عزيزي الواصل خلف
هذا التقرير اللي طلع معاي حق الكومبوفيكس
ComboFix 08-11-05.02 - Administrator 11/07/2008 10:24:46.1 - NTFSx86 MINIMAL
Running from: c:\documents and settings\Administrator\سطح المكتب\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\
08dgu.com
C:\autorun.inf
C:\cqdis.cmd
C:\Funny UST Scandal.avi.exe
C:\i.exe
C:\nq0cq.cmd
C:\smss.exe
c:\windows\autorun.inf
c:\windows\Funny UST Scandal.exe
c:\windows\killer.exe
c:\windows\smss.exe
c:\windows\system32\amvo.exe
c:\windows\system32\amvo0.dll
c:\windows\system32\amvo1.dll
c:\windows\system32\Bitkv0.dll
c:\windows\system32\Bitkv1.dll
c:\windows\system32\ckvo.exe
c:\windows\system32\ckvo0.dll
c:\windows\system32\ckvo1.dll
C:\xih9.cmd
D:\
08dgu.com
D:\Autorun.inf
D:\cqdis.cmd
D:\Funny UST Scandal.avi.exe
D:\nq0cq.cmd
D:\smss.exe
D:\xih9.cmd
E:\
08dgu.com
E:\Autorun.inf
E:\cqdis.cmd
E:\Funny UST Scandal.avi.exe
E:\nq0cq.cmd
E:\smss.exe
E:\xih9.cmd
.
((((((((((((((((((((((((( Files Created from 2008-10-07 to 2008-11-07 )))))))))))))))))))))))))))))))
.
No new files created in this timespan
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-07 07:23 672,908 --sha-w c:\windows\system32\drivers\fidbox.idx
2008-11-07 07:23 60,037,152 --sha-w c:\windows\system32\drivers\fidbox.dat
2008-11-06 13:04 --------- d-----w c:\program files\ma-config.com
2008-11-06 13:04 --------- d-----w c:\documents and settings\All Users\Application Data\ma-config.com
2008-11-06 07:33 --------- d-----w c:\program files\Kaspersky Lab
2008-11-06 07:11 --------- d-----w c:\documents and settings\All Users\Application Data\zyz Kaspersky Lab setup files
2008-11-01 16:15 --------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-11-01 15:16 104,927 --sh--r C:\vfjc8mxm.exe
2008-10-15 05:39 73,216 ----a-w c:\windows\ST6UNST.EXE
2008-10-15 05:39 282,624 ------w c:\windows\Setup1.exe
2008-10-10 15:23 32,443,998 ----a-w C:\zyzoom_kis8.0.0.357en.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [08/04/2004 12:56 AM 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [11/28/2005 08:55 AM 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [11/28/2005 08:52 AM 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [11/28/2005 08:55 AM 118784]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [08/04/2004 12:56 AM 158208]
"AGRSMMSG"="AGRSMMSG.exe" [10/08/2004 05:50 AM 88363 c:\windows\AGRSMMSG.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [08/04/2004 12:56 AM 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
S1 is-RN1FKdrv;is-RN1FKdrv;c:\windows\system32\DRIVERS\16578323.sys [07/08/2008 01:54 PM 148496]
S3 AVPsys;AVPsys;c:\windows\system32\drivers\tdi.sys [08/03/2004 11:07 PM 18560]
S3 maconfservice;Ma-Config Service;c:\program files\ma-config.com\maconfservice.exe [09/02/2008 04:14 PM 191656]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{073ccc18-9c54-11dd-b59a-000ffe0fa363}]
\Shell\AutoRun\command - H:\
08dgu.com
\Shell\explore\Command - H:\
08dgu.com
\Shell\open\Command - H:\
08dgu.com
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9401367e-4a0a-11dd-9a3c-a5c0559938f8}]
\Shell\AutoRun\command - H:\xih9.cmd
\Shell\explore\Command - H:\xih9.cmd
\Shell\open\Command - H:\xih9.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a2ed4b6e-9ff3-11dd-b5a3-000ffe0fa363}]
\Shell\Autoplay\Command - H:\smss.exe
\Shell\AutoRun\command - H:\smss.exe
\Shell\Explore\Command - H:\smss.exe
\Shell\Open\Command - H:\smss.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c0a47a2d-57de-11dd-b585-000ffe0fa363}]
\Shell\Autoplay\Command - H:\smss.exe
\Shell\AutoRun\command - H:\smss.exe
\Shell\Explore\Command - H:\smss.exe
\Shell\Open\Command - H:\smss.exe
*Newly Created Service* - PROCEXP90
.
- - - - ORPHANS REMOVED - - - -
ShellExecuteHooks-{C5F43BEF-CE2F-46D8-AFE6-A647BACD1F09} - c:\windows\system32\Bitkv1.dll
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.com.sa/
O8 -: &تصدير إلى Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
Rootkit scan 2008-11-07 10:25:55
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: c:\windows\system32\winlogon.exe
-> c:\windows\system32\tsd32.dll
.
Completion time: 11/07/2008 10:26:30
ComboFix-quarantined-files.txt 2008-11-07 07:26:28
Pre-Run: 46,887,895,040 bytes free
Post-Run: 47,147,053,056 bytes free
128
و هذا حق الهايجاك
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:29:01 ص, on 07/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Administrator\سطح المكتب\HiJackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &تصدير إلى Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: بحث - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Ma-Config Service (maconfservice) - CybelSoft - C:\Program Files\ma-config.com\maconfservice.exe
--
End of file - 2157 bytes
و آسف تعبتك معاي ..