Extreme slowness when opening programs and accessing web pages,
and when browser menus are displayed .. it seems that some of the programs
that were deleted took some system files with them, such as DLL files.
Attached is the report from the tool .. ComboFix
ComboFix 08-11-23.02 - Administrator 11/26/2008 4:10:39.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1256.1.1033.18.252 [GMT 3:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\FOLESVR.DLL
c:\windows\system32\wl.exe
.
((((((((((((((((((((((((( Files Created from 2008-10-26 to 2008-11-26 )))))))))))))))))))))))))))))))
.
No new files created in this timespan
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-26 01:17 680,736 --sha-w c:\windows\system32\drivers\fidbox2.dat
2008-11-26 01:17 27,625,504 --sha-w c:\windows\system32\drivers\fidbox.dat
2008-11-26 01:16 67,928 --sha-w c:\windows\system32\drivers\fidbox2.idx
2008-11-26 01:16 375,164 --sha-w c:\windows\system32\drivers\fidbox.idx
2008-11-26 01:12 --------- d-----w c:\documents and settings\Administrator\Application Data\DMCache
2008-11-25 20:26 --------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab
2008-11-24 21:18 --------- d-----w c:\program files\CCleaner
2008-11-24 20:43 --------- d-----w c:\documents and settings\Administrator\Application Data\IDM
2008-11-24 17:52 --------- d-----w c:\program files\Avant Browser
2008-11-24 17:52 --------- d-----w c:\documents and settings\Administrator\Application Data\Avant Profiles
2008-11-24 10:36 --------- d-----w c:\program files\Fantasysoft-Studio
2008-11-24 10:34 --------- d-----w c:\program files\Total Video Player
2008-11-23 20:17 --------- d-----w c:\program files\Godlike Developers
2008-11-22 20:22 --------- d-----w c:\program files\Opera
2008-11-21 12:11 --------- d-----w c:\program files\FastFolders
2008-11-21 10:08 --------- d-----w c:\program files\SpeedItUpFree
2008-11-21 10:07 724,992 ----a-w c:\windows\iun6002.exe
2008-11-18 21:36 --------- d-----w c:\program files\Windows Media Connect 2
2008-11-18 21:05 --------- d-----w c:\documents and settings\Administrator\Application Data\Godlike
2008-11-18 19:28 --------- d-----w c:\program files\Error Repair Professional
2008-11-16 21:48 --------- d-----w c:\documents and settings\Administrator\Application Data\WIPE
2008-11-16 21:39 --------- d-----w c:\program files\Wipe
2008-11-16 08:04 --------- d-----w c:\program files\JetAudio
2008-11-15 23:12 --------- d-----w c:\program files\Ad Muncher
2008-11-15 23:12 --------- d-----w c:\documents and settings\All Users\Application Data\Ad Muncher
2008-11-15 21:09 --------- d-----w c:\program files\Hotspot Shield
2008-11-15 21:08 --------- d-----w c:\program files\AnchorFree
2008-11-15 19:40 96,976 ----a-w c:\windows\system32\drivers\klin.dat
2008-11-15 19:40 87,855 ----a-w c:\windows\system32\drivers\klick.dat
2008-11-15 16:22 22,544 ----a-w C:\wjbutton_en.zip
2008-11-14 16:54 --------- d-----w c:\program files\Internet Download Manager
2008-10-28 22:49 --------- d-----w c:\program files\CreativePainter
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [10/13/2004 07:24 PM 1694208]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [08/04/2004 01:56 AM 15360]
"AFProg"="c:\program files\AnchorFree\bin\ctrl\AFController.exe" [11/20/2006 11:19 AM 81920]
"IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [10/28/2008 08:52 PM 2607616]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [06/23/2006 07:41 AM 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [06/23/2006 07:44 AM 86016]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [11/02/2004 08:24 PM 32768]
"Ad Muncher"="c:\program files\Ad Muncher\AdMunch.exe" [11/16/2008 02:12 AM 779776]
