سجين الوحدة
New Zyzoomi
- Joined
- 10 April 2009
- Posts
- 2
- Reaction score
- 0
- Points
- 0
ComboFix 09-11-18.06 - dr 11/18/2009 14:20.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1256.966.1033.18.2039.1493 [GMT 3:00]
Running from: c:\documents and settings\dr.DR-6C3073CC0534\Desktop\ComboFix.exe
.
The following files were disabled during the run:
c:\documents and settings\tazebama.dll
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\autorun.inf
c:\documents and settings\dr\Application Data\inst.exe
c:\documents and settings\dr\Application Data\tazebama
c:\documents and settings\dr\Application Data\tazebama\zPharaoh.dat
c:\recycler\S-1-5-21-1123561945-492894223-1606980848-1004
C:\zPharaoh.exe
D:\Autorun.inf
D:\zPharaoh.exe
C:\autorun.inf . . . . failed to delete
D:\autorun.inf . . . . failed to delete
c:\windows.0\explorer.exe . . . is infected!!
c:\windows.0\pchealth\helpctr\binaries\HelpCtr.exe . . . is infected!!
c:\windows.0\pchealth\helpctr\binaries\msconfig.exe . . . is infected!!
c:\windows.0\system32\calc.exe . . . is infected!!
c:\windows.0\system32\charmap.exe . . . is infected!!
c:\windows.0\system32\cmd.exe . . . is infected!!
c:\windows.0\system32\fsquirt.exe . . . is infected!!
c:\windows.0\system32\magnify.exe . . . is infected!!
c:\windows.0\system32\mobsync.exe . . . is infected!!
c:\windows.0\system32\mspaint.exe . . . is infected!!
c:\windows.0\system32\mstsc.exe . . . is infected!!
Infected copy of c:\windows.0\system32\notepad.exe was found and disinfected
Restored copy from - c:\windows.0\NOTEPAD.EXE
c:\windows.0\system32\ntbackup.exe . . . is infected!!
c:\windows.0\system32\odbcad32.exe . . . is infected!!
c:\windows.0\system32\osk.exe . . . is infected!!
c:\windows.0\system32\sndvol32.exe . . . is infected!!
c:\windows.0\system32\Restore\rstrui.exe . . . is infected!!
.
((((((((((((((((((((((((( Files Created from 2009-10-18 to 2009-11-18 )))))))))))))))))))))))))))))))
.
2009-11-18 11:32 . 2009-11-18 11:34 155883 --sh--r- C:\zPharaoh.exe
2009-11-18 11:32 . 2009-11-18 11:34 155883 --sh--r- \zPharaoh.exe
2009-11-18 11:24 . 2009-11-18 11:34 -------- d-----w- c:\documents and settings\dr\Application Data\tazebama
2009-11-18 11:20 . 2009-11-18 11:20 -------- d-sha-r- \cmdcons
2009-11-18 11:17 . 2009-11-18 11:34 -------- d-----w- \ComboFix
2009-11-18 11:16 . 2009-11-18 11:33 -------- d---a-w- \Qoobox
2009-11-09 19:23 . 2009-11-09 19:23 -------- d-----w- c:\program files\Nuclear Coffee
2009-11-09 18:34 . 2009-11-09 18:34 -------- d-----w- C:\Intel
2009-11-09 18:34 . 2009-11-09 18:34 -------- d-----w- \Intel
2009-11-09 18:28 . 2009-11-09 18:28 -------- d-----w- c:\windows.0\srchasst
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-18 11:34 . 2009-11-18 11:32 155883 --sh--r- \zPharaoh.exe
2009-11-18 11:24 . 2008-12-09 22:34 1962863 ----a-w- c:\windows.0\explorer.exe
2009-11-09 18:34 . 2009-11-09 12:56 31320 ----a-w- c:\documents and settings\dr.DR-6C3073CC0534\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-09 13:45 . 2009-10-08 17:35 -------- d-----w- c:\program files\REALTEK RTL8187 Wireless LAN Driver and Utility
2009-11-09 13:35 . 2009-11-09 13:35 0 ----a-w- c:\windows.0\nsreg.dat
2009-11-09 12:56 . 2009-11-09 12:32 -------- d-----w- c:\program files\Styler
2009-11-09 12:56 . 2009-11-09 12:56 -------- d-----w- c:\documents and settings\dr.DR-6C3073CC0534\Application Data\Styler
2009-11-09 12:56 . 2009-11-09 12:56 15086 ----a-r- c:\documents and settings\dr.DR-6C3073CC0534\Application Data\Microsoft\Installer\{E9ECF354-2422-4FDB-9ABF-D8ADAC0EF941}\_7b12541d.exe
2009-11-09 12:56 . 2009-11-09 12:56 15086 ----a-r- c:\documents and settings\dr.DR-6C3073CC0534\Application Data\Microsoft\Installer\{E9ECF354-2422-4FDB-9ABF-D8ADAC0EF941}\_585b207a.exe
2009-11-09 12:50 . 2009-11-09 12:33 -------- d-----w- c:\program files\Windows Sidebar
2009-11-09 12:50 . 2009-11-09 12:50 -------- d-----w- c:\documents and settings\Default User.WINDOWS.0\Application Data\Winamp
2009-11-09 12:48 . 2009-11-09 12:48 -------- d-----w- c:\program files\Alky for Applications
2009-11-09 12:48 . 2009-11-09 12:48 -------- d-----w- c:\program files\CCleaner
2009-11-09 12:45 . 2009-11-09 12:45 69664 ----a-w- c:\documents and settings\LocalService.NT AUTHORITY\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-11-09 12:45 . 2009-11-09 12:45 -------- d-----w- c:\program files\MSBuild
2009-11-09 12:45 . 2009-11-09 12:45 -------- d-----w- c:\program files\Reference Assemblies
2009-11-09 12:40 . 2009-11-09 12:40 -------- d-----w- c:\program files\Windows Media Connect 2
2009-11-09 12:35 . 2009-11-09 12:35 -------- d-----w- c:\program files\VistaExperience.org
2009-11-09 12:33 . 2009-11-09 12:54 -------- d-----w- c:\documents and settings\dr.DR-6C3073CC0534\Application Data\uTorrent
2009-11-09 12:33 . 2009-11-09 12:33 -------- d-----w- c:\program files\uTorrent
2009-11-09 12:33 . 2009-11-09 12:33 -------- d-----w- c:\documents and settings\Default User.WINDOWS.0\Application Data\uTorrent
2009-11-09 12:31 . 2009-11-09 12:29 -------- d-----w- c:\program files\Microsoft Games
2009-11-09 12:30 . 2009-11-09 12:29 -------- d-----w- c:\program files\LClock
2009-11-09 12:29 . 2009-11-09 12:29 -------- d-----w- c:\program files\HashTab Shell Extension
2009-11-09 12:29 . 2009-11-09 12:29 -------- d-----w- c:\program files\Unlocker
2009-11-09 12:29 . 2009-11-09 12:29 -------- d-----w- c:\program files\Microsoft PowerToys
2009-11-08 19:50 . 2009-11-08 19:50 -------- d-----w- c:\program files\BandRich
2009-11-05 17:52 . 2009-10-08 12:09 -------- d-----w- c:\documents and settings\dr\Application Data\DMCache
2009-11-05 17:47 . 2009-11-05 17:47 -------- d-----w- c:\program files\CCcamInfoPHP v0.9
2009-11-03 10:53 . 2009-11-03 10:53 -------- d-----w- c:\documents and settings\dr\Application Data\Ahead
2009-11-03 10:52 . 2009-11-03 10:52 -------- d-----w- c:\program files\Common Files\Ahead
2009-11-03 10:52 . 2009-11-02 00:11 -------- d-----w- c:\program files\Nero
2009-11-03 10:34 . 2009-11-03 10:34 89293 ----a-w- c:\documents and settings\dr\Application Data\IDM\DwnlData\dr\nero7PremiumReloaded_36\nero7PremiumReloaded.exe
2009-11-03 03:34 . 2009-11-03 03:34 -------- d-----w- c:\program files\MSXML 4.0
2009-11-02 20:03 . 2009-11-02 20:03 -------- d-----w- c:\documents and settings\dr\Application Data\VitySoft
2009-11-02 01:34 . 2009-11-02 00:36 -------- d-----w- c:\documents and settings\dr\Application Data\Vso
2009-11-02 00:36 . 2009-11-02 00:36 47360 ----a-w- c:\documents and settings\dr\Application Data\pcouffin.sys
2009-11-02 00:36 . 2009-11-02 00:36 47360 ----a-w- c:\documents and settings\dr\Application Data\pcouffin.sys
2009-11-02 00:36 . 2009-11-02 00:36 -------- d-----w- c:\program files\VSO
2009-11-02 00:15 . 2009-11-02 00:12 -------- d-----w- c:\documents and settings\dr\Application Data\Nero
2009-11-02 00:11 . 2009-11-02 00:10 -------- d-----w- c:\program files\Common Files\Nero
2009-11-02 00:07 . 2009-11-02 00:07 -------- d-----w- c:\documents and settings\dr\Application Data\Thinstall
2009-10-31 11:42 . 2009-10-31 11:42 -------- d-----w- c:\program files\Amor Photo Downloader
2009-10-31 11:12 . 2009-10-31 11:12 -------- d-----w- c:\program files\Sky.1
2009-10-31 11:12 . 2009-10-31 11:12 -------- d-----w- c:\program files\Conduit
2009-10-30 21:05 . 2009-10-09 12:14 -------- d-----w- c:\program files\Google
2009-10-19 19:29 . 2009-10-08 10:34 -------- d-----w- c:\program files\Java
2009-10-19 19:29 . 2009-10-19 19:29 152576 ----a-w- c:\documents and settings\dr\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-10-12 07:46 . 2009-10-12 07:44 -------- d-----w- c:\documents and settings\dr\Application Data\vlc
2009-10-12 07:41 . 2009-10-12 07:41 -------- d-----w- c:\program files\VideoLAN
2009-10-11 21:15 . 2009-10-10 13:10 -------- d-----w- c:\program files\Mbox Control Center
2009-10-08 19:14 . 2009-10-08 12:09 -------- d-----w- c:\documents and settings\dr\Application Data\IDM
2009-10-08 18:55 . 2009-10-08 12:09 -------- d-----w- c:\program files\Internet Download Manager
2009-10-08 18:42 . 2009-10-08 18:04 74560 ----a-w- c:\documents and settings\dr\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-08 18:42 . 2009-10-08 18:36 -------- d-----w- c:\program files\Windows Live
2009-10-08 18:39 . 2009-10-08 18:39 -------- d-----w- c:\program files\Microsoft Sync Framework
2009-10-08 18:38 . 2009-10-08 18:38 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2009-10-08 18:37 . 2009-10-08 18:37 -------- d-----w- c:\program files\Microsoft
2009-10-08 18:37 . 2009-10-08 18:37 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-10-08 18:14 . 2009-10-08 18:14 -------- d-----w- c:\program files\Common Files\Windows Live
2009-10-08 17:35 . 2009-10-08 10:05 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-08 12:33 . 2009-10-08 12:33 -------- d-----w- c:\program files\AVG
2009-10-08 12:14 . 2009-10-08 12:14 -------- d-----w- c:\documents and settings\dr\Application Data\AVG8
2009-10-08 12:09 . 2009-10-08 12:09 198064 ----a-w- c:\documents and settings\dr\Application Data\IDM\idmmzcc3\components\idmmzcc.dll
2009-10-08 11:34 . 2009-10-08 11:34 -------- d-----w- c:\documents and settings\dr\Application Data\Media Player Classic
2009-10-08 11:30 . 2009-10-08 11:30 -------- d-----w- c:\program files\Common Files\Adobe
2009-10-08 11:30 . 2009-10-08 11:30 -------- d-----w- c:\documents and settings\dr\Application Data\InterTrust
2009-10-08 10:46 . 2009-10-08 10:46 -------- d-----w- c:\program files\Microsoft.NET
2009-10-08 10:34 . 2009-10-08 10:34 -------- d-----w- c:\program files\Common Files\Java
2009-10-08 10:33 . 2009-10-08 10:33 -------- d-----w- c:\program files\K-Lite Codec Pack
2009-10-08 10:08 . 2009-10-08 10:08 -------- d-----w- c:\program files\Realtek Sound Manager
2009-10-08 10:08 . 2009-10-08 10:08 -------- d-----w- c:\program files\AvRack
2009-10-08 10:05 . 2009-10-08 10:05 -------- d-----w- c:\program files\Intel
2009-10-08 10:05 . 2009-10-08 10:05 -------- d-----w- c:\program files\Common Files\InstallShield
2009-10-08 09:18 . 2009-10-08 09:18 -------- d-----w- c:\program files\microsoft frontpage
2009-10-08 09:17 . 2009-10-08 09:17 0 --sha-r- \MSDOS.SYS
2009-10-08 09:17 . 2009-10-08 09:17 0 --sha-r- \IO.SYS
2009-10-08 09:17 . 2009-10-08 09:17 0 ----a-w- \CONFIG.SYS
2009-10-08 09:17 . 2009-10-08 09:17 0 ----a-w- \AUTOEXEC.BAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-11-23 1247232]
"ctfmon.exe"="c:\windows.0\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VistaDrive"="c:\windows.0\VistaDrive\VistaDrive.exe" [2006-10-05 280779]
"LClock"="c:\program files\LClock\LClock.exe" [2004-09-19 65536]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2008-05-01 15872]
"IgfxTray"="c:\windows.0\system32\igfxtray.exe" [2004-11-02 155648]
"HotKeysCmds"="c:\windows.0\system32\hkcmd.exe" [2004-11-02 126976]
"SoundMan"="SOUNDMAN.EXE" - c:\windows.0\SOUNDMAN.EXE [2005-04-15 77824]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]
"CTFMON.EXE"="c:\windows.0\system32\CTFMON.EXE" [2008-04-14 15360]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]
"_nltide_3"="advpack.dll" - c:\windows.0\system32\advpack.dll [2008-12-22 124928]
c:\documents and settings\dr.DR-6C3073CC0534\Start Menu\Programs\Startup\
Styler.lnk - c:\documents and settings\dr.DR-6C3073CC0534\Application Data\Microsoft\Installer\{E9ECF354-2422-4FDB-9ABF-D8ADAC0EF941}\_585b207a.exe [2009-11-9 15086]
c:\documents and settings\All Users.WINDOWS.0\Start Menu\Programs\Startup\
REALTEK RTL8187 Wireless LAN Utility.lnk - c:\program files\REALTEK RTL8187 Wireless LAN Driver and Utility\RtWLan.exe [2009-10-8 894319]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows.0\system32\userinit.exe,"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
R3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows.0\system32\drivers\RTL8187.sys [11/9/2009 5:23 PM 194304]
R3 SjyPkt;SjyPkt;c:\windows.0\system32\drivers\SjyPkt.sys [11/9/2009 4:45 PM 13532]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - SJYPKT
*Deregistered* - mbr
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{D58F39FF-953E-4F45-898F-59F243B9A523}]
RUNDLL32 advpack.dll,LaunchINFSection Sidebar.inf,Register
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uLocal Page = c:\windows.0\system32\blank.htm
FF - ProfilePath - c:\documents and settings\dr.DR-6C3073CC0534\Application Data\Mozilla\Firefox\Profiles\afj1uy0m.default\
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
Rootkit scan 2009-11-18 14:33
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows.0\System32\smss.exe
c:\windows.0\system32\csrss.exe
c:\windows.0\system32\winlogon.exe
c:\windows.0\system32\services.exe
c:\windows.0\system32\lsass.exe
c:\windows.0\system32\svchost.exe
c:\windows.0\system32\svchost.exe
c:\windows.0\System32\svchost.exe
c:\windows.0\system32\svchost.exe
c:\windows.0\system32\svchost.exe
c:\windows.0\system32\spoolsv.exe
c:\windows.0\System32\alg.exe
c:\windows.0\system32\wscntfy.exe
c:\program files\Styler\Styler.exe
c:\windows.0\system32\wuauclt.exe
c:\windows.0\system32\dwwin.exe
c:\windows.0\system32\wbem\wmiprvse.exe
c:\windows.0\system32\dwwin.exe
c:\windows.0\system32\dwwin.exe
c:\windows.0\system32\dwwin.exe
.
**************************************************************************
.
Completion time: 2009-11-18 14:35 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-18 11:35
Pre-Run: 38,760,689,664 bytes free
Post-Run: 39,532,228,608 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS.0
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS.0="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
- - End Of File - - 23DC334AAF013408497722B31E80CA6F
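The log above reports core system binaries (explorer.exe, cmd.exe, msconfig.exe, rstrui.exe and others) as infected, an autorun.inf on both C: and D: that ComboFix could not delete, and a hidden, system-attribute zPharaoh.exe created on the day of the scan. Reading a several-hundred-line ComboFix log by eye is error-prone, so the Python script below is an added example (not part of the original post and not ComboFix's own code) that parses a log in this format and reduces it to the facts a responder needs: files ComboFix disabled, what it deleted, which deletions failed, which binaries it reported infected, newly created executables carrying the hidden attribute, and autostart entries that launch from user-writable locations or that add a second Userinit program. The section banners, verdict suffixes and line layouts it matches are taken from the log above; the embedded SAMPLE_LOG is a constructed excerpt of that log, and the `is_user_writable` path markers and the `cleanup_incomplete` rule are the author's assumptions, not ComboFix output.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt of the ComboFix log above (test input only; a real run
# would read the complete saved log instead).
SAMPLE_LOG = r"""
The following files were disabled during the run:
c:\documents and settings\tazebama.dll
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\autorun.inf
c:\documents and settings\dr\Application Data\inst.exe
C:\zPharaoh.exe
D:\Autorun.inf
C:\autorun.inf . . . . failed to delete
D:\autorun.inf . . . . failed to delete
c:\windows.0\explorer.exe . . . is infected!!
c:\windows.0\system32\cmd.exe . . . is infected!!
Infected copy of c:\windows.0\system32\notepad.exe was found and disinfected
Restored copy from - c:\windows.0\NOTEPAD.EXE
.
((((((((((((((((((((((((( Files Created from 2009-10-18 to 2009-11-18 )))))))))))))))))))))))))))))))
.
2009-11-18 11:32 . 2009-11-18 11:34 155883 --sh--r- C:\zPharaoh.exe
2009-11-09 12:48 . 2009-11-09 12:48 -------- d-----w- c:\program files\CCleaner
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LClock"="c:\program files\LClock\LClock.exe" [2004-09-19 65536]
c:\documents and settings\dr.DR-6C3073CC0534\Start Menu\Programs\Startup\
Styler.lnk - c:\documents and settings\dr.DR-6C3073CC0534\Application Data\Microsoft\Installer\{E9ECF354-2422-4FDB-9ABF-D8ADAC0EF941}\_585b207a.exe [2009-11-9 15086]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows.0\system32\userinit.exe,"
"""

# Line shapes as they appear in the log above.
SECTION_RE = re.compile(r"^\({5,}\s*(.+?)\s*\){5,}$")                       # (((( Section Name ))))
VERDICT_RE = re.compile(r"^(?P<path>.+?)\s+(?:\.\s+)+(?P<verdict>is infected!!|failed to delete)$")
CREATED_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d \. \d{4}-\d\d-\d\d \d\d:\d\d"
                        r"\s+\S+\s+(?P<attrs>[-a-z]{8})\s+(?P<path>.+)$")   # date . date size attrs path
REGVALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>[^"]*)"')         # "Name"="path" [date size]
LNK_RE = re.compile(r"^(?P<name>.+?\.lnk) - (?P<value>.+?)(?:\s+\[.*\])?$")  # Startup-folder shortcut
# Assumed markers for locations a non-admin user can write to.
USER_WRITABLE = ("\\application data\\", "\\local settings\\", "\\start menu\\programs\\startup\\")


@dataclass
class Findings:
    disabled: list = field(default_factory=list)            # files ComboFix disabled
    deleted: list = field(default_factory=list)             # "Other Deletions" entries
    failed_deletes: list = field(default_factory=list)      # deletions that did not succeed
    infected: list = field(default_factory=list)            # binaries reported "is infected!!"
    hidden_executables: list = field(default_factory=list)  # new .exe files with the hidden attribute
    autostarts: list = field(default_factory=list)          # (name, path) from Reg Loading Points
    review: list = field(default_factory=list)              # (name, path, reason) worth a closer look


def is_user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE)


def triage(text: str) -> Findings:
    f = Findings()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        if line.startswith(("-------", "*****")):   # Supplementary Scan / catchme banners end a section
            section = None
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            continue
        if line.startswith("The following files were disabled"):
            section = "disabled"
            continue
        m = VERDICT_RE.match(line)
        if m:  # verdict lines sit inside Other Deletions but are tracked separately
            (f.infected if m["verdict"].startswith("is infected") else f.failed_deletes).append(m["path"])
            continue
        if section == "disabled":
            f.disabled.append(line)
        elif section == "other deletions":
            if not line.startswith(("Infected copy of", "Restored copy from")):
                f.deleted.append(line)
        elif section and section.startswith("files created"):
            m = CREATED_RE.match(line)
            if m and "h" in m["attrs"] and m["path"].lower().endswith(".exe"):
                f.hidden_executables.append(m["path"])
        elif section == "reg loading points":
            m = REGVALUE_RE.match(line) or LNK_RE.match(line)
            if not m:
                continue
            name, value = m["name"], m["value"]
            f.autostarts.append((name, value))
            if name.lower() == "userinit":
                # Userinit should name exactly one program; a second entry after the comma is a hook
                if len([p for p in value.split(",") if p.strip()]) > 1:
                    f.review.append((name, value, "extra Userinit entry"))
            elif is_user_writable(value):
                f.review.append((name, value, "launches from user-writable location"))
    return f


def summary(f: Findings) -> dict:
    """Counts for a quick verdict; cleanup_incomplete is the assumed rule that infected
    binaries or failed deletions left in the log mean the machine is not clean."""
    return {
        "infected_system_binaries": len(f.infected),
        "failed_deletes": len(f.failed_deletes),
        "hidden_executables": len(f.hidden_executables),
        "autostarts_to_review": len(f.review),
        "cleanup_incomplete": bool(f.infected or f.failed_deletes),
    }


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for name, value, reason in found.review:
        print("REVIEW", name, "->", value, f"({reason})")
    print(summary(found))
```

On the full log above the script would list eighteen infected binaries and two failed autorun.inf deletions, so `cleanup_incomplete` is true: a file infector that has already patched explorer.exe and cmd.exe cannot be considered removed by a single ComboFix pass, and the two undeletable autorun.inf files mean the machine and any USB drive plugged into it will keep reinfecting. A `review` hit is a prompt, not a verdict: Styler.lnk is flagged only because it launches from Application Data, and the log itself shows Styler installed under Program Files.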
