ComboFix 08-12-07.04 - USER 12/09/2008 16:03:48.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1256.1.1025.18.508 [GMT 3:00]
Running from: c:\documents and settings\USER\سطح المكتب\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\USER\قائمة ابدأ\Cheap Pharmacy Online.url
c:\documents and settings\USER\قائمة ابدأ\Search Online.url
c:\documents and settings\USER\قائمة ابدأ\SMS TRAP.url
c:\documents and settings\USER\قائمة ابدأ\VIP Casino.url
c:\documents and settings\USER\Application Data\inst.exe
c:\documents and settings\USER\Favorites\Cheap Pharmacy Online.url
c:\documents and settings\USER\Favorites\Search Online.url
c:\documents and settings\USER\Favorites\SMS TRAP.url
c:\documents and settings\USER\Favorites\VIP Casino.url
c:\windows\system32\AutoRun.inf
c:\windows\system32\c.ico
c:\windows\system32\m.ico
c:\windows\system32\p.ico
c:\windows\system32\s.ico
c:\windows\system32\systeminfo3.dll
c:\windows\system32\tmp.reg
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_NPF
((((((((((((((((((((((((( Files Created from 2008-11-09 to 2008-12-09 )))))))))))))))))))))))))))))))
.
No new files created in this timespan
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-09 13:07 --------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab
2008-12-09 13:05 450,592 --sha-w c:\windows\system32\drivers\fidbox2.dat
2008-12-09 13:05 3,668 --sha-w c:\windows\system32\drivers\fidbox2.idx
2008-12-09 13:05 24,108 --sha-w c:\windows\system32\drivers\fidbox.idx
2008-12-09 13:05 2,813,472 --sha-w c:\windows\system32\drivers\fidbox.dat
2008-12-09 13:02 --------- d-----w c:\documents and settings\USER\Application Data\DMCache
2008-12-09 00:01 --------- d-----w c:\documents and settings\USER\Application Data\uTorrent
2008-12-08 23:05 --------- d-----w c:\program files\Hotspot Shield
2008-12-08 01:25 --------- d-----w c:\program files\VoiceMaskPro
2008-12-08 00:29 --------- d-----w c:\program files\Java
2008-12-07 21:04 --------- d-----w c:\program files\AnchorFree
2008-12-07 14:15 --------- d-----w c:\program files\TuneUp Utilities 2009
2008-12-06 17:55 --------- d-----w c:\program files\Hotspot_Shield
2008-12-06 00:16 --------- d-----w c:\documents and settings\USER\Application Data\Desktopicon
2008-12-06 00:15 --------- d-----w c:\program files\VDOWNLOADER
2008-12-05 22:41 --------- d-----w c:\documents and settings\USER\Application Data\Skype
2008-12-05 22:40 --------- d-----w c:\documents and settings\USER\Application Data\skypePM
2008-12-05 19:18 --------- d-----w c:\documents and settings\All Users\Application Data\TuneUp Software
2008-12-05 19:11 --------- d-sh--w c:\documents and settings\All Users\Application Data\{55A29068-F2CE-456C-9148-C869879E2357}
2008-12-05 12:20 --------- d-----w c:\documents and settings\USER\Application Data\IDM
2008-12-05 01:19 --------- d-----w c:\documents and settings\USER\Application Data\Hide IP NG
2008-12-05 01:18 --------- d-----w c:\program files\GreenBrowser
2008-12-04 14:34 --------- d-----w c:\program files\ONSPEED
2008-12-04 14:32 --------- d-----w c:\program files\onspeed_toolbar
2008-12-03 23:51 --------- d-----w c:\documents and settings\USER\Application Data\VitySoft
2008-12-03 17:01 --------- d-----w c:\documents and settings\USER\Application Data\Media Player Classic
