¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Pre_Scan | g3n-h@ckm@n | Saachaa | 3.0606 ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤ XP | Vista | 7 | 8 - 32/64 bits ¤¤¤¤¤ - Start 20:06:55

~ Update on 06/06/2013 | 08.50 by g3n-h@ckm@n

~ Evolution : http://www.security-helpzone.com/forum/Forum-Mises-%C3%A0-jour-Pre-Scan | http://sosvirus.org/viewforum.php?f=229
~ Pre_Script Infos : http://sosvirus.org/viewtopic.php?f=228&t=312 | http://www.security-helpzone.com/forum/Thread-Les-Switches
~ Pre_scan Feedbacks : http://sosvirus.org/viewforum.php?f=233 | http://www.security-helpzone.com/forum/Forum-Feedbacks-Pre-Scan

~ [abderrahime (Administrator)] - [UNICORNI-FBFFBF]
~ SID = S-1-5-21-1409082233-1801674531-682003330-1003
~ System : Microsoft Windows XP (32 bits) Service Pack 2
~ ProcessorNameString : Intel(R) Pentium(R) 4 CPU 3.00GHz
~ Identifier : x86 Family 15 Model 4 Stepping 3
~ Mémory RAM = Total (KB) : 1039720 | Free (KB) : 752950
~ Pagefile = Total (KB) : 2501220 | Free (KB) : 2319390
~ Virtual = Total (KB) : 2097020 | Free (KB) : 2022440

¤¤¤¤¤¤¤¤¤¤ | Boot's scripts

¤¤¤¤¤¤¤¤¤¤ | Drives

c:\ -> [Fixed] | [Disque local] | Total : 20000 Mo | Free : 1960 Mo -> NTFS
d:\ -> [Fixed] | [] | Total : 18150 Mo | Free : 15270 Mo -> NTFS

¤¤¤¤¤¤¤¤¤¤ | Windows Updates

No windows updates detected !!!
~ Service Pack 3 not installed !!!

¤¤¤¤¤¤¤¤¤¤ | Sessions

~ C:\WINDOWS\system32\config\systemprofile
~ C:\Documents and Settings\LocalService.AUTORITE NT
~ C:\Documents and Settings\NetworkService.AUTORITE NT
~ C:\Documents and Settings\abderrahime

New restorepoint created
Standby deleted !

¤¤¤¤¤¤¤¤¤¤ | stopped Processes

(1748) -- spoolsv.exe
(2036) -- explorer.exe
(748) -- alg.exe
(768) -- wscntfy.exe
(1376) -- RTHDCPL.EXE
(1384) -- igfxtray.exe
(1392) -- hkcmd.exe
(1404) -- igfxpers.exe
(1420) -- IDMan.exe
(1348) -- ctfmon.exe
(1504) -- msmsgs.exe
(2896) -- svchost .exe
(3076) -- wscript.exe
(2940) -- ConnectManager.exe
(4068) -- chrome.exe
(3620) -- chrome.exe
(3736) -- chrome.exe
(260) -- chrome.exe
(132) -- chrome.exe
(2124) -- chrome.exe
(2196) -- chrome.exe
(2764) -- chrome.exe

¤¤¤¤¤¤¤¤¤¤ | Running processes

Boot : Normal

¤¤¤¤¤¤¤¤¤¤ | Winlogon User : OK !

¤¤¤¤¤¤¤¤¤¤ | Winlogon Machine

Repaired : [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]|[PowerDownAfterShutdown] : 0 -> 1
Changed : [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]|[AutoRestartShell] : 1 -> 0

¤¤¤¤¤¤¤¤¤¤ | Associations

Repaired : [HKCR\InternetShortcut\shell\open\command] : rundll32.exe shdocvw.dll,OpenURL %l -> "C:\WINDOWS\System32\rundll32.exe" "C:\WINDOWS\System32\ieframe.dll",OpenURL %l
Repaired : [HKCR\Application.Manifest\shell\open\command] : -> rundll32.exe dfshim.dll,ShOpenVerbApplication %1
Repaired : [HKCR\Application.Reference\shell\open\command] : -> rundll32.exe dfshim.dll,ShOpenVerbShortcut %1|%2
Repaired : [HKCR\Folder\shell\open\command] : %SystemRoot%\Explorer.exe /idlist,%I,%L -> C:\WINDOWS\Explorer.exe
¤
Navigators settings associations are OK !

¤¤¤¤¤¤¤¤¤¤ | Registry

Repaired : [HKLM\software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel]|[{20D04FE0-3AEA-1069-A2D8-08002B30309D}] : 1 -> 0
Repaired : [HKLM\software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel]|[{208D2C60-3AEA-1069-A2D7-08002B30309D}] : 1 -> 0
Repaired : [HKLM\software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel]|[{871C5380-42A0-1069-A2EA-08002B30309D}] : 1 -> 0
Repaired : [HKU\S-1-5-21-1409082233-1801674531-682003330-1003\software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]|[Hidden] : 2 -> 0

¤¤¤¤¤¤¤¤¤¤ | SafeBoot | Control | Repair

Safeboot Keys are O.K
Alternate shell is OK !
¤
Repaired : [HKLM | Minimal\vds] : -> Service
Repaired : [HKLM | Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}] : -> Volume shadow copy
¤
Safeboot Network Subkeys : O.K !

