cjoint

Document format: text/plain

~ Report of ZHPDiag v2014.1.25.26 - Nicolas Coolman (25/01/2014)
~ Launched by ali omar (06/02/2014 04:47:51 ص)
~ Web site address : http://nicolascoolman.webs.com
~ Free support forums for disinfection : http://nicolascoolman.webs.com/apps/links/
~ Translated by
~ Version State :
~ White List : Activate by program
~ Elevation of privilege : OK
~ User Account Control : Not Found


---\\ Internet browsers
MSIE: Internet Explorer v6.0.2900.2180 (Defaut)
MFIE: Mozilla Firefox 26.0
GCIE: Google Chrome v32.0.1700.107

---\\ Windows product information
~ Langage: Anglais
Microsoft Windows XP, 32-bit Service Pack 2 (Build 2600)
Windows Automatic Updates : OK
Windows Genuine Advantage : KO

---\\ System protection software

---\\ System optimization software

---\\ Sharing software PeerToPeer

---\\ Surveillance software
Adobe Flash Player 12 Plugin

---\\ Information on the system
~ Processor: x86 Family 15 Model 4 Stepping 9, GenuineIntel
~ Operating System: 32 Bits
Boot mode: Normal (Normal boot)
Total RAM: 1789.0 MB (69% free)
System Restore: Activé (Enable)
System drive C: has 44 GB (89%) free of 49 GB

---\\ Connection to the system mode
~ Computer Name: ALI-D5A441C4386
~ User Name: ali omar
~ All Users Names: SUPPORT_388945a0, HelpAssistant, Guest, ali omar, Administrator,
~ Unselected Option: O45,O61
Logged in as Administrator

---\\ Environment variables
~ System Unit : C:\
~ %AppZHP% : C:\Documents and Settings\ali omar\Application Data\ZHP\
~ %AppData% : C:\Documents and Settings\ali omar\Application Data\
~ %Desktop% : C:\Documents and Settings\ali omar\سطح المكتب\
~ %Favorites% : C:\Documents and Settings\ali omar\Favorites\
~ %LocalAppData% : C:\Documents and Settings\ali omar\Local Settings\Application Data\
~ %StartMenu% : C:\Documents and Settings\ali omar\قائمة ابدأ\
~ %Windir% : C:\WINDOWS\
~ %System% : C:\WINDOWS\system32\

---\\ Enumeration of the disk units
C: Hard drive, Flash drive, Thumb drive (Free 44 Go of 49 Go)
D: Hard drive, Flash drive, Thumb drive (Free 64 Go of 68 Go)
E: Hard drive, Flash drive, Thumb drive (Free 68 Go of 69 Go)
F: CD-ROM drive (Free 0 Go of 1 Go)



---\\ State of the Windows Security Center
~ Security Center: 41 Legitimates Filtered in :0mn صs



