لقد ادخلت الجهاز في الوضع الامن واعدت تشغيل البرنامج واعطاني هذا التقرير
كود:
ComboFix 09-04-24.01 - Golden CT 04/25/2009 2:30.1 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1256.966.1033.18.189.101 [GMT 3:00]
Running from: E:\ComboFix.exe
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Outdated)
FW: Kaspersky Anti-Virus *disabled*
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\xp\Desktop\239BA2989350A6C0\239BA2989350A6C0
c:\windows\system32\bgywapx.dll
c:\windows\system32\twain32
c:\windows\system32\twain32\local.ds
c:\windows\system32\twain32\user.ds
c:\windows\system32\twain32\user.ds.lll
.
---- Previous Run -------
.
C:\2.bat
C:\a1agmur.cmd
C:\autorun.inf
C:\cv22.cmd
c:\documents and settings\xp\Desktop\239BA2989350A6C0\
c:\documents and settings\xp\Desktop\239BA2989350A6C0\239BA2989350A6C0
c:\documents and settings\xp\reader_s.exe
c:\documents and settings\xp\Start Menu\Programs\Startup\userinit.exe
c:\documents and settings\xp\svchost.exe
C:\em8tqm.cmd
C:\i.cmd
C:\jeorels.cmd
C:\lsass.exe
C:\minm.cmd
c:\program files\Bifrost
c:\program files\Bifrost\logg.dat
c:\program files\Bifrost\server.exe
c:\program files\evey.dll
c:\program files\Microsoft Common
c:\program files\Microsoft Common\svchost.exe
c:\program files\outlook express\svchost.exe
c:\recycler\S-1-5-21-1482476501-1644491937-682003330-1013
c:\recycler\S-1-5-21-1482476501-1644491937-682003330-1013\Desktop.ini
c:\recycler\S-1-5-21-1482476501-1644491937-682003330-1013\sys32.exe
c:\windows\IE4 Error Log.txt
c:\windows\system32\bgywapx.dll
c:\windows\system32\ckvo.exe
c:\windows\system32\ckvo0.dll
c:\windows\system32\config\systemprofile\svchost.exe
c:\windows\system32\cyoavzhq.dll
c:\windows\system32\drivers\services.exe
c:\windows\system32\drivers\vdttxgsr.sys
c:\windows\system32\nmdfgds0.dll
c:\windows\system32\nmdfgds1.dll
c:\windows\system32\olhrwef.exe
c:\windows\system32\reader_s.exe
c:\windows\system32\twain32\user.ds.lll
c:\windows\system32\twex.exe
c:\windows\Tasks\At1.job
C:\xih9.cmd
C:\xsia.bat
D:\2.bat
D:\a1agmur.cmd
D:\Autorun.inf
D:\cv22.cmd
D:\em8tqm.cmd
D:\i.cmd
D:\jeorels.cmd
D:\minm.cmd
D:\xih9.cmd
D:\xsia.bat
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_pquasboqi
-------\Legacy_svqgoxdt
-------\Service_PquasboQi
-------\Service_svqgoxdt
-------\Legacy_pquasboqi
-------\Legacy_svqgoxdt
-------\Service_pquasboqi
-------\Service_svqgoxdt
((((((((((((((((((((((((( Files Created from 2009-05-24 to 2009-4-24 )))))))))))))))))))))))))))))))
.