2008-12-03 17:00 --------- d-----w c:\program files\K-Lite Codec Pack
2008-12-03 16:59 --------- d-----w c:\program files\Common Files\Real
2008-12-03 07:57 --------- d-----w c:\documents and settings\USER\Application Data\Apple Computer
2008-12-03 07:53 --------- d-----w c:\program files\iTunes
2008-12-03 07:53 --------- d-----w c:\program files\iPod
2008-12-03 07:53 --------- d-----w c:\program files\Common Files\Apple
2008-12-03 07:53 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2008-12-03 07:53 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-03 07:52 --------- d-----w c:\program files\Bonjour
2008-12-03 07:49 --------- d-----w c:\documents and settings\All Users\Application Data\Apple
2008-12-03 06:32 --------- d-----w c:\program files\Skype
2008-12-03 06:32 --------- d-----w c:\program files\Common Files\Skype
2008-12-02 09:00 --------- d-----w c:\program files\English Step By Step
2008-12-01 06:43 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2008-12-01 06:41 --------- d-----w c:\documents and settings\All Users\Application Data\Skype
2008-12-01 05:46 --------- d-----w c:\documents and settings\USER\Application Data\Thinstall
2008-11-29 05:55 --------- d-----w c:\program files\a-squared Anti-Malware
2008-11-27 09:31 96,976 ----a-w c:\windows\system32\drivers\klin.dat
2008-11-27 09:31 87,855 ----a-w c:\windows\system32\drivers\klick.dat
2008-11-27 07:30 --------- d-----w c:\program files\Kaspersky Lab
2008-11-26 13:57 --------- d-----w c:\program files\Internet Download Manager
2008-11-19 22:00 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-18 17:38 --------- d-----w c:\program files\Google
2008-11-17 02:43 73,216 ----a-w c:\windows\ST6UNST.EXE
2008-11-17 02:43 249,856 ------w c:\windows\Setup1.exe
2008-11-16 15:15 --------- d-----w c:\program files\Ela-Salaty
2008-11-15 22:49 --------- d-----w c:\program files\Winferno
2008-11-14 13:33 47,360 ----a-w c:\documents and settings\USER\Application Data\pcouffin.sys
2008-11-14 13:33 --------- d-----w c:\documents and settings\USER\Application Data\Vso
2008-11-14 11:00 --------- d-----w c:\program files\Microsoft CAPICOM 2.1.0.2
2008-11-14 04:09 --------- d-----w c:\documents and settings\All Users\Application Data\Winferno
2008-11-14 03:11 47,360 ----a-w c:\windows\system32\drivers\pcouffin.sys
2008-11-14 02:45 --------- d-----w c:\documents and settings\All Users\Application Data\DVD X Studios
2008-11-14 02:10 --------- d-----w c:\program files\uTorrent
2008-11-14 01:57 --------- d-----w c:\program files\P2P_Torrent
2008-11-14 01:57 --------- d-----w c:\program files\No-IP
2008-11-14 01:38 --------- d-----w c:\program files\Conduit
2008-11-12 09:37 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-11-12 08:31 --------- d-----w c:\documents and settings\All Users\Application Data\Messenger Plus!
2008-11-11 16:58 25,601 ----a-w c:\windows\system32\drivers\klopp.dat
2008-11-05 05:50 --------- d-----w c:\program files\The KMPlayer
2008-11-05 02:50 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo! Companion
2008-11-05 02:06 --------- d-----w c:\program files\ma-config.com
2008-11-05 02:06 --------- d-----w c:\documents and settings\All Users\Application Data\ma-config.com
2008-11-05 01:30 --------- d-----w c:\program files\CCleaner
2008-11-05 01:29 --------- d-----w c:\program files\Yahoo!