---\\ Search Generic System Files
[MD5.932F97B77F2625F7FF7DFC97552548F8] - (.Microsoft Corporation - Windows Explorer.) (.04/08/2004 - 12:56:12 ص.) -- C:\WINDOWS\Explorer.exe [1029632]
[MD5.1E1CEF80A11BDAB92B2A83F885D214D5] - (.Microsoft Corporation - Internet Extensions for Win32.) (.04/08/2004 - 12:55:58 ص.) -- C:\WINDOWS\system32\wininet.dll [654848]
[MD5.BA4E08425B62BE257AE4557DA058F1AA] - (.Microsoft Corporation - Windows NT Logon Application.) (.04/08/2004 - 12:56:36 ص.) -- C:\WINDOWS\system32\Winlogon.exe [501248]
[MD5.5AC495F4CB807B2B98AD2AD591E6D92E] - (.Microsoft Corporation - Ancillary Function Driver for WinSock.) (.03/08/2004 - 11:14:16 م.) -- C:\WINDOWS\system32\Drivers\AFD.sys [138496]
[MD5.CDFE4411A69C224BD1D11B2DA92DAC51] - (.Microsoft Corporation - IDE/ATAPI Port Driver.) (.03/08/2004 - 10:59:44 م.) -- C:\WINDOWS\system32\Drivers\atapi.sys [95360]
[MD5.CD7D5152DF32B47F4E36F710B35AAE02] - (.Microsoft Corporation - CD-ROM File System Driver.) (.03/08/2004 - 11:14:12 م.) -- C:\WINDOWS\system32\Drivers\Cdfs.sys [63744]
[MD5.AF9C19B3100FE010496B1A27181FBF72] - (.Microsoft Corporation - SCSI CD-ROM Driver.) (.03/08/2004 - 10:59:54 م.) -- C:\WINDOWS\system32\Drivers\Cdrom.sys [49536]
[MD5.4577159386E774EBF0BA4536190AC1B6] - (.Microsoft Corporation - FIPS Crypto Driver.) (.19/09/2001 - 02:00:00 م.) -- C:\WINDOWS\system32\Drivers\Fips.sys [35072]
[MD5.3FCC124B6E08EE0E9351F717DD136939] - (.Windows (R) Server 2003 DDK provider - High Definition Audio Bus Driver v1.0a.) (.07/01/2005 - 12:07:18 م.) -- C:\WINDOWS\system32\Drivers\HDAudBus.sys [138752]
[MD5.C6706763D4AD964CB59B958641F38B7E] - (.Microsoft Corporation - i8042 Port Driver.) (.04/08/2004 - 12:41:48 ص.) -- C:\WINDOWS\system32\Drivers\i8042prt.sys [51968]
[MD5.F8AA320C6A0409C0380E5D8A99D76EC6] - (.Microsoft Corporation - IMAPI Kernel Driver.) (.03/08/2004 - 11:00:16 م.) -- C:\WINDOWS\system32\Drivers\Imapi.sys [41856]
[MD5.B5A8E215AC29D24D60B4D1250EF05ACE] - (.Microsoft Corporation - IP Network Address Translator.) (.03/08/2004 - 11:04:52 م.) -- C:\WINDOWS\system32\Drivers\IpNat.sys [134912]
[MD5.64537AA5C003A6AFEEE1DF819062D0D1] - (.Microsoft Corporation - IPSec Driver.) (.03/08/2004 - 11:14:30 م.) -- C:\WINDOWS\system32\Drivers\IPSec.sys [74752]
[MD5.1FD607FC67F7F7C633C3DA65BFC53D18] - (.Microsoft Corporation - Windows NT SMB Minirdr.) (.03/08/2004 - 11:15:18 م.) -- C:\WINDOWS\system32\Drivers\MRxSmb.sys [451456]
[MD5.0C80E410CD2F47134407EE7DD19CC86B] - (.Microsoft Corporation - MBT Transport driver.) (.03/08/2004 - 11:14:38 م.) -- C:\WINDOWS\system32\Drivers\netBT.sys [162816]
[MD5.B78BE402C3F63DD55521F73876951CDD] - (.Microsoft Corporation - NT File System Driver.) (.03/08/2004 - 11:15:10 م.) -- C:\WINDOWS\system32\Drivers\ntfs.sys [574592]
[MD5.4DD077E7709ECE7C6BAFF48AA61FC563] - (.Microsoft Corporation - Parallel Port Driver.) (.04/08/2004 - 01:08:00 ص.) -- C:\WINDOWS\system32\Drivers\Parport.sys [79872]
[MD5.98FAEB4A4DCF812BA1C6FCA4AA3E115C] - (.Microsoft Corporation - RAS L2TP mini-port/call-manager driver.) (.03/08/2004 - 11:14:24 م.) -- C:\WINDOWS\system32\Drivers\Rasl2tp.sys [51328]
[MD5.A2CAE2C60BC37E0751EF9DDA7CEAF4AD] - (.Microsoft Corporation - Microsoft RDP Device redirector.) (.03/08/2004 - 11:01:16 م.) -- C:\WINDOWS\system32\Drivers\rdpdr.sys [196864]
[MD5.AA04770965ECB7D745245FA19CB6AB45] - (.Microsoft Corporation - Redbook Audio Filter Driver.) (.04/08/2004 - 03:41:18 ص.) -- C:\WINDOWS\system32\Drivers\redbook.sys [57216]
[MD5.B36CBE03939E5FE0D60D5205271341CC] - (.Microsoft Corporation - Volume Shadow Copy Driver.) (.04/08/2004 - 12:45:00 ص.) -- C:\WINDOWS\system32\Drivers\volsnap.sys [52352]
~ Generic Processes: Scanned in :0mn صs



---\\ Hidden files state (Hidden/Total)
~ Mes images (My Pictures) : 1/2
~ Mes musiques (My Musics) : 1/2
~ Mes Videos (My Videos) : 0/0
~ Mes Favoris (My Favorites) : 1/8
~ Mes Documents (My Documents) : 1/6
~ Mon Bureau (My Desktop) : 0/6
~ Menu demarrer (Programs) : 1/27
~ Hidden Files: Scanned in :0mn صs



---\\ Process running
[MD5.74BC945EB2584E90619A56EF5028AB0F] - (.RealNetworks, Inc. - RealNetworks Scheduler.) -- C:\Program Files\Common Files\Real\Update_OB\realsched.exe [185896] [PID.1844]
[MD5.226BC10720D7BBC33F93191DFF7C59E4] - (.Intel Corporation - igfxTray Module.) -- C:\WINDOWS\system32\igfxtray.exe [134656] [PID.1852]
[MD5.7E3B696687DAB553D0A2F542F3BFF786] - (.Intel Corporation - hkcmd Module.) -- C:\WINDOWS\system32\hkcmd.exe [166912] [PID.1860]
[MD5.B13330DC5A32C3BBD09DFE6C58E97B18] - (.Intel Corporation - persistence Module.) -- C:\WINDOWS\system32\igfxpers.exe [136192] [PID.1868]
[MD5.DE6932AEA01BA27E8A20A2803549E16C] - (.Intel Corporation - igfxsrvc Module.) -- C:\WINDOWS\system32\igfxsrvc.exe [244224] [PID.1916]
[MD5.8C82C3D577977A27F83400CF6E698FF5] - (...) -- C:\Program Files\Ashampoo\Ashampoo AntiVirus\ashAvSrv.exe [566608] [PID.532]
[MD5.EA20680364C170F286D4B958D302F8B3] - (.Ashampoo GmbH & Co K.G. - AV GuardGui.) -- C:\Program Files\Ashampoo\Ashampoo AntiVirus\GuardGui.exe [669008] [PID.1436]
[MD5.67BF0E50657DE1243D40FE58BB2C54D3] - (.FreeDownloadManager.ORG - Free Download Manager.) -- C:\Program Files\Free Download Manager\fdm.exe [6950400] [PID.4040]
[MD5.78B7545F9199679C78DF32C3F0C2A1C4] - (.Google Inc. - Google Chrome.) -- C:\Documents and Settings\ali omar\Local Settings\Application Data\Google\Chrome\Application\chrome.exe [1247256] [PID.4032]
[MD5.83B0FFB5E518F8B916FBAA805403D681] - (.Microsoft Corporation - Windows® installer.) -- C:\WINDOWS\system32\msiexec.exe [77312] [PID.2196]
[MD5.CA25CAEEBDBE25D85565877219F684F8] - (.Nicolas Coolman - ZHPDiag.) -- C:\Program Files\ZHPDiag\ZHPDiag.exe [8339968] [PID.2188]
[MD5.4DAF32AF29C8BC25DC9BB2C70519C1FC] - (.QIP - QIP 2012.) -- C:\Documents and Settings\ali omar\Local Settings\Temp\windows\winsys.exe [631296] [PID.2876]
~ Processes Running: Scanned in :0mn صs



