حياتي ملكي
05-27-2010, 06:08 AM
Peace be upon you.
A few days ago my email account was stolen, and I suspect my computer is hacked. I don't know what to do. Anyway, I scanned the computer with the ComboFix tool,
and this is the tool's report. Pleeeease, can someone help me and tell me what to do to make sure my computer is clean and not hacked?
ComboFix 10-05-26.01 - Administrator 05/26/2010 21:55:48.6.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1256.966.1033.18.1014.671 [GMT 3:00]
Running from: c:\********s and settings\Administrator\My ********s\Downloads\Programs\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
.
((((((((((((((((((((((((( Files Created from 2010-04-26 to 2010-05-26 )))))))))))))))))))))))))))))))
.
2010-06-10 20:02 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-06-02 22:19 . 2010-04-01 23:04 -------- d-----w- c:\********s and settings\Administrator\Local Settings\Application Data\Temp
2010-06-02 22:00 . 2010-06-02 22:00 -------- d-----w- c:\********s and settings\Administrator\Local Settings\Application Data\Real
2010-06-02 21:55 . 2010-06-02 21:55 118784 ----a-w- c:\********s and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll
2010-06-02 21:55 . 2010-06-02 21:55 118784 ----a-w- c:\********s and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll
2010-06-02 21:55 . 2010-06-02 21:55 118784 ----a-w- c:\********s and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll
2010-06-02 21:55 . 2010-06-02 21:55 118784 ----a-w- c:\********s and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll
2010-06-02 21:55 . 2010-06-02 21:55 118784 ----a-w- c:\********s and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll
2010-06-02 21:55 . 2010-06-02 21:55 300616 ----a-w- c:\********s and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll
2010-06-02 21:55 . 2010-06-02 21:55 118784 ----a-w- c:\********s and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll
2010-06-02 21:55 . 2010-06-02 21:55 329312 ----a-w- c:\********s and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
2010-06-02 21:54 . 2010-06-02 21:54 -------- d-----w- c:\program files\Common Files\xing shared
2010-05-21 04:03 . 2010-05-22 05:24 -------- d-----w- c:\********s and settings\Administrator\Application Data\X-NetStat
2010-05-21 04:03 . 2010-05-23 07:53 -------- d-----w- c:\program files\X-NetStat Professional
2010-05-16 20:28 . 2010-05-16 22:33 -------- d-----w- c:\********s and settings\Administrator\Local Settings\Application Data\OpenCandy
2010-05-16 20:28 . 2010-05-16 20:28 256899 ----a-w- c:\********s and settings\Administrator\Application Data\OpenCandy\DlMgr3Wrapper.exe
2010-05-16 20:28 . 2010-05-16 20:38 -------- d-----w- c:\********s and settings\Administrator\Application Data\OpenCandy
2010-05-07 06:57 . 2010-05-07 06:57 -------- d-----w- c:\program files\TRAYTEST
2010-05-07 06:54 . 2010-05-07 06:54 -------- d-----w- c:\program files\Windows Live
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-02 21:54 . 2009-06-30 16:59 -------- d-----w- c:\program files\Common Files\Real
2010-06-02 21:54 . 2009-06-30 16:59 -------- d-----w- c:\program files\Real
2010-06-02 21:53 . 2009-06-30 16:59 499712 ----a-w- c:\windows\system32\msvcp71.dll
2010-05-24 20:14 . 2010-04-01 03:28 -------- d-----w- c:\program files\Your Uninstaller 2010
2010-05-24 20:14 . 2009-06-29 20:13 -------- d-----w- c:\program files\Atheros
