This is the ComboFix report and we want your opinion on it

Lak Oyouni Forums (منتديات لك عيوني) > Administrative Sections > Duplicate Topics

Posted 09-01-2009, 10:20 PM, post #1, by شيخ نفسه (Saudi Arabia)

ComboFix 09-08-31.03 - Administrator 09/01/2009 18:352 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1256.1025.2037.1557 [GMT 3:00]
Running from: c:\documents and settings\Administrator.MADA\سطح المكتب\ComboFix.exe
AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: Outpost Firewall *enabled* {8A20CA2A-9E02-4A64-923B-0A38208EB7FD}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-725345543-117609710-839522115-500
c:\windows\Installer\6ec4c.msi
c:\windows\Installer\a46baf.msi
c:\windows\system32\kakle.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_AVPsys


((((((((((((((((((((((((( Files Created from 2009-08-01 to 2009-09-01 )))))))))))))))))))))))))))))))
.

2009-09-01 15:12 . 2009-09-01 15:12 -------- d-----w- c:\windows\system32\wbem\Repository
2009-09-01 14:44 . 2009-09-01 14:44 -------- d-----w- c:\program files\Panda Security
2009-09-01 14:44 . 2009-09-01 15:12 -------- d-----w- c:\windows\LastGood(2)
2009-08-26 02:25 . 2009-09-01 14:54 -------- d-----w- c:\windows\BDOSCAN8
2009-08-26 01:52 . 2009-08-26 01:52 -------- d-----w- c:\documents and settings\Administrator.MADA\.housecall6.6
2009-08-25 01:02 . 2009-09-01 00:15 -------- d-----w- c:\documents and settings\Administrator.MADA\Application Data\skypePM
2009-08-25 01:02 . 2009-08-25 01:02 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-08-25 00:53 . 2009-09-01 15:12 -------- d-----w- c:\documents and settings\Administrator.MADA\Application Data\Skype
2009-08-25 00:52 . 2009-08-25 00:52 -------- d-----w- c:\program files\Common Files\Skype
2009-08-25 00:52 . 2009-08-28 19:26 -------- d-----r- c:\program files\Skype
2009-08-25 00:52 . 2009-08-25 00:52 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Skype
2009-08-24 01:03 . 2009-08-24 01:19 -------- d-----w- c:\documents and settings\Administrator.MADA\Local Settings\Application Data\IM
2009-08-24 01:03 . 2009-08-24 01:04 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\IM
2009-08-24 01:03 . 2009-08-24 01:03 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\IncrediMail
2009-08-22 13:37 . 2009-08-03 10:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-22 13:37 . 2009-08-03 10:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-20 16:13 . 2009-08-20 16:13 -------- d-sh--w- c:\documents and settings\Administrator.MADA\IECompatCache
2009-08-15 22:35 . 2009-08-15 22:38 -------- d-----w- c:\documents and settings\Administrator.MADA\Application Data\GetRightToGo
2009-08-08 07:04 . 2001-08-17 19:36 8704 ----a-w- c:\windows\system32\kbdjpn.dll
2009-08-08 07:04 . 2001-08-17 19:36 8192 ----a-w- c:\windows\system32\kbdkor.dll
2009-08-08 07:04 . 2001-08-17 11:55 6144 ----a-w- c:\windows\system32\kbd106.dll
2009-08-08 07:04 . 2001-08-17 11:55 6144 ----a-w- c:\windows\system32\kbd101c.dll
2009-08-08 07:04 . 2001-08-17 11:55 5632 ----a-w- c:\windows\system32\kbd103.dll
2009-08-08 07:04 . 2001-08-17 11:55 6144 ----a-w- c:\windows\system32\kbd101b.dll
2009-08-04 19:20 . 2009-08-17 11:43 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Messenger Plus!
2009-08-04 19:17 . 2009-08-04 19:20 -------- d-----w- c:\program files\MSN Messenger
2009-08-03 23:15 . 2009-08-28 19:27 -------- d-----w- c:\program files\Google
2009-08-03 23:11 . 2009-08-03 23:16 1962544 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\NOS\Adobe_Downloads\install_flash_player_ax.exe
2009-08-03 23:11 . 2009-08-04 02:13 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\NOS
2009-08-03 23:11 . 2009-08-03 23:11 -------- d-----w- c:\program files\NOS
2009-08-03 04:06 . 2009-08-03 04:06 -------- d-----w- c:\documents and settings\Administrator.MADA\Application Data\.clamwin
2009-08-02 23:12 . 2009-08-02 23:12 -------- d-sh--w- c:\documents and settings\Administrator.MADA\PrivacIE
2009-08-02 23:12 . 2009-08-02 23:12 -------- d-sh--w- c:\documents and settings\NetworkService.NT AUTHORITY\IETldCache
2009-08-02 23:12 . 2009-08-02 23:12 -------- d-sh--w- c:\documents and settings\Administrator.MADA\IETldCache
2009-08-02 23:04 . 2009-08-02 23:05 -------- dc-h--w- c:\windows\ie8
2009-08-02 22:06 . 2008-02-26 11:59 294912 ------w- c:\windows\system32\dllcache\msctf.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-01 15:39 . 2009-09-01 15:39 -------- d-----w- c:\program files\microsoft frontpage
2009-09-01 15:18 . 2001-09-19 15:00 59922 ----a-w- c:\windows\system32\perfc001.dat
2009-09-01 15:18 . 2001-09-19 15:00 331536 ----a-w- c:\windows\system32\perfh001.dat
2009-09-01 15:17 . 2009-06-03 20:46 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-09-01 03:59 . 2009-07-08 15:52 -------- d-----w- c:\documents and settings\Administrator.MADA\Application Data\cleaner
2009-08-30 00:24 . 2009-02-13 02:58 9 ----a-w- c:\windows\system32\srss.dat
2009-08-24 01:05 . 2009-01-31 07:09 76544 ----a-w- c:\documents and settings\Administrator.MADA\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-17 22:53 . 2009-06-26 22:12 -------- d-----w- c:\program files\SplitCam
2009-08-04 19:20 . 2009-03-15 00:33 -------- d-----w- c:\program files\Messenger Plus! Live
2009-08-04 19:07 . 2009-04-17 15:18 -------- d-----w- c:\program files\Windows Live
2009-07-29 13:05 . 2007-03-16 04:26 218624 ----a-w- c:\windows\system32\uxtheme.dll
2009-07-22 03:54 . 2009-01-27 12:57 -------- d---a-w- c:\program files\DAP
2009-07-21 10:26 . 2009-07-21 10:26 -------- d-----w- c:\documents and settings\Administrator.MADA\Application Data\Avant Profiles
2009-07-19 22:50 . 2009-07-19 22:50 -------- d-----w- c:\documents and settings\Administrator.MADA\Application Data\FastStone
2009-07-18 20:27 . 2009-07-18 20:27 -------- d-----w- c:\documents and settings\Administrator.MADA\Application Data\CyberLink
2009-07-18 01:31 . 2009-07-17 23:10 -------- d-----w- c:\program files\Bonjour
2009-07-18 01:25 . 2009-07-04 22:06 -------- d-----w- c:\documents and settings\Administrator.MADA\Application Data\IDM
2009-07-18 01:16 . 2009-06-27 05:30 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Apple Computer
2009-07-17 23:39 . 2009-07-04 22:06 -------- d-----w- c:\documents and settings\Administrator.MADA\Application Data\DMCache
2009-07-08 15:52 . 2009-07-08 15:52 -------- d-----w- c:\documents and settings\Administrator.MADA\Application Data\CyberScrub
2009-07-01 10:24 . 2009-07-01 10:25 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-06-27 17:17 . 2009-02-01 02:56 90112 ----a-w- c:\windows\system32\agsaami.dll
2009-06-27 17:17 . 2009-02-01 02:56 610304 ----a-w- c:\windows\system32\agsaamg.dll
2009-06-27 17:17 . 2009-02-01 02:56 372736 ----a-w- c:\windows\system32\agsaamc.dll
2009-06-27 17:17 . 2009-02-01 02:56 2535424 ----a-w- c:\windows\system32\agsaamj.dll
2009-06-27 17:17 . 2009-02-01 02:56 1986560 ----a-w- c:\windows\system32\akll.dll
2009-06-27 17:17 . 2009-02-01 02:56 196608 ----a-w- c:\windows\system32\maag.dll
2009-06-27 17:17 . 2009-02-01 02:56 1245184 ----a-w- c:\windows\system32\bkll.dll
2009-06-27 17:17 . 2009-02-01 02:56 1212416 ----a-w- c:\windows\system32\ckll.dll
2009-06-15 01:58 . 2009-06-15 01:58 390664 ----a-w- c:\documents and settings\Administrator.MADA\Application Data\Real\RealPlayer\Update\realplayer11gold.exe
2009-06-05 11:38 . 2009-06-05 11:38 152576 ----a-w- c:\documents and settings\Administrator.MADA\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
.

------- Sigcheck -------

[-] 2007-03-16 04:24 360576 B2220C618B42A2212A59D91EBD6FC4B4 c:\windows\system32\drivers\tcpip.sys

[7] 2007-02-28 05:05 2060928 07EC56EB800A64228A42157D2FF161F3 c:\windows\Driver Cache\i386\ntkrnlpa.exe
[7] 2007-02-28 16:05 2018816 C4C851B497BACEC88FEB21F04979D853 c:\windows\NiwradSoft Shell Pack\Backup\ntkrnlpa.exe
[-] 2007-02-28 16:05 2180096 2FA8539B1E3EB6EB616041D69AC1CDD6 c:\windows\system32\ntkrnlpa.exe
[-] 2007-02-28 16:05 2180096 2FA8539B1E3EB6EB616041D69AC1CDD6 c:\windows\system32\dllcache\ntkrnlpa.exe

[7] 2007-02-28 16:05 2183680 BD6DEA71816E48DE42ADAB538296F596 c:\windows\Driver Cache\i386\ntoskrnl.exe
[7] 2007-02-28 16:05 2139136 19A5914E00C87962B3E6E467D006F5FD c:\windows\NiwradSoft Shell Pack\Backup\ntoskrnl.exe
[-] 2007-02-28 16:05 2300416 1435A5898921CA96BC8BA4169BCD8E76 c:\windows\system32\ntoskrnl.exe
[-] 2007-02-28 16:05 2300416 1435A5898921CA96BC8BA4169BCD8E76 c:\windows\system32\dllcache\ntoskrnl.exe

[-] 2004-08-04 00:56 1538048 0869AABEC6C4BD0A7FA28581D57BCB23 c:\windows\explorer.exe
[7] 2004-08-04 00:56 1029632 932F97B77F2625F7FF7DFC97552548F8 c:\windows\NiwradSoft Shell Pack\Backup\explorer.exe

[-] 2007-03-16 04:22 57856 AD3D9D191AEA7B5445FE1D82FFBB4788 c:\windows\system32\spoolsv.exe

[7] 2004-08-04 00:56 110592 DB229DFB518B42754A510C5E101FA70F c:\windows\NiwradSoft Shell Pack\Backup\wuauclt.exe
[-] 2004-08-04 00:56 115712 78D1C9C1378ECB5D443E098EA08226E8 c:\windows\system32\wuauclt.exe

[-] 2007-03-16 04:25 927504 7FE8A96E86CAE07FAE99DC3E0FEAC79A c:\windows\system32\mfc40u.dll

[-] 2007-03-16 04:23 398848 9A0E58E91A5F0F23EB3F48D821CA774E c:\windows\system32\rpcss.dll

[-] 2007-03-16 04:24 617472 7037C70E7AC84B229E35E74D1D1A361F c:\windows\system32\comctl32.dll
[7] 2001-09-19 15:00 921088 AEF3D788DBF40C7C4D204EA45EB0C505 c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll
[-] 2006-08-25 08:52 1054208 68DDAFDEE26BE9E2D615A97A5E45D15B c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll

[-] 2007-03-16 04:22 248832 5B86344B87D41C77D752C1B2221C808A c:\windows\system32\tapisrv.dll

[-] 2007-03-16 04:23 197120 0BB6CE5523BAF1512314BAE179360B3C c:\windows\system32\netman.dll

[-] 2007-03-16 04:23 243200 F00B000A4DE779200648CE95B7C23CD0 c:\windows\system32\es.dll

[-] 2007-03-16 04:22 19968 4180813BB96982D3AAFE7FF737533727 c:\windows\system32\linkinfo.dll

[-] 2007-03-16 04:26 135168 BFBC797D12150C3ADC33E3721D8E1BA3 c:\windows\system32\shsvcs.dll

[-] 2006-02-15 00:22 142464 1EE7B434BA961EF845DE136224C30FEC c:\windows\system32\drivers\aec.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"Google Update"="c:\documents and settings\Administrator.MADA\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-07-21 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-11-29 32768]
"PDF Complete"="c:\program files\PDF Complete\pdfsty.exe" [2007-08-07 331288]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-05 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-09-05 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-05 137752]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-04-15 198160]
"OutpostMonitor"="d:\a11a~1\op_mon.exe" [2009-04-28 2374464]
"OutpostFeedBack"="d:\الجدار اناري\feedback.exe" [2009-04-28 428032]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-03-13 1443072]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-12-12 16859136]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="shell32" [X]
"TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2007-03-16 12451]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-03 44544]
"nltide_3"="advpack.dll" - c:\windows\system32\advpack.dll [2009-03-08 128512]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=d:\a11a~1\wl_hook.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [3/13/2008 4:52 PM 33800]
R1 SandBox;SandBox;c:\windows\system32\drivers\SandBox.sys [6/29/2009 1:11 PM 704384]
R2 acssrv;Agnitum Client Security Service;d:\a11a~1\acs.exe [6/29/2009 1:10 PM 1195008]
R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [3/13/2008 4:49 PM 472320]
R2 pdfcDispatcher;PDF Document Manager;c:\program files\PDF Complete\pdfsvc.exe [1/31/2009 10:31 AM 540184]
R2 Vcs;Vcs support;c:\windows\system32\drivers\Vcs.sys [3/18/2009 3:51 AM 6852]
R3 afw;Agnitum firewall driver;c:\windows\system32\drivers\afw.sys [6/29/2009 1:10 PM 31128]
R3 afwcore;afwcore;c:\windows\system32\drivers\afwcore.sys [6/29/2009 1:11 PM 257432]
R3 HssDrv;Hotspot Shield Helper Miniport;c:\windows\system32\drivers\hssdrv.sys [2/15/2009 11:01 AM 33256]
S2 gupdate1ca240f9f4f7718;Google Update Service (gupdate1ca240f9f4f7718);c:\program files\Google\Update\GoogleUpdate.exe [8/23/2009 7:34 PM 133104]
S2 HssSrv;Hotspot Shield Helper Service;c:\program files\Hotspot Shield\HssWPR\hsssrv.exe --> c:\program files\Hotspot Shield\HssWPR\hsssrv.exe [?]
S2 NOD32FiXTemDono;Eset Nod32 Boot;c:\windows\system32\regedt32.exe [9/19/2001 6:00 PM 3584]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [8/4/2009 2:11 AM 66056]
S3 HssTrayService;Hotspot Shield Tray Service;c:\program files\Hotspot Shield\bin\HssTrayService.EXE --> c:\program files\Hotspot Shield\bin\HssTrayService.EXE [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",Brand IEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-09-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-23 16:34]

2009-09-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-23 16:34]

2009-09-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-436374069-1844237615-839522115-500Core.job
- c:\documents and settings\Administrator.MADA\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-07-21 14:55]

2009-09-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-436374069-1844237615-839522115-500UA.job
- c:\documents and settings\Administrator.MADA\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-07-21 14:55]
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKCU-Run-Messenger (Yahoo!) - e:\program files\Yahoo!\Messenger\YahooMessenger.exe
HKLM-Run-WinampAgent - d:\مشغل الصوت\Winamp\winampa.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.sa/
uInternet Settings,ProxyOverride = *.local
IE: &Export to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-01 18:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pdfcDispatcher]
"ImagePath"="c:\program files\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-436374069-1844237615-839522115-500\AppEvents\Schemes\Apps\.Default\.Default\'(1'GJE0*#]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
@=expand:"%SystemRoot%\\media\\Windows XP Ding.wav"

[HKEY_USERS\S-1-5-21-436374069-1844237615-839522115-500\AppEvents\Schemes\Apps\.Default\AppGPFault\'(1'GJE0*#]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
@=""

[HKEY_USERS\S-1-5-21-436374069-1844237615-839522115-500\AppEvents\Schemes\Apps\.Default\CCSelect\'(1'GJE0*#]
@=""

[HKEY_USERS\S-1-5-21-436374069-1844237615-839522115-500\AppEvents\Schemes\Apps\.Default\Close\'(1'GJE0*#]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
@=""

[HKEY_USERS\S-1-5-21-436374069-1844237615-839522115-500\AppEvents\Schemes\Apps\.Default\CriticalBatteryAlarm\'(1'GJE0*#]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
@=expand:"%SystemRoot%\\media\\Windows XP Battery Critical.wav"

[HKEY_USERS\S-1-5-21-436374069-1844237615-839522115-500\AppEvents\Schemes\Apps\.Default\DeviceConnect\'(1'GJE0*#]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
@=expand:"%SystemRoot%\\media\\Windows XP Hardware Insert.wav"

[HKEY_USERS\S-1-5-21-436374069-1844237615-839522115-500\AppEvents\Schemes\Apps\.Default\DeviceDisconnect\'(1'GJE0*#]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
@=expand:"%SystemRoot%\\media\\Windows XP Hardware Remove.wav"

[HKEY_USERS\S-1-5-21-436374069-1844237615-839522115-500\AppEvents\Schemes\Apps\.Default\DeviceFail\'(1'GJE0*#]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
@=expand:"%SystemRoot%\\media\\Windows XP Hardware Fail.wav"

[HKEY_USERS\S-1-5-21-436374069-1844237615-839522115-500\AppEvents\Schemes\Apps\.Default\LowBatteryAlarm\'(1'GJE0*#]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
@=expand:"%SystemRoot%\\media\\Windows XP Battery Low.wav"

[HKEY_USERS\S-1-5-21-436374069-1844237615-839522115-500\AppEvents\Schemes\Apps\.Default\MailBeep\'(1'GJE0*#]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
@=expand:"%SystemRoot%\\media\\Windows XP Notify.wav"

[HKEY_USERS\S-1-5-21-436374069-1844237615-839522115-500\AppEvents\Schemes\Apps\.Default\Maximize\'(1'GJE0*#]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
@=""

[HKEY_USERS\S-1-5-21-436374069-1844237615-839522115-500\AppEvents\Schemes\Apps\.Default\MenuCommand\'(1'GJE0*#]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
@=""

[HKEY_USERS\S-1-5-21-436374069-1844237615-839522115-500\AppEvents\Schemes\Apps\.Default\MenuPopup\'(1'GJE0*#]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
@=""

[HKEY_USERS\S-1-5-21-436374069-1844237615-839522115-500\AppEvents\Schemes\Apps\.Default\Minimize\'(1'GJE0*#]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
@=""

[HKEY_USERS\S-1-5-21-436374069-1844237615-839522115-500\AppEvents\Schemes\Apps\.Default\Open\'(1'GJE0*#]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
@=""

[HKEY_USERS\S-1-5-21-436374069-1844237615-839522115-500\AppEvents\Schemes\Apps\.Default\PrintComplete\'(1'GJE0*#]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
@=""

[HKEY_USERS\S-1-5-21-436374069-1844237615-839522115-500\AppEvents\Schemes\Apps\.Default\RestoreDown\'(1'GJE0*#]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
@=""

[HKEY_USERS\S-1-5-21-436374069-1844237615-839522115-500\AppEvents\Schemes\Apps\.Default\RestoreUp\'(1'GJE0*#]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
@=""

[HKEY_USERS\S-1-5-21-436374069-1844237615-839522115-500\AppEvents\Schemes\Apps\.Default\ShowBand\'(1'GJE0*#]
@="Windows XP Logon Sound.wav"

[HKEY_USERS\S-1-5-21-436374069-1844237615-839522115-500\AppEvents\Schemes\Apps\.Default\SystemAsterisk\'(1'GJE0*#]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
@=expand:"%SystemRoot%\\media\\Windows XP Error.wav"

[HKEY_USERS\S-1-5-21-436374069-1844237615-839522115-500\AppEvents\Schemes\Apps\.Default\SystemExclamation\'(1'GJE0*#]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
@=expand:"%SystemRoot%\\media\\Windows XP Exclamation.wav"

[HKEY_USERS\S-1-5-21-436374069-1844237615-839522115-500\AppEvents\Schemes\Apps\.Default\SystemExit\'(1'GJE0*#]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
@=expand:"%SystemRoot%\\media\\Windows XP Shutdown.wav"

[HKEY_USERS\S-1-5-21-436374069-1844237615-839522115-500\AppEvents\Schemes\Apps\.Default\SystemHand\'(1'GJE0*#]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
@=expand:"%SystemRoot%\\media\\Windows XP Critical Stop.wav"

[HKEY_USERS\S-1-5-21-436374069-1844237615-839522115-500\AppEvents\Schemes\Apps\.Default\SystemNotification\'(1'GJE0*#]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
@=expand:"%SystemRoot%\\media\\Windows XP Balloon.wav"

[HKEY_USERS\S-1-5-21-436374069-1844237615-839522115-500\AppEvents\Schemes\Apps\.Default\SystemQuestion\'(1'GJE0*#]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
@=""

[HKEY_USERS\S-1-5-21-436374069-1844237615-839522115-500\AppEvents\Schemes\Apps\.Default\SystemStart\'(1'GJE0*#]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
@=expand:"%SystemRoot%\\media\\Windows XP Startup.wav"

[HKEY_USERS\S-1-5-21-436374069-1844237615-839522115-500\AppEvents\Schemes\Apps\.Default\WindowsLogoff\'(1'GJE0*#]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
@=expand:"%SystemRoot%\\media\\Windows XP Logoff Sound.wav"

[HKEY_USERS\S-1-5-21-436374069-1844237615-839522115-500\AppEvents\Schemes\Apps\.Default\WindowsLogon\'(1'GJE0*#]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
@=expand:"%SystemRoot%\\media\\Windows XP Logon Sound.wav"

[HKEY_USERS\S-1-5-21-436374069-1844237615-839522115-500\AppEvents\Schemes\Apps\Explorer\ActivatingDocument\'(1'GJE0*#]
@=""

[HKEY_USERS\S-1-5-21-436374069-1844237615-839522115-500\AppEvents\Schemes\Apps\Explorer\BlockedPopup\'(1'GJE0*#]
@="Windows Pop-up Blocked.wav"

[HKEY_USERS\S-1-5-21-436374069-1844237615-839522115-500\AppEvents\Schemes\Apps\Explorer\EmptyRecycleBin\'(1'GJE0*#]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
@=expand:"%SystemRoot%\\media\\Windows XP Recycle.wav"

[HKEY_USERS\S-1-5-21-436374069-1844237615-839522115-500\AppEvents\Schemes\Apps\Explorer\FeedDiscovered\'(1'GJE0*#]
@="Windows Feed Discovered.wav"

[HKEY_USERS\S-1-5-21-436374069-1844237615-839522115-500\AppEvents\Schemes\Apps\Explorer\MoveMenuItem\'(1'GJE0*#]
@=""

[HKEY_USERS\S-1-5-21-436374069-1844237615-839522115-500\AppEvents\Schemes\Apps\Explorer\Navigating\'(1'GJE0*#]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
@="Windows Navigation Start.wav"

[HKEY_USERS\S-1-5-21-436374069-1844237615-839522115-500\AppEvents\Schemes\Apps\Explorer\SearchProviderDiscovered\'(1'GJE0*#]
@=""

[HKEY_USERS\S-1-5-21-436374069-1844237615-839522115-500\AppEvents\Schemes\Apps\Explorer\SecurityBand\'(1'GJE0*#]
@="Windows Information Bar.wav"

[HKEY_USERS\S-1-5-21-436374069-1844237615-839522115-500\AppEvents\Schemes\Apps\WLXPhotoGallery\WindowsPhotoGalleryChangeMetadata\'(1'GJE0*#]
@="c:\\Program Files\\Windows Live\\Photo Gallery\\ChangeMetadata.wav"

[HKEY_USERS\S-1-5-21-436374069-1844237615-839522115-500\AppEvents\Schemes\Names\'(1'GJE0*#]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
@="ابراهيم"

[HKEY_USERS\S-1-5-21-436374069-1844237615-839522115-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a7,cf,6f,b6,a9,ac,80,4d,80,05,19,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a7,cf,6f,b6,a9,ac,80,4d,80,05,19,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a7,cf,6f,b6,a9,ac,80,4d,80,05,19,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):87,8f,60,0d,31,92,16,5f,c6,35,89,9b,48,d5,f3,58,65,20,51,7d,b0,
3e,98,e0,6e,fb,e3,42,c3,e6,6e,85,43,7a,27,14,65,a1,32,36,00,00,00,00,00,00,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{62bbe550-de89-4f9a-95ce-8d266e0ed4a8}]
@Denied: (Full) (Everyone)
"Model"=dword:000000c4
"Therad"=dword:0000000d

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1812)
c:\windows\system32\SETUPAPI.dll

- - - - - - - > 'lsass.exe'(1872)
c:\windows\system32\setupapi.dll

- - - - - - - > 'explorer.exe'(3832)
c:\windows\system32\SHDOCVW.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\msi.dll
c:\windows\system32\SETUPAPI.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\NETSHELL.dll
c:\windows\system32\credui.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\wscntfy.exe
c:\windows\system32\igfxsrvc.exe
c:\documents and settings\Administrator.MADA\Local Settings\Application Data\Google\Update\1.2.183.7\GoogleCrashHandler.exe
.
**************************************************************************
.
Completion time: 2009-09-01 18:41 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-01 15:41

Pre-Run: 42,838,347,776 bytes free
Post-Run: 42,788,913,152 bytes free
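A log like the one above is read section by section, not skimmed for a verdict. As an added example (not part of the post and not ComboFix's own code), here is a Python script that pulls out of a ComboFix log the items a responder checks first: the AV header reporting on-access scanning disabled, Sigcheck lines marked [-], a non-empty AppInit_DLLs value, EnableFirewall=0 in a firewall profile key, services whose binary ComboFix could not find (the `-->` ... `[?]` form), and services registered directly against a stock Windows tool. The section markers and line layouts are the ones visible in the pasted log; SAMPLE is a constructed excerpt patterned on that log, and GENERIC_HOSTS is an editorial list, not a ComboFix rule.

```python
"""Triage a ComboFix log for the items a responder checks first.

Added example for the post above: not the poster's code and not part of
ComboFix.  Assumptions: the section markers and line layouts are those
visible in the pasted log, GENERIC_HOSTS is an editorial list, and SAMPLE
is a constructed excerpt patterned on the log (not the full report).
"""
import re

SAMPLE = r"""
AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: Outpost Firewall *enabled* {8A20CA2A-9E02-4A64-923B-0A38208EB7FD}

------- Sigcheck -------

[-] 2007-03-16 04:24 360576 B2220C618B42A2212A59D91EBD6FC4B4 c:\windows\system32\drivers\tcpip.sys

[7] 2007-02-28 16:05 2183680 BD6DEA71816E48DE42ADAB538296F596 c:\windows\Driver Cache\i386\ntoskrnl.exe
[-] 2007-02-28 16:05 2300416 1435A5898921CA96BC8BA4169BCD8E76 c:\windows\system32\ntoskrnl.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=d:\a11a~1\wl_hook.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [3/13/2008 4:49 PM 472320]
S2 HssSrv;Hotspot Shield Helper Service;c:\program files\Hotspot Shield\HssWPR\hsssrv.exe --> c:\program files\Hotspot Shield\HssWPR\hsssrv.exe [?]
S2 NOD32FiXTemDono;Eset Nod32 Boot;c:\windows\system32\regedt32.exe [9/19/2001 6:00 PM 3584]
"""

# Sigcheck line: [flag] date time size md5 path.  Flag "-" means the file's
# hash is not in ComboFix's known-good list (not, by itself, "infected").
SIGCHECK_RE = re.compile(
    r'^\[(?P<flag>[^\]]+)\]\s+\S+\s+\S+\s+\d+\s+(?P<md5>[0-9A-Fa-f]{32})\s+(?P<path>.+)$')
# Service line: R0-R3 running / S0-S4 stopped, then name;description;image [meta]
SERVICE_RE = re.compile(r'^(?P<start>[RS][0-4]) (?P<name>[^;]+);(?P<desc>[^;]*);(?P<rest>.+)$')
META_RE = re.compile(r'\s+\[[^\]]*\]$')
# Stock Windows tools that no vendor service should be registered against.
# Editorial choice, not a ComboFix rule; svchost.exe is left out because
# Windows legitimately hosts services in it.
GENERIC_HOSTS = {'regedt32.exe', 'regedit.exe', 'rundll32.exe', 'cmd.exe',
                 'wscript.exe', 'cscript.exe'}


def triage(text):
    """Return (severity, kind, message) tuples for a ComboFix log."""
    findings = []
    section = key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith('-------'):             # "------- Sigcheck -------" and the like
            section = 'sigcheck' if 'Sigcheck' in line else None
            continue
        if 'Reg Loading Points' in line:
            section = 'reg'
            continue
        if line.startswith('AV:') and '*On-access scanning disabled*' in line:
            product = line[3:].split(' {')[0].strip()
            findings.append(('high', 'antivirus', f'real-time scanning is off: {product}'))
            continue
        if section == 'sigcheck':
            m = SIGCHECK_RE.match(line)
            if m and m['flag'] == '-':
                findings.append(('medium', 'sigcheck',
                                 f"{m['path']} (md5 {m['md5']}) is not in ComboFix's "
                                 "known-good list; compare with the vendor hash first"))
            continue
        if section == 'reg' and line.startswith('[') and line.endswith(']'):
            key = line[1:-1].lower()               # registry key the next values belong to
            continue
        if section == 'reg' and key is not None:
            name, _, value = line.partition('=')
            name, value = name.strip().strip('"').lower(), value.strip()
            if (name == 'appinit_dlls' and key.endswith('currentversion\\windows')
                    and value not in ('', '""')):
                findings.append(('high', 'appinit',
                                 f'AppInit_DLLs loads {value} into every process that maps user32.dll'))
                continue
            if name == 'enablefirewall' and 'firewallpolicy' in key and value.startswith('0'):
                profile = key.rsplit('\\', 1)[-1]
                findings.append(('low', 'firewall', f'Windows Firewall is off for {profile}'))
                continue
        m = SERVICE_RE.match(line)
        if m:
            rest = m['rest']
            image = META_RE.sub('', rest).split(' --> ')[0].strip()
            base = image.rsplit('\\', 1)[-1].lower()
            label = f"{m['name']} ({m['desc']})"
            if rest.endswith('[?]'):               # ComboFix could not find the image
                findings.append(('low', 'service',
                                 f'{label} points at a file ComboFix could not find: {image}'))
            elif base in GENERIC_HOSTS:
                findings.append(('high', 'service',
                                 f'{label} runs the stock Windows tool {base} as its service binary'))
    return findings


if __name__ == '__main__':
    for severity, kind, message in triage(SAMPLE):
        print(f'[{severity:6}] {kind:9} {message}')
```

Two caveats apply to the report above. A [-] in Sigcheck only says the hash is not in ComboFix's known-good list; this machine has a shell pack installed (the log lists NiwradSoft Shell Pack backups of explorer.exe, ntoskrnl.exe and wuauclt.exe), which is a plausible non-malicious reason for several of those entries, so the hashes should be checked against the vendor's before any file is treated as patched. EnableFirewall=0 in the standard profile is the usual state when a third-party firewall is active, and the FW: header line reports Outpost as enabled. The item that does need an explanation is an auto-start service whose description names one product while its image is a stock Windows utility.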