---\\ Google Chrome, Start,Search,Extensions (G0,G1,G2)
C:\Documents and Settings\ali omar\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences
~ Google Browser: 6 Legitimates Filtered in :2mn صs



---\\ Mozilla Firefox,Plugins,Start,Search,Extensions (P2,M0,M1,M2,M3)
M2 - MFEP: prefs.js [ali omar - 2djvwv1y.default\{635abd67-4fe9-1b23-4f01-e679fa7484c1}] [yahoo.ytff] Yahoo! Toolbar v3.1.0.20130813024103 (..)
~ Firefox Browser: 8 Legitimates Filtered in :0mn صs



---\\ Internet Explorer, Proxy Management (R5)
R5 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = no key
R5 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyEnable = 0
R5 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,MigrateProxy = 1
R5 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,EnableHttp1_1 = 1
R5 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyHttp1.1 = 0
R5 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigProxy = wininet.dll
~ Proxy management: Scanned in :0mn صs



---\\ Line Analysis F0, F1, F2, F3 - IniFiles, Auto loading programs
F2 - REG:system.ini: USERINIT=C:\WINDOWS\system32\userinit.exe,
F2 - REG:system.ini: Shell=C:\WINDOWS\explorer.exe
F2 - REG:system.ini: VMApplet=rundll32 shell32,Control_RunDLL "sysdm.cpl"
~ Keys: Scanned in :0mn صs



---\\ Hosts file redirection (O1)
~ Le fichier hosts est sain (The hosts file is clean).
~ Hosts File: Scanned in :0mn صs
~ Nombre de lignes (Lines number): 19



---\\ Internet Explorer toolbars (O3)
O3 - Toolbar: Yahoo! Toolbar - [HKLM]{EF99BD32-C1FB-11D2-892F-0090271D4F88} . (.Yahoo! Inc. - Yahoo! Toolbar.) -- C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar\WebBrowser: (no name) - [HKCU]{01E04581-4EEE-11D0-BFE9-00AA005B4383} Orphan key
O3 - Toolbar\WebBrowser: (no name) - [HKCU]{0E5CBF21-D15F-11D0-8301-00AA005B4383} Orphan key
~ Toolbar: Scanned in :0mn صs



