
RogueKiller V8.8.5 [Feb 3 2014] par Tigzy
mail : tigzyRKgmailcom
Remontees : hxxp://forum.adlice.com
Site Web : http://www.sur-la-toile.com/RogueKiller/
Blog : http://www.adlice.com

Systeme d'exploitation : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Demarrage : Mode normal
Utilisateur : YASSEM [Droits d'admin]
Mode : Recherche -- Date : 02/06/2014 10:49:35
| ARK || FAK || MBR |

¤¤¤ Processus malicieux : 4 ¤¤¤
[Root.Zekos][SIG] SuperCopier2.exe -- C:\Program Files\SuperCopier2\SuperCopier2.exe [-] -> TUÉ [TermProc]
[SUSP PATH][DLL] rundll32.exe -- C:\Documents and Settings\YASSEM\Local Settings\Application Data\TBHostSupport\TBHostSupport.dll [7] -> rundll32.exe TUÉ [TermProc]
[SUSP PATH][DLL] rundll32.exe -- C:\Documents and Settings\YASSEM\Local Settings\Application Data\Conduit\APISupport\APISupport.dll [7] -> rundll32.exe TUÉ [TermProc]
[SUSP PATH] TBMessagingHost.exe -- C:\Documents and Settings\YASSEM\Local Settings\Application Data\NativeMessaging\CT3307695\1_0_0_10\TBMessagingHost.exe [7] -> TUÉ [TermProc]

¤¤¤ Entrees de registre : 17 ¤¤¤
[RUN][Root.Zekos] HKCU\[...]\Run : SuperCopier2.exe (C:\Program Files\SuperCopier2\SuperCopier2.exe [-]) -> TROUVÉ
[RUN][SUSP PATH] HKCU\[...]\Run : TBHostSupport ("C:\WINDOWS\system32\Rundll32.exe" "C:\Documents and Settings\YASSEM\Local Settings\Application Data\TBHostSupport\TBHostSupport.dll",DLLRunTBHostSupportPlugin [7][7][x]) -> TROUVÉ
[RUN][SUSP PATH] HKCU\[...]\Run : iLivid ("C:\Documents and Settings\YASSEM\Local Settings\Application Data\iLivid\iLivid.exe" -autorun [x]) -> TROUVÉ
[RUN][SUSP PATH] HKCU\[...]\Run : hCbnTNLj (wscript.exe //B "C:\DOCUME~1\YASSEM\LOCALS~1\Temp\hCbnTNLj.vbs" [x][-]) -> TROUVÉ
[RUN][SUSP PATH] HKCU\[...]\Run : AVG-Secure-Search-Update_0214c (C:\Documents and Settings\YASSEM\Application Data\AVG 0214c Campaign\AVG-Secure-Search-Update-0214c.exe /PROMPT /mid=83ef938c632647d3b6aed15038c84540-fe15dc9c2ecd4f8b8aedfc32e01bbd11e392d4ab /CMPID=0214c [x][x]) -> TROUVÉ
[RUN][SUSP PATH] HKCU\[...]\Run : APISupport ("C:\WINDOWS\system32\Rundll32.exe" "C:\Documents and Settings\YASSEM\Local Settings\Application Data\Conduit\APISupport\APISupport.dll",DLLRunAPISupport [7][7][x]) -> TROUVÉ
[RUN][SUSP PATH] HKLM\[...]\Run : hCbnTNLj (wscript.exe //B "C:\DOCUME~1\YASSEM\LOCALS~1\Temp\hCbnTNLj.vbs" [x][-]) -> TROUVÉ
[RUN][Root.Zekos] HKUS\S-1-5-21-1060284298-776561741-1417001333-1003\[...]\Run : SuperCopier2.exe (C:\Program Files\SuperCopier2\SuperCopier2.exe [-]) -> TROUVÉ
[RUN][SUSP PATH] HKUS\S-1-5-21-1060284298-776561741-1417001333-1003\[...]\Run : TBHostSupport ("C:\WINDOWS\system32\Rundll32.exe" "C:\Documents and Settings\YASSEM\Local Settings\Application Data\TBHostSupport\TBHostSupport.dll",DLLRunTBHostSupportPlugin [7][7][x]) -> TROUVÉ
[RUN][SUSP PATH] HKUS\S-1-5-21-1060284298-776561741-1417001333-1003\[...]\Run : iLivid ("C:\Documents and Settings\YASSEM\Local Settings\Application Data\iLivid\iLivid.exe" -autorun [x]) -> TROUVÉ
[RUN][SUSP PATH] HKUS\S-1-5-21-1060284298-776561741-1417001333-1003\[...]\Run : hCbnTNLj (wscript.exe //B "C:\DOCUME~1\YASSEM\LOCALS~1\Temp\hCbnTNLj.vbs" [x][-]) -> TROUVÉ
[RUN][SUSP PATH] HKUS\S-1-5-21-1060284298-776561741-1417001333-1003\[...]\Run : AVG-Secure-Search-Update_0214c (C:\Documents and Settings\YASSEM\Application Data\AVG 0214c Campaign\AVG-Secure-Search-Update-0214c.exe /PROMPT /mid=83ef938c632647d3b6aed15038c84540-fe15dc9c2ecd4f8b8aedfc32e01bbd11e392d4ab /CMPID=0214c [x][x]) -> TROUVÉ
[RUN][SUSP PATH] HKUS\S-1-5-21-1060284298-776561741-1417001333-1003\[...]\Run : APISupport ("C:\WINDOWS\system32\Rundll32.exe" "C:\Documents and Settings\YASSEM\Local Settings\Application Data\Conduit\APISupport\APISupport.dll",DLLRunAPISupport [7][7][x]) -> TROUVÉ
[HJ POL][PUM] HKCU\[...]\System : DisableRegistryTools (0) -> TROUVÉ
[HJ POL][PUM] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> TROUVÉ
[HJ POL][PUM] HKLM\[...]\System : EnableLUA (0) -> TROUVÉ
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> TROUVÉ

