Gros problèmes, Virus?

[Toum_]

Bonjour,

voici le rapport Drweb que je vient de refaire:

 

UsbFix.exe\Tools\Kill_P.exe;C:\Documents and Settings\Toum\Desktop\UsbFix.exe;Tool.Prockill;;

UsbFix.exe;C:\Documents and Settings\Toum\Desktop;L'archive contient des éléments infectés;Quarantaine.;

foot_bridge_03.gmt;C:\Documents and Settings\Toum\DoctorWeb\Quarantine;Modification de Win32.Arrow.1296;Quarantaine.;

gmt.x\GameData/Locations/Vara/MODELS/foot_bridge_03.gmt;C:\Documents and Settings\Toum\DoctorWeb\Quarantine\gmt.x;Modification de Win32.Arrow.1296;;

gmt.x;C:\Documents and Settings\Toum\DoctorWeb\Quarantine;L'archive contient des éléments infectés;Quarantaine.;

SlgClientServicesRedists.exe\data002;C:\Documents and Settings\Toum\DoctorWeb\Quarantine\SlgClientServicesRedists.exe;Adware.SpywareStorm;;

SlgClientServicesRedists.exe;C:\Documents and Settings\Toum\DoctorWeb\Quarantine;L'archive contient des éléments infectés;Quarantaine.;

uninst.exe\data002;C:\Documents and Settings\Toum\DoctorWeb\Quarantine\uninst.exe;Tool.ProcessKill;;

uninst.exe;C:\Documents and Settings\Toum\DoctorWeb\Quarantine;L'archive contient des éléments infectés;Quarantaine.;

UsbFix.exe\Tools\Kill_P.exe;C:\Documents and Settings\Toum\DoctorWeb\Quarantine\UsbFix.exe;Tool.Prockill;;

UsbFix.exe;C:\Documents and Settings\Toum\DoctorWeb\Quarantine;L'archive contient des éléments infectés;Quarantaine.;

slghex.dll;C:\Program Files\Common Files\Sandlot Shared;Adware.SpywareStorm;;

slghex.dll;C:\Program Files\Fichiers communs\Sandlot Shared;Adware.SpywareStorm;;

Kill_P.exe;C:\UsbFix\Tools;Tool.Prockill;;

 

 

 

 

Merci, à plus tard.

[pear]

Désinstallez combofix sur votre machine.

 

Téléchargez une nouvelle version et lancez la.

Fermez ou désactivez tous les programmes Antivirus, Antispyware, Pare-feu actifs ,Teatimer de Spybot car ils pourraient perturber le fonctionnement de cet outil

* Pour cela, faites un clic droit sur l'icône de l'antivirus en bas à droite à côté de l'horloge puis Disable Guard ou Shield ou Résident...

Pour éviter leur réactivation après un redémarrage, décochez les dans les options de démarrage ->Msconfig

Si vous utilisez Spybot

Pour désactiver TeaTimer qui ne set à rien et peut faire échouer une désinfection:!

Afficher d'abord le Mode Avancé dans SpyBot

->Options Avancées :

- >menu Mode, Mode Avancé.

Une colonne de menus apparaît dans la partie gauche :

- >cliquer sur Outils,

- >cliquer sur Résident,

Dans Résident :

- >décocher Résident "TeaTimer" pour le désactiver.

 

Cela est absolument nécessaire au succès de la procédure.

Bien évidemment, vous les rétablirez ensuite.

Connecter tous les disques amovibles (disque dur externe, clé USB…).

*Double cliquer sur combofix.exe ou votrenom .exe pour le lancer.

 

 

Ne pas fermer la fenêtre qui vient de s'ouvrir , le bureau serait vide et cela pourrait entraîner un plantage du programme!

Pour lancer le scan

 

* Taper sur la touche 1 pour démarrer le scan.

Si pour une raison quelconque, Vista par exemple, combofix ne se lançait pas,

Démarrez en mode sans échec, choisissez le compte Administrateur, lancez Combofix

Lorsque ComboFix tourne, ne touchez plus du tout à votre ordinateur, vous risqueriez de planter le programme.

 

* Le scan pourrait prendre un certain temps:

Patientez au moins 30 minutes pendant l'analyse. Si le programme gèle (+ de 30 minutes), fermez le en cliquant le "X" au haut à droite de la fenêtre.

A la fin,,un rapport sera généré : postez en le contenu dans un prochain message.

* Si le rapport est trop long, postez le en deux fois.

Il se trouve à c:\combofix.txt

 

En cas de problème, essayez en mode sans échec.

[Toum_]

J'ai supprimer combofix et telecharger une autre version, mais lorsque je le lance, meme en mode sans echec, le message "some installation files are corupt.

please download a fresh version and retry instalation" apparait encore. J'ai beau chercher sur d'autres forum je trouve pas comment le faire fonctionner.

 

Merci

[pear]

J'ai beau chercher sur d'autres forum je trouve pas comment le faire fonctionner.

 

Si vous voulez vous faire aider sur un autre forum, je vous demande de m'en avertir afin que les procédures soient compatibles.

 

Recherche de rootkit

Téléchargez RootRepeal

Vous devez avoir les droits Administrateur

Installez RootRepeal , cliquez sur *Settings->Options*

Onglet "Général Cochez->Only suspicious ..

. [Driver scan] ... [Files scan] ... [Processes scan] ... [sSDT scan] (v. 1.1.0)

aucune raison de changer les paramètres standards.

 

Dans le [ File Scan ] l'option [X] [ Check for file size differences ] est celle qui permet la détection des fichiers dont la taille a été modifiée comme le fait par exemple le rootkit "Rustock.C". Il est donc fortement conseillé de ne pas la désactiver.

 

Dans le [ SSDT scan ], l'option [X] [ Check for hooked SYSENTER/INT 2E ] permet le scan des appels au système par SYSENTER ou INT 2E.

 

Choix des scans (boutons de sélection en bas, à gauche).

 

Chaque option comporte deux boutons [ Scan ] pour lancer l'analyse et [ Save Report ]qui permet d'enregistrer le rapport au format « .txt » dans le répertoire choisi (éventuellement dans le répertoire de démarrage de RootRepeal).

 

[ Report ]permet d'enchaîner plusieurs ou toutes les fonctions précédentes.

Cliquez [select scan]

Dans la fenêtre qui s'ouvre, sélectionner les options à exécuter(Cochez tout).

Un choix des partitions du disque est possible dans la fenêtre [select drives].

Cliquez sur Save Report

Lancez le scan,

Si RootRepeal ne trouve rien , il affichera ceci:

 

ROOTREPEAL © AD, 2007-2009

==================================================

Scan Start Time: 2009/08/04 18:47

Program Version: Version 1.3.2.0

Windows Version: Windows XP SP3

==================================================

 

Drivers

-------------------

Name: rootrepeal.sys

Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys

Address: 0xEB27E000 Size: 49152 File Visible: No Signed: -

Status: -

==EOF==

 

Dans tous les cas

Postez le rapport

[Toum_]

Bonjour,

 

Rootrepeal plante à chaque fois à un moment ou un autre. Peut être en mode sans échec?