---\\ Auto loading programs from Registry and folders (O4)
O4 - HKLM\..\Run: [TkBellExe] . (.RealNetworks, Inc. - RealNetworks Scheduler.) -- C:\Program Files\Common Files\Real\Update_OB\realsched.exe =>.RealNetworks, Inc
O4 - HKLM\..\Run: [IgfxTray] . (.Intel Corporation - igfxTray Module.) -- C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] . (.Intel Corporation - hkcmd Module.) -- C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] . (.Intel Corporation - persistence Module.) -- C:\WINDOWS\system32\igfxpers.exe
O4 - HKCU\..\Run: [CTFMON.EXE] . (.Microsoft Corporation - CTF Loader.) -- C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Screen Saver Pro 3.1] C:\Documents and Settings\ali omar\Application Data\screenSaverPro.scr (.not file.)
O4 - HKCU\..\Run: [Adobe System Incorporated] . (...) -- C:\Documents and Settings\ali omar\Local Settings\Temp\Adobe\Reader_sl.exe
O4 - HKCU\..\Run: [1ne331] . (.Skype - Skype 2013.) -- C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-10967196\1ne331.exe
O4 - HKCU\..\Run: [s2361a121] . (...) -- C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1455986\s2361a1.exe
O4 - HKCU\..\Run: [xetcwow] . (.BlueStack Systems, Inc. - BlueStacks Agent.) -- C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-897fewj\xetcwow.exe
O4 - HKCU\..\Run: [12331901] . (...) -- C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-12313896\1341901.exe
O4 - HKCU\..\Run: [antaw4r19] . (...) -- C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-5681\atnxwa1.exe
O4 - HKCU\..\Run: [antaw4r3] . (...) -- C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-56813\atnxwa3.exe
O4 - HKCU\..\Run: [antaw4r4] . (...) -- C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-56814\atnxwa4.exe
O4 - HKCU\..\Run: [antaw4r5] . (...) -- C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-568145\atnxwa5.exe
O4 - HKCU\..\Run: [antaw4r6] . (...) -- C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-568146\atnxwa6.exe
O4 - HKCU\..\Run: [antaw4r7] . (...) -- C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-5681477\atnxwa7.exe
O4 - HKCU\..\Run: [bja90] . (...) -- C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1189897646\bja90.exe
O4 - HKCU\..\Run: [bja1190] . (...) -- C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1189896\bj1a190.exe
O4 - HKCU\..\Run: [asaba3tsh] . (...) -- C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-839714475\asaba3tsh.exe
O4 - HKCU\..\Run: [antaw411r9] . (...) -- C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-5618147819\atnxw11a9.exe
O4 - HKCU\..\Run: [eproa112] . (.Chernomaziy - Chernomaziy 2010.) -- C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-12653311\eproa121.exe
O4 - HKCU\..\Run: [Windows Security Firewall Manager] . (.Synei - Speed up slow computer..) -- C:\RECYCLER\mscinet.exe
O4 - HKCU\..\Run: [Windows Update Service] . (.QIP - QIP 2012.) -- C:\Documents and Settings\ali omar\Local Settings\Temp\windows\winsys.exe
O4 - HKCU\..\Run: [iLivid] . (.Bandoo Media Inc. - iLivid Download Manager.) -- C:\Documents and Settings\ali omar\Local Settings\Application Data\iLivid\iLivid.exe =>Adware.Bandoo
O4 - HKCU\..\Run: [Google Update] . (.Google Inc. - مثبِّت Google.) -- C:\Documents and Settings\ali omar\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
O4 - HKLM\..\policies\Explorer\Run: [33976] . (.Synei - Speed up slow computer..) -- C:\Documents and Settings\All Users\mszuiog.exe
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] . (.Microsoft Corporation - CTF Loader.) -- C:\WINDOWS\system32\CTFMON.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] . (.Microsoft Corporation - CTF Loader.) -- C:\WINDOWS\system32\CTFMON.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] . (.Microsoft Corporation - CTF Loader.) -- C:\WINDOWS\system32\CTFMON.exe
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] . (.Microsoft Corporation - CTF Loader.) -- C:\WINDOWS\system32\CTFMON.exe
O4 - HKUS\S-1-5-21-1292428093-152049171-1801674531-1003\..\Run: [CTFMON.EXE] . (.Microsoft Corporation - CTF Loader.) -- C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-1292428093-152049171-1801674531-1003\..\Run: [Screen Saver Pro 3.1] C:\Documents and Settings\ali omar\Application Data\screenSaverPro.scr (.not file.)
O4 - HKUS\S-1-5-21-1292428093-152049171-1801674531-1003\..\Run: [Adobe System Incorporated] . (...) -- C:\Documents and Settings\ali omar\Local Settings\Temp\Adobe\Reader_sl.exe
O4 - HKUS\S-1-5-21-1292428093-152049171-1801674531-1003\..\Run: [1ne331] . (.Skype - Skype 2013.) -- C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-10967196\1ne331.exe
O4 - HKUS\S-1-5-21-1292428093-152049171-1801674531-1003\..\Run: [s2361a121] . (...) -- C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1455986\s2361a1.exe
O4 - HKUS\S-1-5-21-1292428093-152049171-1801674531-1003\..\Run: [xetcwow] . (.BlueStack Systems, Inc. - BlueStacks Agent.) -- C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-897fewj\xetcwow.exe
O4 - HKUS\S-1-5-21-1292428093-152049171-1801674531-1003\..\Run: [12331901] . (...) -- C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-12313896\1341901.exe
O4 - HKUS\S-1-5-21-1292428093-152049171-1801674531-1003\..\Run: [antaw4r19] . (...) -- C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-5681\atnxwa1.exe
O4 - HKUS\S-1-5-21-1292428093-152049171-1801674531-1003\..\Run: [antaw4r3] . (...) -- C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-56813\atnxwa3.exe
O4 - HKUS\S-1-5-21-1292428093-152049171-1801674531-1003\..\Run: [antaw4r4] . (...) -- C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-56814\atnxwa4.exe
O4 - HKUS\S-1-5-21-1292428093-152049171-1801674531-1003\..\Run: [antaw4r5] . (...) -- C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-568145\atnxwa5.exe
O4 - HKUS\S-1-5-21-1292428093-152049171-1801674531-1003\..\Run: [antaw4r6] . (...) -- C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-568146\atnxwa6.exe
O4 - HKUS\S-1-5-21-1292428093-152049171-1801674531-1003\..\Run: [antaw4r7] . (...) -- C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-5681477\atnxwa7.exe
O4 - HKUS\S-1-5-21-1292428093-152049171-1801674531-1003\..\Run: [bja90] . (...) -- C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1189897646\bja90.exe
O4 - HKUS\S-1-5-21-1292428093-152049171-1801674531-1003\..\Run: [bja1190] . (...) -- C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1189896\bj1a190.exe
O4 - HKUS\S-1-5-21-1292428093-152049171-1801674531-1003\..\Run: [asaba3tsh] . (...) -- C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-839714475\asaba3tsh.exe
O4 - HKUS\S-1-5-21-1292428093-152049171-1801674531-1003\..\Run: [antaw411r9] . (...) -- C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-5618147819\atnxw11a9.exe
O4 - HKUS\S-1-5-21-1292428093-152049171-1801674531-1003\..\Run: [eproa112] . (.Chernomaziy - Chernomaziy 2010.) -- C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-12653311\eproa121.exe
O4 - HKUS\S-1-5-21-1292428093-152049171-1801674531-1003\..\Run: [Windows Security Firewall Manager] . (.Synei - Speed up slow computer..) -- C:\RECYCLER\mscinet.exe
O4 - HKUS\S-1-5-21-1292428093-152049171-1801674531-1003\..\Run: [Windows Update Service] . (.QIP - QIP 2012.) -- C:\Documents and Settings\ali omar\Local Settings\Temp\windows\winsys.exe
O4 - HKUS\S-1-5-21-1292428093-152049171-1801674531-1003\..\Run: [iLivid] . (.Bandoo Media Inc. - iLivid Download Manager.) -- C:\Documents and Settings\ali omar\Local Settings\Application Data\iLivid\iLivid.exe =>Adware.Bandoo
O4 - HKUS\S-1-5-21-1292428093-152049171-1801674531-1003\..\Run: [Google Update] . (.Google Inc. - مثبِّت Google.) -- C:\Documents and Settings\ali omar\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
~ Application: Scanned in :0mn صs