2009-04-24 23:35 . 2009-04-24 21:21 20480 ----a-w C:\lsass.exe
2009-04-24 23:27 . 2009-04-24 23:27 7302 ----a-w c:\windows\system32\rrt_vf.wav
2009-04-24 23:27 . 2009-04-24 23:27 7148 ----a-w c:\windows\system32\rrt_tv.wav
2009-04-24 23:27 . 2009-04-24 23:27 6282 ----a-w c:\windows\system32\rrt_tn.wav
2009-04-24 23:27 . 2009-04-24 23:27 16244 ----a-w c:\windows\system32\rrt_is.wav
2009-04-24 12:18 . 2009-04-24 12:18 -------- d-----w c:\documents and settings\xp\Application Data\rznmdwwx
2009-04-24 12:18 . 2009-04-24 12:18 -------- d-----w c:\documents and settings\xp\Local Settings\Application Data\rznmdwwx
2009-04-24 10:04 . 2009-04-24 10:04 -------- d-----w c:\documents and settings\xp\WINDOWS
2009-04-24 10:03 . 2009-04-24 23:36 115836 ----a-w c:\windows\system32\drivers\9d4712d6.sys
2009-04-24 10:03 . 2009-04-24 10:03 175104 ----a-w C:\jikweuy.exe
2009-04-24 10:03 . 2009-04-24 10:03 23040 ----a-w C:\fmvrd.exe
2009-04-24 10:02 . 2009-04-24 10:03 2 ----a-w C:\-197674704
2009-04-24 10:02 . 2009-04-24 10:02 65536 ----a-w c:\windows\system32\absvyjyx.dll
2009-04-24 10:02 . 2009-04-24 10:02 7680 ----a-w C:\dute.exe
2009-04-24 10:02 . 2009-04-24 10:02 6144 ----a-w c:\windows\fd.dll
2009-04-24 10:02 . 2009-04-24 21:21 20480 ----a-w C:\bgfooob.exe
2009-04-21 21:46 . 2009-04-24 07:09 109601 --sh--r C:\g1ljsm.com
2009-04-17 10:49 . 2009-04-17 10:49 108169 --sh--r C:\husyu8n.exe
2009-04-15 18:20 . 2009-04-15 18:19 109249 --sh--r C:\0xuc.com
2009-04-07 20:50 . 2009-04-09 20:04 109396 --sh--r C:\1ogf.exe
2009-04-03 14:27 . 2009-04-23 18:45 -------- d-----w c:\documents and settings\xp\Application Data\IDM
2009-04-03 14:27 . 2009-04-24 17:55 -------- d-----w c:\documents and settings\xp\Application Data\DMCache
2009-04-03 14:26 . 2009-04-03 14:25 109512 --sh--r C:\cqxj.exe
2009-03-31 12:01 . 2009-04-01 17:46 110067 --sh--r C:\0bcobed.exe
2009-03-27 21:07 . 2009-03-27 21:07 -------- d-----w c:\documents and settings\xp\Application Data\BitDefender
2009-03-27 21:06 . 2009-03-27 21:39 -------- d-----w c:\documents and settings\All Users\Application Data\BitDefender
2009-03-27 21:06 . 2009-03-27 21:39 -------- d-----w c:\windows\SxsCaPendDel
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-16 19:23 . 2007-08-11 07:31 9418 ----a-w C:\MP4debug.log
2009-03-19 04:00 . 2009-03-19 04:01 110053 --sh--r C:\q0dhfjf.exe
2009-03-17 15:21 . 2009-03-17 04:05 111363 --sh--r C:\luk1ylq.com
2009-03-01 10:40 . 2009-03-01 10:41 108843 --sh--r C:\gi2ky.exe
2009-02-21 16:36 . 2009-02-21 09:42 106970 --sh--r C:\w2.com
2009-02-15 16:19 . 2009-02-15 16:20 106803 --sh--r C:\qphdin.com
2008-12-29 19:34 . 2004-12-03 06:40 94632 ----a-w c:\documents and settings\xp\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"8880"="C:\bgfooob.exe" [2009-04-24 20480]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2004-08-04 53760]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 40048]
Adobe Reader Synchronizer.lnk - c:\program files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 734872]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\absvyjyx]
2009-04-24 10:02 65536 ----a-w c:\windows\system32\absvyjyx.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
R3 Arrakis3;BitDefender Arrakis Server;c:\program files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe [2008-07-17 118784]
