Peace be upon you again ..
Clarification:
Of course, member bully's reply came before mine .. because I logged in from his machine .. since my own machine was hung (the Zyzoom forum was not opening on my machine .. I think there were problems last evening .. before the forum was closed for a while .. and I logged in on his machine under his account (by mistake), fearing it would not open on mine .. and so that I could show you that I am carrying out your instructions).
Secondly: I apologize for the delay in replying today .. but by the way, the report was already ready last evening ..
The reply:
1. Up to this moment, cut and paste is working .. but the fear is that the problem will come back again, as usual (God willing it will not).
2. The report from the first tool, ComboFix:
ComboFix 08-05-21.3 - FRESH 2008-05-24 23:48:07.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1256.971.1033.18.211 [GMT 4:00]
Running from: C:\Documents and Settings\FRESH\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\FRESH\Application Data\macromedia\Flash Player\#Shareds\EQYHBRFT\iforex.com
C:\Documents and Settings\FRESH\Application Data\macromedia\Flash Player\#Shareds\EQYHBRFT\iforex.com\Emerp\Events\flash_.swf\user_data.sol
C:\Documents and Settings\FRESH\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com
C:\Documents and Settings\FRESH\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com\settings.sol
C:\Documents and Settings\FRESH\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\Program Files\MyWebSearch
C:\Program Files\MyWebSearch\bar\History\search2
C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat
C:\WINDOWS\system32\prsgrc.dll
C:\WINDOWS\system32\ssprs.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_NWSAPAGENT
-------\Service_NwSapAgent
((((((((((((((((((((((((( Files Created from 2008-04-24 to 2008-05-24 )))))))))))))))))))))))))))))))
.
2008-05-23 18:33 . 2008-05-23 18:33 1,024 --a------ C:\WINDOWS\system32\r1wha73.tgz
2008-05-23 15:06 . 2008-05-23 15:06 <DIR> d-------- C:\Program Files\SuperBladePro
2008-05-20 17:35 . 2008-05-20 17:35 <DIR> d-------- C:\WINDOWS\Sun
2008-05-19 23:38 . 2008-05-19 23:38 <DIR> d-------- C:\Documents and Settings\FRESH\Application Data\CyberScrub
2008-05-19 23:32 . 2008-05-24 02:06 <DIR> d-------- C:\Documents and Settings\FRESH\Application Data\cleaner
2008-05-19 22:58 . 2008-05-19 23:09 <DIR> d-------- C:\Program Files\Golden Al-Wafi Translator
2008-05-19 22:54 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-05-19 22:53 . 2008-05-19 22:54 <DIR> d-------- C:\Program Files\Java
2008-05-19 22:53 . 2008-05-19 22:53 <DIR> d-------- C:\Program Files\Common Files\Java
2008-05-19 22:40 . 2008-05-19 22:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-05-09 19:39 . 2008-05-19 21:24 <DIR> d-------- C:\Documents and Settings\FRESH\temp
2008-05-09 19:39 . 2008-05-09 19:39 <DIR> d-------- C:\Documents and Settings\FRESH\Application Data\TeamViewer
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-24 19:54 12,782,368 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-05-24 19:53 732,960 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
2008-05-24 19:53 71,876 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
2008-05-24 19:53 177,464 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-05-24 19:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-23 11:07 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-22 20:17 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-05-19 19:19 96,645 ----a-w C:\WINDOWS\system32\drivers\klin.dat
2008-05-19 19:19 87,941 ----a-w C:\WINDOWS\system32\drivers\klick.dat
2008-05-19 18:58 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2008-05-19 18:58 172,032 ------w C:\WINDOWS\Setup1.exe
2008-05-19 14:30 --------- d-----w C:\Documents and Settings\FRESH\Application Data\SUPERAntiSpyware.com
2008-05-19 14:29 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-05-13 18:52 10,345 ----a-w C:\WINDOWS\system32\drivers\hamachi.sys
2008-05-13 18:42 --------- d-----w C:\Documents and Settings\FRESH\Application Data\Hamachi
2008-04-05 10:45 --------- d-----w C:\Program Files\Common Files\GetWare Shared
2008-04-05 07:53 --------- d-----w C:\Program Files\Thinstall.VS
2008-03-26 08:09 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-25 06:20 219,936 ----a-w C:\WINDOWS\system32\msltus40.dll
2008-03-19 09:40 1,845,888 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-05-15 21:00 335872]
