mesoka
Distinguished Zyzoom member
Peace be upon you, and God's mercy and blessings.
Greetings,
When I scanned the machine with Kaspersky 2010, a stubborn virus showed up that Kaspersky cannot remove.
When I visited the foreign (English) Kaspersky forum I found members facing the same problem with this virus,
and I found the solution, which is to use the ComboFix program.
I actually used it; it ran a scan, cleaned, and finished everything,
and it produced the report, which is attached in this thread. I would appreciate it, guys, if you could tell me what this report says.
In any case, I am not sure the virus was removed, so is there a program that removes this virus, which is:
network attack intrusion.win.netapi.buffer-overflow.exploit
Awaiting your helpful replies.
The report:
ComboFix 09-06-26.02 - Marina-Net 06/27/2009 17:30.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1256.20.1033.18.1983.1445 [GMT 3:00]
Running from: c:\documents and settings\Marina-Net\My Documents\Downloads\Programs\ComboFix.exe
AV: Kaspersky Internet Security *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\Help\agt0401.hlp
c:\windows\Help\agt0405.hlp
c:\windows\Help\agt0408.hlp
c:\windows\Help\agt0415.hlp
c:\windows\Help\agt0419.hlp
.
((((((((((((((((((((((((( Files Created from 2009-05-27 to 2009-06-27 )))))))))))))))))))))))))))))))
.
2009-06-27 02:27 . 2001-08-23 12:00 77824 ----a-w- c:\windows\system32\dllcache\spcommon.dll
2009-06-27 02:27 . 2001-08-23 12:00 61440 ----a-w- c:\windows\system32\dllcache\spcplui.dll
2009-06-27 02:27 . 2001-08-23 12:00 774144 ----a-w- c:\windows\system32\dllcache\spttseng.dll
2009-06-27 02:27 . 2001-08-23 12:00 36864 ----a-w- c:\windows\system32\dllcache\sapisvr.exe
2009-06-27 02:05 . 2009-06-27 02:05 -------- d-----w- c:\documents and settings\Marina-Net\Contacts
2009-06-27 01:44 . 2009-06-27 01:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-06-27 01:44 . 2009-05-19 09:11 607472 ----a-w- c:\documents and settings\All Users\Application Data\Yahoo!\YUpdater\yupdater.exe
2009-06-27 01:43 . 2009-06-27 01:43 -------- d-----w- c:\program files\Yahoo!
2009-06-27 01:40 . 2009-06-27 01:40 82898 ----a-w- c:\windows\uninstall.exe
2009-06-27 01:26 . 2004-08-03 20:08 26496 ----a-w- c:\windows\system32\dllcache\usbstor.sys
2009-06-27 01:18 . 2009-06-27 01:19 2926768 ----a-w- c:\documents and settings\Marina-Net\Application Data\IDM\idmupdt.exe
2009-06-27 01:12 . 2009-06-27 01:12 932368 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\profiles-1-6.dll
2009-06-27 01:12 . 2009-06-27 01:12 678416 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\content_interpreter-1-1.dll
2009-06-27 01:12 . 2009-06-27 01:12 604688 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\gsg-3-9.dll
2009-06-27 01:12 . 2009-06-27 01:12 1096208 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\filtration-4-6.dll
2009-06-27 01:12 . 2009-06-27 01:12 522768 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\database-1-5.dll
2009-06-27 01:05 . 2009-06-27 01:05 198064 ----a-w- c:\documents and settings\Marina-Net\Application Data\IDM\idmmzcc3\components\idmmzcc.dll
2009-06-27 01:05 . 2009-06-27 01:05 -------- d-----w- c:\documents and settings\Marina-Net\Application Data\IDM
2009-06-27 01:05 . 2009-06-27 01:05 -------- d-----w- c:\documents and settings\Marina-Net\Application Data\DMCache
2009-06-27 01:04 . 2009-06-27 01:04 -------- d-----w- c:\program files\Internet Download Manager
2009-06-27 00:24 . 2009-06-27 00:24 0 ----a-w- c:\windows\nsreg.dat
2009-06-27 00:24 . 2009-06-27 00:24 -------- d-----w- c:\documents and settings\Marina-Net\Local Settings\Application Data\Mozilla
2009-06-27 00:19 . 2009-06-27 01:15 604140 --sha-w- c:\windows\system32\drivers\ISwift3.dat
2009-06-27 00:17 . 2009-06-27 00:17 94643 ----a-w- c:\windows\system32\drivers\klick.dat
2009-06-27 00:17 . 2009-06-27 00:17 105395 ----a-w- c:\windows\system32\drivers\klin.dat
2009-06-27 00:17 . 2009-06-27 00:17 -------- d-----w- c:\program files\Kaspersky Lab
2009-06-27 00:17 . 2009-06-27 00:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-06-27 00:16 . 2009-06-27 00:16 -------- d-s---w- c:\documents and settings\Marina-Net\UserData
2009-06-27 00:10 . 2009-06-27 00:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-06-27 00:03 . 2009-06-27 00:03 -------- d-----w- c:\windows\system32\DRVSTORE
