Where are you, admin?
ComboFix 09-05-13.01 - user 05/14/2009 0:25.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1256.966.1025.18.1015.536 [GMT 3:00]
Running from: c:\documents and settings\user\سطح المكتب\ComboFix.exe
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\msa.exe
c:\windows\system32\2019.exe
c:\windows\system32\tmp.reg
c:\windows\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_IPFW
-------\Service_ipfw
((((((((((((((((((((((((( Files Created from 2009-04-13 to 2009-05-13 )))))))))))))))))))))))))))))))
.
2009-05-13 20:47 . 2009-05-13 20:47 -------- d-----w c:\program files\Trend Micro
2009-05-13 19:43 . 2009-05-13 19:43 7168 ----a-w c:\windows\system32\drivers\ute0ntu0.sys
2009-05-13 16:33 . 2009-05-13 16:33 -------- d-----w c:\documents and settings\user\DoctorWeb
2009-05-13 04:30 . 2009-05-13 04:30 -------- d-----w C:\VundoFix Backups
2009-05-13 03:43 . 2009-05-13 09:54 -------- d-----w c:\program files\AxBx
2009-05-13 03:22 . 2009-05-13 03:23 -------- d-----w c:\documents and settings\user\Application Data\QuickScan
2009-05-11 03:17 . 2009-05-11 03:17 -------- d-----w c:\program files\Common Files\xing shared
2009-05-09 20:49 . 2009-05-09 20:49 -------- d-sh--w c:\documents and settings\Administrator\IECompatCache
2009-05-09 20:37 . 2009-05-09 20:37 -------- d-sh--w c:\documents and settings\Administrator\IETldCache
2009-05-09 20:21 . 2009-05-09 20:21 -------- d-----w C:\Inetpub
2009-05-08 14:59 . 2009-05-11 03:53 -------- d-----w c:\windows\ie8updates
2009-05-08 14:20 . 2009-05-08 14:20 -------- d-sh--w c:\documents and settings\user\PrivacIE
2009-05-08 14:20 . 2009-05-08 14:20 -------- d-sh--w c:\documents and settings\user\IECompatCache
2009-05-08 14:19 . 2009-05-08 14:19 -------- d-sh--w c:\documents and settings\NetworkService\IETldCache
2009-05-08 14:19 . 2009-05-08 14:19 -------- d-sh--w c:\documents and settings\user\IETldCache
2009-05-08 14:14 . 2009-02-20 16:50 78336 ----a-w c:\windows\system32\ieencode.dll
2009-05-08 13:43 . 2006-05-13 18:29 843 ----a-w C:\ChangeWinXPKey.vbs
2009-05-04 07:18 . 2009-05-04 07:18 56 ---ha-w c:\windows\system32\ezsidmv.dat
2009-05-04 07:18 . 2009-05-10 05:05 -------- d-----w c:\documents and settings\user\Application Data\skypePM
2009-05-04 07:16 . 2009-05-12 23:35 -------- d-----w c:\documents and settings\user\Application Data\Skype
2009-05-04 07:16 . 2009-05-04 07:16 -------- d-----w c:\program files\Common Files\Skype
2009-05-04 07:16 . 2009-05-04 07:16 -------- d-----r c:\program files\Skype
2009-05-04 07:16 . 2009-05-04 07:16 -------- d-----w c:\documents and settings\All Users\Application Data\Skype
2009-05-03 21:32 . 2009-05-03 21:32 -------- d-----w c:\program files\Messenger Plus! Live
2009-05-03 21:19 . 2009-05-03 21:22 -------- dcsh--w c:\program files\Common Files\WindowsLiveInstaller
2009-05-03 21:19 . 2009-05-03 21:30 -------- d-----w c:\program files\Windows Live
2009-05-03 21:19 . 2009-05-03 21:21 -------- d-----w c:\documents and settings\All Users\Application Data\WLInstaller
2009-05-03 20:09 . 2000-05-10 22:00 90112 -c----w c:\windows\Updreg.EXE
2009-05-02 08:27 . 2009-05-02 08:27 -------- d-----w c:\documents and settings\user\Local Settings\Application Data\Identities
2009-05-02 03:49 . 2009-05-13 04:42 -------- d-----w c:\documents and settings\user\Application Data\IDM
2009-05-02 03:49 . 2009-05-02 08:28 -------- d-----w c:\documents and settings\user\Application Data\DMCache
2009-05-01 20:10 . 2009-05-13 15:28 -------- d-----w c:\documents and settings\Administrator
2009-04-30 13:58 . 2009-04-30 13:58 -------- d-----w c:\documents and settings\user\Application Data\CyberScrub
2009-04-30 13:58 . 2009-05-13 20:06 -------- d-----w c:\documents and settings\user\Application Data\cleaner
2009-04-29 14:31 . 2009-04-29 14:33 -------- d-----w c:\program files\Camtech
2009-04-26 15:32 . 2009-04-26 15:32 -------- d-----w c:\documents and settings\user\Application Data\VitySoft
2009-04-26 15:32 . 2009-04-26 15:32 -------- d-----w c:\windows\Sun
2009-04-26 15:32 . 2009-04-26 15:32 410984 ----a-w c:\windows\system32\deploytk.dll
2009-04-26 15:32 . 2009-04-26 15:32 -------- d-----w c:\program files\Java
2009-04-25 15:53 . 2009-04-25 15:53 -------- d-----w c:\program files\Windows Media Connect 2
2009-04-25 15:51 . 2009-04-29 12:35 -------- d-----w c:\windows\system32\drivers\UMDF
2009-04-25 13:58 . 2009-04-25 13:58 -------- d-----w c:\windows\l2schemas
2009-04-25 13:58 . 2009-04-25 13:58 -------- d-----w c:\windows\system32\ar
2009-04-25 13:58 . 2009-04-25 13:58 -------- d-----w c:\windows\system32\bits
2009-04-25 13:57 . 2009-04-25 13:59 -------- d-----w c:\windows\ServicePackFiles
2009-04-25 13:46 . 2004-08-03 19:29 25471 ------w c:\windows\system32\drivers\watv10nt.sys
2009-04-25 13:46 . 2004-08-03 19:29 22271 ------w c:\windows\system32\drivers\watv06nt.sys
2009-04-25 13:46 . 2004-08-03 19:29 11871 ------w c:\windows\system32\drivers\wadv09nt.sys
2009-04-25 13:46 . 2004-08-03 19:29 11935 ------w c:\windows\system32\drivers\wadv11nt.sys
2009-04-25 13:46 . 2004-08-03 19:29 11807 ------w c:\windows\system32\drivers\wadv07nt.sys
2009-04-25 13:46 . 2004-08-03 19:29 11295 ------w c:\windows\system32\drivers\wadv08nt.sys
2009-04-25 13:44 . 2004-08-03 19:29 31744 ------w c:\windows\system32\drivers\atinxbxx.sys
2009-04-25 03:55 . 2009-04-26 08:09 -------- d-----w c:\program files\Circle Developement
2009-04-23 06:16 . 2009-04-23 06:16 -------- d--h--w c:\windows\PIF
2009-04-14 20:38 . 2008-04-13 18:39 5504 ----a-w c:\windows\system32\drivers\mstee.sys
2009-04-14 20:38 . 2008-04-13 18:46 10880 ----a-w c:\windows\system32\drivers\ndisip.sys
2009-04-14 20:38 . 2008-04-13 18:46 15232 ----a-w c:\windows\system32\drivers\streamip.sys
2009-04-14 20:38 . 2008-04-13 18:46 11136 ----a-w c:\windows\system32\drivers\slip.sys
2009-04-14 20:38 . 2008-04-13 18:46 19200 ----a-w c:\windows\system32\drivers\wstcodec.sys
2009-04-14 20:38 . 2008-04-13 18:46 85248 ----a-w c:\windows\system32\drivers\nabtsfec.sys
2009-04-14 20:38 . 2008-04-13 18:46 17024 ----a-w c:\windows\system32\drivers\ccdecode.sys
2009-04-14 20:31 . 2007-06-22 00:08 139776 ----a-w c:\windows\system32\dhSQLite.dll
2009-04-14 20:31 . 2007-06-18 15:57 219136 -c--a-w c:\windows\sqlite3_engine.dll
2009-04-14 20:26 . 2007-10-04 14:42 48128 ----a-w c:\windows\system32\Remove.exe
2009-04-14 20:26 . 2009-04-14 20:26 -------- d-----w c:\program files\ANC
2009-04-14 20:26 . 2006-10-12 08:57 14336 ----a-w c:\windows\system32\P7302USD.dll
2009-04-14 20:26 . 2009-04-14 20:26 -------- d-----w c:\windows\PixArt
2009-04-14 20:26 . 2009-04-14 20:26 -------- d-----w c:\program files\Common Files\PAC7302
2009-04-14 20:08 . 2008-04-14 15:59 53760 ----a-w c:\windows\system32\vfwwdm32.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-13 21:27 . 2009-03-31 02:06 434208 --sha-w c:\windows\system32\drivers\fidbox2.dat
2009-05-13 21:27 . 2009-03-31 02:06 3612 --sha-w c:\windows\system32\drivers\fidbox2.idx
2009-05-13 21:27 . 2009-03-31 02:06 17552 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-05-13 21:27 . 2009-03-31 02:06 1706016 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-05-13 20:33 . 2001-09-19 12:00 67438 ----a-w c:\windows\system32\perfc001.dat
2009-05-13 20:33 . 2001-09-19 12:00 366874 ----a-w c:\windows\system32\perfh001.dat
2009-05-11 03:17 . 2009-03-04 17:59 -------- d-----w c:\program files\Common Files\Real
2009-05-11 03:16 . 2009-03-04 17:59 499712 ----a-w c:\windows\system32\msvcp71.dll
2009-05-11 03:16 . 2009-03-04 17:43 348160 ----a-w c:\windows\system32\msvcr71.dll
2009-05-03 21:09 . 2009-03-04 16:36 -------- d--h--w c:\program files\InstallShield Installation Information
2009-05-03 20:11 . 2009-03-28 10:05 -------- d--h--w c:\program files\Creative Installation Information
2009-05-03 20:09 . 2009-03-28 09:59 -------- d-----w c:\program files\Creative
2009-05-02 07:51 . 2009-03-28 15:05 409600 ----a-w c:\windows\system32\wrap_oal.dll
2009-05-02 07:51 . 2003-03-28 03:24 114688 ----a-w c:\windows\system32\OpenAL32.dll
2009-04-29 16:15 . 2009-03-04 16:34 94632 ----a-w c:\documents and settings\user\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-12 14:43 . 2009-03-31 12:24 -------- d-----w c:\program files\Paltalk Messenger
2009-04-09 18:46 . 2009-04-09 18:46 203776 ----a-w c:\windows\system32\clrviddc.dll
2009-03-31 20:14 . 2009-03-04 17:45 -------- d-----w c:\program files\Common Files\Adobe
2009-03-31 09:44 . 2009-03-31 09:44 -------- d-----w c:\program files\CCleaner
2009-03-31 09:04 . 2009-03-31 09:04 -------- d-----w c:\program files\MSBuild
2009-03-31 09:04 . 2009-03-31 09:04 -------- d-----w c:\program files\Reference Assemblies
2009-03-31 09:00 . 2009-03-31 09:00 -------- d-----w c:\program files\MSXML 6.0
2009-03-31 05:48 . 2009-03-28 23:30 -------- d-----w c:\program files\LtUcx
2009-03-31 02:25 . 2008-01-29 14:29 33808 ----a-w c:\windows\system32\drivers\klbg.sys
2009-03-31 02:25 . 2009-03-31 02:07 101287 ----a-w c:\windows\system32\drivers\klin.dat
2009-03-31 02:25 . 2009-03-31 02:07 89601 ----a-w c:\windows\system32\drivers\klick.dat
2009-03-31 02:06 . 2009-03-31 02:06 -------- d-----w c:\program files\Kaspersky Lab
2009-03-29 07:55 . 2009-03-04 16:27 86327 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-03-29 00:30 . 2009-03-04 17:50 -------- d-----w c:\program files\JetAudio
2009-03-28 17:15 . 2009-03-04 16:54 -------- d-----w c:\program files\Microsoft Works
2009-03-28 15:05 . 2009-03-28 15:05 2678 ----a-w c:\windows\java\Packages\Data\B31FZPFR.DAT
2009-03-28 15:05 . 2009-03-28 15:05 2678 ----a-w c:\windows\java\Packages\Data\17PRTVHJ.DAT
2009-03-28 15:05 . 2009-03-28 15:05 2678 ----a-w c:\windows\java\Packages\Data\XZFD7XVD.DAT
2009-03-28 15:05 . 2009-03-28 15:05 2678 ----a-w c:\windows\java\Packages\Data\FHZBBXRH.DAT
2009-03-28 15:05 . 2009-03-28 15:05 2678 ----a-w c:\windows\java\Packages\Data\EAJ7PNDB.DAT
2009-03-28 11:50 . 2009-03-04 18:02 -------- d-----w c:\program files\Yahoo!
2009-03-28 10:05 . 2009-03-28 10:05 -------- d-----w c:\program files\Common Files\Creative
2009-03-28 07:31 . 2009-03-28 07:31 -------- d-----w c:\program files\CONEXANT
2009-03-28 07:21 . 2009-03-04 16:39 -------- d-----w c:\program files\Realtek
2009-03-28 07:14 . 2009-03-28 07:14 -------- d-----w c:\program files\Realtek Sound Manager
2009-03-28 07:14 . 2009-03-28 07:13 -------- d-----w c:\program files\AvRack
2009-03-28 07:05 . 2009-03-04 16:36 16608 -c--a-w c:\windows\gdrv.sys
2009-03-21 14:08 . 2004-08-03 21:55 56880 ----a-w c:\windows\system32\scvideo.dll
2009-03-06 14:20 . 2004-08-03 21:55 283136 ----a-w c:\windows\system32\pdh.dll
2009-03-04 18:02 . 2009-03-04 18:02 2232 ----a-w c:\windows\java\Packages\Data\JLZNNVXV.DAT
2009-03-04 18:02 . 2009-03-04 18:02 155995 ----a-w c:\windows\java\Packages\KMSJRVV1.ZIP
2009-03-04 17:52 . 2009-03-04 17:52 47104 -c----w c:\windows\AKDeInstall.exe
2009-03-04 17:48 . 2009-03-04 17:48 172032 -c----w c:\windows\Setup1.exe
2009-03-04 17:48 . 2009-03-04 17:48 73216 -c--a-w c:\windows\ST6UNST.EXE
2009-03-04 16:39 . 2009-03-04 16:39 315392 -c--a-w c:\windows\HideWin.exe
2009-03-04 16:27 . 2001-09-19 12:00 67 --sha-w c:\windows\Fonts\desktop.ini
2009-03-04 16:25 . 2009-03-04 16:25 22144 ----a-w c:\windows\system32\emptyregdb.dat
2009-03-03 00:06 . 2004-08-03 21:55 826368 ----a-w c:\windows\system32\wininet.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 102400]
"Creative MediaSource Go"="c:\program files\Creative\MediaSource5\Go\CTCMSGoU.exe" [2006-11-09 204800]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-05 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-09-05 166424]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 32768]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe" [2009-03-31 206088]
"PAC7302_Monitor"="c:\windows\PixArt\PAC7302\Monitor.exe" [2006-11-03 319488]
"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 57344]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-10 90112]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-05-11 198160]
"P17Helper"="P17.dll" - c:\windows\system32\P17.dll [2005-05-03 64512]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave1"= serwvdrv.dll
[HKLM\~\startupfolder\C:^Documents and Settings^user^قائمة ابدأ^البرامج^بدء التشغيل^Webshots.lnk]
path=c:\documents and settings\user\قائمة ابدأ\البرامج\بدء التشغيل\Webshots.lnk
backup=c:\windows\pss\Webshots.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\JetAudio\\JetAudio.exe"=
"c:\\Program Files\\K-Lite Codec Pack\\Media Player Classic\\mplayerc.exe"=
"c:\\Program Files\\Paltalk Messenger\\paltalk.exe"=
"c:\\Program Files\\Java\\jre6\\launch4j-tmp\\frd.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [29/01/2008 05:29 PM 33808]
S3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [30/04/2008 05:06 PM 24592]
S3 p17filt;p17filt;c:\windows\system32\drivers\p17filt.sys [20/03/2006 06:34 PM 1452032]
S3 PAC7302;PAC7302 VGA SoC PC-Camera;c:\windows\system32\drivers\PAC7302.SYS [13/04/2009 04:41 AM 458752]
S3 ute0ntu0;AVZ Kernel Driver;c:\windows\system32\drivers\ute0ntu0.sys [13/05/2009 10:43 PM 7168]
.
Contents of the 'Scheduled Tasks' folder
2009-05-13 c:\windows\Tasks\OGADaily.job
- c:\windows\system32\OGAVerify.exe [2008-12-31 14:04]
2009-05-13 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAVerify.exe [2008-12-31 14:04]
2009-05-13 c:\windows\Tasks\User_Feed_Synchronization-{AF92363F-5797-4F1C-9036-9792CDB8D6CB}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 15:36]
.
- - - - ORPHANS REMOVED - - - -
Toolbar-Locked - (no file)
HKCU-Run-ColdWare - c:\windows\msa.exe
HKLM-Run-CTXFIREG - CTxfiReg.exe
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = about:blank
uInternet Settings,ProxyOverride = local
DPF: Microsoft XML Parser for Java -
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
Rootkit scan 2009-05-14 00:29
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(3248)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\CTSVCCDA.EXE
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\rundll32.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-05-13 0:32 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-13 21:32
Pre-Run: 18,734,125,056 bytes free
Post-Run: 18,686,668,800 bytes free
243 --- E O F --- 2009-04-25 19:41
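Reading a log like the one above by eye is error-prone, so here is an added example (the editor's own Python, not ComboFix's code and not from the poster) that splits a ComboFix log into its sections and lists the items a responder checks first. The sample input is constructed from lines of the log above, not a full log. The flag rules (executables created directly under c:\windows or a drive root, any newly created .sys driver, EnableFirewall set to 0, Security Center DisableMonitoring set to 1, orphaned Run keys, especially ones pointing at a path ComboFix deleted) are assumptions of this example and are review prompts, not verdicts.

```python
"""Triage helper for a ComboFix log.

Added example: not ComboFix code and not from the original post. It splits
the log into its '(((( Title ))))' sections and pulls out what a responder
reads first. The flag rules are the author's own heuristics (assumptions).
"""
import re
from dataclasses import dataclass

# Constructed sample: excerpts copied from the log above, not a full log.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\msa.exe
c:\windows\system32\2019.exe
c:\windows\system32\tmp.reg
c:\windows\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job
.
((((((((((((((((((((((((( Files Created from 2009-04-13 to 2009-05-13 )))))))))))))))))))))))))))))))
.
2009-05-13 19:43 . 2009-05-13 19:43 7168 ----a-w c:\windows\system32\drivers\ute0ntu0.sys
2009-05-08 14:14 . 2009-02-20 16:50 78336 ----a-w c:\windows\system32\ieencode.dll
2009-05-08 13:43 . 2006-05-13 18:29 843 ----a-w C:\ChangeWinXPKey.vbs
2009-05-03 20:09 . 2000-05-10 22:00 90112 -c----w c:\windows\Updreg.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
- - - - ORPHANS REMOVED - - - -
Toolbar-Locked - (no file)
HKCU-Run-ColdWare - c:\windows\msa.exe
HKLM-Run-CTXFIREG - CTxfiReg.exe
"""

# The three header shapes ComboFix uses; the title is the capture group.
HEADER_RES = (
    re.compile(r"^\(+ (.+?) \)+$"),        # (((( Other Deletions ))))
    re.compile(r"^-{3,} (.+?) -{3,}$"),     # ------- Supplementary Scan -------
    re.compile(r"^(?:- )+(.+?)(?: -)+$"),   # - - - - ORPHANS REMOVED - - - -
)
# "created . modified size attrs path" lines of the Files Created section.
CREATED_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d) \. (\d{4}-\d\d-\d\d \d\d:\d\d) (\S+) (\S+) (.+)$"
)
# "HKCU-Run-Name - target" lines of the ORPHANS REMOVED section.
ORPHAN_RE = re.compile(r"^(HK\w+)-Run-(\S+) - (.+)$")
EXEC_EXT = (".exe", ".dll", ".sys", ".vbs", ".bat", ".cmd", ".scr", ".pif", ".com")


@dataclass(frozen=True)
class Finding:
    kind: str
    detail: str


def split_sections(text):
    """Map section title -> its lines (blank and '.' spacer lines dropped)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        for pat in HEADER_RES:
            m = pat.match(line)
            if m:
                current = m.group(1)
                sections[current] = []
                break
        else:
            if current is not None and line not in ("", "."):
                sections[current].append(line)
    return sections


def section(sections, prefix):
    """Lines of the first section whose title starts with prefix."""
    for title, lines in sections.items():
        if title.startswith(prefix):
            return lines
    return []


def triage(text):
    """Return the review flags for one ComboFix log (heuristics, not verdicts)."""
    sec = split_sections(text)
    deleted_paths = section(sec, "Other Deletions")
    deleted = {p.lower() for p in deleted_paths}
    findings = [Finding("deleted_by_combofix", p) for p in deleted_paths]

    for line in section(sec, "Files Created"):
        m = CREATED_RE.match(line)
        if not m:
            continue  # directory rows parse too, but only files are flagged below
        path = m.group(5)
        low = path.lower()
        if low.endswith(EXEC_EXT):
            parent = low.rsplit("\\", 1)[0]
            if parent in ("c:\\windows", "c:"):   # assumption: odd place for a new binary
                findings.append(Finding("executable_in_windows_or_drive_root", path))
            if low.endswith(".sys"):              # any new kernel driver is worth a look
                findings.append(Finding("new_kernel_driver", path))

    key = None
    for line in section(sec, "Reg Loading Points"):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif re.search(r'"EnableFirewall"=\s*0\b', line):
            findings.append(Finding("firewall_disabled", key))
        elif '"DisableMonitoring"=dword:00000001' in line:
            findings.append(Finding("security_center_monitoring_disabled", key))

    for line in section(sec, "ORPHANS REMOVED"):
        m = ORPHAN_RE.match(line)
        if m:
            hive, name, target = m.groups()
            kind = ("run_key_pointed_at_deleted_file" if target.lower() in deleted
                    else "orphan_run_key")
            findings.append(Finding(kind, f"{hive}\\Run\\{name} -> {target}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:38} {f.detail}")
```

On the constructed sample this lists the four deletions, flags ute0ntu0.sys as a new kernel driver (the log's own service list names it the AVZ driver, so that flag would be cleared on review), flags the two binaries sitting directly under c:\windows and C:\, reports the firewall and Security Center monitoring values, and links the orphaned HKCU Run value ColdWare to the deleted c:\windows\msa.exe. To run it on a real log, read the file into a string and pass it to triage() instead of SAMPLE_LOG.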