أهلا مرة أخرى قمت بتنزيل الاداة الأولى فقامت بمسح الجهاز ولكن في الرد السابق للكونج قال أنه سوف يظهر لي مرتين يطلب أن أوافق على الخطوات ولكن عندي ظهرت مرة واحدة ولم يتم اعادة تشغيل الجهاز اتوماتيكيا، بل ظهر التقرير دون أن يعاد تشغيل الجهاز
وهذا هو التقرير :
ComboFix 08-09-16.05 - Administrator 09/18/2008 23:55:54.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1256.1.1033.18.115 [GMT 4:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\kakle.dll
D:\Autorun.inf
E:\Autorun.inf
.
((((((((((((((((((((((((( Files Created from 2008-08-18 to 2008-09-18 )))))))))))))))))))))))))))))))
.
No new files created in this timespan
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-18 07:36 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-18 07:36 --------- d-----w C:\Program Files\CyberLink
2008-09-18 07:33 --------- d-----w C:\Program Files\Webteh
2008-09-18 07:32 --------- d-----w C:\Program Files\DivX
2008-09-18 07:31 --------- d-----w C:\Program Files\Google
2008-09-18 07:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-09-18 07:23 --------- d-----w C:\Program Files\MSBuild
2008-09-18 07:23 --------- d-----w C:\Program Files\Microsoft Works
2008-09-18 06:57 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Ahead
2008-09-18 06:56 --------- d-----w C:\Program Files\Common Files\Ahead
2008-09-18 06:56 --------- d-----w C:\Program Files\Ahead
2008-09-18 06:55 --------- d-----w C:\Program Files\Winamp
2008-09-18 06:53 155,995 ----a-w C:\WINDOWS\java\Packages\CF5J71JD.ZIP
2008-09-14 18:26 --------- d-----w C:\Program Files\Alwil Software
2008-09-14 18:23 90,112 ----a-w C:\WINDOWS\system32\agsaami.dll
2008-09-14 18:23 610,304 ----a-w C:\WINDOWS\system32\agsaamg.dll
2008-09-14 18:23 372,736 ----a-w C:\WINDOWS\system32\agsaamc.dll
2008-09-14 18:23 2,535,424 ----a-w C:\WINDOWS\system32\agsaamj.dll
2008-09-14 18:23 1,986,560 ----a-w C:\WINDOWS\system32\akll.dll
2008-09-14 18:23 1,245,184 ----a-w C:\WINDOWS\system32\bkll.dll
2008-09-14 18:23 1,212,416 ----a-w C:\WINDOWS\system32\ckll.dll
2008-09-14 18:23 --------- d-----w C:\Program Files\Real_SC
2008-09-14 18:23 --------- d-----w C:\Program Files\QuickTime
2008-09-14 18:22 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-09-14 18:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-09-14 18:21 --------- d-----w C:\Program Files\Real
2008-09-14 18:21 --------- d-----w C:\Program Files\Common Files\xing shared
2008-09-14 18:21 --------- d-----w C:\Program Files\Common Files\Real
2008-09-14 18:18 --------- d-----w C:\Program Files\JetAudio
2008-09-14 18:17 --------- d-----w C:\Program Files\Common Files\Adobe
2008-09-14 18:16 --------- d-----w C:\Program Files\MSN Messenger
2008-09-14 18:14 --------- d-----w C:\Program Files\Java Web Start
2008-09-14 18:13 --------- d-----w C:\Program Files\Java
2008-09-14 18:13 --------- d-----w C:\Program Files\Free Download Manager
2008-09-14 18:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\FreeDownloadManager.ORG
2008-09-14 18:13 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Free Download Manager
2008-09-14 18:12 --------- d-----w C:\Program Files\Golden Al-Wafi Translator
2008-09-14 18:11 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2008-09-14 18:11 49,152 ----a-w C:\WINDOWS\ATA Live Update.exe
2008-09-14 18:11 172,032 ------w C:\WINDOWS\Setup1.exe
2008-09-14 18:10 --------- d-----w C:\Program Files\Ahmed_Soft
2008-09-14 18:01 --------- d-----w C:\Program Files\Microsoft.NET
2008-09-14 18:01 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-09-14 17:50 --------- d-----w C:\Program Files\CONEXANT
2008-09-14 17:46 --------- d-----w C:\Program Files\Realtek
2008-09-14 17:26 --------- d-----w C:\Program Files\microsoft frontpage
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 12:56 AM 15360]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.Exe" [01/19/2007 12:55 PM 5674352]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe" [09/14/2008 10:21 PM 146432]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [09/14/2008 10:22 PM 282624]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [05/16/2008 03:19 AM 79224]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [12/13/2003 04:50 AM 33792]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 11:50 AM 155648]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [10/27/2006 12:47 AM 31016]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [11/02/2004 08:24 PM 32768]
"RTHDCPL"="RTHDCPL.EXE" [06/28/2006 10:54 AM 16248320 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [05/16/2006 02:04 PM 2879488 C:\WINDOWS\SkyTel.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [08/04/2004 12:56 AM 15360]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-08-11 40048]
Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-08-10 741987]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2008-09-14 118784]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [05/16/2008 03:20 AM 78416]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [05/16/2008 03:16 AM 20560]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4976955f-841f-11dd-9eb9-0019d15d5003}]
\Shell\AutoRun\command - 83l3v.cmd
\Shell\explore\Command - 83l3v.cmd
\Shell\open\Command - 83l3v.cmd
*Newly Created Service* - PROCEXP90
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.com.om/
R1 -: HKCU-Internet Settings,ProxyServer = proxy1.emirates.net.ae:8080
R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/keyword/%s
O8 -: &Google Search - C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 -: Backward &Links - C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 -: Cac&hed Snapshot of Page - C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 -: Free Download Manager تحميل الفيديو بواسطة -
Files\Free Download Manager\dlfvideo.htm
O8 -: Si&milar Pages - C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 -: Translate into English - C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 -: ت&صدير إلى Microsoft Excel - C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 -: تحميل المحددة بفري داونلود مانيجر -
Files\Free Download Manager\dlselected.htm
O8 -: تنزيل الكل بفري داونلود مانيجر -
Files\Free Download Manager\dlall.htm
O8 -: تنزيل بفري داونلود مانيجر -
Files\Free Download Manager\dllink.htm
O16 -: Microsoft XML Parser for Java -
C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
Rootkit scan 2008-09-18 23:57:08
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 09/18/2008 23:57:54
ComboFix-quarantined-files.txt 2008-09-18 19:57:47
Pre-Run: 32,009,949,184 bytes free
Post-Run: 32,071,065,600 bytes free
136
وهذا تقرير الهايجيك :
Logfile of HijackThis v1.99.1
Scan saved at 12:02:52 ص, on 19/09/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\setup\avast.setup
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy1.emirates.net.ae:8080
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Reader 8.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: FDMIEsBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Free Download Manager تحميل الفيديو بواسطة -
Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: ت&صدير إلى Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: تحميل المحددة بفري داونلود مانيجر -
Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: تنزيل الكل بفري داونلود مانيجر -
Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: تنزيل بفري داونلود مانيجر -
Files\Free Download Manager\dllink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: إرسال إلى OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: إر&سال إلى OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=www.emi.ae
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
k: