Hello,

 

Thank you for staying up so late to help me!

I ran tdsskiller and it removed something! Bravo!

 

Here is the report

10:35:15:093 1928 TDSS rootkit removing tool 2.2.2 Jan 13 2010 08:42:25

10:35:15:093 1928 ================================================================================

10:35:15:093 1928 SystemInfo:

 

10:35:15:093 1928 OS Version: 5.1.2600 ServicePack: 3.0

10:35:15:093 1928 Product type: Workstation

10:35:15:093 1928 ComputerName: PCH

10:35:15:093 1928 UserName: PASCAL

10:35:15:093 1928 Windows directory: C:\WINDOWS

10:35:15:093 1928 Processor architecture: Intel x86

10:35:15:093 1928 Number of processors: 2

10:35:15:093 1928 Page size: 0x1000

10:35:15:093 1928 Boot type: Normal boot

10:35:15:093 1928 ================================================================================

10:35:15:125 1928 UnloadDriverW: NtUnloadDriver error 2

10:35:15:125 1928 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2

10:35:15:125 1928 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000

10:35:15:140 1928 UtilityInit: KLMD drop and load success

10:35:15:140 1928 KLMD_OpenDevice: Trying to open KLMD Device(KLMD201000)

10:35:15:140 1928 UtilityInit: KLMD open success

10:35:15:140 1928 UtilityInit: Initialize success

10:35:15:140 1928

10:35:15:140 1928 Scanning Services ...

10:35:15:140 1928 CreateRegParser: Registry parser init started

10:35:15:140 1928 DisableWow64Redirection: GetProcAddress(Wow64DisableWow64FsRedirection) error 127

10:35:15:140 1928 CreateRegParser: DisableWow64Redirection error

10:35:15:140 1928 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system

10:35:15:140 1928 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\system) returned status C0000043

10:35:15:140 1928 wfopen_ex: MyNtCreateFileW error 32 (C0000043)

10:35:15:140 1928 wfopen_ex: Trying to KLMD file open

10:35:15:140 1928 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\system

10:35:15:140 1928 wfopen_ex: File opened ok (Flags 2)

10:35:15:140 1928 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\system) init success: 274C08

10:35:15:140 1928 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software

10:35:15:140 1928 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\software) returned status C0000043

10:35:15:140 1928 wfopen_ex: MyNtCreateFileW error 32 (C0000043)

10:35:15:140 1928 wfopen_ex: Trying to KLMD file open

10:35:15:140 1928 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\software

10:35:15:140 1928 wfopen_ex: File opened ok (Flags 2)

10:35:15:140 1928 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\software) init success: 274C70

10:35:15:140 1928 EnableWow64Redirection: GetProcAddress(Wow64RevertWow64FsRedirection) error 127

10:35:15:140 1928 CreateRegParser: EnableWow64Redirection error

10:35:15:140 1928 CreateRegParser: RegParser init completed

10:35:15:656 1928 GetAdvancedServicesInfo: Raw services enum returned 350 services

10:35:15:656 1928 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system

10:35:15:656 1928 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software

10:35:15:656 1928

10:35:15:656 1928 Scanning Kernel memory ...

10:35:15:656 1928 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk

10:35:15:656 1928 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 8AD2E9E8

10:35:15:656 1928 DetectCureTDL3: KLMD_GetDeviceObjectList returned 3 DevObjects

10:35:15:656 1928

10:35:15:656 1928 DetectCureTDL3: DEVICE_OBJECT: 8AD20C68

10:35:15:656 1928 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8AD20C68

10:35:15:656 1928 KLMD_ReadMem: Trying to ReadMemory 0x8AD20C68[0x38]

10:35:15:656 1928 DetectCureTDL3: DRIVER_OBJECT: 8AD2E9E8

10:35:15:656 1928 KLMD_ReadMem: Trying to ReadMemory 0x8AD2E9E8[0xA8]

10:35:15:656 1928 KLMD_ReadMem: Trying to ReadMemory 0xE16A2218[0x18]

10:35:15:656 1928 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk

10:35:15:656 1928 DetectCureTDL3: IrpHandler (0) addr: BA96EBB0

10:35:15:656 1928 DetectCureTDL3: IrpHandler (1) addr: 804F4562

10:35:15:656 1928 DetectCureTDL3: IrpHandler (2) addr: BA96EBB0

10:35:15:656 1928 DetectCureTDL3: IrpHandler (3) addr: BA968D1F

10:35:15:656 1928 DetectCureTDL3: IrpHandler (4) addr: BA968D1F

10:35:15:656 1928 DetectCureTDL3: IrpHandler (5) addr: 804F4562

10:35:15:656 1928 DetectCureTDL3: IrpHandler (6) addr: 804F4562

10:35:15:656 1928 DetectCureTDL3: IrpHandler (7) addr: 804F4562

10:35:15:656 1928 DetectCureTDL3: IrpHandler (8) addr: 804F4562

10:35:15:656 1928 DetectCureTDL3: IrpHandler (9) addr: BA9692E2

10:35:15:656 1928 DetectCureTDL3: IrpHandler (10) addr: 804F4562

10:35:15:656 1928 DetectCureTDL3: IrpHandler (11) addr: 804F4562

10:35:15:656 1928 DetectCureTDL3: IrpHandler (12) addr: 804F4562

10:35:15:656 1928 DetectCureTDL3: IrpHandler (13) addr: 804F4562

10:35:15:656 1928 DetectCureTDL3: IrpHandler (14) addr: BA9693BB

10:35:15:656 1928 DetectCureTDL3: IrpHandler (15) addr: BA96CF28

10:35:15:656 1928 DetectCureTDL3: IrpHandler (16) addr: BA9692E2

10:35:15:656 1928 DetectCureTDL3: IrpHandler (17) addr: 804F4562

10:35:15:656 1928 DetectCureTDL3: IrpHandler (18) addr: 804F4562

10:35:15:656 1928 DetectCureTDL3: IrpHandler (19) addr: 804F4562

10:35:15:656 1928 DetectCureTDL3: IrpHandler (20) addr: 804F4562

10:35:15:656 1928 DetectCureTDL3: IrpHandler (21) addr: 804F4562

10:35:15:656 1928 DetectCureTDL3: IrpHandler (22) addr: BA96AC82

10:35:15:656 1928 DetectCureTDL3: IrpHandler (23) addr: BA96F99E

10:35:15:656 1928 DetectCureTDL3: IrpHandler (24) addr: 804F4562

10:35:15:656 1928 DetectCureTDL3: IrpHandler (25) addr: 804F4562

10:35:15:656 1928 DetectCureTDL3: IrpHandler (26) addr: 804F4562

10:35:15:656 1928 TDL3_FileDetect: Processing driver: Disk

10:35:15:656 1928 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys

10:35:15:656 1928 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys

10:35:15:687 1928 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean

10:35:15:687 1928

10:35:15:687 1928 DetectCureTDL3: DEVICE_OBJECT: 8AC1AC68

10:35:15:687 1928 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8AC1AC68

10:35:15:687 1928 KLMD_ReadMem: Trying to ReadMemory 0x8AC1AC68[0x38]

10:35:15:687 1928 DetectCureTDL3: DRIVER_OBJECT: 8AD2E9E8

10:35:15:687 1928 KLMD_ReadMem: Trying to ReadMemory 0x8AD2E9E8[0xA8]

10:35:15:687 1928 KLMD_ReadMem: Trying to ReadMemory 0xE16A2218[0x18]

10:35:15:687 1928 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk

10:35:15:687 1928 DetectCureTDL3: IrpHandler (0) addr: BA96EBB0

10:35:15:687 1928 DetectCureTDL3: IrpHandler (1) addr: 804F4562

10:35:15:687 1928 DetectCureTDL3: IrpHandler (2) addr: BA96EBB0

10:35:15:687 1928 DetectCureTDL3: IrpHandler (3) addr: BA968D1F

10:35:15:687 1928 DetectCureTDL3: IrpHandler (4) addr: BA968D1F

10:35:15:687 1928 DetectCureTDL3: IrpHandler (5) addr: 804F4562

10:35:15:687 1928 DetectCureTDL3: IrpHandler (6) addr: 804F4562

10:35:15:687 1928 DetectCureTDL3: IrpHandler (7) addr: 804F4562

10:35:15:687 1928 DetectCureTDL3: IrpHandler (8) addr: 804F4562

10:35:15:687 1928 DetectCureTDL3: IrpHandler (9) addr: BA9692E2

10:35:15:687 1928 DetectCureTDL3: IrpHandler (10) addr: 804F4562

10:35:15:687 1928 DetectCureTDL3: IrpHandler (11) addr: 804F4562

10:35:15:687 1928 DetectCureTDL3: IrpHandler (12) addr: 804F4562

10:35:15:687 1928 DetectCureTDL3: IrpHandler (13) addr: 804F4562

10:35:15:687 1928 DetectCureTDL3: IrpHandler (14) addr: BA9693BB

10:35:15:687 1928 DetectCureTDL3: IrpHandler (15) addr: BA96CF28

10:35:15:687 1928 DetectCureTDL3: IrpHandler (16) addr: BA9692E2

10:35:15:687 1928 DetectCureTDL3: IrpHandler (17) addr: 804F4562

10:35:15:687 1928 DetectCureTDL3: IrpHandler (18) addr: 804F4562

10:35:15:687 1928 DetectCureTDL3: IrpHandler (19) addr: 804F4562

10:35:15:687 1928 DetectCureTDL3: IrpHandler (20) addr: 804F4562

10:35:15:687 1928 DetectCureTDL3: IrpHandler (21) addr: 804F4562

10:35:15:687 1928 DetectCureTDL3: IrpHandler (22) addr: BA96AC82

10:35:15:687 1928 DetectCureTDL3: IrpHandler (23) addr: BA96F99E

10:35:15:687 1928 DetectCureTDL3: IrpHandler (24) addr: 804F4562

10:35:15:687 1928 DetectCureTDL3: IrpHandler (25) addr: 804F4562

10:35:15:687 1928 DetectCureTDL3: IrpHandler (26) addr: 804F4562

10:35:15:687 1928 TDL3_FileDetect: Processing driver: Disk

10:35:15:687 1928 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys

10:35:15:687 1928 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys

10:35:15:687 1928 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean

10:35:15:687 1928

10:35:15:687 1928 DetectCureTDL3: DEVICE_OBJECT: 8AD01AB8

10:35:15:687 1928 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8AD01AB8

10:35:15:687 1928 DetectCureTDL3: DEVICE_OBJECT: 8AD070F8

10:35:15:687 1928 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8AD070F8

10:35:15:687 1928 DetectCureTDL3: DEVICE_OBJECT: 8AD81BD0

10:35:15:687 1928 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8AD81BD0

10:35:15:687 1928 KLMD_ReadMem: Trying to ReadMemory 0x8AD81BD0[0x38]

10:35:15:687 1928 DetectCureTDL3: DRIVER_OBJECT: 8ACD7210

10:35:15:687 1928 KLMD_ReadMem: Trying to ReadMemory 0x8ACD7210[0xA8]

10:35:15:687 1928 KLMD_ReadMem: Trying to ReadMemory 0x8ACEFD98[0x38]

10:35:15:687 1928 KLMD_ReadMem: Trying to ReadMemory 0x8AD04F38[0xA8]

10:35:15:687 1928 KLMD_ReadMem: Trying to ReadMemory 0xE1008EF8[0x1A]

10:35:15:687 1928 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi

10:35:15:687 1928 DetectCureTDL3: IrpHandler (0) addr: 8AC1E841

10:35:15:687 1928 DetectCureTDL3: IrpHandler (1) addr: 8AC1E841

10:35:15:687 1928 DetectCureTDL3: IrpHandler (2) addr: 8AC1E841

10:35:15:687 1928 DetectCureTDL3: IrpHandler (3) addr: 8AC1E841

10:35:15:687 1928 DetectCureTDL3: IrpHandler (4) addr: 8AC1E841

10:35:15:687 1928 DetectCureTDL3: IrpHandler (5) addr: 8AC1E841

10:35:15:687 1928 DetectCureTDL3: IrpHandler (6) addr: 8AC1E841

10:35:15:687 1928 DetectCureTDL3: IrpHandler (7) addr: 8AC1E841

10:35:15:687 1928 DetectCureTDL3: IrpHandler (8) addr: 8AC1E841

10:35:15:687 1928 DetectCureTDL3: IrpHandler (9) addr: 8AC1E841

10:35:15:687 1928 DetectCureTDL3: IrpHandler (10) addr: 8AC1E841

10:35:15:687 1928 DetectCureTDL3: IrpHandler (11) addr: 8AC1E841

10:35:15:687 1928 DetectCureTDL3: IrpHandler (12) addr: 8AC1E841

10:35:15:687 1928 DetectCureTDL3: IrpHandler (13) addr: 8AC1E841

10:35:15:687 1928 DetectCureTDL3: IrpHandler (14) addr: 8AC1E841

10:35:15:687 1928 DetectCureTDL3: IrpHandler (15) addr: 8AC1E841

10:35:15:687 1928 DetectCureTDL3: IrpHandler (16) addr: 8AC1E841

10:35:15:687 1928 DetectCureTDL3: IrpHandler (17) addr: 8AC1E841

10:35:15:687 1928 DetectCureTDL3: IrpHandler (18) addr: 8AC1E841

10:35:15:687 1928 DetectCureTDL3: IrpHandler (19) addr: 8AC1E841

10:35:15:687 1928 DetectCureTDL3: IrpHandler (20) addr: 8AC1E841

10:35:15:687 1928 DetectCureTDL3: IrpHandler (21) addr: 8AC1E841

10:35:15:687 1928 DetectCureTDL3: IrpHandler (22) addr: 8AC1E841

10:35:15:687 1928 DetectCureTDL3: IrpHandler (23) addr: 8AC1E841

10:35:15:687 1928 DetectCureTDL3: IrpHandler (24) addr: 8AC1E841

10:35:15:687 1928 DetectCureTDL3: IrpHandler (25) addr: 8AC1E841

10:35:15:687 1928 DetectCureTDL3: IrpHandler (26) addr: 8AC1E841

10:35:15:687 1928 DetectCureTDL3: All IRP handlers pointed to one addr: 8AC1E841

10:35:15:687 1928 KLMD_ReadMem: Trying to ReadMemory 0x8AC1E841[0x400]

10:35:15:687 1928 TDL3_IrpHookDetect: CheckParameters: 4, FFDF0308, 333, 121, 3, 109

10:35:15:687 1928 Driver "atapi" Irp handler infected by TDSS rootkit ... 10:35:15:687 1928 KLMD_WriteMem: Trying to WriteMemory 0x8AC1E8BA[0xD]

10:35:15:687 1928 cured

10:35:15:687 1928 KLMD_ReadMem: Trying to ReadMemory 0x8AC1E6EC[0x400]

10:35:15:687 1928 TDL3_StartIoHookDetect: CheckParameters: 9, FFDF0308, 1

10:35:15:687 1928 Driver "atapi" StartIo handler infected by TDSS rootkit ... 10:35:15:687 1928 TDL3_StartIoHookCure: Number of patches 1

10:35:15:687 1928 KLMD_WriteMem: Trying to WriteMemory 0x8AC1E7F5[0x6]

10:35:15:687 1928 cured

10:35:15:687 1928 TDL3_FileDetect: Processing driver: atapi

10:35:15:687 1928 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys

10:35:15:687 1928 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\atapi.sys

10:35:15:687 1928 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Infected

10:35:15:687 1928 File C:\WINDOWS\system32\DRIVERS\atapi.sys infected by TDSS rootkit ... 10:35:15:687 1928 TDL3_FileCure: Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys

10:35:15:687 1928 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\system32\DriverStore\FileRepository\*) error 3

10:35:15:718 1928 CABFileCallback: Processing cab-file: C:\WINDOWS\Driver Cache\i386\sp3.cab

10:35:15:734 1928 CabinetCallback: Backup candidate found: atapi.sys:96512, extracting..

10:35:15:781 1928 CabinetCallback: File extracted successfully: C:\DOCUME~1\PASCAL\LOCALS~1\Temp\bck9.tmp

10:35:15:781 1928 ValidateDriverFile: Stage 1 passed

10:35:15:781 1928 ValidateDriverFile: Stage 2 passed

10:35:15:843 1928 DigitalSignVerifyByHandle: Embedded DS result: 800B0100

10:35:16:109 1928 DigitalSignVerifyByHandle: Cat DS result: 00000000

10:35:16:109 1928 ValidateDriverFile: Stage 3 passed

10:35:16:109 1928 CabinetCallback: File validated successfully, restore information prepared

10:35:16:109 1928 FindDriverFileBackup: Backup copy found in cab-file

10:35:16:109 1928 TDL3_FileCure: Backup copy found, using it..

10:35:16:125 1928 TDL3_FileCure: Dumping cured buffer to file C:\WINDOWS\system32\drivers\tskA.tmp

10:35:16:171 1928 TDL3_FileCure: New / Old Image paths: (system32\drivers\tskA.tmp, system32\drivers\atapi.sys)

10:35:16:171 1928 TDL3_FileCure: KLMD jobs schedule success

10:35:16:171 1928 will be cured on next reboot

10:35:16:171 1928 UtilityBootReinit: Reboot required for cure complete..

10:35:16:171 1928 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmdb.sys) returned status 00000000

10:35:16:171 1928 UtilityBootReinit: KLMD drop success

10:35:16:171 1928 KLMD_ApplyPendList: Pending buffer(2F2F_7DF8, 600) dropped successfully

10:35:16:171 1928 UtilityBootReinit: Cure on reboot scheduled successfully

10:35:16:171 1928

10:35:16:171 1928 Completed

10:35:16:171 1928

10:35:16:187 1928 Results:

10:35:16:187 1928 Memory objects infected / cured / cured on reboot: 2 / 2 / 0

10:35:16:187 1928 Registry objects infected / cured / cured on reboot: 0 / 0 / 0

10:35:16:187 1928 File objects infected / cured / cured on reboot: 1 / 0 / 1

10:35:16:187 1928

10:35:16:187 1928 UnloadDriverW: NtUnloadDriver error 1

10:35:16:187 1928 KLMD_Unload: UnloadDriverW(klmd21) error 1

10:35:16:187 1928 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000

10:35:16:187 1928 UtilityDeinit: KLMD(ARK) unloaded successfully

 

 

As usual, the mbam report shows nothing:

Malwarebytes' Anti-Malware 1.44

Database version: 3644

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

 

27/01/2010 13:26:43

mbam-log-2010-01-27 (13-26-43).txt

 

Scan type: Full Scan (C:\|)

Objects scanned: 215025

Time elapsed: 1 hour(s), 2 minute(s), 35 second(s)

 

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

 

Memory Processes Infected:

(No malicious items detected)

 

Memory Modules Infected:

(No malicious items detected)

 

Registry Keys Infected:

(No malicious items detected)

 

Registry Values Infected:

(No malicious items detected)

 

Registry Data Items Infected:

(No malicious items detected)

 

Folders Infected:

(No malicious items detected)

 

Files Infected:

(No malicious items detected)

 

Since running tdsskiller, I apparently no longer get the avir alert telling me I'm infected!

 

Looking forward to hearing from you

 

Regards,

 

calou41
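Added example (not part of calou41's post, nor code from Kaspersky's TDSSKiller): a small Python triage script that re-applies, over the text of a TDSSKiller 2.2.2 report like the one above, the two checks worth confirming by eye before trusting the verdict. First, it rebuilds each driver's IRP dispatch table from the `IrpHandler (n) addr:` lines and flags the pattern the tool itself reports for atapi, every major-function entry pointing at one and the same address (the clean disk.sys table, by contrast, mixes addresses inside its own image with one shared kernel address for the requests it does not implement). Second, it decodes the two Authenticode results printed while the replacement atapi.sys from sp3.cab was validated: 800B0100 is TRUST_E_NOSIGNATURE (the file carries no embedded signature), 00000000 is S_OK from the catalog check, which is why the copy was accepted. It also reads the Results block to tell whether a reboot is still needed. The regular expressions are assumptions about the 2.2.2 log format derived from the lines quoted in the post, and the sample input is a constructed, trimmed excerpt of that report.

```python
"""Triage helper for TDSSKiller 2.x text reports.

Added example, not code from the original post or from TDSSKiller itself.
The regular expressions are assumptions about the 2.2.2 log format,
derived from the lines quoted in the post.
"""
import re
from collections import defaultdict

# Constructed sample: a trimmed excerpt of the report quoted in the post
# (real dispatch tables have 27 entries each; two per driver are kept here).
SAMPLE_LOG = """\
10:35:15:656 1928 DetectCureTDL3: DRIVER_OBJECT name: \\Driver\\Disk, Driver Name: Disk
10:35:15:656 1928 DetectCureTDL3: IrpHandler (0) addr: BA96EBB0
10:35:15:656 1928 DetectCureTDL3: IrpHandler (1) addr: 804F4562
10:35:15:687 1928 DetectCureTDL3: DRIVER_OBJECT name: \\Driver\\atapi, Driver Name: atapi
10:35:15:687 1928 DetectCureTDL3: IrpHandler (0) addr: 8AC1E841
10:35:15:687 1928 DetectCureTDL3: IrpHandler (1) addr: 8AC1E841
10:35:15:843 1928 DigitalSignVerifyByHandle: Embedded DS result: 800B0100
10:35:16:109 1928 DigitalSignVerifyByHandle: Cat DS result: 00000000
10:35:16:187 1928 Memory objects infected / cured / cured on reboot: 2 / 2 / 0
10:35:16:187 1928 File objects infected / cured / cured on reboot: 1 / 0 / 1
"""

# Every report line is "hh:mm:ss:mmm <pid> <message>".
LINE_RE = re.compile(r"^\d{2}:\d{2}:\d{2}:\d{3}\s+\d+\s+(?P<msg>.*)$")
DRIVER_RE = re.compile(r"DRIVER_OBJECT name: \S+, Driver Name: (?P<name>\S+)")
IRP_RE = re.compile(r"IrpHandler \((?P<idx>\d+)\) addr: (?P<addr>[0-9A-Fa-f]+)")
DS_RE = re.compile(r"DigitalSignVerifyByHandle: (?P<kind>Embedded|Cat) DS result: (?P<hr>[0-9A-Fa-f]{8})")
RESULT_RE = re.compile(r"(?P<kind>Memory|Registry|File) objects infected / cured / cured on reboot: "
                       r"(?P<i>\d+) / (?P<c>\d+) / (?P<r>\d+)")

# Win32 HRESULTs printed for the Authenticode checks on the replacement driver.
HRESULT_NAMES = {0x00000000: "S_OK", 0x800B0100: "TRUST_E_NOSIGNATURE"}

def messages(log_text):
    """Yield the message part of each well-formed report line."""
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group("msg")

def parse_irp_tables(log_text):
    """Return {driver_name: {irp_major_index: handler_address}}; a driver dumped
    once per device object (disk.sys appears twice) is merged by name."""
    tables, current = defaultdict(dict), None
    for msg in messages(log_text):
        d = DRIVER_RE.search(msg)
        if d:
            current = d.group("name")
            continue
        h = IRP_RE.search(msg)
        if h and current is not None:
            tables[current][int(h.group("idx"))] = int(h.group("addr"), 16)
    return dict(tables)

def single_target_tables(tables):
    """Drivers whose whole dispatch table points at one address: a clean driver
    mixes its own routines with one shared kernel stub for unimplemented IRPs,
    so a table collapsed to a single target is the TDL3 hook the tool reports."""
    flagged = {}
    for name, table in tables.items():
        targets = set(table.values())
        if table and len(targets) == 1:
            flagged[name] = targets.pop()
    return flagged

def signature_verdicts(log_text):
    """Decode the embedded and catalog Authenticode results into HRESULT names."""
    out = {}
    for msg in messages(log_text):
        m = DS_RE.search(msg)
        if m:
            hr = int(m.group("hr"), 16)
            out[m.group("kind")] = HRESULT_NAMES.get(hr, f"0x{hr:08X}")
    return out

def backup_trusted(verdicts):
    """The tool accepted the extracted copy once either check returned S_OK."""
    return any(v == "S_OK" for v in verdicts.values())

def parse_results(log_text):
    """Return {'Memory'|'Registry'|'File': (infected, cured, cured_on_reboot)}."""
    out = {}
    for msg in messages(log_text):
        m = RESULT_RE.search(msg)
        if m:
            out[m.group("kind")] = tuple(int(m.group(k)) for k in ("i", "c", "r"))
    return out

def reboot_pending(results):
    """True when something is only cured on reboot, as atapi.sys is in this report."""
    return any(reboot for (_, _, reboot) in results.values())

if __name__ == "__main__":
    for drv, addr in single_target_tables(parse_irp_tables(SAMPLE_LOG)).items():
        print(f"{drv}: every IRP handler -> {addr:08X} (hooked dispatch table)")
    ds, res = signature_verdicts(SAMPLE_LOG), parse_results(SAMPLE_LOG)
    print("backup signature:", ds, "accepted" if backup_trusted(ds) else "rejected")
    print("results:", res, "REBOOT REQUIRED" if reboot_pending(res) else "no reboot pending")
```

Run it against a full report (`python triage.py < TDSSKiller.txt` after swapping SAMPLE_LOG for `sys.stdin.read()`) and the same three questions are answered for every driver object the tool walked, not just the one it named.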
