
¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Pre_Script | 3.0123 ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

chouchou : Windows Vista (TM) Home Premium (32 bits)

Switchs : http://gen-hackman.forum-pro.fr/t89-les-switchs

New restorepoint created

Script : 12:03:44

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤¤¤¤¤¤ | Stopped Processes

(1100) -- Ati2evxx.exe
(1364) -- SLsvc.exe
(1584) -- Ati2evxx.exe
(1928) -- explorer.exe
(2028) -- spoolsv.exe
(188) -- taskeng.exe
(504) -- taskeng.exe
(2216) -- ACService.exe
(2236) -- CLMSServer.exe
(2244) -- RtHDVCpl.exe
(2268) -- MemCheck.exe
(2288) -- rundll32.exe
(2344) -- jusched.exe
(2420) -- qttask.exe
(2432) -- SweetIM.exe
(2520) -- SweetPacksUpdateManager.exe
(2540) -- 9props.exe
(2548) -- CCleaner.exe
(2556) -- ehtray.exe
(2576) -- wmpnscfg.exe
(2640) -- PrintScreen.exe
(2652) -- Magic-i.exe
(2684) -- ehmsas.exe
(2940) -- eDSService.exe
(3024) -- ijplmsvc.exe
(3048) -- LSSrvc.exe
(3120) -- uMgiSvr.exe
(3244) -- RichVideo.exe
(3388) -- TeamViewer_Service.exe
(3472) -- WLIDSVC.EXE
(3696) -- SearchIndexer.exe
(3796) -- WLIDSVCM.EXE
(3828) -- WUDFHost.exe
(4068) -- TeamViewer.exe
(3908) -- eRecoveryService.exe
(2800) -- wmpnetwk.exe
(3808) -- mobsync.exe
(1468) -- wmplayer.exe
(1868) -- tv_w32.exe
(5940) -- iexplore.exe
(5488) -- GoogleToolbarUser_32.exe
(5656) -- iexplore.exe
(1464) -- SearchProtocolHost.exe
(5396) -- iexplore.exe
(5404) -- taskeng.exe
(6128) -- ctfmon.exe
(4324) -- wuauclt.exe
(5700) -- SearchFilterHost.exe
(5620) -- taskmgr.exe


¤¤¤¤¤¤¤¤¤¤ | RegRead :



¤¤¤¤¤¤¤¤¤¤ | Deletion | Drivers | Services

Service : MPKSL55D5FBDC Not actif
Service : MPKSLB0BE3CF9 Not actif
Service : MPKSLBA05564C Not actif
Service : MPKSLC508DF0E Not actif
Service : MPKSLEFC1BE61 Not actif
Service : SYMDNS Not actif
Service : SYMEVENT Not actif
Service : SYMFW Not actif
Service : SYMIDS Not actif
Service : SYMNDISV Not actif
Service : SYMREDRV Not actif
Service : SYMTDI Not actif

¤¤¤¤¤¤¤¤¤¤ | Registry Deletions


Value Deleted : [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]:Acer Tour
Value Deleted : [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]:eRecoveryService
Value Deleted : [HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]:
Key Deleted : HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Adobe Reader Speed Launcher
Key not found : HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\QuickTime Task
Key Deleted : HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\swg
Key Deleted : HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8AD9C840-044E-11D1-B3E9-00805F499D93}
Key not found : HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
Key not found : HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}
Key not found : HKU\S-1-5-21-2465643848-3244870746-783416107-1000\Software\eojet
Key Deleted : HKLM\Software\BrowserChoice
Value Deleted : [HKLM\SYSTEM\CurrentControlSet\Services\sharedaccess\Parameters\FirewallPolicy\FirewallRules]:{7CEA1F8C-ADD2-4BB2-8F4C-4CD51CD41CDC}
No value : [ HKLM\SYSTEM\CurrentControlSet\Services\sharedaccess\Parameters\FirewallPolicy\FirewallRules]:{E77063CC-E985-434D-A7DE-0593C4CB7DFA}
Key not found : HKLM\Software\Microsoft\windows\CurrentVersion\Uninstall\eoJet_is1
Key Deleted : HKLM\Software\Microsoft\windows\CurrentVersion\Uninstall\Optimizer Pro_is1
Key Deleted : HKCR\AppId\SoftwareUpdate.exe
File Moved to quarantine successfully : |RA| - C:\Windows\Installer\{1577A05B-EE62-4BBC-9DB7-FE748FA44EC2}\NewShortcut6.txt
Folder Moved to quarantine successfully : |D| - C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Optimizer Pro
Folder Moved to quarantine successfully : |D| - C:\Users\chouchou\AppData\Roaming\Ad-Aware Antivirus
Folder Moved to quarantine successfully : |D| - C:\ProgramData\Spybot - Search & Destroy
Impossible to move Folder : |D| - C:\Program Files\*.tmp
File Moved to quarantine successfully : |A| - C:\Windows\Tasks\PC Performer_DEFAULT.job
File Moved to quarantine successfully : |A| - C:\Windows\System32\Tasks\BrowserProtect
File Moved to quarantine successfully : |A| - C:\Windows\System32\Tasks\CreateChoiceProcessTask
C:\Program Files\Optimizer Pro : Not Found !

¤¤¤¤¤¤¤¤¤¤ | MBR

Windows Version: Windows Vista Home Premium Edition
Windows Information: Service Pack 2 (build 6002), 32-bit
Base Board Manufacturer: Acer
BIOS Manufacturer: Phoenix Technologies, LTD
System Manufacturer: Acer
System Product Name: Aspire M1100
Logical Drives Mask: 0x000003dc

Analysis of file "C:\Pre_Scan\MBR.bin":
Unknown MBR code


Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.0.6002 Disk: ST3320820AS rev.3.AAD -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll ataport.SYS pciide.sys PCIIDEX.SYS atapi.sys
1 ntkrnlpa!IofCallDriver[0x82E8C936] -> \Device\Harddisk0\DR0[0x857D8620]
3 CLASSPNP[0x885BF8B3] -> ntkrnlpa!IofCallDriver[0x82E8C936] -> [0x85727020]
5 acpi[0x87E156BC] -> ntkrnlpa!IofCallDriver[0x82E8C936] -> \Device\Ide\IdeDeviceP0T0L0-0[0x857115E0]
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV DI, 0x5; XOR AX, AX; MOV DL, 0x80; INT 0x13; JAE 0x2d; DEC DI; }
user & kernel MBR OK

¤¤¤¤¤¤¤¤¤¤ | Disk cleaning

Disk cleaned
End : 12:09:38

¤¤¤¤¤¤¤¤¤¤ ( EOF ) ¤¤¤¤¤¤¤¤¤¤