 

 

Merci

[Toum_]

Bon étant donner que rootrepeal plant sur le scan de fichier j'ai fait le reste, voici le rapport:

 

ROOTREPEAL © AD, 2007-2009

==================================================

Scan Start Time: 2009/10/22 16:01

Program Version: Version 1.3.5.0

Windows Version: Windows Vista SP2

==================================================

 

Processes

-------------------

Path: System

PID: 4 Status: Locked to the Windows API!

 

Stealth Objects

-------------------

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]

Process: System Address: 0x85f251f8 Size: 121

 

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]

Process: System Address: 0x85f251f8 Size: 121

 

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]

Process: System Address: 0x85f251f8 Size: 121

 

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]

Process: System Address: 0x85f251f8 Size: 121

 

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]

Process: System Address: 0x85f251f8 Size: 121

 

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]

Process: System Address: 0x85f251f8 Size: 121

 

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]

Process: System Address: 0x85f251f8 Size: 121

 

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]

Process: System Address: 0x85f251f8 Size: 121

 

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]

Process: System Address: 0x85f251f8 Size: 121

 

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]

Process: System Address: 0x85f251f8 Size: 121

 

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]

Process: System Address: 0x85f251f8 Size: 121

 

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]

Process: System Address: 0x85f251f8 Size: 121

 

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]

Process: System Address: 0x85f251f8 Size: 121

 

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]

Process: System Address: 0x85f251f8 Size: 121

 

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]

Process: System Address: 0x85f251f8 Size: 121

 

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]

Process: System Address: 0x85f251f8 Size: 121

 

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]

Process: System Address: 0x85f251f8 Size: 121

 

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]

Process: System Address: 0x85f251f8 Size: 121

 

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]

Process: System Address: 0x85f251f8 Size: 121

 

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]

Process: System Address: 0x85f251f8 Size: 121

 

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]

Process: System Address: 0x85f251f8 Size: 121

 

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]

Process: System Address: 0x85f251f8 Size: 121

 

Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE]

Process: System Address: 0x85f231f8 Size: 121

 

Object: Hidden Code [Driver: atapi, IRP_MJ_CLOSE]

Process: System Address: 0x85f231f8 Size: 121

 

Object: Hidden Code [Driver: atapi, IRP_MJ_DEVICE_CONTROL]

Process: System Address: 0x85f231f8 Size: 121

 

Object: Hidden Code [Driver: atapi, IRP_MJ_INTERNAL_DEVICE_CONTROL]

Process: System Address: 0x85f231f8 Size: 121

 

Object: Hidden Code [Driver: atapi, IRP_MJ_POWER]

Process: System Address: 0x85f231f8 Size: 121

 

Object: Hidden Code [Driver: atapi, IRP_MJ_SYSTEM_CONTROL]

Process: System Address: 0x85f231f8 Size: 121

 

Object: Hidden Code [Driver: atapi, IRP_MJ_PNP]

Process: System Address: 0x85f231f8 Size: 121

 

Object: Hidden Code [Driver: cdrom贼梑贼, IRP_MJ_CREATE]

Process: System Address: 0x8702b1f8 Size: 121

 

Object: Hidden Code [Driver: cdrom贼梑贼, IRP_MJ_CLOSE]

Process: System Address: 0x8702b1f8 Size: 121

 

Object: Hidden Code [Driver: cdrom贼梑贼, IRP_MJ_READ]

Process: System Address: 0x8702b1f8 Size: 121

 

Object: Hidden Code [Driver: cdrom贼梑贼, IRP_MJ_WRITE]

Process: System Address: 0x8702b1f8 Size: 121

 

Object: Hidden Code [Driver: cdrom贼梑贼, IRP_MJ_FLUSH_BUFFERS]

Process: System Address: 0x8702b1f8 Size: 121

 

Object: Hidden Code [Driver: cdrom贼梑贼, IRP_MJ_DEVICE_CONTROL]

Process: System Address: 0x8702b1f8 Size: 121

 

Object: Hidden Code [Driver: cdrom贼梑贼, IRP_MJ_INTERNAL_DEVICE_CONTROL]

Process: System Address: 0x8702b1f8 Size: 121

 

Object: Hidden Code [Driver: cdrom贼梑贼, IRP_MJ_SHUTDOWN]

Process: System Address: 0x8702b1f8 Size: 121

 

Object: Hidden Code [Driver: cdrom贼梑贼, IRP_MJ_POWER]

Process: System Address: 0x8702b1f8 Size: 121

 

Object: Hidden Code [Driver: cdrom贼梑贼, IRP_MJ_SYSTEM_CONTROL]

Process: System Address: 0x8702b1f8 Size: 121

 

Object: Hidden Code [Driver: cdrom贼梑贼, IRP_MJ_PNP]

Process: System Address: 0x8702b1f8 Size: 121

 

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_CREATE]

Process: System Address: 0x86f72500 Size: 121

 

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_CLOSE]

Process: System Address: 0x86f72500 Size: 121

 

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_READ]

Process: System Address: 0x86f72500 Size: 121

 

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_WRITE]

Process: System Address: 0x86f72500 Size: 121

 

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_DEVICE_CONTROL]

Process: System Address: 0x86f72500 Size: 121

 

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_INTERNAL_DEVICE_CONTROL]

Process: System Address: 0x86f72500 Size: 121

 

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_POWER]

Process: System Address: 0x86f72500 Size: 121

 

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_SYSTEM_CONTROL]

Process: System Address: 0x86f72500 Size: 121

 

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_PNP]

Process: System Address: 0x86f72500 Size: 121

 

Object: Hidden Code [Driver: usbuhcinП牄朰譧뒈贱, IRP_MJ_CREATE]

Process: System Address: 0x86f241f8 Size: 121

 

Object: Hidden Code [Driver: usbuhcinП牄朰譧뒈贱, IRP_MJ_CLOSE]

Process: System Address: 0x86f241f8 Size: 121

 

Object: Hidden Code [Driver: usbuhcinП牄朰譧뒈贱, IRP_MJ_DEVICE_CONTROL]

Process: System Address: 0x86f241f8 Size: 121

 

Object: Hidden Code [Driver: usbuhcinП牄朰譧뒈贱, IRP_MJ_INTERNAL_DEVICE_CONTROL]

Process: System Address: 0x86f241f8 Size: 121

 

Object: Hidden Code [Driver: usbuhcinП牄朰譧뒈贱, IRP_MJ_POWER]

Process: System Address: 0x86f241f8 Size: 121

 

Object: Hidden Code [Driver: usbuhcinП牄朰譧뒈贱, IRP_MJ_SYSTEM_CONTROL]

Process: System Address: 0x86f241f8 Size: 121

 

Object: Hidden Code [Driver: usbuhcinП牄朰譧뒈贱, IRP_MJ_PNP]

Process: System Address: 0x86f241f8 Size: 121

 

Object: Hidden Code [Driver: alk4amooП牄朰譧誈譧, IRP_MJ_CREATE]

Process: System Address: 0x870611f8 Size: 121

 

Object: Hidden Code [Driver: alk4amooП牄朰譧誈譧, IRP_MJ_CLOSE]

Process: System Address: 0x870611f8 Size: 121

 

Object: Hidden Code [Driver: alk4amooП牄朰譧誈譧, IRP_MJ_DEVICE_CONTROL]

Process: System Address: 0x870611f8 Size: 121

 

