ComboFix 10-02-24.03 - Administrator 02/25/2010 12:30.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1256.981.1033.18.2047.1420 [GMT 3.5:30]
Running from: j:\downloads\ComboFix.exe
AV: ESET Smart Security 3.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
j:\documents and settings\Administrator\c1r9r26r3.exe
j:\documents and settings\Administrator\ddaqaex9.exe
j:\documents and settings\Administrator\o5k3h92i5.exe
j:\documents and settings\Administrator\w1v5z33h2.exe
j:\documents and settings\All Users\Start Menu\Programs\NasimSoft
j:\windows\Fonts\w1v5z33h2.exe
.
((((((((((((((((((((((((( Files Created from 2010-01-25 to 2010-02-25 )))))))))))))))))))))))))))))))
.
2010-02-24 19:41 . 2010-02-24 19:41 -------- d-----w- j:\program files\Common Files\Nero
2010-02-24 19:40 . 2010-02-24 19:41 -------- d-----w- j:\program files\Nero 9
2010-02-24 18:44 . 2010-02-24 18:44 661728 ----a-w- J:\times32(2).exe
2010-02-24 18:40 . 2010-02-24 18:44 661728 ----a-w- J:\times32.exe
2010-02-24 18:28 . 2010-02-24 18:28 -------- d-----w- j:\program files\Puff
2010-02-22 19:45 . 2010-02-22 19:45 -------- d-----w- j:\program files\ESET
2010-02-20 10:45 . 2010-02-20 10:45 -------- d-----w- j:\windows\Big Kahuna Words
2010-02-20 10:44 . 2010-02-20 10:44 -------- d-----w- j:\windows\Bricks Of Egypt 2
2010-02-20 10:43 . 2010-02-20 10:43 -------- d-----w- j:\windows\Break Quest
2010-02-18 09:27 . 2010-02-18 09:27 -------- d-----w- j:\program files\AVG
2010-02-18 09:22 . 2006-05-24 10:06 110592 ----a-w- j:\documents and settings\Administrator\Application Data\U3\temp\cleanup.exe
2010-02-18 08:08 . 2010-02-19 18:31 -------- d-----w- j:\documents and settings\Administrator\Application Data\U3
2010-02-17 19:27 . 2010-02-18 09:24 -------- d-----w- j:\windows\SxsCaPendDel
2010-02-14 19:47 . 2010-02-25 08:58 -------- d-----w- J:\Downloads
2010-02-14 19:47 . 2010-02-25 08:59 -------- d-----w- j:\documents and settings\Administrator\Application Data\Orbit
2010-02-14 19:47 . 2010-02-14 19:47 -------- d-----w- j:\program files\Orbitdownloader
2010-02-14 16:35 . 2010-02-14 16:35 -------- d-----w- j:\windows\Bubble Odyssey
2010-02-14 16:25 . 2010-02-14 16:25 -------- d-----w- j:\windows\Bistro Stars
2010-02-14 16:25 . 2010-02-14 16:25 -------- d-----w- j:\windows\Luxor
2010-02-14 16:24 . 2010-02-14 16:24 -------- d-----w- j:\program files\ReflexiveArcade
2010-02-14 16:19 . 2010-02-20 10:45 -------- d-----w- j:\program files\Emperor
2010-02-14 16:19 . 2010-02-14 16:19 -------- d-----w- j:\windows\Barnyard Invasion
2010-02-13 07:58 . 2010-02-13 07:58 -------- d-----w- j:\documents and settings\All Users\Application Data\FLEXnet
2010-02-13 07:50 . 2010-02-13 07:50 -------- d-----w- j:\program files\Common Files\Adobe AIR
2010-02-09 13:12 . 2010-02-19 16:45 -------- d-----w- j:\documents and settings\Administrator\Application Data\Spider Player
2010-01-31 14:41 . 2010-02-17 19:28 -------- d-----w- j:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2010-01-31 14:40 . 2010-02-19 16:42 -------- d-----w- j:\program files\Common Files\Adobe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-23 12:53 . 2009-10-04 11:05 -------- d-----w- j:\program files\Total Video Converter
2010-02-23 12:48 . 2009-09-30 06:25 168464 ----a-w- j:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-23 12:44 . 2009-09-30 06:38 -------- d-----w- j:\program files\Common Files\InstallShield
2010-02-23 12:43 . 2009-09-30 06:38 -------- d--h--w- j:\program files\InstallShield Installation Information
2010-02-23 12:42 . 2009-12-17 21:34 -------- d-----w- j:\program files\AviSynth 2.5
2010-02-23 12:42 . 2009-10-23 11:53 -------- d-----w- j:\documents and settings\Administrator\Application Data\Any DVD Converter Professional
2010-02-23 12:42 . 2009-11-28 08:52 -------- d-----w- j:\program files\7-Zip
2010-02-20 16:59 . 2009-09-30 17:20 1 ----a-w- j:\documents and settings\Administrator\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-02-19 16:45 . 2009-12-17 21:34 -------- d-----w- j:\program files\Gabest
2010-02-19 16:44 . 2009-10-01 14:50 -------- d-----w- j:\program files\FIFA Soccer
2010-02-19 16:42 . 2009-12-26 13:59 -------- d-----w- j:\program files\TuneUp Utilities 2009
2010-01-21 15:08 . 2009-09-30 06:51 -------- d-----w- j:\program files\JetAudio
2009-12-26 14:00 . 2009-12-26 14:00 604416 ----a-w- j:\windows\system32\TUProgSt.exe
2009-12-26 14:00 . 2009-12-26 14:00 361216 ----a-w- j:\windows\system32\TuneUpDefragService.exe
2009-11-28 13:20 . 2009-11-28 13:20 276400 ----a-w- j:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
.
