narca

Member
Content count: 66

Everything posted by narca

  1. Hello falkra, ok, thanks. You'll just need to help me tidy things up a bit, because lots of programs, including BitDefender, are no longer usable. See you soon.
  2. Good evening falkra, nothing new for me? Are the reports not done properly? Have a good evening.
  3. Here's the rest. For GMER, no report: it says it found nothing, full stop. I had ticked Files, Registry, Processes and Services. For RootRepeal (Processes), here's the report:

     ROOTREPEAL © AD, 2007-2009
     ==================================================
     Scan Start Time:     2009/10/23 21:03
     Program Version:     Version 1.3.5.0
     Windows Version:     Windows XP SP3
     ==================================================

     Processes
     -------------------
     Path: System  PID: 4  Status: -
     Path: C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe  PID: 248  Status: -
     Path: C:\WINDOWS\system32\spoolsv.exe  PID: 376  Status: -
     Path: C:\WINDOWS\system32\wdfmgr.exe  PID: 424  Status: -
     Path: C:\WINDOWS\system32\smss.exe  PID: 960  Status: -
     Path: C:\WINDOWS\system32\svchost.exe  PID: 988  Status: -
     Path: C:\WINDOWS\system32\gearsec.exe  PID: 1036  Status: -
     Path: C:\Program Files\Java\jre6\bin\jqs.exe  PID: 1044  Status: -
     Path: C:\WINDOWS\system32\csrss.exe  PID: 1060  Status: -
     Path: C:\WINDOWS\system32\winlogon.exe  PID: 1084  Status: -
     Path: C:\WINDOWS\system32\services.exe  PID: 1128  Status: -
     Path: C:\WINDOWS\system32\lsass.exe  PID: 1140  Status: -
     Path: C:\Program Files\Norton Ghost\Agent\VProSvc.exe  PID: 1196  Status: -
     Path: C:\WINDOWS\system32\svchost.exe  PID: 1300  Status: -
     Path: C:\WINDOWS\system32\svchost.exe  PID: 1376  Status: -
     Path: C:\WINDOWS\system32\alg.exe  PID: 1480  Status: -
     Path: C:\Program Files\Fichiers communs\BitDefender\BitDefender Update Service\livesrv.exe  PID: 1488  Status: -
     Path: C:\WINDOWS\system32\nvsvc32.exe  PID: 1500  Status: -
     Path: C:\Program Files\BitDefender\BitDefender 2010\vsserv.exe  PID: 1516  Status: -
     Path: C:\WINDOWS\system32\HPZipm12.exe  PID: 1560  Status: -
     Path: C:\WINDOWS\system32\svchost.exe  PID: 1608  Status: -
     Path: C:\WINDOWS\system32\svchost.exe  PID: 1720  Status: -
     Path: C:\WINDOWS\system32\svchost.exe  PID: 1880  Status: -
     Path: C:\WINDOWS\system32\svchost.exe  PID: 1920  Status: -
     Path: C:\rootrepeal\RootRepeal.exe  PID: 1932  Status: -
     Path: C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe  PID: 2016  Status: -
     Path: C:\WINDOWS\explorer.exe  PID: 2672  Status: -
     Path: C:\WINDOWS\system32\wscntfy.exe  PID: 2724  Status: -
     Path: C:\WINDOWS\system32\svchost.exe  PID: 3836  Status: -

     Again, to be continued.
  4. Good evening, here is the first report from GMER's MBR rootkit detector:

     Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
     device: opened successfully
     user: MBR read successfully
     kernel: MBR read successfully
     user & kernel MBR OK

     I'm moving on to the next step, msconfig etc.
  5. Hello, ok for the report, but not before Friday evening; tonight I'm not at home. Have a good day.
  6. Hi again, ok, thanks. I mention formatting, but it's a last resort. See you later.
  7. Good evening. For RootRepeal, no problem, but for GMER I can't get to the Copy function, even by moving the window with the keyboard. Anyway, here's the RootRepeal report:

     ROOTREPEAL © AD, 2007-2009
     ==================================================
     Scan Start Time:     2009/10/20 21:46
     Program Version:     Version 1.3.5.0
     Windows Version:     Windows XP SP3
     ==================================================

     Processes
     -------------------
     Path: System  PID: 4  Status: -
     Path: C:\WINDOWS\system32\smss.exe  PID: 128  Status: -
     Path: C:\WINDOWS\system32\csrss.exe  PID: 176  Status: -
     Path: C:\WINDOWS\system32\winlogon.exe  PID: 200  Status: -
     Path: C:\WINDOWS\system32\services.exe  PID: 244  Status: -
     Path: C:\WINDOWS\system32\lsass.exe  PID: 256  Status: -
     Path: C:\WINDOWS\system32\svchost.exe  PID: 404  Status: -
     Path: C:\WINDOWS\system32\svchost.exe  PID: 468  Status: -
     Path: C:\WINDOWS\system32\svchost.exe  PID: 512  Status: -
     Path: C:\WINDOWS\explorer.exe  PID: 800  Status: -
     Path: C:\rootrepeal\RootRepeal.exe  PID: 1208  Status: -

     Let's carry on; at worst I'll have to format.
  8. Good evening, here are the new reports. RootRepeal:

     ROOTREPEAL © AD, 2007-2009
     ==================================================
     Scan Start Time:     2009/10/19 21:08
     Program Version:     Version 1.3.5.0
     Windows Version:     Windows XP SP3
     ==================================================

     Processes
     -------------------
     Path: System  PID: 4  Status: -
     Path: C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe  PID: 172  Status: -
     Path: C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe  PID: 276  Status: -
     Path: C:\WINDOWS\system32\ctfmon.exe  PID: 288  Status: -
     Path: C:\WINDOWS\system32\spoolsv.exe  PID: 396  Status: -
     Path: C:\WINDOWS\system32\alg.exe  PID: 660  Status: -
     Path: C:\Program Files\Fichiers communs\Symantec Shared\CCPD-LC\symlcsvc.exe  PID: 844  Status: -
     Path: C:\WINDOWS\system32\msfeedssync.exe  PID: 904  Status: -
     Path: C:\WINDOWS\system32\smss.exe  PID: 964  Status: -
     Path: C:\WINDOWS\system32\svchost.exe  PID: 1008  Status: -
     Path: C:\WINDOWS\system32\gearsec.exe  PID: 1060  Status: -
     Path: C:\WINDOWS\system32\csrss.exe  PID: 1064  Status: -
     Path: C:\Program Files\Java\jre6\bin\jqs.exe  PID: 1068  Status: -
     Path: C:\WINDOWS\system32\winlogon.exe  PID: 1088  Status: -
     Path: C:\WINDOWS\system32\services.exe  PID: 1132  Status: -
     Path: C:\WINDOWS\system32\lsass.exe  PID: 1144  Status: -
     Path: C:\WINDOWS\system32\svchost.exe  PID: 1268  Status: -
     Path: C:\Program Files\Norton Ghost\Agent\VProSvc.exe  PID: 1272  Status: -
     Path: C:\WINDOWS\system32\svchost.exe  PID: 1312  Status: -
     Path: C:\WINDOWS\system32\svchost.exe  PID: 1380  Status: -
     Path: C:\Program Files\Internet Explorer\iexplore.exe  PID: 1448  Status: Hidden from the Windows API!
     Path: C:\Program Files\Fichiers communs\BitDefender\BitDefender Update Service\livesrv.exe  PID: 1504  Status: -
     Path: C:\WINDOWS\system32\nvsvc32.exe  PID: 1536  Status: -
     Path: C:\Program Files\BitDefender\BitDefender 2010\vsserv.exe  PID: 1552  Status: -
     Path: C:\WINDOWS\system32\svchost.exe  PID: 1640  Status: -
     Path: C:\WINDOWS\system32\wdfmgr.exe  PID: 1736  Status: -
     Path: C:\WINDOWS\system32\svchost.exe  PID: 1744  Status: -
     Path: C:\WINDOWS\system32\svchost.exe  PID: 2000  Status: -
     Path: C:\Program Files\Java\jre6\bin\jusched.exe  PID: 2104  Status: -
     Path: C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe  PID: 2168  Status: -
     Path: C:\Program Files\DynDNS Updater\DynDNS.exe  PID: 2300  Status: -
     Path: C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe  PID: 2456  Status: -
     Path: C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe  PID: 2968  Status: -
     Path: C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe  PID: 2992  Status: -
     Path: C:\WINDOWS\system32\wuauclt.exe  PID: 3108  Status: -
     Path: C:\WINDOWS\explorer.exe  PID: 3348  Status: -
     Path: C:\Program Files\BitDefender\BitDefender 2010\bdagent.exe  PID: 3440  Status: -
     Path: C:\Program Files\BitDefender\BitDefender 2010\seccenter.exe  PID: 3696  Status: -
     Path: C:\rootrepeal\RootRepeal.exe  PID: 3804  Status: -
     Path: C:\WINDOWS\system32\rundll32.exe  PID: 3848  Status: -
     Path: C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe  PID: 3856  Status: -
     Path: C:\Program Files\Norton Ghost\Agent\GhostTray.exe  PID: 3864  Status: -
     Path: C:\Program Files\Macrogaming\SweetIM\SweetIM.exe  PID: 3872  Status: -
     Path: C:\Program Files\e-Carte Bleue\LA BANQUE POSTALE\CVD ADESIO\ECB.exe  PID: 3976  Status: -
     Path: C:\Program Files\HP\HP Software Update\hpwuSchd2.exe  PID: 4024  Status: -
     Path: C:\Program Files\mFaraj DB viewer4.0.0\dbvstart.bat  PID: 4068  Status: -

     And then GMER:

     GMER 1.0.15.15125 - http://www.gmer.net
     Rootkit scan 2009-10-19 21:11:34
     Windows 5.1.2600 Service Pack 3
     Running: gmer.exe; Driver: C:\DOCUME~1\narca\LOCALS~1\Temp\pgliqaow.sys

     ---- System - GMER 1.0.15 ----

     SSDT  \??\C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender S.R.L.)  ZwOpenThread [0xB96AAD7E]
     SSDT  \??\C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender S.R.L.)  ZwTerminateProcess [0xB96AABF4]
     SSDT  \??\C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender S.R.L.)  ZwTerminateThread [0xB96AAEC4]

     ---- Devices - GMER 1.0.15 ----

     AttachedDevice  \FileSystem\Ntfs \Ntfs                    SymSnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
     AttachedDevice  \Driver\Tcpip \Device\Ip                  bdftdif.sys (BitDefender Firewall TDI Filter Driver/BitDefender LLC)
     AttachedDevice  \Driver\Tcpip \Device\Tcp                 bdftdif.sys (BitDefender Firewall TDI Filter Driver/BitDefender LLC)
     AttachedDevice  \Driver\Ftdisk \Device\HarddiskVolume1    SymSnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
     AttachedDevice  \Driver\Ftdisk \Device\HarddiskVolume2    SymSnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
     AttachedDevice  \Driver\Tcpip \Device\Udp                 bdftdif.sys (BitDefender Firewall TDI Filter Driver/BitDefender LLC)
     AttachedDevice  \Driver\Tcpip \Device\RawIp               bdftdif.sys (BitDefender Firewall TDI Filter Driver/BitDefender LLC)
     AttachedDevice  \FileSystem\Fastfat \Fat                  fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

     ---- Processes - GMER 1.0.15 ----

     Process  C:\Program Files\Internet Explorer\iexplore.exe (*** hidden *** )  1448

     ---- EOF - GMER 1.0.15 ----

     There you go; I ran them in that order and right after XP loaded. To be continued.
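The two reports in post 8 agree on one point: PID 1448 (iexplore.exe) is hidden from the Windows API according to RootRepeal and marked "*** hidden ***" by GMER, while the SSDT hooks GMER lists all belong to one driver, bdselfpr.sys. Below is an added example of how a helper might triage such reports programmatically; it is not code from this thread, from RootRepeal or from GMER. It parses text in the shape of the two reports (either one entry per line, as the tools write them, or flattened onto one line, as they arrive after pasting), lists the processes RootRepeal marks hidden, groups GMER's SSDT hooks by hooking driver and vendor, and reports the PIDs both tools independently flag. The sample input is constructed from a few entries of the reports above and is not the full output.

```python
"""Triage helpers for RootRepeal and GMER reports of the kind pasted above."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample input: a handful of entries shaped like the RootRepeal
# Processes section and the GMER report above (not the full reports). Both
# tools write one entry per line; forum pasting often flattens a report onto
# one line, so the parsers match on field markers rather than line breaks.
ROOTREPEAL_SAMPLE = (
    "Processes\n-------------------\n"
    "Path: System PID: 4 Status: - "
    "Path: C:\\WINDOWS\\system32\\svchost.exe PID: 1268 Status: - "
    "Path: C:\\Program Files\\Internet Explorer\\iexplore.exe PID: 1448 "
    "Status: Hidden from the Windows API! "
    "Path: C:\\rootrepeal\\RootRepeal.exe PID: 3804 Status: -"
)
GMER_SAMPLE = (
    "---- System - GMER 1.0.15 ----\n"
    "SSDT \\??\\C:\\Program Files\\BitDefender\\BitDefender 2010\\bdselfpr.sys "
    "(BitDefender Self Protection Driver/BitDefender S.R.L.) ZwOpenThread [0xB96AAD7E]\n"
    "SSDT \\??\\C:\\Program Files\\BitDefender\\BitDefender 2010\\bdselfpr.sys "
    "(BitDefender Self Protection Driver/BitDefender S.R.L.) ZwTerminateProcess [0xB96AABF4]\n"
    "---- Processes - GMER 1.0.15 ----\n"
    "Process C:\\Program Files\\Internet Explorer\\iexplore.exe (*** hidden *** ) 1448\n"
    "---- EOF - GMER 1.0.15 ----\n"
)

_RR_PROCESS = re.compile(
    r"Path:\s+(?P<path>.+?)\s+PID:\s+(?P<pid>\d+)\s+Status:\s+(?P<status>.+?)"
    r"(?=\s+Path:\s|\s*$)",
    re.S,
)
_GMER_SSDT = re.compile(
    r"SSDT\s+(?P<driver>.+?)\s+\((?P<desc>[^)]*)\)\s+(?P<func>Zw\w+)\s+\[0x(?P<addr>[0-9A-Fa-f]+)\]"
)
_GMER_HIDDEN = re.compile(r"Process\s+(?P<path>.+?)\s+\(\*\*\* hidden \*\*\*\s*\)\s+(?P<pid>\d+)")


@dataclass(frozen=True)
class ProcessEntry:
    path: str
    pid: int
    status: str

    @property
    def hidden(self) -> bool:
        # RootRepeal flags a cross-view mismatch as "Hidden from the Windows API!"
        return "hidden" in self.status.lower()


@dataclass(frozen=True)
class SsdtHook:
    driver: str    # file name of the hooking driver
    vendor: str    # vendor taken from GMER's "(description/vendor)" text
    function: str  # hooked Zw* system service
    address: int   # hook target address reported by GMER


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def parse_rootrepeal_processes(text: str) -> list[ProcessEntry]:
    return [ProcessEntry(m["path"], int(m["pid"]), m["status"].strip())
            for m in _RR_PROCESS.finditer(text)]


def parse_gmer_ssdt(text: str) -> list[SsdtHook]:
    hooks = []
    for m in _GMER_SSDT.finditer(text):
        vendor = m["desc"].rsplit("/", 1)[-1].strip()
        hooks.append(SsdtHook(basename(m["driver"]), vendor, m["func"], int(m["addr"], 16)))
    return hooks


def parse_gmer_hidden_pids(text: str) -> dict[int, str]:
    return {int(m["pid"]): m["path"] for m in _GMER_HIDDEN.finditer(text)}


def hooks_by_driver(hooks: list[SsdtHook]) -> dict[str, list[str]]:
    """Group hooked services by driver so each hooker's footprint is visible at a glance."""
    grouped: dict[str, list[str]] = {}
    for h in hooks:
        grouped.setdefault(h.driver, []).append(h.function)
    return {d: sorted(f) for d, f in grouped.items()}


def corroborated_hidden(rr_text: str, gmer_text: str) -> list[int]:
    """PIDs that RootRepeal and GMER both report as hidden.

    A PID flagged by one tool deserves a second look; one flagged by two
    independent cross-view scanners is much harder to dismiss as a quirk.
    """
    rr_hidden = {e.pid for e in parse_rootrepeal_processes(rr_text) if e.hidden}
    return sorted(rr_hidden & set(parse_gmer_hidden_pids(gmer_text)))


def triage(rr_text: str, gmer_text: str) -> dict:
    hooks = parse_gmer_ssdt(gmer_text)
    return {
        "rootrepeal_hidden": [e.pid for e in parse_rootrepeal_processes(rr_text) if e.hidden],
        "gmer_hidden": sorted(parse_gmer_hidden_pids(gmer_text)),
        "corroborated_hidden": corroborated_hidden(rr_text, gmer_text),
        "ssdt_hooks": hooks_by_driver(hooks),
        "ssdt_vendors": sorted({h.vendor for h in hooks}),
    }


if __name__ == "__main__":
    for key, value in triage(ROOTREPEAL_SAMPLE, GMER_SAMPLE).items():
        print(f"{key}: {value}")
```

Run it on the full pasted reports by reading them from files and passing the text to `triage()`; the vendor grouping makes it quick to see whether every SSDT hook traces back to a security product's self-protection driver, and the corroboration list is what to bring to the thread before arguing about whether a hidden process is a false positive.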
  9. Hi, I'd be happy to, but when the machine boots there are lots of programs that start at startup, like BitDefender or Norton Ghost, HP Advisor, etc. Should I run the thing in Safe Mode? Have a good day.
  10. Here's the GMER report:

     GMER 1.0.15.15125 - http://www.gmer.net
     Rootkit scan 2009-10-16 00:24:59
     Windows 5.1.2600 Service Pack 3
     Running: gmer.exe; Driver: C:\DOCUME~1\narca\LOCALS~1\Temp\pgliqaow.sys

     ---- System - GMER 1.0.15 ----

     SSDT  \??\C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender S.R.L.)  ZwOpenProcess [0xB8F93C90]
     SSDT  \??\C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender S.R.L.)  ZwOpenThread [0xB8F93D7E]
     SSDT  \??\C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender S.R.L.)  ZwTerminateProcess [0xB8F93BF4]
     SSDT  \??\C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender S.R.L.)  ZwTerminateThread [0xB8F93EC4]

     ---- Devices - GMER 1.0.15 ----

     AttachedDevice  \FileSystem\Ntfs \Ntfs                    SymSnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
     AttachedDevice  \FileSystem\Ntfs \Ntfs                    trufos.sys (Trufos Kernel Module/BitDefender S.R.L.)
     AttachedDevice  \Driver\Tcpip \Device\Ip                  bdftdif.sys (BitDefender Firewall TDI Filter Driver/BitDefender LLC)
     AttachedDevice  \Driver\Tcpip \Device\Tcp                 bdftdif.sys (BitDefender Firewall TDI Filter Driver/BitDefender LLC)
     AttachedDevice  \Driver\Ftdisk \Device\HarddiskVolume1    SymSnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
     AttachedDevice  \Driver\Ftdisk \Device\HarddiskVolume1    trufos.sys (Trufos Kernel Module/BitDefender S.R.L.)
     AttachedDevice  \Driver\Ftdisk \Device\HarddiskVolume2    SymSnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
     AttachedDevice  \Driver\Ftdisk \Device\HarddiskVolume2    trufos.sys (Trufos Kernel Module/BitDefender S.R.L.)
     AttachedDevice  \Driver\Tcpip \Device\Udp                 bdftdif.sys (BitDefender Firewall TDI Filter Driver/BitDefender LLC)
     AttachedDevice  \Driver\Tcpip \Device\RawIp               bdftdif.sys (BitDefender Firewall TDI Filter Driver/BitDefender LLC)
     AttachedDevice  \FileSystem\Fastfat \Fat                  fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
     AttachedDevice  \FileSystem\Fastfat \Fat                  trufos.sys (Trufos Kernel Module/BitDefender S.R.L.)

     ---- Processes - GMER 1.0.15 ----

     Process  C:\Program Files\Internet Explorer\IEXPLORE.EXE (*** hidden *** )  2260

     ---- EOF - GMER 1.0.15 ----

     At the end of the scan it shows me a warning, rootkit present or something like that. Well then, good night and see you tomorrow.
  11. Good evening. I'm not panicking, because it's only the old machine for my daughters; it isn't used often. First, here's the Security Check report:

     Results of screen317's Security Check version 0.99.0
     Windows XP Service Pack 3
     ``````````````````````````````
     Antivirus/Firewall Check:
     BitDefender Total Security 2010
     ``````````````````````````````
     Anti-malware/Other Utilities Check:
     Norton Ghost 10.0
     Java 6 Update 15
     Java SE Runtime Environment 6 Update 1
     Java 6 Update 3
     Java 6 Update 5
     Java 6 Update 7
     Out of date Java installed!
     Adobe Flash Player 10
     Adobe Reader 9.1 - Français
     ``````````````````````````````
     Process Check: objlist.exe by Laurent
     BitDefender BitDefender 2010 bdagent.exe
     BitDefender BitDefender 2010 seccenter.exe
     BitDefender BitDefender 2010 vsserv.exe
     Fichiers communs BitDefender BitDefender Update Service livesrv.exe
     ``````````````````````````````
     DNS Vulnerability Check:
     Unknown. This method cannot test your vulnerability to DNS cache poisoning.
     `````````End of Log```````````

     Now I'm going to run GMER again. See you in a bit.
  12. Hello. As usual I'll look at it tonight, since right now I'm at work. What's odd is that BitDefender 2009 saw nothing; it was when I switched to BitDefender 2010 that this rootkit appeared. Otherwise, I opened an account with DynDNS and I use their DynDNS Updater software to keep my address and IP up to date, so with one port open, 12000 in TCP and UDP (I haven't opened any other port). Even though eMule and Pando are installed on my machine, that dates from 3 or 4 years ago, and my Livebox dates from this summer (I should uninstall them, by the way). Could it come from there? Thanks again.
  13. Hi again. Yes, it's IE that I use by default, without problems, except maybe a bit slow since I installed IE8, but then this PC is old, AMD 2700 and 512 MB of RAM. It's no longer my main PC; let's say it's used by my daughters and by me for my sat demos. So IE works very well but is slow to open pages, especially at startup, even though my home page is Google, which is very simple to open. See you.
  14. Good evening, here's the new report:

     ROOTREPEAL © AD, 2007-2009
     ==================================================
     Scan Start Time:     2009/10/14 21:41
     Program Version:     Version 1.3.5.0
     Windows Version:     Windows XP SP3
     ==================================================

     Hidden/Locked Files
     -------------------
     Path: C:\hiberfil.sys  Status: Locked to the Windows API!

     It's incredible, all the time you spend for me; you're really passionate. Thanks for everything.
  15. And finally, for the Processes tab:

     ROOTREPEAL © AD, 2007-2009
     ==================================================
     Scan Start Time:     2009/10/14 17:34
     Program Version:     Version 1.3.5.0
     Windows Version:     Windows XP SP3
     ==================================================

     Processes
     -------------------
     Path: System  PID: 4  Status: -
     Path: C:\Program Files\HP\HP Software Update\hpwuSchd2.exe  PID: 244  Status: -
     Path: C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe  PID: 272  Status: -
     Path: C:\WINDOWS\system32\spoolsv.exe  PID: 396  Status: -
     Path: C:\WINDOWS\system32\msfeedssync.exe  PID: 436  Status: -
     Path: C:\Program Files\mFaraj DB viewer4.0.0\dbvstart.bat  PID: 464  Status: -
     Path: C:\WINDOWS\system32\svchost.exe  PID: 544  Status: -
     Path: C:\Program Files\BitDefender\BitDefender 2010\bdagent.exe  PID: 676  Status: -
     Path: C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe  PID: 724  Status: -
     Path: C:\Program Files\Java\jre6\bin\jusched.exe  PID: 744  Status: -
     Path: C:\Program Files\DynDNS Updater\DynDNS.exe  PID: 788  Status: -
     Path: C:\WINDOWS\system32\ctfmon.exe  PID: 816  Status: -
     Path: C:\WINDOWS\system32\nvsvc32.exe  PID: 880  Status: -
     Path: C:\WINDOWS\explorer.exe  PID: 952  Status: -
     Path: C:\WINDOWS\system32\smss.exe  PID: 960  Status: -
     Path: C:\WINDOWS\system32\csrss.exe  PID: 1060  Status: -
     Path: C:\WINDOWS\system32\winlogon.exe  PID: 1084  Status: -
     Path: C:\WINDOWS\system32\services.exe  PID: 1128  Status: -
     Path: C:\WINDOWS\system32\lsass.exe  PID: 1140  Status: -
     Path: C:\WINDOWS\system32\svchost.exe  PID: 1268  Status: -
     Path: C:\WINDOWS\system32\svchost.exe  PID: 1300  Status: -
     Path: C:\WINDOWS\system32\wdfmgr.exe  PID: 1312  Status: -
     Path: C:\WINDOWS\system32\svchost.exe  PID: 1380  Status: -
     Path: C:\Program Files\Fichiers communs\BitDefender\BitDefender Update Service\livesrv.exe  PID: 1504  Status: -
     Path: C:\Program Files\BitDefender\BitDefender 2010\vsserv.exe  PID: 1548  Status: -
     Path: C:\WINDOWS\system32\svchost.exe  PID: 1636  Status: -
     Path: C:\WINDOWS\system32\svchost.exe  PID: 1776  Status: -
     Path: C:\WINDOWS\system32\gearsec.exe  PID: 1800  Status: -
     Path: C:\Program Files\Java\jre6\bin\jqs.exe  PID: 1832  Status: -
     Path: C:\WINDOWS\system32\rundll32.exe  PID: 1876  Status: -
     Path: C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe  PID: 1884  Status: -
     Path: C:\Program Files\Norton Ghost\Agent\GhostTray.exe  PID: 1892  Status: -
     Path: C:\Program Files\Macrogaming\SweetIM\SweetIM.exe  PID: 1900  Status: -
     Path: C:\Program Files\Norton Ghost\Agent\VProSvc.exe  PID: 1920  Status: -
     Path: C:\WINDOWS\system32\svchost.exe  PID: 1996  Status: -
     Path: C:\Program Files\e-Carte Bleue\LA BANQUE POSTALE\CVD ADESIO\ECB.exe  PID: 2028  Status: -
     Path: C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe  PID: 2044  Status: -
     Path: C:\Program Files\Internet Explorer\iexplore.exe  PID: 2260  Status: Hidden from the Windows API!
     Path: C:\Program Files\BitDefender\BitDefender 2010\seccenter.exe  PID: 2444  Status: -
     Path: C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe  PID: 2468  Status: -
     Path: C:\Program Files\Fichiers communs\Symantec Shared\CCPD-LC\symlcsvc.exe  PID: 3076  Status: -
     Path: C:\WINDOWS\system32\alg.exe  PID: 3124  Status: -
     Path: C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe  PID: 3528  Status: -
     Path: C:\WINDOWS\system32\HPZipm12.exe  PID: 3632  Status: -
     Path: C:\rootrepeal\RootRepeal.exe  PID: 3968  Status: -

     Hoping it's a false rootkit like you think.
  16. Hi again, here's what I get with RootRepeal for the Drivers tab:

     ROOTREPEAL © AD, 2007-2009
     ==================================================
     Scan Start Time:     2009/10/14 17:33
     Program Version:     Version 1.3.5.0
     Windows Version:     Windows XP SP3
     ==================================================

     Drivers
     -------------------
     Name: ACPI.sys  Image Path: ACPI.sys  Address: 0xF84E6000  Size: 188672  File Visible: -  Signed: -  Status: -
     Name: ACPI_HAL  Image Path: \Driver\ACPI_HAL  Address: 0x804D7000  Size: 2191104  File Visible: -  Signed: -  Status: -
     Name: afd.sys  Image Path: C:\WINDOWS\System32\drivers\afd.sys  Address: 0xF61D5000  Size: 138496  File Visible: -  Signed: -  Status: -
     Name: amdk7.sys  Image Path: C:\WINDOWS\system32\DRIVERS\amdk7.sys  Address: 0xF7AB4000  Size: 41856  File Visible: -  Signed: -  Status: -
     Name: atapi.sys  Image Path: atapi.sys  Address: 0xF849E000  Size: 96512  File Visible: -  Signed: -  Status: -
     Name: ATMFD.DLL  Image Path: C:\WINDOWS\System32\ATMFD.DLL  Address: 0xBFFA0000  Size: 286720  File Visible: -  Signed: -  Status: -
     Name: audstub.sys  Image Path: C:\WINDOWS\system32\DRIVERS\audstub.sys  Address: 0xF8B20000  Size: 3072  File Visible: -  Signed: -  Status: -
     Name: bdfm.sys  Image Path: C:\WINDOWS\system32\drivers\bdfm.sys  Address: 0xB8D02000  Size: 145664  File Visible: -  Signed: -  Status: -
     Name: bdfndisf.sys  Image Path: C:\WINDOWS\system32\DRIVERS\bdfndisf.sys  Address: 0xF7582000  Size: 104192  File Visible: -  Signed: -  Status: -
     Name: bdfsfltr.sys  Image Path: bdfsfltr.sys  Address: 0xF8427000  Size: 279040  File Visible: -  Signed: -  Status: -
     Name: bdftdif.sys  Image Path: C:\Program Files\Fichiers communs\BitDefender\BitDefender Firewall\bdftdif.sys  Address: 0xF621F000  Size: 111872  File Visible: -  Signed: -  Status: -
     Name: BDHV.SYS  Image Path: C:\WINDOWS\system32\drivers\BDHV.SYS  Address: 0xB8CE9000  Size: 102400  File Visible: -  Signed: -  Status: -
     Name: bdselfpr.sys  Image Path: C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys  Address: 0xB8F93000  Size: 8832  File Visible: -  Signed: -  Status: -
     Name: bdvedisk.sys  Image Path: C:\Program Files\BitDefender\BitDefender 2010\bdvedisk.sys  Address: 0xB9675000  Size: 76032  File Visible: -  Signed: -  Status: -
     Name: Beep.SYS  Image Path: C:\WINDOWS\System32\Drivers\Beep.SYS  Address: 0xF8A66000  Size: 4224  File Visible: -  Signed: -  Status: -
     Name: BOOTVID.dll  Image Path: C:\WINDOWS\system32\BOOTVID.dll  Address: 0xF8946000  Size: 12288  File Visible: -  Signed: -  Status: -
     Name: Cdfs.SYS  Image Path: C:\WINDOWS\System32\Drivers\Cdfs.SYS  Address: 0xF8786000  Size: 63744  File Visible: -  Signed: -  Status: -
     Name: cdrom.sys  Image Path: C:\WINDOWS\system32\DRIVERS\cdrom.sys  Address: 0xF85D6000  Size: 62976  File Visible: -  Signed: -  Status: -
     Name: CLASSPNP.SYS  Image Path: C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS  Address: 0xF8576000  Size: 53248  File Visible: -  Signed: -  Status: -
     Name: disk.sys  Image Path: disk.sys  Address: 0xF8566000  Size: 36352  File Visible: -  Signed: -  Status: -
     Name: drmk.sys  Image Path: C:\WINDOWS\system32\drivers\drmk.sys  Address: 0xF8686000  Size: 61440  File Visible: -  Signed: -  Status: -
     Name: dump_atapi.sys  Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys  Address: 0xF6070000  Size: 98304  File Visible: No  Signed: -  Status: -
     Name: dump_WMILIB.SYS  Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS  Address: 0xF8A8A000  Size: 8192  File Visible: No  Signed: -  Status: -
     Name: Dxapi.sys  Image Path: C:\WINDOWS\System32\drivers\Dxapi.sys  Address: 0xF61A9000  Size: 12288  File Visible: -  Signed: -  Status: -
     Name: dxg.sys  Image Path: C:\WINDOWS\System32\drivers\dxg.sys  Address: 0xBF000000  Size: 73728  File Visible: -  Signed: -  Status: -
     Name: dxgthk.sys  Image Path: C:\WINDOWS\System32\drivers\dxgthk.sys  Address: 0xF8B04000  Size: 4096  File Visible: -  Signed: -  Status: -
     Name: EIO.sys  Image Path: C:\WINDOWS\system32\drivers\EIO.sys  Address: 0xF8A3C000  Size: 7648  File Visible: -  Signed: -  Status: -
     Name: Fastfat.SYS  Image Path: C:\WINDOWS\System32\Drivers\Fastfat.SYS  Address: 0xB8DC6000  Size: 143744  File Visible: -  Signed: -  Status: -
     Name: fdc.sys  Image Path: C:\WINDOWS\system32\DRIVERS\fdc.sys  Address: 0xF889E000  Size: 27392  File Visible: -  Signed: -  Status: -
     Name: Fips.SYS  Image Path: C:\WINDOWS\System32\Drivers\Fips.SYS  Address: 0xF86D6000  Size: 44672  File Visible: -  Signed: -  Status: -
     Name: flpydisk.sys  Image Path: C:\WINDOWS\system32\DRIVERS\flpydisk.sys  Address: 0xF88DE000  Size: 20480  File Visible: -  Signed: -  Status: -
     Name: fltmgr.sys  Image Path: fltmgr.sys  Address: 0xF847E000  Size: 129792  File Visible: -  Signed: -  Status: -
     Name: Fs_Rec.SYS  Image Path: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS  Address: 0xF8A64000  Size: 7936  File Visible: -  Signed: -  Status: -
     Name: ftdisk.sys  Image Path: ftdisk.sys  Address: 0xF84B6000  Size: 126080  File Visible: -  Signed: -  Status: -
     Name: GearAspiWDM.SYS  Image Path: C:\WINDOWS\System32\Drivers\GearAspiWDM.SYS  Address: 0xF8896000  Size: 28672  File Visible: -  Signed: -  Status: -
     Name: hal.dll  Image Path: C:\WINDOWS\system32\hal.dll  Address: 0x806EE000  Size: 131840  File Visible: -  Signed: -  Status: -
     Name: HPZid412.sys  Image Path: C:\WINDOWS\system32\DRIVERS\HPZid412.sys  Address: 0xB9073000  Size: 50848  File Visible: -  Signed: -  Status: -
     Name: HPZipr12.sys  Image Path: C:\WINDOWS\system32\DRIVERS\HPZipr12.sys  Address: 0xB8D62000  Size: 16224  File Visible: -  Signed: -  Status: -
     Name: HPZius12.sys  Image Path: C:\WINDOWS\system32\DRIVERS\HPZius12.sys  Address: 0xF8806000  Size: 21472  File Visible: -  Signed: -  Status: -
     Name: HTTP.sys  Image Path: C:\WINDOWS\System32\Drivers\HTTP.sys  Address: 0xB8F2A000  Size: 264832  File Visible: -  Signed: -  Status: -
     Name: i8042prt.sys  Image Path: C:\WINDOWS\system32\DRIVERS\i8042prt.sys  Address: 0xF85F6000  Size: 54144  File Visible: -  Signed: -  Status: -
     Name: imapi.sys  Image Path: C:\WINDOWS\system32\DRIVERS\imapi.sys  Address: 0xF85C6000  Size: 42112  File Visible: -  Signed: -  Status: -
     Name: ioperm.sys  Image Path: C:\cygwin\bin\ioperm.sys  Address: 0xB9984000  Size: 16384  File Visible: -  Signed: -  Status: -
     Name: ipnat.sys  Image Path: C:\WINDOWS\system32\DRIVERS\ipnat.sys  Address: 0xF60B0000  Size: 152832  File Visible: -  Signed: -  Status: -
     Name: ipsec.sys  Image Path: C:\WINDOWS\system32\DRIVERS\ipsec.sys  Address: 0xF6294000  Size: 75264  File Visible: -  Signed: -  Status: -
     Name: isapnp.sys  Image Path: isapnp.sys  Address: 0xF8536000  Size: 37632  File Visible: -  Signed: -  Status: -
     Name: ISODrive.sys  Image Path: C:\Program Files\UltraISO\drivers\ISODrive.sys  Address: 0xF60D6000  Size: 81920  File Visible: -  Signed: -  Status: -
     Name: kbdclass.sys  Image Path: C:\WINDOWS\system32\DRIVERS\kbdclass.sys  Address: 0xF88AE000  Size: 25216  File Visible: -  Signed: -  Status: -
     Name: KDCOM.DLL  Image Path: C:\WINDOWS\system32\KDCOM.DLL  Address: 0xF8A36000  Size: 8192  File Visible: -  Signed: -  Status: -
     Name: kmixer.sys  Image Path: C:\WINDOWS\system32\drivers\kmixer.sys  Address: 0xB8BF6000  Size: 172416  File Visible: -  Signed: -  Status: -
     Name: ks.sys  Image Path: C:\WINDOWS\system32\DRIVERS\ks.sys  Address: 0xF7A01000  Size: 143360  File Visible: -  Signed: -  Status: -
     Name: KSecDD.sys  Image Path: KSecDD.sys  Address: 0xF83FA000  Size: 92928  File Visible: -  Signed: -  Status: -
     Name: mnmdd.SYS  Image Path: C:\WINDOWS\System32\Drivers\mnmdd.SYS  Address: 0xF8A68000  Size: 4224  File Visible: -  Signed: -  Status: -
     Name: mouclass.sys  Image Path: C:\WINDOWS\system32\DRIVERS\mouclass.sys  Address: 0xF88A6000  Size: 23680  File Visible: -  Signed: -  Status: -
     Name: MountMgr.sys  Image Path: MountMgr.sys  Address: 0xF8546000  Size: 42368  File Visible: -  Signed: -  Status: -
     Name: mrxdav.sys  Image Path: C:\WINDOWS\system32\DRIVERS\mrxdav.sys  Address: 0xB96B0000  Size: 180608  File Visible: -  Signed: -  Status: -
     Name: mrxsmb.sys  Image Path: C:\WINDOWS\system32\DRIVERS\mrxsmb.sys  Address: 0xF60EA000  Size: 455296  File Visible: -  Signed: -  Status: -
     Name: Msfs.SYS  Image Path: C:\WINDOWS\System32\Drivers\Msfs.SYS  Address: 0xF88F6000  Size: 19072  File Visible: -  Signed: -  Status: -
     Name: msgpc.sys  Image Path: C:\WINDOWS\system32\DRIVERS\msgpc.sys  Address: 0xF8636000  Size: 35072  File Visible: -  Signed: -  Status: -
     Name: mssmbios.sys  Image Path: C:\WINDOWS\system32\DRIVERS\mssmbios.sys  Address: 0xF82A1000  Size: 15488  File Visible: -  Signed: -  Status: -
     Name: Mup.sys  Image Path: Mup.sys  Address: 0xF8326000  Size: 105344  File Visible: -  Signed: -  Status: -
     Name: NDIS.sys  Image Path: NDIS.sys  Address: 0xF8340000  Size: 182656  File Visible: -  Signed: -  Status: -
     Name: ndistapi.sys  Image Path: C:\WINDOWS\system32\DRIVERS\ndistapi.sys  Address: 0xF82B1000  Size: 10112  File Visible: -  Signed: -  Status: -
     Name: ndisuio.sys  Image Path: C:\WINDOWS\system32\DRIVERS\ndisuio.sys  Address: 0xBA5C8000  Size: 14592  File Visible: -  Signed: -  Status: -
     Name: ndiswan.sys  Image Path: C:\WINDOWS\system32\DRIVERS\ndiswan.sys  Address: 0xF75AD000  Size: 91520  File Visible: -  Signed: -  Status: -
     Name: NDProxy.SYS  Image Path: C:\WINDOWS\System32\Drivers\NDProxy.SYS  Address: 0xF8666000  Size: 40576  File Visible: -  Signed: -  Status: -
     Name: netbios.sys  Image Path: C:\WINDOWS\system32\DRIVERS\netbios.sys  Address: 0xF86B6000  Size: 34688  File Visible: -  Signed: -  Status: -
     Name: netbt.sys  Image Path: C:\WINDOWS\system32\DRIVERS\netbt.sys  Address: 0xF61F7000  Size: 162816  File Visible: -  Signed: -  Status: -
     Name: Npfs.SYS  Image Path: C:\WINDOWS\System32\Drivers\Npfs.SYS  Address: 0xF88FE000  Size: 30848  File Visible: -  Signed: -  Status: -
     Name: Ntfs.sys  Image Path: Ntfs.sys  Address: 0xF836D000  Size: 574976  File Visible: -  Signed: -  Status: -
     Name: ntoskrnl.exe  Image Path: C:\WINDOWS\system32\ntoskrnl.exe  Address: 0x804D7000  Size: 2191104  File Visible: -  Signed: -  Status: -
     Name: Null.SYS  Image Path: C:\WINDOWS\System32\Drivers\Null.SYS  Address: 0xF8BC7000  Size: 2944  File Visible: -  Signed: -  Status: -
     Name: nv4_disp.dll  Image Path: C:\WINDOWS\System32\nv4_disp.dll  Address: 0xBF012000  Size: 4530176  File Visible: -  Signed: -  Status: -
     Name: nv4_mini.sys  Image Path: C:\WINDOWS\system32\DRIVERS\nv4_mini.sys  Address: 0xF75FD000  Size: 3994624  File Visible: -  Signed: -  Status: -
     Name: nv_agp.sys  Image Path: nv_agp.sys  Address: 0xF87C6000  Size: 18688  File Visible: -  Signed: -  Status: -
     Name: nvapu.sys  Image Path: C:\WINDOWS\system32\drivers\nvapu.sys  Address: 0xF74D7000  Size: 311936  File Visible: -  Signed: -  Status: -
     Name: nvarm.sys  Image Path: C:\WINDOWS\system32\drivers\nvarm.sys  Address: 0xF73EF000  Size: 69632  File Visible: -  Signed: -  Status: -
     Name: nvax.sys  Image Path: C:\WINDOWS\system32\drivers\nvax.sys  Address: 0xF7AA4000  Size: 38784  File Visible: -  Signed: -  Status: -
     Name: NVENET.sys  Image Path: C:\WINDOWS\system32\DRIVERS\NVENET.sys  Address: 0xF7A24000  Size: 80896  File Visible: -  Signed: -  Status: -
     Name: nvmcp.sys  Image Path: C:\WINDOWS\system32\drivers\nvmcp.sys  Address: 0xF7400000  Size: 733184  File Visible: -  Signed: -  Status: -
     Name: parport.sys  Image Path: C:\WINDOWS\system32\DRIVERS\parport.sys  Address: 0xF75C4000  Size: 80384  File Visible: -  Signed: -  Status: -
     Name: PartMgr.sys  Image Path: PartMgr.sys  Address: 0xF87BE000  Size: 19712  File Visible: -  Signed: -  Status: -
     Name: ParVdm.SYS  Image Path: C:\WINDOWS\System32\Drivers\ParVdm.SYS  Address: 0xF8A3A000  Size: 6912  File Visible: -  Signed: -  Status: -
     Name: pci.sys  Image Path: pci.sys  Address: 0xF84D5000  Size: 68608  File Visible: -  Signed: -  Status: -
     Name: pciide.sys  Image Path: pciide.sys  Address: 0xF8AFE000  Size: 3328  File Visible: -  Signed: -  Status: -
     Name: PCIIDEX.SYS  Image Path: C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS  Address: 0xF87B6000  Size: 28672  File Visible: -  Signed: -  Status: -
     Name: PnpManager  Image Path: \Driver\PnpManager  Address: 0x804D7000  Size: 2191104  File Visible: -  Signed: -  Status: -
     Name: portcls.sys  Image Path: C:\WINDOWS\system32\drivers\portcls.sys  Address: 0xF74B3000  Size: 147456  File Visible: -  Signed: -  Status: -
     Name: psched.sys  Image Path: C:\WINDOWS\system32\DRIVERS\psched.sys  Address: 0xF759C000  Size: 69120  File Visible: -  Signed: -  Status: -
     Name: ptilink.sys  Image Path: C:\WINDOWS\system32\DRIVERS\ptilink.sys  Address: 0xF88BE000  Size: 17792  File Visible: -  Signed: -  Status: -
     Name: PxHelp20.sys  Image Path: PxHelp20.sys  Address: 0xF8586000  Size: 35712  File Visible: -  Signed: -  Status: -
     Name: rasacd.sys  Image Path: C:\WINDOWS\system32\DRIVERS\rasacd.sys  Address: 0xF7A60000  Size: 8832  File Visible: -  Signed: -  Status: -
     Name: rasl2tp.sys  Image Path: C:\WINDOWS\system32\DRIVERS\rasl2tp.sys  Address: 0xF8606000  Size: 51328  File Visible: -  Signed: -  Status: -
     Name: raspppoe.sys  Image Path: C:\WINDOWS\system32\DRIVERS\raspppoe.sys  Address: 0xF8616000  Size: 41472  File Visible: -  Signed: -  Status: -
     Name: raspptp.sys  Image Path: C:\WINDOWS\system32\DRIVERS\raspptp.sys  Address: 0xF8626000  Size: 48384  File Visible: -  Signed: -  Status: -
     Name: raspti.sys  Image Path: C:\WINDOWS\system32\DRIVERS\raspti.sys  Address: 0xF88C6000  Size: 16512  File Visible: -  Signed: -  Status: -
     Name: RAW  Image Path: \FileSystem\RAW  Address: 0x804D7000  Size: 2191104  File Visible: -  Signed: -  Status: -
     Name: rdbss.sys  Image Path: C:\WINDOWS\system32\DRIVERS\rdbss.sys  Address: 0xF615A000  Size: 175744  File Visible: -  Signed: -  Status: -
     Name: RDPCDD.sys  Image Path: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys  Address: 0xF8A6A000  Size: 4224  File Visible: -  Signed: -  Status: -
     Name: redbook.sys  Image Path: C:\WINDOWS\system32\DRIVERS\redbook.sys  Address: 0xF85E6000  Size: 58752  File Visible: -  Signed: -  Status: -
     Name: rootrepeal.sys  Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys  Address: 0xB936B000  Size: 49152  File Visible: No  Signed: -  Status: -
     Name: rspndr.sys  Image Path: C:\WINDOWS\system32\DRIVERS\rspndr.sys  Address: 0xBA518000  Size: 62336  File Visible: -  Signed: -  Status: -
     Name: serenum.sys  Image Path: C:\WINDOWS\system32\DRIVERS\serenum.sys  Address: 0xF82B5000  Size: 15744  File Visible: -  Signed: -  Status: -
     Name: serial.sys  Image Path: C:\WINDOWS\system32\DRIVERS\serial.sys  Address: 0xF75D8000  Size: 66048  File Visible: -  Signed: -  Status: -
     Name: sr.sys  Image Path: sr.sys  Address: 0xF846C000  Size: 73600  File Visible: -  Signed: -  Status: -
     Name: srv.sys  Image Path: C:\WINDOWS\system32\DRIVERS\srv.sys  Address: 0xB955B000  Size: 333952  File Visible: -  Signed: -  Status: -
     Name: swenum.sys  Image Path: C:\WINDOWS\system32\DRIVERS\swenum.sys  Address: 0xF8A60000  Size: 4352  File Visible: -  Signed: -  Status: -
     Name: symlcbrd.sys  Image Path: C:\WINDOWS\system32\drivers\symlcbrd.sys  Address: 0xF886E000  Size: 24576  File Visible: -  Signed: -  Status: -
     Name: SymSnap.sys  Image Path: SymSnap.sys  Address: 0xF8411000  Size: 87136  File Visible: -  Signed: -  Status: -
     Name: sysaudio.sys  Image Path: C:\WINDOWS\system32\drivers\sysaudio.sys  Address: 0xB9AC0000  Size: 60800  File Visible: -  Signed: -  Status: -
     Name: tcpip.sys  Image Path: C:\WINDOWS\system32\DRIVERS\tcpip.sys  Address: 0xF623B000  Size: 361600  File Visible: -  Signed: -  Status: -
     Name: TDI.SYS  Image Path: C:\WINDOWS\system32\DRIVERS\TDI.SYS  Address: 0xF88B6000  Size: 20480  File Visible: -  Signed: -  Status: -
     Name: termdd.sys  Image Path: C:\WINDOWS\system32\DRIVERS\termdd.sys  Address: 0xF8656000  Size: 40704  File Visible: -  Signed: -  Status: -
     Name: update.sys  Image Path: C:\WINDOWS\system32\DRIVERS\update.sys  Address: 0xF7524000  Size: 384768  File Visible: -  Signed: -  Status: -
     Name: usbccgp.sys  Image Path: C:\WINDOWS\system32\DRIVERS\usbccgp.sys  Address: 0xF888E000  Size: 32128  File Visible: -  Signed: -  Status: -
     Name: USBD.SYS  Image Path: C:\WINDOWS\system32\DRIVERS\USBD.SYS  Address: 0xF8A62000  Size: 8192  File Visible: -  Signed: -  Status: -
     Name: usbehci.sys  Image Path: C:\WINDOWS\system32\DRIVERS\usbehci.sys  Address: 0xF8886000  Size: 30208  File Visible: -  Signed: -  Status: -
     Name: usbhub.sys  Image Path: C:\WINDOWS\system32\DRIVERS\usbhub.sys  Address: 0xF8676000  Size: 59520  File Visible: -  Signed: -  Status: -
     Name: usbohci.sys  Image Path: C:\WINDOWS\system32\DRIVERS\usbohci.sys  Address: 0xF887E000  Size: 17152  File Visible: -  Signed: -  Status: -
     Name: USBPORT.SYS  Image Path: C:\WINDOWS\system32\DRIVERS\USBPORT.SYS  Address: 0xF7A38000  Size: 147456  File Visible: -  Signed: -  Status: -
     Name: usbprint.sys  Image Path: C:\WINDOWS\system32\DRIVERS\usbprint.sys  Address: 0xF893E000  Size: 25856  File Visible: -  Signed: -  Status: -
     Name: usbscan.sys  Image Path: C:\WINDOWS\system32\DRIVERS\usbscan.sys  Address: 0xB8DAE000  Size: 15104  File Visible: -  Signed: -  Status: -
     Name: V2IMount.SYS  Image Path: C:\WINDOWS\System32\Drivers\V2IMount.SYS  Address: 0xF86C6000  Size: 39456  File Visible: -  Signed: -  Status: -
     Name: vga.sys  Image Path: C:\WINDOWS\System32\drivers\vga.sys  Address: 0xF88EE000  Size: 20992  File Visible: -  Signed: -  Status: -
     Name: VIDEOPRT.SYS  Image Path: C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS  Address: 0xF75E9000  Size: 81920  File Visible: -  Signed: -  Status: -
     Name: VolSnap.sys  Image Path: VolSnap.sys  Address: 0xF8556000  Size: 53376  File Visible: -  Signed: -  Status: -
     Name: wanarp.sys  Image Path: C:\WINDOWS\system32\DRIVERS\wanarp.sys  Address: 0xF86E6000  Size: 34560  File Visible: -  Signed: -  Status: -
     Name: watchdog.sys  Image Path: C:\WINDOWS\System32\watchdog.sys  Address: 0xF8926000  Size: 20480  File Visible: -  Signed: -  Status: -
     Name: wdmaud.sys  Image Path: C:\WINDOWS\system32\drivers\wdmaud.sys  Address: 0xB98C3000  Size: 83072  File Visible: -  Signed: -  Status: -
     Name: Win32k  Image Path: \Driver\Win32k  Address: 0xBF800000  Size: 1847296  File Visible: -  Signed: -  Status: -
     Name: win32k.sys  Image Path: C:\WINDOWS\System32\win32k.sys  Address: 0xBF800000  Size: 1847296  File Visible: -  Signed: -  Status: -
     Name: WMILIB.SYS  Image Path: C:\WINDOWS\system32\DRIVERS\WMILIB.SYS  Address: 0xF8A38000  Size: 8192  File Visible: -  Signed: -  Status: -
     Name: WMIxWDM  Image Path: \Driver\WMIxWDM  Address: 0x804D7000  Size: 2191104  File Visible: -  Signed: -  Status: -
  17. Hello, sorry if I made a mistake in the copy-paste. I'll pick up the rest this evening. Thanks and have a good day.
  18. Good evening. Apparently nothing is resolved, since BitDefender finds the hidden rootkit again after a scan. This rootkit is a tough one.
  19. Good evening, here is the next part. Note that I had a problem with OTM: I ran the procedure, and at the end a window appeared asking whether I wanted to view fix.log. I clicked OK, but then I had no more icons on the desktop and no access to anything (Start menu, etc.). I pressed Ctrl+Alt+Del and restarted the computer. Otherwise, here is the text file it created:

========== PROCESSES ==========
Process explorer.exe killed successfully!
========== FILES ==========
File/Folder c:\docume~1\narca\LOCALS~1\Temp\cdrmkaun.sys not found.
========== SERVICES/DRIVERS ==========
Service\Driver cdrmkaun deleted successfully.
========== COMMANDS ==========
OTM by OldTimer - Version 3.0.0.6 log created on 10122009_221504

I hope it will be good this time. See you soon.
  20. Hello, sorry, I was not at home on Sunday. I'm on XP SP3. No problem for the logs; I'll avoid doing anything stupid. I'll continue all this tonight. Have a good day.
  21. Good evening. First of all, it did not ask me to restart, and there is one program I could not close before launching the scan, Norton Ghost. Otherwise, here is the next part:

ComboFix 09-10-08.04 - narca 10/10/2009 18:49.1.1 - NTFSx86
Microsoft Windows XP Édition familiale 5.1.2600.3.1252.33.1036.18.511.284 [GMT 2:00]
Lancé depuis: c:\documents and settings\narca\Bureau\ComboFix.exe
AV: BitDefender Antivirus *On-access scanning disabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
FW: BitDefender Pare-feu *disabled* {4055920F-2E99-48A8-A270-4243D2B8F242}
.
(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\narca\Application Data\addons.dat
c:\windows\Installer\2b516.msi
c:\windows\Installer\31212.msi
c:\windows\system32\Ijl11.dll
.
((((((((((((((((((((((((((((( Fichiers créés du 2009-09-10 au 2009-10-10 ))))))))))))))))))))))))))))))))))))
.
2009-10-08 17:49 . 2009-10-08 17:49 -------- d-----w- c:\documents and settings\narca\Application Data\Malwarebytes
2009-10-08 17:49 . 2009-09-10 12:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-08 17:48 . 2009-10-08 17:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-08 17:48 . 2009-09-10 12:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-08 17:48 . 2009-10-08 17:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-07 21:48 . 2009-10-07 21:48 -------- d-----w- c:\program files\trend micro
2009-10-07 21:48 . 2009-10-07 21:48 -------- d-----w- C:\rsit
2009-10-03 09:04 . 2009-10-03 09:04 0 ----a-w- c:\windows\system32\wsbl.dat
2009-10-03 09:04 . 2009-10-03 09:04 0 ----a-w- c:\windows\system32\ph_white.dat
2009-10-03 09:04 . 2009-10-03 09:04 0 ----a-w- c:\windows\system32\ph_summ.dat
2009-10-03 09:04 . 2009-10-03 09:04 0 ----a-w- c:\windows\system32\ph_black.dat
2009-10-03 09:04 . 2009-10-03 09:04 0 ----a-w- c:\windows\system32\pcwords2.dat
2009-10-03 09:04 . 2009-10-03 09:04 0 ----a-w- c:\windows\system32\pcwords.dat
2009-10-03 07:50 . 2009-10-03 07:50 4 ----a-w- c:\windows\system32\aspdict-en.dat
2009-10-03 07:50 . 2009-10-03 07:50 16 ----a-w- c:\windows\system32\asdict.dat
2009-10-02 19:16 . 2009-10-03 08:31 132 ----a-w- c:\windows\system32\rezumatenoi.dat
2009-10-02 19:03 . 2009-10-02 19:03 -------- d-----w- c:\documents and settings\narca\Application Data\BitDefender
2009-10-02 19:02 . 2009-10-02 19:06 -------- d-----w- c:\documents and settings\All Users\Application Data\BitDefender
2009-10-02 19:02 . 2009-10-02 19:03 -------- d-----w- c:\program files\BitDefender
2009-10-02 19:01 . 2009-10-02 19:03 -------- d-----w- c:\program files\Fichiers communs\BitDefender
2009-10-02 18:51 . 2009-10-02 18:53 192806 ----a-w- C:\BdUninstallTool2009.10.02-08.51.20.reg
2009-10-02 15:27 . 2009-10-02 15:27 -------- d-----w- c:\program files\FreeTime
2009-09-28 20:54 . 2009-09-28 20:54 -------- d-----w- c:\documents and settings\narca\Local Settings\Application Data\Downloaded Installations
2009-09-28 20:33 . 2003-01-29 07:29 8703 ------r- c:\windows\system32\drivers\EIO.sys
.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-10 16:32 . 2009-07-23 12:08 -------- d--h--w- c:\program files\php moderator
2009-10-09 22:03 . 2007-06-13 15:12 -------- d-----w- c:\program files\DynDNS Updater
2009-10-09 16:54 . 2009-06-29 12:12 152328 ----a-w- c:\windows\system32\drivers\bdfm.sys
2009-10-03 09:10 . 2007-05-16 19:33 -------- d-----w- c:\program files\Java
2009-10-02 19:16 . 2009-06-29 12:12 105736 ----a-w- c:\windows\system32\drivers\bdhv.sys
2009-10-02 19:14 . 2009-08-06 14:34 110856 ----a-w- c:\windows\system32\drivers\bdfndisf.sys
2009-10-02 18:51 . 2007-12-11 20:09 81984 ----a-w- c:\windows\system32\bdod.bin
2009-10-02 15:34 . 2009-07-24 18:11 -------- d-----w- c:\documents and settings\narca\Application Data\vlc
2009-09-23 21:11 . 2009-09-07 20:16 -------- d-----w- c:\documents and settings\narca\Application Data\dvdcss
2009-09-07 21:09 . 2009-09-07 21:09 -------- d-----w- c:\program files\SIW
2009-08-21 17:36 . 2009-08-21 17:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-08-19 15:33 . 2007-05-15 21:06 47224 ----a-w- c:\documents and settings\narca\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-19 15:31 . 2009-08-19 15:31 -------- d-----w- c:\program files\Adult Online TV Player 2009
2009-08-11 15:42 . 2006-03-02 12:00 84956 ----a-w- c:\windows\system32\perfc00C.dat
2009-08-11 15:42 . 2006-03-02 12:00 509872 ----a-w- c:\windows\system32\perfh00C.dat
2009-08-06 17:24 . 2007-05-15 20:09 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-06 17:24 . 2007-05-15 20:09 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-06 17:24 . 2007-05-15 20:09 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-06 17:24 . 2005-05-26 02:16 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-06 17:24 . 2007-05-15 20:09 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-08-06 17:24 . 2006-03-02 12:00 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-06 17:23 . 2007-05-15 20:09 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-06 17:23 . 2007-05-15 20:09 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 09:00 . 2006-03-02 12:00 205312 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-25 03:23 . 2009-07-23 10:33 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-24 10:26 . 2009-07-24 10:26 285704 ----a-w- c:\windows\system32\drivers\bdfsfltr.sys
2009-07-23 12:18 . 2009-07-23 12:18 18944 ----a-w- C:\ZoneAlarm updater.exe
2009-07-17 19:03 . 2006-03-02 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 08:08 . 2006-03-02 12:00 286720 ----a-w- c:\windows\system32\wmpdxm.dll
2006-05-03 10:06 . 2009-08-01 18:38 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 11:47 . 2009-08-01 18:38 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 13:30 . 2009-08-01 18:38 216064 --sh--r- c:\windows\system32\nbDX.dll
.
((((((((((((((((((((((((((((((((( Points de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DynDNS Updater"="c:\program files\DynDNS Updater\DynDNS.exe" [2006-09-17 1352704]
"SweetIM"="c:\program files\Macrogaming\SweetIM\SweetIM.exe" [2007-07-25 102512]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\program files\Fichiers communs\Ahead\Lib\NeroCheck.exe" [2007-03-09 153136]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"ccApp"="c:\program files\Fichiers communs\Symantec Shared\ccApp.exe" [2005-01-20 58992]
"Norton Ghost 10.0"="c:\program files\Norton Ghost\Agent\GhostTray.exe" [2005-09-09 1537648]
"SweetIM"="c:\program files\Macrogaming\SweetIM\SweetIM.exe" [2007-07-25 102512]
"eCarteBleue-LP-P1"="c:\program files\e-Carte Bleue\LA BANQUE POSTALE\CVD ADESIO\ECB.exe" [2005-12-13 200704]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 49152]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"dbvstart"="c:\program files\mFaraj DB viewer4.0.0\dbvstart.bat" [2009-01-13 24576]
"BitDefender Antiphishing Helper"="c:\program files\BitDefender\BitDefender 2010\IEShow.exe" [2009-10-02 71152]
"BDAgent"="c:\program files\BitDefender\BitDefender 2010\bdagent.exe" [2009-10-02 1114536]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-10-22 1622016]
"NvMediaCenter"="NvMCTray.dll" - c:\windows\system32\nvmctray.dll [2006-10-22 86016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Menu Démarrer\Programmes\Démarrage\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-12 282624]
web root scanner.exe [2009-7-23 96239]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Gbox Share Control\\GboxSC.exe"=
"c:\\Program Files\\MSN Gaming Zone\\Windows\\shvlzm.exe"=
"c:\\Documents and Settings\\narca\\Bureau\\mon gbox\\webinterface\\bin\\apache\\mapache.exe"=
"c:\\Program Files\\eMule\\emule.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Documents and Settings\\narca\\Bureau\\mon gbox\\gboxx86.exe"=
"c:\\Program Files\\Pando Networks\\Pando\\pando.exe"=
"c:\\Documents and Settings\\narca\\Bureau\\gbox 1.9j avec gbox 2.25\\webinterface\\bin\\apache\\mapache.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5810:UDP"= 5810:UDP:gbox
"8000:TCP"= 8000:TCP:gbox

R2 BDVEDISK;BDVEDISK;c:\program files\BitDefender\BitDefender 2010\bdvedisk.sys [01/04/2009 11:25 82696]
R2 ioperm;ioperm support for Cygwin driver;c:\cygwin\bin\ioperm.sys [10/03/2008 22:19 12800]
R3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [29/06/2009 14:12 152328]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;c:\windows\system32\drivers\bdfndisf.sys [06/08/2009 16:34 110856]
S3 Arrakis3;BitDefender Serveur Arrakis;c:\program files\Fichiers communs\BitDefender\BitDefender Arrakis Server\bin\arrakis3.exe [25/06/2009 16:04 183880]
S3 cdrmkaun;cdrmkaun;\??\c:\docume~1\narca\LOCALS~1\Temp\cdrmkaun.sys --> c:\docume~1\narca\LOCALS~1\Temp\cdrmkaun.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contenu du dossier 'Tâches planifiées'

2009-10-10 c:\windows\Tasks\User_Feed_Synchronization-{16477AC8-5A5F-41ED-889E-CDCD61E330F0}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 02:31]
.
.
------- Examen supplémentaire -------
.
uStart Page = hxxp://www.google.fr/
IE: E&xporter vers Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
TCP: {4BC27F76-2905-45D6-895B-343414F12E9D} = 192.168.1.1
.
- - - - ORPHELINS SUPPRIMES - - - -

HKCU-Run-MsnMsgr - ~c:\program files\MSN Messenger\MsnMsgr.Exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-10 18:56
Windows 5.1.2600 Service Pack 3 NTFS

Recherche de processus cachés ...
c:\program files\Internet Explorer\iexplore.exe [2172] 0x819E1020

Recherche d'éléments en démarrage automatique cachés ...

Recherche de fichiers cachés ...

Scan terminé avec succès
Fichiers cachés: 0

**************************************************************************
.
--------------------- CLES DE REGISTRE BLOQUEES ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Heure de fin: 2009-10-10 18:58
ComboFix-quarantined-files.txt 2009-10-10 16:58

Avant-CF: 276 491 087 872 octets libres
Après-CF: 276 722 249 728 octets libres

WindowsXP-KB310994-SP2-Home-BootDisk-FRA.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Édition familiale" /noexecute=optin /fastdetect

189 --- E O F --- 2009-09-14 20:06

I understood that ComboFix should never be used on its own, but what about the others? Malwarebytes and RSIT, can I keep them? Thanks again for all the time you're devoting to my problem. See you soon.
  22. Hello. Since GMER still found this hidden rootkit, I carried on. Here is what I have now:

Fichier iexplore.exe reçu le 2009.10.10 08:30:10 (UTC)

Antivirus Version Dernière mise à jour Résultat
a-squared 4.5.0.41 2009.10.10 -
AhnLab-V3 5.0.0.2 2009.10.09 -
AntiVir 7.9.1.35 2009.10.09 -
Antiy-AVL 2.0.3.7 2009.10.10 -
Authentium 5.1.2.4 2009.10.10 -
Avast 4.8.1351.0 2009.10.09 -
AVG 8.5.0.420 2009.10.04 -
BitDefender 7.2 2009.10.10 -
CAT-QuickHeal 10.00 2009.10.10 -
ClamAV 0.94.1 2009.10.09 -
Comodo 2554 2009.10.10 -
DrWeb 5.0.0.12182 2009.10.10 -
eSafe 7.0.17.0 2009.10.08 -
eTrust-Vet 35.1.7060 2009.10.09 -
F-Prot 4.5.1.85 2009.10.10 -
F-Secure 8.0.14470.0 2009.10.10 -
Fortinet 3.120.0.0 2009.10.10 -
GData 19 2009.10.10 -
Ikarus T3.1.1.72.0 2009.10.10 -
Jiangmin 11.0.800 2009.10.08 -
K7AntiVirus 7.10.866 2009.10.09 -
Kaspersky 7.0.0.125 2009.10.10 -
McAfee 5766 2009.10.09 -
McAfee+Artemis 5766 2009.10.09 -
McAfee-GW-Edition 6.8.5 2009.10.10 -
Microsoft 1.5101 2009.10.10 -
NOD32 4494 2009.10.09 -
Norman 6.01.09 2009.10.09 -
nProtect 2009.1.8.0 2009.10.10 -
Panda 10.0.2.2 2009.10.09 -
PCTools 4.4.2.0 2009.10.09 -
Prevx 3.0 2009.10.10 -
Rising 21.50.51.00 2009.10.10 -
Sophos 4.45.0 2009.10.10 -
Sunbelt 3.2.1858.2 2009.10.10 -
Symantec 1.4.4.12 2009.10.10 -
TheHacker 6.5.0.2.035 2009.10.10 -
TrendMicro 8.950.0.1094 2009.10.10 -
VBA32 3.12.10.11 2009.10.09 -
ViRobot 2009.10.9.1978 2009.10.09 -
VirusBuster 4.6.5.0 2009.10.09 -

Information additionnelle
File size: 638816 bytes
MD5...: b60dddd2d63ce41cb8c487fcfbb6419e
SHA1..: eadce51c88c8261852c1903399dde742fba2061b
SHA256: b18a0d4beba606bf30f5010ba3c72abafac80d5f303a8bffb24d7f7b78b786e6
ssdeep: 12288:fX+pd167QhE0s7+jM+M6ugRfMMkIM7tX+pd167QhE0S7+oPd:fE6Ehg7mM+M6RkMkIM7tE6Ehm7Hd
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x1a25
timedatestamp.....: 0x49b3ad2e (Sun Mar 08 11:34:06 2009)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x9e65 0xa000 5.82 6f4b4058b7d8a274f013151130b1fe63
.data 0xb000 0x660 0x800 0.22 419d60dc6b239eaff0e14f76eacce1a5
.rsrc 0xc000 0x8ee18 0x8f000 6.78 57661f31be42fec90a9312f710873968
.reloc 0x9b000 0xb04 0xc00 6.23 a92eabd61b4ac11fdf667c8da4e34bf1

( 10 imports )
> ADVAPI32.dll: TraceEvent, GetTraceEnableFlags, GetTraceEnableLevel, GetTraceLoggerHandle, UnregisterTraceGuids, RegisterTraceGuidsW, RegCloseKey, RegQueryValueExW, RegOpenKeyExW
> KERNEL32.dll: GetCommandLineW, LocalAlloc, ExpandEnvironmentStringsW, CreateProcessW, LocalFree, lstrlenW, InitializeCriticalSection, GetCurrentProcess, GetLastError, SetLastError, CloseHandle, SetErrorMode, ReleaseMutex, GetCurrentDirectoryW, VerSetConditionMask, VerifyVersionInfoW, GetModuleHandleW, GetProcAddress, GetVersionExW, GetModuleFileNameW, HeapSetInformation, DeleteCriticalSection, TerminateProcess, GetWindowsDirectoryW, CreateFileW, SetDllDirectoryW, GetFileTime, RaiseException, LoadLibraryA, CreateMutexW, WaitForSingleObject, WaitForSingleObjectEx, CreateEventW, GetSystemDefaultLCID, GetUserDefaultLCID, InitializeCriticalSectionAndSpinCount, LeaveCriticalSection, EnterCriticalSection, LoadLibraryW, SearchPathW, FindResourceW, GetUserDefaultUILanguage, GetSystemDefaultUILanguage, UnmapViewOfFile, FreeLibrary, GetLocaleInfoW, CreateFileMappingW, MapViewOfFile, LoadLibraryExW, FindResourceExW, LoadResource, UnhandledExceptionFilter, GetSystemTimeAsFileTime, GetCurrentProcessId, GetCurrentThreadId, GetTickCount, QueryPerformanceCounter, GetModuleHandleA, SetUnhandledExceptionFilter, GetStartupInfoW, InterlockedCompareExchange, Sleep, InterlockedExchange
> USER32.dll: GetThreadDesktop, GetUserObjectInformationW, MessageBoxW, LoadStringW, AllowSetForegroundWindow, CharNextW
> msvcrt.dll: _wcmdln, _initterm, _amsg_exit, __setusermatherr, _adjust_fdiv, __p__commode, __p__fmode, __set_app_type, memcpy, _terminate@@YAXXZ, _controlfp, _XcptFilter, _exit, _cexit, __wgetmainargs, wcsncmp, iswspace, memset, _vsnwprintf, _unlock, __dllonexit, _lock, _onexit, __2@YAPAXI@Z, __3@YAXPAX@Z, bsearch, _wcsnicmp, _wcsicmp, exit
> ntdll.dll: RtlUnwind
> SHLWAPI.dll: SHGetValueW, PathQuoteSpacesW, PathAppendW, PathRemoveFileSpecW, -, PathFindFileNameW, StrStrW, SHEnumValueW, UrlApplySchemeW, UrlCreateFromPathW, -, UrlCanonicalizeW, -, PathIsURLW, -, SHSetValueW, SHRegGetValueW, PathCombineW
> SHELL32.dll: CommandLineToArgvW, -
> ole32.dll: CoInitialize, CoUninitialize
> iertutil.dll: -, -, -, -, -, -, -, -, -, -, -, -, -, -
> urlmon.dll: -, -, -

( 0 exports )

RDS...: NSRL Reference Data Set
-
trid..: Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
pdfid.: -
ThreatExpert info: http://www.threatexpert.com/report.aspx?md5=b60dddd2d63ce41cb8c487fcfbb6419e
sigcheck:
publisher....: Microsoft Corporation
copyright....: © Microsoft Corporation. All rights reserved.
product......: Windows_ Internet Explorer
description..: Internet Explorer
original name: IEXPLORE.EXE
internal name: iexplore
file version.: 8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
comments.....: n/a
signers......: Microsoft Corporation
Microsoft Code Signing PCA
Microsoft Root Authority
signing date.: 11:09 PM 3/8/2009
verified.....: -

There you go, I think everything is there. Thanks.
  23. Good evening. Right from the start, even before the scan, GMER detected the rootkit (IE was running). Otherwise, here is the report:

GMER 1.0.15.15125 - http://www.gmer.net
Rootkit scan 2009-10-09 20:56:48
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\narca\LOCALS~1\Temp\pgliqaow.sys

---- Processes - GMER 1.0.15 ----

Process C:\Program Files\Internet Explorer\iexplore.exe (*** hidden *** ) 2528

---- EOF - GMER 1.0.15 ----

It looks like it doesn't recognize it either.
  24. Hello. I ran a scan overnight and got the same result, even though Malwarebytes had removed an infected object. Have a good day.
  25. Good evening. I had no trouble downloading and installing Malwarebytes. Here is the content of the scan report:

Malwarebytes' Anti-Malware 1.41
Version de la base de données: 2926
Windows 5.1.2600 Service Pack 3

08/10/2009 20:31:12
mbam-log-2009-10-08 (20-31-12).txt

Type de recherche: Examen rapide
Eléments examinés: 117785
Temps écoulé: 12 minute(s), 23 second(s)

Processus mémoire infecté(s): 0
Module(s) mémoire infecté(s): 0
Clé(s) du Registre infectée(s): 1
Valeur(s) du Registre infectée(s): 0
Elément(s) de données du Registre infecté(s): 0
Dossier(s) infecté(s): 0
Fichier(s) infecté(s): 0

Processus mémoire infecté(s):
(Aucun élément nuisible détecté)

Module(s) mémoire infecté(s):
(Aucun élément nuisible détecté)

Clé(s) du Registre infectée(s):
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1a26f07f-0d60-4835-91cf-1e1766a0ec56} (Trojan.Agent) -> Quarantined and deleted successfully.

Valeur(s) du Registre infectée(s):
(Aucun élément nuisible détecté)

Elément(s) de données du Registre infecté(s):
(Aucun élément nuisible détecté)

Dossier(s) infecté(s):
(Aucun élément nuisible détecté)

Fichier(s) infecté(s):
(Aucun élément nuisible détecté)

Thanks.