---\\ Extra buttons on main IE button toolbar, or extra items in IE 'Tools' menu (O9)
O9 - Extra button: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} . (.Microsoft Corporation - Windows Messenger.) -- C:\Program Files\Messenger\msmsgs.exe
~ IE Extra Buttons: Scanned in :0mn صs



---\\ Reset Web Settings' hijack (O14)
O14 - IERESET.INF: SAFESITE_VALUE=SAFESITE_VALUE="ie.search.msn.com"
~ IE Paramètres WEB: Scanned in :0mn صs



---\\ Lop.com/Domain Hijackers (O17)
O17 - HKLM\System\CCS\Services\Tcpip\..\{12316E87-208D-403E-BA9E-78AF43955027}: DhcpNameServer = 192.168.1.1 192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{12316E87-208D-403E-BA9E-78AF43955027}: DhcpNameServer = 192.168.1.1 192.168.1.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{12316E87-208D-403E-BA9E-78AF43955027}: DhcpNameServer = 192.168.1.1 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1 192.168.1.1
~ Domain: Scanned in :0mn صs



---\\ Extra protocols (O18)
O18 - Handler: wia - {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} . (.Microsoft Corporation - WIA Scripting Layer.) -- C:\WINDOWS\system32\wiascr.dll
O18 - Filter: text/webviewhtml - {733AC4CB-F1A4-11d0-B951-00A0C90312E1} . (.Microsoft Corporation - Windows Shell Common Dll.) -- C:\WINDOWS\system32\SHELL32.dll
~ Protocole Additionnel: Scanned in :0mn صs



---\\ AppInit_DLLs Registry value Autorun (O20)
O20 - Winlogon Notify: crypt32chain . (.Microsoft Corporation - Crypto API32.) -- C:\WINDOWS\system32\crypt32.dll
O20 - Winlogon Notify: cryptnet . (.Microsoft Corporation - Crypto Network Related API.) -- C:\WINDOWS\system32\cryptnet.dll
O20 - Winlogon Notify: cscdll . (.Microsoft Corporation - Offline Network Agent.) -- C:\WINDOWS\system32\cscdll.dll
O20 - Winlogon Notify: igfxcui . (.Intel Corporation - igfxdev Module.) -- C:\WINDOWS\system32\igfxdev.dll
O20 - Winlogon Notify: ScCertProp . (.Microsoft Corporation - Common DLL to receive Winlogon notification.) -- C:\WINDOWS\system32\wlnotify.dll
O20 - Winlogon Notify: Schedule . (.Microsoft Corporation - Common DLL to receive Winlogon notification.) -- C:\WINDOWS\system32\wlnotify.dll
O20 - Winlogon Notify: sclgntfy . (.Microsoft Corporation - Secondary Logon Service Notification DLL.) -- C:\WINDOWS\system32\sclgntfy.dll
O20 - Winlogon Notify: SensLogn . (.Microsoft Corporation - Common DLL to receive Winlogon notification.) -- C:\WINDOWS\system32\WlNotify.dll
O20 - Winlogon Notify: termsrv . (.Microsoft Corporation - Common DLL to receive Winlogon notification.) -- C:\WINDOWS\system32\wlnotify.dll
O20 - Winlogon Notify: wlballoon . (.Microsoft Corporation - Common DLL to receive Winlogon notification.) -- C:\WINDOWS\system32\wlnotify.dll
~ Winlogon: Scanned in :0mn صs



---\\ SharedTaskScheduler (O22)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} . (.Microsoft Corporation - Shell Browser UI Library.) -- C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Browseui preloader - {8C7461EF-2B13-11d2-BE35-3078302C2030} . (.Microsoft Corporation - Shell Browser UI Library.) -- C:\WINDOWS\system32\browseui.dll
~ STS/SSO: Scanned in :0mn صs



