RogueKiller V8.8.5 [Feb 3 2014] par Tigzy
mail : tigzyRKgmailcom
Remontees : hxxp://forum.adlice.com
Site Web : http://www.sur-la-toile.com/RogueKiller/
Blog : http://www.adlice.com

Systeme d'exploitation : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Demarrage : Mode normal
Utilisateur : YASSEM [Droits d'admin]
Mode : Recherche -- Date : 02/06/2014 10:49:35
| ARK || FAK || MBR |

¤¤¤ Processus malicieux : 4 ¤¤¤
[Root.Zekos][SIG] SuperCopier2.exe -- C:\Program Files\SuperCopier2\SuperCopier2.exe [-] -> TUÉ [TermProc]
[SUSP PATH][DLL] rundll32.exe -- C:\Documents and Settings\YASSEM\Local Settings\Application Data\TBHostSupport\TBHostSupport.dll [7] -> rundll32.exe TUÉ [TermProc]
[SUSP PATH][DLL] rundll32.exe -- C:\Documents and Settings\YASSEM\Local Settings\Application Data\Conduit\APISupport\APISupport.dll [7] -> rundll32.exe TUÉ [TermProc]
[SUSP PATH] TBMessagingHost.exe -- C:\Documents and Settings\YASSEM\Local Settings\Application Data\NativeMessaging\CT3307695\1_0_0_10\TBMessagingHost.exe [7] -> TUÉ [TermProc]

¤¤¤ Entrees de registre : 17 ¤¤¤
[RUN][Root.Zekos] HKCU\[...]\Run : SuperCopier2.exe (C:\Program Files\SuperCopier2\SuperCopier2.exe [-]) -> TROUVÉ
[RUN][SUSP PATH] HKCU\[...]\Run : TBHostSupport ("C:\WINDOWS\system32\Rundll32.exe" "C:\Documents and Settings\YASSEM\Local Settings\Application Data\TBHostSupport\TBHostSupport.dll",DLLRunTBHostSupportPlugin [7][7][x]) -> TROUVÉ
[RUN][SUSP PATH] HKCU\[...]\Run : iLivid ("C:\Documents and Settings\YASSEM\Local Settings\Application Data\iLivid\iLivid.exe" -autorun [x]) -> TROUVÉ
[RUN][SUSP PATH] HKCU\[...]\Run : hCbnTNLj (wscript.exe //B "C:\DOCUME~1\YASSEM\LOCALS~1\Temp\hCbnTNLj.vbs" [x][-]) -> TROUVÉ
[RUN][SUSP PATH] HKCU\[...]\Run : AVG-Secure-Search-Update_0214c (C:\Documents and Settings\YASSEM\Application Data\AVG 0214c Campaign\AVG-Secure-Search-Update-0214c.exe /PROMPT /mid=83ef938c632647d3b6aed15038c84540-fe15dc9c2ecd4f8b8aedfc32e01bbd11e392d4ab /CMPID=0214c [x][x]) -> TROUVÉ
[RUN][SUSP PATH] HKCU\[...]\Run : APISupport ("C:\WINDOWS\system32\Rundll32.exe" "C:\Documents and Settings\YASSEM\Local Settings\Application Data\Conduit\APISupport\APISupport.dll",DLLRunAPISupport [7][7][x]) -> TROUVÉ
[RUN][SUSP PATH] HKLM\[...]\Run : hCbnTNLj (wscript.exe //B "C:\DOCUME~1\YASSEM\LOCALS~1\Temp\hCbnTNLj.vbs" [x][-]) -> TROUVÉ
[RUN][Root.Zekos] HKUS\S-1-5-21-1060284298-776561741-1417001333-1003\[...]\Run : SuperCopier2.exe (C:\Program Files\SuperCopier2\SuperCopier2.exe [-]) -> TROUVÉ
[RUN][SUSP PATH] HKUS\S-1-5-21-1060284298-776561741-1417001333-1003\[...]\Run : TBHostSupport ("C:\WINDOWS\system32\Rundll32.exe" "C:\Documents and Settings\YASSEM\Local Settings\Application Data\TBHostSupport\TBHostSupport.dll",DLLRunTBHostSupportPlugin [7][7][x]) -> TROUVÉ
[RUN][SUSP PATH] HKUS\S-1-5-21-1060284298-776561741-1417001333-1003\[...]\Run : iLivid ("C:\Documents and Settings\YASSEM\Local Settings\Application Data\iLivid\iLivid.exe" -autorun [x]) -> TROUVÉ
[RUN][SUSP PATH] HKUS\S-1-5-21-1060284298-776561741-1417001333-1003\[...]\Run : hCbnTNLj (wscript.exe //B "C:\DOCUME~1\YASSEM\LOCALS~1\Temp\hCbnTNLj.vbs" [x][-]) -> TROUVÉ
[RUN][SUSP PATH] HKUS\S-1-5-21-1060284298-776561741-1417001333-1003\[...]\Run : AVG-Secure-Search-Update_0214c (C:\Documents and Settings\YASSEM\Application Data\AVG 0214c Campaign\AVG-Secure-Search-Update-0214c.exe /PROMPT /mid=83ef938c632647d3b6aed15038c84540-fe15dc9c2ecd4f8b8aedfc32e01bbd11e392d4ab /CMPID=0214c [x][x]) -> TROUVÉ
[RUN][SUSP PATH] HKUS\S-1-5-21-1060284298-776561741-1417001333-1003\[...]\Run : APISupport ("C:\WINDOWS\system32\Rundll32.exe" "C:\Documents and Settings\YASSEM\Local Settings\Application Data\Conduit\APISupport\APISupport.dll",DLLRunAPISupport [7][7][x]) -> TROUVÉ
[HJ POL][PUM] HKCU\[...]\System : DisableRegistryTools (0) -> TROUVÉ
[HJ POL][PUM] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> TROUVÉ
[HJ POL][PUM] HKLM\[...]\System : EnableLUA (0) -> TROUVÉ
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> TROUVÉ

