ComboFix 09-07-31.04 - ALGAZLAH HACKER 08/01/2009 8:43.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1256.966.1025.18.1978.1448 [GMT 3:00]
Running from: c:\documents and settings\ALGAZLAH HACKER\سطح المكتب\ComboFix.exe
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\_000003_.tmp.dll
c:\windows\system32\_000005_.tmp.dll
c:\windows\system32\_000006_.tmp.dll
c:\windows\system32\_000007_.tmp.dll
c:\windows\system32\_000008_.tmp.dll
c:\windows\system32\_000009_.tmp.dll
c:\windows\system32\Desktop_.ini
.
((((((((((((((((((((((((( Files Created from 2009-07-01 to 2009-08-01 )))))))))))))))))))))))))))))))
.
2009-08-01 05:14 . 2009-08-01 05:14 -------- d-----w- c:\program files\Trend Micro
2009-08-01 04:40 . 2009-08-01 04:47 -------- d-----w- c:\documents and settings\ALGAZLAH HACKER\Application Data\Passware
2009-08-01 04:38 . 2009-08-01 04:47 -------- d-----w- c:\windows\LastGood
2009-08-01 04:14 . 2009-08-01 04:14 -------- d-----w- c:\documents and settings\ALGAZLAH HACKER\Local Settings\Application Data\DFX
2009-08-01 03:57 . 2009-08-01 03:57 -------- d-----w- c:\documents and settings\ALGAZLAH HACKER\Local Settings\Application Data\Help
2009-08-01 03:41 . 2006-03-17 00:38 28672 ------w- c:\windows\system32\verclsid.exe
2009-08-01 03:38 . 2009-08-01 03:38 -------- d-----w- c:\program files\No-IP
2009-08-01 03:25 . 2009-08-01 03:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2009-08-01 03:16 . 2009-08-01 03:16 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-08-01 03:14 . 2009-08-01 03:14 -------- d-sh--w- c:\documents and settings\ALGAZLAH HACKER\IETldCache
2009-08-01 03:08 . 1998-10-29 13:45 306688 ----a-w- c:\windows\IsUninst.exe
2009-08-01 03:08 . 2009-08-01 03:08 -------- d-----w- c:\program files\AskBarDis
2009-08-01 03:07 . 2009-08-01 03:07 -------- d-----w- c:\documents and settings\All Users\Application Data\DFX
2009-08-01 03:07 . 2009-08-01 03:07 -------- d-----w- c:\program files\DFX
2009-08-01 03:07 . 2009-08-01 03:07 -------- d-----w- c:\program files\Common Files\DFX
2009-08-01 03:07 . 2009-08-01 03:07 818 ----a-w- c:\windows\unins000.dat
2009-08-01 03:07 . 2009-08-01 03:07 686858 ----a-w- c:\windows\unins000.exe
2009-08-01 03:05 . 2009-08-01 03:05 -------- d-----w- c:\program files\Common Files\xing shared
2009-08-01 03:05 . 2009-08-01 03:05 499712 ----a-w- c:\windows\system32\msvcp71.dll
2009-08-01 03:05 . 2009-08-01 03:05 348160 ----a-w- c:\windows\system32\msvcr71.dll
2009-08-01 03:05 . 2009-08-01 03:05 -------- d-----w- c:\program files\Common Files\Real
2009-08-01 03:05 . 2009-08-01 03:05 -------- d-----w- c:\program files\Real
2009-08-01 02:48 . 2009-07-19 15:43 11067392 -c----w- c:\windows\system32\dllcache\ieframe.dll
2009-08-01 02:48 . 2009-07-03 16:55 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-08-01 02:48 . 2009-07-03 16:55 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2009-08-01 02:48 . 2009-07-03 16:55 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-08-01 02:48 . 2009-07-03 16:55 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2009-08-01 02:48 . 2009-07-03 16:55 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-08-01 02:48 . 2009-08-01 02:48 -------- d-----w- c:\windows\ie8updates
2009-08-01 02:48 . 2009-07-01 07:08 101376 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-08-01 02:46 . 2009-08-01 02:47 -------- d-----w- c:\windows\system32\ar-SA
2009-08-01 02:46 . 2009-08-01 02:47 -------- dc-h--w- c:\windows\ie8
2009-08-01 02:19 . 2009-08-01 02:19 -------- d-----w- c:\documents and settings\ALGAZLAH HACKER\Local Settings\Application Data\Identities
2009-08-01 02:17 . 2009-08-01 02:17 112144 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP7\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav6\7.0.1.321\X86\kl1.sys
2009-08-01 02:17 . 2009-08-01 02:17 25104 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP7\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav6\7.0.1.321\ushata.dll
2009-08-01 02:16 . 2009-08-01 02:17 772624 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP7\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav6\7.0.1.321\updater.dll
2009-08-01 02:16 . 2009-08-01 02:16 150032 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP7\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav6\7.0.1.321\diffs.dll
2009-08-01 02:16 . 2009-08-01 02:16 354832 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP7\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav6\7.0.1.321\ckahum.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-01 05:47 . 2009-07-31 23:37 -------- d-----w- c:\documents and settings\ALGAZLAH HACKER\Application Data\DMCache
2009-08-01 05:47 . 2009-08-01 00:20 130848 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-08-01 05:46 . 2009-08-01 00:20 1560864 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-08-01 05:28 . 2009-07-31 23:35 -------- d-----w- c:\documents and settings\ALGAZLAH HACKER\Application Data\Paltalk
2009-08-01 05:26 . 2009-07-31 23:35 -------- d-----w- c:\program files\Paltalk Messenger
2009-08-01 04:37 . 2001-09-19 12:00 40180 ----a-w- c:\windows\system32\perfc001.dat
2009-08-01 04:37 . 2001-09-19 12:00 251750 ----a-w- c:\windows\system32\perfh001.dat
2009-08-01 04:36 . 2009-07-31 23:37 -------- d-----w- c:\documents and settings\ALGAZLAH HACKER\Application Data\IDM
2009-08-01 04:34 . 2009-07-31 23:33 -------- d-----w- c:\documents and settings\ALGAZLAH HACKER\Application Data\shimmedia
2009-08-01 04:34 . 2009-08-01 00:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-08-01 04:33 . 2009-07-31 23:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Poll Copy Size Bin
2009-08-01 04:32 . 2009-08-01 00:20 24020 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-08-01 04:32 . 2009-08-01 00:20 13112 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-08-01 02:17 . 2007-10-31 10:41 112144 ----a-w- c:\windows\system32\drivers\kl1.sys
2009-08-01 02:17 . 2009-08-01 00:20 94643 ----a-w- c:\windows\system32\drivers\klick.dat
2009-08-01 02:17 . 2009-08-01 00:20 105395 ----a-w- c:\windows\system32\drivers\klin.dat
2009-08-01 01:35 . 2009-08-01 01:35 198064 ----a-w- c:\documents and settings\ALGAZLAH HACKER\Application Data\IDM\idmmzcc3\components\idmmzcc.dll
2009-08-01 01:26 . 2009-08-01 01:26 6345 ----a-w- c:\program files\un_Internet Download Manager_16575.txt
2009-08-01 01:26 . 2009-07-31 23:37 -------- d-----w- c:\program files\Internet Download Manager
2009-08-01 00:20 . 2009-08-01 00:20 -------- d-----w- c:\program files\Kaspersky Lab
2009-08-01 00:17 . 2009-08-01 00:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-07-31 23:41 . 2009-07-31 23:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Messenger Plus!
2009-07-31 23:36 . 2009-07-31 23:36 0 ----a-w- c:\windows\nsreg.dat
2009-07-31 23:34 . 2009-07-31 23:33 -------- d-----w- c:\program files\Golden Al-Wafi Translator
2009-07-31 23:33 . 2009-07-31 23:33 -------- d-----w- c:\program files\shimmedia
2009-07-31 23:33 . 2009-07-31 23:33 73216 ----a-w- c:\windows\ST6UNST.EXE
2009-07-31 23:33 . 2009-07-31 23:33 172032 ------w- c:\windows\Setup1.exe
2009-07-31 23:33 . 2009-07-31 23:33 -------- d-----w- c:\program files\Circle Developement
2009-07-31 23:33 . 2009-07-31 23:33 -------- d-----w- c:\program files\Messenger Plus! Live
2009-07-31 23:33 . 2009-07-31 23:33 -------- d-----w- c:\program files\Windows Live
2009-07-31 23:33 . 2009-07-31 23:32 -------- d-----w- c:\program files\MSN Messenger
2009-07-31 23:33 . 2009-07-31 22:57 110912 ----a-w- c:\documents and settings\ALGAZLAH HACKER\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-31 22:55 . 2009-07-31 22:55 -------- d-----w- c:\program files\Intel
2009-07-31 22:51 . 2009-07-31 22:51 -------- d-----w- c:\program files\Realtek
2009-07-31 22:51 . 2009-07-31 22:42 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-31 22:50 . 2009-07-31 22:49 -------- d-----w- c:\program files\Common Files\InstallShield
2009-07-31 22:49 . 2009-07-31 22:49 -------- d-----w- c:\program files\Synaptics
2009-07-31 22:49 . 2009-07-31 22:49 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_Apfiltr_01005.Wdf
2009-07-31 22:49 . 2009-07-31 22:49 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-07-31 22:48 . 2009-07-31 22:48 -------- d-----w- c:\program files\Apoint2K
2009-07-31 22:48 . 2009-07-31 22:48 -------- d-----w- c:\program files\Launch Manager
2009-07-31 22:46 . 2009-07-31 22:44 -------- d-----w- c:\program files\Broadcom
2009-07-31 22:43 . 2009-07-31 22:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Broadcom
2009-07-31 22:43 . 2009-07-31 22:43 -------- d-----w- c:\program files\Atheros
2009-07-31 22:43 . 2009-07-31 22:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Atheros
2009-07-31 22:42 . 2009-07-31 22:42 -------- d-----w- c:\program files\Common Files\SNP2UVC
2009-07-31 22:42 . 2009-07-31 22:42 -------- d-----w- c:\documents and settings\ALGAZLAH HACKER\Application Data\InstallShield
2009-07-31 22:41 . 2009-07-31 22:41 -------- d-----w- c:\program files\Common Files\Adobe
2009-07-31 22:34 . 2009-07-31 22:34 -------- d-----w- c:\program files\microsoft frontpage
2009-07-31 22:33 . 2009-07-31 22:33 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-07-31 22:31 . 2009-07-31 22:31 22144 ----a-w- c:\windows\system32\emptyregdb.dat
2009-07-03 16:55 . 2004-08-03 21:55 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-26 16:00 . 2009-06-26 16:00 81920 ------w- c:\windows\system32\ieencode.dll
2009-06-16 14:53 . 2004-08-03 21:55 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:53 . 2001-09-19 12:00 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-06-03 19:25 . 2004-08-03 21:55 1288704 ----a-w- c:\windows\system32\quartz.dll
2009-05-07 15:42 . 2004-08-03 21:55 344064 ----a-w- c:\windows\system32\localspl.dll
2008-09-28 19:00 . 2009-08-01 01:26 439440 ----a-w- c:\program files\un_Internet Download Manager_16575.exe
2008-07-03 02:02 . 2009-07-31 23:36 134144 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-12-09 15:40 333192 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-12-09 333192]
[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [2009-04-03 2794928]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"PLFSetL"="c:\windows\PLFSetL.exe" [2008-07-03 94208]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2009-01-17 862728]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2007-07-21 159744]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-02-22 1032192]
"AzMixerSel"="c:\program files\Realtek\Audio\Drivers\AzMixerSel.exe" [2006-07-17 53248]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-10-27 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-10-27 178712]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-10-27 150040]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-08-01 198160]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2009-01-13 18084864]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
PalTalk.lnk - c:\program files\Paltalk Messenger\paltalk.exe [2009-6-30 11536384]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Anti-Virus 7.0.1.325\\English\\setup.exe"=
"c:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 7.0\\avp.exe"=
"c:\\Program Files\\Paltalk Messenger\\paltalk.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"15963:TCP"= 15963:TCP:Turkojan 4.0
"15963:UDP"= 15963:UDP:Turkojan 4.0
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [13/12/2007 01:28 PM 24592]
R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [01/08/2009 01:50 AM 38912]
S2 spupdsvc;Windows Service Pack Installer update service;c:\windows\system32\spupdsvc.exe [01/08/2009 01:48 AM 26144]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [01/08/2009 01:51 AM 1684736]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - APPMGMT
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
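The most significant lines in this section are the two GloballyOpenPorts entries: port 15963 on both TCP and UDP is open to every inbound source, and the exception is registered under the name "Turkojan 4.0", a remote-access trojan that adds its own firewall exception on install. The same host also has the No-IP dynamic DNS client installed (c:\program files\No-IP above), the on-access scanner is reported disabled in the header, and the Security Center key for Kaspersky has DisableMonitoring set to 1. The triage pass below is an added example, not part of the ComboFix output or tool: it parses the REGEDIT4-style dump as printed above and grades firewall exceptions and the Security Center key. The RAT name list and the trusted-directory prefixes are constructed for the example, and the sample lines are copied from this log.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the Security Center and firewall-policy keys copied from
# the loading-points dump above (same REGEDIT4-style escaping).
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Anti-Virus 7.0.1.325\\English\\setup.exe"=
"c:\\Program Files\\Paltalk Messenger\\paltalk.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"15963:TCP"= 15963:TCP:Turkojan 4.0
"15963:UDP"= 15963:UDP:Turkojan 4.0
""".strip().splitlines()

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"=\s*(?P<data>.*)$')

# Constructed shortlist of remote-access trojans that register a firewall
# exception under their own product name; a real tool would use a maintained list.
RAT_NAMES = ("turkojan", "bifrost", "poison ivy", "darkcomet")

# Locations from which a firewall-authorized program is unremarkable (assumption
# for the example; tighten to your own baseline).
TRUSTED_PREFIXES = ("%windir%", "c:\\windows\\", "c:\\program files\\")

Finding = Tuple[str, str]   # (severity, message)


def parse_reg_dump(lines: List[str]) -> Dict[str, List[Tuple[str, str]]]:
    """Group a REGEDIT4-style dump into {key: [(value name, data), ...]}."""
    keys: Dict[str, List[Tuple[str, str]]] = {}
    current = None
    for raw in lines:
        line = raw.strip()
        km = KEY_RE.match(line)
        if km:
            current = km["key"]
            keys.setdefault(current, [])
            continue
        vm = VALUE_RE.match(line)
        if vm and current is not None:
            keys[current].append((vm["name"], vm["data"].strip()))
    return keys


def unescape(reg_path: str) -> str:
    # REGEDIT4 doubles backslashes inside quoted strings.
    return reg_path.replace("\\\\", "\\")


def triage(keys: Dict[str, List[Tuple[str, str]]]) -> List[Finding]:
    findings: List[Finding] = []
    for key, values in keys.items():
        k = key.lower()
        if k.endswith("\\globallyopenports\\list"):
            # Every entry here is a port reachable from any source; the data
            # field reads "port:proto:label".
            for _, data in values:
                port, proto, label = (data.split(":", 2) + ["", ""])[:3]
                sev = "HIGH" if any(r in label.lower() for r in RAT_NAMES) else "MEDIUM"
                findings.append((sev, f"inbound {port}/{proto} open to all, labelled '{label}'"))
        elif k.endswith("\\authorizedapplications\\list"):
            for name, _ in values:
                path = unescape(name).lower()
                if not path.startswith(TRUSTED_PREFIXES):
                    findings.append(("MEDIUM", f"firewall-authorized program outside standard dirs: {path}"))
        elif "\\security center\\monitoring\\" in k:
            product = key.rsplit("\\", 1)[-1]
            for name, data in values:
                is_dword = data.lower().startswith("dword:")
                if name.lower() == "disablemonitoring" and is_dword and int(data[6:], 16) == 1:
                    # AV products routinely set this themselves; LOW on its own,
                    # but correlate it with the AV status in the log header.
                    findings.append(("LOW", f"Security Center monitoring disabled for {product}"))
    return findings


if __name__ == "__main__":
    for sev, msg in triage(parse_reg_dump(SAMPLE_REG)):
        print(f"[{sev}] {msg}")
```

On the sample this yields two HIGH findings for 15963/TCP and 15963/UDP, one MEDIUM for the Kaspersky setup.exe sitting under All Users\Application Data (a legitimate installer, which is why path-based rules only rank and never decide), and one LOW for the Security Center key. The firewall entries are the lead: the port is the host's listening side of a RAT, so the next step on this machine is to confirm which process listens on 15963 and what it resolves through the No-IP client, not to clear the firewall rule and move on.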
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
IE: Download all with Internet Download Manager - c:\program files\Internet Download Manager\IEGetAll.htm
IE: Download with Internet Download Manager - c:\program files\Internet Download Manager\IEExt.htm
IE: Download FLV content with Internet Download Manager - c:\program files\Internet Download Manager\IEGetVL.htm
TCP: {99A0F407-B2C8-4948-9FE5-FCE0020E59C4} = 192.168.1.1
FF - ProfilePath - c:\documents and settings\ALGAZLAH HACKER\Application Data\Mozilla\Firefox\Profiles\zae4ldyu.default\
FF - prefs.js: browser.search.selectedEngine - Ask
FF - prefs.js: browser.startup.homepage -
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=13812&gct=&gc=1&q=
FF - component: c:\documents and settings\ALGAZLAH HACKER\Application Data\IDM\idmmzcc3\components\idmmzcc.dll
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
Rootkit scan 2009-08-01 08:47
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1096)
c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\miscr3.dll
c:\windows\system32\klogon.dll
- - - - - - - > 'lsass.exe'(1152)
c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\dnsq.dll
c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\miscr3.dll
c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\fssync.dll
.
Completion time: 2009-08-01 8:48
ComboFix-quarantined-files.txt 2009-08-01 05:48
Pre-Run: 44,720,975,872 bytes free
Post-Run: 44,776,689,664 bytes free
213 --- E O F --- 2009-08-01 04:48