"SigmatelSysTrayApp"="sttray.exe" [05/26/2006 05:58 PM 282624 c:\windows\sttray.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [08/04/2004 01:56 AM 15360]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
WlanUtility.lnk - c:\program files\MicroStar\WLANUtility\WlanUtility.exe [2005-03-08 146944]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoConfigPage"= 0 (0x0)
"NoDevMgrPage"= 0 (0x0)
"NoFileSysPage"= 0 (0x0)
"NoVirtMemPage"= 0 (0x0)
"NoSecCpl"= 0 (0x0)
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"NoConfigPage"= 0 (0x0)
"NoDevMgrPage"= 0 (0x0)
"NoFileSysPage"= 0 (0x0)
"NoVirtMemPage"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoStartMenuSubFolders"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)
"NoPrinterTabs"= 0 (0x0)
"NoDeletePrinter"= 0 (0x0)
"NoAddPrinter"= 0 (0x0)
"NoPrinters"= 0 (0x0)
"NoFavoritesMenu"= 0 (0x0)
"NoRecentDocsNetHood"= 0 (0x0)
"NoChange"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i420vfw.dll
"msacm.l3fhg"= mp3fhg.acm
"VIDC.X264"= x264vfw.dll
"VIDC.HFYU"= huffyuv.dll
"vidc.i263"= i263_32.drv
"msacm.ac3filter"= ac3filter.acm
"msacm.divxa32"= divxa32.acm
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\Administrator\\My Documents\\s\\CyberLink\\AgeOfEmpireII\\empires2.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\DRIVERS\klim5.sys [2007-04-04 24344]
.
Contents of the 'Scheduled Tasks' folder
2008-11-25 c:\windows\Tasks\At1.job
- c:\documents and settings\Administrator\Templates\14004-NendangBro.com []
2008-11-25 c:\windows\Tasks\At2.job
- c:\documents and settings\Administrator\Templates\14004-NendangBro.com []
.
- - - - ORPHANS REMOVED - - - -
HKLM-RunServices-raVe - (no file)
HKLM-RunServices-Driver32 - (no file)
HKU-Default-Run-Tok-Cirrhatus - (no file)
.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\d04702hy.default\
FF -: plugin - c:\program files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF -: plugin - c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF -: plugin - c:\program files\Opera\program\plugins\NP_IDM1.dll
FF -: plugin - c:\program files\Opera\program\plugins\NP_IDM2.dll
FF -: plugin - c:\program files\Opera\program\plugins\NP_IDM3.dll
FF -: plugin - c:\program files\Opera\program\plugins\NP_IDM5.dll
FF -: plugin - c:\program files\Opera\program\plugins\NP_IDM6.dll
.
.
------- File Associations -------
.
txtfile=NOTEPAD %1
vbefile\shell\edit\command=c:\windows\Notepad.exe %1
vbsfile\shell\edit\command=c:\windows\Notepad.exe %1
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
Rootkit scan 2008-11-26 04:16:55
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1168)
c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\miscr3.dll
c:\windows\system32\klogon.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\WgaLogon.dll
- - - - - - - > 'lsass.exe'(1224)
c:\windows\system32\msprivs.dll
c:\windows\system32\rsaenh.dll
c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\dnsq.dll
c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\miscr3.dll
c:\windows\system32\idmmbc.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
c:\program files\Hotspot Shield\bin\openvpnas.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\stacsv.exe
c:\windows\system32\wscntfy.exe
c:\program files\MicroStar\WLANUtility\WLAN_Service.exe
c:\program files\Internet Download Manager\IEMonitor.exe
c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
.
**************************************************************************
.
Completion time: 11/26/2008 4:20:52 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-26 01:20:40
Pre-Run: 4,819,750,912 bytes free
Post-Run: 5,162,684,416 bytes free
184 --- E O F --- 2008-11-23 00:07:54