Object: Hidden Code [Driver: alk4amooП牄朰譧誈譧, IRP_MJ_INTERNAL_DEVICE_CONTROL]

Process: System Address: 0x870611f8 Size: 121

 

Object: Hidden Code [Driver: alk4amooП牄朰譧誈譧, IRP_MJ_POWER]

Process: System Address: 0x870611f8 Size: 121

 

Object: Hidden Code [Driver: alk4amooП牄朰譧誈譧, IRP_MJ_SYSTEM_CONTROL]

Process: System Address: 0x870611f8 Size: 121

 

Object: Hidden Code [Driver: alk4amooП牄朰譧誈譧, IRP_MJ_PNP]

Process: System Address: 0x870611f8 Size: 121

 

Object: Hidden Code [Driver: iScsiPrtЃ潉†TermDD, IRP_MJ_CREATE]

Process: System Address: 0x870c61f8 Size: 121

 

Object: Hidden Code [Driver: iScsiPrtЃ潉†TermDD, IRP_MJ_CLOSE]

Process: System Address: 0x870c61f8 Size: 121

 

Object: Hidden Code [Driver: iScsiPrtЃ潉†TermDD, IRP_MJ_DEVICE_CONTROL]

Process: System Address: 0x870c61f8 Size: 121

 

Object: Hidden Code [Driver: iScsiPrtЃ潉†TermDD, IRP_MJ_INTERNAL_DEVICE_CONTROL]

Process: System Address: 0x870c61f8 Size: 121

 

Object: Hidden Code [Driver: iScsiPrtЃ潉†TermDD, IRP_MJ_POWER]

Process: System Address: 0x870c61f8 Size: 121

 

Object: Hidden Code [Driver: iScsiPrtЃ潉†TermDD, IRP_MJ_SYSTEM_CONTROL]

Process: System Address: 0x870c61f8 Size: 121

 

Object: Hidden Code [Driver: iScsiPrtЃ潉†TermDD, IRP_MJ_PNP]

Process: System Address: 0x870c61f8 Size: 121

 

Object: Hidden Code [Driver: volmgr, IRP_MJ_CREATE]

Process: System Address: 0x851631f8 Size: 121

 

Object: Hidden Code [Driver: volmgr, IRP_MJ_READ]

Process: System Address: 0x851631f8 Size: 121

 

Object: Hidden Code [Driver: volmgr, IRP_MJ_WRITE]

Process: System Address: 0x851631f8 Size: 121

 

Object: Hidden Code [Driver: volmgr, IRP_MJ_FLUSH_BUFFERS]

Process: System Address: 0x851631f8 Size: 121

 

Object: Hidden Code [Driver: volmgr, IRP_MJ_DEVICE_CONTROL]

Process: System Address: 0x851631f8 Size: 121

 

Object: Hidden Code [Driver: volmgr, IRP_MJ_INTERNAL_DEVICE_CONTROL]

Process: System Address: 0x851631f8 Size: 121

 

Object: Hidden Code [Driver: volmgr, IRP_MJ_SHUTDOWN]

Process: System Address: 0x851631f8 Size: 121

 

Object: Hidden Code [Driver: volmgr, IRP_MJ_CLEANUP]

Process: System Address: 0x851631f8 Size: 121

 

Object: Hidden Code [Driver: volmgr, IRP_MJ_POWER]

Process: System Address: 0x851631f8 Size: 121

 

Object: Hidden Code [Driver: volmgr, IRP_MJ_SYSTEM_CONTROL]

Process: System Address: 0x851631f8 Size: 121

 

Object: Hidden Code [Driver: volmgr, IRP_MJ_PNP]

Process: System Address: 0x851631f8 Size: 121

 

Object: Hidden Code [Driver: Ѕ瑎硦, IRP_MJ_CREATE]

Process: System Address: 0x86f251f8 Size: 121

 

Object: Hidden Code [Driver: Ѕ瑎硦, IRP_MJ_CLOSE]

Process: System Address: 0x86f251f8 Size: 121

 

Object: Hidden Code [Driver: Ѕ瑎硦, IRP_MJ_DEVICE_CONTROL]

Process: System Address: 0x86f251f8 Size: 121

 

Object: Hidden Code [Driver: Ѕ瑎硦, IRP_MJ_INTERNAL_DEVICE_CONTROL]

Process: System Address: 0x86f251f8 Size: 121

 

Object: Hidden Code [Driver: Ѕ瑎硦, IRP_MJ_POWER]

Process: System Address: 0x86f251f8 Size: 121

 

Object: Hidden Code [Driver: Ѕ瑎硦, IRP_MJ_SYSTEM_CONTROL]

Process: System Address: 0x86f251f8 Size: 121

 

Object: Hidden Code [Driver: Ѕ瑎硦, IRP_MJ_PNP]

Process: System Address: 0x86f251f8 Size: 121

 

Object: Hidden Code [Driver: msahci, IRP_MJ_POWER]

Process: System Address: 0x85f241f8 Size: 121

 

Object: Hidden Code [Driver: msahci, IRP_MJ_SYSTEM_CONTROL]

Process: System Address: 0x85f241f8 Size: 121

 

Object: Hidden Code [Driver: msahci, IRP_MJ_PNP]

Process: System Address: 0x85f241f8 Size: 121

 

Object: Hidden Code [Driver: cdfsІ癅, IRP_MJ_CREATE]

Process: System Address: 0x8767a500 Size: 121

 

Object: Hidden Code [Driver: cdfsІ癅, IRP_MJ_CLOSE]

Process: System Address: 0x8767a500 Size: 121

 

Object: Hidden Code [Driver: cdfsІ癅, IRP_MJ_READ]

Process: System Address: 0x8767a500 Size: 121

 

Object: Hidden Code [Driver: cdfsІ癅, IRP_MJ_WRITE]

Process: System Address: 0x8767a500 Size: 121

 

Object: Hidden Code [Driver: cdfsІ癅, IRP_MJ_QUERY_INFORMATION]

Process: System Address: 0x8767a500 Size: 121

 

Object: Hidden Code [Driver: cdfsІ癅, IRP_MJ_SET_INFORMATION]

Process: System Address: 0x8767a500 Size: 121

 

Object: Hidden Code [Driver: cdfsІ癅, IRP_MJ_QUERY_VOLUME_INFORMATION]

Process: System Address: 0x8767a500 Size: 121

 

Object: Hidden Code [Driver: cdfsІ癅, IRP_MJ_DIRECTORY_CONTROL]

Process: System Address: 0x8767a500 Size: 121

 

Object: Hidden Code [Driver: cdfsІ癅, IRP_MJ_FILE_SYSTEM_CONTROL]

Process: System Address: 0x8767a500 Size: 121

 

Object: Hidden Code [Driver: cdfsІ癅, IRP_MJ_DEVICE_CONTROL]

Process: System Address: 0x8767a500 Size: 121

 

Object: Hidden Code [Driver: cdfsІ癅, IRP_MJ_SHUTDOWN]

Process: System Address: 0x8767a500 Size: 121

 

Object: Hidden Code [Driver: cdfsІ癅, IRP_MJ_LOCK_CONTROL]

Process: System Address: 0x8767a500 Size: 121

 

Object: Hidden Code [Driver: cdfsІ癅, IRP_MJ_CLEANUP]

Process: System Address: 0x8767a500 Size: 121

 

Object: Hidden Code [Driver: cdfsІ癅, IRP_MJ_PNP]

Process: System Address: 0x8767a500 Size: 121

 

==EOF==

 

 

Merci à plus tard.

