
RogueKiller V8.7.5 [Oct 22 2013] par Tigzy
mail : tigzyRKgmailcom
Remontees : http://www.adlice.com/forum/
Site Web : http://www.sur-la-toile.com/RogueKiller/
Blog : http://tigzyrk.blogspot.com/

Systeme d'exploitation : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Demarrage : Mode normal
Utilisateur : user [Droits d'admin]
Mode : Suppression -- Date : 10/26/2013 11:28:02
| ARK || FAK || MBR |

¤¤¤ Processus malicieux : 2 ¤¤¤
[SUSP PATH] ouc.exe -- C:\ProgramData\Modem HDM EC156\OnlineUpdate\ouc.exe [7] -> TUÉ [TermProc]
[SERVICE] IBUpdaterService -- C:\Windows\system32\dmwu.exe [x] -> STOPPÉ

¤¤¤ Entrees de registre : 8 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : aljazeera-sport+2 (wscript.exe //B "C:\Users\user\AppData\Local\Temp\aljazeera-sport+2.vbs" [x][-]) -> SUPPRIMÉ
[RUN][SUSP PATH] HKUS\S-1-5-21-1243204835-3674121785-2205346301-1000\[...]\Run : aljazeera-sport+2 (wscript.exe //B "C:\Users\user\AppData\Local\Temp\aljazeera-sport+2.vbs" [x][-]) -> [0x2] Le fichier spécifié est introuvable.
[SERVICE][BLVALUE] HKLM\[...]\CCSet\[...]\Services : IBUpdaterService (C:\Windows\system32\dmwu.exe [x]) -> SUPPRIMÉ
[SERVICE][BLVALUE] HKLM\[...]\CS001\[...]\Services : IBUpdaterService (C:\Windows\system32\dmwu.exe [x]) -> [0x3] Le chemin d’accès spécifié est introuvable.
[SERVICE][BLVALUE] HKLM\[...]\CS002\[...]\Services : IBUpdaterService (C:\Windows\system32\dmwu.exe [x]) -> SUPPRIMÉ
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> REMPLACÉ (1)
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REMPLACÉ (0)
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REMPLACÉ (0)

¤¤¤ Tâches planifiées : 4 ¤¤¤
[V1][SUSP PATH] AVG-Secure-Search-Update_JUNE2013_HP_rmv.job : C:\Windows\TEMP\{CB96D8B6-DA35-47E5-836F-A7AE8803174D}.exe - --uninstall=1 [x] -> SUPPRIMÉ
[V1][SUSP PATH] AVG-Secure-Search-Update_JUNE2013_TB_rmv.job : C:\Windows\TEMP\{07923414-854E-4533-A805-D7F7DDFDE83B}.exe - --uninstall=1 [x] -> SUPPRIMÉ
[V2][SUSP PATH] AVG-Secure-Search-Update_JUNE2013_HP_rmv : C:\Windows\TEMP\{CB96D8B6-DA35-47E5-836F-A7AE8803174D}.exe - --uninstall=1 [x] -> SUPPRIMÉ
[V2][SUSP PATH] AVG-Secure-Search-Update_JUNE2013_TB_rmv : C:\Windows\TEMP\{07923414-854E-4533-A805-D7F7DDFDE83B}.exe - --uninstall=1 [x] -> ERROR DELETING TASK

¤¤¤ Entrées Startup : 0 ¤¤¤

¤¤¤ Navigateurs web : 0 ¤¤¤

¤¤¤ Fichiers / Dossiers particuliers: ¤¤¤

¤¤¤ Driver : [CHARGE] ¤¤¤
[Address] SSDT[84] : NtCreateSection @ 0x8366A13D -> HOOKED (Unknown @ 0x9A411206)
[Address] SSDT[299] : NtRequestWaitReplyPort @ 0x83684B22 -> HOOKED (Unknown @ 0x9A411210)
[Address] SSDT[316] : NtSetContextThread @ 0x8372484F -> HOOKED (Unknown @ 0x9A41120B)
[Address] SSDT[347] : NtSetSecurityObject @ 0x83648805 -> HOOKED (Unknown @ 0x9A411215)
[Address] SSDT[368] : NtSystemDebugControl @ 0x836CC802 -> HOOKED (Unknown @ 0x9A41121A)
[Address] SSDT[370] : NtTerminateProcess @ 0x836A1D9A -> HOOKED (Unknown @ 0x9A4111A7)
[Address] Shadow SSDT[585] : NtUserSetWindowsHookEx -> HOOKED (Unknown @ 0x9A41122E)
[Address] Shadow SSDT[588] : NtUserSetWinEventHook -> HOOKED (Unknown @ 0x9A411233)

¤¤¤ Ruches Externes: ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ Fichier HOSTS: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts
¤¤¤ MBR Verif: ¤¤¤

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) Hitachi HTS543232A7A384 +++++
--- User ---
[MBR] 9f981b17651f0f6ac819cca6105dc122
[BSP] de42e484367190f55a7e95a25a270c7e : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 179900 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 368642048 | Size: 125243 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: (\\.\PHYSICALDRIVE1 @ USB) JetFlash Transcend 16GB USB Device +++++
--- User ---
[MBR] 0650f32913d347dea63bc90058d77416
[BSP] db6650c1c7fbc227c06ba42eb1691682 : MBR Code unknown
Partition table:
0 - [XXXXXX] BOOTUS (0x45) [VISIBLE] Offset (sectors): 1936286752 | Size: 2092206 Mo
1 - [XXXXXX] UNKNOWN (0x00) [VISIBLE] Offset (sectors): 1853169786 | Size: 913028 Mo
2 - [XXXXXX] UNKNOWN (0x00) [VISIBLE] Offset (sectors): 1701978226 | Size: 798128 Mo
3 - [XXXXXX] UNKNOWN (0x00) [VISIBLE] Offset (sectors): 2885681152 | Size: 25 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Termine : << RKreport[0]_D_10262013_112802.txt >>
RKreport[0]_S_10262013_110736.txt