سويت مثل ماقلت
هاذا التقرير
ComboFix 09-03-19.02 - user 03/21/2009 23:37:02.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1256.1.1033.18.2046.1492 [GMT 3:00]
Running from: c:\documents and settings\user\Desktop\reem\ComboFix.exe
AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Updated)
* Created a new restore point
* Resident AV is active
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\IE4 Error Log.txt
c:\windows\system32\agsaame.dll
c:\windows\system32\ALOAudioFile2.dll
c:\windows\system32\ALOAVIFile.dll
c:\windows\system32\ALOQuickTimeFile.dll
c:\windows\system32\ALOVideoCoreM.dll
c:\windows\system32\ALOWMAFile2.dll
c:\windows\system32\kakle.dll
c:\windows\system32\pthreadGC2.dll
c:\windows\system32\winitn.dll
c:\windows\system32\x64
.
((((((((((((((((((((((((( Files Created from 2009-02-21 to 2009-03-21 )))))))))))))))))))))))))))))))
.
No new files created in this timespan
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-21 20:31 --------- d-----w c:\program files\FlashGet
2009-03-05 18:20 --------- d-----w c:\program files\JAP
2009-03-05 18:19 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-05 18:19 --------- d-----w c:\program files\JavaSoft
2009-03-02 21:53 --------- d-----w c:\program files\Hotspot_Shield
2009-03-02 21:53 --------- d-----w c:\program files\Conduit
2009-03-02 14:32 --------- d-----w c:\program files\ma-config.com
2009-03-02 14:32 --------- d-----w c:\documents and settings\All Users\Application Data\ma-config.com
2009-03-02 13:46 --------- d-----w c:\documents and settings\user\Application Data\CyberLink
2009-02-18 12:39 --------- d-----w c:\program files\Windows Live
2009-02-16 00:09 --------- d-----w c:\program files\Internet Audio Mix
2009-02-13 03:22 --------- d-----w c:\program files\Common Files\Adobe
2009-02-13 02:39 --------- d-----w c:\program files\K-Lite Codec Pack
2009-02-12 21:08 --------- d-----w c:\program files\Messenger Plus! Live
2009-02-12 20:59 --------- d-----w c:\documents and settings\All Users\Application Data\Messenger Plus!
2009-02-12 20:58 --------- d-----w c:\program files\Microsoft Sync Framework
2009-02-12 20:56 --------- d-----w c:\program files\Windows Live SkyDrive
2009-02-12 19:49 --------- d-----w c:\program files\Google
2009-02-12 17:27 --------- d-----w c:\program files\Microsoft SQL Server Compact Edition
2009-02-12 17:26 --------- d-----w c:\program files\Microsoft
2009-02-12 16:31 --------- d-----w c:\program files\Common Files\Windows Live
2009-02-12 15:28 --------- d-----w c:\program files\JetAudio
2009-02-12 15:28 --------- d-----w c:\documents and settings\user\Application Data\COWON
2009-02-12 15:11 --------- d-----w c:\program files\Zuma Deluxe
2009-02-12 15:05 --------- d-----w c:\program files\Real
2009-02-12 15:05 --------- d-----w c:\program files\Common Files\Real
2009-02-12 14:43 --------- d-----w c:\program files\GRETECH
2009-02-06 20:32 57,344 ----a-w c:\windows\system32\ff_vfw.dll
2009-02-06 16:43 307,576 ----a-w c:\windows\WLXPGSS.SCR
2009-02-06 15:52 49,504 ----a-w c:\windows\system32\sirenacm.dll
2009-02-05 21:55 31,704 ----a-w c:\windows\system32\drivers\hssdrv.sys
2009-02-05 19:18 --------- d-----w c:\documents and settings\user\Application Data\ATI
2009-02-05 19:18 --------- d-----w c:\documents and settings\All Users\Application Data\ATI
2009-02-05 19:08 --------- d-----w c:\program files\ATI Technologies
2009-02-05 19:06 --------- d-----w c:\program files\Common Files\InstallShield
2009-02-05 19:06 --------- d-----w c:\program files\Common Files\ATI Technologies
2009-02-05 17:38 --------- d-----w c:\program files\CONEXANT
2009-01-28 21:25 2,246,163 ----a-w c:\windows\system32\x264vfw.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [08/12/2004 03:00 PM 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [10/16/2007 08:50 PM 111952]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [12/19/2006 11:27 AM 136768]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [12/07/2005 10:57 PM 30208]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [05/18/2006 11:29 AM 49152]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [09/05/2007 12:13 PM 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [09/05/2007 12:13 PM 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [09/05/2007 12:13 PM 137752]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [08/29/2008 05:11 PM 61440]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [10/15/2008 01:04 AM 39792]
"RTHDCPL"="RTHDCPL.EXE" [07/05/2007 11:08 AM 16380416 c:\windows\RTHDCPL.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [08/12/2004 03:00 PM 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3fhg"= mp3fhg.acm
"msacm.divxa32"= divxa32.acm
"VIDC.X264"= x264vfw.dll
"VIDC.HFYU"= huffyuv.dll
"vidc.i263"= i263_32.drv
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\FlashGet\\flashget.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
R2 SeaPort;SeaPort;c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe [2009-01-14 226656]
R3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [2009-02-05 89600]
R3 HssDrv;Hotspot Shield Helper Miniport;c:\windows\system32\drivers\hssdrv.sys [2009-02-24 31704]
S3 HssTrayService;Hotspot Shield Tray Service;c:\program files\Hotspot Shield\bin\HssTrayService.EXE --> c:\program files\Hotspot Shield\bin\HssTrayService.EXE [?]
S3 maconfservice;Ma-Config Service;c:\program files\ma-config.com\maconfservice.exe [2008-09-02 191656]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{54b7c33f-7737-11dd-9790-806d6172696f}]
\Shell\AutoRun\command - F:\setupSNK.exe
.
- - - - ORPHANS REMOVED - - - -
BHO-{c95a4e8e-816d-4655-8c79-d736da1adb6d} - (no file)
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.sa/
mStart Page = hxxp://www.yahoo.com
uInternet Settings,ProxyServer = 127.0.0.1:4001
IE: &Download All by FlashGet - c:\progra~1\FlashGet\jc_all.htm
IE: &Download using FlashGet - c:\progra~1\FlashGet\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
Rootkit scan 2009-03-21 23:38:05
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(976)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 03/21/2009 23:38:53
ComboFix-quarantined-files.txt 2009-03-21 20:38:51
Pre-Run: 64,322,957,312 bytes free
Post-Run: 64,625,594,368 bytes free
140
وهذا تقرير الهاي جاك الجديد
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:41:25 م, on 21/03/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Windows Live\Toolbar\wltuser.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\FlashGet\flashget.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\user\Desktop\reem\Zyzoom_HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:4001
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\Jccatch.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: مساعد تسجيل الدخول إلى Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: FlashGet - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Program Files\FlashGet\fgiebar.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O8 - Extra context menu item: &Download All by FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download using FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: تدوين هذا في المدونة - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &تدوين هذا في Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Hotspot Shield Tray Service (HssTrayService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\HssTrayService.EXE (file missing)
O23 - Service: Ma-Config Service (maconfservice) - CybelSoft - C:\Program Files\ma-config.com\maconfservice.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
--
End of file - 6773 bytes
k: .... ولكن ليس جميع المشاكل ...