[pear]

Bonsoir,

 

Puisque Rootrepeal plante, on va en essayer un autre:

 

Recherche de Rootkit

Télécharger SysProtsur le bureau

Installez le et double cliquez sur "SysProt.exe"

Cliquez sur l'onglet "log" ;

Cochez toutes les cases présentes dans la fenêtre "Write to log" ;

Cochez Hidden Objects Only (au bas, à gauche)

Les "Objets cachés (Hidden)" sont en Rouge dans tous les modules

Cliquez sur Create log (au bas, à droite)

Une nouvelle fenêtre apparaîtra : cochez Scan root drive et cliquez sur Start ;

Un rapport sera sauvegardé dans le dossier SysProt.

Copiez/collez en le contenu dans votre réponse.

 

Et si ça plante encore:

 

Recherche Win32kDiag

Fermez ou désactivez tous les programmes Antivirus, Antispyware, Pare-feu actifs car ils pourraient perturber le fonctionnement de cet outil

* Pour cela, faites un clic droit sur l'icône de l'antivirus en bas à droite à côté de l'horloge puis Disable Guard ou Shield ou Résident...

Pour éviter leur réactivation après un redémarrage, décochez les dans les options de démarrage ->Msconfig

Si vous utilisez Spybot

Pour désactiver TeaTimer qui ne set à rien et peut faire échouer une désinfection:!

Afficher d'abord le Mode Avancé dans SpyBot

->Options Avancées :

- >menu Mode, Mode Avancé.

Une colonne de menus apparaît dans la partie gauche :

- >cliquer sur Outils,

- >cliquer sur Résident,

Dans Résident :

- >décocher Résident "TeaTimer" pour le désactiver.

Effacer le contenu du dossier Snapshots(le contenu de snapshots, pas le fichier snapshots) , sous XP :

C:\Documents and Settings\All Users\Application Data\Spybot - Search &Destroy\Snapshots

Et sous Vista :

Désactivez le contrôle des comptes utilisateurs (Vous le réactiverez par la suite):

http://www.zebulon.fr/astuces/220-desactiv...dans-vista.html

- Démarrer puis panneau de configuration->"Comptes d'utilisateurs"

- Cliquer ensuite sur désactiver et valider.

C:\ProgramData\Spybot - Search & Destroy\Snapshots

Cela est absolument nécessaire au succès de la procédure.

Bien évidemment, vous les rétablirez ensuite.

 

Vers le bureau ,

Télécharger (Win32kDiag.exe)

Double-cliquez sur Win32kDiag.exe et patientez

Quand apparait "Finished! Press any key to exit...", appuyez sur une clé quelconque

Double-cliquez sur Win32kDiag.txt sur le bureau et postez en le contenu par copier/coller dans votre prochain message

Modifié le 22 octobre 2009 par pear

[Toum_]

voila le rapport sysprot, je crois qu'il à planter aussi je fais l'analyse win32kdiag.

 

a plus tard.

 

SysProt AntiRootkit v1.0.1.0

by swatkat

 

********************************************************************************

**********

********************************************************************************

**********

 

No Hidden Processes found

 

********************************************************************************

**********

********************************************************************************

**********

Kernel Modules:

Module Name: \SystemRoot\System32\Drivers\spqn.sys

Service Name: ---

Module Base: 80698000

Module End: 80798000

Hidden: Yes

 

Module Name: \SystemRoot\System32\Drivers\ajj01e9s.SYS

Service Name: ---

Module Base: 8F366000

Module End: 8F39C000

Hidden: Yes

 

Module Name: \SystemRoot\System32\Drivers\dump_iaStor.sys

Service Name: ---

Module Base: 8AD0B000

Module End: 8ADD3000

Hidden: Yes

 

********************************************************************************

**********

********************************************************************************

**********

No SSDT Hooks found

 

********************************************************************************

**********

********************************************************************************

**********

No Kernel Hooks found

 

********************************************************************************

**********

********************************************************************************

**********

IRP Hooks:

Hooked Module: C:\Windows\system32\drivers\atapi.sys

Hooked IRP: IRP_MJ_CREATE

Jump To: 85F241F8

Hooking Module: _unknown_

 

Hooked Module: C:\Windows\system32\drivers\atapi.sys

Hooked IRP: IRP_MJ_CLOSE

Jump To: 85F241F8

Hooking Module: _unknown_

 

Hooked Module: C:\Windows\system32\drivers\atapi.sys

Hooked IRP: IRP_MJ_DEVICE_CONTROL

Jump To: 85F241F8

Hooking Module: _unknown_

 

Hooked Module: C:\Windows\system32\drivers\atapi.sys

Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL

Jump To: 8349095C

Hooking Module: C:\Windows\System32\drivers\sfsync03.sys

 

Hooked Module: C:\Windows\system32\drivers\atapi.sys

Hooked IRP: IRP_MJ_POWER

Jump To: 85F241F8

Hooking Module: _unknown_

 

Hooked Module: C:\Windows\system32\drivers\atapi.sys

Hooked IRP: IRP_MJ_SYSTEM_CONTROL

Jump To: 85F241F8

Hooking Module: _unknown_

 

Hooked Module: C:\Windows\system32\DRIVERS\USBSTOR.SYS

Hooked IRP: IRP_MJ_CREATE

Jump To: 905A3478

Hooking Module: _unknown_

 

Hooked Module: C:\Windows\system32\DRIVERS\USBSTOR.SYS

Hooked IRP: IRP_MJ_CLOSE

Jump To: 905A3478

Hooking Module: _unknown_

 

Hooked Module: C:\Windows\system32\DRIVERS\USBSTOR.SYS

Hooked IRP: IRP_MJ_READ

Jump To: 905A3478

Hooking Module: _unknown_

 

Hooked Module: C:\Windows\system32\DRIVERS\USBSTOR.SYS

Hooked IRP: IRP_MJ_WRITE

Jump To: 905A3478

Hooking Module: _unknown_

 

Hooked Module: C:\Windows\system32\DRIVERS\USBSTOR.SYS

Hooked IRP: IRP_MJ_DEVICE_CONTROL

Jump To: 905A3478

Hooking Module: _unknown_

 

Hooked Module: C:\Windows\system32\DRIVERS\USBSTOR.SYS

Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL

Jump To: 8349095C

Hooking Module: C:\Windows\System32\drivers\sfsync03.sys

 

Hooked Module: C:\Windows\system32\DRIVERS\USBSTOR.SYS

Hooked IRP: IRP_MJ_POWER

Jump To: 905A3478

Hooking Module: _unknown_

 

Hooked Module: C:\Windows\system32\DRIVERS\USBSTOR.SYS

Hooked IRP: IRP_MJ_SYSTEM_CONTROL

Jump To: 905A3478

Hooking Module: _unknown_

 

Hooked Module: \Driver\sptd

Hooked IRP: IRP_MJ_CREATE

Jump To: 80699000

Hooking Module: \SystemRoot\System32\Drivers\spqn.sys

 

