Thread started by palphoenix (new member; joined 1 February 2008; location: Palestine; website: www.gazasoft.com)
My computer is infected with the Win32/Alman.NAB virus

I downloaded the ******** tool and ran a scan of the machine, after, of course, my earlier scan with NOD32, which gave me this message:
C:\WINDOWS\system32\drivers\nvmini.sys - Win32/Alman.NAB virus - unable to clean

and the virus cannot be deleted.

I have now run a scan with this ******** tool, and here is the scan report:



-------------------------------------------------------

******** 09-02-19.01 - Cool 02/21/2009 17:39:19.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1256.1.1025.18.1919.1510 [GMT 2:00]
Running from: c:\downloads\********.exe
AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated)

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2009-01-21 to 2009-02-21 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-20 10:46 --------- d-----w c:\program files\Hair Pro 2008 Light
2009-02-20 08:08 --------- d-----w c:\program files\FlashGet
2009-02-18 20:51 --------- d-----w c:\documents and settings\Cool\Application Data\MiniDm
2009-02-17 15:34 --------- d-----w c:\documents and settings\Cool\Application Data\IBP
2009-02-16 22:05 --------- d-----w c:\program files\IBP 10
2009-02-16 19:28 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-02-16 18:10 --------- d-----w c:\documents and settings\Administrator\Application Data\Ipswitch
2009-02-16 16:10 --------- d-----w c:\documents and settings\Administrator\Application Data\IEPro
2009-02-14 21:17 --------- d-----w c:\documents and settings\Cool\Application Data\Lavasoft
2009-02-10 12:31 --------- d-----w c:\program files\ReflexiveArcade
2009-02-10 12:31 --------- d-----w c:\program files\DDD Pool
2009-02-09 14:18 --------- d-----w c:\program files\RegCure
2009-02-03 08:10 --------- d-----w c:\documents and settings\Guest\Application Data\Ipswitch
2009-02-02 15:37 --------- d-----w c:\program files\Microsoft ActiveSync
2009-02-01 15:23 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-30 11:10 --------- d-----w c:\program files\Common Files\Nero
2009-01-30 11:08 --------- d-----w c:\program files\Common Files\Ahead
2009-01-30 11:08 --------- d-----w c:\program files\Ahead
2009-01-29 19:54 --------- d-----w c:\program files\Conflict Desert Storm II
2009-01-29 19:49 720,896 ----a-w c:\windows\iun6002.exe
2009-01-29 11:50 --------- d-----w c:\program files\Ipswitch
2009-01-29 11:50 --------- d-----w c:\documents and settings\Cool\Application Data\Ipswitch
2009-01-29 11:50 --------- d-----w c:\documents and settings\All Users\Application Data\Ipswitch
2009-01-25 12:36 --------- d-----w c:\program files\Google
2009-01-24 15:45 --------- d-----w c:\documents and settings\Guest\Application Data\IEPro
2009-01-24 11:20 --------- d-----w c:\program files\IEPro
2009-01-24 11:20 --------- d-----w c:\documents and settings\Cool\Application Data\IEPro
2009-01-22 15:05 499,712 ----a-w c:\windows\system32\msvcp71.dll
2009-01-22 15:05 --------- d-----w c:\program files\Common Files\xing shared
2009-01-22 15:05 --------- d-----w c:\program files\Common Files\Real
2009-01-22 15:04 --------- d-----w c:\program files\Real
2009-01-22 15:03 --------- d-----w c:\program files\WinAMP
2009-01-22 15:03 --------- d-----w c:\documents and settings\Cool\Application Data\DeskSoft
2009-01-22 10:48 --------- d-----w c:\program files\EditPlus 2
2009-01-20 03:30 1,158,281 ----a-w c:\windows\java\Packages\NR3PVJLJ.ZIP
2009-01-19 16:42 --------- d-----w c:\program files\Photo To Cartoon
2009-01-17 14:41 --------- d-----w c:\program files\Windows Live Safety Center
2009-01-17 13:39 --------- d-----w c:\program files\FairStars Audio Converter
2008-12-28 18:39 --------- d-----w c:\documents and settings\All Users\Application Data\DeskSoft
2008-12-26 12:32 --------- d-----w c:\documents and settings\Guest\Application Data\Media Player Classic
2008-12-23 15:23 410,984 ----a-w c:\windows\system32\deploytk.dll
2008-12-23 15:23 --------- d-----w c:\program files\Java
2008-12-16 20:32 155,995 ----a-w c:\windows\java\Packages\C45F9RHJ.ZIP
2008-12-16 20:18 315,392 ----a-w c:\windows\HideWin.exe
.