---\\ Non Microsoft non disabled Windows XP/NT/2000 Services (O23)
O23 - Service: avGuard Service (avGuard) . (...) - C:\Program Files\Ashampoo\Ashampoo AntiVirus\ashAvSrv.exe
~ Services: 1 Legitimates Filtered in :0mn صs



---\\ Windows Active Desktop & MHTML Editor (O24)
O24 - Desktop Component 0: الصفحة الرئيسية الحالية - file:About:Home
O24 - Desktop General: BackupWallPaper - .(...) - C:\WINDOWS\web\wallpaper\Bliss.bmp
O24 - Desktop General: WallPaper - .(...) - C:\WINDOWS\web\wallpaper\Bliss.bmp
~ Desktop Component: 4 Legitimates Filtered in :0mn صs



---\\ Software installed (O42)
O42 - Logiciel: Yahoo! Toolbar - (.Yahoo! Inc..) [HKLM] -- Yahoo! Companion
O42 - Logiciel: iLivid - (.Bandoo Media Inc.) [HKCU] -- iLivid =>Adware.Bandoo
~ Logic: 15 Legitimates Filtered in :0mn صs



---\\ HKCU & HKLM Software Keys
[HKCU\Software\ilivid] =>Adware.Bandoo
~ Key Software: 91 Legitimates Filtered in :0mn صs



---\\ Contents of the Common Files folders (O43)
O43 - CFD: 05/02/2014 - 11:42:43 م - [153.892] ----D C:\Documents and Settings\ali omar\Local Settings\Application Data\iLivid =>Adware.Bandoo
O43 - CFD: 11/10/2011 - 07:21:44 م - [0.014] R---D C:\Documents and Settings\ali omar\قائمة ابدأ\البرامج\البرامج الملحقة
O43 - CFD: 11/10/2011 - 09:59:31 م - [0.000] R---D C:\Documents and Settings\ali omar\قائمة ابدأ\البرامج\بدء التشغيل
~ Program Folder: 56 Legitimates Filtered in :0mn صs



---\\ Last modified or created files under Windows and System32 (O44)
O44 - LFC:[MD5.D41D8CD98F00B204E9800998ECF8427E] - 05/02/2014 - 10:19:53 م ---A- . (...) -- C:\log.tmp [0]
O44 - LFC:[MD5.42AB57EA9A89B6C75255B377E3650335] - 05/02/2014 - 10:21:56 م ---A- . (...) -- C:\WINDOWS\wmsetup.log [1380]
~ Files: 13 Legitimates Filtered in :0mn صs



---\\ Operations and functions at Windows Explorer startup (O46)
O46 - SEH:ShellExecuteHooks - ربط تنفيذ محدد موقع المعلومات (URL) - {AEB6717E-7E19-11d0-97EE-00C04FD91972} - shell32.dll
~ ShellExecuteHooks: Scanned in :0mn صs



---\\ Export authorized application key (O47)
O47 - AAKE:Key Export SP - "C:\Documents and Settings\ali omar\Local Settings\Application Data\iLivid\iLivid.exe" [Enabled] .(.Bandoo Media Inc..) -- C:\Documents and Settings\ali omar\Local Settings\Application Data\iLivid\iLivid.exe =>Adware.Bandoo
O47 - AAKE:Key Export DP - "C:\Documents and Settings\ali omar\Local Settings\Application Data\iLivid\iLivid.exe" [Enabled] .(.Bandoo Media Inc..) -- C:\Documents and Settings\ali omar\Local Settings\Application Data\iLivid\iLivid.exe =>Adware.Bandoo
~ Keys Export: 4 Legitimates Filtered in :0mn صs



---\\ Image File Execution Options (IFEO) (O50)
O50 - IFEO:Image File Execution Options - Your Image File Name Here without a path - ntsd -d
~ IFEO: Scanned in :0mn صs



---\\ Microsoft Windows Policies System (MWPS) (O55)
O55 - MWPS:[HKLM\...\Policies\System] - "EnableLUA"=0
~ MWPS: 6 Legitimates Filtered in :0mn صs



---\\ Microsoft Windows Policies Explorer (MWPE) (O56)
O56 - MWPE:[HKCU\...\policies\Explorer] - "TaskbarNoNotification"=1
O56 - MWPE:[HKCU\...\policies\Explorer] - "HideSCAHealth"=1
O56 - MWPE:[HKLM\...\policies\Explorer] - "TaskbarNoNotification"=1
O56 - MWPE:[HKLM\...\policies\Explorer] - "HideSCAHealth"=1
~ MWPE Keys: 5 Legitimates Filtered in :0mn صs



