دويتو غريب
Distinguished Zyzoomer
- Joined: 25 August 2008
- Posts: 528
- Reaction score: 0
- Points: 520
- Location: يبي
- Website: www,algrabiya.net
ComboFix 08-11-22.02 - alsadi 11/24/2008 0:57:24.19 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1256.1.1025.18.105 [GMT 3:00]
Running from: c:\documents and settings\alsadi\سطح المكتب\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2008-10-23 to 2008-11-23 )))))))))))))))))))))))))))))))
.
No new files created in this timespan
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-23 17:40 21,145,632 --sha-w c:\windows\system32\drivers\fidbox.dat
2008-11-23 17:33 1,113,888 --sha-w c:\windows\system32\drivers\fidbox2.dat
2008-11-22 23:27 327,428 --sha-w c:\windows\system32\drivers\fidbox.idx
2008-11-22 23:27 110,144 --sha-w c:\windows\system32\drivers\fidbox2.idx
2008-11-20 15:21 --------- dc----w c:\documents and settings\alsadi\Application Data\cleaner
2008-11-19 16:09 --------- dc----w c:\program files\Notepad++
2008-11-18 21:52 --------- dc----w c:\program files\NauzNet Solutions
2008-11-16 22:37 --------- dc----w c:\documents and settings\alsadi\Application Data\Notepad++
2008-11-16 14:26 --------- dc----w c:\documents and settings\All Users\Application Data\Bluetooth
2008-11-16 10:28 --------- dc----w c:\program files\Paltalk Messenger
2008-11-16 10:27 --------- dc----w c:\program files\No-IP
2008-11-16 10:25 --------- dc----w c:\program files\AMSN
2008-11-14 08:38 --------- dc----w c:\program files\PHP Expert Editor
2008-11-12 21:28 --------- dc----w c:\program files\LeapFTP
2008-11-12 19:48 30,615 -c--a-w c:\windows\java\x.exe
2008-11-04 17:38 --------- dc----w c:\program files\Kelk 2000
2008-11-04 17:34 --------- dc----w c:\program files\FlashFXP
2008-10-31 21:41 --------- dc----w c:\program files\Circle Developement
2008-10-31 21:40 --------- dc----w c:\program files\Messenger Plus! Live
2008-10-27 22:35 --------- dc----w c:\documents and settings\alsadi\Application Data\bif
2008-10-18 12:03 --------- dc----w c:\program files\Hotspot Shield
2008-10-17 09:05 64,502 -c--a-w c:\windows\BricoPackUninst.cmd
2008-10-17 09:05 6,108 -c--a-w c:\windows\BricoPackFoldersDelete.cmd
2008-10-17 09:05 218,624 -c--a-w c:\windows\system32\uxtheme.dll
2008-10-09 21:04 --------- dc----w c:\program files\LtUcx
2008-10-09 12:00 --------- dc----w c:\program files\Kaspersky Lab
2008-10-03 14:16 --------- dc----w c:\program files\Java
2008-10-03 14:14 --------- dc----w c:\program files\Common Files\Java
2008-10-03 13:49 --------- dc----w c:\program files\DirectVobSub
2008-10-03 13:49 --------- dc----w c:\program files\CD Audio Reader Filter
2008-10-03 13:47 --------- dc----w c:\program files\SHOUTcast Source
2008-10-01 13:02 --------- dc----w c:\documents and settings\All Users\Application Data\FlashFXP
2008-09-30 04:18 --------- dc----w c:\program files\Yahoo!
2008-09-15 15:37 1,845,888 -c--a-w c:\windows\system32\win32k.sys
2008-08-29 14:43 25,088 -c--a-w c:\windows\system32\msxml3a.dll
2008-08-28 14:54 155,995 -c--a-w c:\windows\java\Packages\80NJZPRJ.ZIP
2008-08-28 14:23 499,712 ----a-w c:\windows\system32\msvcp71.dll
2008-08-28 14:23 348,160 ----a-w c:\windows\system32\msvcr71.dll
.
((((((((((((((((((((((((((((( snapshot_Sun 11-16-2008_17.37.42.31 )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-04-14 14:34:36 872,448 -c--a-w c:\windows\system32\iconv.dll
+ 2004-04-14 14:34:48 1,327,104 -c--a-w c:\windows\system32\php4ts.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [08/04/2004 03:56 AM 15360]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [11/29/2007 07:25 PM 5724184]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [08/04/2004 01:09 AM 1667584]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [08/28/2008 05:23 PM 185896]
"kav"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" [02/15/2006 05:37 PM 135271]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_04\bin\jusched.exe" [06/03/2005 03:52 AM 36975]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [08/04/2004 03:56 AM 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"81:TCP"= 81:TCP:biforst
R1 is-VS2F2drv;is-VS2F2drv;c:\windows\system32\drivers\97304137.sys [2008-08-28 148496]
S3 AVPsys;AVPsys;\??\c:\windows\system32\drivers\tdi.sys [2004-08-04 18560]
S4 is-VS2F2;is-VS2F2;"c:\documents and settings\All Users\سطح المكتب\Kaspersky Lab Tool\is-VS2F2\is-VS2F2.exe" -r []
.
Contents of the 'Scheduled Tasks' folder
2008-11-23 c:\windows\Tasks\AA0CFB6991A77529.job
- c:\docume~1\81ee~1\applic~1\chinfo~1\Start Load Flap.exe []
2008-11-02 c:\windows\Tasks\One-Click Tweak.job
- c:\program files\Advanced PC Tweaker\OneClick.exe []
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = local
IE: &تصدير إلى Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {14CD80A0-CDE4-4B56-8662-AEBF3B859D72} = 192.168.1.254
O16 -: Microsoft XML Parser for Java -
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
c:\windows\system32\msvcrt.dll - c:\windows\system32\mfc42.dll
c:\windows\system32\olepro32.dll
c:\windows\Downloaded Program Files\imcv1.dll
O16 -: {6924091F-CD97-41E1-B1D4-D9079409D413}
hxxp://voice2.maxvoice.net/talk.cab
c:\windows\Downloaded Program Files\talk.inf
c:\windows\Downloaded Program Files\ReadUid.ocx - O16 -: {B7FDB0C3-4724-46D2-B8DB-6FA1DC63F7CA}
hxxp://voice2.maxvoice.net/ReadUid.CAB
c:\windows\Downloaded Program Files\ReadUid.INF
d:\ltucx\1003\c0.dll - c:\windows\system32\msvcrt.dll
c:\windows\system32\mfc42.dll
c:\windows\system32\olepro32.dll
c:\windows\Downloaded Program Files\IMCSec.dll
O16 -: {C171FF59-8C55-4796-A398-4F5D02B4C763}
hxxp://76.76.24.68/imscp/talks3n.cab
c:\windows\Downloaded Program Files\talks.inf
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
Rootkit scan 2008-11-24 01:01:27
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(764)
c:\windows\system32\klogon.dll
c:\windows\system32\rsaenh.dll
- - - - - - - > 'lsass.exe'(820)
c:\windows\system32\msprivs.dll
c:\windows\system32\rsaenh.dll
.
Completion time: 11/24/2008 1:03:28
ComboFix-quarantined-files.txt 2008-11-23 22:03:24
ComboFix2.txt 2008-11-16 14:38:41
ComboFix3.txt 2008-10-28 14:40:12
ComboFix4.txt 2008-10-13 20:11:31
ComboFix5.txt 2008-11-23 21:54:39
Pre-Run: 11,476,893,696 bytes free
Post-Run: 11,486,666,752 bytes free
147 --- E O F --- 2008-10-23 22:34:06
