ComboFix 10-03-22.02 - AAFFAA 03/22/2010 11:58:21.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1256.966.1033.18.1014.701 [GMT -8:00]
Running from: c:\documents and settings\AAFFAA\Desktop\برنامج الفيروسات\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\AAFFAA\Start Menu\Programs\Startup\srvanc32.exe
c:\windows\Alcmtr.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ABP470N5
-------\Service_abp470n5


((((((((((((((((((((((((( Files Created from 2010-02-22 to 2010-03-22 )))))))))))))))))))))))))))))))
.

2010-03-15 05:04 . 2010-03-15 05:04 -------- d-----w- c:\windows\system32\LogFiles
2010-03-13 06:03 . 2010-03-13 06:22 2034632 ----a-w- c:\documents and settings\AAFFAA\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
2010-03-09 12:27 . 2010-03-09 12:27 -------- d-s---w- c:\documents and settings\AAFFAA\UserData
2010-03-09 12:18 . 2010-03-09 12:24 -------- d-----w- c:\documents and settings\AAFFAA\Local Settings\Application Data\Conduit
2010-03-09 12:18 . 2010-03-09 12:24 -------- d-----w- c:\documents and settings\AAFFAA\Local Settings\Application Data\4shared.com
2010-03-09 12:18 . 2010-03-09 12:20 -------- d-----w- c:\program files\4shared.com
2010-03-09 12:18 . 2010-03-09 12:18 -------- d-----w- c:\program files\Conduit
2010-03-09 12:18 . 2010-03-22 19:32 -------- d-----w- c:\documents and settings\AAFFAA\Application Data\4shared Desktop
2010-03-09 12:18 . 2010-03-09 12:18 -------- d-----w- c:\program files\4shared Desktop
2010-03-09 04:53 . 2010-03-09 04:53 513544 ----a-w- c:\documents and settings\AAFFAA\Application Data\Real\Update\setup3.10\setup.exe
2010-03-09 04:43 . 2010-03-09 04:43 106072 ----a-w- c:\documents and settings\AAFFAA\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-09 04:31 . 2010-03-09 04:31 5115823 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-03-09 04:28 . 2010-03-09 04:28 -------- d-----w- c:\documents and settings\AAFFAA\Application Data\Malwarebytes
2010-03-09 04:28 . 2010-01-08 00:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-09 04:28 . 2010-01-08 00:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-09 04:28 . 2010-03-09 04:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-09 04:28 . 2010-03-09 04:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-09 04:16 . 2010-03-09 04:16 -------- d-----w- c:\documents and settings\AAFFAA\Local Settings\Application Data\Google
2010-03-09 04:16 . 2010-03-09 04:16 -------- d-----w- c:\program files\Google
2010-03-09 04:06 . 2010-03-09 04:06 -------- d-----w- c:\documents and settings\AAFFAA\Local Settings\Application Data\Adobe
2010-03-09 04:05 . 2010-03-09 04:05 -------- d-----w- c:\program files\Common Files\Adobe
2010-03-09 03:59 . 2004-08-04 07:08 26496 -c--a-w- c:\windows\system32\dllcache\usbstor.sys
2010-03-09 03:58 . 2010-03-09 03:58 -------- d-----w- c:\documents and settings\AAFFAA\Application Data\vlc
2010-03-09 03:58 . 2010-03-09 03:58 -------- d-----w- c:\program files\VideoLAN
2010-03-09 03:57 . 2010-03-09 03:57 -------- d-----w- c:\program files\Common Files\xing shared
2010-03-09 03:57 . 2010-03-09 03:57 499712 ----a-w- c:\windows\system32\msvcp71.dll
2010-03-09 03:57 . 2010-03-09 03:57 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-03-09 03:56 . 2010-03-09 03:57 -------- d-----w- c:\program files\Common Files\Real
2010-03-09 03:56 . 2010-03-09 03:56 -------- d-----w- c:\program files\Real
2010-03-09 03:50 . 2008-07-06 10:27 676224 ----a-w- c:\windows\system32\ogacheckcontrol.dll
2010-03-09 03:40 . 2006-10-27 03:56 33104 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\msonpppr.dll
2010-03-09 03:40 . 2006-10-27 03:56 32592 ----a-w- c:\windows\system32\msonpmon.dll
2010-03-09 03:39 . 2010-03-09 03:39 -------- d-----w- c:\program files\Microsoft Works
2010-03-09 03:39 . 2010-03-09 03:39 -------- d-----w- c:\program files\MSBuild
2010-03-09 03:35 . 2010-03-09 03:38 -------- d-----w- c:\windows\SHELLNEW
2010-03-09 03:35 . 2010-03-09 03:35 -------- d-----w- c:\documents and settings\AAFFAA\Local Settings\Application Data\Microsoft Help
2010-03-09 03:35 . 2010-03-09 03:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-03-09 03:35 . 2010-03-09 03:35 -------- d-----r- C:\MSOCache
2010-03-09 03:19 . 2009-02-17 18:04 50752 ----a-r- c:\windows\agrsmdel.exe
2010-03-09 03:19 . 2009-02-17 18:04 13312 ----a-r- c:\windows\system32\agrscoin.dll
2010-03-09 03:19 . 2009-02-17 18:04 1161888 ----a-r- c:\windows\system32\drivers\AGRSM.sys
2010-03-09 03:18 . 2004-08-04 07:07 6400 -c--a-w- c:\windows\system32\dllcache\splitter.sys
2010-03-09 03:18 . 2004-08-04 07:07 6400 ----a-w- c:\windows\system32\drivers\splitter.sys
2010-03-09 03:18 . 2004-08-04 06:39 142464 -c--a-w- c:\windows\system32\dllcache\aec.sys
2010-03-09 03:18 . 2004-08-04 06:39 142464 ----a-w- c:\windows\system32\drivers\aec.sys
2010-03-09 03:17 . 2001-08-17 22:00 54272 -c--a-w- c:\windows\system32\dllcache\swmidi.sys
2010-03-09 03:17 . 2001-08-17 22:00 54272 ----a-w- c:\windows\system32\drivers\swmidi.sys
2010-03-09 03:17 . 2004-08-04 07:07 52864 -c--a-w- c:\windows\system32\dllcache\dmusic.sys
2010-03-09 03:17 . 2004-08-04 07:07 52864 ----a-w- c:\windows\system32\drivers\DMusic.sys
2010-03-09 03:16 . 2004-08-04 06:58 7552 -c--a-w- c:\windows\system32\dllcache\mskssrv.sys
2010-03-09 03:16 . 2004-08-04 06:58 7552 ----a-w- c:\windows\system32\drivers\MSKSSRV.sys
2010-03-09 03:16 . 2004-08-04 06:58 5376 -c--a-w- c:\windows\system32\dllcache\mspclock.sys
2010-03-09 03:16 . 2004-08-04 06:58 5376 ----a-w- c:\windows\system32\drivers\MSPCLOCK.sys
2010-03-09 03:16 . 2004-08-04 07:15 60800 -c--a-w- c:\windows\system32\dllcache\sysaudio.sys
2010-03-09 03:16 . 2004-08-04 07:15 60800 ----a-w- c:\windows\system32\drivers\sysaudio.sys
2010-03-09 03:16 . 2004-08-04 07:07 171776 -c--a-w- c:\windows\system32\dllcache\kmixer.sys
2010-03-09 03:16 . 2004-08-04 07:07 171776 ----a-w- c:\windows\system32\drivers\kmixer.sys
2010-03-09 03:15 . 2004-08-04 07:15 82944 -c--a-w- c:\windows\system32\dllcache\wdmaud.sys
2010-03-09 03:15 . 2004-08-04 07:15 82944 ----a-w- c:\windows\system32\drivers\wdmaud.sys
2010-03-09 03:15 . 2004-08-04 06:58 4992 -c--a-w- c:\windows\system32\dllcache\mspqm.sys
2010-03-09 03:15 . 2004-08-04 06:58 4992 ----a-w- c:\windows\system32\drivers\MSPQM.sys
2010-03-09 03:14 . 2004-08-04 07:07 2944 -c--a-w- c:\windows\system32\dllcache\drmkaud.sys
2010-03-09 03:14 . 2004-08-04 07:07 2944 ----a-w- c:\windows\system32\drivers\drmkaud.sys
2010-03-09 03:14 . 2004-08-04 08:56 4096 -c--a-w- c:\windows\system32\dllcache\ksuser.dll
2010-03-09 03:14 . 2004-08-04 08:56 4096 ----a-w- c:\windows\system32\ksuser.dll
2010-03-09 03:14 . 2004-08-04 07:08 60288 -c--a-w- c:\windows\system32\dllcache\drmk.sys
2010-03-09 03:14 . 2004-08-04 07:08 60288 ----a-w- c:\windows\system32\drivers\drmk.sys
2010-03-09 03:12 . 2009-02-17 18:05 2808832 ------r- c:\windows\alcwzrd.exe
2010-03-09 03:12 . 2010-03-09 03:12 -------- d-----w- c:\windows\system32\RTCOM
2010-03-09 03:12 . 2009-02-17 18:05 1904640 ------r- c:\windows\SkyTel.exe
2010-03-09 03:12 . 2009-02-17 18:05 159744 ------r- c:\windows\SoundMan.exe
2010-03-09 03:12 . 2009-02-17 18:05 9715200 ------r- c:\windows\RTLCPL.exe
2010-03-09 03:12 . 2009-02-17 18:05 1191936 ------r- c:\windows\RtlUpd.exe
2010-03-09 03:12 . 2009-02-17 18:05 4608000 ------r- c:\windows\system32\drivers\RtkHDAud.sys
2010-03-09 03:12 . 2009-02-17 18:05 16384512 ------r- c:\windows\RTHDCPL.exe
2010-03-09 03:12 . 2009-02-17 18:05 2165760 ------r- c:\windows\MicCal.exe
2010-03-09 03:12 . 2009-02-17 18:04 49152 ------r- c:\windows\system32\ChCfg.exe
2010-03-09 03:11 . 2004-11-18 18:42 22752 ----a-w- c:\windows\system32\spupdsvc.exe
2010-03-09 03:11 . 2010-03-09 03:11 -------- d-----w- c:\program files\Realtek
2010-03-09 03:11 . 2010-03-09 03:11 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-09 03:11 . 2010-03-09 03:11 315392 ----a-w- c:\windows\HideWin.exe
2010-03-09 03:11 . 2009-02-17 18:04 520192 ------r- c:\windows\RtlExUpd.dll
2010-03-09 03:11 . 2010-03-09 03:11 -------- d-----w- c:\program files\Common Files\InstallShield

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.

2010-03-09 10:01 . 2010-03-09 10:01 16 ----a-w- c:\documents and settings\NetworkService\Application Data\kwgxms.dat
2010-03-09 02:24 . 2010-03-09 02:02 166455 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-03-09 02:03 . 2010-03-09 02:03 -------- d-----w- c:\program files\microsoft frontpage
2010-03-09 02:00 . 2010-03-09 02:00 21640 ----a-w- c:\windows\system32\emptyregdb.dat
.

------- Sigcheck -------

[-] 2007-11-11 . 0A874046BB7B547864811CFF0DD19724 . 1580544 . . [5.1.2600.2180] . . c:\windows\system32\sfcfiles.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{09ec805c-cb2e-4d53-b0d3-a75a428b81c7}"= "c:\program files\4shared.com\tb4sh1.dll" [2010-03-09 2349080]

[HKEY_CLASSES_ROOT\clsid\{09ec805c-cb2e-4d53-b0d3-a75a428b81c7}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{09ec805c-cb2e-4d53-b0d3-a75a428b81c7}]
2010-03-09 12:21 2349080 ----a-w- c:\program files\4shared.com\tb4sh1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{09ec805c-cb2e-4d53-b0d3-a75a428b81c7}"= "c:\program files\4shared.com\tb4sh1.dll" [2010-03-09 2349080]

[HKEY_CLASSES_ROOT\clsid\{09ec805c-cb2e-4d53-b0d3-a75a428b81c7}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{09EC805C-CB2E-4D53-B0D3-A75A428B81C7}"= "c:\program files\4shared.com\tb4sh1.dll" [2010-03-09 2349080]

[HKEY_CLASSES_ROOT\clsid\{09ec805c-cb2e-4d53-b0d3-a75a428b81c7}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-03-09 39408]
"4shared Desktop"="c:\program files\4shared Desktop\desktop.exe" [2009-12-07 3632640]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-03 59392]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-02-17 142104]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-02-17 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-02-17 138008]
"RTHDCPL"="RTHDCPL.EXE" [2009-02-17 16384512]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 112936]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-03-09 185896]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 117872]
"4shared Update"="c:\program files\4shared Desktop\checkUpdate.exe" [2009-09-29 1337344]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2010-3-8 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"d:\\برامج\\ريل بلير\\RealPlayer 11.0.2 Incl Patch\\RealPlayer11GOLD.exe"=
"c:\\WINDOWS\\system32\\igfxtray.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\WINWORD.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GrooveMonitor.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\Adobe\\Reader 8.0\\Reader\\Reader_sl.exe"=
"c:\\Documents and Settings\\AAFFAA\\Application Data\\Real\\Update\\setup3.10\\setup.exe"=
"c:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe"=
"c:\\WINDOWS\\system32\\netsh.exe"=
"c:\\WINDOWS\\system32\\hkcmd.exe"=
"c:\\WINDOWS\\RTHDCPL.EXE"=
"c:\\Program Files\\Real\\RealPlayer\\RealPlay.exe"=
"c:\\WINDOWS\\system32\\wscntfy.exe"=

S0 hwxdfw;hwxdfw; [x]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ABP470N5
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2233703
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Download all 4shared files - c:\program files\4shared Desktop\down_all.htm
IE: &Download using 4shared Desktop - c:\program files\4shared Desktop\down_link.htm
IE: ت&صدير إلى Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-22 12:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\igfxsrvc.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\wscntfy.exe
c:\program files\Internet Explorer\IEXPLORE.EXE
c:\windows\system32\mspaint.exe
.
**************************************************************************
.
Completion time: 2010-03-22 12:03:54 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-22 20:03

Pre-Run: 64,016,957,440 bytes free
Post-Run: 65,186,025,472 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - C6A848B2997A0E8B9C661A71C90D69E4
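The entries a responder pulls out of the Reg Loading Points block first are the policy keys that lock the user out of Task Manager and regedit (DisableTaskMgr, DisableRegistryTools), the Security Center values that silence antivirus/firewall/update warnings (AntiVirusOverride, FirewallOverride, the *DisableNotify values), the firewall policy with EnableFirewall set to 0, and the driver entry "S0 hwxdfw;hwxdfw; [x]", where [x] is the marker ComboFix prints when it cannot find the service's image file. The Python below is an added triage script written for this page; it is not part of ComboFix and not something the poster ran. It parses ComboFix's REGEDIT4-style dump and flags those indicators. The sample input is an excerpt copied from the log above; the rule table and the severity labels are this editor's assumptions, not a ComboFix convention.

```python
"""Flag security-relevant policy, Security Center and orphaned-driver entries in a ComboFix log."""
import re
from dataclasses import dataclass

# Excerpt copied from the ComboFix log above (not constructed); any log in the
# same REGEDIT4-style layout can be passed to triage_combofix() instead.
SAMPLE = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

S0 hwxdfw;hwxdfw; [x]
"""


@dataclass
class Finding:
    location: str   # registry key the value sits under, or the raw driver line
    name: str
    value: object
    severity: str
    reason: str


# value name (lower-cased) -> (value that is bad, severity, why it matters).
# Severities are this example's own labels, assumed for triage ordering.
POLICY_RULES = {
    "disabletaskmgr":         (1, "high",   "Task Manager blocked by policy; hides the malware process"),
    "disableregistrytools":   (1, "high",   "regedit blocked by policy; blocks manual cleanup"),
    "enablefirewall":         (0, "high",   "Windows Firewall disabled for the active profile"),
    "antivirusoverride":      (1, "medium", "Security Center told to stop monitoring antivirus state"),
    "firewalloverride":       (1, "medium", "Security Center told to stop monitoring firewall state"),
    "antivirusdisablenotify": (1, "medium", "antivirus warnings suppressed"),
    "firewalldisablenotify":  (1, "medium", "firewall warnings suppressed"),
    "updatesdisablenotify":   (1, "medium", "Windows Update warnings suppressed"),
    "uacdisablenotify":       (1, "medium", "UAC warnings suppressed"),
    # EnableLUA only exists on Vista and later; on XP (this log) it is inert.
    "enablelua":              (0, "info",   "UAC off (no effect on XP, relevant on Vista+)"),
}

KEY_RE = re.compile(r"^\[(.+)\]$")
# "Name"= 1 (0x1)   or   "Name"=dword:00000001   (ComboFix prints both forms)
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(?:dword:([0-9a-fA-F]{8})|(\d+)\s*\(0x[0-9a-fA-F]+\))\s*$')
# S0 hwxdfw;hwxdfw; [x]  -> start type, service name, display name, image path, "[x]" = file not found
DRIVER_RE = re.compile(r"^([SR]\d)\s+([^;]+);([^;]*);\s*(.*?)\s*\[x\]\s*$")


def parse_value(dword_hex, decimal):
    """Normalise either value syntax to an int."""
    return int(dword_hex, 16) if dword_hex is not None else int(decimal)


def triage_combofix(text):
    """Walk the dump, remembering the current [key], and return the matched Findings."""
    findings = []
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = DRIVER_RE.match(line)
        if m:
            start, svc, _display, path = m.groups()
            findings.append(Finding(line, svc, path or "<no image path>", "high",
                                    f"{start} service/driver whose image file is missing ([x]); orphaned loader"))
            continue
        m = VALUE_RE.match(line)
        if m and current_key:
            name = m.group(1)
            value = parse_value(m.group(2), m.group(3))
            rule = POLICY_RULES.get(name.lower())
            if rule and value == rule[0]:
                findings.append(Finding(current_key, name, value, rule[1], rule[2]))
    return findings


def severity_counts(findings):
    """Tally findings per severity so a long log can be summarised at a glance."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage_combofix(SAMPLE)
    for f in results:
        print(f"[{f.severity:6}] {f.name}={f.value} @ {f.location}\n         {f.reason}")
    print(severity_counts(results))
```

Run against the excerpt above it reports four high findings (both policy locks, the disabled firewall profile and the hwxdfw driver with no file on disk), eight Security Center overrides, and EnableLUA as informational only, because Windows XP SP2 has no UAC and the key does nothing there. The Run-key lines and the firewall AuthorizedApplications list are deliberately ignored by VALUE_RE, since their data is a quoted path rather than a numeric policy value; a reviewer still reads those by hand, which is how the srvanc32.exe Startup entry in the Other Deletions section would have been spotted.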