تقرير الكومبو فيكس :
******** 09-01-05.05 - Al-Qassabi 01/06/2009 16:10:36.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1256.1.1033.18.1023.669 [GMT 4:00]
Running from: c:\documents and settings\Al-Qassabi\Desktop\********.exe
AV: Kaspersky Internet Security *On-access scanning disabled* (Updated)
FW: Kaspersky Internet Security *disabled*
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\TAKK16HH.exe.a_a
c:\windows\system32\tmp.reg
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_NPF
((((((((((((((((((((((((( Files Created from 2008-12-06 to 2009-01-06 )))))))))))))))))))))))))))))))
.
No new files created in this timespan
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-06 12:16 --------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-01-06 12:16 --------- d-----w c:\documents and settings\Al-Qassabi\Application Data\DMCache
2009-01-06 12:13 3,052 --sha-w c:\windows\system32\drivers\fidbox2.idx
2009-01-06 12:13 3,021,344 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-01-06 12:13 270,368 --sha-w c:\windows\system32\drivers\fidbox2.dat
2009-01-06 12:13 27,828 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-01-06 12:07 --------- d-----w c:\documents and settings\Al-Qassabi\Application Data\HPAppData
2009-01-06 08:44 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-01-05 21:16 96,976 ----a-w c:\windows\system32\drivers\klin.dat
2009-01-05 21:16 87,855 ----a-w c:\windows\system32\drivers\klick.dat
2009-01-05 21:15 --------- d-----w c:\program files\Kaspersky Lab
2009-01-05 14:40 --------- d-----w c:\documents and settings\Al-Qassabi\Application Data\SUPERAntiSpyware.com
2009-01-05 11:05 --------- d-----w c:\program files\Siber Systems
2009-01-05 10:54 0 ----a-w C:\osy3.sys
2009-01-05 10:13 --------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-01-05 07:30 --------- d-----w c:\documents and settings\All Users\Application Data\Prevx
2009-01-05 07:05 --------- d-----w c:\documents and settings\NetworkService\Application Data\HPAppData
2009-01-04 17:47 --------- d-----w c:\documents and settings\All Users\Application Data\199737986
2008-12-29 19:58 --------- d-----w c:\documents and settings\All Users\Application Data\Messenger Plus!
2008-12-29 19:45 --------- d-----w c:\program files\Circle Developement
2008-12-29 14:23 --------- d-----w c:\documents and settings\Al-Qassabi\Application Data\Thinstall
2008-12-27 10:25 --------- d-----w c:\documents and settings\All Users\Application Data\DriverScanner
2008-12-27 10:25 --------- d-----w c:\documents and settings\Al-Qassabi\Application Data\Uniblue
2008-12-27 10:22 --------- d-----w c:\program files\HP
2008-12-27 10:18 --------- d-----w c:\documents and settings\All Users\Application Data\HP
2008-12-26 21:11 --------- d-----w c:\program files\Intel
2008-12-23 23:11 --------- d-----w c:\documents and settings\Al-Qassabi\Application Data\LimeWire
2008-12-23 22:58 --------- d-----w c:\program files\Java
2008-12-23 22:52 --------- d-----w c:\program files\Common Files\Java
2008-12-06 09:15 --------- d-----w c:\program files\Common Files\InstallShield
2008-12-06 09:13 --------- d-----w c:\program files\Musicmatch
2008-12-04 06:02 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-24 09:47 --------- d-----w c:\documents and settings\Al-Qassabi\Application Data\IDM
2008-11-11 16:00 218,376 ----a-w c:\windows\system32\klogon.dll
2008-11-11 15:58 25,601 ----a-w c:\windows\system32\drivers\klopp.dat
2008-11-10 01:43 410,984 ----a-w c:\windows\system32\deploytk.dll
2008-11-08 14:35 --------- d-----w c:\documents and settings\Al-Qassabi\Application Data\Teleca
2008-11-08 14:31 --------- d-----w c:\program files\Sony Ericsson
2008-11-08 14:31 --------- d-----w c:\program files\Common Files\Teleca Shared
2008-11-08 14:28 --------- d-----w c:\program files\Common Files\Sony Ericsson Shared
2008-11-08 14:28 --------- d-----w c:\documents and settings\All Users\Application Data\Teleca
2008-11-08 14:28 --------- d-----w c:\documents and settings\All Users\Application Data\Sony Ericsson
2008-11-08 14:28 --------- d-----w c:\documents and settings\Al-Qassabi\Application Data\Sony Ericsson
2008-11-07 16:12 413,760 ----a-w c:\windows\system32\mpg4c32.dll
2008-11-07 10:50 --------- d-----w c:\program files\Common Files\Adobe
2008-10-29 20:27 155,995 ----a-w c:\windows\java\Packages\F1F1N9VN.ZIP
2008-10-27 06:45 676,224 ----a-w c:\windows\system32\ogacheckcontrol.dll
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-22 19:47 499,712 ----a-w c:\windows\system32\msvcp71.dll
2008-10-22 19:47 348,160 ----a-w c:\windows\system32\msvcr71.dll
2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll
2008-10-16 10:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 10:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 10:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 10:12 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 10:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 10:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 10:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 10:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 10:07 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-16 10:06 268,648 ----a-w c:\windows\system32\mucltui.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [04/14/2008 04:00 PM 15360]
