ComboFix 08-11-19.08 - Computer 11/20/2008 23:02:55.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1256.1.1033.18.573 [GMT 3:00]
Running from: c:\documents and settings\Computer\My Documents\My Completed Downloads\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\alexa toolbar
c:\program files\FunWebProducts
c:\program files\MyWebSearch
c:\program files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
c:\windows\IE4 Error Log.txt
c:\windows\svchost.ini
.
((((((((((((((((((((((((( Files Created from 2008-10-20 to 2008-11-20 )))))))))))))))))))))))))))))))
.
No new files created in this timespan
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-20 20:08 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-20 19:54 --------- d-----w c:\program files\Google
2008-11-20 19:48 --------- d-----w c:\documents and settings\Computer\Application Data\cleaner
2008-11-20 19:05 --------- d-----w c:\documents and settings\Computer\Application Data\CyberScrub
2008-11-20 17:09 --------- d-----w c:\program files\ESET
2008-11-18 07:06 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-11-09 15:29 --------- d-----w c:\program files\Your Uninstaller 2008
2008-10-31 13:46 --------- d-----w c:\program files\Circle Developement
2008-10-31 10:57 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-31 10:49 --------- d-----w c:\program files\REALTEK PCI&Cardbus Wireless LAN Driver and Utility
2008-10-31 10:17 21,035 ----a-w c:\windows\system32\drivers\AegisP.sys
2008-10-31 10:17 --------- d-----w c:\documents and settings\Computer\Application Data\InstallShield
2008-10-28 06:51 --------- d-----w c:\program files\JetAudio
2008-10-21 06:37 --------- d-----w c:\program files\MSBuild
2008-10-21 06:37 --------- d-----w c:\program files\Microsoft Works
2008-10-21 06:35 --------- d-----w c:\program files\Microsoft.NET
2008-10-21 06:29 --------- d-----w c:\program files\Microsoft Visual Studio 8
2008-10-20 13:03 3 ----a-w c:\windows\Fonts\dxva_sig.txt
2008-10-19 19:28 --------- d-----w c:\documents and settings\Computer\Application Data\Avant Profiles
2008-10-10 20:29 --------- d-----w c:\documents and settings\All Users\Application Data\WLInstaller
2008-10-06 17:06 --------- d-----w c:\program files\FLVPlayer
2008-09-18 12:05 44,544 ------w c:\windows\AWuninstall.exe
2008-09-15 11:57 1,846,016 ----a-w c:\windows\system32\win32k.sys
2008-09-04 16:42 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2008-01-10 19:35 720 -c--a-w c:\documents and settings\Computer\phone.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [08/04/2004 10:56 AM 15360]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [04/11/2005 11:26 AM 65536]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\lib\NMBgMonitor.exe" [09/03/2005 03:18 PM 94208]
"IncrediMail"="c:\program files\IncrediMail\bin\IncMail.exe" [10/09/2007 12:02 PM 208946]
"Magentic"="c:\progra~1\Magentic\bin\Magentic.exe" [10/09/2007 01:42 PM 475180]
"msnmsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [10/18/2007 11:34 AM 5724184]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [08/04/2004 08:32 AM 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [08/04/2004 08:32 AM 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [08/04/2004 08:32 AM 455168]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [05/01/2006 12:04 PM 7557120]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [12/05/2005 12:37 PM 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [11/28/2005 11:41 AM 602182]
"THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [01/05/2006 02:02 PM 352256]
"Tvs"="c:\program files\TOSHIBA\Tvs\TvsTray.exe" [02/02/2006 12:11 PM 73728]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [05/12/2005 10:31 AM 118784]
"PSQLLauncher"="c:\program files\Protector Suite QL\launcher.exe" [05/05/2006 05:36 PM 30208]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [10/06/2005 05:20 AM 122940]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [07/09/2001 11:50 AM 155648]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [10/13/2004 04:04 PM 278528]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [01/20/2007 07:04 PM 98304]
"PCSuiteTrayApplication"="c:\progra~1\Nokia\NOKIAP~1\LAUNCH~1.EXE" [06/15/2006 12:36 PM 229376]
"DownloadAccelerator"="c:\program files\DAP\DAP.EXE" [05/16/2008 08:04 PM 3053056]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [06/16/2008 10:30 PM 180269]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [07/18/2008 12:56 AM 266497]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [06/10/2008 04:27 AM 144784]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe" [03/04/2004 06:46 PM 172032]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [12/22/2003 08:38 AM 241664]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [02/18/2004 08:55 PM 49152]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [08/24/2007 07:00 AM 33648]