¤¤¤¤¤¤¤¤¤¤ | IFEO

Deleted : [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File execution Options\apitrap.dll] : ()
Deleted : [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File execution Options\AVSTE.dll] : ()
Deleted : [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File execution Options\cqw32.exe] : ()
Deleted : [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File execution Options\divxdec.ax] : ()
Deleted : [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File execution Options\DRMINST.dll] : ()
Deleted : [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File execution Options\EncodeDivXExt.dll] : ()
Deleted : [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File execution Options\front.exe] : ()
Deleted : [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File execution Options\GBROWSER.DLL] : ()
Deleted : [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File execution Options\htmlmarq.ocx] : ()
Deleted : [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File execution Options\install.exe] : ()
Deleted : [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File execution Options\ISSTE.dll] : ()
Deleted : [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File execution Options\jvm.dll] : ()
Deleted : [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File execution Options\main123w.dll] : ()
Deleted : [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File execution Options\msci_uno.dll] : ()
Deleted : [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File execution Options\mscorsvr.dll] : ()
Deleted : [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File execution Options\msjava.dll] : ()
Deleted : [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File execution Options\NAVOPTRF.dll] : ()
Deleted : [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File execution Options\NPMLIC.dll] : ()
Deleted : [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File execution Options\photohse.EXE] : ()
Deleted : [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File execution Options\ppw32hlp.dll] : ()
Deleted : [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File execution Options\prwin8.EXE] : ()
Deleted : [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File execution Options\psdmt.exe] : ()
Deleted : [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File execution Options\qpw.EXE] : ()
Deleted : [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File execution Options\setup.exe] : ()
Deleted : [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File execution Options\sevinst.exe] : ()
Deleted : [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File execution Options\tcore_ebook.dll] : ()
Deleted : [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File execution Options\ua80.EXE] : ()
Deleted : [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File execution Options\ums.dll] : ()
Deleted : [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File execution Options\vbe6.dll] : ()
Deleted : [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File execution Options\xlmlEN.dll] : ()
Deleted : [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File execution Options\Your Image File Name Here without a path] : ntsd -d

¤¤¤¤¤¤¤¤¤¤ | Mountpoints2

Deleted : [HKU\S-1-5-21-1409082233-1801674531-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Mountpoints2\{48e5e1a6-be3d-11e2-a8f7-001635751565} | AutoRun\command] : C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL WScRiPt.EXe /e:VBScRIpt.eNcOdE Microsoft.exe

¤¤¤¤¤¤¤¤¤¤ | Windows

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\system.ini\Boot]|[Shell] : SYS:Microsoft\Windows NT\CurrentVersion\Winlogon
Winsrv : OK !
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]|[AppInit_DLLS] :
[HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]|[Programs] : com exe bat pif cmd

¤¤¤¤¤¤¤¤¤¤ | Security Center : OK !

[HKLM\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKLM\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKLM\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKLM\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
[HKLM\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKLM\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKLM\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKLM\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKLM\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
[HKLM\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
[HKLM\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKLM\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKLM\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKLM\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

¤¤¤¤¤¤¤¤¤¤ | Services Corrections

Repaired : [HKLM | Services\Browser] : 2 -> 3
Repaired : [HKLM | Services\Bits] : 3 -> 2

¤¤¤¤¤¤¤¤¤¤ | Internet Explorer

Repaired : [HKU\S-1-5-19\Software\Microsoft\Internet Explorer\Main]|[Search Bar] : http://www.google.fr -> http://www.google.com/
Repaired : [HKU\S-1-5-20\Software\Microsoft\Internet Explorer\Main]|[Search Bar] : http://www.google.fr -> http://www.google.com/
Repaired : [HKU\S-1-5-21-1409082233-1801674531-682003330-1003\Software\Microsoft\Internet Explorer\Main]|[Search Bar] : http://www.google.fr -> http://www.google.com/
Repaired : [HKU\S-1-5-18\Software\Microsoft\Internet Explorer\Main]|[Search Bar] : http://www.google.fr -> http://www.google.com/
Repaired : [HKU\S-1-5-19\Software\Microsoft\Internet Explorer\Main]|[Start Page] : http://www.files-ftp.com/~unicorni/phpBB2/index.php -> http://www.google.com/
Repaired : [HKU\S-1-5-20\Software\Microsoft\Internet Explorer\Main]|[Start Page] : http://www.files-ftp.com/~unicorni/phpBB2/index.php -> http://www.google.com/
Repaired : [HKU\S-1-5-18\Software\Microsoft\Internet Explorer\Main]|[Start Page] : http://www.files-ftp.com/~unicorni/phpBB2/index.php -> http://www.google.com/
Repaired : [HKLM\Software\Microsoft\Internet Explorer\Search]|[SearchAssistant] : http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm -> http://www.google.com/ie
Repaired : [HKLM\Software\Microsoft\Internet Explorer\Main]|[Start Page] : http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home -> http://go.microsoft.com/fwlink/?LinkId=69157
Repaired : [HKLM\Software\Microsoft\Internet Explorer\Main]|[Local Page] : %SystemRoot%\system32\blank.htm -> C:\WINDOWS\system32\blank.htm
Repaired : [HKLM\Software\Microsoft\Internet Explorer\Main]|[Default_Search_URL] : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> http://go.microsoft.com/fwlink/?LinkId=54896
Repaired : [HKLM\Software\Microsoft\Internet Explorer\Main]|[Default_Page_URL] : http://www.files-ftp.com/~unicorni/phpBB2/index.php -> http://go.microsoft.com/fwlink/?LinkId=69157
Repaired : [HKLM\Software\Microsoft\Internet Explorer\Main]|[Search Page] : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> http://go.microsoft.com/fwlink/?LinkId=54896
¤
Repaired : [HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet settings]|[MigrateProxy] : 0 -> 1
Repaired : [HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet settings]|[MigrateProxy] : 0 -> 1
Repaired : [HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet settings]|[MigrateProxy] : 0 -> 1