Hooked Module: \Driver\sptd

Hooked IRP: IRP_MJ_CREATE_NAMED_PIPE

Jump To: 80699000

Hooking Module: \SystemRoot\System32\Drivers\spqn.sys

 

Hooked Module: \Driver\sptd

Hooked IRP: IRP_MJ_CLOSE

Jump To: 80699000

Hooking Module: \SystemRoot\System32\Drivers\spqn.sys

 

Hooked Module: \Driver\sptd

Hooked IRP: IRP_MJ_READ

Jump To: 80699000

Hooking Module: \SystemRoot\System32\Drivers\spqn.sys

 

Hooked Module: \Driver\sptd

Hooked IRP: IRP_MJ_WRITE

Jump To: 80699000

Hooking Module: \SystemRoot\System32\Drivers\spqn.sys

 

Hooked Module: \Driver\sptd

Hooked IRP: IRP_MJ_QUERY_INFORMATION

Jump To: 80699000

Hooking Module: \SystemRoot\System32\Drivers\spqn.sys

 

Hooked Module: \Driver\sptd

Hooked IRP: IRP_MJ_SET_INFORMATION

Jump To: 80699000

Hooking Module: \SystemRoot\System32\Drivers\spqn.sys

 

Hooked Module: \Driver\sptd

Hooked IRP: IRP_MJ_QUERY_EA

Jump To: 80699000

Hooking Module: \SystemRoot\System32\Drivers\spqn.sys

 

Hooked Module: \Driver\sptd

Hooked IRP: IRP_MJ_SET_EA

Jump To: 80699000

Hooking Module: \SystemRoot\System32\Drivers\spqn.sys

 

Hooked Module: \Driver\sptd

Hooked IRP: IRP_MJ_FLUSH_BUFFERS

Jump To: 80699000

Hooking Module: \SystemRoot\System32\Drivers\spqn.sys

 

Hooked Module: \Driver\sptd

Hooked IRP: IRP_MJ_QUERY_VOLUME_INFORMATION

Jump To: 80699000

Hooking Module: \SystemRoot\System32\Drivers\spqn.sys

 

Hooked Module: \Driver\sptd

Hooked IRP: IRP_MJ_SET_VOLUME_INFORMATION

Jump To: 80699000

Hooking Module: \SystemRoot\System32\Drivers\spqn.sys

 

Hooked Module: \Driver\sptd

Hooked IRP: IRP_MJ_DIRECTORY_CONTROL

Jump To: 80699000

Hooking Module: \SystemRoot\System32\Drivers\spqn.sys

 

Hooked Module: \Driver\sptd

Hooked IRP: IRP_MJ_FILE_SYSTEM_CONTROL

Jump To: 80699000

Hooking Module: \SystemRoot\System32\Drivers\spqn.sys

 

Hooked Module: \Driver\sptd

Hooked IRP: IRP_MJ_DEVICE_CONTROL

Jump To: 80699000

Hooking Module: \SystemRoot\System32\Drivers\spqn.sys

 

Hooked Module: \Driver\sptd

Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL

Jump To: 80699000

Hooking Module: \SystemRoot\System32\Drivers\spqn.sys

 

Hooked Module: \Driver\sptd

Hooked IRP: IRP_MJ_SHUTDOWN

Jump To: 80699000

Hooking Module: \SystemRoot\System32\Drivers\spqn.sys

 

Hooked Module: \Driver\sptd

Hooked IRP: IRP_MJ_LOCK_CONTROL

Jump To: 80699000

Hooking Module: \SystemRoot\System32\Drivers\spqn.sys

 

Hooked Module: \Driver\sptd

Hooked IRP: IRP_MJ_CLEANUP

Jump To: 80699000

Hooking Module: \SystemRoot\System32\Drivers\spqn.sys

 

Hooked Module: \Driver\sptd

Hooked IRP: IRP_MJ_CREATE_MAILSLOT

Jump To: 80699000

Hooking Module: \SystemRoot\System32\Drivers\spqn.sys

 

Hooked Module: \Driver\sptd

Hooked IRP: IRP_MJ_QUERY_SECURITY

Jump To: 80699000

Hooking Module: \SystemRoot\System32\Drivers\spqn.sys

 

Hooked Module: \Driver\sptd

Hooked IRP: IRP_MJ_SET_SECURITY

Jump To: 80699000

Hooking Module: \SystemRoot\System32\Drivers\spqn.sys

 

Hooked Module: \Driver\sptd

Hooked IRP: IRP_MJ_POWER

Jump To: 80699000

Hooking Module: \SystemRoot\System32\Drivers\spqn.sys

 

Hooked Module: \Driver\sptd

Hooked IRP: IRP_MJ_SYSTEM_CONTROL

Jump To: 80699000

Hooking Module: \SystemRoot\System32\Drivers\spqn.sys

 

Hooked Module: \Driver\sptd

Hooked IRP: IRP_MJ_DEVICE_CHANGE

Jump To: 80699000

Hooking Module: \SystemRoot\System32\Drivers\spqn.sys

 

Hooked Module: \Driver\sptd

Hooked IRP: IRP_MJ_QUERY_QUOTA

Jump To: 80699000

Hooking Module: \SystemRoot\System32\Drivers\spqn.sys

 

Hooked Module: \Driver\sptd

Hooked IRP: IRP_MJ_SET_QUOTA

Jump To: 80699000

Hooking Module: \SystemRoot\System32\Drivers\spqn.sys

 

Hooked Module: C:\Windows\system32\DRIVERS\usbuhci.sys

Hooked IRP: IRP_MJ_CREATE

Jump To: 8798A1F8

Hooking Module: _unknown_

 

Hooked Module: C:\Windows\system32\DRIVERS\usbuhci.sys

Hooked IRP: IRP_MJ_CLOSE

Jump To: 8798A1F8

Hooking Module: _unknown_

 

Hooked Module: C:\Windows\system32\DRIVERS\usbuhci.sys

Hooked IRP: IRP_MJ_DEVICE_CONTROL

Jump To: 8798A1F8

Hooking Module: _unknown_

 

Hooked Module: C:\Windows\system32\DRIVERS\usbuhci.sys

Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL

Jump To: 8798A1F8

Hooking Module: _unknown_

 

Hooked Module: C:\Windows\system32\DRIVERS\usbuhci.sys

Hooked IRP: IRP_MJ_POWER

Jump To: 8798A1F8

Hooking Module: _unknown_

 

Hooked Module: C:\Windows\system32\DRIVERS\usbuhci.sys

Hooked IRP: IRP_MJ_SYSTEM_CONTROL

Jump To: 8798A1F8

Hooking Module: _unknown_

 

Hooked Module: C:\Windows\system32\DRIVERS\iaStor.sys

Hooked IRP: IRP_MJ_CREATE

Jump To: 834EA580

Hooking Module: C:\Windows\system32\DRIVERS\iaStor.sys

 

Hooked Module: C:\Windows\system32\DRIVERS\iaStor.sys

Hooked IRP: IRP_MJ_CLOSE

Jump To: 834EA580

Hooking Module: C:\Windows\system32\DRIVERS\iaStor.sys

 

Hooked Module: C:\Windows\system32\DRIVERS\iaStor.sys

Hooked IRP: IRP_MJ_DEVICE_CONTROL

Jump To: 834EA580

Hooking Module: C:\Windows\system32\DRIVERS\iaStor.sys

 