"RTHDCPL"="RTHDCPL.EXE" [12/09/2005 10:49 PM 15691264 c:\windows\RTHDCPL.exe]
"AGRSMMSG"="AGRSMMSG.exe" [10/15/2005 01:29 PM 88203 c:\windows\agrsmmsg.exe]
"NDSTray.exe"="NDSTray.exe" [BU]
"TFncKy"="TFncKy.exe" [BU]
"TDispVol"="TDispVol.exe" [03/11/2005 03:03 PM 73728 c:\windows\system32\TDispVol.exe]
"CFSServ.exe"="CFSServ.exe" [BU]
"BluetoothAuthenticationAgent"="bthprops.cpl" [08/04/2004 12:56 AM 110592 c:\windows\system32\bthprops.cpl]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [08/04/2004 10:56 AM 15360]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2007-01-20 155648]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
05/05/2006 05:48 PM 40448 c:\windows\system32\psqlpwd.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau
Notification Packages REG_MULTI_SZ scecli psqlpwd
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Magentic\\bin\\Magentic.exe"=
"c:\\Program Files\\Magentic\\bin\\MgApp.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\IncrediMail\\bin\\ImApp.exe"=
"c:\\Program Files\\IncrediMail\\bin\\IncMail.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Toshiba\\ConfigFree\\CFXFER.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\DRIVERS\EAPPkt.sys [2008-10-31 38144]
R2 FdRedir;FdRedir;\??\c:\program files\Common Files\Protector Suite QL\Drivers\FdRedir.sys [2006-05-05 13568]
R2 FileDisk2;FileDisk Protector Kernel Driver;\??\c:\program files\Common Files\Protector Suite QL\Drivers\filedisk.sys [2006-05-05 33024]
R2 NwSapAgent;SAP Agent;c:\windows\system32\svchost.exe -k netsvcs [2004-08-04 14336]
R2 smihlp;SMI helper driver;\??\c:\program files\Protector Suite QL\smihlp.sys [2006-05-05 3456]
S2 a14yhmxo;RUMBA AS/400 Shared Folders;c:\windows\system32\soujuquooj.exe []
S2 f1eedyupm;Websense CPM Report Scheduler;c:\windows\system32\rozoudouh.exe []
S2 uu7yivmx;PowerUtility TV Recording Reservation;c:\windows\system32\tocizib.exe []
S2 y9c1aeo0okilu2;SmartLinkService;c:\windows\system32\quassedaz.exe []
S3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8187.sys [2008-05-24 194304]
S3 SjyPkt;SjyPkt;\??\c:\windows\System32\Drivers\SjyPkt.sys []
S3 Tosrfpcc;Bluetooth PC Card Controller from Toshiba;c:\windows\system32\Drivers\tosrfpcc.sys [2002-08-01 160672]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c0bb8220-7e58-11dd-9918-00a0d160974f}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d7e71f79-cbfb-11dc-a6c3-00a0d160974f}]
\Shell\AutoRun\command - G:\RavMon.exe
\Shell\explore\Command - G:\RavMon.exe -e
\Shell\open\Command - G:\RavMon.exe
.
Contents of the 'Scheduled Tasks' folder
2008-11-20 c:\windows\Tasks\B583885390703643.job
- c:\docume~1\computer\applic~1\axisjo~1\Gram 32 pure.exe []
2008-11-20 c:\windows\Tasks\SpeedOptimizer Startup.job
- c:\progra~1\speedo~1\SPO.exe [03/20/2008 06:56 PM]
2008-11-20 c:\windows\Tasks\{F897AA24-BDC3-11D1-B85B-00C04FB93981}_SADI_Computer.job
- c:\windows\system32\mobsync.exe [08/04/2004 10:56 AM]
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-XPRepairPro2007 - c:\program files\XP Repair Pro 2007\XPRepairPro.exe
HKCU-Run-Performance Center - c:\program files\Ascentive\Performance Center\ApcMain.exe
HKLM-Run-kofi - c:\windows\system32\munnak.exe
HKLM-Run-gyttourer - c:\windows\system32\munnak.exe
MSConfigStartUp-NVRotateSysTray - c:\windows\system32\nvsysrot.dll
.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Computer\Application Data\Mozilla\Firefox\Profiles\1gtykyvs.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxps://www.bankalbilad.com.sa/trade/p/postlogon.do|
FF -: plugin - c:\program files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
Rootkit scan 2008-11-20 23:09:52
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: c:\windows\explorer.exe
-> c:\windows\system32\TDispVol.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Toshiba\ConfigFree\CFSvcs.exe
c:\windows\system32\DVDRAMSV.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Toshiba\TOSHIBA Applet\TAPPSRV.exe
c:\program files\Toshiba\ConfigFree\NDSTray.exe
c:\windows\system32\rundll32.exe
c:\program files\Protector Suite QL\psqltray.exe
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\Magentic\bin\MgApp.exe
c:\progra~1\INCRED~1\bin\ImApp.exe
c:\program files\Windows Live\Messenger\usnsvc.exe
c:\program files\Internet Explorer\iexplore.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
.
**************************************************************************
.
Completion time: 11/20/2008 23:16:24 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-20 20:16:03
Pre-Run: 19,234,639,872 bytes free
Post-Run: 19,136,819,200 bytes free
201 --- E O F --- 2008-11-20 04:43:48
هذا