"SystemInit"="" []
"Karen"="" []
"raVe"="" []
"Win32BaseServiceMOD"="" []
"startIE"="" []
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [2007-06-28 12:51 218376]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"raVe"="" []
"Driver32"="" []
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 03:56 15360]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 16:38 39264]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"NoDispAppearancePage"= 0 (0x0)
"NoDispScrSavPage"= 0 (0x0)
"NoDispSettingsPage"= 0 (0x0)
"NoConfigPage"= 0 (0x0)
"NoDevMgrPage"= 0 (0x0)
"NoFileSysPage"= 0 (0x0)
"NoVirtMemPage"= 0 (0x0)
"DisableChangePassword"= 0 (0x0)
"NoFolderOptions"= 0 (0x0)
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoClose"= 0 (0x0)
"NoFind"= 0 (0x0)
"NoRun"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ZDSV"= scrvid.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
--a------ 2007-11-03 04:50 6731312 C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\zyzoom.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-05-11 03:06 40048 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2006-06-01 13:32 94208 C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitComet]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CARPService]
--a------ 2003-11-08 03:00 4608 C:\WINDOWS\system32\carpserv.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Karen]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 16:40 155648 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NS Agnt]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\raVe]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\startIE]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemInit]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2007-10-13 00:36 185632 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Win32BaseServiceMOD]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Documents and Settings\\FRESH\\My Documents\\My Games\\ألعاب حربية\\c-strike 1\\CSTRIKE.EXE"=
"C:\\Documents and Settings\\FRESH\\My Documents\\My Games\\c-strike\\CSTRIKE.EXE"=
"C:\\Documents and Settings\\FRESH\\My Documents\\My Games\\مقاتلون حتى الموت\\QUAKE3.EXE"=
"F:\\العاب\\games\\FIFA2005 AHLY ZAMALEK\\FIFA2005.EXE"=
"F:\\العاب\\games\\fifa 2005\\FIFA2005.EXE"=
"C:\\Documents and Settings\\FRESH\\My Documents\\My Games\\fifa 2005\\FIFA2005.EXE"=
"C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 7.0\\avp.exe"=
"C:\\Documents and Settings\\FRESH\\My Documents\\My Programs\\الإختصارات\\الهاماشي\\hamachi.exe"=
"D:\\PES 6\\Pro Evolution Soccer 6\\Eng-emad.exe"=
"C:\\WINDOWS\\system32\\dpnsvr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"24457:TCP"= 24457:TCP:BitComet 24457 TCP
"24457:UDP"= 24457:UDP:BitComet 24457 UDP
"15530:TCP"= 15530:TCP:BitComet 15530 TCP
"15530:UDP"= 15530:UDP:BitComet 15530 UDP
R3 ALiIRDA;ALi Infrared Device Driver;C:\WINDOWS\system32\DRIVERS\alifir.sys [2001-08-17 13:49]
R3 FA312;NETGEAR FA330/FA312/FA311 Fast Ethernet Adapter Driver;C:\WINDOWS\system32\DRIVERS\FA312nd5.sys [2001-08-17 16:12]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-04-04 14:58]
S3 scrcap;scrcap;C:\WINDOWS\system32\DRIVERS\scrcap.sys []
.
Contents of the 'Scheduled Tasks' folder
"2008-05-24 20:02:00 C:\WINDOWS\Tasks\hamachi.job"
- C:\Documents and Settings\FRESH\My Documents\My Programs\الإختصارات\الهاماشي\hamachi.exe
"2008-05-23 13:18:00 C:\WINDOWS\Tasks\LiveUpdate.job"
- C:\PROGRA~1\Symantec\LIVEUP~1\LUALL.EXE
"2008-05-23 13:19:00 C:\WINDOWS\Tasks\More Symantec Solutions.job"
- C:\PROGRA~1\COMMON~1\SYMANT~1\SMNLnch.exe*-dll NAVUI.dll -func _Upsell@8 -hint 2016
"2008-05-24 19:54:11 C:\WINDOWS\Tasks\RegCure Program Check.job"
- C:\Program Files\RegCure\RegCure.exe
"2008-05-14 20:01:00 C:\WINDOWS\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
Rootkit scan 2008-05-24 23:55:14
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-05-25 0:03:48 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-24 20:03:32
Pre-Run: 1,826,877,440 bytes free
Post-Run: 1,833,099,264 bytes free
188 --- E O F --- 2008-05-23 10:36:04
3. The report from the second tool, HijackThis:
Logfile of HijackThis v1.99.1
Scan saved at 00:05:33, on 25/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\FRESH\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) -
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" -r (file missing)
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe