السلام عليكم اخي
هذا تقرير للهايجاك
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:28:59 PM, on 7/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\winsersec.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\sdaemon.exe
C:\WINDOWS\winwd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AnchorFree\bin\ctrl\AFController.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\Hotspot Shield\bin\openvpnas.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AF BHO - {B7154C4D-87C0-4A2C-AB64-DA132BAC2EE6} - C:\Program Files\AnchorFree\bin\AFBho.dll
O3 - Toolbar: AFToolbar - {1F385865-F3D4-41ff-960D-7B7D0A7A72F6} - C:\Program Files\AnchorFree\bin\AFToolbar.dll
O4 - HKLM\..\Run: [SDaemon] C:\WINDOWS\sdaemon.exe
O4 - HKLM\..\Run: [SWd] C:\WINDOWS\winwd.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [kav] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AFProg] C:\Program Files\AnchorFree\bin\ctrl\AFController.exe
O4 - HKCU\..\Run: [loud four] C:\DOCUME~1\WHITEA~1\APPLIC~1\LONGPL~1\trans okay.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
O23 - Service: Hotspot Shield Service (HotspotShieldService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\openvpnas.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceM - Unknown owner - C:\WINDOWS\system32\ServiceM.exe
O23 - Service: winser - Unknown owner - C:\WINDOWS\system32\winsersec.exe
--
End of file - 4564 bytes
وهذا تقرير برنامج الثانيComboFix
ComboFix 08-07-17.4 - white angel 2008-07-19 11:39:56.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1256.968.1033.18.543 [GMT 4:00]
Running from: C:\Documents and Settings\white angel\Desktop\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2008-06-19 to 2008-07-19 )))))))))))))))))))))))))))))))
.
2008-07-18 14:15 . 2008-07-18 14:15 68 --a------ C:\WINDOWS\cdplayer.ini
2008-07-18 13:40 . 2008-07-18 13:40 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-12 22:56 . 2008-07-12 22:56 <DIR> d-------- C:\Documents and Settings\white angel\Application Data\Uniblue
2008-07-12 14:00 . 2008-07-17 23:14 53 --a------ C:\WINDOWS\itlog.dat
2008-07-03 15:52 . 2008-07-03 15:52 <DIR> d-------- C:\Program Files\LONG PLATFORM BONE
2008-06-27 11:31 . 2008-06-27 11:37 96,966 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-06-27 11:31 . 2008-06-27 11:37 88,774 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-06-27 11:30 . 2008-07-19 11:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-06-27 11:30 . 2008-07-19 11:28 1,422,880 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-06-27 11:30 . 2008-07-19 11:28 213,024 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-06-27 11:30 . 2008-07-19 11:28 16,388 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-06-27 11:30 . 2008-07-19 11:28 2,856 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-12 19:32 --------- d-----w C:\Program Files\Google
2008-07-03 11:54 --------- d-----w C:\Documents and Settings\white angel\Application Data\LONG PLATFORM BONE
2008-07-03 11:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Boob Bind Clock Dvd
2008-06-27 07:30 --------- d-----w C:\Program Files\Kaspersky Lab
2008-06-27 07:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-06-27 07:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avira
2008-06-07 17:23 --------- d-----w C:\Program Files\Unlocker
2008-05-31 10:32 --------- d-----w C:\Program Files\Hotspot Shield
2008-05-31 10:31 --------- d-----w C:\Program Files\AnchorFree
2008-05-31 10:23 --------- d-----w C:\Program Files\PC Camera
2008-05-31 09:22 --------- d-----w C:\Program Files\MSN Font Color Editor
2008-05-31 09:17 --------- d-----w C:\Program Files\BurstCopy
2008-05-31 09:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\BurstCopy Labs
2008-04-26 10:20 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2008-04-26 10:20 172,032 ------w C:\WINDOWS\Setup1.exe
2008-04-25 14:22 206,088 ----a-w C:\WINDOWS\system32\klogon.dll
.
(((((((((((((((((((((((((((((
snapshot@2008-07-19_11.27.38.73 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-19 07:17:27 39,992 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-07-19 07:33:28 39,992 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-07-19 07:17:27 311,604 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-07-19 07:33:28 311,604 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"AFProg"="C:\Program Files\AnchorFree\bin\ctrl\AFController.exe" [2006-11-20 12:19 81920]
"loud four"="C:\DOCUME~1\WHITEA~1\APPLIC~1\LONGPL~1\trans okay.exe" [2008-07-03 15:52 535040]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 01:06 1667584]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [BU]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SDaemon"="C:\WINDOWS\sdaemon.exe" [2005-04-19 01:57 111104]
"SWd"="C:\WINDOWS\winwd.exe" [2005-04-19 01:56 26624]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-04-26 14:03 185896]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe" [2008-04-25 18:21 201992]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.divxa32"= msaud32_divx.acm
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2006-02-19 02:41 49152 C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\loud four]
--a------ 2008-07-03 15:52 535040 C:\DOCUME~1\WHITEA~1\APPLIC~1\LONGPL~1\trans okay.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-08-04 01:06 1667584 C:\Program Files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 12:55 5674352 C:\Program Files\MSN Messenger\msnmsgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Rscmpt]
-ra------ 2002-08-24 21:48 481792 C:\WINDOWS\system32\Rscmpt.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDaemon]
--a------ 2005-04-19 01:57 111104 C:\WINDOWS\sdaemon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SWd]
--a------ 2005-04-19 01:56 26624 C:\WINDOWS\winwd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-04-26 14:03 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant]
--a------ 2006-09-07 21:19 15872 C:\Program Files\Unlocker\UnlockerAssistant.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
--a------ 2004-08-04 00:56 110592 C:\WINDOWS\system32\bthprops.cpl
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
R0 klbg;Kaspersky Lab Boot Guard Driver;C:\WINDOWS\system32\drivers\klbg.sys [2008-01-29 18:29]
R0 WINSEC;WINSEC;C:\WINDOWS\system32\drivers\WINSEC.SYS [2005-04-19 01:57]
R2 winser;winser;C:\WINDOWS\system32\winsersec.exe [2005-04-14 02:37]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2008-03-25 20:07]
R3 tapvpn;TAP VPN Adapter;C:\WINDOWS\system32\DRIVERS\tapvpn.sys [2006-12-17 00:37]
S2 ServiceM;ServiceM;C:\WINDOWS\system32\ServiceM.exe [2002-01-18 22:29]
S3 CAM1210;SM0121 USB 2.0 Video Camera;C:\WINDOWS\system32\Drivers\cam1210.sys [2006-07-24 17:49]
.
s of the 'Scheduled Tasks' folder
"2008-07-18 21:00:01 C:\WINDOWS\Tasks\A849ACB6918A22D2.job"
- c:\docume~1\whitea~1\applic~1\longpl~1\Seek Curb Find.exe
.
- - - - ORPHANS REMOVED - - - -
MSConfigStartUp-clock dvd proxy close - C:\Documents and Settings\All Users\Application Data\Boob Bind Clock Dvd\book axis.exe
MSConfigStartUp-swg - C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
Rootkit scan 2008-07-19 11:41:01
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-07-19 11:42:11
ComboFix-quarantined-files.txt 2008-07-19 07:42:02
Pre-Run: 41,285,115,904 bytes free
Post-Run: 41,281,650,688 bytes free
140