2008-11-05 00:44 --------- d-----w c:\documents and settings\USER\Application Data\TuneUp Software
2008-11-05 00:32 --------- d-----w c:\program files\TuneUp Utilities 2008
2008-11-02 21:37 --------- d-----w c:\program files\ColorSoft
2008-11-01 15:52 --------- d-----w c:\program files\Vimicro
2008-11-01 15:28 737,280 ----a-w c:\windows\iun6002.exe
2008-10-28 21:59 --------- d-----w c:\program files\VIA
2008-10-28 19:08 --------- d-----w c:\program files\HP
2008-10-28 18:54 --------- d-----w c:\program files\Common Files\InstallShield
2008-10-26 00:59 --------- d-----w c:\program files\MSN Messenger
2008-10-25 03:43 --------- d-----w c:\program files\CONEXANT
2008-10-24 19:17 --------- d-----w c:\documents and settings\USER\Application Data\Paltalk
2008-10-24 17:18 --------- d-----w c:\documents and settings\All Users\Application Data\Atelier Web
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-24 10:50 --------- d-----w c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2008-10-24 01:05 --------- d-----w c:\program files\Real
2008-10-24 00:48 --------- d-----w c:\program files\Sun
2008-10-24 00:29 --------- d-----w c:\program files\ Code Library
2008-10-24 00:29 --------- d-----w c:\documents and settings\USER\Application Data\OverZone Software
2008-10-24 00:08 155,995 ----a-w c:\windows\java\Packages\F3ZNJTJP.ZIP
2008-10-23 23:41 --------- d-----w c:\program files\Windows Live
2008-10-23 23:41 --------- d-----w c:\program files\Messenger Plus! Live
2008-10-23 23:41 --------- d-----w c:\program files\Circle Developement
2008-10-23 21:51 --------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-10-23 20:53 --------- d-----w c:\program files\NetWaiting
2008-10-23 20:53 --------- d-----w c:\program files\Creative
2008-10-23 20:11 --------- d-----w c:\program files\S3
2008-10-23 20:09 --------- d-----w c:\program files\Realtek Sound Manager
2008-10-23 20:09 --------- d-----w c:\program files\AvRack
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{bc4be15d-6a34-4356-9e97-79e43da32b1d}"= "c:\program files\P2P_Torrent\tbP2P_.dll" [08/20/2008 11:03 PM 1780248]
"{c95a4e8e-816d-4655-8c79-d736da1adb6d}"= "c:\program files\Hotspot_Shield\tbHot1.dll" [12/06/2008 08:55 PM 1784856]
[HKEY_CLASSES_ROOT\clsid\{bc4be15d-6a34-4356-9e97-79e43da32b1d}]
[HKEY_CLASSES_ROOT\clsid\{c95a4e8e-816d-4655-8c79-d736da1adb6d}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bc4be15d-6a34-4356-9e97-79e43da32b1d}]
08/20/2008 11:03 PM 1780248 --a------ c:\program files\P2P_Torrent\tbP2P_.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c95a4e8e-816d-4655-8c79-d736da1adb6d}]
12/06/2008 08:55 PM 1784856 --a------ c:\program files\Hotspot_Shield\tbHot1.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}]
12/08/2008 02:07 PM 204248 --a------ c:\program files\Hotspot Shield\hssie\HssIE.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{bc4be15d-6a34-4356-9e97-79e43da32b1d}"= "c:\program files\P2P_Torrent\tbP2P_.dll" [08/20/2008 11:03 PM 1780248]
"{c95a4e8e-816d-4655-8c79-d736da1adb6d}"= "c:\program files\Hotspot_Shield\tbHot1.dll" [12/06/2008 08:55 PM 1784856]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{BC4BE15D-6A34-4356-9E97-79E43DA32B1D}"= "c:\program files\P2P_Torrent\tbP2P_.dll" [08/20/2008 11:03 PM 1780248]
"{C95A4E8E-816D-4655-8C79-D736DA1ADB6D}"= "c:\program files\Hotspot_Shield\tbHot1.dll" [12/06/2008 08:55 PM 1784856]
[HKEY_CLASSES_ROOT\clsid\{bc4be15d-6a34-4356-9e97-79e43da32b1d}]
[HKEY_CLASSES_ROOT\clsid\{c95a4e8e-816d-4655-8c79-d736da1adb6d}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [04/14/2008 06:59 PM 15360]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [01/19/2007 12:55 PM 5674352]
"AFProg"="c:\program files\AnchorFree\bin\ctrl\AFController.exe" [10/11/2006 04:47 AM 81920]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [08/03/2004 11:32 PM 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [08/03/2004 11:32 PM 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [08/03/2004 11:32 PM 455168]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [08/24/2007 07:00 AM 33648]
"BigDogPath"="c:\windows\VM_STI.EXE" [02/28/2005 05:53 PM 53248]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [11/11/2008 07:59 PM 206088]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [11/20/2008 01:20 PM 290088]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [12/08/2008 03:29 AM 136600]
"SoundMan"="SOUNDMAN.EXE" [06/10/2003 02:12 PM 55296 c:\windows\SOUNDMAN.EXE]
"VTTimer"="VTTimer.exe" [09/21/2006 04:36 PM 53248 c:\windows\system32\VTTimer.exe]
