zoro3309

Peace be upon you.
I want to make sure my computer is clean, because I don't like how it has been behaving these days.
This is the HijackThis scan report for my computer:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:58:52 PM, on 5/11/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
D:\New Folder\bin\jusched.exe
C:\Program Files\ColorSoft\AntiARP\AntiARP.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\IC Media Corp\ICM532\Launchpad.exe
C:\Program Files\Avira\AntiVir Desktop\avmailc.exe
C:\Documents and Settings\XPPRESP3\Desktop\Hijack This.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [link hidden by the forum: login or registration required]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [link hidden by the forum: login or registration required]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [link hidden by the forum: login or registration required]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [link hidden by the forum: login or registration required]
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Favorites
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\bin\IDMIECC.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\New Folder\bin\jp2ssv.dll (file missing)
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\New Folder\lib\deploy\jqs\ie\jqs_plugin.dll (file missing)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [RaidTool] C:\Program Files\VIA\RAID\raid_tool.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\New Folder\bin\jusched.exe"
O4 - HKLM\..\Run: [AntiARPStandalone] C:\Program Files\ColorSoft\AntiARP\AntiARP.exe
O4 - HKLM\..\Run: [msnmsgrs] C:\Documents and Settings\XPPRESP3\Desktop\travian-autobot 2.0.0 build.full\travian setup.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User '?')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User '?')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User '?')
O4 - HKUS\S-1-5-21-329068152-2139871995-1801674531-1001\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User '?')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user')
O4 - S-1-5-21-329068152-2139871995-1801674531-1001 Startup: static.bat (User '?')
O4 - Startup: static.bat
O4 - Global Startup: Launchpad.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: تحميل الكل بواسطة Internet Download Manager - C:\Program Files\Internet Download Manager\bin\IEGetAll.htm
O8 - Extra context menu item: تحميل بواسطة Internet Download Manager - C:\Program Files\Internet Download Manager\bin\IEExt.htm
O8 - Extra context menu item: تحميل محتوى FLV بواسطة Internet Download Manager - C:\Program Files\Internet Download Manager\bin\IEGetVL.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://www.google.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{EDFEA7F3-D58F-4F8E-8261-039FDD0C783B}: NameServer = 163.121.128.134,163.121.128.135
O23 - Service: AntiARP Client Loader (AntiARPClientLoader) - Unknown owner - C:\Program Files\ColorSoft\AntiARP\AntiARPClientLoader.exe
O23 - Service: Avira AntiVir MailGuard (AntiVirMailService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avmailc.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\New Folder\bin\jqs.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 6571 bytes

Please help me as soon as possible.
 

Signature: zoro3309
You have infections.

Disable the protection program on your computer so that it does not conflict with the tool.

Download this tool:

[link hidden by the forum: login or registration required]

When you run it, a message will appear; click >> Yes.
Then a second message will appear; click >> Yes.

During the scan the computer may be restarted.
After the restart, the tool will start scanning again.
Wait until a report appears; with that, the scan is finished. Paste the report in your next post.
 
Signature: Corporation
ComboFix 09-05-11.01 - XPPRESP3 05/11/2009 22:22.1 - FAT32x86
Running from: c:\documents and settings\XPPRESP3\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\IE4 Error Log.txt
c:\windows\system32\msconfig.exe
c:\windows\system32\winio.vxd

.
((((((((((((((((((((((((( Files Created from 2009-04-11 to 2009-05-11 )))))))))))))))))))))))))))))))
.

2009-05-11 12:20 . 2009-05-11 12:20 -------- d-sh--w C:\FOUND.037
2009-05-06 18:35 . 2009-05-06 18:35 -------- d-sh--w C:\FOUND.036
2009-05-03 14:54 . 2009-05-03 14:54 -------- d-sh--w C:\FOUND.035
2009-05-02 10:25 . 2009-05-02 10:25 -------- d-----w c:\program files\ColorSoft
2009-05-02 09:09 . 2009-05-02 09:09 -------- d-sh--w C:\FOUND.034
2009-04-30 17:52 . 2009-04-30 17:52 -------- d-sh--w C:\FOUND.033
2009-04-30 10:12 . 2009-04-30 10:12 -------- d-sh--w C:\FOUND.032
2009-04-29 18:52 . 2009-04-29 18:52 -------- d-sh--w C:\FOUND.031
2009-04-29 07:11 . 2009-04-29 07:11 -------- d-sh--w C:\FOUND.030
2009-04-28 13:30 . 2009-04-28 13:30 -------- d-sh--w C:\FOUND.029
2009-04-27 10:56 . 2009-04-27 10:56 -------- d-sh--w C:\FOUND.028
2009-04-25 21:28 . 2009-04-25 21:28 -------- d-sh--w C:\FOUND.027
2009-04-23 21:20 . 2009-04-23 21:20 -------- d-sh--w C:\FOUND.026
2009-04-23 09:01 . 2009-04-23 09:01 -------- d-sh--w C:\FOUND.025
2009-04-22 20:57 . 2009-04-22 20:57 -------- d-sh--w C:\FOUND.024
2009-04-21 09:57 . 2009-04-21 09:57 -------- d-sh--w C:\FOUND.023
2009-04-20 21:43 . 2009-04-20 21:43 -------- d-sh--w C:\FOUND.022
2009-04-19 11:44 . 2009-04-19 11:44 -------- d-sh--w C:\FOUND.021
2009-04-18 10:25 . 2009-04-18 10:25 -------- d-sh--w C:\FOUND.020
2009-04-15 12:09 . 2009-04-15 12:09 -------- d-sh--w C:\FOUND.019
2009-04-12 17:22 . 2009-04-12 17:22 -------- d-sh--w C:\FOUND.018
2009-04-12 09:53 . 2009-04-12 09:53 -------- d-sh--w C:\FOUND.017

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-27 11:49 . 2009-03-20 05:41 55640 ----a-w c:\windows\system32\drivers\avgntflt.sys
2009-04-02 10:08 . 2009-02-20 11:25 18312 ----a-w c:\documents and settings\XPPRESP3\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-01 22:42 . 2009-04-01 22:42 -------- d-----w c:\program files\AP Tuner
2009-03-30 21:49 . 2009-03-30 21:49 -------- d-----w c:\program files\Microsoft
2009-03-30 21:48 . 2009-03-30 21:48 -------- d-----w c:\program files\Windows Live SkyDrive
2009-03-27 12:23 . 2009-03-27 12:23 -------- d-----w c:\program files\SpeederXP
2009-03-26 14:35 . 2006-10-23 20:55 210352 ----a-w c:\windows\system32\idmmbc.dll
2009-03-21 10:56 . 2009-03-21 10:56 -------- d-----w c:\program files\Avira
2009-03-20 15:10 . 2009-03-20 15:10 0 ----a-w c:\windows\nsreg.dat
2009-03-16 11:29 . 2009-03-16 11:29 -------- d-----w c:\program files\Common Files\Scanner
2009-03-09 07:10 . 2009-03-09 06:48 20480 ----a-w c:\windows\system32\H@tKeysH@@k.DLL
2009-03-09 02:19 . 2009-02-21 08:51 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-08 01:34 . 2005-10-21 00:38 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-08 01:34 . 2004-08-04 06:56 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-08 01:33 . 2004-08-04 06:56 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-08 01:33 . 2004-08-04 06:56 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-08 01:32 . 2004-08-04 06:56 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-08 01:32 . 2004-08-04 06:56 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-08 01:31 . 2004-08-04 06:56 34816 ----a-w c:\windows\system32\imgutil.dll
2009-03-08 01:31 . 2004-08-04 06:56 48128 ----a-w c:\windows\system32\mshtmler.dll
2009-03-08 01:31 . 2004-08-04 06:56 45568 ----a-w c:\windows\system32\mshta.exe
2009-03-08 01:22 . 2001-08-23 11:00 156160 ----a-w c:\windows\system32\msls31.dll
2009-02-23 13:55 . 2009-02-23 13:49 7168 ----a-w c:\windows\system32\drivers\uty5ntq4.sys
.

------- Sigcheck -------

[-] 2005-11-26 20:30 359808 0E66B538096A6529D1AC66E78EB0D5C8 c:\windows\system32\drivers\tcpip.sys
[-] 2005-03-14 00:17 359936 6129E70F3D2F1E60860C930EBEAF92C2 c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys

[-] 2004-08-04 06:56 949760 9BE29C2873DF44DD301EC57EEE9A6440 c:\windows\explorer.exe
[7] 2004-08-04 06:56 1032192 A0732187050030AE399B241436565E64 c:\windows\XPize\Backup\explorer.exe

[-] 2004-08-04 06:56 30208 DE8FA9CF18F95341079C7E6A215C226A c:\windows\system32\ctfmon.exe
[7] 2004-08-04 06:56 15360 24232996A38C0B0CF151C2140AE29FC8 c:\windows\XPize\Backup\ctfmon.exe

[-] 2005-12-19 14:49 1580544 784DDC1F40C4F729284D5A73930F0C9D c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 30208]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-03-18 4363504]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RaidTool"="c:\program files\VIA\RAID\raid_tool.exe" [2005-06-20 1056768]
"SunJavaUpdateSched"="d:\new folder\bin\jusched.exe" [2009-03-09 148888]
"AntiARPStandalone"="c:\program files\ColorSoft\AntiARP\AntiARP.exe" [2009-02-19 8089600]
"VTTimer"="VTTimer.exe" - c:\windows\system32\VTTimer.exe [2005-03-07 53248]
"VTTrayp"="VTtrayp.exe" - c:\windows\system32\VTTrayp.exe [2005-03-11 147456]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\Soundman.exe [2005-06-20 90112]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 30208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nlsf"="move" [X]
"nlhr"="c:\windows\System32\AdvPack.Dll" [2009-03-08 128512]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]

c:\documents and settings\XPPRESP3\Start Menu\Programs\Startup\
static.bat [2008-8-10 36]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Launchpad.lnk - c:\program files\IC Media Corp.\ICM532\Launchpad.exe [2006-10-24 49152]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoExpandedNewMenu"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoSMHelp"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"=hex(2):58,50,69,7a,65,5f,4c,6f,67,6f,6e,2e,65,78,65,00

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"f:\\GAMES\\COMMANDO\\COMMANDO\\TCPSERVER.EXE"=
"c:\\WINDOWS\\System32\\dplaysvr.exe"=
"f:\\GAMES\\COMMANDO\\COMM2.EXE"=
"f:\\games\\الرجل المقاتل\\QUAKE3.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"f:\\GAMES\\Claw\\CLAW.EXE"=
"f:\\games\\C???? C???CE?\\QUAKE3.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R2 AntiARPClientLoader;AntiARP Client Loader;c:\program files\ColorSoft\AntiARP\AntiARPClientLoader.exe [2007-10-17 40960]
R3 DCamUSBUVT;ICM532A;c:\windows\system32\Drivers\usbuvt.sys [2005-04-12 103424]
R3 NPF;WinPcap Packet Driver (NPF);c:\windows\system32\drivers\NPF.sys [2007-06-28 42512]
R3 uty5ntq4;AVZ Kernel Driver;c:\windows\system32\Drivers\uty5ntq4.sys [2009-02-23 7168]
R4 AntiVirWebService;Avira AntiVir WebGuard;c:\program files\Avira\AntiVir Desktop\AVWEBGRD.EXE [2009-02-12 432897]
S2 AntiArpNdisProt;AntiARP NDIS Protocol Driver;c:\windows\system32\DRIVERS\AntiArpNdisProt.sys [2007-10-17 21120]
S2 AntiVirMailService;Avira AntiVir MailGuard;c:\program files\Avira\AntiVir Desktop\avmailc.exe [2009-04-27 194817]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-04-27 108289]
S2 YahooAUService;Yahoo! Updater;c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe [2008-11-09 602392]
S3 xAntiArp;xAntiArpSpoof Service;c:\windows\system32\DRIVERS\xAntiArp.sys [2008-11-22 311040]


--- Other Services/Drivers In Memory ---

*Deregistered* - AFD
*Deregistered* - ALG
*Deregistered* - AntiARPClientLoader
*Deregistered* - AntiArpNdisProt
*Deregistered* - AntiVirMailService
*Deregistered* - AntiVirSchedulerService
*Deregistered* - AntiVirService
*Deregistered* - AudioSrv
*Deregistered* - audstub
*Deregistered* - avgio
*Deregistered* - avgntflt
*Deregistered* - avipbb
*Deregistered* - Beep
*Deregistered* - BITS
*Deregistered* - Cdfs
*Deregistered* - CryptSvc
*Deregistered* - DcomLaunch
*Deregistered* - Dhcp
*Deregistered* - dmio
*Deregistered* - dmload
*Deregistered* - dmserver
*Deregistered* - Dnscache
*Deregistered* - EventSystem
*Deregistered* - Fastfat
*Deregistered* - FastUserSwitchingCompatibility
*Deregistered* - Fips
*Deregistered* - FltMgr
*Deregistered* - Ftdisk
*Deregistered* - Gpc
*Deregistered* - HTTP
*Deregistered* - IpNat
*Deregistered* - IPSec
*Deregistered* - JavaQuickStarterService
*Deregistered* - KSecDD
*Deregistered* - lanmanserver
*Deregistered* - lanmanworkstation
*Deregistered* - LmHosts
*Deregistered* - mnmdd
*Deregistered* - MountMgr
*Deregistered* - MRxSmb
*Deregistered* - Msfs
*Deregistered* - mssmbios
*Deregistered* - Mup
*Deregistered* - NDIS
*Deregistered* - NdisTapi
*Deregistered* - Ndisuio
*Deregistered* - NdisWan
*Deregistered* - NDProxy
*Deregistered* - NetBIOS
*Deregistered* - NetBT
*Deregistered* - Netman
*Deregistered* - Nla
*Deregistered* - Npfs
*Deregistered* - Null
*Deregistered* - PartMgr
*Deregistered* - ParVdm
*Deregistered* - PCIIde
*Deregistered* - PolicyAgent
*Deregistered* - PptpMiniport
*Deregistered* - PSched
*Deregistered* - RasAcd
*Deregistered* - Rasl2tp
*Deregistered* - RasMan
*Deregistered* - RasPppoe
*Deregistered* - Raspti
*Deregistered* - Rdbss
*Deregistered* - RDPCDD
*Deregistered* - rdpdr
*Deregistered* - RpcSs
*Deregistered* - SamSs
*Deregistered* - Schedule
*Deregistered* - seclogon
*Deregistered* - SENS
*Deregistered* - SharedAccess
*Deregistered* - ShellHWDetection
*Deregistered* - Spooler
*Deregistered* - sr
*Deregistered* - srservice
*Deregistered* - Srv
*Deregistered* - SSDPSRV
*Deregistered* - ssmdrv
*Deregistered* - swenum
*Deregistered* - TapiSrv
*Deregistered* - Tcpip
*Deregistered* - TermDD
*Deregistered* - TermService
*Deregistered* - Themes
*Deregistered* - TrkWks
*Deregistered* - Update
*Deregistered* - VgaSave
*Deregistered* - VolSnap
*Deregistered* - Wanarp
*Deregistered* - winmgmt
*Deregistered* - WS2IFSL
*Deregistered* - wuauserv
*Deregistered* - WZCSVC
*Deregistered* - xAntiArp
*Deregistered* - YahooAUService

NETSVCS REQUIRES REPAIRS - current entries shown
6to4
AppMgmt
AudioSrv
Browser
CryptSvc
DMServer
DHCP
ERSvc
EventSystem
FastUserSwitchingCompatibility
HidServ
Ias
Iprip
Irmon
LanmanServer
LanmanWorkstation
Netman
Nla
NWCWorkstation
Nwsapagent
Rasauto
Rasman
Remoteaccess
Schedule
Seclogon
SENS
Sharedaccess
SRService
Tapisrv
Themes
TrkWks
WZCSVC
Wmi
WmdmPmSp
winmgmt
xmlprov
BITS
wuauserv
ShellHWDetection
WmdmPmSN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{236289D6-86B7-5004-A24E-713161322A61}]
c:\documents and settings\XPPRESP3\Desktop\travian-autobot 2.0.0 build.full\travian setup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,LaunchINFSectionEx c:\program files\Internet Explorer\clrtour.inf,DefaultInstall.ResetTour,,12
.
Contents of the 'Scheduled Tasks' folder

2009-05-11 c:\windows\Tasks\User_Feed_Synchronization-{E1FD3313-5BCB-478C-9ADA-C926883FFBA4}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 01:31]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-MSConfig - c:\windows\system32\msconfig.exe
Notify-WgaLogon - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
mDefault_Page_URL = hxxp://www.google.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
IE: تحميل الكل بواسطة Internet Download Manager - c:\program files\Internet Download Manager\bin\IEGetAll.htm
IE: تحميل بواسطة Internet Download Manager - c:\program files\Internet Download Manager\bin\IEExt.htm
IE: تحميل محتوى FLV بواسطة Internet Download Manager - c:\program files\Internet Download Manager\bin\IEGetVL.htm
LSP: c:\windows\system32\idmmbc.dll
LSP: c:\program files\Avira\AntiVir Desktop\avsda.dll
TCP: {EDFEA7F3-D58F-4F8E-8261-039FDD0C783B} = 163.121.128.134,163.121.128.135
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
[link hidden by the forum: login or registration required]

Rootkit scan 2009-05-11 22:24
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-329068152-2139871995-1801674531-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*a%0*s*]
@Class="Shell"

[HKEY_USERS\S-1-5-21-329068152-2139871995-1801674531-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*a%0*s*\OpenWithList]
@Class="Shell"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5de26187-051e-44a2-8271-fab80ea82b2e}]
@Denied: (Full) (Everyone)
"Model"=dword:00000042
"Therad"=dword:00000012

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):c9,b4,a7,97,50,d2,08,1a,cd,09,59,eb,d7,46,50,7e,23,29,8f,8c,ed,
4f,88,03,eb,e0,e1,31,9d,e2,50,46,6d,8d,17,2c,f1,c4,72,ea,00,00,00,00,00,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1084)
c:\windows\system32\cscui.dll

- - - - - - - > 'lsass.exe'(1140)
c:\windows\system32\idmmbc.dll
c:\program files\Avira\AntiVir Desktop\avsda.dll
.
Completion time: 2009-05-11 22:25
ComboFix-quarantined-files.txt 2009-05-11 19:25

Pre-Run: 1,484,820,480 bytes free
Post-Run: 1,489,297,408 bytes free

 
Signature: zoro3309
up
 
Signature: zoro3309
A new HijackThis log, please.
 
Signature: أعتز بك
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:31:13 PM, on 5/12/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\WINDOWS\SOUNDMAN.EXE
D:\New Folder\bin\jusched.exe
C:\Program Files\ColorSoft\AntiARP\AntiARP.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\IC Media Corp\ICM532\Launchpad.exe
C:\Program Files\Avira\AntiVir Desktop\avmailc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\XPPRESP3\Desktop\Hijack This.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [link hidden by the forum: login or registration required]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [link hidden by the forum: login or registration required]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [link hidden by the forum: login or registration required]
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Favorites
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\bin\IDMIECC.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\New Folder\bin\jp2ssv.dll (file missing)
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\New Folder\lib\deploy\jqs\ie\jqs_plugin.dll (file missing)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [RaidTool] C:\Program Files\VIA\RAID\raid_tool.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\New Folder\bin\jusched.exe"
O4 - HKLM\..\Run: [AntiARPStandalone] C:\Program Files\ColorSoft\AntiARP\AntiARP.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-21-329068152-2139871995-1801674531-1001\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-329068152-2139871995-1801674531-1001\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet (User '?')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User '?')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user')
O4 - S-1-5-21-329068152-2139871995-1801674531-1001 Startup: static.bat (User '?')
O4 - Startup: static.bat
O4 - Global Startup: Launchpad.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: تحميل الكل بواسطة Internet Download Manager - C:\Program Files\Internet Download Manager\bin\IEGetAll.htm
O8 - Extra context menu item: تحميل بواسطة Internet Download Manager - C:\Program Files\Internet Download Manager\bin\IEExt.htm
O8 - Extra context menu item: تحميل محتوى FLV بواسطة Internet Download Manager - C:\Program Files\Internet Download Manager\bin\IEGetVL.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://www.google.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{EDFEA7F3-D58F-4F8E-8261-039FDD0C783B}: NameServer = 163.121.128.134,163.121.128.135
O23 - Service: AntiARP Client Loader (AntiARPClientLoader) - Unknown owner - C:\Program Files\ColorSoft\AntiARP\AntiARPClientLoader.exe
O23 - Service: Avira AntiVir MailGuard (AntiVirMailService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avmailc.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: CiSvc - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\New Folder\bin\jqs.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 5607 bytes
 
Signature: zoro3309
Remove the toolbar from Add or Remove Programs.

Then do the following:

Disable all protection programs >>> check the computer's time and date.
>>> Do not rename the tool, and save it to the desktop.
Download this tool and save it to the desktop:

[link hidden by the forum: login or registration required]

When you run it, a message will appear; click >> Yes.
Then a second message will appear; click >> Yes.
Wait until the tool finishes scanning your computer; it will restart your computer automatically.
After the restart, the tool will start scanning again.
Wait until a report appears; copy it and paste it in your next reply.
 
Signature: أعتز بك
Here is the report:
ComboFix 09-05-11.08 - XPPRESP3 05/12/2009 14:46.2 - FAT32x86
Running from: c:\documents and settings\XPPRESP3\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2009-04-12 to 2009-05-12 )))))))))))))))))))))))))))))))
.

2009-05-12 11:16 . 2009-05-12 11:16 -------- d-----w c:\windows\srchasst
2009-05-12 11:16 . 2009-05-12 11:16 -------- d-----w c:\windows\system32\xircom
2009-05-12 11:16 . 2009-05-12 11:16 -------- d-----w c:\program files\microsoft frontpage
2009-05-12 11:16 . 2009-05-12 11:16 -------- d-sh--w C:\FOUND.038
2009-05-11 12:20 . 2009-05-11 12:20 -------- d-sh--w C:\FOUND.037
2009-05-06 18:35 . 2009-05-06 18:35 -------- d-sh--w C:\FOUND.036
2009-05-03 14:54 . 2009-05-03 14:54 -------- d-sh--w C:\FOUND.035
2009-05-02 10:25 . 2009-05-02 10:25 -------- d-----w c:\program files\ColorSoft
2009-05-02 09:09 . 2009-05-02 09:09 -------- d-sh--w C:\FOUND.034
2009-04-30 17:52 . 2009-04-30 17:52 -------- d-sh--w C:\FOUND.033
2009-04-30 10:12 . 2009-04-30 10:12 -------- d-sh--w C:\FOUND.032
2009-04-29 18:52 . 2009-04-29 18:52 -------- d-sh--w C:\FOUND.031
2009-04-29 07:11 . 2009-04-29 07:11 -------- d-sh--w C:\FOUND.030
2009-04-28 13:30 . 2009-04-28 13:30 -------- d-sh--w C:\FOUND.029
2009-04-27 10:56 . 2009-04-27 10:56 -------- d-sh--w C:\FOUND.028
2009-04-25 21:28 . 2009-04-25 21:28 -------- d-sh--w C:\FOUND.027
2009-04-23 21:20 . 2009-04-23 21:20 -------- d-sh--w C:\FOUND.026
2009-04-23 09:01 . 2009-04-23 09:01 -------- d-sh--w C:\FOUND.025
2009-04-22 20:57 . 2009-04-22 20:57 -------- d-sh--w C:\FOUND.024
2009-04-21 09:57 . 2009-04-21 09:57 -------- d-sh--w C:\FOUND.023
2009-04-20 21:43 . 2009-04-20 21:43 -------- d-sh--w C:\FOUND.022
2009-04-19 11:44 . 2009-04-19 11:44 -------- d-sh--w C:\FOUND.021
2009-04-18 10:25 . 2009-04-18 10:25 -------- d-sh--w C:\FOUND.020
2009-04-15 12:09 . 2009-04-15 12:09 -------- d-sh--w C:\FOUND.019
2009-04-12 17:22 . 2009-04-12 17:22 -------- d-sh--w C:\FOUND.018

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-27 11:49 . 2009-03-20 05:41 55640 ----a-w c:\windows\system32\drivers\avgntflt.sys
2009-04-02 10:08 . 2009-02-20 11:25 18312 ----a-w c:\documents and settings\XPPRESP3\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-01 22:42 . 2009-04-01 22:42 -------- d-----w c:\program files\AP Tuner
2009-03-30 21:49 . 2009-03-30 21:49 -------- d-----w c:\program files\Microsoft
2009-03-30 21:48 . 2009-03-30 21:48 -------- d-----w c:\program files\Windows Live SkyDrive
2009-03-27 12:23 . 2009-03-27 12:23 -------- d-----w c:\program files\SpeederXP
2009-03-26 14:35 . 2006-10-23 20:55 210352 ----a-w c:\windows\system32\idmmbc.dll
2009-03-21 10:56 . 2009-03-21 10:56 -------- d-----w c:\program files\Avira
2009-03-20 15:10 . 2009-03-20 15:10 0 ----a-w c:\windows\nsreg.dat
2009-03-16 11:29 . 2009-03-16 11:29 -------- d-----w c:\program files\Common Files\Scanner
2009-03-09 07:10 . 2009-03-09 06:48 20480 ----a-w c:\windows\system32\H@tKeysH@@k.DLL
2009-03-09 02:19 . 2009-02-21 08:51 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-08 01:34 . 2005-10-21 00:38 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-08 01:34 . 2004-08-04 06:56 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-08 01:33 . 2004-08-04 06:56 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-08 01:33 . 2004-08-04 06:56 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-08 01:32 . 2004-08-04 06:56 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-08 01:32 . 2004-08-04 06:56 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-08 01:31 . 2004-08-04 06:56 34816 ----a-w c:\windows\system32\imgutil.dll
2009-03-08 01:31 . 2004-08-04 06:56 48128 ----a-w c:\windows\system32\mshtmler.dll
2009-03-08 01:31 . 2004-08-04 06:56 45568 ----a-w c:\windows\system32\mshta.exe
2009-03-08 01:22 . 2001-08-23 11:00 156160 ----a-w c:\windows\system32\msls31.dll
2009-02-23 13:55 . 2009-02-23 13:49 7168 ----a-w c:\windows\system32\drivers\uty5ntq4.sys
.

------- Sigcheck -------

[-] 2005-11-26 20:30 359808 0E66B538096A6529D1AC66E78EB0D5C8 c:\windows\system32\drivers\tcpip.sys
[-] 2005-03-14 00:17 359936 6129E70F3D2F1E60860C930EBEAF92C2 c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys

[-] 2004-08-04 06:56 949760 9BE29C2873DF44DD301EC57EEE9A6440 c:\windows\explorer.exe
[7] 2004-08-04 06:56 1032192 A0732187050030AE399B241436565E64 c:\windows\XPize\Backup\explorer.exe

[-] 2004-08-04 06:56 30208 DE8FA9CF18F95341079C7E6A215C226A c:\windows\system32\ctfmon.exe
[7] 2004-08-04 06:56 15360 24232996A38C0B0CF151C2140AE29FC8 c:\windows\XPize\Backup\ctfmon.exe

[-] 2005-12-19 14:49 1580544 784DDC1F40C4F729284D5A73930F0C9D c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 30208]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-03-18 4363504]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RaidTool"="c:\program files\VIA\RAID\raid_tool.exe" [2005-06-20 1056768]
"SunJavaUpdateSched"="d:\new folder\bin\jusched.exe" [2009-03-09 148888]
"AntiARPStandalone"="c:\program files\ColorSoft\AntiARP\AntiARP.exe" [2009-02-19 8089600]
"VTTimer"="VTTimer.exe" - c:\windows\system32\VTTimer.exe [2005-03-07 53248]
"VTTrayp"="VTtrayp.exe" - c:\windows\system32\VTTrayp.exe [2005-03-11 147456]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\Soundman.exe [2005-06-20 90112]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 30208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nlsf"="move" [X]
"nlhr"="c:\windows\System32\AdvPack.Dll" [2009-03-08 128512]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]

c:\documents and settings\XPPRESP3\Start Menu\Programs\Startup\
static.bat [2008-8-10 36]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Launchpad.lnk - c:\program files\IC Media Corp.\ICM532\Launchpad.exe [2006-10-24 49152]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoExpandedNewMenu"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoSMHelp"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"=hex(2):58,50,69,7a,65,5f,4c,6f,67,6f,6e,2e,65,78,65,00

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"f:\\GAMES\\COMMANDO\\COMMANDO\\TCPSERVER.EXE"=
"c:\\WINDOWS\\System32\\dplaysvr.exe"=
"f:\\GAMES\\COMMANDO\\COMM2.EXE"=
"f:\\games\\الرجل المقاتل\\QUAKE3.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"f:\\GAMES\\Claw\\CLAW.EXE"=
"f:\\games\\C???? C???CE?\\QUAKE3.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R2 AntiARPClientLoader;AntiARP Client Loader;c:\program files\ColorSoft\AntiARP\AntiARPClientLoader.exe [2007-10-17 40960]
R3 DCamUSBUVT;ICM532A;c:\windows\system32\Drivers\usbuvt.sys [2005-04-12 103424]
R3 NPF;WinPcap Packet Driver (NPF);c:\windows\system32\drivers\NPF.sys [2007-06-28 42512]
R3 uty5ntq4;AVZ Kernel Driver;c:\windows\system32\Drivers\uty5ntq4.sys [2009-02-23 7168]
R4 AntiVirWebService;Avira AntiVir WebGuard;c:\program files\Avira\AntiVir Desktop\AVWEBGRD.EXE [2009-02-12 432897]
S2 AntiArpNdisProt;AntiARP NDIS Protocol Driver;c:\windows\system32\DRIVERS\AntiArpNdisProt.sys [2007-10-17 21120]
S2 AntiVirMailService;Avira AntiVir MailGuard;c:\program files\Avira\AntiVir Desktop\avmailc.exe [2009-04-27 194817]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-04-27 108289]
S3 xAntiArp;xAntiArpSpoof Service;c:\windows\system32\DRIVERS\xAntiArp.sys [2008-11-22 311040]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - HELPSVC
*Deregistered* - AFD
*Deregistered* - ALG
*Deregistered* - AntiARPClientLoader
*Deregistered* - AntiArpNdisProt
*Deregistered* - AntiVirMailService
*Deregistered* - AntiVirSchedulerService
*Deregistered* - AntiVirService
*Deregistered* - AudioSrv
*Deregistered* - audstub
*Deregistered* - avgio
*Deregistered* - avgntflt
*Deregistered* - avipbb
*Deregistered* - Beep
*Deregistered* - BITS
*Deregistered* - Cdfs
*Deregistered* - CryptSvc
*Deregistered* - DcomLaunch
*Deregistered* - Dhcp
*Deregistered* - dmio
*Deregistered* - dmload
*Deregistered* - dmserver
*Deregistered* - Dnscache
*Deregistered* - ERSvc
*Deregistered* - EventSystem
*Deregistered* - Fastfat
*Deregistered* - FastUserSwitchingCompatibility
*Deregistered* - Fips
*Deregistered* - FltMgr
*Deregistered* - Ftdisk
*Deregistered* - Gpc
*Deregistered* - HTTP
*Deregistered* - IpNat
*Deregistered* - IPSec
*Deregistered* - JavaQuickStarterService
*Deregistered* - KSecDD
*Deregistered* - lanmanserver
*Deregistered* - lanmanworkstation
*Deregistered* - LmHosts
*Deregistered* - mnmdd
*Deregistered* - MountMgr
*Deregistered* - MRxSmb
*Deregistered* - Msfs
*Deregistered* - mssmbios
*Deregistered* - Mup
*Deregistered* - NDIS
*Deregistered* - NdisTapi
*Deregistered* - Ndisuio
*Deregistered* - NdisWan
*Deregistered* - NDProxy
*Deregistered* - NetBIOS
*Deregistered* - NetBT
*Deregistered* - Netman
*Deregistered* - Nla
*Deregistered* - Npfs
*Deregistered* - Null
*Deregistered* - PartMgr
*Deregistered* - ParVdm
*Deregistered* - PCIIde
*Deregistered* - PolicyAgent
*Deregistered* - PptpMiniport
*Deregistered* - PSched
*Deregistered* - RasAcd
*Deregistered* - Rasl2tp
*Deregistered* - RasMan
*Deregistered* - RasPppoe
*Deregistered* - Raspti
*Deregistered* - Rdbss
*Deregistered* - RDPCDD
*Deregistered* - rdpdr
*Deregistered* - RpcSs
*Deregistered* - SamSs
*Deregistered* - Schedule
*Deregistered* - seclogon
*Deregistered* - SENS
*Deregistered* - SharedAccess
*Deregistered* - ShellHWDetection
*Deregistered* - Spooler
*Deregistered* - sr
*Deregistered* - srservice
*Deregistered* - Srv
*Deregistered* - SSDPSRV
*Deregistered* - ssmdrv
*Deregistered* - swenum
*Deregistered* - TapiSrv
*Deregistered* - Tcpip
*Deregistered* - TermDD
*Deregistered* - TermService
*Deregistered* - Themes
*Deregistered* - TrkWks
*Deregistered* - Update
*Deregistered* - VgaSave
*Deregistered* - VolSnap
*Deregistered* - Wanarp
*Deregistered* - winmgmt
*Deregistered* - WS2IFSL
*Deregistered* - wuauserv
*Deregistered* - WZCSVC
*Deregistered* - xAntiArp

NETSVCS REQUIRES REPAIRS - current entries shown
6to4
AppMgmt
AudioSrv
Browser
CryptSvc
DMServer
DHCP
ERSvc
EventSystem
FastUserSwitchingCompatibility
HidServ
Ias
Iprip
Irmon
LanmanServer
LanmanWorkstation
Netman
Nla
NWCWorkstation
Nwsapagent
Rasauto
Rasman
Remoteaccess
Schedule
Seclogon
SENS
Sharedaccess
SRService
Tapisrv
Themes
TrkWks
WZCSVC
Wmi
WmdmPmSp
winmgmt
xmlprov
BITS
wuauserv
ShellHWDetection
WmdmPmSN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{236289D6-86B7-5004-A24E-713161322A61}]
c:\documents and settings\XPPRESP3\Desktop\travian-autobot 2.0.0 build.full\travian setup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,LaunchINFSectionEx c:\program files\Internet Explorer\clrtour.inf,DefaultInstall.ResetTour,,12
.
Contents of the 'Scheduled Tasks' folder

2009-05-12 c:\windows\Tasks\User_Feed_Synchronization-{E1FD3313-5BCB-478C-9ADA-C926883FFBA4}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 01:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
mDefault_Page_URL = hxxp://www.google.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
IE: Download All with Internet Download Manager - c:\program files\Internet Download Manager\bin\IEGetAll.htm
IE: Download with Internet Download Manager - c:\program files\Internet Download Manager\bin\IEExt.htm
IE: Download FLV content with Internet Download Manager - c:\program files\Internet Download Manager\bin\IEGetVL.htm
LSP: c:\windows\system32\idmmbc.dll
LSP: c:\program files\Avira\AntiVir Desktop\avsda.dll
TCP: {EDFEA7F3-D58F-4F8E-8261-039FDD0C783B} = 163.121.128.134,163.121.128.135
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,

Rootkit scan 2009-05-12 14:49
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-329068152-2139871995-1801674531-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*a%0*s*]
@Class="Shell"

[HKEY_USERS\S-1-5-21-329068152-2139871995-1801674531-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*a%0*s*\OpenWithList]
@Class="Shell"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5de26187-051e-44a2-8271-fab80ea82b2e}]
@Denied: (Full) (Everyone)
"Model"=dword:00000042
"Therad"=dword:00000012

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):c9,b4,a7,97,50,d2,08,1a,cd,09,59,eb,d7,46,50,7e,23,29,8f,8c,ed,
4f,88,03,eb,e0,e1,31,9d,e2,50,46,6d,8d,17,2c,f1,c4,72,ea,00,00,00,00,00,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1084)
c:\windows\system32\cscui.dll

- - - - - - - > 'lsass.exe'(1140)
c:\windows\system32\idmmbc.dll
c:\program files\Avira\AntiVir Desktop\avsda.dll

- - - - - - - > 'explorer.exe'(3300)
c:\windows\System32\cscui.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
c:\program files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll
.
Completion time: 2009-05-12 14:50
ComboFix-quarantined-files.txt 2009-05-12 11:50
ComboFix2.txt 2009-05-11 19:26

Pre-Run: 1,493,344,256 bytes free
Post-Run: 1,485,549,568 bytes free

 
Signature: zoro3309
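The log above is the poster's own ComboFix output. What follows is an added triage example, not part of the thread and not ComboFix code: a small Python script that reads the sections a responder checks first in such a log (the Security Center override values, the Sigcheck lines marked `[-]`, registry keys whose ACL denies Everyone, and the DLLs loaded inside lsass.exe) and returns them as findings. The `SAMPLE` string is an excerpt copied from the log above; the section names and line layouts it relies on are ComboFix's own, while the pairing of a flagged file with a same-named copy under a `\Backup\` folder is a heuristic of this example.

```python
"""Triage the indicator sections of a ComboFix log.

Added example for this thread (not ComboFix code, not the poster's). SAMPLE is
an excerpt copied from the log posted above; the section names and line
layouts are ComboFix's own, the backup pairing is this example's heuristic.
"""
import re

SAMPLE = r"""
------- Sigcheck -------

[-] 2004-08-04 06:56 949760 9BE29C2873DF44DD301EC57EEE9A6440 c:\windows\explorer.exe
[7] 2004-08-04 06:56 1032192 A0732187050030AE399B241436565E64 c:\windows\XPize\Backup\explorer.exe

[-] 2004-08-04 06:56 30208 DE8FA9CF18F95341079C7E6A215C226A c:\windows\system32\ctfmon.exe
[7] 2004-08-04 06:56 15360 24232996A38C0B0CF151C2140AE29FC8 c:\windows\XPize\Backup\ctfmon.exe

[-] 2005-12-19 14:49 1580544 784DDC1F40C4F729284D5A73930F0C9D c:\windows\system32\sfcfiles.dll
.
((((( Reg Loading Points )))))
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5de26187-051e-44a2-8271-fab80ea82b2e}]
@Denied: (Full) (Everyone)
"Model"=dword:00000042
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(1140)
c:\windows\system32\idmmbc.dll
c:\program files\Avira\AntiVir Desktop\avsda.dll
"""

SC_KEY = r"hkey_local_machine\software\microsoft\security center"
# Values that make XP's Security Center stop monitoring or alerting for the
# antivirus, firewall and Automatic Updates state.
SC_TAMPER = ("AntiVirusOverride", "FirewallOverride", "AntiVirusDisableNotify",
             "FirewallDisableNotify", "UpdatesDisableNotify")
VALUE_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')
SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[^\]]+)\]\s+(?P<date>\S+ \S+)\s+(?P<size>\d+)\s+"
    r"(?P<md5>[0-9A-F]{32})\s+(?P<path>.+)$", re.I)


def parse_reg_blocks(text):
    """Group REGEDIT4-style '[key]' headers with their value lines.
    A blank line or a lone '.' (ComboFix's separator) closes the block."""
    blocks, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            blocks.setdefault(key, [])
        elif key and (line.startswith('"') or line.startswith("@")):
            blocks[key].append(line)
        elif not line or line == ".":
            key = None
    return blocks


def security_center_overrides(blocks):
    """Security Center values from SC_TAMPER that are set to 1.
    Some security products set these themselves, so treat a hit as a lead
    to verify against the installed products, not as a verdict."""
    hits = []
    for line in blocks.get(SC_KEY, []):
        m = VALUE_RE.match(line)
        if m and m.group(1) in SC_TAMPER and int(m.group(2), 16) == 1:
            hits.append(m.group(1))
    return hits


def sigcheck_mismatches(text):
    """Files ComboFix marks '[-]' (on-disk copy does not match a known-good
    version), each paired with a same-named copy under a '\\Backup\\' folder
    when one is listed, so 'patched by a theme tool' can be told apart from
    an unexplained replacement."""
    seen, flagged = {}, []
    for line in text.splitlines():
        m = SIGCHECK_RE.match(line.strip())
        if m:
            name = m["path"].lower().rsplit("\\", 1)[-1]
            seen.setdefault(name, []).append(m.groupdict())
    for entries in seen.values():
        backups = [e["path"] for e in entries if "\\backup\\" in e["path"].lower()]
        for e in entries:
            if e["flag"] == "-":
                flagged.append({"path": e["path"], "md5": e["md5"],
                                "size": int(e["size"]),
                                "backup": backups[0] if backups else None})
    return flagged


def denied_keys(blocks):
    """Keys whose ACL denies Everyone: ordinary tools can neither read nor
    remove them, so each one deserves a look at what created it."""
    return [k for k, vals in blocks.items()
            if any(v.lower().startswith("@denied:") for v in vals)]


def dlls_in_process(text, process):
    """DLLs ComboFix lists under the '> process(pid)' header for one process."""
    out, capture = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("- - -") and f"'{process}'" in line:
            capture = True
        elif capture:
            if not line or line == ".":
                break
            out.append(line)
    return out


def triage(text):
    blocks = parse_reg_blocks(text)
    return {"security_center": security_center_overrides(blocks),
            "sigcheck": sigcheck_mismatches(text),
            "denied_keys": denied_keys(blocks),
            "lsass_dlls": dlls_in_process(text, "lsass.exe")}


if __name__ == "__main__":
    for section, items in triage(SAMPLE).items():
        print(f"== {section} ==")
        for item in items:
            print("  ", item)
```

Run it on a full log with `triage(open(path).read())`. On the excerpt it reports the four Security Center values set to 1, three Sigcheck mismatches of which explorer.exe and ctfmon.exe have a matching copy under c:\windows\XPize\Backup (the XPize patcher accounts for those two) while sfcfiles.dll has none, the one CLSID key with an Everyone deny ACL, and the two DLLs inside lsass.exe, which are the same modules the log lists under "LSP:".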
up
 
Signature: zoro3309
Bump, please.
 
Signature: zoro3309
up
 
Signature: zoro3309
uuuuuuuuuuuuuuuuuuuuuuuuuuuppppppppppppppppppppp
 
Signature: zoro3309
up
 
Signature: zoro3309
ComboFix 09-05-11.08 - XPPRESP3 05/12/2009 14:46.2 - FAT32x86
Running from: c:\documents and settings\XPPRESP3\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2009-04-12 to 2009-05-12 )))))))))))))))))))))))))))))))
.

2009-05-12 11:16 . 2009-05-12 11:16 -------- d-----w c:\windows\srchasst
2009-05-12 11:16 . 2009-05-12 11:16 -------- d-----w c:\windows\system32\xircom
2009-05-12 11:16 . 2009-05-12 11:16 -------- d-----w c:\program files\microsoft frontpage
2009-05-12 11:16 . 2009-05-12 11:16 -------- d-sh--w C:\FOUND.038
2009-05-11 12:20 . 2009-05-11 12:20 -------- d-sh--w C:\FOUND.037
2009-05-06 18:35 . 2009-05-06 18:35 -------- d-sh--w C:\FOUND.036
2009-05-03 14:54 . 2009-05-03 14:54 -------- d-sh--w C:\FOUND.035
2009-05-02 10:25 . 2009-05-02 10:25 -------- d-----w c:\program files\ColorSoft
2009-05-02 09:09 . 2009-05-02 09:09 -------- d-sh--w C:\FOUND.034
2009-04-30 17:52 . 2009-04-30 17:52 -------- d-sh--w C:\FOUND.033
2009-04-30 10:12 . 2009-04-30 10:12 -------- d-sh--w C:\FOUND.032
2009-04-29 18:52 . 2009-04-29 18:52 -------- d-sh--w C:\FOUND.031
2009-04-29 07:11 . 2009-04-29 07:11 -------- d-sh--w C:\FOUND.030
2009-04-28 13:30 . 2009-04-28 13:30 -------- d-sh--w C:\FOUND.029
2009-04-27 10:56 . 2009-04-27 10:56 -------- d-sh--w C:\FOUND.028
2009-04-25 21:28 . 2009-04-25 21:28 -------- d-sh--w C:\FOUND.027
2009-04-23 21:20 . 2009-04-23 21:20 -------- d-sh--w C:\FOUND.026
2009-04-23 09:01 . 2009-04-23 09:01 -------- d-sh--w C:\FOUND.025
2009-04-22 20:57 . 2009-04-22 20:57 -------- d-sh--w C:\FOUND.024
2009-04-21 09:57 . 2009-04-21 09:57 -------- d-sh--w C:\FOUND.023
2009-04-20 21:43 . 2009-04-20 21:43 -------- d-sh--w C:\FOUND.022
2009-04-19 11:44 . 2009-04-19 11:44 -------- d-sh--w C:\FOUND.021
2009-04-18 10:25 . 2009-04-18 10:25 -------- d-sh--w C:\FOUND.020
2009-04-15 12:09 . 2009-04-15 12:09 -------- d-sh--w C:\FOUND.019
2009-04-12 17:22 . 2009-04-12 17:22 -------- d-sh--w C:\FOUND.018

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-27 11:49 . 2009-03-20 05:41 55640 ----a-w c:\windows\system32\drivers\avgntflt.sys
2009-04-02 10:08 . 2009-02-20 11:25 18312 ----a-w c:\documents and settings\XPPRESP3\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-01 22:42 . 2009-04-01 22:42 -------- d-----w c:\program files\AP Tuner
2009-03-30 21:49 . 2009-03-30 21:49 -------- d-----w c:\program files\Microsoft
2009-03-30 21:48 . 2009-03-30 21:48 -------- d-----w c:\program files\Windows Live SkyDrive
2009-03-27 12:23 . 2009-03-27 12:23 -------- d-----w c:\program files\SpeederXP
2009-03-26 14:35 . 2006-10-23 20:55 210352 ----a-w c:\windows\system32\idmmbc.dll
2009-03-21 10:56 . 2009-03-21 10:56 -------- d-----w c:\program files\Avira
2009-03-20 15:10 . 2009-03-20 15:10 0 ----a-w c:\windows\nsreg.dat
2009-03-16 11:29 . 2009-03-16 11:29 -------- d-----w c:\program files\Common Files\Scanner
2009-03-09 07:10 . 2009-03-09 06:48 20480 ----a-w c:\windows\system32\H@tKeysH@@k.DLL
2009-03-09 02:19 . 2009-02-21 08:51 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-08 01:34 . 2005-10-21 00:38 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-08 01:34 . 2004-08-04 06:56 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-08 01:33 . 2004-08-04 06:56 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-08 01:33 . 2004-08-04 06:56 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-08 01:32 . 2004-08-04 06:56 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-08 01:32 . 2004-08-04 06:56 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-08 01:31 . 2004-08-04 06:56 34816 ----a-w c:\windows\system32\imgutil.dll
2009-03-08 01:31 . 2004-08-04 06:56 48128 ----a-w c:\windows\system32\mshtmler.dll
2009-03-08 01:31 . 2004-08-04 06:56 45568 ----a-w c:\windows\system32\mshta.exe
2009-03-08 01:22 . 2001-08-23 11:00 156160 ----a-w c:\windows\system32\msls31.dll
2009-02-23 13:55 . 2009-02-23 13:49 7168 ----a-w c:\windows\system32\drivers\uty5ntq4.sys
.

------- Sigcheck -------

[-] 2005-11-26 20:30 359808 0E66B538096A6529D1AC66E78EB0D5C8 c:\windows\system32\drivers\tcpip.sys
[-] 2005-03-14 00:17 359936 6129E70F3D2F1E60860C930EBEAF92C2 c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys

[-] 2004-08-04 06:56 949760 9BE29C2873DF44DD301EC57EEE9A6440 c:\windows\explorer.exe
[7] 2004-08-04 06:56 1032192 A0732187050030AE399B241436565E64 c:\windows\XPize\Backup\explorer.exe

[-] 2004-08-04 06:56 30208 DE8FA9CF18F95341079C7E6A215C226A c:\windows\system32\ctfmon.exe
[7] 2004-08-04 06:56 15360 24232996A38C0B0CF151C2140AE29FC8 c:\windows\XPize\Backup\ctfmon.exe

[-] 2005-12-19 14:49 1580544 784DDC1F40C4F729284D5A73930F0C9D c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 30208]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-03-18 4363504]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RaidTool"="c:\program files\VIA\RAID\raid_tool.exe" [2005-06-20 1056768]
"SunJavaUpdateSched"="d:\new folder\bin\jusched.exe" [2009-03-09 148888]
"AntiARPStandalone"="c:\program files\ColorSoft\AntiARP\AntiARP.exe" [2009-02-19 8089600]
"VTTimer"="VTTimer.exe" - c:\windows\system32\VTTimer.exe [2005-03-07 53248]
"VTTrayp"="VTtrayp.exe" - c:\windows\system32\VTTrayp.exe [2005-03-11 147456]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\Soundman.exe [2005-06-20 90112]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 30208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nlsf"="move" [X]
"nlhr"="c:\windows\System32\AdvPack.Dll" [2009-03-08 128512]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]

c:\documents and settings\XPPRESP3\Start Menu\Programs\Startup\
static.bat [2008-8-10 36]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Launchpad.lnk - c:\program files\IC Media Corp.\ICM532\Launchpad.exe [2006-10-24 49152]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoExpandedNewMenu"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoSMHelp"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"=hex(2):58,50,69,7a,65,5f,4c,6f,67,6f,6e,2e,65,78,65,00

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"f:\\GAMES\\COMMANDO\\COMMANDO\\TCPSERVER.EXE" =
"c:\\WINDOWS\\System32\\dplaysvr.exe"=
"f:\\GAMES\\COMMANDO\\COMM2.EXE"=
"f:\\games\\الرجل المقاتل\\QUAKE3.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"f:\\GAMES\\Claw\\CLAW.EXE"=
"f:\\games\\C???? C???CE?\\QUAKE3.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R2 AntiARPClientLoader;AntiARP Client Loader;c:\program files\ColorSoft\AntiARP\AntiARPClientLoader.exe [2007-10-17 40960]
R3 DCamUSBUVT;ICM532A;c:\windows\system32\Drivers\usbuvt.sys [2005-04-12 103424]
R3 NPF;WinPcap Packet Driver (NPF);c:\windows\system32\drivers\NPF.sys [2007-06-28 42512]
R3 uty5ntq4;AVZ Kernel Driver;c:\windows\system32\Drivers\uty5ntq4.sys [2009-02-23 7168]
R4 AntiVirWebService;Avira AntiVir WebGuard;c:\program files\Avira\AntiVir Desktop\AVWEBGRD.EXE [2009-02-12 432897]
S2 AntiArpNdisProt;AntiARP NDIS Protocol Driver;c:\windows\system32\DRIVERS\AntiArpNdisProt.sys [2007-10-17 21120]
S2 AntiVirMailService;Avira AntiVir MailGuard;c:\program files\Avira\AntiVir Desktop\avmailc.exe [2009-04-27 194817]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-04-27 108289]
S3 xAntiArp;xAntiArpSpoof Service;c:\windows\system32\DRIVERS\xAntiArp.sys [2008-11-22 311040]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - HELPSVC
*Deregistered* - AFD
*Deregistered* - ALG
*Deregistered* - AntiARPClientLoader
*Deregistered* - AntiArpNdisProt
*Deregistered* - AntiVirMailService
*Deregistered* - AntiVirSchedulerService
*Deregistered* - AntiVirService
*Deregistered* - AudioSrv
*Deregistered* - audstub
*Deregistered* - avgio
*Deregistered* - avgntflt
*Deregistered* - avipbb
*Deregistered* - Beep
*Deregistered* - BITS
*Deregistered* - Cdfs
*Deregistered* - CryptSvc
*Deregistered* - DcomLaunch
*Deregistered* - Dhcp
*Deregistered* - dmio
*Deregistered* - dmload
*Deregistered* - dmserver
*Deregistered* - Dnscache
*Deregistered* - ERSvc
*Deregistered* - EventSystem
*Deregistered* - Fastfat
*Deregistered* - FastUserSwitchingCompatibility
*Deregistered* - Fips
*Deregistered* - FltMgr
*Deregistered* - Ftdisk
*Deregistered* - Gpc
*Deregistered* - HTTP
*Deregistered* - IpNat
*Deregistered* - IPSec
*Deregistered* - JavaQuickStarterService
*Deregistered* - KSecDD
*Deregistered* - lanmanserver
*Deregistered* - lanmanworkstation
*Deregistered* - LmHosts
*Deregistered* - mnmdd
*Deregistered* - MountMgr
*Deregistered* - MRxSmb
*Deregistered* - Msfs
*Deregistered* - mssmbios
*Deregistered* - Mup
*Deregistered* - NDIS
*Deregistered* - NdisTapi
*Deregistered* - Ndisuio
*Deregistered* - NdisWan
*Deregistered* - NDProxy
*Deregistered* - NetBIOS
*Deregistered* - NetBT
*Deregistered* - Netman
*Deregistered* - Nla
*Deregistered* - Npfs
*Deregistered* - Null
*Deregistered* - PartMgr
*Deregistered* - ParVdm
*Deregistered* - PCIIde
*Deregistered* - PolicyAgent
*Deregistered* - PptpMiniport
*Deregistered* - PSched
*Deregistered* - RasAcd
*Deregistered* - Rasl2tp
*Deregistered* - RasMan
*Deregistered* - RasPppoe
*Deregistered* - Raspti
*Deregistered* - Rdbss
*Deregistered* - RDPCDD
*Deregistered* - rdpdr
*Deregistered* - RpcSs
*Deregistered* - SamSs
*Deregistered* - Schedule
*Deregistered* - seclogon
*Deregistered* - SENS
*Deregistered* - SharedAccess
*Deregistered* - ShellHWDetection
*Deregistered* - Spooler
*Deregistered* - sr
*Deregistered* - srservice
*Deregistered* - Srv
*Deregistered* - SSDPSRV
*Deregistered* - ssmdrv
*Deregistered* - swenum
*Deregistered* - TapiSrv
*Deregistered* - Tcpip
*Deregistered* - TermDD
*Deregistered* - TermService
*Deregistered* - Themes
*Deregistered* - TrkWks
*Deregistered* - Update
*Deregistered* - VgaSave
*Deregistered* - VolSnap
*Deregistered* - Wanarp
*Deregistered* - winmgmt
*Deregistered* - WS2IFSL
*Deregistered* - wuauserv
*Deregistered* - WZCSVC
*Deregistered* - xAntiArp

NETSVCS REQUIRES REPAIRS - current entries shown
6to4
AppMgmt
AudioSrv
Browser
CryptSvc
DMServer
DHCP
ERSvc
EventSystem
FastUserSwitchingCompatibility
HidServ
Ias
Iprip
Irmon
LanmanServer
LanmanWorkstation
Netman
Nla
NWCWorkstation
Nwsapagent
Rasauto
Rasman
Remoteaccess
Schedule
Seclogon
SENS
Sharedaccess
SRService
Tapisrv
Themes
TrkWks
WZCSVC
Wmi
WmdmPmSp
winmgmt
xmlprov
BITS
wuauserv
ShellHWDetection
WmdmPmSN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{236289D6-86B7-5004-A24E-713161322A61}]
c:\documents and settings\XPPRESP3\Desktop\travian-autobot 2.0.0 build.full\travian setup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,LaunchINFSectionEx c:\program files\Internet Explorer\clrtour.inf,DefaultInstall.ResetTour,,12
.
Contents of the 'Scheduled Tasks' folder

2009-05-12 c:\windows\Tasks\User_Feed_Synchronization-{E1FD3313-5BCB-478C-9ADA-C926883FFBA4}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 01:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
mDefault_Page_URL = hxxp://www.google.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
IE: تحميل الكل بواسطة Internet Download Manager - c:\program files\Internet Download Manager\bin\IEGetAll.htm
IE: تحميل بواسطة Internet Download Manager - c:\program files\Internet Download Manager\bin\IEExt.htm
IE: تحميل محتوى FLV بواسطة Internet Download Manager - c:\program files\Internet Download Manager\bin\IEGetVL.htm
LSP: c:\windows\system32\idmmbc.dll
LSP: c:\program files\Avira\AntiVir Desktop\avsda.dll
TCP: {EDFEA7F3-D58F-4F8E-8261-039FDD0C783B} = 163.121.128.134,163.121.128.135
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,

Rootkit scan 2009-05-12 14:49
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-329068152-2139871995-1801674531-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*a%0*s*]
@Class="Shell"

[HKEY_USERS\S-1-5-21-329068152-2139871995-1801674531-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*a%0*s*\OpenWithList]
@Class="Shell"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5de26187-051e-44a2-8271-fab80ea82b2e}]
@Denied: (Full) (Everyone)
"Model"=dword:00000042
"Therad"=dword:00000012

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):c9,b4,a7,97,50,d2,08,1a,cd,09,59,eb,d7,46,50,7e,23,29,8f,8c,ed,
4f,88,03,eb,e0,e1,31,9d,e2,50,46,6d,8d,17,2c,f1,c4,72,ea,00,00,00,00,00,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1084)
c:\windows\system32\cscui.dll

- - - - - - - > 'lsass.exe'(1140)
c:\windows\system32\idmmbc.dll
c:\program files\Avira\AntiVir Desktop\avsda.dll

- - - - - - - > 'explorer.exe'(3300)
c:\windows\System32\cscui.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
c:\program files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll
.
Completion time: 2009-05-12 14:50
ComboFix-quarantined-files.txt 2009-05-12 11:50
ComboFix2.txt 2009-05-11 19:26

Pre-Run: 1,493,344,256 bytes free
Post-Run: 1,485,549,568 bytes free

338
 
Signature: zoro3309
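An added triage helper, written for this thread and not part of the post, of ComboFix or of HijackThis: it reads the ComboFix sections quoted above and pulls out what a responder checks first. The Security Center value names and the line formats it parses are as they appear in the log; the categories, the severities, the decision to treat a Disabled firewall entry as information only, and the rule that any DLL outside c:\windows inside lsass.exe gets a look are my own choices. The sample input is a handful of lines excerpted from the log above.

```python
import re
from collections import Counter, namedtuple

Finding = namedtuple("Finding", "severity category detail")

# Values under HKLM\SOFTWARE\Microsoft\Security Center that, when set to 1,
# silence Security Center alerts or tell it a third-party product covers that
# role. Malware sets them to hide a disabled AV/firewall; people and some tools
# set them to stop the nag, so a hit means "find out who set it", not "infected".
WSC_OVERRIDE_VALUES = {
    "AntiVirusOverride", "FirewallOverride", "AntiVirusDisableNotify",
    "FirewallDisableNotify", "UpdatesDisableNotify",
}

SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[^\]]+)\]\s+\S+\s+\S+\s+(?P<size>\d+)\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+(?P<path>.+)$")
OPENPORT_RE = re.compile(
    r'^"(?P<port>\d+):(?P<proto>TCP|UDP)"\s*=\s*\d+:(?:TCP|UDP):'
    r"(?P<scope>[^:]+):(?P<state>Enabled|Disabled)", re.I)
REGVAL_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*dword:(?P<val>[0-9a-fA-F]{8})$')
PROCHDR_RE = re.compile(r"^(?:- )+> '(?P<proc>[^']+)'\((?P<pid>\d+)\)$")
PATH_RE = re.compile(r"^[a-z]:\\", re.I)

# Constructed sample input: lines excerpted from the ComboFix log posted above.
SAMPLE_LOG = r"""
------- Sigcheck -------
[-] 2005-11-26 20:30 359808 0E66B538096A6529D1AC66E78EB0D5C8 c:\windows\system32\drivers\tcpip.sys
[7] 2004-08-04 06:56 1032192 A0732187050030AE399B241436565E64 c:\windows\XPize\Backup\explorer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

LSP: c:\windows\system32\idmmbc.dll
LSP: c:\program files\Avira\AntiVir Desktop\avsda.dll

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5de26187-051e-44a2-8271-fab80ea82b2e}]
@Denied: (Full) (Everyone)

- - - - - - - > 'lsass.exe'(1140)
c:\windows\system32\idmmbc.dll
c:\program files\Avira\AntiVir Desktop\avsda.dll
"""


def triage(log_text):
    """Walk a ComboFix log and return the Findings a responder looks at first."""
    findings, section, proc = [], "", ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PROCHDR_RE.match(line)
        if line == "------- Sigcheck -------":
            section, proc = "sigcheck", ""
        elif m:
            section, proc = "dlls", m.group("proc").lower()
        elif line.startswith("[") and line.endswith("]"):
            section, proc = line[1:-1], ""   # a [registry key] header
        elif line.startswith("LSP: "):
            # Winsock LSPs load into every socket-using process; list for review.
            findings.append(Finding("low", "lsp", line[5:]))
        elif line.startswith("@Denied:"):
            # An ACL denying Everyone hides the key from regedit and HijackThis.
            findings.append(Finding("medium", "locked_key", f"{section} {line}"))
        elif section == "sigcheck":
            m = SIGCHECK_RE.match(line)
            if m and m.group("flag") == "-":   # [-]: file did not pass the check
                findings.append(Finding("medium", "sigcheck",
                    f"{m.group('path')} size={m.group('size')} md5={m.group('md5')}"))
        elif section.lower().endswith("\\security center"):
            m = REGVAL_RE.match(line)
            if m and m.group("name") in WSC_OVERRIDE_VALUES and int(m.group("val"), 16) == 1:
                findings.append(Finding("high", "security_center", m.group("name")))
        elif section.lower().endswith("globallyopenports\\list"):
            m = OPENPORT_RE.match(line)
            if m:   # a Disabled entry is context, not an open port
                sev = "high" if m.group("state").lower() == "enabled" else "info"
                findings.append(Finding(sev, "open_port",
                    f"{m.group('port')}/{m.group('proto').upper()} {m.group('state')}"))
        elif section == "dlls" and proc == "lsass.exe" and PATH_RE.match(line):
            # Third-party code inside LSASS; anything outside c:\windows gets a look.
            if not line.lower().startswith("c:\\windows\\"):
                findings.append(Finding("medium", "lsass_dll", line))
    return findings


def summary(findings):
    """Count findings per severity, e.g. {'high': 4, 'medium': 3, ...}."""
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.severity:6} {f.category:16} {f.detail}")
    print(summary(triage(SAMPLE_LOG)))
```

On the excerpt it reports four high findings, all Security Center overrides (the log shows antivirus and firewall alerting and update notifications all switched off, which is worth asking the owner about), one Sigcheck mismatch (tcpip.sys; the explorer.exe and ctfmon.exe mismatches have XPize backup copies listed right next to them, tcpip.sys has no such explanation in the log), two LSPs (the same two DLLs that show up under lsass.exe, which is where an LSP ends up), a CLSID key locked against Everyone, and the 3389/TCP entry, which is Disabled and therefore reported as information rather than as an open port.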
up
 
Signature: zoro3309
up
 
Signature: zoro3309
up
 
Signature: zoro3309
Sorry for the delay, brother.

Post a new HijackThis log > do it now, please.
 
Signature: Corporation