---\\ System Drivers List (SDL) (O58)
O58 - SDL:[MD5.254498A7917E923CC9213EB755A33D56] - 12/03/2008 - 03:38:00 م ---A- . (.Windows (R) Codename Longhorn DDK provider - Ashampoo Antivirus Guard.) -- C:\WINDOWS\system32\Drivers\AshAvScan.sys [9344]
O58 - SDL:[MD5.97BB1CF49F49B0A471FCC7E62682AD2D] - 19/09/2001 - 02:00:00 م ---A- . (.RAVISENT Technologies Inc. - CineMaster C 1.2 WDM Main Driver.) -- C:\WINDOWS\system32\Drivers\cinemst2.sys [262528]
O58 - SDL:[MD5.3FCC124B6E08EE0E9351F717DD136939] - 07/01/2005 - 12:07:18 م ---A- . (.Windows (R) Server 2003 DDK provider - High Definition Audio Bus Driver v1.0a.) -- C:\WINDOWS\system32\Drivers\hdaudbus.sys [138752]
O58 - SDL:[MD5.80D317BD1C3DBC5D4FE7B1678C60CADD] - 19/09/2001 - 02:00:00 م ---A- . (.Parallel Technologies, Inc. - Parallel Technologies DirectParallel IO Library.) -- C:\WINDOWS\system32\Drivers\ptilink.sys [17792]
O58 - SDL:[MD5.D26E26EA516450AF9D072635C60387F4] - 17/07/2004 - 11:36:38 ص ---A- . (...) -- C:\WINDOWS\system32\Drivers\secdrv.sys [27440]
O58 - SDL:[MD5.55E01061C74A8CEFFF58DC36114A8D3F] - 19/09/2001 - 02:00:00 م ---A- . (.RAVISENT Technologies Inc. - CineMaster C WDM DVD Minidriver.) -- C:\WINDOWS\system32\Drivers\vdmindvd.sys [58112]
O58 - SDL:[MD5.8AAD333C876590293F72B315E162BCC7] - 19/09/2001 - 02:00:00 م ---A- . (...) -- C:\WINDOWS\system32\ansi.sys [9029]
O58 - SDL:[MD5.0FE9F16075C9ACB941C957B7C649176E] - 19/09/2001 - 02:00:00 م ---A- . (...) -- C:\WINDOWS\system32\country.sys [27097]
O58 - SDL:[MD5.E6BC0F98FECEF245A0010D350C1A0B9B] - 19/09/2001 - 02:00:00 م ---A- . (...) -- C:\WINDOWS\system32\himem.sys [4768]
O58 - SDL:[MD5.582BCDD47CF4B68B5CB528F18E3CB808] - 19/09/2001 - 02:00:00 م ---A- . (...) -- C:\WINDOWS\system32\key01.sys [42809]
O58 - SDL:[MD5.FBBCFEC1379C5C02D88A361993EDF1B8] - 03/08/2004 - 10:46:56 م ---A- . (...) -- C:\WINDOWS\system32\keyboard.sys [42537]
O58 - SDL:[MD5.FFFF296A08DBF2AC0126C62E3778AC0D] - 19/09/2001 - 02:00:00 م ---A- . (...) -- C:\WINDOWS\system32\ntdos.sys [27866]
O58 - SDL:[MD5.CF9ED169FF86D935E47999E82359E898] - 19/09/2001 - 02:00:00 م ---A- . (...) -- C:\WINDOWS\system32\ntdos404.sys [29146]
O58 - SDL:[MD5.03B945AC0481CD8BB161C3569D8ED1C3] - 19/09/2001 - 02:00:00 م ---A- . (...) -- C:\WINDOWS\system32\ntdos411.sys [29370]
O58 - SDL:[MD5.BBC957DC18C17CC027EB80B7C77F2AEA] - 19/09/2001 - 02:00:00 م ---A- . (...) -- C:\WINDOWS\system32\ntdos412.sys [29274]
O58 - SDL:[MD5.3CFFAEFFF23B0D208214A6D3061A5B1B] - 19/09/2001 - 02:00:00 م ---A- . (...) -- C:\WINDOWS\system32\ntdos804.sys [29146]
O58 - SDL:[MD5.4FE09F868CE65B334B42862C372C69CC] - 03/08/2004 - 10:45:10 م ---A- . (...) -- C:\WINDOWS\system32\ntio.sys [33840]
O58 - SDL:[MD5.6F73F50162DEF60C84B725C18CD9140F] - 03/08/2004 - 10:45:16 م ---A- . (...) -- C:\WINDOWS\system32\ntio404.sys [34560]
O58 - SDL:[MD5.0FDD5E69C1FF3B58043D44F2CC743D45] - 03/08/2004 - 10:45:12 م ---A- . (...) -- C:\WINDOWS\system32\ntio411.sys [35648]
O58 - SDL:[MD5.8842837C4D8311BF8E72BEE8CCC42217] - 03/08/2004 - 10:45:16 م ---A- . (...) -- C:\WINDOWS\system32\ntio412.sys [35424]
O58 - SDL:[MD5.6B56CEB3C6F9D5CD7293DBD9FE23B311] - 03/08/2004 - 10:45:14 م ---A- . (...) -- C:\WINDOWS\system32\ntio804.sys [34560]
~ Drivers: 6 Legitimates Filtered in :0mn صs



---\\ List all tools cleaner (LATC) (O63)
O63 - Logiciel: ZHPDiag 2014 - (.Nicolas Coolman.) [HKLM] -- ZHPDiag_is1 =>.Nicolas Coolman
~ ADS: Scanned in :0mn صs