Hooked Module: C:\Windows\system32\DRIVERS\iaStor.sys

Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL

Jump To: 8349095C

Hooking Module: C:\Windows\System32\drivers\sfsync03.sys

 

Hooked Module: C:\Windows\system32\DRIVERS\iaStor.sys

Hooked IRP: IRP_MJ_POWER

Jump To: 834EA580

Hooking Module: C:\Windows\system32\DRIVERS\iaStor.sys

 

Hooked Module: C:\Windows\system32\DRIVERS\iaStor.sys

Hooked IRP: IRP_MJ_SYSTEM_CONTROL

Jump To: 834EA580

Hooking Module: C:\Windows\system32\DRIVERS\iaStor.sys

 

Hooked Module: C:\Windows\system32\DRIVERS\smb.sys

Hooked IRP: IRP_MJ_CREATE

Jump To: 904631F8

Hooking Module: _unknown_

 

Hooked Module: C:\Windows\system32\DRIVERS\smb.sys

Hooked IRP: IRP_MJ_CLOSE

Jump To: 904631F8

Hooking Module: _unknown_

 

Hooked Module: C:\Windows\system32\DRIVERS\smb.sys

Hooked IRP: IRP_MJ_DEVICE_CONTROL

Jump To: 904631F8

Hooking Module: _unknown_

 

Hooked Module: C:\Windows\system32\DRIVERS\smb.sys

Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL

Jump To: 904631F8

Hooking Module: _unknown_

 

Hooked Module: C:\Windows\system32\DRIVERS\smb.sys

Hooked IRP: IRP_MJ_CLEANUP

Jump To: 904631F8

Hooking Module: _unknown_

 

Hooked Module: C:\Windows\System32\DRIVERS\netbt.sys

Hooked IRP: IRP_MJ_CREATE

Jump To: 9045F1F8

Hooking Module: _unknown_

 

Hooked Module: C:\Windows\System32\DRIVERS\netbt.sys

Hooked IRP: IRP_MJ_CLOSE

Jump To: 9045F1F8

Hooking Module: _unknown_

 

Hooked Module: C:\Windows\System32\DRIVERS\netbt.sys

Hooked IRP: IRP_MJ_DEVICE_CONTROL

Jump To: 9045F1F8

Hooking Module: _unknown_

 

Hooked Module: C:\Windows\System32\DRIVERS\netbt.sys

Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL

Jump To: 9045F1F8

Hooking Module: _unknown_

 

Hooked Module: C:\Windows\System32\DRIVERS\netbt.sys

Hooked IRP: IRP_MJ_CLEANUP

Jump To: 9045F1F8

Hooking Module: _unknown_

 

Hooked Module: C:\Windows\system32\DRIVERS\msiscsi.sys

Hooked IRP: IRP_MJ_CREATE

Jump To: 87B861F8

Hooking Module: _unknown_

 

Hooked Module: C:\Windows\system32\DRIVERS\msiscsi.sys

Hooked IRP: IRP_MJ_CLOSE

Jump To: 87B861F8

Hooking Module: _unknown_

 

Hooked Module: C:\Windows\system32\DRIVERS\msiscsi.sys

Hooked IRP: IRP_MJ_DEVICE_CONTROL

Jump To: 87B861F8

Hooking Module: _unknown_

 

Hooked Module: C:\Windows\system32\DRIVERS\msiscsi.sys

Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL

Jump To: 87B861F8

Hooking Module: _unknown_

 

Hooked Module: C:\Windows\system32\DRIVERS\msiscsi.sys

Hooked IRP: IRP_MJ_POWER

Jump To: 87B861F8

Hooking Module: _unknown_

 

Hooked Module: C:\Windows\system32\DRIVERS\msiscsi.sys

Hooked IRP: IRP_MJ_SYSTEM_CONTROL

Jump To: 87B861F8

Hooking Module: _unknown_

 

Hooked Module: C:\Windows\system32\DRIVERS\cdrom.sys

Hooked IRP: IRP_MJ_CREATE

Jump To: 87A33500

Hooking Module: _unknown_

 

Hooked Module: C:\Windows\system32\DRIVERS\cdrom.sys

Hooked IRP: IRP_MJ_CLOSE

Jump To: 87A33500

Hooking Module: _unknown_

 

Hooked Module: C:\Windows\system32\DRIVERS\cdrom.sys

Hooked IRP: IRP_MJ_READ

Jump To: 87A33500

Hooking Module: _unknown_

 

Hooked Module: C:\Windows\system32\DRIVERS\cdrom.sys

Hooked IRP: IRP_MJ_WRITE

Jump To: 87A33500

Hooking Module: _unknown_

 

Hooked Module: C:\Windows\system32\DRIVERS\cdrom.sys

Hooked IRP: IRP_MJ_FLUSH_BUFFERS

Jump To: 87A33500

Hooking Module: _unknown_

 

Hooked Module: C:\Windows\system32\DRIVERS\cdrom.sys

Hooked IRP: IRP_MJ_DEVICE_CONTROL

Jump To: 87A33500

Hooking Module: _unknown_

 

Hooked Module: C:\Windows\system32\DRIVERS\cdrom.sys

Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL

Jump To: 87A33500

Hooking Module: _unknown_

 

Hooked Module: C:\Windows\system32\DRIVERS\cdrom.sys

Hooked IRP: IRP_MJ_SHUTDOWN

Jump To: 87A33500

Hooking Module: _unknown_

 

Hooked Module: C:\Windows\system32\DRIVERS\cdrom.sys

Hooked IRP: IRP_MJ_POWER

Jump To: 87A33500

Hooking Module: _unknown_

 

Hooked Module: C:\Windows\system32\DRIVERS\cdrom.sys

Hooked IRP: IRP_MJ_SYSTEM_CONTROL

Jump To: 87A33500

Hooking Module: _unknown_

 

Hooked Module: \SystemRoot\System32\Drivers\ajj01e9s.SYS

Hooked IRP: IRP_MJ_CREATE

Jump To: 87B831F8

Hooking Module: _unknown_

 

Hooked Module: \SystemRoot\System32\Drivers\ajj01e9s.SYS

Hooked IRP: IRP_MJ_CLOSE

Jump To: 87B831F8

Hooking Module: _unknown_

 

Hooked Module: \SystemRoot\System32\Drivers\ajj01e9s.SYS

Hooked IRP: IRP_MJ_DEVICE_CONTROL

Jump To: 87B831F8

Hooking Module: _unknown_

 

Hooked Module: \SystemRoot\System32\Drivers\ajj01e9s.SYS

Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL

Jump To: 8349095C

Hooking Module: C:\Windows\System32\drivers\sfsync03.sys

 

Hooked Module: \SystemRoot\System32\Drivers\ajj01e9s.SYS

Hooked IRP: IRP_MJ_POWER

Jump To: 87B831F8

Hooking Module: _unknown_

 

Hooked Module: \SystemRoot\System32\Drivers\ajj01e9s.SYS

Hooked IRP: IRP_MJ_SYSTEM_CONTROL

Jump To: 87B831F8

Hooking Module: _unknown_

 

Hooked Module: C:\Windows\system32\drivers\volmgr.sys

Hooked IRP: IRP_MJ_CREATE

Jump To: 855951F8

Hooking Module: _unknown_

 

