ComboFix report
ComboFix 08-11-22.02 - user 2008-11-23 17:44:19.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1256.974.1033.18.684 [GMT 3:00]
Running from: c:\documents and settings\user\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\shell31.dll
.
((((((((((((((((((((((((( Files Created from 2008-10-23 to 2008-11-23 )))))))))))))))))))))))))))))))
.
2008-11-23 00:20 . 2008-11-23 00:20 <DIR> d-------- c:\windows\system32\CatRoot_bak
2008-11-23 00:17 . 2008-08-14 13:00 2,180,352 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2008-11-23 00:17 . 2008-08-14 12:58 2,136,064 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-11-23 00:17 . 2008-08-14 12:22 2,057,728 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-11-23 00:17 . 2008-08-14 12:22 2,015,744 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
2008-11-23 00:17 . 2007-12-18 17:40 450,560 --a------ c:\windows\system32\SETAF.tmp
2008-11-23 00:17 . 2008-06-13 16:10 272,128 --------- c:\windows\system32\drivers\bthport.sys
2008-11-23 00:17 . 2008-06-13 16:10 272,128 -----c--- c:\windows\system32\dllcache\bthport.sys
2008-11-23 00:04 . 2008-10-24 14:10 453,632 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-22 23:59 . 2008-11-23 03:10 <DIR> d--h----- c:\windows\$hf_mig$
2008-11-22 23:53 . 2008-11-22 23:53 <DIR> d-------- c:\documents and settings\user\Application Data\Thinstall
2008-11-22 23:30 . 2008-11-22 23:30 23,600 --a------ c:\windows\system32\drivers\TVICHW32.SYS
2008-11-22 23:13 . 2008-11-22 23:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\Grisoft
2008-11-22 22:13 . 2008-11-22 22:13 <DIR> d-------- C:\Deckard
2008-11-22 12:52 . 2008-11-22 12:52 <DIR> d--h----- c:\windows\PIF
2008-11-22 12:24 . 2008-11-22 12:27 <DIR> d-------- c:\program files\NoAdware
2008-11-20 18:27 . 2008-11-20 18:27 <DIR> d-------- c:\windows\PaltalkScene
2008-11-20 18:27 . 2008-11-20 18:39 <DIR> d-------- c:\program files\Paltalk Messenger
2008-11-20 18:27 . 2008-11-20 18:39 <DIR> d-------- c:\documents and settings\user\Application Data\Paltalk
2008-11-19 15:43 . 2008-11-19 15:43 <DIR> d-------- c:\documents and settings\user\Application Data\PC Suite
2008-11-19 15:43 . 2008-11-19 15:43 <DIR> d-------- c:\documents and settings\user\Application Data\Nokia
2008-11-19 15:43 . 2008-11-19 15:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\PC Suite
2008-11-19 15:39 . 2008-11-20 13:37 <DIR> d-------- c:\program files\Nokia
2008-11-19 15:39 . 2008-11-19 15:39 <DIR> d-------- c:\program files\DIFX
2008-11-19 15:39 . 2008-05-07 07:38 90,624 --a------ c:\windows\system32\nmwcdcls.dll
2008-11-19 15:39 . 2007-09-17 15:53 21,632 --a------ c:\windows\system32\drivers\pccsmcfd.sys
2008-11-19 15:36 . 2008-11-19 15:36 <DIR> d-------- c:\documents and settings\All Users\Application Data\Installations
2008-11-19 15:21 . 2008-11-20 13:38 <DIR> d-------- c:\program files\NSS
2008-11-19 15:21 . 2006-08-29 17:56 32,377 --a------ c:\windows\system32\drivers\prodigy.sys
2008-11-18 17:30 . 2008-11-18 17:30 315,392 --a------ c:\windows\HideWin.exe
2008-11-18 16:13 . 2008-05-01 16:35 53,248 --a------ c:\windows\system32\CSVer.dll
2008-11-18 16:10 . 2008-07-16 22:35 9,728 --a------ c:\windows\system32\RtNicProp32.dll
2008-11-18 16:03 . 2008-11-18 17:36 <DIR> d-------- c:\documents and settings\All Users\Application Data\ma-config.com
2008-11-18 16:02 . 2008-11-18 16:02 <DIR> d-------- C:\سجل محادثاتى
2008-11-18 15:58 . 2008-11-18 17:36 <DIR> d-------- c:\program files\ma-config.com
2008-11-18 15:43 . 1998-10-02 19:00 327,168 --a------ c:\windows\IsUninst.exe
2008-11-18 15:41 . 2008-11-18 15:41 <DIR> d-------- c:\program files\Setup Files
2008-11-18 15:39 . 2008-11-20 13:38 <DIR> d-------- c:\program files\MSI
2008-11-18 15:33 . 2008-11-18 15:33 16 --a------ c:\windows\wininit.ini
2008-11-17 15:37 . 2008-11-17 23:20 <DIR> d-------- c:\program files\Anti Trojan Elite
2008-11-17 13:42 . 2008-11-17 13:54 96,976 --a------ c:\windows\system32\drivers\klin.dat
2008-11-17 13:42 . 2008-11-17 13:42 87,855 --a------ c:\windows\system32\drivers\klick.dat
2008-11-17 13:41 . 2008-11-17 13:41 <DIR> d-------- c:\program files\Kaspersky Lab
2008-11-17 13:41 . 2008-11-23 03:57 <DIR> d-------- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2008-11-17 13:41 . 2008-11-23 17:46 1,745,440 --ahs---- c:\windows\system32\drivers\fidbox.dat
2008-11-17 13:41 . 2008-11-23 17:46 319,520 --ahs---- c:\windows\system32\drivers\fidbox2.dat
2008-11-17 13:41 . 2008-11-23 17:46 15,764 --ahs---- c:\windows\system32\drivers\fidbox.idx
2008-11-17 13:41 . 2008-11-23 17:46 3,220 --ahs---- c:\windows\system32\drivers\fidbox2.idx
2008-11-17 13:39 . 2008-11-17 13:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-11-17 13:05 . 2008-11-18 01:04 <DIR> d-------- c:\program files\The Cleaner
