Thread starter: amr_king
Views: 766
Status: Closed and not open for further replies.

amr_king (new member, joined 21 March 2009, 267 posts):
ComboFix 09-06-07.01 - MEDO 2010 06/07/2009 22:34.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1256.20.1033.18.503.271 [GMT 3:00]
Running from: c:\documents and settings\MEDO 2010\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\Autorun.inf
c:\windows\system32\d3d10core.dll
c:\windows\system32\D3DX10d_39.dll
c:\windows\system32\dxgi.dll

.
((((((((((((((((((((((((( Files Created from 2009-05-07 to 2009-06-07 )))))))))))))))))))))))))))))))
.

2009-06-07 19:07 . 2009-06-07 19:08 -------- d-----w- c:\windows\BDOSCAN8
2009-06-07 19:05 . 2009-06-07 19:05 -------- d-----w- c:\documents and settings\MEDO 2010\Local Settings\Application Data\WMTools Downloaded Files
2009-06-07 19:01 . 2009-06-07 19:01 14848 ----a-w- c:\windows\system32\uxthemed.dll
2009-06-07 18:59 . 2009-06-07 18:59 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-06-07 18:59 . 2009-06-07 18:59 -------- d-----w- c:\documents and settings\MEDO 2010\Application Data\skypePM
2009-06-07 18:27 . 2009-06-07 18:27 3371383 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-06-07 17:33 . 2009-06-07 17:33 -------- d-----w- c:\documents and settings\MEDO 2010\Application Data\Malwarebytes
2009-06-07 17:33 . 2009-05-26 10:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-07 17:33 . 2009-05-26 10:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-07 17:33 . 2009-06-07 18:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-07 17:33 . 2009-06-07 17:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-07 19:49 . 2009-06-07 15:17 -------- d-----w- c:\documents and settings\MEDO 2010\Application Data\DMCache
2009-06-07 19:44 . 2009-06-07 15:21 -------- d-----w- c:\documents and settings\MEDO 2010\Application Data\Skype
2009-06-07 19:28 . 2009-06-07 14:43 -------- d-----w- c:\program files\Mozilla Firefox 3.5 Beta 4
2009-06-07 17:25 . 2009-06-07 15:07 -------- d-----w- c:\documents and settings\MEDO 2010\Application Data\SUPERAntiSpyware.com
2009-06-07 17:25 . 2009-06-07 15:07 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-06-07 16:39 . 2009-06-07 16:39 -------- d-----w- c:\documents and settings\MEDO 2010\Application Data\Ubisoft
2009-06-07 16:39 . 2009-06-07 16:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Ubisoft
2009-06-07 16:38 . 2009-06-07 16:38 2471 ----a-w- c:\program files\Common Files\unins000.dat
2009-06-07 16:38 . 2009-06-07 16:38 728858 ----a-w- c:\program files\Common Files\unins000.exe
2009-06-07 15:21 . 2009-06-07 15:21 -------- d-----w- c:\documents and settings\MEDO 2010\Application Data\Media Player Classic
2009-06-07 15:20 . 2009-06-07 15:20 -------- d-----r- c:\program files\Skype
2009-06-07 15:20 . 2009-06-07 15:20 -------- d-----w- c:\program files\Common Files\Skype
2009-06-07 15:20 . 2009-06-07 15:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-06-07 15:18 . 2009-06-07 15:17 -------- d-----w- c:\documents and settings\MEDO 2010\Application Data\IDM
2009-06-07 15:17 . 2009-06-07 15:17 198064 ----a-w- c:\documents and settings\MEDO 2010\Application Data\IDM\idmmzcc3\components\idmmzcc.dll
2009-06-07 15:17 . 2009-06-07 15:17 -------- d-----w- c:\program files\Internet Download Manager
2009-06-07 15:08 . 2009-06-07 15:08 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-06-07 14:43 . 2009-06-07 14:43 0 ----a-w- c:\windows\nsreg.dat
2009-06-07 14:26 . 2009-06-07 14:22 -------- d-----w- c:\program files\Realtek
2009-06-07 14:25 . 2009-06-07 14:22 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-07 14:25 . 2009-06-07 14:25 -------- d-----w- c:\documents and settings\MEDO 2010\Application Data\InstallShield
2009-06-07 14:25 . 2009-06-07 14:05 4716 ----a-w- c:\windows\gdrv.sys
2009-06-07 14:22 . 2009-06-07 14:22 315392 ----a-w- c:\windows\HideWin.exe
2009-06-07 14:22 . 2009-06-07 14:22 -------- d-----w- c:\program files\Common Files\InstallShield
2009-06-07 14:06 . 2009-06-07 14:06 -------- d-----w- c:\program files\Intel
2009-06-07 14:05 . 2009-06-07 14:05 -------- d-----w- c:\program files\Yahoo!
2009-06-07 14:03 . 2009-06-07 13:58 11744 ----a-w- c:\documents and settings\Default User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-07 14:03 . 2009-06-07 14:03 552 ----a-w- c:\windows\system32\d3d8caps.dat
2009-06-07 14:03 . 2009-06-07 14:03 -------- d-----w- c:\program files\K-Lite Codec Pack
2009-06-07 14:02 . 2009-06-07 14:02 -------- d-----w- c:\program files\microsoft frontpage
2009-06-07 13:58 . 2009-06-07 14:02 11744 ----a-w- c:\documents and settings\MEDO 2010\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-07 13:58 . 2009-06-07 13:59 11744 ----a-w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-07 13:57 . 2009-06-07 13:57 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-06-07 13:54 . 2009-06-07 13:54 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-03-26 15:35 . 2009-04-29 12:20 210352 ----a-w- c:\windows\system32\idmmbc.dll
2008-03-09 04:25 . 2009-06-07 16:38 236 ---ha-w- c:\program files\Common Files\dx.reg
.

------- Sigcheck -------

[-] 2007-10-19 22:15 2320640 8FD8B90823454018557166996F9F0F84 c:\windows\system32\ntoskrnl.exe

[-] 2007-10-25 01:47 974336 F046F2994069E168F966194BC6CC4BA4 c:\windows\explorer.exe

[-] 2007-09-22 02:02 100864 80CB133BD6C830E8CA7E90015E45C1CD c:\windows\system32\wuauclt.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{baba4958-f6f9-4515-b7a5-9e6ea4e924a9}]
2009-06-07 19:01 14848 ----a-w- c:\windows\system32\uxthemed.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [2009-04-29 2799024]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-10-29 25795368]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-28 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-28 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-28 118784]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-05-26 414480]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-07-05 16380416]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2007-06-15 1826816]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
ViStart.lnk - c:\windows\system32\Effects\ViStart.exe [2009-6-7 376832]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SynchronousMachineGroupPolicy"= 0 (0x0)
"SynchronousUserGroupPolicy"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDevMgrUpdate"= 1 (0x1)
"NoSMBalloonTip"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDevMgrUpdate"= 1 (0x1)
"NoSMBalloonTip"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [07/06/2009 08:33 PM 19096]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-VisualTask - Windows\\system32\\VisualTask\\VisualTask.exe
HKU-Default-Run-VisualTask - Windows\\system32\\VisualTask\\VisualTask.exe
SafeBoot-procexp90.Sys


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com
mStart Page = hxxp://www.yahoo.com
IE: Download All with Internet Download Manager - c:\program files\Internet Download Manager\IEGetAll.htm
IE: Download with Internet Download Manager - c:\program files\Internet Download Manager\IEExt.htm
IE: Download FLV content with Internet Download Manager - c:\program files\Internet Download Manager\IEGetVL.htm
FF - ProfilePath - c:\documents and settings\MEDO 2010\Application Data\Mozilla\Firefox\Profiles\ww0b8fp0.default\
FF - component: c:\documents and settings\MEDO 2010\Application Data\IDM\idmmzcc3\components\idmmzcc.dll
FF - component: c:\program files\Mozilla Firefox 3.5 Beta 4\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,

Rootkit scan 2009-06-07 22:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(688)
c:\windows\system32\SETUPAPI.dll
c:\windows\system32\sfc_os.dll

- - - - - - - > 'lsass.exe'(744)
c:\windows\system32\SETUPAPI.dll
.
Completion time: 2009-06-07 23:01
ComboFix-quarantined-files.txt 2009-06-07 20:00

Pre-Run: 12,683,964,416 bytes free
Post-Run: 12,692,107,264 bytes free

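The ComboFix output above contains several entries a responder would check before anything else: the three Security Center override values set to 1, NoAutoUpdate set to 1 by policy, a Browser Helper Object that loads a DLL created in system32 on the day of the scan, and three [-] entries in the Sigcheck section, the mark ComboFix uses for system files that do not pass its signature check. The script below is an added example, not part of the post and not ComboFix's own code: it parses the log format as it appears above and lists those entries. The sample log is a constructed excerpt copied from lines in the post; the names triage() and scan_date(), the finding labels, and the seven-day window for a "recent" BHO DLL are choices made for this example, not ComboFix terminology.

```python
"""Triage a ComboFix log for the settings a responder checks first.

Added example; not part of the forum post and not ComboFix's own code.
It parses the plain-text log format shown above and flags:
  * Security Center override values set to 1 (XP alerts silenced),
  * NoAutoUpdate = 1 (Automatic Updates switched off by policy),
  * a Browser Helper Object whose DLL was created shortly before the scan,
  * files that ComboFix's Sigcheck section marks with [-].
The names triage(), scan_date(), the finding labels and the 7-day window
are this example's own choices (assumptions), not ComboFix terminology.
"""
import re
from datetime import date

# Constructed excerpt: copies of lines that appear in the log above.
SAMPLE_LOG = r"""
[-] 2007-10-19 22:15 2320640 8FD8B90823454018557166996F9F0F84 c:\windows\system32\ntoskrnl.exe

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{baba4958-f6f9-4515-b7a5-9e6ea4e924a9}]
2009-06-07 19:01 14848 ----a-w- c:\windows\system32\uxthemed.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]

[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001

Completion time: 2009-06-07 23:01
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<val>.*)$')
FILE_RE = re.compile(r"^(?P<date>\d{4}-\d{2}-\d{2}) \d{2}:\d{2}\s+\d+\s+\S+\s+(?P<path>.+)$")
SIGCHECK_RE = re.compile(
    r"^\[-\]\s+\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+\d+\s+[0-9A-Fa-f]{32}\s+(?P<path>.+)$")
COMPLETION_RE = re.compile(r"^Completion time:\s+(?P<date>\d{4}-\d{2}-\d{2})")

# Security Center values that, when set to 1, suppress the XP security alerts.
SECURITY_CENTER_OVERRIDES = {"AntiVirusOverride", "FirewallOverride", "AntiVirusDisableNotify"}


def parse_int(raw):
    """ComboFix prints DWORDs either as 'dword:00000001' or as '1 (0x1)'."""
    raw = raw.strip()
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"^(\d+)", raw)
    return int(m.group(1)) if m else None


def scan_date(log_text):
    """Date taken from the 'Completion time:' line, or None if it is absent."""
    for line in log_text.splitlines():
        m = COMPLETION_RE.match(line.strip())
        if m:
            return date.fromisoformat(m.group("date"))
    return None


def triage(log_text, recent_days=7):
    """Return (rule, detail) pairs in the order the entries occur in the log."""
    findings = []
    completed = scan_date(log_text)
    key = ""  # registry key of the block currently being read, lower-cased
    for line in log_text.splitlines():
        line = line.strip()
        sm = SIGCHECK_RE.match(line)
        if sm:
            findings.append(("sigcheck_failed", sm.group("path")))
            continue
        km = KEY_RE.match(line)
        if km:
            key = km.group("key").lower()
            continue
        vm = VALUE_RE.match(line)
        if vm:
            name, value = vm.group("name"), parse_int(vm.group("val"))
            if "security center" in key and name in SECURITY_CENTER_OVERRIDES and value == 1:
                findings.append(("security_center_override", name))
            elif key.endswith("windowsupdate\\au") and name == "NoAutoUpdate" and value == 1:
                findings.append(("auto_update_disabled", name))
            continue
        fm = FILE_RE.match(line)
        if fm and "browser helper objects" in key and completed is not None:
            created = date.fromisoformat(fm.group("date"))
            if 0 <= (completed - created).days <= recent_days:
                findings.append(("bho_dll_recent", fm.group("path")))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_LOG):
        print(f"{rule}: {detail}")
```

Run against a full log, the script only reads the sections it understands and ignores the rest; the findings are starting points for review, not a verdict on the files named.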

Please reply quickly.

Please, I beg you.
Brother, you have many threads and have not finished a single one of them:

(You must log in or register to see the hidden links.)

Not to mention the 3 that were saved.
Please follow those up first, and only then open new threads,
so that you do not become tedious and a burden on the members.

Closed.
 