¤¤¤ Tâches planifiées : 1 ¤¤¤
[V1][SUSP PATH] EPUpdater.job : C:\DOCUME~1\YASSEM\APPLIC~1\BABSOL~1\Shared\BabMaint.exe [7] -> TROUVÉ

¤¤¤ Entrées Startup : 0 ¤¤¤

¤¤¤ Navigateurs web : 0 ¤¤¤

¤¤¤ Addons navigateur : 0 ¤¤¤

¤¤¤ Fichiers / Dossiers particuliers: ¤¤¤

¤¤¤ Driver : [CHARGE] ¤¤¤

¤¤¤ Ruches Externes: ¤¤¤

¤¤¤ Infection : Root.Zekos ¤¤¤

¤¤¤ Fichier HOSTS: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts

127.0.0.1 localhost
127.0.0.1 mpa.one.microsoft.com

¤¤¤ MBR Verif: ¤¤¤

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) FUJITSU MHW2120BH +++++
--- User ---
[MBR] e8162d4d8f38f6f544f3989a7c91321a
[BSP] f6d1cd0c2cf63dfe804e15fd5db5418e : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 39997 Mo
1 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 81915435 | Size: 74465 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: (\\.\PHYSICALDRIVE1 @ USB) TOSHIBA TransMemory USB Device +++++
--- User ---
[MBR] e8387db9f3ff6e5f7e21c927e3a55478
[BSP] cc8206b09b86fac6bcf56004a6fe5f42 : MBR Code unknown
Partition table:
0 - [XXXXXX] FAT32 (0x0b) [VISIBLE] Offset (sectors): 63 | Size: 7399 Mo
User = LL1 ... OK!
Error reading LL2 MBR! ([0x32] Cette demande n'est pas prise en charge. )

+++++ PhysicalDrive2: (\\.\PHYSICALDRIVE2 @ USB) Sony Storage Media USB Device +++++
--- User ---
[MBR] ae46273e2e22c4d11d5d10aa704eb6eb
[BSP] 33a07a59d299ab4ea9f4ab0156f9d86f : Windows XP MBR Code
Partition table:
0 - [ACTIVE] FAT16 (0x06) [VISIBLE] Offset (sectors): 32 | Size: 959 Mo
User = LL1 ... OK!
Error reading LL2 MBR! ([0x32] Cette demande n'est pas prise en charge. )

Termine : << RKreport[0]_S_02062014_104935.txt >>