This is the report in normal mode
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:27:58, on 2008/09/25
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
C:\Program Files\ICQ6Toolbar\ICQ Service.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\HUSSAM\Desktop\Zyzoom_HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext =
R3 - URLSearchHook: (no name) - {0A94B116-4504-4e26-AB05-E61E474AA38B} - C:\Program Files\AskPBar\SrchAstt\1.bin\A9SRCHAS.DLL
R3 - URLSearchHook: (no name) - - (no file)
R3 - URLSearchHook: ICQToolBar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQ6Toolbar\ICQToolBar.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Ask Search Assistant BHO - {0A94B111-4504-4e26-AB05-E61E474AA38B} - C:\Program Files\AskPBar\SrchAstt\1.bin\A9SRCHAS.DLL
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: ICQToolBar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQ6Toolbar\ICQToolBar.dll
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKLM\..\RunOnce: [WIAWizardMenu] RUNDLL32.EXE C:\WINDOWS\system32\sti_ci.dll,WiaCreateWizardMenu
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [protect_autorun] C:\DOCUME~1\HUSSAM\LOCALS~1\Temp\ir_ext_temp_0\AutoPlay\Docs\CPE17AntiAutoruna.exe /start
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: ???? - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) -
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O16 - DPF: {6924091F-CD97-41E1-B1D4-D9079409D413} (IMCv1 Control) -
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) -
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) -
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) -
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ICQ Service - Unknown owner - C:\Program Files\ICQ6Toolbar\ICQ Service.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: PsExec (PSEXESVC) - Unknown owner - C:\WINDOWS\PSEXESVC.EXE (file missing)
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
--
End of file - 7741 bytes
And this is the report in safe mode
ComboFix 08-09-24.05 - HUSSAM 09/25/2008 1:15:43.3 - FAT32x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.333 [GMT 2:00]
Running from: C:\Documents and Settings\HUSSAM\Desktop\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\kakle.dll
.
((((((((((((((((((((((((( Files Created from 2008-08-24 to 2008-09-24 )))))))))))))))))))))))))))))))
.
No new files created in this timespan
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-24 23:12 32 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
2008-09-24 23:12 32 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
2008-09-24 23:12 32 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-09-24 23:12 32 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-09-24 03:05 3,826,952 ----a-w C:\?????? ??????? temp2cc90cc.zip
2008-09-24 02:45 2,304 ----a-w C:\WINDOWS\system32\tmp.reg
2008-09-24 01:23 668,952 ----a-w C:\HC2Setup.exe
2008-09-21 23:02 --------- d-----w C:\Program Files\FormatFactory
2008-09-20 03:54 --------- d-----w C:\Program Files\Common Files\xing shared
2008-09-20 02:44 --------- d-----w C:\Program Files\Xilisoft
2008-09-19 23:44 499,712 ----a-w C:\WINDOWS\system32\MSVCP71.DLL
2008-09-19 23:44 348,160 ----a-w C:\WINDOWS\system32\MSVCR71.DLL
2008-09-19 23:12 90,112 ----a-w C:\WINDOWS\system32\agsaami.dll
2008-09-19 23:12 610,304 ----a-w C:\WINDOWS\system32\agsaamg.dll
2008-09-19 23:12 372,736 ----a-w C:\WINDOWS\system32\agsaamc.dll
2008-09-19 23:12 2,535,424 ----a-w C:\WINDOWS\system32\agsaamj.dll
2008-09-19 23:12 196,608 ----a-w C:\WINDOWS\system32\maag.dll
2008-09-19 23:12 1,986,560 ----a-w C:\WINDOWS\system32\akll.dll
2008-09-19 23:12 1,245,184 ----a-w C:\WINDOWS\system32\bkll.dll
2008-09-19 23:12 1,212,416 ----a-w C:\WINDOWS\system32\ckll.dll
2008-09-18 00:09 3,028 ----a-w C:\WINDOWS\system32\PerfStringBackup.TMP
2008-09-14 07:14 --------- d-----w C:\Documents and Settings\Hebrew\Application Data\bluemathbody
2008-09-12 21:19 --------- d-----w C:\Documents and Settings\HUSSAM\Application Data\Ulead Systems
2008-09-12 18:54 --------- d-----w C:\Documents and Settings\Arabic\Application Data\OOVOOTOOLBAR
2008-09-11 22:00 --------- d-----w C:\Program Files\ICQ6Toolbar
2008-09-11 22:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\ICQ
2008-09-11 21:58 --------- d-----w C:\Documents and Settings\HUSSAM\Application Data\ICQ
2008-09-11 21:56 --------- d-----w C:\Program Files\ICQ6
2008-09-11 21:38 --------- d-----w C:\Documents and Settings\HUSSAM\Application Data\ooVoo Details
2008-09-11 21:37 --------- d-----w C:\Program Files\oovooToolbar
2008-09-10 14:32 --------- d-----w C:\Documents and Settings\Arabic\Application Data\bluemathbody
2008-09-10 12:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Messenger Plus!
2008-09-10 12:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Joy coal mpeg heck
2008-09-10 12:53 --------- d-----w C:\Documents and Settings\HUSSAM\Application Data\bluemathbody
2008-09-10 12:52 --------- d-----w C:\Program Files\Windows Live
2008-09-10 12:52 --------- d-----w C:\Program Files\Messenger Plus! Live
2008-09-10 12:52 --------- d-----w C:\Program Files\Circle Developement
2008-09-07 14:55 15,452,536 ----a-w C:\IE7-WindowsXP-x86-enu.exe
2008-09-07 14:24 837,184 ----a-w C:\GoogleToolbarInstaller.exe
2008-09-07 13:50 --------- d-----w C:\Program Files\FairStars Audio Converter
2008-09-07 13:50 --------- d-----w C:\Documents and Settings\HUSSAM\Application Data\InterTrust
2008-09-05 00:16 --------- d-----w C:\Documents and Settings\HUSSAM\Application Data\FairStars Audio Converter
2008-08-29 22:41 7,751,359 ----a-w C:\motherboard_driver_vga_intel_915_945.exe
2008-08-29 08:53 --------- d-----w C:\Documents and Settings\HUSSAM\Application Data\Thinstall
2008-08-25 13:38 --------- d-----w C:\Program Files\K-Lite Codec Pack
2008-08-25 08:29 --------- d-----w C:\Program Files\ImTOO
2008-08-23 19:59 --------- d-----w C:\Program Files\ImTOO(2)
2008-08-09 21:23 --------- d-----w C:\Documents and Settings\HUSSAM\Application Data\CyberScrub
2008-08-09 21:22 --------- d-----w C:\Documents and Settings\HUSSAM\Application Data\cleaner
2008-07-27 08:34 --------- d-----w C:\Documents and Settings\HUSSAM\Application Data\Hide IP NG
2008-07-18 20:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-05-20 16:49 2,585,872 ----a-w C:\Program Files\WindowsInstaller-KB893803-v2-x86.exe
2008-05-20 16:47 59,392 ----a-w C:\Program Files\windows installer 3.1 EULA.doc
2008-05-10 19:29 367,544 ----a-w C:\Documents and Settings\HUSSAM\Application Data\GDIPFONTCACHEV1.DAT
2008-04-26 20:42 197,374 ----a-w C:\Program Files\MSN8513021018Patchvip600-com.zip
2008-03-13 21:42 1,058,538 ----a-w C:\Program Files\xpjava.exe
2008-02-06 18:33 839 ----a-w C:\Program Files\Nero Online Upgrade.lnk
2008-02-05 22:32 684 ----a-w C:\Program Files\ImTOO MPEG Encoder Wizard 3.lnk
2008-01-27 16:55 3,083 ----a-w C:\Program Files\control.txt
2007-11-28 21:28 89,598,186 ----a-w C:\Program Files\FunHouse.rar
2007-09-30 22:45 26,655 ----a-w C:\Program Files\Uninst.isu
2004-10-01 13:00 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
2001-09-25 15:56 2,776,064 ------w C:\Program Files\4x42.exe
2001-09-25 13:30 346,739 ----a-w C:\Program Files\GERTXT.POD
2001-09-25 13:25 338,173 ----a-w C:\Program Files\FRETXT.POD
2001-09-19 07:34 176,128 ----a-w C:\Program Files\tridx8tl.dll
2001-09-17 10:10 163,840 ----a-w C:\Program Files\Tridx8.dll
2001-09-14 14:36 8,261,390 ----a-w C:\Program Files\ISLAND2.POD
2001-09-14 13:12 12,293 ----a-w C:\Program Files\readme.txt
2001-09-13 17:10 86,016 ----a-w C:\Program Files\TRIGL.DLL
2001-09-13 15:59 235,223 ----a-w C:\Program Files\ENGTXT.POD
2001-09-10 11:51 109,696,013 ----a-w C:\Program Files\SOUND.POD
2001-09-05 18:29 591 ----a-w C:\Program Files\POD.INI
2001-09-05 09:21 15,876,996 ----a-w C:\Program Files\music.pod
2001-08-31 17:55 10,902,323 ----a-w C:\Program Files\DUST.pod
2001-08-30 14:57 11,970,974 ----a-w C:\Program Files\VULTURE.pod
2001-08-30 14:44 7,179,094 ----a-w C:\Program Files\TRIBAJA.pod
2001-08-30 14:02 8,735,798 ----a-w C:\Program Files\DVALLEY.pod
2001-08-30 13:15 12,167,152 ----a-w C:\Program Files\COSTRICA.pod
2001-08-30 12:55 24,191,490 ----a-w C:\Program Files\STARTUP.POD
2001-08-29 18:00 8,245,970 ----a-w C:\Program Files\ZONA.POD
2001-08-29 17:50 33,927,359 ----a-w C:\Program Files\UI.POD
2001-08-28 16:47 50,298 ----a-w C:\Program Files\PARTS.POD
2001-08-28 16:22 6,827,700 ----a-w C:\Program Files\AI.POD
2001-08-27 18:23 450,961 ----a-w C:\Program Files\SERIES.POD
2001-08-27 08:40 23,122,843 ----a-w C:\Program Files\wash.pod
2001-08-27 08:14 144,691,121 ----a-w C:\Program Files\TRUCK.POD
2001-08-23 09:27 9,909,728 ----a-w C:\Program Files\THAI.pod
2001-08-22 11:57 20,875,379 ----a-w C:\Program Files\THERIVER.pod
2001-08-22 11:45 23,054,411 ----a-w C:\Program Files\SKULL.pod
2001-08-22 10:31 21,586,558 ----a-w C:\Program Files\OBSPARK.pod
2001-08-22 10:23 22,321,211 ----a-w C:\Program Files\ELNORTE.pod
2001-08-22 10:10 27,698,421 ----a-w C:\Program Files\ALASKA.pod
2001-08-21 16:22 12,538,709 ----a-w C:\Program Files\EGYPT.pod
2001-08-19 15:55 8,837,781 ----a-w C:\Program Files\Jyard.pod
2001-08-17 12:33 10,571,665 ----a-w C:\Program Files\CASTLE.pod
2001-08-17 09:07 8,625,223 ----a-w C:\Program Files\Mcross.pod
2001-08-15 17:25 9,379,407 ----a-w C:\Program Files\con2.pod
2001-08-15 10:15 20,910,792 ----a-w C:\Program Files\cmaps-pc.pod
2001-08-14 07:29 8,196,562 ----a-w C:\Program Files\desert.pod
.
((((((((((((((((((((((((((((( snapshot_Thu 09-18-2008_18.52.09.35 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-09-21 23:02:56 15,086 ----a-r C:\WINDOWS\Installer\{7D5E6E9C-0C9A-49CB-94ED-F0C8C14769BE}\controlPanelIcon.exe
+ 2008-09-21 23:02:56 10,134 ----a-r C:\WINDOWS\Installer\{7D5E6E9C-0C9A-49CB-94ED-F0C8C14769BE}\SystemFolder_msiexec.exe
- 2007-08-21 16:17:30 167,936 ----a-r C:\WINDOWS\Installer\{9028040D-6000-11D3-8CFE-0050048383C9}\accicons.exe
+ 2008-09-18 22:11:30 167,936 ----a-r C:\WINDOWS\Installer\{9028040D-6000-11D3-8CFE-0050048383C9}\accicons.exe
- 2007-08-21 16:17:30 2,560 ----a-r C:\WINDOWS\Installer\{9028040D-6000-11D3-8CFE-0050048383C9}\cagicon.exe
+ 2008-09-18 22:11:30 2,560 ----a-r C:\WINDOWS\Installer\{9028040D-6000-11D3-8CFE-0050048383C9}\cagicon.exe
- 2007-08-21 16:17:30 81,920 ----a-r C:\WINDOWS\Installer\{9028040D-6000-11D3-8CFE-0050048383C9}\fpicon.exe
+ 2008-09-18 22:11:30 81,920 ----a-r C:\WINDOWS\Installer\{9028040D-6000-11D3-8CFE-0050048383C9}\fpicon.exe
- 2007-08-21 16:17:30 34,304 ----a-r C:\WINDOWS\Installer\{9028040D-6000-11D3-8CFE-0050048383C9}\misc.exe
+ 2008-09-18 22:11:30 34,304 ----a-r C:\WINDOWS\Installer\{9028040D-6000-11D3-8CFE-0050048383C9}\misc.exe
- 2007-08-21 16:17:30 8,192 ----a-r C:\WINDOWS\Installer\{9028040D-6000-11D3-8CFE-0050048383C9}\mspicons.exe
+ 2008-09-18 22:11:30 8,192 ----a-r C:\WINDOWS\Installer\{9028040D-6000-11D3-8CFE-0050048383C9}\mspicons.exe
- 2007-08-21 16:17:30 3,584 ----a-r C:\WINDOWS\Installer\{9028040D-6000-11D3-8CFE-0050048383C9}\opwicon.exe
+ 2008-09-18 22:11:30 3,584 ----a-r C:\WINDOWS\Installer\{9028040D-6000-11D3-8CFE-0050048383C9}\opwicon.exe
- 2007-08-21 16:17:30 114,688 ----a-r C:\WINDOWS\Installer\{9028040D-6000-11D3-8CFE-0050048383C9}\outicon.exe
+ 2008-09-18 22:11:30 114,688 ----a-r C:\WINDOWS\Installer\{9028040D-6000-11D3-8CFE-0050048383C9}\outicon.exe
- 2007-08-21 16:17:30 16,384 ----a-r C:\WINDOWS\Installer\{9028040D-6000-11D3-8CFE-0050048383C9}\PEicons.exe
+ 2008-09-18 22:11:30 16,384 ----a-r C:\WINDOWS\Installer\{9028040D-6000-11D3-8CFE-0050048383C9}\PEicons.exe
- 2007-08-21 16:17:30 30,720 ----a-r C:\WINDOWS\Installer\{9028040D-6000-11D3-8CFE-0050048383C9}\pptico.exe
+ 2008-09-18 22:11:30 30,720 ----a-r C:\WINDOWS\Installer\{9028040D-6000-11D3-8CFE-0050048383C9}\pptico.exe
- 2007-08-21 16:17:30 22,528 ----a-r C:\WINDOWS\Installer\{9028040D-6000-11D3-8CFE-0050048383C9}\unbndico.exe
+ 2008-09-18 22:11:30 22,528 ----a-r C:\WINDOWS\Installer\{9028040D-6000-11D3-8CFE-0050048383C9}\unbndico.exe
- 2007-08-21 16:17:30 45,056 ----a-r C:\WINDOWS\Installer\{9028040D-6000-11D3-8CFE-0050048383C9}\wordicon.exe
+ 2008-09-18 22:11:30 45,056 ----a-r C:\WINDOWS\Installer\{9028040D-6000-11D3-8CFE-0050048383C9}\wordicon.exe
- 2007-08-21 16:17:30 90,112 ----a-r C:\WINDOWS\Installer\{9028040D-6000-11D3-8CFE-0050048383C9}\xlicons.exe
+ 2008-09-18 22:11:30 90,112 ----a-r C:\WINDOWS\Installer\{9028040D-6000-11D3-8CFE-0050048383C9}\xlicons.exe
- 2008-08-28 01:00:10 8,416 ----a-w C:\WINDOWS\pchealth\helpctr\PackageStore\SkuStore.bin
+ 2008-09-18 21:34:32 8,724 ----a-w C:\WINDOWS\pchealth\helpctr\PackageStore\SkuStore.bin
- 2008-03-30 16:04:04 278,528 ----a-w C:\WINDOWS\system32\pncrt.dll
+ 2008-09-19 23:44:08 278,528 ----a-w C:\WINDOWS\system32\pncrt.dll
- 2008-03-30 16:04:14 6,656 ----a-w C:\WINDOWS\system32\pndx5016.dll
+ 2008-09-19 23:44:14 6,656 ----a-w C:\WINDOWS\system32\pndx5016.dll
- 2008-03-30 16:04:14 5,632 ----a-w C:\WINDOWS\system32\pndx5032.dll
+ 2008-09-19 23:44:14 5,632 ----a-w C:\WINDOWS\system32\pndx5032.dll
- 2008-09-18 16:28:24 135,236 ----a-w C:\WINDOWS\system32\Restore\rstrlog.dat
+ 2008-09-20 03:55:40 964,148 ----a-w C:\WINDOWS\system32\Restore\rstrlog.dat
- 2008-03-30 16:04:52 185,944 ----a-w C:\WINDOWS\system32\rmoc3260.dll
+ 2008-09-19 23:44:48 185,944 ----a-w C:\WINDOWS\system32\rmoc3260.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{0A94B116-4504-4e26-AB05-E61E474AA38B}"= "C:\Program Files\AskPBar\SrchAstt\1.bin\A9SRCHAS.DLL" [11/30/2007 09:47 PM 61440]
[HKEY_CLASSES_ROOT\clsid\{0a94b116-4504-4e26-ab05-e61e474aa38b}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [09/07/2008 04:25 PM 68856]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 01:07 AM 15360]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [01/19/2007 12:55 PM 5674352]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"WIAWizardMenu"="C:\WINDOWS\system32\sti_ci.dll" [08/04/2004 01:07 AM 136704]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [08/04/2004 01:07 AM 15360]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="C:\WINDOWS\system32\tscupgrd.exe" [08/04/2004 01:59 AM 44544]
"RunNarrator"="Narrator.exe" [08/04/2004 01:07 AM 53760 C:\WINDOWS\system32\narrator.exe]
C:\Documents and Settings\Hebrew\Start Menu\Programs\Startup\
Stardock Dock.lnk - C:\WINDOWS\BricoPacks\Vista Inspirat\Dock\Dock.exe [2005-02-21 1826885]
Y'z ToolBar.lnk - C:\WINDOWS\BricoPacks\Vista Inspirat\YzToolbar\YzToolBar.exe [2002-09-29 90112]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux7"= ctwdm32.dll
"VIDC.YV12"= yv12vfw.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\wpwin8.EXE]
"Debugger"=ntsd -d
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Ulead Photo Express 3.0 SE Calendar Checker.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Ulead Photo Express 3.0 SE Calendar Checker.lnk
backup=C:\WINDOWS\pss\Ulead Photo Express 3.0 SE Calendar Checker.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^????? ????^???????^??? ???????^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\????? ????\???????\??? ???????\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^????? ????^???????^??? ???????^Exif Launcher S.lnk]
path=C:\Documents and Settings\All Users\????? ????\???????\??? ???????\Exif Launcher S.lnk
backup=C:\WINDOWS\pss\Exif Launcher S.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^HUSSAM^Start Menu^Programs^Startup^portable Myproxy.lnk]
path=C:\Documents and Settings\HUSSAM\Start Menu\Programs\Startup\portable Myproxy.lnk
backup=C:\WINDOWS\pss\portable Myproxy.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k [X]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
--a------ 01/02/2006 04:41 PM 45056 C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVP]
--a------ 06/28/2007 12:51 PM 218376 C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BigDog305]
C:\WINDOWS\VM305_STI.EXE [BU]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CameraFixer]
--a------ 06/02/2006 10:44 AM 20480 C:\WINDOWS\CameraFixer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 08/04/2004 01:07 AM 15360 C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Domino]
--a------ 06/28/2006 05:54 PM 49152 C:\WINDOWS\Domino.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Evidence Eliminator]
--a------ 04/04/2001 08:45 PM 767081 C:\Program Files\Evidence Eliminator\Ee.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
-ra------ 04/05/2005 02:19 PM 77824 C:\WINDOWS\system32\hkcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
--a------ 10/23/2003 07:51 PM 233472 C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 06/25/2003 11:24 AM 49152 C:\Program Files\Hewlett-Packard\HP Software Update\hpwuSchd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
--a------ 09/01/2003 01:42 PM 176128 C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ]
--------- 08/24/2008 06:14 PM 173304 C:\Program Files\ICQ6\ICQ.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
-ra------ 04/05/2005 02:19 PM 77824 C:\WINDOWS\system32\hkcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
-ra------ 04/05/2005 02:23 PM 114688 C:\WINDOWS\system32\igfxpers.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
-ra------ 04/05/2005 02:22 PM 94208 C:\WINDOWS\system32\igfxtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMEKRMIG6.1]
--a------ 08/23/2001 08:00 AM 44032 C:\WINDOWS\ime\IMKR6_1\imekrmig.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
--a------ 08/03/2004 11:32 PM 208952 C:\WINDOWS\ime\IMJP8_1\imjpmig.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
--------- 07/12/2006 11:58 AM 1397760 C:\Program Files\Ahead\InCD\InCD.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\liesreal]
--a------ 09/10/2008 02:53 PM 563200 C:\DOCUME~1\HUSSAM\APPLIC~1\BLUEMA~1\WARN USER.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mpeg heck log link]
--a------ 09/14/2008 09:32 AM 537088 C:\Documents and Settings\All Users\Application Data\Joy coal mpeg heck\Mpeg Manager.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 04/14/2008 03:12 AM 1695232 C:\Program Files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
--a------ 01/19/2007 12:55 PM 5674352 C:\Program Files\MSN Messenger\msnmsgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 07/09/2001 11:50 AM 155648 C:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 08/29/2005 06:34 PM 86016 C:\WINDOWS\system32\nvmctray.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
-ra------ 04/05/2005 02:23 PM 114688 C:\WINDOWS\system32\igfxpers.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PowerBar]
--------- 04/21/2004 10:26 AM 86016 C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 11/02/2004 08:24 PM 32768 C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\snpstd]
--------- 10/11/2005 01:54 PM 339968 C:\WINDOWS\vsnpstd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 09/07/2008 04:25 PM 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 09/20/2008 01:44 AM 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ulead AutoDetector v2]
--------- 08/11/2004 06:24 PM 90112 C:\Program Files\Common Files\Ulead Systems\Autodetector\Monitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2]
--a------ 02/01/2008 10:51 AM 1885464 C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 03/30/2006 04:45 PM 313472 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VerbAce]
--a------ 04/21/2008 02:56 PM 139264 C:\Program Files\VerbAce\VerbAce.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VMSnap5]
--a------ 06/28/2006 05:39 PM 49152 C:\WINDOWS\VMSnap5.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 08/30/2007 05:43 PM 4670704 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]
--a------ 03/29/2007 12:10 AM 224248 C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
-ra------ 05/03/2005 12:43 PM 69632 C:\WINDOWS\ALCMTR.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
--------- 01/07/2005 05:07 PM 61952 C:\WINDOWS\system32\HdAShCut.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
-ra------ 11/14/2006 11:21 AM 16270848 C:\WINDOWS\RTHDCPL.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\S3Trayp]
-ra------ 07/10/2006 09:33 PM 176128 C:\WINDOWS\system32\S3Trayp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
-ra------ 05/16/2006 12:04 PM 2879488 C:\WINDOWS\SkyTel.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
-r------- 03/01/2006 10:22 AM 577536 C:\WINDOWS\soundman.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
-ra------ 08/03/2006 09:53 AM 53248 C:\WINDOWS\system32\VTTimer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTrayp]
-ra------ 12/15/2006 08:04 AM 176128 C:\WINDOWS\system32\VTTrayp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"D:\\games2006\\hot2\\NFSHP2.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\ICQ6\\ICQ.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"443:TCP"= 443:TCP:*:Disabled:ooVoo TCP ?????? 443
"443:UDP"= 443:UDP:*:Disabled:ooVoo UDP ?????? 443
"37674:TCP"= 37674:TCP:*:Disabled:ooVoo TCP ?????? 37674
"37674:UDP"= 37674:UDP:*:Disabled:ooVoo UDP ?????? 37674
"37675:UDP"= 37675:UDP:*:Disabled:ooVoo UDP ?????? 37675
R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys [02/23/2006 06:38 AM 9728]
R0 xfilt;VIA SATA IDE Hot-plug Driver;C:\WINDOWS\system32\DRIVERS\xfilt.sys [02/23/2006 06:39 AM 11264]
R1 HMFAxCore1064fee8d5145a8ae0eccbdbff329270;HMFAxCore1064fee8d5145a8ae0eccbdbff329270;C:\WINDOWS\system32\drivers\HMFAxCore1064fee8d5145a8ae0eccbdbff329270.sys [01/30/2008 10:23 AM 22304]
S2 ICQ Service;ICQ Service;C:\Program Files\ICQ6Toolbar\ICQ Service.exe [06/10/2008 07:26 PM 222456]
S2 Pctspk;PCTEL Speaker Phone;C:\WINDOWS\system32\pctspk.exe [08/17/2001 10:36 PM 86016]
S3 atirage;atirage;C:\WINDOWS\system32\DRIVERS\atiragem.sys [08/17/2001 12:48 PM 70528]
S3 NtApm;NT Apm/Legacy Interface Driver;C:\WINDOWS\system32\DRIVERS\NtApm.sys [08/04/2004 01:07 AM 9344]
S3 PavSRK.sys;PavSRK.sys;C:\WINDOWS\system32\PavSRK.sys [ ]
S3 Ptserlp;PCTEL Serial Device Driver for PCI;C:\WINDOWS\system32\DRIVERS\ptserlp.sys [08/17/2001 01:28 PM 112574]
S3 S3GIGP;S3GIGP;C:\WINDOWS\system32\DRIVERS\S3gIGPm.sys [08/14/2006 05:51 AM 654848]
S3 trid3d;trid3d;C:\WINDOWS\system32\DRIVERS\trid3dm.sys [08/17/2001 12:51 PM 222336]
S3 ZSMC0305;Vimicro USB PC Camera (VC0305);C:\WINDOWS\system32\Drivers\usbVM305.sys [08/10/2006 06:32 AM 391737]
S4 Stormser;Stormser;C:\PROGRA~1\RINGZS~1\STORMC~1\Stormser.exe [06/20/2008 12:35 PM 991232]
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\HUSSAM\Application Data\Mozilla\Firefox\Profiles\m4v9o798.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://start.icq.com/
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
Rootkit scan 2008-09-25 01:18:51
Windows 5.1.2600 Service Pack 2 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\tsd32.dll
.
Completion time: 09/25/2008 1:19:40
ComboFix-quarantined-files.txt 2008-09-24 23:19:36
ComboFix4.txt 2008-09-02 01:37:32
ComboFix3.txt 2008-09-18 11:31:40
ComboFix2.txt 2008-09-18 16:53:24
Pre-Run: 9,242,492,928 bytes free
Post-Run: 9,372,598,272 bytes free
367 --- E O F --- 2008-09-09 23:04:25
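The two logs above are the raw output of HijackThis and ComboFix; nothing on the page explains how a helper actually reads them. As an added example that is not part of the original post and not code from either tool, the script below parses HijackThis-style lines and applies the first-pass triage heuristics a helper would use on this log: entries whose target file is absent ("(no file)", "(file missing)"), autostarts launched from a Temp directory, O23 services whose binary carries no company name ("Unknown owner"), and browser hooks or BHOs registered with no display name. The sample input is a handful of lines copied from the HijackThis log above; the flag texts, the function names and the regular expressions are this example's own choices. A flag is a prompt to look closer, not a verdict: the orphaned PSEXESVC entry, for instance, is consistent with a leftover registration from a Sysinternals PsExec run, and the Kaspersky entry is deliberately left unflagged.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample input: six lines taken from the HijackThis log above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKCU\..\Run: [protect_autorun] C:\DOCUME~1\HUSSAM\LOCALS~1\Temp\ir_ext_temp_0\AutoPlay\Docs\CPE17AntiAutoruna.exe /start
O23 - Service: ICQ Service - Unknown owner - C:\Program Files\ICQ6Toolbar\ICQ Service.exe
O23 - Service: PsExec (PSEXESVC) - Unknown owner - C:\WINDOWS\PSEXESVC.EXE (file missing)
R3 - URLSearchHook: (no name) - - (no file)
"""

# HijackThis lines start with a section code (R0-R3, F0-F3, N1-N4, O1-O24) and " - ".
SECTION_RE = re.compile(r"^([RFNO]\d{1,2}) - (.*)$")
# A backslash-delimited "Temp" path component, e.g. \LOCALS~1\Temp\ or \Local Settings\Temp\.
TEMP_DIR_RE = re.compile(r"\\Temp\\", re.IGNORECASE)


@dataclass
class Entry:
    section: str                 # e.g. "O4" or "O23"
    body: str                    # everything after the "O4 - " prefix
    flags: list[str] = field(default_factory=list)


def parse_entries(text: str) -> list[Entry]:
    """Split log text into Entry objects, ignoring lines that are not HJT entries."""
    entries = []
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            entries.append(Entry(section=m.group(1), body=m.group(2)))
    return entries


def triage(entry: Entry) -> list[str]:
    """Attach triage flags to one entry and return them (empty list = nothing notable)."""
    body = entry.body
    flags = []
    if "(no file)" in body or "(file missing)" in body:
        flags.append("orphaned: referenced file is absent")
    if TEMP_DIR_RE.search(body):
        flags.append("autostart from a temporary directory")
    if entry.section == "O23" and "Unknown owner" in body:
        flags.append("service binary has no publisher/company name")
    if entry.section in ("O2", "O3", "R3") and "(no name)" in body:
        flags.append("browser hook/BHO with no display name")
    entry.flags = flags
    return flags


def triage_log(text: str) -> list[Entry]:
    """Parse a log and return only the entries that received at least one flag."""
    return [e for e in parse_entries(text) if triage(e)]


if __name__ == "__main__":
    for e in triage_log(SAMPLE_LOG):
        print(f"{e.section:>3}  {e.body}")
        for f in e.flags:
            print(f"       -> {f}")
```

Run it as-is to see the five flagged entries from the sample; to use it on a full log, pass the file contents to `triage_log()` instead of `SAMPLE_LOG`. The heuristics deliberately avoid a hard-coded list of "known good" vendors, because an entry such as the Kaspersky autostart is cleared by its signed, present binary rather than by its name.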