2010-05-24 18:46 . 2009-12-24 03:54 -------- d---a-w- c:\********s and settings\All Users\Application Data\TEMP
2010-05-16 22:06 . 2009-10-23 01:30 -------- d-----w- c:\program files\iTunes
2010-05-16 20:28 . 2009-12-26 16:20 -------- d-----w- c:\********s and settings\Administrator\Application Data\AnvSoft
2010-05-16 20:28 . 2009-12-26 16:20 -------- d-----w- c:\program files\AnvSoft
2010-05-16 06:10 . 2009-12-29 20:48 -------- d-----w- c:\********s and settings\Administrator\Application Data\TRAYTEST
2010-05-16 06:10 . 2009-12-29 20:47 -------- d-----w- c:\program files\Circle Development
2010-05-12 07:20 . 2009-12-29 20:48 -------- d-----w- c:\********s and settings\All Users\Application Data\hide cool shim link
2010-05-07 06:57 . 2009-12-29 20:47 -------- d-----w- c:\program files\Messenger Plus! Live
2010-04-17 18:41 . 2009-06-30 17:32 -------- d-----w- c:\program files\BS.Player
2010-04-12 02:07 . 2009-06-29 15:20 93656 ----a-w- c:\********s and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-07 02:45 . 2010-04-07 02:45 -------- d-----w- c:\program files\Stardock
2010-04-06 20:33 . 2010-04-06 20:33 -------- d-----w- c:\program files\Trend Micro
2010-04-04 01:33 . 2009-11-22 06:55 -------- d-----w- c:\program files\Google
2010-04-03 03:19 . 2010-04-03 03:19 26694 ----a-r- c:\********s and settings\Administrator\Application Data\Microsoft\Installer\{407B9B5C-DAC5-4F44-A756-B57CAB4E6A8B}\UNINST_Uninstall_G_3DE5E7D47B88403CA3FD2017A8240C5B.exe
2010-04-03 03:19 . 2010-04-03 03:19 26694 ----a-r- c:\********s and settings\Administrator\Application Data\Microsoft\Installer\{407B9B5C-DAC5-4F44-A756-B57CAB4E6A8B}\googleearth.exe1_407B9B5CDAC54F44A756B57CAB4E6A8B.exe
2010-04-03 03:19 . 2010-04-03 03:19 26694 ----a-r- c:\********s and settings\Administrator\Application Data\Microsoft\Installer\{407B9B5C-DAC5-4F44-A756-B57CAB4E6A8B}\googleearth.exe_407B9B5CDAC54F44A756B57CAB4E6A8B.exe
2010-04-03 03:19 . 2010-04-03 03:19 26694 ----a-r- c:\********s and settings\Administrator\Application Data\Microsoft\Installer\{407B9B5C-DAC5-4F44-A756-B57CAB4E6A8B}\ARPPRODUCTICON.exe
2010-04-01 04:20 . 2010-04-01 04:20 -------- d-----w- c:\program files\Windows Live SkyDrive
2010-04-01 01:59 . 2010-04-01 01:59 3584 ----a-r- c:\********s and settings\Administrator\Application Data\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
2010-04-01 01:59 . 2010-04-01 01:59 -------- d-----w- c:\program files\Windows Installer Clean Up
2010-04-01 01:58 . 2010-04-01 01:58 -------- d-----w- c:\program files\MSECACHE
2010-04-01 01:28 . 2010-04-01 01:28 -------- d-----w- c:\program files\Microsoft Sync Framework
2010-03-21 13:54 . 2010-03-21 13:54 45200 ------w- c:\windows\system32\drivers\PxHelp20.sys
2010-03-21 13:54 . 2010-03-21 13:54 9200 ------w- c:\windows\system32\drivers\cdralw2k.sys
2010-03-21 13:54 . 2010-03-21 13:54 9072 ------w- c:\windows\system32\drivers\cdr4_xp.sys
2010-03-21 13:54 . 2010-03-21 13:54 59888 ------w- c:\windows\system32\pxwma.dll
2010-03-11 12:38 . 2004-08-04 00:56 832512 ------w- c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2004-08-04 00:56 78336 ------w- c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2004-08-04 00:56 17408 ------w- c:\windows\system32\corpol.dll
2010-03-09 11:09 . 2004-08-04 00:56 430080 ----a-w- c:\windows\system32\vbscript.dll
.