------- Sigcheck -------
[-] 2008-10-26 . 6772154A2185F5FB42E37A87087C2398 . 361600 . . [5.1.2600.5649] . . j:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="j:\program files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-11-24 94208]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2008-04-10 16861184]
"NvCplDaemon"="j:\windows\system32\NvCpl.dll" [2009-01-15 13680640]
"NvMediaCenter"="j:\windows\system32\NvMcTray.dll" [2009-01-15 86016]
"egui"="j:\program files\ESET\ESET Smart Security\egui.exe" [2008-08-18 1447168]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="j:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]
"_nltide_3"="advpack.dll" [2008-06-23 124928]
j:\documents and settings\All Users\Start Menu\Programs\Startup\
Orbit.lnk - j:\program files\Orbitdownloader\orbitdm.exe [2010-2-14 1719496]
[HKLM\~\startupfolder\J:^Documents and Settings^Administrator^Start Menu^Programs^Startup^desktop.ini]
path=j:\documents and settings\Administrator\Start Menu\Programs\Startup\desktop.ini
backup=j:\windows\pss\desktop.iniStartup
[HKLM\~\startupfolder\J:^Documents and Settings^Administrator^Start Menu^Programs^Startup^OpenOffice.org 3.0.lnk]
path=j:\documents and settings\Administrator\Start Menu\Programs\Startup\OpenOffice.org 3.0.lnk
backup=j:\windows\pss\OpenOffice.org 3.0.lnkStartup
[HKLM\~\startupfolder\J:^Documents and Settings^Administrator^Start Menu^Programs^Startup^WordWeb Pro.lnk]
path=j:\documents and settings\Administrator\Start Menu\Programs\Startup\WordWeb Pro.lnk
backup=j:\windows\pss\WordWeb Pro.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2009-09-04 08:38 935288 ----a-r- j:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-10-03 00:38 35696 ----a-w- j:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 07:20 155648 ----a-w- j:\windows\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2009-01-15 00:19 1657376 ----a-w- j:\windows\system32\nwiz.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"j:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"j:\\WINDOWS\\system32\\sessmgr.exe"=
"j:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"j:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
R2 ekrn;Eset Service;j:\program files\ESET\ESET Smart Security\ekrn.exe [2008/08/18 01:25 ب.ظ 468224]
S3 ham50;Intel V92 HaM Data Fax Voice;j:\windows\system32\drivers\IntelH51.sys [2009/09/30 11:20 ق.ظ 454815]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{64KLC5K0-4OPM-00WE-AAX8-17EF1D187263}]
2010-02-16 16:22 73729 ----a-w- c:\quicktime\Q-43234FDHJ-0234567123-887321236-432\FEB2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{64KLC5K0-4OPM-00WE-AAX8-17EF1D187666}]
2010-02-19 07:52 49153 ----a-w- c:\rom\P-43553JIYW-8374322329-0909090987-120\sys32s.exe
.
Contents of the 'Scheduled Tasks' folder
2010-02-25 j:\windows\Tasks\1-Click Maintenance.job
- j:\program files\TuneUp Utilities 2009\OneClickStarter.exe [2009-04-27 12:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.orbitdownloader.com
IE: &Download by Orbit - j:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - j:\program files\Orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - j:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - j:\program files\Orbitdownloader\orbitmxt.dll/202
IE: E&xport to Microsoft Excel - c:\msoffi~1\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - j:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ox8qu3un.default\
FF - prefs.js: browser.startup.homepage - hxxp://search.orbitdownloader.com
FF - plugin: j:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: j:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
.
- - - - ORPHANS REMOVED - - - -
MSConfigStartUp-Rainlendar2 - j:\program files\Rainlendar2\Rainlendar2.exe
ActiveSetup-{63MAD6M8-1MAD-81AD-JIM6-32OP5G1234521} - c:\jim\carry\jIm.exe
************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
Rootkit scan 2010-02-25 12:48
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
************************************************************************
.
Completion time: 2010-02-25 12:48:52
ComboFix-quarantined-files.txt 2010-02-25 09:18
Pre-Run: 21,573,648,384 bytes free
Post-Run: 22,414,536,704 bytes free
- - End Of File - - D063C96E181A57FE42880D1C1BED3A6D