Hooked Module: C:\Windows\system32\drivers\volmgr.sys

Hooked IRP: IRP_MJ_READ

Jump To: 855951F8

Hooking Module: _unknown_

 

Hooked Module: C:\Windows\system32\drivers\volmgr.sys

Hooked IRP: IRP_MJ_WRITE

Jump To: 855951F8

Hooking Module: _unknown_

 

Hooked Module: C:\Windows\system32\drivers\volmgr.sys

Hooked IRP: IRP_MJ_FLUSH_BUFFERS

Jump To: 855951F8

Hooking Module: _unknown_

 

Hooked Module: C:\Windows\system32\drivers\volmgr.sys

Hooked IRP: IRP_MJ_DEVICE_CONTROL

Jump To: 855951F8

Hooking Module: _unknown_

 

Hooked Module: C:\Windows\system32\drivers\volmgr.sys

Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL

Jump To: 855951F8

Hooking Module: _unknown_

 

Hooked Module: C:\Windows\system32\drivers\volmgr.sys

Hooked IRP: IRP_MJ_SHUTDOWN

Jump To: 855951F8

Hooking Module: _unknown_

 

Hooked Module: C:\Windows\system32\drivers\volmgr.sys

Hooked IRP: IRP_MJ_CLEANUP

Jump To: 855951F8

Hooking Module: _unknown_

 

Hooked Module: C:\Windows\system32\drivers\volmgr.sys

Hooked IRP: IRP_MJ_POWER

Jump To: 855951F8

Hooking Module: _unknown_

 

Hooked Module: C:\Windows\system32\drivers\volmgr.sys

Hooked IRP: IRP_MJ_SYSTEM_CONTROL

Jump To: 855951F8

Hooking Module: _unknown_

 

Hooked Module: C:\Windows\system32\DRIVERS\usbehci.sys

Hooked IRP: IRP_MJ_CREATE

Jump To: 879771F8

Hooking Module: _unknown_

 

Hooked Module: C:\Windows\system32\DRIVERS\usbehci.sys

Hooked IRP: IRP_MJ_CLOSE

Jump To: 879771F8

Hooking Module: _unknown_

 

Hooked Module: C:\Windows\system32\DRIVERS\usbehci.sys

Hooked IRP: IRP_MJ_DEVICE_CONTROL

Jump To: 879771F8

Hooking Module: _unknown_

 

Hooked Module: C:\Windows\system32\DRIVERS\usbehci.sys

Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL

Jump To: 879771F8

Hooking Module: _unknown_

 

Hooked Module: C:\Windows\system32\DRIVERS\usbehci.sys

Hooked IRP: IRP_MJ_POWER

Jump To: 879771F8

Hooking Module: _unknown_

 

Hooked Module: C:\Windows\system32\DRIVERS\usbehci.sys

Hooked IRP: IRP_MJ_SYSTEM_CONTROL

Jump To: 879771F8

Hooking Module: _unknown_

 

Hooked Module: \Driver\PCI_PNP3543

Hooked IRP: IRP_MJ_CREATE

Jump To: 806DCB1C

Hooking Module: \SystemRoot\System32\Drivers\spqn.sys

 

Hooked Module: \Driver\PCI_PNP3543

Hooked IRP: IRP_MJ_CREATE_NAMED_PIPE

Jump To: 806DCB1C

Hooking Module: \SystemRoot\System32\Drivers\spqn.sys

 

Hooked Module: \Driver\PCI_PNP3543

Hooked IRP: IRP_MJ_CLOSE

Jump To: 806DCB1C

Hooking Module: \SystemRoot\System32\Drivers\spqn.sys

 

Hooked Module: \Driver\PCI_PNP3543

Hooked IRP: IRP_MJ_READ

Jump To: 806DCB1C

Hooking Module: \SystemRoot\System32\Drivers\spqn.sys

 

Hooked Module: \Driver\PCI_PNP3543

Hooked IRP: IRP_MJ_WRITE

Jump To: 806DCB1C

Hooking Module: \SystemRoot\System32\Drivers\spqn.sys

 

Hooked Module: \Driver\PCI_PNP3543

Hooked IRP: IRP_MJ_QUERY_INFORMATION

Jump To: 806DCB1C

Hooking Module: \SystemRoot\System32\Drivers\spqn.sys

 

Hooked Module: \Driver\PCI_PNP3543

Hooked IRP: IRP_MJ_SET_INFORMATION

Jump To: 806DCB1C

Hooking Module: \SystemRoot\System32\Drivers\spqn.sys

 

Hooked Module: \Driver\PCI_PNP3543

Hooked IRP: IRP_MJ_QUERY_EA

Jump To: 806DCB1C

Hooking Module: \SystemRoot\System32\Drivers\spqn.sys

 

Hooked Module: \Driver\PCI_PNP3543

Hooked IRP: IRP_MJ_SET_EA

Jump To: 806DCB1C

Hooking Module: \SystemRoot\System32\Drivers\spqn.sys

 

Hooked Module: \Driver\PCI_PNP3543

Hooked IRP: IRP_MJ_FLUSH_BUFFERS

Jump To: 806DCB1C

Hooking Module: \SystemRoot\System32\Drivers\spqn.sys

 

Hooked Module: \Driver\PCI_PNP3543

Hooked IRP: IRP_MJ_QUERY_VOLUME_INFORMATION

Jump To: 806DCB1C

Hooking Module: \SystemRoot\System32\Drivers\spqn.sys

 

Hooked Module: \Driver\PCI_PNP3543

Hooked IRP: IRP_MJ_SET_VOLUME_INFORMATION

Jump To: 806DCB1C

Hooking Module: \SystemRoot\System32\Drivers\spqn.sys

 

Hooked Module: \Driver\PCI_PNP3543

Hooked IRP: IRP_MJ_DIRECTORY_CONTROL

Jump To: 806DCB1C

Hooking Module: \SystemRoot\System32\Drivers\spqn.sys

 

Hooked Module: \Driver\PCI_PNP3543

Hooked IRP: IRP_MJ_FILE_SYSTEM_CONTROL

Jump To: 806DCB1C

Hooking Module: \SystemRoot\System32\Drivers\spqn.sys

 

Hooked Module: \Driver\PCI_PNP3543

Hooked IRP: IRP_MJ_DEVICE_CONTROL

Jump To: 806DCB1C

Hooking Module: \SystemRoot\System32\Drivers\spqn.sys

 

Hooked Module: \Driver\PCI_PNP3543

Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL

Jump To: 806DCB1C

Hooking Module: \SystemRoot\System32\Drivers\spqn.sys

 

Hooked Module: \Driver\PCI_PNP3543

Hooked IRP: IRP_MJ_SHUTDOWN

Jump To: 806DCB1C

Hooking Module: \SystemRoot\System32\Drivers\spqn.sys

 

Hooked Module: \Driver\PCI_PNP3543

Hooked IRP: IRP_MJ_LOCK_CONTROL

Jump To: 806DCB1C

Hooking Module: \SystemRoot\System32\Drivers\spqn.sys

 

Hooked Module: \Driver\PCI_PNP3543

Hooked IRP: IRP_MJ_CLEANUP

Jump To: 806DCB1C

Hooking Module: \SystemRoot\System32\Drivers\spqn.sys

 

