DiagHelp version v1.4 - http://www.malekal.com
excute le 24/02/2008 à 0:27:30,68
Liste des derniers fichies modifies/crees dans windir\system32 et prefetch
D:\WINDOWS\prefetch\CHCP.COM-18156052.pf -->24/02/2008 00:27:24
D:\WINDOWS\prefetch\CMD.EXE-087B4001.pf -->24/02/2008 00:27:19
D:\WINDOWS\prefetch\WINRAR.EXE-39C6DAD9.pf -->24/02/2008 00:26:02
D:\WINDOWS\prefetch\NOTEPAD.EXE-336351A9.pf -->24/02/2008 00:24:14
D:\WINDOWS\prefetch\NAVICAT.EXE-15352036.pf -->24/02/2008 00:23:33
D:\WINDOWS\prefetch\UPDCLIENT.EXE-215FC96B.pf -->24/02/2008 00:11:56
D:\WINDOWS\prefetch\VUNDOFIX[1].EXE-153F17C4.pf -->24/02/2008 00:08:05
D:\WINDOWS\prefetch\IEXPLORE.EXE-27122324.pf -->24/02/2008 00:02:02
D:\WINDOWS\prefetch\WMIPRVSE.EXE-28F301A9.pf -->24/02/2008 00:00:41
D:\WINDOWS\prefetch\HIJACKTHIS.EXE-13CAA4E1.pf -->24/02/2008 00:00:38
D:\WINDOWS\System32\drivers\nod32drv.sys -->23/02/2008 23:46:50
D:\WINDOWS\System32\drivers\amon.sys -->23/02/2008 23:46:50
D:\WINDOWS\System32\drivers\fidbox2.idx -->02/10/2007 17:36:13
D:\WINDOWS\System32\drivers\fidbox2.dat -->02/10/2007 17:36:13
D:\WINDOWS\System32\drivers\fidbox.idx -->02/10/2007 17:36:13
D:\WINDOWS\System32\drivers\fidbox.dat -->02/10/2007 17:36:13
D:\WINDOWS\System32\drivers\klin.dat -->02/10/2007 17:34:16
D:\WINDOWS\System32\vsconfig.xml -->23/02/2008 23:55:37
D:\WINDOWS\System32\imon.dll -->23/02/2008 23:46:51
D:\WINDOWS\System32\wpa.dbl -->23/02/2008 23:21:43
D:\WINDOWS\System32\CONFIG.NT -->23/02/2008 23:18:36
D:\WINDOWS\System32\perfh00C.dat -->19/02/2008 20:26:29
D:\WINDOWS\System32\PerfStringBackup.INI -->19/02/2008 20:26:28
D:\WINDOWS\System32\perfh009.dat -->19/02/2008 20:26:28
D:\WINDOWS\System32\perfc00C.dat -->19/02/2008 20:26:28
D:\WINDOWS\System32\perfc009.dat -->19/02/2008 20:26:28
D:\WINDOWS\System32\spupdwxp.log -->19/02/2008 20:19:59
D:\WINDOWS\System32\FNTCACHE.DAT -->19/02/2008 20:18:57
D:\WINDOWS\System32\ssldivx.dll -->29/11/2007 23:30:16
D:\WINDOWS\System32\libdivx.dll -->29/11/2007 23:30:16
D:\WINDOWS\System32\frapsvid.dll -->21/11/2007 19:23:54
D:\WINDOWS\System32\BASSMOD.dll -->16/11/2007 22:02:50
D:\WINDOWS\System32\jupdate-1.6.0_03-b05.log -->31/10/2007 14:57:24
D:\WINDOWS\System32\RunOnce3.tmp -->21/10/2007 21:28:22
D:\WINDOWS\System32\RunOnce3.t__ -->19/10/2007 14:30:27
D:\WINDOWS\System32\nscompat.tlb -->13/10/2007 13:05:45
D:\WINDOWS\System32\amcompat.tlb -->13/10/2007 13:05:45
D:\WINDOWS\System32\xpdx.sys -->08/10/2007 16:43:52
D:\WINDOWS\System32\Rey_SubClasser.dll -->03/10/2007 12:42:17
D:\WINDOWS\System32\ReyXp.ocx -->03/10/2007 12:42:17
D:\WINDOWS\System32\dialogg.ocx -->03/10/2007 12:42:17
D:\WINDOWS\System32\msinet.ocx -->03/10/2007 12:30:12
D:\WINDOWS\KBPK080223.LOG -->24/02/2008 00:07:28
D:\WINDOWS\WindowsUpdate.log -->24/02/2008 00:02:07
D:\WINDOWS\0.log -->23/02/2008 23:56:56
D:\WINDOWS\wiadebug.log -->23/02/2008 23:55:58
D:\WINDOWS\wiaservc.log -->23/02/2008 23:55:50
D:\WINDOWS\bootstat.dat -->23/02/2008 23:55:32
D:\WINDOWS\SchedLgU.Txt -->23/02/2008 23:20:10
D:\WINDOWS\PhotoSnapViewer.INI -->23/02/2008 13:08:36
D:\WINDOWS\QTFont.qfn -->23/02/2008 02:55:30
D:\WINDOWS\NeroDigital.ini -->21/02/2008 20:18:39
D:\WINDOWS\QTFont.for -->21/02/2008 14:20:59
D:\WINDOWS\wmsetup.log -->21/02/2008 00:28:10
D:\WINDOWS\wmsetup10.log -->21/02/2008 00:28:09
D:\WINDOWS\spupdsvc.log -->19/02/2008 20:21:11