---\\ List all legacy services(LALS) (O64)
O64 - Services: CurCS - 12/03/2008 - C:\WINDOWS\system32\DRIVERS\AshAvScan.sys (AshAvScan) .(.Windows (R) Codename Longhorn DDK provider - Ashampoo Antivirus Guard.) - LEGACY_ASHAVSCAN
O64 - Services: CurCS - 10/03/2008 - C:\Program Files\Ashampoo\Ashampoo AntiVirus\ashAvSrv.exe (avGuard) .(...) - LEGACY_AVGUARD
~ Legacy: 96 Legitimates Filtered in :0mn صs



---\\ Start Menu Internet (SMI) (O68)
O68 - StartMenuInternet: [HKLM\..\Shell\open\Command] (.Mozilla Corporation - Firefox.) -- C:\Program Files\Mozilla Firefox\firefox.exe
O68 - StartMenuInternet: [HKLM\..\Shell\open\Command] (.Google Inc. - Google Chrome.) -- C:\Documents and Settings\ali omar\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
O68 - StartMenuInternet: [HKLM\..\Shell\open\Command] (.Microsoft Corporation - Internet Explorer.) -- C:\Program Files\Internet Explorer\iexplore.exe
~ Keys: Scanned in :0mn صs



---\\ Search Particular Root Folder (SPRF) (O84)
[MD5.B149BB849A26A99C7C2D9699ED1F3822] [SPRF][05/02/2014] (...) -- C:\Documents and Settings\ali omar\Application Data\1.exe [207161]
[MD5.D34CF5C06868D7D255D34C0D7B7C1D71] [SPRF][06/02/2014] (...) -- C:\Documents and Settings\ali omar\Application Data\120.exe [207161]
[MD5.EC1E5B198CDAB3FC43EC6234B3FCA99E] [SPRF][11/10/2011] (...) -- C:\Documents and Settings\ali omar\Application Data\29.exe [203065]
[MD5.13923D5627D95896E0F20FF5142B60AE] [SPRF][04/02/2014] (...) -- C:\Documents and Settings\ali omar\Application Data\3A.exe [146389]
[MD5.13923D5627D95896E0F20FF5142B60AE] [SPRF][04/02/2014] (...) -- C:\Documents and Settings\ali omar\Application Data\67.exe [146389]
~ Files: 17 Legitimates Filtered in :0mn صs



---\\ General States of Services not Microsoft (EGS) (SR=Running, SS=Stopped)
SS - | Demand 05/02/2014 257928 | (AdobeFlashPlayerUpdateSvc) . (.Adobe Systems Incorporated.) - C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
SS - | Demand 04/08/2004 224768 | (dmadmin) . (.Microsoft Corp., Veritas Software.) - C:\WINDOWS\system32\dmadmin.exe
SS - | Demand 04/02/2014 119408 | (MozillaMaintenance) . (.Mozilla Foundation.) - C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe

SR - | Auto 10/03/2008 566608 | (avGuard) . (...) - C:\Program Files\Ashampoo\Ashampoo AntiVirus\ashAvSrv.exe

~ Services: Scanned in :0mn صs



---\\ Search Master Boot Record Infection (MBR)(O80)
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Run by ali omar at 06/02/2014 04:49:36 ص

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys intelide.sys
1 nt!IofCallDriver[0x804E19BC] >> \Device\Harddisk0\DR0[0x89643AB8]
kernel: MBR read successfully
user & kernel MBR OK

~ MBR: 13 Legitimates Filtered in :0mn صs



---\\ Search Master Boot Record Infection (MBRCheck)(O80)
Written by ad13, http://ad13.geekstog
Run by ali omar at 06/02/2014 04:49:38 ص

********* Dump file Name *********
C:\PhysicalDisk0_MBR.bin

~ MBR: Scanned in :0mn صs



---\\ Scan Additionnel (O88)
Database Version : 13030 - (25/01/2014)
Clés trouvées (Keys found) : 7
Valeurs trouvées (Values found) : 2
Dossiers trouvés (Folders found) : 1
Fichiers trouvés (Files found) : 0

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\iLivid] =>Adware.Bandoo^
[HKCU\Software\ilivid] =>Adware.Bandoo
[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}] =>Toolbar.Yahoo
[HKLM\Software\Classes\CLSID\{02478D38-C3F9-4EFB-9B51-7695ECA05670}] =>Toolbar.Yahoo
[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}] =>Toolbar.Yahoo
[HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\Yahoo! Companion] =>Toolbar.Yahoo
[HKLM\Software\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}] =>Toolbar.Yahoo
[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]:iLivid =>Adware.Bandoo^
[HKLM\Software\Microsoft\Internet Explorer\Toolbar]:{EF99BD32-C1FB-11D2-892F-0090271D4F88} =>Toolbar.Yahoo
C:\Documents and Settings\ali omar\Local Settings\Application Data\iLivid =>Adware.Bandoo^
~ Additionnel Scan: 78853 Items scanned in :2mn صs



---\\ Summary of the detections found on your workstation
~ http://nicolascoolman.webs.com/apps/blog/show/26611092-adware-bandoo =>Adware.Bandoo
~ MSI: 1 link(s) detected in :2mn صs



~ 526 Legitimates filtered by white list
End of the scan (479 lines in :1mn صs)(0)