2009-06-27 00:02 . 2009-06-27 00:02 -------- d-----w- c:\program files\MSN Messenger
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-27 00:00 . 2009-06-26 23:59 -------- d-----w- c:\program files\Winamp
2009-06-27 00:00 . 2009-06-26 23:59 -------- d-----w- c:\documents and settings\Marina-Net\Application Data\Winamp
2009-06-26 23:59 . 2009-06-26 23:59 -------- d-----w- c:\program files\Real Alternative
2009-06-26 23:59 . 2009-06-26 23:59 -------- d-----w- c:\program files\Media Player Classic
2009-06-26 23:49 . 2009-06-26 23:49 -------- d-----w- c:\documents and settings\Marina-Net\Application Data\InstallShield
2009-06-26 23:46 . 2009-06-26 23:46 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-26 23:46 . 2009-06-26 23:46 -------- d-----w- c:\program files\Realtek
2009-06-26 23:46 . 2009-06-26 23:46 319488 ----a-w- c:\windows\HideWin.exe
2009-06-26 23:46 . 2009-06-26 23:46 -------- d-----w- c:\program files\Common Files\InstallShield
2009-06-26 23:44 . 2009-06-26 23:44 27264 ----a-w- c:\documents and settings\Marina-Net\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-26 23:35 . 2009-06-26 23:35 -------- d-----w- c:\program files\microsoft frontpage
2009-06-26 23:34 . 2009-06-26 23:34 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-06-26 23:32 . 2009-06-26 23:32 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-05-25 02:21 . 2009-05-25 02:21 219664 ----a-w- c:\windows\system32\klogon.dll
2009-05-25 02:18 . 2009-05-25 02:18 27507 ----a-w- c:\windows\system32\drivers\klopp.dat
2009-05-25 01:41 . 2009-05-25 01:41 59992 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files\Kaspersky Internet Security 2010 9.0.0.459\English\setup.exe
2009-05-24 12:30 . 2009-05-24 12:30 128016 ----a-w- c:\windows\system32\drivers\kl1.sys
2009-05-16 17:59 . 2009-05-16 17:59 19472 ----a-w- c:\windows\system32\drivers\klmouflt.sys
2009-05-13 14:46 . 2009-05-13 14:46 31760 ----a-w- c:\windows\system32\drivers\klim5.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2006-07-29 5354792]
"IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [2009-05-27 2815408]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-19 5063920]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-31 7634944]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-31 86016]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2007-10-10 36352]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe" [2009-05-25 303376]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-10-31 1622016]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2008-07-23 16804864]
"Resume copy"="copyfstq.exe" - c:\windows\copyfstq.exe [2003-06-10 57344]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\msncall.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [12/15/2008 8:41 PM 33808]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [5/13/2009 5:46 PM 31760]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [5/16/2009 8:59 PM 19472]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - HTTPFILTER
*NewlyCreated* - KLBG
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.eg/
uInternet Connection Wizard,ShellNext = hxxp://ui.skype.com/ui/0/4.0.0.216/en/abandoninstall%20?page=tsMain
IE: Add to Anti-Banner - c:\program files\Kaspersky Lab\Kaspersky Internet Security 2010\ie_banner_deny.htm
IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\Internet Download Manager\IEGetVL.htm
IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
IE: {{4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - c:\program files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
IE: {{CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\program files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
TCP: {83B2A938-E815-4C11-90CB-E9C24CF0E801} = 4.2.2.2,4.2.2.3
FF - ProfilePath - c:\documents and settings\Marina-Net\Application Data\Mozilla\Firefox\Profiles\np58iboi.default\
FF - component: c:\documents and settings\Marina-Net\Application Data\IDM\idmmzcc3\components\idmmzcc.dll
FF - component: c:\program files\Mozilla Firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
Rootkit scan 2009-06-27 17:35
Windows 5.1.2600 Service Pack 2 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2009-06-27 17:37
ComboFix-quarantined-files.txt 2009-06-27 14:37
Pre-Run: 2,959,265,792 bytes free
Post-Run: 2,972,463,104 bytes free
Thanks.