D:\WINDOWS\DtcInstall.log -->19/02/2008 20:20:55
winlogon.exe
Verified: Signed
svchost.exe
Verified: Signed
ws2_32.dll
Verified: Signed
user32.dll
Verified: Signed
tcpip.sys
Verified: Signed
ndis.sys
Verified: Signed
null.sys
Verified: Signed
ListDLLs v2.25 - DLL lister for Win9x/NT
Copyright (C) 1997-2004 Mark Russinovich
Sysinternals - http://www.sysinternals.com
------------------------------------------------------------------------------
explorer.exe pid: 460
Command line: D:\WINDOWS\Explorer.EXE
Base Size Version Path
0x771b0000 0xce000 7.00.5730.0013 D:\WINDOWS\system32\WININET.dll
0x00400000 0x9000 6.00.5441.0000 D:\WINDOWS\system32\Normaliz.dll
0x5dca0000 0x45000 7.00.5730.0013 D:\WINDOWS\system32\iertutil.dll
0x76f80000 0x7f000 2001.12.4414.0258 D:\WINDOWS\system32\CLBCATQ.DLL
0x77000000 0xd4000 2001.12.4414.0258 D:\WINDOWS\system32\COMRes.dll
0x61410000 0x124000 7.00.5730.0013 D:\WINDOWS\System32\urlmon.dll
0x7e1e0000 0x5c9000 7.00.5730.0013 D:\WINDOWS\system32\ieframe.dll
0x76ac0000 0x11000 3.05.2284.0000 D:\WINDOWS\system32\ATL.DLL
0x74b30000 0x3b000 7.00.5730.0013 D:\WINDOWS\System32\webcheck.dll
0x10000000 0x5000 D:\WINDOWS\BricoPacks\Crystal Clear\RocketDock\MouseHook2.dll
0x73ce0000 0x27000 4.00.1183.0001 D:\WINDOWS\system32\CRTDLL.dll
0x01900000 0xe000 3.63.0004.0000 D:\Program Files\MessengerPlus! 3\MsgPlusLoader.dll
0x01e60000 0x2c6000 3.01.4000.2435 D:\WINDOWS\system32\msi.dll
0x01d00000 0xe000 1.09.0000.0000 D:\WINDOWS\BricoPacks\Crystal Clear\YzShadow\YzShadow.dll
0x00bc0000 0xf000 1.03.0000.0000 D:\WINDOWS\BricoPacks\Crystal Clear\YzToolbar\YzToolBar.dll
0x01580000 0x10000 8.00.0000.0456 D:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
0x78130000 0x9b000 8.00.50727.0163 D:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_681e29fb\MSVCR80.dll
0x74730000 0x3d000 3.525.1117.0000 D:\WINDOWS\system32\ODBC32.dll
0x033f0000 0x18000 3.525.1117.0000 D:\WINDOWS\system32\odbcint.dll
0x325c0000 0x12000 11.00.5510.0000 F:\Office03\OFFICE11\msohev.dll
0x03780000 0x4c000 8.00.0000.0000 D:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\PDFShell.FRA
0x03710000 0x5b000 8.01.0000.0000 D:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\PDFShell.dll
0x52200000 0xb000 7.00.0362.0000 D:\Program Files\Zone Labs\ZoneAlarm\zlavscan.dll
0x01470000 0x4000 5.03.0017.0000 D:\Program Files\Zone Labs\ZoneAlarm\zlavscan_Loc040c.dll
0x02130000 0x2d000 D:\Program Files\WinRAR\rarext.dll
0x02160000 0xf000 0.01.0000.0000 D:\Program Files\Notepad++\nppshellext.dll
0x7c3a0000 0x7b000 7.10.3077.0000 D:\WINDOWS\system32\MSVCP71.dll
0x7c340000 0x56000 7.10.3052.0004 D:\WINDOWS\system32\MSVCR71.dll
0x02180000 0x10000 D:\Program Files\Eset\nodshex.dll
0x36f10000 0xc000 11.00.5510.0000 D:\Program Files\Fichiers communs\Microsoft Shared\OFFICE11\MSOXEV.DLL
winlogon.exe pid: 796
Command line: winlogon.exe
Base Size Version Path
0x01000000 0x81000 \??\D:\WINDOWS\system32\winlogon.exe
0x74730000 0x3d000 3.525.1117.0000 D:\WINDOWS\system32\ODBC32.dll
0x20000000 0x18000 3.525.1117.0000 D:\WINDOWS\system32\odbcint.dll
0x10000000 0x18000 6.14.0010.4146 D:\WINDOWS\system32\Ati2evxx.dll
0x77000000 0xd4000 2001.12.4414.0258 D:\WINDOWS\system32\COMRes.dll
0x76f80000 0x7f000 2001.12.4414.0258 D:\WINDOWS\system32\CLBCATQ.DLL
Le volume dans le lecteur D n'a pas de nom.