"VTTrayp"="VTtrayp.exe" [08/27/2007 07:03 PM 200704 c:\windows\system32\VTTrayp.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [04/14/2008 06:59 PM 15360]
c:\documents and settings\USER\çںê، ں §ڑ\ںé ©ںê¤\ §ک ں颬نïé\
Ela-Salaty.lnk - c:\program files\Ela-Salaty\Salaty.exe [2007-03-05 5205504]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoConfigPage"= 0 (0x0)
"NoDevMgrPage"= 0 (0x0)
"NoFileSysPage"= 0 (0x0)
"NoVirtMemPage"= 0 (0x0)
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"NoConfigPage"= 0 (0x0)
"NoDevMgrPage"= 0 (0x0)
"NoFileSysPage"= 0 (0x0)
"NoVirtMemPage"= 0 (0x0)
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Skype"="c:\program files\Skype\Phone\Skype.exe" /nosplash /minimized
"AFProg"=c:\program files\AnchorFree\bin\ctrl\AFController.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"VIARaidUtl"=c:\program files\VIA\RAID\raid_tool.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Documents and Settings\\USER\\سطح المكتب\\PaltalkScene.exe"=
"c:\\Documents and Settings\\USER\\Application Data\\Thinstall\\PaltalkScene\\400000b3400002i\\paltalk.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Internet Security 2009\\english\\setup.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-01-29 32784]
R0 viasraid;viasraid;c:\windows\system32\DRIVERS\viasraid.sys [2008-10-23 75904]
R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\System32\TUProgSt.exe [2008-12-05 603904]
R2 VRAID Log Service;VRAID Log Service;c:\program files\VIA\RAID\vialogsv.exe [2008-10-29 52888]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\DRIVERS\klfltdev.sys [2008-03-13 26640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\DRIVERS\klim5.sys [2008-04-30 24592]
S3 gwiopm;gwiopm;\??\c:\program files\Unknown Device Identifier\gwiopm.sys []
S3 maconfservice;Ma-Config Service;"c:\program files\ma-config.com\maconfservice.exe" [2008-11-02 195752]
S3 s3chipid;s3chipid;\??\c:\docume~1\USER\LOCALS~1\Temp\s3chipid.sys []
S3 xAntiArp;xAntiArpSpoof Service;c:\windows\system32\DRIVERS\xAntiArp.sys []
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder
2008-12-09 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2009\OneClickStarter.exe [11/20/2008 04:28 PM]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT1561552
uInternet Settings,ProxyOverride = plimus.com,
,
IE: Download All Links with IDM - c:\docume~1\USER\LOCALS~1\Temp\Rar$EX00.625\quyanhnguyen\Internet Download Manager\IEGetAll.htm
IE: Download with IDM - c:\docume~1\USER\LOCALS~1\Temp\Rar$EX00.625\quyanhnguyen\Internet Download Manager\IEExt.htm
IE: ت&صدير إلى Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: تحميل الكل بواسطة Internet Download Manager - c:\program files\Internet Download Manager\IEGetAll.htm
IE: تحميل بواسطة Internet Download Manager - c:\program files\Internet Download Manager\IEExt.htm
IE: تحميل محتوى FLV بواسطة Internet Download Manager - c:\program files\Internet Download Manager\IEGetVL.htm
LSP: c:\progra~1\ONSPEED\sliplsp.dll
O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
FireFox -: Profile - c:\documents and settings\USER\Application Data\Mozilla\Firefox\Profiles\kgi6ony4.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1210541&SearchSource=3&q=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com.sa/
FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npdeploytk.dll
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npjp2.dll
FF -: plugin - c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF -: plugin - c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF -: plugin - c:\program files\ma-config.com\nphardwaredetection.dll
FF -: plugin - c:\program files\Real\RhapsodyPlayerEngine\nprhapengine.dll
FF -: plugin - c:\program files\Yahoo!\Common\npyaxmpb.dll
.
.
------- File Associations -------
.
txtfile=NOTEPAD %1
vbefile\shell\edit\command=%SystemRoot%\System32\Notepad.exe %1
vbsfile\shell\edit\command=c:\windows\Notepad.exe %1
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
Rootkit scan 2008-12-09 16:07:29
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(432)
c:\windows\system32\ac3acm.acm
c:\windows\system32\lameACM.acm
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Hotspot Shield\bin\openvpnas.exe
c:\program files\Java\jre6\bin\jqs.exe
.
**************************************************************************
.
Completion time: 12/09/2008 16:10:24 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-09 13:10:02
Pre-Run: 67,618,103,296 bytes free
Post-Run: 67,647,676,416 bytes free
294 --- E O F --- 2008-12-08 00:21:41