¤¤¤¤¤¤¤¤¤¤ | Hosts

C:\WINDOWS\System32\Drivers\etc\hosts : Cleaned

¤¤¤¤¤¤¤¤¤¤ | Files | Folders | Registry

Moved to quarantine successfully : C:\Recycler\S-1-5-21-1844237615-562591055-725345543-1003\desktop.ini
Moved to quarantine successfully : C:\Recycler\S-1-5-21-1844237615-562591055-725345543-1003\INFO2
Moved to quarantine successfully : C:\Recycler\S-1-5-21-1409082233-1801674531-682003330-1003\desktop.ini
Moved to quarantine successfully : C:\Recycler\S-1-5-21-1409082233-1801674531-682003330-1003\INFO2
Deleted : [HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]|[Updates] : "C:\WINDOWS\svchost .exe" /e:VBScript.Encode "C:\Documents and Settings\abderrahime\Application Data\Microsoft\SYSTEM\cste"
Moved to quarantine successfully : C:\WINDOWS\svchost .exe
Moved to quarantine successfully : C:\Documents and Settings\abderrahime\Menu Démarrer\Programmes\Démarrage\Windows Media Player.vbe
Moved to quarantine successfully : C:\WINDOWS\assembly\tmp\
Moved to quarantine successfully : C:\Documents and Settings\abderrahime\Local Settings\Application Data\Sun\Java\Deployment\cache\6.0
Moved to quarantine successfully : C:\Documents and Settings\abderrahime\Local Settings\Application Data\Sun\Java\Deployment\cache\security
Prefetch -> Emptied
Suspect : C:\Documents and Settings\abderrahime\Application Data\LG Connection Manager\SMS001
Suspect : C:\Documents and Settings\abderrahime\Application Data\LG Connection Manager\PB001
Suspect : C:\Documents and Settings\abderrahime\Application Data\LG Connection Manager\ST001
Suspect : C:\WINDOWS\MEMORY.DMP

¤¤¤¤¤¤¤¤¤¤ | Hidden files

~ [Drive D:] : Hidden : 1 | Restored : 1
~ [Program Files] : Hidden : 2 | Restored : 2
~ [Users] : Hidden : 4 | Restored : 4
~ [Desktop] : Hidden : 1 | Restored : 1
~ [Windows] : Hidden : 146 | Restored : 146

¤¤¤¤¤¤¤¤¤¤ | Listing Partition(s)

Disk: 0 Size= 38G

Pos  MBRndx  Type/Name   Size  Active  Hide  Start Sector  Sectors
---  ------  ----------  ----  ------  ----  ------------  ------------
 0   0       07-NTFS     20G   Yes     No    63            40,965,687
 1   1       0F-EXTEND   18G   No      No    40,965,750    37,174,410

¤¤¤¤¤¤¤¤¤¤

[HKLM | Winlogon] | AutoRestartShell : 0 -> 1

End : 20:21:39

Pre_Scan_Protect.exe Stopped successfully !
Standby Restored !

¤¤¤¤¤¤¤¤¤¤ | Attempt to restart stopped

20:03:29 : chrome.exe
20:03:29 : chrome.exe
20:03:29 : chrome.exe
20:03:29 : chrome.exe
20:03:29 : chrome.exe
20:03:29 : chrome.exe
20:03:29 : chrome.exe
20:03:29 : chrome.exe
20:03:29 : chrome.exe
20:03:29 : chrome.exe
20:03:29 : chrome.exe
20:03:29 : chrome.exe
20:03:29 : chrome.exe
20:03:29 : chrome.exe
20:03:29 : chrome.exe
20:03:29 : chrome.exe

~ Thx to C_XX , Slyk for their help for the evolution of the tool

¤¤¤¤¤¤¤¤¤¤( EOF )¤¤¤¤¤¤¤¤¤¤