2008-11-17 01:34 . 2008-11-17 01:34 <DIR> d-------- c:\program files\Intel Desktop Board
2008-11-16 16:10 . 2008-11-23 03:02 <DIR> d-------- c:\program files\Hotspot Shield
2008-11-16 01:23 . 2008-11-16 01:23 <DIR> d-------- C:\Intel
2008-11-16 01:23 . 2008-11-16 01:23 <DIR> d-------- C:\Drivers
2008-11-16 01:06 . 2008-11-22 16:58 <DIR> d-------- c:\documents and settings\user\Application Data\Uniblue
2008-11-16 01:06 . 2008-11-20 13:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\DriverScanner
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-18 14:34 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-18 14:28 --------- d-----w c:\program files\RogueRemover PRO
2008-10-18 14:27 2,015 ---h--r c:\windows\system32\drivers\hosts
2008-10-18 04:28 --------- d-----w c:\documents and settings\user\Application Data\MsgCenter
2008-10-16 11:14 --------- d-----w c:\program files\GRETECH
2008-10-16 11:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 11:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 11:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 11:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 11:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 11:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 11:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 11:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 00:51 --------- d-----w c:\program files\Power Email Harvester
2008-10-07 21:47 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-09-15 11:57 1,846,016 ----a-w c:\windows\system32\win32k.sys
2008-09-04 16:42 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2008-08-29 14:43 25,088 ----a-w c:\windows\system32\msxml3a.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}]
2008-11-23 00:08 200192 --a------ c:\program files\Hotspot Shield\hssie\HssIE.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-04 1667584]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-07-21 185896]
"tcactive"="c:\program files\The Cleaner\tca.exe" [2001-01-10 295424]
"tcmonitor"="c:\program files\The Cleaner\tcm.exe" [2001-01-10 248320]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2008-07-29 206088]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"443:TCP"= 443:TCP:*:Disabled:ooVoo TCP المنفذ 443
"443:UDP"= 443:UDP:*:Disabled:ooVoo UDP المنفذ 443
"37674:TCP"= 37674:TCP:*:Disabled:ooVoo TCP المنفذ 37674
"37674:UDP"= 37674:UDP:*:Disabled:ooVoo UDP المنفذ 37674
"37675:UDP"= 37675:UDP:*:Disabled:ooVoo UDP المنفذ 37675
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-01-29 32784]
R1 BIOS;BIOS;\??\c:\windows\system32\drivers\BIOS.sys [2008-07-08 13696]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\DRIVERS\klfltdev.sys [2008-03-13 26640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\DRIVERS\klim5.sys [2008-04-30 24592]
S3 ATE_PROCMON;ATE_PROCMON;\??\c:\program files\Anti Trojan Elite\ATEPMon.sys []
S3 PRODIGY;PRODIGY;c:\windows\system32\Drivers\PRODIGY.SYS [2008-11-19 32377]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c1f66863-5120-11dd-a249-00121791eceb}]
\Shell\AutoRun\command - 1rfw8hjr.com
\Shell\explore\Command - 1rfw8hjr.com
\Shell\open\Command - 1rfw8hjr.com
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ed7013a2-574e-11dd-a253-00121791eceb}]
\Shell\AutoRun\command - hgu.bat
\Shell\explore\Command - hgu.bat
\Shell\open\Command - hgu.bat
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f0792a96-78dc-11dd-a2e2-00121791eceb}]
\Shell\Auto\command - Sever.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Sever.exe
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.freeze.com/?AcquisitionID=0db58d0f-2bd9-45fa-9c40-75175a2bf78d&s=&ipc=
mStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O16 -: Microsoft XML Parser for Java -
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
O16 -: {8167C273-DF59-4416-B647-C8BB2C7EE83E} - hxxp://liveupdate.msi.com.tw/autobios/LOnline/install.cab
c:\windows\Downloaded Program Files\MSIWDev.inf
O16 -: {867E13F2-7F31-44FB-AC97-CD38E0DC46EF} - hxxp://fichiers.touslesdrivers.com/fichiers/hardwaredetection/hardwaredetection_3_0_4_0.cab
c:\windows\Downloaded Program Files\hardwaredetection.inf
.
.
------- File Associations -------
.
txtfile=c:\windows\notepad.exe %1
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
Rootkit scan 2008-11-23 17:47:26
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Hotspot Shield\bin\openvpnas.exe
.
**************************************************************************
.
Completion time: 2008-11-23 17:50:09 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-23 14:50:04
Pre-Run: 33,958,793,216 bytes free
Post-Run: 33,938,223,104 bytes free
184 --- E O F --- 2008-11-23 00:10:36