¤¤¤ Tâches planifiées : 1 ¤¤¤
[V1][SUSP PATH] EPUpdater.job : C:\DOCUME~1\YASSEM\APPLIC~1\BABSOL~1\Shared\BabMaint.exe [7] -> TROUVÉ

¤¤¤ Entrées Startup : 0 ¤¤¤

¤¤¤ Navigateurs web : 0 ¤¤¤

¤¤¤ Addons navigateur : 0 ¤¤¤

¤¤¤ Fichiers / Dossiers particuliers: ¤¤¤

¤¤¤ Driver : [CHARGE] ¤¤¤

¤¤¤ Ruches Externes: ¤¤¤

¤¤¤ Infection : Root.Zekos ¤¤¤

¤¤¤ Fichier HOSTS: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts


127.0.0.1 localhost
127.0.0.1 mpa.one.microsoft.com


¤¤¤ MBR Verif: ¤¤¤

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) FUJITSU MHW2120BH +++++
--- User ---
[MBR] e8162d4d8f38f6f544f3989a7c91321a
[BSP] f6d1cd0c2cf63dfe804e15fd5db5418e : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 39997 Mo
1 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 81915435 | Size: 74465 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: (\\.\PHYSICALDRIVE1 @ USB) TOSHIBA TransMemory USB Device +++++
--- User ---
[MBR] e8387db9f3ff6e5f7e21c927e3a55478
[BSP] cc8206b09b86fac6bcf56004a6fe5f42 : MBR Code unknown
Partition table:
0 - [XXXXXX] FAT32 (0x0b) [VISIBLE] Offset (sectors): 63 | Size: 7399 Mo
User = LL1 ... OK!
Error reading LL2 MBR! ([0x32] Cette demande n'est pas prise en charge. )

+++++ PhysicalDrive2: (\\.\PHYSICALDRIVE2 @ USB) Sony Storage Media USB Device +++++
--- User ---
[MBR] ae46273e2e22c4d11d5d10aa704eb6eb
[BSP] 33a07a59d299ab4ea9f4ab0156f9d86f : Windows XP MBR Code
Partition table:
0 - [ACTIVE] FAT16 (0x06) [VISIBLE] Offset (sectors): 32 | Size: 959 Mo
User = LL1 ... OK!
Error reading LL2 MBR! ([0x32] Cette demande n'est pas prise en charge. )

Termine : << RKreport[0]_S_02062014_104935.txt >>