=D:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=D:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 01/11/2008 10:16 PM 39792 D:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 10/27/2006 12:47 AM 31016 D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NSLauncher]
--a------ 11/28/2006 01:12 AM 2658304 D:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"D:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"D:\\Program Files\\Mobily Connect Card\\Mobily Connect Card.exe"=
"D:\\Program Files\\Paltalk Messenger\\paltalk.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"D:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"D:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"D:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"D:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"D:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"D:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"D:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"D:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"D:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"D:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"D:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"D:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"D:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
"D:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
"D:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"D:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"D:\\Program Files\\Messenger\\msmsgs.exe"=
"D:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"D:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"D:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
R0 klbg;Kaspersky Lab Boot Guard Driver;D:\WINDOWS\system32\drivers\klbg.sys [01/29/2008 06:29 PM]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;D:\WINDOWS\system32\DRIVERS\klim5.sys [03/25/2008 08:07 PM]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;D:\WINDOWS\system32\drivers\nmwcdnsu.sys [02/01/2008 03:17 PM]
S3 nmwcdnsuc;Nokia USB Flashing Generic;D:\WINDOWS\system32\drivers\nmwcdnsuc.sys [02/01/2008 03:17 PM]
.
- - - - ORPHANS REMOVED - - - -
WebBrowser-{4D5C8C2A-D075-11D0-B416-00C04FB90376} - %SystemRoot%\system32\browseui.dll
WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
HKLM-Run-SeePassword - D:\Program Files\SeePassword\SeePassword.exe
MSConfigStartUp-PCSuiteTrayApplication - D:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
MSConfigStartUp-Uniblue RegistryBooster 2 - D:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.com.sa/
R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
R1 -: HKCU-Internet Connection Wizard,ShellNext = hxxp://www.savewealth.com/support/ie6/welcome.html
R1 -: HKCU-Internet Settings,ProxyOverride = <local>
O8 -: ت&صدير إلى Microsoft Excel - D:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
Rootkit scan 2008-08-22 18:43:57
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
D:\WINDOWS\system32\ati2evxx.exe
C:\AppServ\apache\Apache.exe
D:\WINDOWS\system32\ati2evxx.exe
C:\AppServ\mysql\bin\mysqld-nt.exe
C:\AppServ\apache\Apache.exe
D:\WINDOWS\system32\rundll32.exe
D:\Program Files\PC Connectivity Solution\ServiceLayer.exe
D:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
D:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
D:\Program Files\Common Files\Nokia\MPAPI\MPAPI3s.exe
D:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
D:\Program Files\TechSmith\SnagIt 9\TscHelp.exe
D:\Program Files\TechSmith\SnagIt 9\SnagPriv.exe
D:\Program Files\TechSmith\SnagIt 9\SnagItEditor.exe
.
**************************************************************************
.
Completion time: 08/22/2008 18:50:17 - machine was rebooted [Administrator]
ComboFix-quarantined-files.txt 2008-08-22 15:50:12
Pre-Run: 66,900,131,840 bytes free
Post-Run: 66,868,527,104 bytes free
180 --- E O F --- 2008-08-22 01:16:35