Hooked Module: \Driver\PCI_PNP3543

Hooked IRP: IRP_MJ_CREATE_MAILSLOT

Jump To: 806DCB1C

Hooking Module: \SystemRoot\System32\Drivers\spqn.sys

 

Hooked Module: \Driver\PCI_PNP3543

Hooked IRP: IRP_MJ_QUERY_SECURITY

Jump To: 806DCB1C

Hooking Module: \SystemRoot\System32\Drivers\spqn.sys

 

Hooked Module: \Driver\PCI_PNP3543

Hooked IRP: IRP_MJ_SET_SECURITY

Jump To: 806DCB1C

Hooking Module: \SystemRoot\System32\Drivers\spqn.sys

 

Hooked Module: \Driver\PCI_PNP3543

Hooked IRP: IRP_MJ_POWER

Jump To: 806A0E1C

Hooking Module: \SystemRoot\System32\Drivers\spqn.sys

 

Hooked Module: \Driver\PCI_PNP3543

Hooked IRP: IRP_MJ_SYSTEM_CONTROL

Jump To: 806B5514

Hooking Module: \SystemRoot\System32\Drivers\spqn.sys

 

Hooked Module: \Driver\PCI_PNP3543

Hooked IRP: IRP_MJ_DEVICE_CHANGE

Jump To: 806DCB1C

Hooking Module: \SystemRoot\System32\Drivers\spqn.sys

 

Hooked Module: \Driver\PCI_PNP3543

Hooked IRP: IRP_MJ_QUERY_QUOTA

Jump To: 806DCB1C

Hooking Module: \SystemRoot\System32\Drivers\spqn.sys

 

Hooked Module: \Driver\PCI_PNP3543

Hooked IRP: IRP_MJ_SET_QUOTA

Jump To: 806DCB1C

Hooking Module: \SystemRoot\System32\Drivers\spqn.sys

 

Hooked Module: C:\Windows\system32\drivers\msahci.sys

Hooked IRP: IRP_MJ_POWER

Jump To: 85F251F8

Hooking Module: _unknown_

 

Hooked Module: C:\Windows\system32\drivers\msahci.sys

Hooked IRP: IRP_MJ_SYSTEM_CONTROL

Jump To: 85F251F8

Hooking Module: _unknown_

 

********************************************************************************

**********

********************************************************************************

**********

No Ports found

 

********************************************************************************

**********

********************************************************************************

**********

Hidden files/folders:

Object: C:\System Volume Information\MountPointManagerRemoteDatabase

Status: Access denied

 

Object: C:\System Volume Information\SPP

Status: Access denied

 

Object: C:\System Volume Information\SystemRestore

Status: Access denied

 

Object: C:\System Volume Information\tracking.log

Status: Access denied

 

Object: C:\Users\Toum\AppData\Local\Microsoft\Messenger\toum_sthil@hotmail.fr\SharingMetadata\v_boch@msn.com\DFSR\Staging\CS{EB1CC4E6-EB02-4ED2-5449-412DC1D34BEE}\01\10-{EB1CC4E6-EB02-4ED2-5449-412DC1D34BEE}-v1-{BB6EA45E-8854-4F87-959E-9C9E70D3A236}-v10-Downloade

Status: Hidden

 

Object: C:\Users\Toum\AppData\Local\Microsoft\Messenger\toum_sthil@hotmail.fr\SharingMetadata\v_boch@msn.com\DFSR\Staging\CS{EB1CC4E6-EB02-4ED2-5449-412DC1D34BEE}\11\11-{BB6EA45E-8854-4F87-959E-9C9E70D3A236}-v11-{BB6EA45E-8854-4F87-959E-9C9E70D3A236}-v11-Download

Status: Hidden

 

Object: C:\Users\Toum\AppData\Local\Microsoft\Messenger\toum_sthil@hotmail.fr\SharingMetadata\v_boch@msn.com\DFSR\Staging\CS{EB1CC4E6-EB02-4ED2-5449-412DC1D34BEE}\12\12-{BB6EA45E-8854-4F87-959E-9C9E70D3A236}-v12-{BB6EA45E-8854-4F87-959E-9C9E70D3A236}-v12-Download

Status: Hidden

 

Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl

Status: Access denied

 

Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl

Status: Access denied

 

Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl

Status: Access denied

 

Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl

Status: Access denied

 

Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTMsMpPsSession.etl

Status: Access denied

[pear]

Vous n'avez rien vu en rouge ?

 

Nettoyage de Rootkit

Relancer Sysprot

 

Rechercher:ajj01e9s.SYS

Kernel Modules:

\SystemRoot\System32\Drivers\ajj01e9s.SYS

 

IRP Hooks:

Hooked Module: \SystemRoot\System32\Drivers\ajj01e9s.SYS

Hooked IRP: IRP_MJ_CREATE

Jump To: 87B831F8

Hooking Module: _unknown_

 

Hooked Module: \SystemRoot\System32\Drivers\ajj01e9s.SYS

Hooked IRP: IRP_MJ_CLOSE

Jump To: 87B831F8

Hooking Module: _unknown_

 

Hooked Module: \SystemRoot\System32\Drivers\ajj01e9s.SYS

Hooked IRP: IRP_MJ_DEVICE_CONTROL

Jump To: 87B831F8

Hooking Module: _unknown_

 

Hooked Module: \SystemRoot\System32\Drivers\ajj01e9s.SYS

Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL

Jump To: 8349095C

 

Hooked Module: \SystemRoot\System32\Drivers\ajj01e9s.SYS

Hooked IRP: IRP_MJ_POWER

Jump To: 87B831F8

Hooking Module: _unknown_

 

Hooked Module: \SystemRoot\System32\Drivers\ajj01e9s.SYS

Hooked IRP: IRP_MJ_SYSTEM_CONTROL

Jump To: 87B831F8

Hooking Module: _unknown_

Pour tuer un processus(Onglet Processes) clic droit->puis clic sur Kill ou Disable(Kernel Modules), ou Fix Hook(SSDT) ou Delete(Files Système)

 

Attention Des drivers commeDump_atapi.sys,dump_wmilib.sys,dump_iaStor.sys sont légitimes.Ils sont en rouge parce que, absents du disque , ils apparaissent en mémoire

[/color]

[Toum_]

Le rapport win32kdiag:

 

unning from: C:\Users\Toum\Desktop\Win32kDiag.exe

 

Log file at : C:\Users\Toum\Desktop\Win32kDiag.txt

 

WARNING: Could not get backup privileges!

 

Searching 'C:\Windows'...

 

 

 

Cannot access: C:\Windows\bthservsdp.dat

 

[1] 2009-10-22 15:06:18 12 C:\Windows\bthservsdp.dat ()

 

 

 

Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl

 

[1] 2009-10-22 18:16:20 64 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl ()

 

 

 

Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl

 

[1] 2009-10-22 18:17:06 21896 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl ()

 

 

 

Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl

 

[1] 2009-10-22 18:22:12 274960 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl ()

 

 

 

Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl

 

[1] 2009-10-22 18:25:39 525368 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl ()

 

 

 

Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTMsMpPsSession.etl

 

[1] 2009-10-22 18:13:47 0 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTMsMpPsSession.etl ()

 

 

 

 

 

Finished!

 

A priori ça n'a pas marché non plus...