R3 AVPsys;AVPsys;c:\windows\system32\drivers\cdaudio.sys [2001-08-17 18688]
R3 bdfm;bdfm;c:\windows\system32\drivers\bdfm.sys [2008-08-12 108864]
R3 vvftav;vvftav;c:\windows\system32\drivers\vvftav.sys [2007-08-31 474368]
S1 navigator;navigator;c:\windows\fd.dll [2009-04-24 6144]
S2 BDVEDISK;BDVEDISK;c:\program files\BitDefender\BitDefender 2009\BDVEDISK.sys [2008-07-02 82568]
S2 NwSapAgent;SAP Agent;c:\windows\system32\svchost.exe [2004-08-04 14336]
S3 Bdfndisf;BitDefender Firewall NDIS Filter Service;c:\windows\system32\DRIVERS\bdfndisf.sys [2009-02-03 104328]
S3 HSFHWSIS;HSFHWSIS;c:\windows\system32\DRIVERS\HSFHWSIS.sys [2004-12-15 200576]
--- Other Services/Drivers In Memory ---
*Deregistered* - NwSapAgent
*Deregistered* - PolicyAgent
*Deregistered* - ProtectedStorage
*Deregistered* - RasMan
*Deregistered* - RemoteRegistry
*Deregistered* - RpcSs
*Deregistered* - SamSs
*Deregistered* - Schedule
*Deregistered* - seclogon
*Deregistered* - SENS
*Deregistered* - SharedAccess
*Deregistered* - ShellHWDetection
*Deregistered* - Spooler
*Deregistered* - srservice
*Deregistered* - SSDPSRV
*Deregistered* - stisvc
*Deregistered* - TapiSrv
*Deregistered* - TermService
*Deregistered* - Themes
*Deregistered* - TrkWks
*Deregistered* - UMWdf
*Deregistered* - W32Time
*Deregistered* - WebClient
*Deregistered* - winmgmt
*Deregistered* - wscsvc
*Deregistered* - WZCSVC
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2dea36b8-d5bc-11dd-827d-00c09fbc42ad}]
\shell\autorun\command - G:\xih9.cmd
\shell\explore\command - G:\xih9.cmd
\shell\open\command - G:\xih9.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{38dbe118-19f3-11de-8316-00c09fbc42ad}]
\Shell\AutoRun\command - G:\em8tqm.cmd
\Shell\open\Command - G:\em8tqm.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3f0a1608-fb7c-11dd-82e1-00c09fbc42ad}]
\Shell\AutoRun\command - E:\xih9.cmd
\Shell\explore\Command - E:\xih9.cmd
\Shell\open\Command - E:\xih9.cmd
.
- - - - ORPHANS REMOVED - - - -
BHO-{003d7b25-e7e6-498f-a586-d0549a9c2a04} - c:\windows\system32\cyoavzhq.dll
BHO-{ecf7190e-0f51-4d07-9294-0f09eb97dbbc} - c:\windows\system32\bgywapx.dll
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.qa/
uInternet Connection Wizard,ShellNext = hxxp://www.google.com.qa/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: تحميل الكل بواسطة Internet Download Manager - d:\برامج\Internet Download Manager\IEGetAll.htm
IE: تحميل بواسطة Internet Download Manager - d:\برامج\Internet Download Manager\IEExt.htm
IE: تحميل محتوى FLV بواسطة Internet Download Manager - d:\برامج\Internet Download Manager\IEGetVL.htm
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-25 02:36
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"14867"="c:\\bgfooob.exe"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\9d4712d6]
"ImagePath"="\SystemRoot\System32\drivers\9d4712d6.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(736)
c:\windows\system32\absvyjyx.dll
- - - - - - - > 'explorer.exe'(496)
c:\windows\system32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
C:\lsass.exe
.
**************************************************************************
.
Completion time: 2009-04-24 2:39 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-24 23:39
Pre-Run: 36,712,640,512 bytes free
Post-Run: 36,660,199,424 bytes free
251