"IDMan"="e:\program files\Internet Download Manager\IDMan.exe" [09/15/2008 09:30 PM 2606512]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [11/11/2008 07:59 PM 206088]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [10/22/2008 11:47 PM 185896]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [11/10/2008 05:43 AM 136600]
"Sony Ericsson PC Suite"="e:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [06/13/2007 08:16 AM 528384]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [08/22/2007 04:31 PM 80896]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [08/24/2007 07:00 AM 33648]
"Adobe Reader Speed Launcher"="e:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [10/15/2008 01:04 AM 39792]
"1904921226"="c:\documents and settings\All Users\Application Data\199737986\1904921226.exe" [01/04/2009 09:47 PM 1812002]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [04/14/2008 04:00 PM 15360]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"e:\\lime wire\\P.LimeWire_4.18\\P.LimeWire_4.18.1.exe"=
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-01-29 32784]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [2008-03-13 26640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2008-04-30 24592]
S3 s816bus;Sony Ericsson Device 816 driver (WDM);c:\windows\system32\drivers\s816bus.sys [2008-11-08 81832]
S3 s816mdfl;Sony Ericsson Device 816 USB WMC Modem Filter;c:\windows\system32\drivers\s816mdfl.sys [2008-11-08 13864]
S3 s816mdm;Sony Ericsson Device 816 USB WMC Modem Driver;c:\windows\system32\drivers\s816mdm.sys [2008-11-08 107304]
S3 s816mgmt;Sony Ericsson Device 816 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s816mgmt.sys [2008-11-08 99112]
S3 s816nd5;Sony Ericsson Device 816 USB Ethernet Emulation SEMCMR7 (NDIS);c:\windows\system32\drivers\s816nd5.sys [2008-11-08 21928]
S3 s816obex;Sony Ericsson Device 816 USB WMC OBEX Interface;c:\windows\system32\drivers\s816obex.sys [2008-11-08 97320]
S3 s816unic;Sony Ericsson Device 816 USB Ethernet Emulation SEMCMR7 (WDM);c:\windows\system32\drivers\s816unic.sys [2008-11-08 97704]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{641eb4f6-ca69-11dd-a355-001b1105321a}]
\Shell\AutoRun\command - I:\abk.bat
\Shell\explore\Command - I:\abk.bat
\Shell\open\Command - I:\abk.bat
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dd3b99d6-ae5e-11dd-a2dd-001b1105321a}]
\Shell\AutoRun\command - sysinfo.exe
\Shell\explore\command - sysinfo.exe
\Shell\open\command - sysinfo.exe
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
mStart Page = about:blank
uInternet Settings,ProxyOverride = local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: تحميل الكل بـ إنترنت داونلود مانيجر - e:\program files\Internet Download Manager\IEGetAll.htm
IE: تحميل بـ إنترنت داونلود مانيجر - e:\program files\Internet Download Manager\IEExt.htm
IE: تحميل محتوى فيديو (إف.إل.في) بـ إنترنت داونلود مانيجر - e:\program files\Internet Download Manager\IEGetVL.htm
O16 -: Microsoft XML Parser for Java -
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
Rootkit scan 2009-01-06 16:17:30
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):54,b0,68,ab,1e,69,54,9b,02,39,bd,96,bc,ca,62,30,7a,7c,67,e8,63,\
dc,b5,66,c7,43,97,7c,f9,18,3e,a3,02,b0,05,bb,08,aa,4b,42,00,00,00,00,00,00,\
00,00,00,00
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{bd2d7cfb-62b3-4b0f-a395-b1aaceb13591}]
@Denied: (Full) (Everyone)
"Model"=dword:00000002
"Therad"=dword:00000001
"MData"=hex(0):cb,9b,ad,ef,27,7d,29,69,f5,02,f0,76,aa,4a,f1,7c,d3,d9,67,7f,6a,\
4b,7b,ad,04,7a,b1,b5,76,9b,27,47,6f,e7,1e,2d,45,4a,ee,74,37,4f,94,9b,65,ae,\
af,c9,78,9f,42,f3,21,14,6b,e9,06,7a,50,3b,03,74,8b,8e,5e,d0,60,cf,5f,bd,6c,\
57,6a,d8,39,2d,84,a1,0e,73,f5,d6,8d,e7,ec,41,b6,c2,b3,34,5f,e5,bb,d7,26,ca,\
a2,3a,41,14,db,d5,2e,a0,d3,94,8c,90,8f,7f,5e,a9,3f,e4,37,24,b5,ea,ea,d0,c6,\
c8,e7,96,da,5d,44,dc,06,2c,94,03,00,06,27,76,4b,d3,a4,ba,93,df,33,e1,46,8f,\
3c,f2,5c,68,ee,21,f7,97,a8,b1,05,47,89,be,31,d8,9a,fa,03,7f,f4,70,84,76,e7,\
e8,ba,51,7c,3b,55,0e,fa,f2,76,72,06,ae,5e,f2,4a,28,92,40,26,e4,e7,c6,37,13,\
49,b7,02,4b,ac,ed,21,06,b0,05,92,54,71,b7,f9,27,f7,f8,a4,76,eb,f6,b2,51,d3,\
42,fa,b3,98,24,7f,c0,6e,3e,7e,f6,49,8c,bf,1a,9d,fe,41,71,cb,3f,46,a4,7c,ab,\
3f,ce,36,b4,5b,f9,0b,02,e1,03
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Teleca Shared\Generic.exe
e:\program files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
c:\windows\system32\wscntfy.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
.
**************************************************************************
.
Completion time: 01/06/2009 16:20:30 - machine was rebooted
********-quarantined-files.txt 2009-01-06 12:20:23
Pre-Run: 22,177,177,600 bytes free
Post-Run: 22,131,605,504 bytes free
206 --- E O F --- 2008-12-29 21:33:36