cjoint


Document format: text/x-log


RogueKiller V9.0.3.0 [Jun 17 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.surlatoile.org/RogueKiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : utilisatuor [Admin rights]
Mode : Scan -- Date : 06/19/2014 08:46:30

¤¤¤ Bad processes : 3 ¤¤¤
[Suspicious.Path] DrvUpdater.exe -- C:\Users\utilisatuor\AppData\Roaming\DRPSu\DrvUpdater.exe[7] -> KILLED [TermProc]
[Suspicious.Path] Foxit Reader Updater.exe -- C:\Users\UTILIS~1\AppData\Local\Temp\Foxit Reader Updater.exe[7] -> KILLED [TermProc]
[Suspicious.Path] (SVC) tvnserver -- "C:\Windows\securitysvc.exe" -service[7] -> STOPPED

¤¤¤ Registry Entries : 41 ¤¤¤
[Suspicious.Path] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | PD-Proxy : C:\Users\utilisatuor\AppData\Local\Temp\Rar$EX00.681\PD-Proxy_2.2.0\PD-Launcher.exe -> FOUND
[Suspicious.Path] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | Update Agent : "C:\Windows\update-manager.exe" -> FOUND
[Suspicious.Path] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | tvncontrol : "C:\Windows\securitysvc.exe" -controlservice -slave -> FOUND
[Suspicious.Path] (X64) HKEY_USERS\S-1-5-21-2428861949-2753005426-2889067651-1000\Software\Microsoft\Windows\CurrentVersion\Run | tukboqmyqazu : C:\Users\utilisatuor\tukboqmyqazu.exe -> FOUND
[Suspicious.Path] (X64) HKEY_USERS\S-1-5-21-2428861949-2753005426-2889067651-1000\Software\Microsoft\Windows\CurrentVersion\Run | rihobtomocte : C:\Users\utilisatuor\rihobtomocte.exe -> FOUND
[Suspicious.Path] (X64) HKEY_USERS\S-1-5-21-2428861949-2753005426-2889067651-1000\Software\Microsoft\Windows\CurrentVersion\Run | DrvUpdater : C:\Users\utilisatuor\AppData\Roaming\DRPSu\DrvUpdater.exe /hide -> FOUND
[Suspicious.Path] (X86) HKEY_USERS\S-1-5-21-2428861949-2753005426-2889067651-1000\Software\Microsoft\Windows\CurrentVersion\Run | tukboqmyqazu : C:\Users\utilisatuor\tukboqmyqazu.exe -> FOUND
[Suspicious.Path] (X86) HKEY_USERS\S-1-5-21-2428861949-2753005426-2889067651-1000\Software\Microsoft\Windows\CurrentVersion\Run | rihobtomocte : C:\Users\utilisatuor\rihobtomocte.exe -> FOUND
[Suspicious.Path] (X86) HKEY_USERS\S-1-5-21-2428861949-2753005426-2889067651-1000\Software\Microsoft\Windows\CurrentVersion\Run | DrvUpdater : C:\Users\utilisatuor\AppData\Roaming\DRPSu\DrvUpdater.exe /hide -> FOUND
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\tvnserver -> FOUND
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\tvnserver -> FOUND
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet003\Services\tvnserver -> FOUND
[PUM.Proxy] (X64) HKEY_USERS\S-1-5-21-2428861949-2753005426-2889067651-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : hidedoor.com:80 -> FOUND
[PUM.Proxy] (X86) HKEY_USERS\S-1-5-21-2428861949-2753005426-2889067651-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : hidedoor.com:80 -> FOUND
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 8.8.8.8 8.8.4.4 -> FOUND
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{B2E2220C-8188-4493-A075-A0FA41371C74} | NameServer : 8.8.8.8 0.0.0.0 -> FOUND
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{B2E2220C-8188-4493-A075-A0FA41371C74} | DhcpNameServer : 8.8.8.8 0.0.0.0 -> FOUND
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{EEFE5B00-049A-40E1-AB4F-90EA495902AA} | NameServer : 8.8.8.8 0.0.0.0 -> FOUND
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{F0C33FF1-01FE-4474-AFEC-C98DE74AEA59} | DhcpNameServer : 192.168.0.1 192.168.0.1 -> FOUND
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{1263DC4A-56AD-47A2-BACC-C7EBA8E175E6} | DhcpNameServer : 8.8.8.8 8.8.4.4 -> FOUND
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{91E1EB68-7ED3-4991-B8D0-15683EC176F8} | DhcpNameServer : 8.8.8.8 8.8.4.4 -> FOUND
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{B2E2220C-8188-4493-A075-A0FA41371C74} | NameServer : 8.8.8.8 0.0.0.0 -> FOUND
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{B2E2220C-8188-4493-A075-A0FA41371C74} | DhcpNameServer : 8.8.8.8 0.0.0.0 -> FOUND
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{EEFE5B00-049A-40E1-AB4F-90EA495902AA} | NameServer : 8.8.8.8 0.0.0.0 -> FOUND
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{F0C33FF1-01FE-4474-AFEC-C98DE74AEA59} | DhcpNameServer : 192.168.0.1 192.168.0.1 -> FOUND
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Tcpip\Parameters\Interfaces\{B2E2220C-8188-4493-A075-A0FA41371C74} | NameServer : 8.8.8.8 193.251.169.165 -> FOUND
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Tcpip\Parameters\Interfaces\{B2E2220C-8188-4493-A075-A0FA41371C74} | DhcpNameServer : 8.8.8.8 193.251.169.165 -> FOUND
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Tcpip\Parameters\Interfaces\{EEFE5B00-049A-40E1-AB4F-90EA495902AA} | NameServer : 8.8.8.8 193.251.169.165 -> FOUND
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Tcpip\Parameters\Interfaces\{F0C33FF1-01FE-4474-AFEC-C98DE74AEA59} | DhcpNameServer : 192.168.0.1 192.168.0.1 -> FOUND
[PUM.Policies] (X64) HKEY_USERS\S-1-5-21-2428861949-2753005426-2889067651-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableTaskmgr : 0 -> FOUND
[PUM.Policies] (X64) HKEY_USERS\S-1-5-21-2428861949-2753005426-2889067651-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableRegistryTools : 0 -> FOUND
[PUM.Policies] (X86) HKEY_USERS\S-1-5-21-2428861949-2753005426-2889067651-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableTaskmgr : 0 -> FOUND
[PUM.Policies] (X86) HKEY_USERS\S-1-5-21-2428861949-2753005426-2889067651-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableRegistryTools : 0 -> FOUND
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | EnableLUA : 0 -> FOUND
[PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | EnableLUA : 0 -> FOUND
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0 -> FOUND
[PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0 -> FOUND
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> FOUND
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> FOUND
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> FOUND
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> FOUND

¤¤¤ Scheduled tasks : 2 ¤¤¤
[Suspicious.Path] \\{127B5EC1-1114-4894-A265-AB541C07C0E7} -- C:\Users\utilisatuor\Desktop\Super Hyper QCM + de 25000 QCM for DOC-DZ NADJI 85.EXE -> FOUND
[Suspicious.Path] \\{BF12D639-8FA0-4B8C-9B53-EE682B4D4992} -- C:\Users\utilisatuor\Desktop\Super Hyper QCM + de 25000 QCM for DOC-DZ NADJI 85.EXE -> FOUND

¤¤¤ Files : 1 ¤¤¤
[Suspicious.Path][File] FCB Fan Alert.lnk -- C:\Users\utilisatuor\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FCB Fan Alert.lnk [LNK@] C:\Users\UTILIS~1\AppData\Local\DESKTO~1\303\Ver1\FCBFAN~1.EXE /RunPush -> FOUND

¤¤¤ HOSTS File : 0 [Too big!] ¤¤¤

¤¤¤ Antirootkit : 0 ¤¤¤

¤¤¤ Web browsers : 2 ¤¤¤
[PUM.Proxy][FIREFX:Config] yipu3v5n.default-1356641818636 : user_pref("network.proxy.http", "199.167.133.151"); -> FOUND
[PUM.Proxy][FIREFX:Config] yipu3v5n.default-1356641818636 : user_pref("network.proxy.http_port", 80); -> FOUND

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD5000BPVT-60HXZT3 +++++
--- User ---
[MBR] ba2059a3ce2eaee0ed6e41a9f3015127
[BSP] 0bc5d8708019a4ad668384545a22a2bd : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 199 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 409600 | Size: 462555 MB
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 947722240 | Size: 14081 MB
3 - [XXXXXX] FAT32-LBA (0xc) [VISIBLE] Offset (sectors): 976560128 | Size: 103 MB
User = LL1 ... OK
User = LL2 ... OK
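The report above is a flat list of findings, and a few things in it are easy to misread: the same registry value is reported twice when RogueKiller reads it through both registry views (X86 and X64), a Policies entry such as DisableTaskmgr : 0 means the restriction is switched off (the tool flags the presence of the value, not a bad setting), while EnableLUA : 0 and ConsentPromptBehaviorAdmin : 0 really do disable UAC, and the ProxyServer value plus the Firefox network.proxy.http pref reroute all web traffic through a host the user never chose. The Python script below is an added triage example, not part of RogueKiller, of the cjoint upload, or of the original poster's material. It parses lines of this shape into structured findings, collapses the view duplicates, and applies severity rules that encode the points just listed. The severity labels, the KNOWN_DNS allowlist and the path heuristics are my own assumptions for illustration; the sample lines are copied from the report above.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional

# Constructed sample: a subset of the lines from the RogueKiller report above,
# pasted verbatim (raw string, so the Windows backslashes are literal).
SAMPLE_LOG = r"""
¤¤¤ Registry Entries : 41 ¤¤¤
[Suspicious.Path] DrvUpdater.exe -- C:\Users\utilisatuor\AppData\Roaming\DRPSu\DrvUpdater.exe[7] -> KILLED [TermProc]
[Suspicious.Path] (SVC) tvnserver -- "C:\Windows\securitysvc.exe" -service[7] -> STOPPED
[Suspicious.Path] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | tvncontrol : "C:\Windows\securitysvc.exe" -controlservice -slave -> FOUND
[Suspicious.Path] (X64) HKEY_USERS\S-1-5-21-2428861949-2753005426-2889067651-1000\Software\Microsoft\Windows\CurrentVersion\Run | tukboqmyqazu : C:\Users\utilisatuor\tukboqmyqazu.exe -> FOUND
[Suspicious.Path] (X86) HKEY_USERS\S-1-5-21-2428861949-2753005426-2889067651-1000\Software\Microsoft\Windows\CurrentVersion\Run | tukboqmyqazu : C:\Users\utilisatuor\tukboqmyqazu.exe -> FOUND
[PUM.Proxy] (X64) HKEY_USERS\S-1-5-21-2428861949-2753005426-2889067651-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : hidedoor.com:80 -> FOUND
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{B2E2220C-8188-4493-A075-A0FA41371C74} | NameServer : 8.8.8.8 0.0.0.0 -> FOUND
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Tcpip\Parameters\Interfaces\{B2E2220C-8188-4493-A075-A0FA41371C74} | NameServer : 8.8.8.8 193.251.169.165 -> FOUND
[PUM.Policies] (X64) HKEY_USERS\S-1-5-21-2428861949-2753005426-2889067651-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableTaskmgr : 0 -> FOUND
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | EnableLUA : 0 -> FOUND
[PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | EnableLUA : 0 -> FOUND
[PUM.Proxy][FIREFX:Config] yipu3v5n.default-1356641818636 : user_pref("network.proxy.http", "199.167.133.151"); -> FOUND
"""

# One RogueKiller finding line: [Tag][SubTag] (VIEW) body -> ACTION
LINE_RE = re.compile(
    r"^\[(?P<tag>[^\]]+)\](?:\[(?P<sub>[^\]]+)\])?\s*"   # [PUM.Proxy][FIREFX:Config]
    r"(?:\((?P<arch>X86|X64|SVC)\)\s*)?"               # (X86) / (X64) / (SVC)
    r"(?P<body>.*?)\s*->\s*(?P<action>.+)$"            # ... -> FOUND / KILLED / STOPPED
)


@dataclass(frozen=True)
class Finding:
    tag: str     # RogueKiller category, e.g. Suspicious.Path, PUM.Proxy
    sub: str     # secondary tag such as File or FIREFX:Config ('' if absent)
    arch: str    # registry view the entry was read through ('' if not applicable)
    key: str     # registry key path ('' for processes, services and browser prefs)
    name: str    # value name, process name, service name or browser profile
    value: str   # value data or command line
    action: str  # FOUND, KILLED [...], STOPPED, ...


def parse_line(line: str) -> Optional[Finding]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # section headers, blank lines, MBR dump, ...
    body, key = m["body"], ""
    if " | " in body:           # registry entry:  KEY | name : value
        key, _, body = body.partition(" | ")
        name, _, value = body.partition(" : ")
    elif " -- " in body:        # process / service / task:  name -- command line
        name, _, value = body.partition(" -- ")
    else:                       # browser pref:  profile : user_pref(...)
        name, _, value = body.partition(" : ")
    return Finding(m["tag"], m["sub"] or "", m["arch"] or "", key, name, value, m["action"])


def parse_report(text: str) -> list:
    """Parse every finding line and drop the X86/X64 duplicate of the same entry."""
    seen, out = set(), []
    for line in text.splitlines():
        f = parse_line(line)
        if f is None:
            continue
        ident = (f.tag, f.key, f.name, f.value)  # view deliberately excluded
        if ident not in seen:
            seen.add(ident)
            out.append(f)
    return out


# Assumed allowlist: Google public DNS plus the empty slot RogueKiller prints as 0.0.0.0.
KNOWN_DNS = {"8.8.8.8", "8.8.4.4", "0.0.0.0"}

# Assumed heuristic: binaries under AppData, Temp, the profile root, or directly under
# C:\Windows. Some legitimate binaries (explorer.exe, regedit.exe) also live in C:\Windows,
# so treat a hit as a triage hint to verify against a known-good list, not a verdict.
USER_WRITABLE = re.compile(
    r"\\appdata\\|\\temp\\|\\users\\[^\\]+\\[^\\]+\.exe|c:\\windows\\[^\\]+\.exe"
)


def _public_ip(s: str) -> bool:
    try:
        return ip_address(s).is_global
    except ValueError:
        return True  # not an IP literal at all: treat as unknown


def triage(f: Finding) -> tuple:
    """Map a finding to (severity, reason): 'high' = act on it, 'review' = needs a
    human, 'info' = reported by RogueKiller but harmless as shown."""
    v = f.value
    if f.tag == "PUM.Proxy":
        return "high", f"traffic forced through a proxy: {v}"
    if f.tag == "PUM.Policies":
        if f.name in ("EnableLUA", "ConsentPromptBehaviorAdmin") and v == "0":
            return "high", f"UAC disabled or silent: {f.name}=0"
        if f.name.startswith("Disable") and v == "0":
            return "info", f"{f.name}=0: the restriction is not active"
        return "review", f"policy {f.name}={v}"
    if f.tag == "PUM.Dns":
        unknown = [s for s in v.split() if s not in KNOWN_DNS and _public_ip(s)]
        if unknown:
            return "review", "unrecognised public resolver(s): " + " ".join(unknown)
        return "info", "resolvers are Google DNS, LAN or unset"
    if f.tag == "Suspicious.Path":
        if USER_WRITABLE.search(v.lower()):
            return "high", f"{f.name} runs from a user-writable or unusual path"
        return "review", f"{f.name}: {v}"
    return "review", f"{f.tag}: {f.name} = {v}"


def summarize(text: str) -> dict:
    buckets = {"high": [], "review": [], "info": []}
    for f in parse_report(text):
        sev, why = triage(f)
        buckets[sev].append(why)
    return buckets


if __name__ == "__main__":
    for sev, items in summarize(SAMPLE_LOG).items():
        print(f"== {sev} ({len(items)})")
        for why in items:
            print("  -", why)
```

On the sample lines the script collapses the twelve findings to ten (the two view duplicates of tukboqmyqazu and EnableLUA merge), puts the proxy, UAC and user-writable-path entries in the high bucket, leaves the ControlSet003 resolver 193.251.169.165 for review because it is a public address outside the allowlist, and files the DisableTaskmgr : 0 and Google-only DNS entries as informational. The dedup key ignores the view on purpose: the value data is what matters for remediation, and acting twice on the same Run entry only clutters the ticket.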
