Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:35:20 AM, on 4/8/2011

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\VIAudioi\SBADeck\ADeck.exe

C:\Program Files\uTorrent\uTorrent.exe

C:\Program Files\Internet Download Manager\IDMan.exe

C:\WINDOWS\system32\crypserv.exe

C:\Program Files\Internet Download Manager\IEMonitor.exe

C:\DOCUME~1\XPPRESP3\LOCALS~1\Temp\winlxwtb.exe

C:\DOCUME~1\XPPRESP3\LOCALS~1\Temp\winxpjybb.exe

C:\DOCUME~1\XPPRESP3\LOCALS~1\Temp\windspx.exe

C:\DOCUME~1\XPPRESP3\LOCALS~1\Temp\wb2e1f.exe

C:\DOCUME~1\XPPRESP3\LOCALS~1\Temp\hqgy.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gomlab.com/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Favorites

O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll

O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Real\RealPlayer\update\realsched.exe" -osboot

O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"

O4 - HKCU\..\Run: [iDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-20\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user')

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Download All by FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm

O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm

O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm

O8 - Extra context menu item: Download using FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm

O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL

O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe

O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe

O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe

O14 - IERESET.INF: START_PAGE_URL=http://www.google.com

O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe

 

--

End of file - 5499 bytes


And upon you be peace, and God's mercy and blessings.

Welcome, dear Habouba.

Don't worry about it, my dear, you are always most welcome.

Run the program again and do a scan.

Once the report appears inside the program itself (not the text file), do the following.

Put a check mark next to these entries, and please be careful, God bless you, so that we don't break anything:

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gomlab.com/

 

O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll

 

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

 

O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')

 

O4 - HKUS\S-1-5-20\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'NETWORK SERVICE')

 

O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')

 

O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user')

 

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

 

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

 

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll

 

O14 - IERESET.INF: START_PAGE_URL=http://www.google.com

After checking them, choose Fix and follow along as shown in the screenshots.

post-25272-1268757216_thumb.png

Then

post-25272-1268757236.png

Please download this program:

http://67.222.53.25/noor/MWB.exe

Double-click the program's icon.

post-25272-1262113042.gif

The program's interface will open.

First of all, run an Update.

Once the update finishes, we start a Scan.

Click as shown in the screenshot to start the scan.

post-25272-1262113110_thumb.png

Select the drives to scan.

post-25272-1262113168.gif

The scan is in progress.

post-25272-1262113515_thumb.png

The program starts detecting infections.

post-25272-1262114219_thumb.png

The scan is finished.

post-25272-1262114253.gif

Click where indicated to see the results.

post-25272-1262113599_thumb.png

These are the malicious files it found.

post-25272-1262113638_thumb.png

Delete them. A text file will then appear; please paste it into your next reply.

post-25272-1262113695_thumb.png

It asks us to restart the computer.

post-25272-1262113724_thumb.png

After that I need a new HijackThis report + the malware report.

I'll be waiting for you, God willing.


My dear, I did as you said for HijackThis,

but the link for the second program doesn't work.

Anyway, here is the new report:

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:56:41 AM, on 4/9/2011

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\VIAudioi\SBADeck\ADeck.exe

C:\Program Files\uTorrent\uTorrent.exe

C:\Program Files\Internet Download Manager\IDMan.exe

C:\WINDOWS\system32\crypserv.exe

C:\Program Files\Internet Download Manager\IEMonitor.exe

C:\DOCUME~1\XPPRESP3\LOCALS~1\Temp\ispjty.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\DOCUME~1\XPPRESP3\LOCALS~1\Temp\we5995.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Mozilla Firefox\plugin-container.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Favorites

O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll

O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Real\RealPlayer\update\realsched.exe" -osboot

O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"

O4 - HKCU\..\Run: [iDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\RunOnce: [nlhr] RunDll32.exe %SystemRoot%\System32\AdvPack.Dll,LaunchINFSection %SystemRoot%\inf\nlite.inf,C (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-20\..\RunOnce: [nlhr] RunDll32.exe %SystemRoot%\System32\AdvPack.Dll,LaunchINFSection %SystemRoot%\inf\nlite.inf,C (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [nlhr] RunDll32.exe %SystemRoot%\System32\AdvPack.Dll,LaunchINFSection %SystemRoot%\inf\nlite.inf,C (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [nlhr] RunDll32.exe %SystemRoot%\System32\AdvPack.Dll,LaunchINFSection %SystemRoot%\inf\nlite.inf,C (User 'Default user')

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Download All by FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm

O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm

O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm

O8 - Extra context menu item: Download using FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm

O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL

O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe

O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe

O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe

O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe

 

--

End of file - 4742 bytes


And upon you be peace, and God's mercy and blessings.

Welcome, dear Habouba.

And may you be rewarded likewise, my dear.

We want to fix these entries the same way as before:

O4 - HKUS\S-1-5-19\..\RunOnce: [nlhr] RunDll32.exe %SystemRoot%\System32\AdvPack.Dll,LaunchINFSection %SystemRoot%\inf\nlite.inf,C (User 'LOCAL SERVICE')

 

O4 - HKUS\S-1-5-20\..\RunOnce: [nlhr] RunDll32.exe %SystemRoot%\System32\AdvPack.Dll,LaunchINFSection %SystemRoot%\inf\nlite.inf,C (User 'NETWORK SERVICE')

 

O4 - HKUS\S-1-5-18\..\RunOnce: [nlhr] RunDll32.exe %SystemRoot%\System32\AdvPack.Dll,LaunchINFSection %SystemRoot%\inf\nlite.inf,C (User 'SYSTEM')

 

O4 - HKUS\.DEFAULT\..\RunOnce: [nlhr] RunDll32.exe %SystemRoot%\System32\AdvPack.Dll,LaunchINFSection %SystemRoot%\inf\nlite.inf,C (User 'Default user')

 

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

Unfortunately I think the virus is still there, so we will deal with it step by step.

First of all, is Task Manager working on your machine?

post-25272-1297460749.gif

Does a window titled Task Manager appear for you?

As for the malware program, here you go:

https://akhawat.islamway.net/forum/index.php?showtopic=235233

After that I need a new HijackThis report + the malware report.

I'll be waiting for you, God willing.


Peace be upon you, and God's mercy and blessings,

This is the malware report:

 

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

 

Database version: 6344

 

Windows 5.1.2600 Service Pack 2

Internet Explorer 6.0.2900.2180

 

4/12/2011 9:28:49 PM

mbam-log-2011-04-12 (21-28-49).txt

 

Scan type: Full scan (C:\|D:\|E:\|F:\|)

Objects scanned: 169115

Time elapsed: 15 minute(s), 40 second(s)

 

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 2

Registry Values Infected: 2

Registry Data Items Infected: 5

Folders Infected: 0

Files Infected: 43

 

Memory Processes Infected:

(No malicious items detected)

 

Memory Modules Infected:

c:\WINDOWS\system32\wmdrtc32.dll (Virus.Sality) -> Delete on reboot.

 

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AMSINT32 (Virus.Sality) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\amsint32 (Virus.Sality) -> Quarantined and deleted successfully.

 

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceClassicControlPanel (Hijack.ControlPanelStyle) -> Value: ForceClassicControlPanel -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceClassicControlPanel (Hijack.ControlPanelStyle) -> Value: ForceClassicControlPanel -> Quarantined and deleted successfully.

 

Registry Data Items Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMHelp (PUM.Hijack.Help) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

 

Folders Infected:

(No malicious items detected)

 

Files Infected:

c:\WINDOWS\system32\wmdrtc32.dll (Virus.Sality) -> Delete on reboot.

c:\Documents and Settings\XPPRESP3\Local Settings\Temp\cufkmg.exe (Trojan.Agent) -> Delete on reboot.

c:\Documents and Settings\XPPRESP3\Local Settings\Temp\windqrkdv.exe (Trojan.Downloader) -> Delete on reboot.

c:\vfyog.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.

c:\documents and settings\XPPRESP3\local settings\application data\thinstall\Cache\Stubs\d11e5148d7ff0f6b23298234fbe701e253886c\svchost.exe (Trojan.Backdoor) -> Quarantined and deleted successfully.

c:\WINDOWS\system32\cmdow.exe (PUP.Tool) -> Not selected for removal.

d:\ojbebj.pif (Malware.Packer.Gen) -> Quarantined and deleted successfully.

d:\qmjco.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.

d:\bgcl.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.

d:\bcgw.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.

d:\berb.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.

d:\txwra.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.

d:\sxta.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.

d:\g\games\jojo's fashion show 2 - las cruces\uninstall.exe (Malware.Packer.Krunchy) -> Quarantined and deleted successfully.

d:\برامج\Docs\all genuine\se7en crack\removewat\removewat.exe (HackTool.Wpakill) -> Quarantined and deleted successfully.

d:\برامج\برامج\اخفاء و اظهار الملفات بكلمة سر\باسوورد\encrypted_magic_folder_v-98.10a .exe (Spyware.AdaEbook) -> Quarantined and deleted successfully.

e:\rrip.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.

e:\oqsv.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.

e:\kqqs.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.

e:\ppevs.pif (Malware.Packer.Gen) -> Quarantined and deleted successfully.

e:\duhnvq.pif (Malware.Packer.Gen) -> Quarantined and deleted successfully.

e:\huts.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.

e:\afxf.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.

e:\pwes.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.

e:\tiog.pif (Malware.Packer.Gen) -> Quarantined and deleted successfully.

e:\xtpqu.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.

e:\ghrvnj.pif (Malware.Packer.Gen) -> Quarantined and deleted successfully.

e:\xakf.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.

e:\ISLEMEC\مكتبة\lnp-quraan.exe (Spyware.AdaEbook) -> Quarantined and deleted successfully.

f:\uxdx.pif (Malware.Packer.Gen) -> Quarantined and deleted successfully.

f:\fney.pif (Malware.Packer.Gen) -> Quarantined and deleted successfully.

f:\ywqw.pif (Malware.Packer.Gen) -> Quarantined and deleted successfully.

f:\bdofue.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.

f:\wevsdq.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.

f:\ieued.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.

f:\isknu.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.

f:\tbpl.pif (Malware.Packer.Gen) -> Quarantined and deleted successfully.

f:\mqqh.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.

f:\fcscey.pif (Malware.Packer.Gen) -> Quarantined and deleted successfully.

f:\xtshdw.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.

f:\smdxb.pif (Malware.Packer.Gen) -> Quarantined and deleted successfully.

f:\rbpc.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.

c:\WINDOWS\system32\wmdrtc32.dl_ (Virus.Sality) -> Quarantined and deleted successfully.


And this is the HijackThis report after I did everything:

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:32:01 PM, on 4/12/2011

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\VIAudioi\SBADeck\ADeck.exe

C:\Program Files\Internet Download Manager\IDMan.exe

C:\WINDOWS\system32\crypserv.exe

C:\Program Files\Internet Download Manager\IEMonitor.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Favorites

O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG10\avgssie.dll (file missing)

O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1

O4 - HKLM\..\Run: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot

O4 - HKLM\..\Run: [AdobeAAMUpdater-1.0] "C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"

O4 - HKLM\..\Run: [switchBoard] C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe

O4 - HKLM\..\Run: [AdobeCS5ServiceManager] "C:\Program Files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" -launchedbylogin

O4 - HKCU\..\Run: [iDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Download All by FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm

O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm

O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm

O8 - Extra context menu item: Download using FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm

O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL

O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe

O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG10\avgpp.dll (file missing)

O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe

O23 - Service: SwitchBoard - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe

 

--

End of file - 4725 bytes


And upon you be peace, and God's mercy and blessings.

Welcome, dear Habouba.

Run the program again and do a scan.

Once the report appears inside the program itself (not the text file), do the following.

Put a check mark next to these entries, and please be careful, God bless you, so that we don't break anything:

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG10\avgssie.dll (file missing)

 

O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

 

O4 - HKLM\..\Run: [AdobeAAMUpdater-1.0] "C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"

 

O4 - HKLM\..\Run: [switchBoard] C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe

 

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

 

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG10\avgpp.dll (file missing)

After checking them, choose Fix and follow along as shown in the screenshots.

post-25272-1268757216_thumb.png

Then

post-25272-1268757236.png

We need to carry out the step of disabling System Restore.

post-25272-1279906158.jpg

post-25272-1279906177.jpg

Download this tool:

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Put the tool on the desktop.

post-25272-1279906370.png

Before using the tool, it is strongly recommended to close all programs, disable security software, and let the tool complete its scan however long it takes.

Run it with a double-click; once it starts, follow the walkthrough.

post-25272-1279906613.png

Then wait until this message appears and follow the walkthrough.

post-25272-1279906647.png

post-25272-1279906680.png

These are some of the scan stages. Make sure not to touch the computer or interrupt the scan.

post-25272-1279906701_thumb.png

post-25272-1279906722_thumb.png

At the next stage the computer may restart if there is a serious infection,

and after the restart the scan continues automatically.

post-25272-1279906742_thumb.png

At the next stage the scan finishes and the scan report is created on drive C, as shown.

post-25272-1279906771_thumb.png

After that, please upload a copy of this tool's report for me,

and a new HijackThis report.

I'll be waiting for you, God willing.

Oh no!

Is the problem really that big?

The step of turning off System Restore is already enabled on my machine.

Unfortunately, my dear, it is a big issue.

All right, continue with the steps.

Download the tool and run it.

I'll be waiting for you, God willing.


This is the program's report after it finished.

By the way, it restarted twice.

 

ComboFix 11-04-12.01 - XPPRESP3 04/12/2011 23:39:50.1.1 - x86

Microsoft Windows XP Professional 5.1.2600.2.1256.966.1033.18.503.342 [GMT 2:00]

Running from: c:\documents and settings\XPPRESP3\Desktop\ComboFix.exe

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

C:\autorun.inf

c:\windows\system32\1.txt

c:\windows\system32\Drivers\mklhmn.sys

c:\windows\system32\msconfig.exe

c:\windows\system32\wmdrtc32.dl_

c:\windows\system32\wmdrtc32.dll

D:\Autorun.inf

D:\khq

E:\autorun.inf

E:\khq

F:\autorun.inf

F:\khq

.

c:\windows\regedit.exe . . . is infected!!

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Legacy_ABP470N5

-------\Legacy_NDISFILESERVICES32

-------\Service_abp470n5

-------\Service_amsint32

-------\Service_NdisFileServices32

.

.

((((((((((((((((((((((((( Files Created from 2011-03-12 to 2011-04-12 )))))))))))))))))))))))))))))))

.

.

2011-04-12 19:31 . 2011-04-12 19:31 103140 ----a-w- C:\vfyog.exe

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-04-12 21:46 . 2011-04-12 21:46 103140 --sh--r- C:\rxassy.pif

2011-04-11 13:34 . 2003-03-19 06:14 499712 ----a-w- c:\windows\system32\msvcp71.dll

2011-04-11 13:34 . 2003-02-21 01:42 348160 ----a-w- c:\windows\system32\msvcr71.dll

2011-03-18 17:57 . 2011-04-06 17:09 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

------- Sigcheck -------

.

.

[-] 2005-12-19 . 784DDC1F40C4F729284D5A73930F0C9D . 1580544 . . [5.1.2600.2180] . . c:\windows\system32\sfcfiles.dll

.

[-] 2004-08-04 . BC588C6C10B15A8EA672028D2E04CB2D . 97280 . . [5.1.2600.2180] . . c:\windows\system32\ctfmon.exe

.

.

.

.

c:\windows\System32\wscntfy.exe ... is missing !!

c:\windows\System32\regsvc.dll ... is missing !!

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IDM Shell Extension]

@="{CDC95B92-E27C-4745-A8C5-64A52A78855D}"

[HKEY_CLASSES_ROOT\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}]

2011-03-02 15:23 68216 ----a-w- c:\program files\Internet Download Manager\IDMShellExt.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [2009-11-15 4367792]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"AudioDeck"="c:\program files\VIAudioi\SBADeck\ADeck.exe" [2005-03-04 540672]

"AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 476624]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 97280]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]

.

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"ForceClassicControlPanel"= 1 (0x1)

"NoSMHelp"= 1 (0x1)

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]

"AntiVirusOverride"=dword:00000001

"AntiVirusDisableNotify"=dword:00000001

"FirewallDisableNotify"=dword:00000001

"FirewallOverride"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

"UacDisableNotify"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableNotifications"= 1 (0x1)

"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"d:\\qmjco.exe"=

"d:\\تعريف\\Viga\\BrookdaleG\\WIN2K_XP\\Graphics\\Setup.exe"=

"d:\\برامج\\جوممممممم بلاير\\GOMPLAYERENSETUP.EXE"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\Internet Download Manager\\IDMan.exe"=

"c:\\Program Files\\Adobe Photoshop CS4 ME\\Start.exe"=

"d:\\برامج\\Docs\\Firefox Setup 4.0.exe"=

"c:\\WINDOWS\\System32\\logon.scr"=

"c:\\Program Files\\Internet Download Manager\\IEMonitor.exe"=

"c:\\Program Files\\Real\\RealUpgrade\\realupgrade.exe"=

"c:\\Program Files\\Common Files\\Microsoft Shared\\Source Engine\\OSE.EXE"=

"d:\\برامج\\HJTInstall.exe"=

"c:\\WINDOWS\\system32\\msiexec.exe"=

"c:\\Program Files\\Common Files\\Adobe\\OOBE\\PDApp\\UWA\\UpdaterStartupUtility.exe"=

"c:\\Program Files\\Common Files\\Adobe\\CS5ServiceManager\\CS5ServiceManager.exe"=

"c:\\WINDOWS\\PEV.exe"=

"d:\\E????\\Viga\\BrookdaleG\\WIN2K_XP\\Graphics\\Setup.exe"=

"d:\\E?C??\\Docs\\Firefox Setup 4.0.exe"=

.

R1 IDMTDI;IDMTDI;c:\windows\system32\drivers\idmtdi.sys [4/5/2011 8:01 PM 98160]

S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [4/12/2011 9:00 PM 38224]

S3 SwitchBoard;SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 1:37 PM 541696]

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - ABP470N5

*NewlyCreated* - NDISFILESERVICES32

.

NETSVCS REQUIRES REPAIRS - current entries shown

6to4

AppMgmt

AudioSrv

Browser

CryptSvc

DMServer

DHCP

ERSvc

EventSystem

FastUserSwitchingCompatibility

HidServ

Ias

Iprip

Irmon

LanmanServer

LanmanWorkstation

Netman

Nla

NWCWorkstation

Nwsapagent

Rasauto

Rasman

Remoteaccess

Schedule

Seclogon

SENS

Sharedaccess

SRService

Tapisrv

Themes

TrkWks

WZCSVC

Wmi

WmdmPmSp

winmgmt

xmlprov

BITS

wuauserv

ShellHWDetection

WmdmPmSN

.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

.

.

Contents of the 'Scheduled Tasks' folder

.

2011-04-12 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-602162358-1547161642-682003330-1001.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 12:25]

.

2011-04-12 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-602162358-1547161642-682003330-1001.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 12:25]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uSearchURL,(Default) = hxxp://www.google.com/keyword/%s

IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html

IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html

IE: Download All by FlashGet - c:\progra~1\FlashGet\jc_all.htm

IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm

IE: Download FLV video content with IDM - c:\program files\Internet Download Manager\IEGetVL.htm

IE: Download using FlashGet - c:\progra~1\FlashGet\jc_link.htm

IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000

IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html

IE: Translate into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html

FF - ProfilePath - c:\documents and settings\XPPRESP3\Application Data\Mozilla\Firefox\Profiles\o2mzg0er.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.eg/

.

- - - - ORPHANS REMOVED - - - -

.

HKLM-Run-TkBellExe - c:\program files\real\realplayer\update\realsched.exe

AddRemove-RealPlayer 12.0 - c:\program files\real\realplayer\Update\r1puninst.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-04-12 23:45

Windows 5.1.2600 Service Pack 2 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\amsint32]

"ImagePath"="\??\c:\windows\system32\drivers\jjltl.sys"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'explorer.exe'(796)

c:\program files\Internet Download Manager\IDMShellExt.dll

c:\progra~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL

c:\progra~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL

c:\windows\system32\MSCTF.dll

c:\windows\system32\wmdrtc32.dll

c:\windows\system32\msls31.dll

c:\windows\system32\shdoclc.dll

c:\windows\system32\msimtf.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\crypserv.exe

c:\program files\Internet Download Manager\IEMonitor.exe

.

**************************************************************************

.

Completion time: 2011-04-12 23:48:16 - machine was rebooted

ComboFix-quarantined-files.txt 2011-04-12 21:48

.

Pre-Run: 511,504,384 bytes free

Post-Run: 389,160,960 bytes free

.

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

.

- - End Of File - - D14D0501C506CA8BDA352D9E5244C4A7


And here is the HijackThis report

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:51:49 PM, on 4/12/2011

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\crypserv.exe

C:\Program Files\VIAudioi\SBADeck\ADeck.exe

C:\Program Files\Internet Download Manager\IDMan.exe

C:\Program Files\Internet Download Manager\IEMonitor.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Mozilla Firefox\plugin-container.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Favorites

O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll

O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1

O4 - HKLM\..\Run: [AdobeCS5ServiceManager] "C:\Program Files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" -launchedbylogin

O4 - HKCU\..\Run: [iDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Download All by FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm

O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm

O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm

O8 - Extra context menu item: Download using FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm

O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL

O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe

O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe

O23 - Service: CiSvc - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)

O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe

O23 - Service: SwitchBoard - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe

 

--

End of file - 4182 bytes

Oh my

Is the problem really that big?

The step about turning off System Restore is already enabled on my machine

Unfortunately, dear, the issue is a big one

OK, continue with the steps

Download the tool and run it

I'll be waiting for you, God willing

You've worried me????????????? :sad: :sad: :unsure:


Don't worry, dear, God willing it will be fine

The virus is a bit annoying, but God willing we will get rid of it

How is the Task Manager doing, is it still not enabled?

Please download this tool

https://akhawat.islamway.net/forum/index.ph...t&id=221021

Unzip the file, then double-click it

The black DOS window will appear; let it run until it finishes

After that, please download this tool

https://akhawat.islamway.net/forum/index.ph...t&id=221027

Unzip it, then double-click; these screens will appear

post-25272-1293553134_thumb.png

post-25272-1293553165.png

post-25272-1293553179.png

I'll be waiting for you, God willing, with a new HijackThis report

I have to go now

: )


Peace be upon you, and the mercy and blessings of God,

May God reward you, my dear, and bless your efforts

The HijackThis report after the last step you added

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:38:46 AM, on 4/13/2011

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\crypserv.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\VIAudioi\SBADeck\ADeck.exe

C:\Program Files\Internet Download Manager\IDMan.exe

C:\Program Files\Internet Download Manager\IEMonitor.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Mozilla Firefox\plugin-container.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Favorites

O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll

O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1

O4 - HKCU\..\Run: [iDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Download All by FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm

O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm

O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm

O8 - Extra context menu item: Download using FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm

O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL

O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe

O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe

O23 - Service: CiSvc - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)

O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe

 

--

End of file - 3953 bytes


Peace be upon you, and the mercy and blessings of God,

Dear Zumurruda, a yellow sign resembling (!) appears next to the clock at the bottom of the screen, for a Windows update

Should I click it to update?


And upon you be peace, and the mercy and blessings of God

Welcome, my dear

Run the program again and do a scan

Then download this tool, unzip it and double-click it (you must plug in any flash drive you have during the scan)

https://akhawat.islamway.net/forum/index.ph...t&id=221218

The black DOS window will open; leave it until it finishes

After that, download this tool

https://akhawat.islamway.net/forum/index.ph...t&id=221221

Unzip this one too and run it with a double-click

Leave it until it finishes; at the end this window will appear

post-25272-1293707452_thumb.png

Then

post-25272-1293708096_thumb.png

Then I'll wait for the report, but don't paste it into the page, God bless you; I want it in a text file, uploaded as an attachment

And try the Task Manager after this step is finished

There is no need to update Windows now, only after the virus is eliminated, because it will hold us up and in the end it won't update

Don't forget to put in any flash drives, that is, connect them to the computer, during the scan

I'll be waiting for you, God willing

Run the program again and do a scan

Which program?

Don't forget to put in any flash drives, that is, connect them to the computer, during the scan

I don't understand this one


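Sorry for not being clear, dear

If you have any flash drive, whether a memory card or a flash drive for moving files from one computer to another

then please plug it into the computer and run a scan with the Malware program

When it finishes I want the report, then continue with the remaining steps

I'll be waiting for you, God willing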


Peace be upon you, and the mercy and blessings of God,

I did the scan; should I press remove selected?

And in the list there is one without a check mark next to it, named pup tool, in c\windose32

Waiting for your reply


And upon you be peace, and the mercy and blessings of God

Yes, dear, check them all and do remove

And please upload the Malware report for me

I'll be waiting for you, God willing


The Malware report

 

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

 

Database version: 6344

 

Windows 5.1.2600 Service Pack 2

Internet Explorer 6.0.2900.2180

 

4/13/2011 3:27:29 PM

mbam-log-2011-04-13 (15-27-28).txt

 

Scan type: Full scan (A:\|C:\|D:\|E:\|F:\|G:\|H:\|)

Objects scanned: 168643

Time elapsed: 41 minute(s), 3 second(s)

 

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 5

Folders Infected: 0

Files Infected: 25

 

Memory Processes Infected:

(No malicious items detected)

 

Memory Modules Infected:

c:\WINDOWS\system32\wmdrtc32.dll (Virus.Sality) -> Delete on reboot.

 

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\amsint32 (Virus.Sality) -> Quarantined and deleted successfully.

 

Registry Values Infected:

(No malicious items detected)

 

Registry Data Items Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (PUM.Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

 

Folders Infected:

(No malicious items detected)

 

Files Infected:

c:\WINDOWS\system32\wmdrtc32.dll (Virus.Sality) -> Delete on reboot.

c:\Documents and Settings\XPPRESP3\Local Settings\temp\fyygvb.exe (Trojan.Downloader) -> Delete on reboot.

c:\Documents and Settings\XPPRESP3\Local Settings\temp\itet.exe (Trojan.Agent) -> Delete on reboot.

c:\rxassy.pif (Malware.Packer.Gen) -> Quarantined and deleted successfully.

c:\vfyog.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.

c:\Qoobox\quarantine\C\WINDOWS\system32\wmdrtc32.dll.vir (Virus.Sality) -> Quarantined and deleted successfully.

c:\system volume information\_restore{b55d3b3f-03c5-4f38-83e4-55c3b04d7886}\RP4\A0001344.dll (Virus.Sality) -> Quarantined and deleted successfully.

c:\system volume information\_restore{b55d3b3f-03c5-4f38-83e4-55c3b04d7886}\RP4\A0001808.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.

c:\WINDOWS\system32\cmdow.exe (PUP.Tool) -> Quarantined and deleted successfully.

d:\qmjco.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.

d:\hgcxo.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.

d:\system volume information\_restore{b55d3b3f-03c5-4f38-83e4-55c3b04d7886}\RP3\A0001091.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.

d:\system volume information\_restore{b55d3b3f-03c5-4f38-83e4-55c3b04d7886}\RP4\A0001343.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.

d:\system volume information\_restore{b55d3b3f-03c5-4f38-83e4-55c3b04d7886}\RP4\A0001353.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.

e:\xakf.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.

e:\axpfu.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.

e:\system volume information\_restore{b55d3b3f-03c5-4f38-83e4-55c3b04d7886}\RP3\A0001096.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.

e:\system volume information\_restore{b55d3b3f-03c5-4f38-83e4-55c3b04d7886}\RP4\A0001326.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.

e:\system volume information\_restore{b55d3b3f-03c5-4f38-83e4-55c3b04d7886}\RP4\A0001452.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.

f:\rbpc.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.

f:\mydo.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.

f:\system volume information\_restore{b55d3b3f-03c5-4f38-83e4-55c3b04d7886}\RP4\A0001347.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.

f:\system volume information\_restore{b55d3b3f-03c5-4f38-83e4-55c3b04d7886}\RP4\A0001350.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.

h:\xbjkmm.pif (Malware.Packer.Gen) -> Quarantined and deleted successfully.

c:\WINDOWS\system32\wmdrtc32.dl_ (Virus.Sality) -> Quarantined and deleted successfully.

 

 

I'll restart and come back to complete the remaining steps

May God let me see you among the people of Paradise, dear Zumurruda