((((((((((((((((((((((((((((( SnapShot_2010-05-24_00.26.59 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-09-17 04:36 . 2010-04-21 13:28 46080 c:\windows\system32\tzchange.exe
- 2009-09-17 04:36 . 2010-01-23 08:11 46080 c:\windows\system32\tzchange.exe
+ 2009-10-23 23:36 . 2009-05-26 09:01 17272 c:\windows\system32\spmsg.dll
- 2009-10-23 23:36 . 2009-05-26 11:40 17272 c:\windows\system32\spmsg.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-09-18 5728112]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-02-26 131072]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-02-26 155648]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-02-26 131072]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-06-02 202256]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
[HKLM\~\startupfolder\C:^********s and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\********s and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-02-27 14:10 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AzMixerSel]
2006-07-17 19:40 53248 ------w- c:\program files\Realtek\InstallShield\AzMixerSel.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
2008-04-14 00:12 110592 ----a-w- c:\windows\system32\bthprops.cpl
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IObit Security 360]
2009-11-14 08:51 1278736 ----a-w- c:\program files\IObit\IObit Security 360\is360tray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTune****per]
2009-09-08 18:09 305440 ----a-w- c:\program files\iTunes\iTune****per.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-09-18 18:51 5728112 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PLFSetL]
2007-07-05 09:35 94208 ----a-w- c:\windows\PLFSetL.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-09-04 22:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2007-07-05 13:08 16380416 ----a-w- c:\windows\RTHDCPL.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2010-06-02 21:53 202256 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\********s and Settings\\Administrator\\Desktop\\TeamViewer_4.1.6873_Portable\\TeamViewer.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [29/06/2009 09:54 م 108289]
R2 BandLuxe_Service;BandLuxe Service;c:\program files\BandRich\BandLuxe HSDPA Utility R11\BRService.exe [03/10/2008 10:41 ص 87264]
R2 IS360service;IS360service;c:\program files\IObit\IObit Security 360\is360srv.exe [24/12/2009 07:29 ص 312592]
S3 br3gmdm;BandLuxe 3.5G HSDPA Adapter - USB;c:\windows\system32\drivers\br3gmdm.sys [05/07/2009 10:32 م 104192]
.
Contents of the 'Scheduled Tasks' folder
2010-06-16 c:\windows\Tasks\User_Feed_Synchronization-{FAA5F322-EBD0-4E75-911D-9A230044DD01}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 15:36]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.sa/
uInternet Settings,ProxyOverride = local
IE: &تصدير إلى Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {C171FF59-8C55-4796-A398-4F5D02B4C763} - hxxp://chat.ksacool.org:1994/talks3n.cab
FF - ProfilePath - c:\********s and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ztn98qx6.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://go.microsoft.com/fwlink/?LinkId=69157
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - component: c:\********s and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordext.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistan****ension\
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-26 21:59
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-436374069-1606980848-839522115-500\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
@Denied: (Full) (LocalSystem)
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{0bafe31e-aed4-4794-a14a-2a69c8e94915}]
@Denied: (Full) (Everyone)
"Model"=dword:00000165
"Therad"=dword:00000015
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):8c,04,c1,72,4c,9a,48,3d,21,9e,61,97,43,b9,8f,9a,01,25,24,f4,79,
92,52,cf,04,ae,ee,bf,14,5c,01,86,2c,c3,0b,c8,8c,f3,99,ea,00,00,00,00,00,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(3452)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-05-26 22:01:44
ComboFix-quarantined-files.txt 2010-05-26 19:01
ComboFix2.txt 2010-04-06 18:20
Pre-Run: 16,801,402,880 bytes free
Post-Run: 16,812,445,696 bytes free
- - End Of File - - 54AC88915E85BD402CB576D199EAB126
