And here is the report, my friend.
ComboFix 08-08-30.03 - N&N 08/31/2008 12:07:56.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1256.1.1033.18.145 [GMT 3:00]
Running from: C:\Documents and Settings\N&N\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
Error: Cfiles.dat
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\N&N\Application Data\addon.dat
C:\Documents and Settings\N&N\Application Data\macromedia\Flash Player\#Shareds\3Q5Z6A5Y\bin.clearspring.com
C:\Documents and Settings\N&N\Application Data\macromedia\Flash Player\#Shareds\3Q5Z6A5Y\bin.clearspring.com\clearspring.sol
C:\Documents and Settings\N&N\Application Data\macromedia\Flash Player\#Shareds\3Q5Z6A5Y\iforex.com
C:\Documents and Settings\N&N\Application Data\macromedia\Flash Player\#Shareds\3Q5Z6A5Y\iforex.com\Emerp\Events\flash_.swf\user_data.sol
C:\Documents and Settings\N&N\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com
C:\Documents and Settings\N&N\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com\settings.sol
C:\Documents and Settings\N&N\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com
C:\Documents and Settings\N&N\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com\settings.sol
C:\Program Files\180SearchAssistant
.
((((((((((((((((((((((((( Files Created from 2008-07-28 to 2008-08-31 )))))))))))))))))))))))))))))))
.
No new files created in this timespan
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-31 09:10 46,208 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
2008-08-31 09:10 359,968 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
2008-08-31 09:10 239,192 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-08-31 09:10 17,583,136 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-08-31 09:08 --------- d-----w C:\Documents and Settings\N&N\Application Data\DMCache
2008-08-30 01:29 --------- d-----w C:\Program Files\Common Files\Products
2008-08-25 07:39 --------- d-----w C:\Program Files\Save Flash
2008-08-22 05:11 --------- d-----w C:\Program Files\TechSmith
2008-08-22 05:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\TechSmith
2008-08-22 05:08 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-08-12 19:26 --------- d-----w C:\Program Files\does balm move
2008-08-12 19:25 --------- d-----w C:\Documents and Settings\N&N\Application Data\does balm move
2008-08-08 02:10 --------- d-----w C:\Program Files\Paltalk Messenger
2008-08-08 02:10 --------- d-----w C:\Documents and Settings\N&N\Application Data\Paltalk
2008-08-06 05:27 --------- d-----w C:\Program Files\NasTube
2008-07-29 11:08 --------- d-----w C:\Program Files\PhotoBrush
2008-07-29 00:21 --------- d-----w C:\Program Files\Online TV Player 4
2008-07-24 21:21 --------- d-----w C:\Program Files\EPCTV
2008-07-22 20:09 --------- d-----w C:\Program Files\Advanced Image Viewer and Converter
2008-07-19 00:37 --------- d-----w C:\Program Files\Windows Live Safety Center
2008-07-13 18:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-07-12 03:22 --------- d-----w C:\Program Files\Webcam and Screen Recorder
2008-07-10 20:53 --------- d-----w C:\Program Files\Real
2008-07-10 20:53 --------- d-----w C:\Program Files\Common Files\xing shared
2008-07-10 20:53 --------- d-----w C:\Program Files\Common Files\Real
2008-07-09 23:44 --------- d-----w C:\Program Files\MSN Messenger
2008-07-09 23:44 --------- d-----w C:\Program Files\Messenger Plus! Live
2008-07-03 04:47 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-28 02:58 --------- d-----w C:\Program Files\edBlockDetector 2.0
2008-05-31 01:48 45,056 ----a-w C:\WINDOWS\NCUNINST.EXE
2008-04-15 21:33 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2007-12-13 18:59 1,215,869 ----a-w C:\Documents and Settings\N&N\Application Data\as.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 01:56 AM 15360]
"LocksDumb"="C:\DOCUME~1\N&N\APPLIC~1\DOESBA~1\thunk platform.exe" [08/12/2008 10:25 PM 494592]
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [05/21/2008 08:59 AM 160592]
"RocketDock"="C:\Program Files\RocketDock\RocketDock.exe" [09/02/2007 01:58 PM 495616]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [06/26/2008 08:24 AM 171448]
"AFProg"="C:\Program Files\Hotspot Shield\AnchorFree\ctrl\AFController.exe" [06/26/2006 05:26 AM 118784]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [01/19/2007 12:55 PM 5674352]
"IDMan"="C:\Program Files\Internet Download Manager\IDMan.exe" [02/27/2007 10:07 AM 778240]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AzMixerSel"="C:\Program Files\Realtek\InstallShield\AzMixerSel.exe" [07/17/2006 10:40 PM 53248]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [02/26/2007 10:34 AM 131072]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [02/26/2007 10:34 AM 155648]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [02/26/2007 10:33 AM 131072]
"LManager"="C:\PROGRA~1\LAUNCH~1\LManager.exe" [07/11/2007 06:52 PM 846344]
"VistaDrive"="C:\WINDOWS\VistaDrive\VistaDrive.exe" [10/05/2006 08:56 PM 280779]
"ClocX"="C:\Program Files\ClocX\ClocX.exe" [09/04/2004 11:28 AM 270336]
"NSLauncher"="C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe" [08/02/2007 05:30 PM 3096576]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [07/10/2008 11:52 PM 185896]
"kav"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" [03/24/2006 07:09 PM 139367]
"RTHDCPL"="RTHDCPL.EXE" [07/05/2007 04:08 PM 16380416 C:\WINDOWS\RTHDCPL.exe]
"BluetoothAuthenticationAgent"="bthprops.cpl" [08/04/2004 01:56 AM 110592 C:\WINDOWS\system32\bthprops.cpl]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [08/04/2004 01:56 AM 15360]
C:\Documents and Settings\N&N\Start Menu\Programs\Startup\
msn.lnk - C:\WINDOWS\system32\pai.exe [2008-08-08 07:49:14 1215869]
Rainlendar.lnk - C:\Program Files\Rainlendar\Rainlendar.exe [2006-01-21 15:31:46 118784]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ACDV"= ACDV.dll
"VIDC.YV12"= yv12vfw.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PalStart.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\PalStart.lnk
backup=C:\WINDOWS\pss\PalStart.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PalTalk.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\PalTalk.lnk
backup=C:\WINDOWS\pss\PalTalk.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SnagIt 8.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SnagIt 8.lnk
backup=C:\WINDOWS\pss\SnagIt 8.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^N&N^Start Menu^Programs^Startup^MSN Pictures Displayer.lnk]
path=C:\Documents and Settings\N&N\Start Menu\Programs\Startup\MSN Pictures Displayer.lnk
backup=C:\WINDOWS\pss\MSN Pictures Displayer.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IDMan]
--a------ 02/27/2007 10:07 AM 778240 C:\Program Files\Internet Download Manager\IDMan.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
--a------ 01/19/2007 12:55 PM 5674352 C:\Program Files\MSN Messenger\msnmsgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 02/01/2008 05:22 PM 21898024 C:\Program Files\Skype\Phone\Skype.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 6.0\\avp.exe"=
"C:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
"C:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Paltalk Messenger\\paltalk.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"443:TCP"= 443:TCP:ooVoo TCP Port 443
"443:UDP"= 443:UDP:ooVoo UDP Port 443
"37674:TCP"= 37674:TCP:ooVoo TCP Port 37674
"37674:UDP"= 37674:UDP:ooVoo UDP Port 37674
"37675:UDP"= 37675:UDP:ooVoo UDP Port 37675
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [08/04/2004 01:56 AM]
R3 tapvpn;TAP VPN Adapter;C:\WINDOWS\system32\DRIVERS\tapvpn.sys [12/16/2006 11:37 PM]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [05/21/2008 09:18 AM]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{056f0064-e1e9-11dc-9291-001d721513a3}]
\Shell\AutoRun\command - F:\RavMon.exe
\Shell\explore\Command - F:\RavMon.exe -e
\Shell\open\Command - F:\RavMon.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{056f0065-e1e9-11dc-9291-001d721513a3}]
\Shell\AutoRun\command - G:\RavMon.exe
\Shell\explore\Command - G:\RavMon.exe -e
\Shell\open\Command - G:\RavMon.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{056f0066-e1e9-11dc-9291-001d721513a3}]
\Shell\AutoRun\command - H:\RavMon.exe
\Shell\explore\Command - H:\RavMon.exe -e
\Shell\open\Command - H:\RavMon.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{177a0412-38de-11dd-9390-001d721513a3}]
\Shell\AutoRun\command - G:\bud3.bat
\Shell\explore\Command - G:\bud3.bat
\Shell\open\Command - G:\bud3.bat
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{33569371-3d7d-11dd-939e-001d721513a3}]
\Shell\AutoRun\command - F:\zPharaoh.exe
\Shell\explore\command - F:\zPharaoh.exe
\Shell\open\command - F:\zPharaoh.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e16f9413-05ad-11dd-92cb-001d721513a3}]
\Shell\AutoRun\command - F:\ntde1ect.com
\Shell\explore\Command - F:\ntde1ect.com
\Shell\open\Command - F:\ntde1ect.com
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9B71D88C-C598-4935-C5D1-43AA4DB90836}]
C:\WINDOWS\system32\ass\as.exe s
.
Contents of the 'Scheduled Tasks' folder
2008-08-31 C:\WINDOWS\Tasks\1-Click Maintenance.job
- C:\Program Files\TuneUp Utilities 2008\OneClickStarter.exe [02/29/2008 02:24 PM]
.
- - - - ORPHANS REMOVED - - - -
MSConfigStartUp-LanguageShortcut - C:\Program Files\CyberLink\PowerDVD\Language\Language.exe
MSConfigStartUp-oovoo - C:\Program Files\ooVoo\oovoo.exe
MSConfigStartUp-RemoteControl - C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
MSConfigStartUp-swg - C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
MSConfigStartUp-Yahoo! Pager - C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
MSConfigStartUp-Device Detector - DevDetect.exe
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\N&N\Application Data\Mozilla\Firefox\Profiles\82y70fsn.default\
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
Rootkit scan 2008-08-31 12:11:36
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\RocketDock\RocketDock.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Hotspot Shield\bin\openvpnas.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\DOCUME~1\N&N\LOCALS~1\temp\RtkBtMnt.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\ass\as.exe
.
**************************************************************************
.
Completion time: 08/31/2008 12:16:06 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-31 09:15:38
Pre-Run: 17,961,279,488 bytes free
Post-Run: 17,907,236,864 bytes free
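The entries a helper would pick out of a log like this by eye (the MountPoints2 AutoRun handlers on F:, G: and H:, the Security Center overrides, the Active Setup component running as.exe, and the fact that as.exe and the pai.exe behind msn.lnk share the exact same byte size) can be pulled out mechanically. The script below is an added example written for this thread; it is not ComboFix's own code and not something the poster ran. It parses a constructed excerpt of the log above and applies a handful of illustrative heuristics; the rule names, severities, the KNOWN_NAMES list and the user-path markers are assumptions chosen for the demonstration, not a complete indicator database.

```python
"""Triage helper for ComboFix-style logs.

Pulls autostart entries out of the text and applies a few of the checks a
malware-removal helper would otherwise do by eye.  Added example, not
ComboFix's own code; rules, severities and KNOWN_NAMES are illustrative
assumptions, not a complete indicator database.
"""
import re
from collections import defaultdict

# Constructed excerpt: lines copied from the log above, with the long
# parenthesis banners shortened.  A real log is fed in whole.
SAMPLE_LOG = r"""
((((( Find3M Report )))))
2007-12-13 18:59 1,215,869 ----a-w C:\Documents and Settings\N&N\Application Data\as.exe
((((( Reg Loading Points )))))
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 01:56 AM 15360]
"LocksDumb"="C:\DOCUME~1\N&N\APPLIC~1\DOESBA~1\thunk platform.exe" [08/12/2008 10:25 PM 494592]
C:\Documents and Settings\N&N\Start Menu\Programs\Startup\
msn.lnk - C:\WINDOWS\system32\pai.exe [2008-08-08 07:49:14 1215869]
Rainlendar.lnk - C:\Program Files\Rainlendar\Rainlendar.exe [2006-01-21 15:31:46 118784]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{056f0064-e1e9-11dc-9291-001d721513a3}]
\Shell\AutoRun\command - F:\RavMon.exe
\Shell\open\Command - F:\RavMon.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e16f9413-05ad-11dd-92cb-001d721513a3}]
\Shell\AutoRun\command - F:\ntde1ect.com
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9B71D88C-C598-4935-C5D1-43AA4DB90836}]
C:\WINDOWS\system32\ass\as.exe s
"""

RE_SECTION = re.compile(r"^\[(?P<key>.+)\]$")
RE_RUN = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s*\[(?P<meta>[^\]]*)\]')
RE_LNK = re.compile(r"^(?P<name>\S+\.lnk) - (?P<path>.+?) \[(?P<meta>[^\]]*)\]")
RE_DWORD = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<val>[0-9a-fA-F]{8})')
RE_MOUNT = re.compile(r"^\\Shell\\(?P<verb>\w+)\\[Cc]ommand - (?P<target>.+)$")
RE_FIND3M = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+(?P<size>[\d,]+)\s+\S+\s+(?P<path>.+)$")

# Security Center values that, when set to 1, silence its AV/update/firewall warnings.
OVERRIDE_VALUES = {"antivirusoverride", "firewalloverride", "updatesdisablenotify", "disablemonitoring"}
# Windows file names that look-alike droppers imitate (assumed, illustrative list).
KNOWN_NAMES = {"ntdetect.com", "ntldr", "explorer.exe", "svchost.exe", "lsass.exe", "csrss.exe"}
# Autostart targets under a user profile or temp directory deserve a second look (assumed markers).
USER_PATH_MARKERS = ("documents and settings", "docume~1", "\\temp\\", "\\local settings\\")


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip()


def size_from_meta(meta):
    """Last purely numeric token of the bracketed metadata (the size may precede a path)."""
    return next((t for t in reversed(meta.split()) if t.isdigit()), None)


def looks_like(name):
    """Known name differing from `name` in exactly one position where `name` holds a digit
    (ntde1ect.com versus ntdetect.com); None when nothing matches."""
    n = name.lower()
    for known in KNOWN_NAMES:
        if len(known) == len(n):
            diffs = [i for i, (a, b) in enumerate(zip(n, known)) if a != b]
            if len(diffs) == 1 and n[diffs[0]].isdigit():
                return known
    return None


def triage(text):
    """Return (severity, rule, detail) findings for a ComboFix-style log."""
    findings, sizes, section = [], defaultdict(set), ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("((") or line.lower().endswith("\\startup\\"):
            section = line.strip("() ").lower()          # banner or Startup-folder header
            continue
        if m := RE_SECTION.match(line):
            section = m["key"].lower()
            continue
        if m := RE_FIND3M.match(line):
            sizes[m["size"].replace(",", "")].add(basename(m["path"]).lower())
            continue
        if (m := RE_DWORD.match(line)) and "security center" in section:
            if m["name"].lower() in OVERRIDE_VALUES and int(m["val"], 16) == 1:
                findings.append(("high", "security_center_override", m["name"]))
            continue
        if (m := RE_MOUNT.match(line)) and "mountpoints2" in section:
            target = m["target"].split()[0]              # drop arguments such as '-e'
            findings.append(("high", "autorun_handler", f"{m['verb']} -> {target}"))
            if legit := looks_like(basename(target)):
                findings.append(("high", "lookalike_name", f"{basename(target)} imitates {legit}"))
            continue
        if "active setup\\installed components" in section:
            # Active Setup StubPaths run once per user at logon: a classic persistence slot.
            findings.append(("medium", "active_setup_stubpath", line))
            continue
        if m := RE_RUN.match(line) or RE_LNK.match(line):
            path = m["path"]
            if size := size_from_meta(m["meta"]):
                sizes[size].add(basename(path).lower())
            if any(marker in path.lower() for marker in USER_PATH_MARKERS):
                findings.append(("medium", "autostart_in_user_path", f"{m['name']} -> {path}"))
    for size, names in sizes.items():
        if len(names) > 1:                               # one binary parked under several names?
            findings.append(("medium", "same_size_different_names", f"{size} bytes: {', '.join(sorted(names))}"))
    return findings


if __name__ == "__main__":
    for sev, rule, detail in sorted(triage(SAMPLE_LOG)):
        print(f"[{sev:6}] {rule:28} {detail}")
```

Run against the excerpt it reports the two Security Center overrides, the three AutoRun/open handlers on F:, the single-digit look-alike ntde1ect.com against the Windows boot file ntdetect.com, the Run entry living under the user profile, the Active Setup stub, and the as.exe/pai.exe size collision. The size rule is deliberately weak on its own (two unrelated files can share a size), which is why it is reported at medium and meant to be read next to the other findings rather than acted on alone.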