¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Pre_Script | 3.0123 ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

chouchou : Windows Vista (TM) Home Premium (32 bits)
Switchs : http://gen-hackman.forum-pro.fr/t89-les-switchs

New restorepoint created

Script : 12:03:44

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤¤¤¤¤¤ | Stopped Processes

(1100) -- Ati2evxx.exe
(1364) -- SLsvc.exe
(1584) -- Ati2evxx.exe
(1928) -- explorer.exe
(2028) -- spoolsv.exe
(188) -- taskeng.exe
(504) -- taskeng.exe
(2216) -- ACService.exe
(2236) -- CLMSServer.exe
(2244) -- RtHDVCpl.exe
(2268) -- MemCheck.exe
(2288) -- rundll32.exe
(2344) -- jusched.exe
(2420) -- qttask.exe
(2432) -- SweetIM.exe
(2520) -- SweetPacksUpdateManager.exe
(2540) -- 9props.exe
(2548) -- CCleaner.exe
(2556) -- ehtray.exe
(2576) -- wmpnscfg.exe
(2640) -- PrintScreen.exe
(2652) -- Magic-i.exe
(2684) -- ehmsas.exe
(2940) -- eDSService.exe
(3024) -- ijplmsvc.exe
(3048) -- LSSrvc.exe
(3120) -- uMgiSvr.exe
(3244) -- RichVideo.exe
(3388) -- TeamViewer_Service.exe
(3472) -- WLIDSVC.EXE
(3696) -- SearchIndexer.exe
(3796) -- WLIDSVCM.EXE
(3828) -- WUDFHost.exe
(4068) -- TeamViewer.exe
(3908) -- eRecoveryService.exe
(2800) -- wmpnetwk.exe
(3808) -- mobsync.exe
(1468) -- wmplayer.exe
(1868) -- tv_w32.exe
(5940) -- iexplore.exe
(5488) -- GoogleToolbarUser_32.exe
(5656) -- iexplore.exe
(1464) -- SearchProtocolHost.exe
(5396) -- iexplore.exe
(5404) -- taskeng.exe
(6128) -- ctfmon.exe
(4324) -- wuauclt.exe
(5700) -- SearchFilterHost.exe
(5620) -- taskmgr.exe

¤¤¤¤¤¤¤¤¤¤ | RegRead :

¤¤¤¤¤¤¤¤¤¤ | Deletion | Drivers | Services

Service : MPKSL55D5FBDC Not actif
Service : MPKSLB0BE3CF9 Not actif
Service : MPKSLBA05564C Not actif
Service : MPKSLC508DF0E Not actif
Service : MPKSLEFC1BE61 Not actif
Service : SYMDNS Not actif
Service : SYMEVENT Not actif
Service : SYMFW Not actif
Service : SYMIDS Not actif
Service : SYMNDISV Not actif
Service : SYMREDRV Not actif
Service : SYMTDI Not actif

¤

¤¤¤¤¤¤¤¤¤¤ | Registry Deletions

Value Deleted : [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]:Acer Tour
Value Deleted : [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]:eRecoveryService
Value Deleted : [HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]:
Key Deleted : HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Adobe Reader Speed Launcher
Key not found : HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\QuickTime Task
Key Deleted : HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\swg
Key Deleted : HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8AD9C840-044E-11D1-B3E9-00805F499D93}
Key not found : HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
Key not found : HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}
Key not found : HKU\S-1-5-21-2465643848-3244870746-783416107-1000\Software\eojet
Key Deleted : HKLM\Software\BrowserChoice
Value Deleted : [HKLM\SYSTEM\CurrentControlSet\Services\sharedaccess\Parameters\FirewallPolicy\FirewallRules]:{7CEA1F8C-ADD2-4BB2-8F4C-4CD51CD41CDC}
No value : [ HKLM\SYSTEM\CurrentControlSet\Services\sharedaccess\Parameters\FirewallPolicy\FirewallRules]:{E77063CC-E985-434D-A7DE-0593C4CB7DFA}
Key not found : HKLM\Software\Microsoft\windows\CurrentVersion\Uninstall\eoJet_is1
Key Deleted : HKLM\Software\Microsoft\windows\CurrentVersion\Uninstall\Optimizer Pro_is1
Key Deleted : HKCR\AppId\SoftwareUpdate.exe

¤

File Moved to quarantine successfully : |RA| - C:\Windows\Installer\{1577A05B-EE62-4BBC-9DB7-FE748FA44EC2}\NewShortcut6.txt
Folder Moved to quarantine successfully : |D| - C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Optimizer Pro
Folder Moved to quarantine successfully : |D| - C:\Users\chouchou\AppData\Roaming\Ad-Aware Antivirus
Folder Moved to quarantine successfully : |D| - C:\ProgramData\Spybot - Search & Destroy
Impossible to move Folder : |D| - C:\Program Files\*.tmp
File Moved to quarantine successfully : |A| - C:\Windows\Tasks\PC Performer_DEFAULT.job
File Moved to quarantine successfully : |A| - C:\Windows\System32\Tasks\BrowserProtect
File Moved to quarantine successfully : |A| - C:\Windows\System32\Tasks\CreateChoiceProcessTask
C:\Program Files\Optimizer Pro : Not Found !

¤¤¤¤¤¤¤¤¤¤ | MBR

Windows Version: Windows Vista Home Premium Edition
Windows Information: Service Pack 2 (build 6002), 32-bit
Base Board Manufacturer: Acer
BIOS Manufacturer: Phoenix Technologies, LTD
System Manufacturer: Acer
System Product Name: Aspire M1100
Logical Drives Mask: 0x000003dc

Analysis of file "C:\Pre_Scan\MBR.bin": Unknown MBR code

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.0.6002 Disk: ST3320820AS rev.3.AAD -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll ataport.SYS pciide.sys PCIIDEX.SYS atapi.sys
1 ntkrnlpa!IofCallDriver[0x82E8C936] -> \Device\Harddisk0\DR0[0x857D8620]
3 CLASSPNP[0x885BF8B3] -> ntkrnlpa!IofCallDriver[0x82E8C936] -> [0x85727020]
5 acpi[0x87E156BC] -> ntkrnlpa!IofCallDriver[0x82E8C936] -> \Device\Ide\IdeDeviceP0T0L0-0[0x857115E0]

kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV DI, 0x5; XOR AX, AX; MOV DL, 0x80; INT 0x13; JAE 0x2d; DEC DI; }
user & kernel MBR OK

¤

¤¤¤¤¤¤¤¤¤¤ | Disk cleaning

Disk cleaned

¤

End : 12:09:38

¤¤¤¤¤¤¤¤¤¤ ( EOF ) ¤¤¤¤¤¤¤¤¤¤