------- Sigcheck -------

08/03/2004 11:14 PM 359040 9f4b36614a0fc234525ba224957de55c c:\windows\system32\dllcache\tcpip.sys
08/03/2004 11:14 PM 359040 6a603809f598332dbedd535bdbce313e c:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((( SnapShot@Sat 02-21-2009_17.36.06.78 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-02-21 14:26:39 58,722 ----a-w c:\windows\system32\perfc001.dat
+ 2009-02-21 15:38:33 58,722 ----a-w c:\windows\system32\perfc001.dat
- 2009-02-21 14:26:39 58,732 ----a-w c:\windows\system32\perfc009.dat
+ 2009-02-21 15:38:33 58,732 ----a-w c:\windows\system32\perfc009.dat
- 2009-02-21 14:26:39 328,418 ----a-w c:\windows\system32\perfh001.dat
+ 2009-02-21 15:38:33 328,418 ----a-w c:\windows\system32\perfh001.dat
- 2009-02-21 14:26:39 392,432 ----a-w c:\windows\system32\perfh009.dat
+ 2009-02-21 15:38:33 392,432 ----a-w c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [08/04/2004 12:56 AM 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [01/23/2009 07:52 PM 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"svhost"="c:\documents and settings\Cool\قائمة ابدأ\البرامج\بدء التشغيل\msn.exe" [02/20/2009 11:09 AM 49152]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [08/04/2004 12:56 AM 15360]

c:\documents and settings\Cool\قائمة ابدأ\البرامج\بدء التشغيل\
msn [2009-02-21 23978]
msn.exe [2009-02-20 49152]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\HelpSvc.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\UIHost.kxp]
"Debugger"=ntsd -d

[HKLM\~\startupfolder\C:^Documents and Settings^Cool^قائمة ابدأ^البرامج^بدء التشغيل^msn]
path=c:\documents and settings\Cool\قائمة ابدأ\البرامج\بدء التشغيل\msn
backup=c:\windows\pss\msnStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Cool^قائمة ابدأ^البرامج^بدء التشغيل^msn.exe]
path=c:\documents and settings\Cool\قائمة ابدأ\البرامج\بدء التشغيل\msn.exe
backup=c:\windows\pss\msn.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 08/04/2004 12:56 AM 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\egui]
--a------ 10/24/2008 08:50 PM 1451264 c:\program files\ESET\ESET NOD32 Antivirus\egui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IBP]
--a------ 03/17/2008 12:51 PM 8491008 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 03/17/2008 12:51 PM 8491008 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 01/23/2009 07:52 PM 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\FlashGet\\flashget.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\IEPro\\MiniDM.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\IBP 10\\IBP.exe"=

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2008-03-13 34824]
R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2008-10-24 468224]
.
Contents of the 'Scheduled Tasks' folder

2009-02-21 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [02/09/2009 04:13 PM]

2009-02-09 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [02/09/2009 04:13 PM]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm
IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm
IE: &تصدير إلى Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {{000002a3-84fe-43f1-b958-f2c3ca804f1a} - {CD275D4E-791A-4993-9D4D-6A071EDD2709} - c:\program files\IEPro\iepro.dll
DPF: Arab Bank Online Banking Service - hxxps://www.arabi-online.com/abr/english/actual/mainpages/ibs.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Cool\Application Data\Mozilla\Firefox\Profiles\5yjjy68q.default\
FF - prefs.js: browser.startup.homepage - about:blank
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,

Rootkit scan 2009-02-21 17:40:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
svhost = c:\documents and settings\Cool\????? ????\???????\??? ???????\msn.exe

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

.
Completion time: 02/21/2009 17:41:07
********-quarantined-files.txt 2009-02-21 15:41:06
********2.txt 2009-02-21 15:36:35

Pre-Run: 2,472,067,072 bytes free
Post-Run: 2,461,495,296 bytes free

:ok:
Welcome, brother.
Apologies for moving the thread to the appropriate section for follow-up.
This section is for analysing reports from protection programs only; the other reports are provided on request only.

Signature: Demo-dash
Thank you very much, dear brother, but .....

I deleted the virus file, which is named nvmini.sys,

found at the following path: C:\WINDOWS\system32\drivers\nvmini.sys - Win32/Alman.NAB virus

But unfortunately the problem remains that the computer is not behaving normally: it always appears busy, with the mouse cursor indicating that the hard disk is loading or active,

even when I leave it for several minutes without doing anything ..

I would appreciate your help, and also some information about this virus, Win32/Alman.NAB.

Thank you very much
 