Le numéro de série du volume est 1C6A-18E6
Répertoire de D:\WINDOWS\system32
19/08/2004 16:09 6 144 csrss.exe
1 fichier(s) 6 144 octets
0 Rép(s) 15 593 676 800 octets libres
Contenu de Downloaded Program Files
Le volume dans le lecteur D n'a pas de nom.
Le numéro de série du volume est 1C6A-18E6
Répertoire de D:\WINDOWS\Downloaded Program Files
02/11/2007 03:13 <REP> .
02/11/2007 03:13 <REP> ..
28/09/2007 18:53 65 desktop.ini
14/10/1997 17:52 697 DirectAnimation Java Classes.osd
26/07/2007 15:03 214 DivXPlugin.inf
23/03/2007 12:17 1 292 erma.inf
20/01/2000 14:25 1 162 Microsoft XML Parser for Java.osd
11/06/2007 11:21 5 021 swflash.inf
30/06/2003 21:41 1 689 WMV9VCM.inf
09/09/2005 17:45 1 516 wvc1dmo.inf
8 fichier(s) 11 656 octets
Total des fichiers listés :
8 fichier(s) 11 656 octets
2 Rép(s) 15 593 668 608 octets libres
Recherche de rootkit! (Merci S!Ri)
xpdx présent Possible infection Rustock, l'utilisation d'un scanneur rootkit est recommandé
Recherche d'infections connues
Export des clefs sensibles..
Liste des fichiers en exception sur le pare-feu XP SP2
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"D:\\Program Files\\MSN Messenger\\msnmsgr.exe"="D:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"
"F:\\uTorrent\\utorrent.exe"="F:\\uTorrent\\utorrent.exe:*:Enabled:µTorrent"
"F:\\Skype\\Skype.exe"="F:\\Skype\\Skype.exe:*:Enabled:Skype"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"D:\\Program Files\\MSN Messenger\\msnmsgr.exe"="D:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"
Export de la clef SharedTaskScheduler
[SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Pré-chargeur Browseui"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Démon de cache des catégories de composant"
exports des policies
REGEDIT4
[system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
Export des clefs sensibles..
Rechercher adresses sensibles dans le fichier HOSTS...
catchme 0.3.1319 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-24 00:28:18
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden services & system hive ...
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xpdx]
"Type"=dword:00000001
"Start"=dword:00000001
"ErrorControl"=dword:00000000
"ImagePath"=str(2):"\??\D:\WINDOWS\System32\xpdx.sys"
"DisplayName"="xpdx system driver"
"Group"="Base"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xpdx\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\xpdx]
"Type"=dword:00000001
"Start"=dword:00000001
"ErrorControl"=dword:00000000
"ImagePath"=str(2):"\??\D:\WINDOWS\System32\xpdx.sys"
"DisplayName"="xpdx system driver"
"Group"="Base"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\xpdx\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\xpdx]
"Type"=dword:00000001
"Start"=dword:00000001
"ErrorControl"=dword:00000000
"ImagePath"=str(2):"\??\D:\WINDOWS\System32\xpdx.sys"
"DisplayName"="xpdx system driver"
"Group"="Base"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\xpdx\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,..
scanning hidden registry entries ...
scanning hidden files ...
D:\WINDOWS\system32:win33.exe 1326080 bytes executable
scan completed successfully
hidden services: 0
hidden files: 1