
Posted (edited)

Hello everyone,

 

Just a small point, mercurefi:

C:\DOCUME~1\Salon\LOCALS~1\Temp\Rar$EX00.672\HijackThis.exe

Do not put HijackThis in a Temp (temporary) folder, because you would not be able to keep the backups of the fixed lines!

 

There, I'll leave it to megataupe and Charly to guide you!

Edited by Jack_Burton

Posted

hello everyone...

 

after posting the AproposFix and HijackThis reports from the C drive, here are the ones from the laptop on which the faulty external HDD is isolated. I don't know whether this will be of any use, but just in case....

 

APROPOSFIX =

Log of AproposFix v1

***********

Running from directory:

C:\Documents and Settings\Siboni\Bureau\aproposfix

************

Registry entries found:

************

No service found!

Removing hidden folder:

No folder found!

Deleting files:

Backing up files:

Done!

Removing registry entries:

REGEDIT4

Done!

Finished!

 

 

 

 

HIJACKTHIS

Logfile of HijackThis v1.99.1

Scan saved at 14:53:01, on 11/12/2005

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\hijackthis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.club-internet.fr/navig/mail.phtml

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll

O4 - HKLM\..\Run: [adiras] adiras.exe

O4 - HKLM\..\Run: [CapFax] C:\Program Files\WinFax Plus\CapFax.EXE

O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe"

O4 - HKLM\..\Run: [MPFTray] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe

O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe

O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask

O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe

O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"

O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st800\DSLMON.exe

O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Wireless Client Manager.lnk = ?

O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll

O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {01347765-1965-426B-91A4-AA6BB342B9A3} (InstallerObj Class) - http://videohd.m6.fr.ipercast.net/installer-hidden.cab

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...83/mcinsctl.cab

O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - https://mysupport.nai.com/amiuptodate/bin/1...pdatePortal.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1106413635273

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab

O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,20/mcgdmgr.cab

O23 - Service: AntiVir Scheduler (AntiVirScheduler) - H+BEDV Datentechnik GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe

O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe

O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe

O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe

O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe

O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe

O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe

O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe

O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe

O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe

O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

O23 - Service: McAfee SpamKiller Server (MskService) - Networks Associates Technology. Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe

O23 - Service: SHYXOA - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Siboni\LOCALS~1\Temp\SHYXOA.exe

 

 

there you go...

and thanks again to everyone

Posted
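The helpers read a HijackThis log by scanning each entry for where its binary lives. Below is an added triage script (my own, not from the thread or from HijackThis) that parses entries of the kind posted above and flags the usual pointers: a service or Run entry executing from a Temp directory, a service with no company name, a bare filename with no full path, and a startup shortcut whose target could not be resolved. The sample lines are a constructed subset of the log above.

```python
import re

# Constructed sample: a handful of lines copied from the HijackThis log above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - Global Startup: Wireless Client Manager.lnk = ?
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: SHYXOA - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Siboni\LOCALS~1\Temp\SHYXOA.exe
"""

# "O23 - ..." / "R1 - ..." entry lines; anything else (headers, process list) is skipped.
ENTRY_RE = re.compile(r"^(O\d+|R\d)\s+-\s+(.*)$")
# First drive-rooted path ending in an executable/library extension.
PATH_RE = re.compile(r"([A-Za-z]:\\.*?\.(?:exe|dll|ocx|scr|cab))", re.IGNORECASE)
# Any "\Temp\" or "\tmp\" component, which also covers LOCALS~1\Temp short names.
TEMP_RE = re.compile(r"\\(?:temp|tmp)\\", re.IGNORECASE)


def parse_entry(line):
    """Split a HijackThis line into section code, body and extracted path; None for non-entries."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    pm = PATH_RE.search(body)
    return {"section": section, "body": body, "path": pm.group(1) if pm else None}


def reasons_for(entry):
    """Return the triage reasons that apply to one parsed entry (empty list = nothing notable)."""
    reasons = []
    path, body, section = entry["path"], entry["body"], entry["section"]
    if path and TEMP_RE.search(path):
        reasons.append("runs from a Temp directory")
    if section == "O23" and "Unknown owner" in body:
        reasons.append("service binary carries no company name")
    if section == "O4" and path is None:
        if body.rstrip().endswith("= ?"):
            reasons.append("startup shortcut target could not be resolved")
        else:
            reasons.append("bare filename with no full path (resolved via PATH at logon)")
    return reasons


def triage(log_text):
    """Return [(section, path-or-body, reasons)] for every entry with at least one reason."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        reasons = reasons_for(entry)
        if reasons:
            flagged.append((entry["section"], entry["path"] or entry["body"], reasons))
    return flagged


if __name__ == "__main__":
    for section, what, reasons in triage(SAMPLE_LOG):
        print(f"{section:4} {what}\n     -> {'; '.join(reasons)}")
```

A flag is a pointer for a human to check the file, not a verdict: the McShield entry above is flagged only because HijackThis could not read a company name from it.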

Well, at least we're sure it's not the Apropos rootkit that is haunting your PC.

 

We can also try Process Guard (if you manage to download it, because the site seems to be down tonight).

 

So, download Process Guard free and install it (close all other applications first).

 

-check that the Learning mode box is ticked in the Main tab.

 

-restart the PC and save the entries shown in View logfiles (alerts tab) into a txt file (to be created with Notepad).

 

-untick the Learning mode box in the Main tab and restart the PC, then copy/paste the entries shown in View logfiles (alerts tab) into the txt file created earlier (after the first copy) and send the report.

Posted

Well, at least we're sure it's not the Apropos rootkit that is haunting your PC.

 

We can also try Process Guard (if you manage to download it, because the site seems to be down tonight).

 

So, download Process Guard free and install it (close all other applications first).

 

-check that the Learning mode box is ticked in the Main tab.

 

-restart the PC and save the entries shown in View logfiles (alerts tab) into a txt file (to be created with Notepad).

 

-untick the Learning mode box in the Main tab and restart the PC, then copy/paste the entries shown in View logfiles (alerts tab) into the txt file created earlier (after the first copy) and send the report.

 

 

hi again megataupe...

 

I finally managed to download it and here are the 2 reports:

 

WITH LEARNING MODE =

 

---Process Guard Log Started---

Sun 11 - 20:52:05 [EXECUTION] "c:\windows\system32\wdfmgr.exe" was allowed to run

[EXECUTION] Started by "c:\windows\system32\services.exe" [772]

[EXECUTION] Commandline - [ c:\windows\system32\wdfmgr.exe ]

Sun 11 - 20:52:05 [EXECUTION] "c:\progra~1\mcafee.com\agent\mcagent.exe" was allowed to run

[EXECUTION] Started by "c:\windows\explorer.exe" [424]

[EXECUTION] Commandline - [ "c:\progra~1\mcafee.com\agent\mcagent.exe" ]

Sun 11 - 20:52:05 [EXECUTION] "c:\windows\system32\mspmspsv.exe" was allowed to run

[EXECUTION] Started by "c:\windows\system32\services.exe" [772]

[EXECUTION] Commandline - [ c:\windows\system32\mspmspsv.exe ]

Sun 11 - 20:52:05 [EXECUTION] "c:\windows\system32\svchost.exe" was allowed to run

[EXECUTION] Started by "c:\windows\system32\services.exe" [772]

[EXECUTION] Commandline - [ c:\windows\system32\svchost.exe -k netsvcs ]

Sun 11 - 20:52:05 [EXECUTION] "c:\progra~1\mcafee.com\vso\mcvsshld.exe" was allowed to run

[EXECUTION] Started by "c:\windows\explorer.exe" [424]

[EXECUTION] Commandline - [ "c:\progra~1\mcafee.com\vso\mcvsshld.exe" ]

Sun 11 - 20:52:05 [EXECUTION] "c:\windows\system32\fxssvc.exe" was allowed to run

[EXECUTION] Started by "c:\windows\system32\services.exe" [772]

[EXECUTION] Commandline - [ c:\windows\system32\fxssvc.exe ]

Sun 11 - 20:52:06 [EXECUTION] "c:\progra~1\mcafee.com\vso\mcvsescn.exe" was allowed to run

[EXECUTION] Started by "c:\progra~1\mcafee.com\vso\mcvsshld.exe" [2064]

[EXECUTION] Commandline - [ "c:\progra~1\mcafee.com\vso\mcvsescn.exe" /disabled ]

Sun 11 - 20:52:06 [EXECUTION] "c:\progra~1\mcafee\spamki~1\mskdetct.exe" was allowed to run

[EXECUTION] Started by "c:\windows\explorer.exe" [424]

[EXECUTION] Commandline - [ "c:\progra~1\mcafee\spamki~1\mskdetct.exe" /startup ]

Sun 11 - 20:52:07 [EXECUTION] "c:\progra~1\mcafee\spamki~1\mskagent.exe" was allowed to run

[EXECUTION] Started by "c:\progra~1\mcafee\spamki~1\msksrvr.exe" [2012]

[EXECUTION] Commandline - [ c:\progra~1\mcafee\spamki~1\mskagent.exe /notifyagent ]

Sun 11 - 20:52:07 [EXECUTION] "c:\progra~1\mcafee.com\vso\mcshield.exe" was allowed to run

[EXECUTION] Started by "c:\windows\system32\services.exe" [772]

[EXECUTION] Commandline - [ c:\progra~1\mcafee.com\vso\mcshield.exe ]

Sun 11 - 20:52:07 [EXECUTION] "c:\program files\mcafee.com\shared\mghtml.exe" was allowed to run

[EXECUTION] Started by "c:\windows\system32\svchost.exe" [1000]

[EXECUTION] Commandline - [ "c:\program files\mcafee.com\shared\mghtml.exe" -embedding ]

Sun 11 - 20:52:07 [EXECUTION] "c:\progra~1\mcafee.com\person~1\mpftray.exe" was allowed to run

[EXECUTION] Started by "c:\windows\explorer.exe" [424]

[EXECUTION] Commandline - [ "c:\progra~1\mcafee.com\person~1\mpftray.exe" ]

Sun 11 - 20:52:09 [EXECUTION] "c:\progra~1\mcafee.com\person~1\mpftray.exe" was allowed to run

[EXECUTION] Started by "c:\windows\explorer.exe" [424]

[EXECUTION] Commandline - [ "c:\progra~1\mcafee.com\person~1\mpftray.exe" ]

Sun 11 - 20:52:11 [EXECUTION] "c:\program files\fichiers communs\real\update_ob\realsched.exe" was allowed to run

[EXECUTION] Started by "c:\windows\explorer.exe" [424]

[EXECUTION] Commandline - [ "c:\program files\fichiers communs\real\update_ob\realsched.exe" -osboot ]

Sun 11 - 20:52:13 [EXECUTION] "c:\program files\processguard\procguard.exe" was allowed to run

[EXECUTION] Started by "c:\windows\explorer.exe" [424]

[EXECUTION] Commandline - [ "c:\program files\processguard\procguard.exe" ]

Sun 11 - 20:52:13 [EXECUTION] "c:\windows\system32\alg.exe" was allowed to run

[EXECUTION] Started by "c:\windows\system32\services.exe" [772]

[EXECUTION] Commandline - [ c:\windows\system32\alg.exe ]

Sun 11 - 20:52:13 [EXECUTION] "c:\progra~1\mcafee.com\person~1\mpfagent.exe" was allowed to run

[EXECUTION] Started by "c:\windows\system32\svchost.exe" [1000]

[EXECUTION] Commandline - [ c:\progra~1\mcafee.com\person~1\mpfagent.exe -embedding ]

Sun 11 - 20:52:14 [EXECUTION] "c:\program files\natso backup\natsobackup_pro.exe" was allowed to run

[EXECUTION] Started by "c:\windows\explorer.exe" [424]

[EXECUTION] Commandline - [ "c:\program files\natso backup\natsobackup_pro.exe" ]

Sun 11 - 20:52:14 [EXECUTION] "c:\windows\system32\wbem\wmiprvse.exe" was allowed to run

[EXECUTION] Started by "c:\windows\system32\svchost.exe" [1000]

[EXECUTION] Commandline - [ c:\windows\system32\wbem\wmiprvse.exe -embedding ]

Sun 11 - 20:52:15 [EXECUTION] "c:\program files\quicktime\qttask.exe" was allowed to run

[EXECUTION] Started by "c:\windows\explorer.exe" [424]

[EXECUTION] Commandline - [ "c:\program files\quicktime\qttask.exe" -atboottime ]

Sun 11 - 20:52:15 [EXECUTION] "c:\program files\itunes\ituneshelper.exe" was allowed to run

[EXECUTION] Started by "c:\windows\explorer.exe" [424]

[EXECUTION] Commandline - [ "c:\program files\itunes\ituneshelper.exe" ]

Sun 11 - 20:52:16 [EXECUTION] "c:\program files\ipod\bin\ipodservice.exe" was allowed to run

[EXECUTION] Started by "c:\windows\system32\services.exe" [772]

[EXECUTION] Commandline - [ "c:\program files\ipod\bin\ipodservice.exe" ]

Sun 11 - 20:52:16 [EXECUTION] "c:\program files\processguard\pgaccount.exe" was allowed to run

[EXECUTION] Started by "c:\windows\explorer.exe" [424]

[EXECUTION] Commandline - [ "c:\program files\processguard\pgaccount.exe" ]

Sun 11 - 20:52:17 [EXECUTION] "c:\windows\system32\ctfmon.exe" was allowed to run

[EXECUTION] Started by "c:\windows\explorer.exe" [424]

[EXECUTION] Commandline - [ "c:\windows\system32\ctfmon.exe" ]

Sun 11 - 20:52:19 [EXECUTION] "c:\program files\messenger\msmsgs.exe" was allowed to run

[EXECUTION] Started by "c:\windows\explorer.exe" [424]

[EXECUTION] Commandline - [ "c:\program files\messenger\msmsgs.exe" /background ]

Sun 11 - 20:52:19 [EXECUTION] "c:\progra~1\mcafee.com\person~1\mpfwizard.exe" was allowed to run

[EXECUTION] Started by "c:\progra~1\mcafee.com\person~1\mpftray.exe" [2420]

[EXECUTION] Commandline - [ "mpfwizard.exe" ]

Sun 11 - 20:52:20 [EXECUTION] "c:\program files\processguard\procguard.exe" was allowed to run

[EXECUTION] Started by "c:\windows\explorer.exe" [424]

[EXECUTION] Commandline - [ "c:\program files\processguard\procguard.exe" -minimize ]

Sun 11 - 20:52:21 [EXECUTION] "c:\program files\wintv\ir.exe" was allowed to run

[EXECUTION] Started by "c:\windows\explorer.exe" [424]

[EXECUTION] Commandline - [ "c:\program files\wintv\ir.exe" /quiet ]

Sun 11 - 20:52:21 [EXECUTION] "c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe" was allowed to run

[EXECUTION] Started by "c:\windows\explorer.exe" [424]

[EXECUTION] Commandline - [ "c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe" ]

Sun 11 - 20:52:51 [EXECUTION] "c:\windows\system32\wuauclt.exe" was allowed to run

[EXECUTION] Started by "c:\windows\system32\svchost.exe" [1768]

[EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[6e8]susds6fc9d8a98298f644bff72aa41bb0a33b ]

Sun 11 - 20:53:13 [EXECUTION] "c:\windows\system32\notepad.exe" was allowed to run

[EXECUTION] Started by "c:\windows\explorer.exe" [424]

[EXECUTION] Commandline - [ "c:\windows\system32\notepad.exe" c:\program files\processguard\logs\pglog_12_2005.txt ]

 

 

 

 

WITHOUT LEARNING MODE =

 

---Process Guard Log Started---

Sun 11 - 20:52:05 [EXECUTION] "c:\windows\system32\wdfmgr.exe" was allowed to run

[EXECUTION] Started by "c:\windows\system32\services.exe" [772]

[EXECUTION] Commandline - [ c:\windows\system32\wdfmgr.exe ]

Sun 11 - 20:52:05 [EXECUTION] "c:\progra~1\mcafee.com\agent\mcagent.exe" was allowed to run

[EXECUTION] Started by "c:\windows\explorer.exe" [424]

[EXECUTION] Commandline - [ "c:\progra~1\mcafee.com\agent\mcagent.exe" ]

Sun 11 - 20:52:05 [EXECUTION] "c:\windows\system32\mspmspsv.exe" was allowed to run

[EXECUTION] Started by "c:\windows\system32\services.exe" [772]

[EXECUTION] Commandline - [ c:\windows\system32\mspmspsv.exe ]

Sun 11 - 20:52:05 [EXECUTION] "c:\windows\system32\svchost.exe" was allowed to run

[EXECUTION] Started by "c:\windows\system32\services.exe" [772]

[EXECUTION] Commandline - [ c:\windows\system32\svchost.exe -k netsvcs ]

Sun 11 - 20:52:05 [EXECUTION] "c:\progra~1\mcafee.com\vso\mcvsshld.exe" was allowed to run

[EXECUTION] Started by "c:\windows\explorer.exe" [424]

[EXECUTION] Commandline - [ "c:\progra~1\mcafee.com\vso\mcvsshld.exe" ]

Sun 11 - 20:52:05 [EXECUTION] "c:\windows\system32\fxssvc.exe" was allowed to run

[EXECUTION] Started by "c:\windows\system32\services.exe" [772]

[EXECUTION] Commandline - [ c:\windows\system32\fxssvc.exe ]

Sun 11 - 20:52:06 [EXECUTION] "c:\progra~1\mcafee.com\vso\mcvsescn.exe" was allowed to run

[EXECUTION] Started by "c:\progra~1\mcafee.com\vso\mcvsshld.exe" [2064]

[EXECUTION] Commandline - [ "c:\progra~1\mcafee.com\vso\mcvsescn.exe" /disabled ]

Sun 11 - 20:52:06 [EXECUTION] "c:\progra~1\mcafee\spamki~1\mskdetct.exe" was allowed to run

[EXECUTION] Started by "c:\windows\explorer.exe" [424]

[EXECUTION] Commandline - [ "c:\progra~1\mcafee\spamki~1\mskdetct.exe" /startup ]

Sun 11 - 20:52:07 [EXECUTION] "c:\progra~1\mcafee\spamki~1\mskagent.exe" was allowed to run

[EXECUTION] Started by "c:\progra~1\mcafee\spamki~1\msksrvr.exe" [2012]

[EXECUTION] Commandline - [ c:\progra~1\mcafee\spamki~1\mskagent.exe /notifyagent ]

Sun 11 - 20:52:07 [EXECUTION] "c:\progra~1\mcafee.com\vso\mcshield.exe" was allowed to run

[EXECUTION] Started by "c:\windows\system32\services.exe" [772]

[EXECUTION] Commandline - [ c:\progra~1\mcafee.com\vso\mcshield.exe ]

Sun 11 - 20:52:07 [EXECUTION] "c:\program files\mcafee.com\shared\mghtml.exe" was allowed to run

[EXECUTION] Started by "c:\windows\system32\svchost.exe" [1000]

[EXECUTION] Commandline - [ "c:\program files\mcafee.com\shared\mghtml.exe" -embedding ]

Sun 11 - 20:52:07 [EXECUTION] "c:\progra~1\mcafee.com\person~1\mpftray.exe" was allowed to run

[EXECUTION] Started by "c:\windows\explorer.exe" [424]

[EXECUTION] Commandline - [ "c:\progra~1\mcafee.com\person~1\mpftray.exe" ]

Sun 11 - 20:52:09 [EXECUTION] "c:\progra~1\mcafee.com\person~1\mpftray.exe" was allowed to run

[EXECUTION] Started by "c:\windows\explorer.exe" [424]

[EXECUTION] Commandline - [ "c:\progra~1\mcafee.com\person~1\mpftray.exe" ]

Sun 11 - 20:52:11 [EXECUTION] "c:\program files\fichiers communs\real\update_ob\realsched.exe" was allowed to run

[EXECUTION] Started by "c:\windows\explorer.exe" [424]

[EXECUTION] Commandline - [ "c:\program files\fichiers communs\real\update_ob\realsched.exe" -osboot ]

Sun 11 - 20:52:13 [EXECUTION] "c:\program files\processguard\procguard.exe" was allowed to run

[EXECUTION] Started by "c:\windows\explorer.exe" [424]

[EXECUTION] Commandline - [ "c:\program files\processguard\procguard.exe" ]

Sun 11 - 20:52:13 [EXECUTION] "c:\windows\system32\alg.exe" was allowed to run

[EXECUTION] Started by "c:\windows\system32\services.exe" [772]

[EXECUTION] Commandline - [ c:\windows\system32\alg.exe ]

Sun 11 - 20:52:13 [EXECUTION] "c:\progra~1\mcafee.com\person~1\mpfagent.exe" was allowed to run

[EXECUTION] Started by "c:\windows\system32\svchost.exe" [1000]

[EXECUTION] Commandline - [ c:\progra~1\mcafee.com\person~1\mpfagent.exe -embedding ]

Sun 11 - 20:52:14 [EXECUTION] "c:\program files\natso backup\natsobackup_pro.exe" was allowed to run

[EXECUTION] Started by "c:\windows\explorer.exe" [424]

[EXECUTION] Commandline - [ "c:\program files\natso backup\natsobackup_pro.exe" ]

Sun 11 - 20:52:14 [EXECUTION] "c:\windows\system32\wbem\wmiprvse.exe" was allowed to run

[EXECUTION] Started by "c:\windows\system32\svchost.exe" [1000]

[EXECUTION] Commandline - [ c:\windows\system32\wbem\wmiprvse.exe -embedding ]

Sun 11 - 20:52:15 [EXECUTION] "c:\program files\quicktime\qttask.exe" was allowed to run

[EXECUTION] Started by "c:\windows\explorer.exe" [424]

[EXECUTION] Commandline - [ "c:\program files\quicktime\qttask.exe" -atboottime ]

Sun 11 - 20:52:15 [EXECUTION] "c:\program files\itunes\ituneshelper.exe" was allowed to run

[EXECUTION] Started by "c:\windows\explorer.exe" [424]

[EXECUTION] Commandline - [ "c:\program files\itunes\ituneshelper.exe" ]

Sun 11 - 20:52:16 [EXECUTION] "c:\program files\ipod\bin\ipodservice.exe" was allowed to run

[EXECUTION] Started by "c:\windows\system32\services.exe" [772]

[EXECUTION] Commandline - [ "c:\program files\ipod\bin\ipodservice.exe" ]

Sun 11 - 20:52:16 [EXECUTION] "c:\program files\processguard\pgaccount.exe" was allowed to run

[EXECUTION] Started by "c:\windows\explorer.exe" [424]

[EXECUTION] Commandline - [ "c:\program files\processguard\pgaccount.exe" ]

Sun 11 - 20:52:17 [EXECUTION] "c:\windows\system32\ctfmon.exe" was allowed to run

[EXECUTION] Started by "c:\windows\explorer.exe" [424]

[EXECUTION] Commandline - [ "c:\windows\system32\ctfmon.exe" ]

Sun 11 - 20:52:19 [EXECUTION] "c:\program files\messenger\msmsgs.exe" was allowed to run

[EXECUTION] Started by "c:\windows\explorer.exe" [424]

[EXECUTION] Commandline - [ "c:\program files\messenger\msmsgs.exe" /background ]

Sun 11 - 20:52:19 [EXECUTION] "c:\progra~1\mcafee.com\person~1\mpfwizard.exe" was allowed to run

[EXECUTION] Started by "c:\progra~1\mcafee.com\person~1\mpftray.exe" [2420]

[EXECUTION] Commandline - [ "mpfwizard.exe" ]

Sun 11 - 20:52:20 [EXECUTION] "c:\program files\processguard\procguard.exe" was allowed to run

[EXECUTION] Started by "c:\windows\explorer.exe" [424]

[EXECUTION] Commandline - [ "c:\program files\processguard\procguard.exe" -minimize ]

Sun 11 - 20:52:21 [EXECUTION] "c:\program files\wintv\ir.exe" was allowed to run

[EXECUTION] Started by "c:\windows\explorer.exe" [424]

[EXECUTION] Commandline - [ "c:\program files\wintv\ir.exe" /quiet ]

Sun 11 - 20:52:21 [EXECUTION] "c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe" was allowed to run

[EXECUTION] Started by "c:\windows\explorer.exe" [424]

[EXECUTION] Commandline - [ "c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe" ]

Sun 11 - 20:52:51 [EXECUTION] "c:\windows\system32\wuauclt.exe" was allowed to run

[EXECUTION] Started by "c:\windows\system32\svchost.exe" [1768]

[EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[6e8]susds6fc9d8a98298f644bff72aa41bb0a33b ]

Sun 11 - 20:53:13 [EXECUTION] "c:\windows\system32\notepad.exe" was allowed to run

[EXECUTION] Started by "c:\windows\explorer.exe" [424]

[EXECUTION] Commandline - [ "c:\windows\system32\notepad.exe" c:\program files\processguard\logs\pglog_12_2005.txt ]

Sun 11 - 20:53:51 [EXECUTION] "c:\windows\system32\notepad.exe" was allowed to run

[EXECUTION] Started by "c:\windows\explorer.exe" [424]

[EXECUTION] Commandline - [ "c:\windows\system32\notepad.exe" ]

Sun 11 - 20:54:48 [EXECUTION] "c:\windows\system32\notepad.exe" was allowed to run

[EXECUTION] Started by "c:\windows\explorer.exe" [424]

[EXECUTION] Commandline - [ "c:\windows\system32\notepad.exe" c:\program files\process guard 3150\rapport.txt ]

Sun 11 - 20:55:52 [EXECUTION] "c:\windows\system32\logonui.exe" was allowed to run

[EXECUTION] Started by "c:\windows\system32\winlogon.exe" [728]

[EXECUTION] Commandline - [ logonui.exe /status /shutdown ]

Sun 11 - 20:56:02 [TERMINATE] c:\windows\system32\services.exe [772] was blocked from terminating c:\windows\system32\spoolsv.exe [1596]

 

---Process Guard Log Started---

Sun 11 - 20:57:26 [EXECUTION] "c:\windows\system32\fxssvc.exe" was allowed to run

[EXECUTION] Started by "c:\windows\system32\services.exe" [772]

[EXECUTION] Commandline - [ c:\windows\system32\fxssvc.exe ]

Sun 11 - 20:57:27 [EXECUTION] "c:\program files\ipod\bin\ipodservice.exe" was allowed to run

[EXECUTION] Started by "c:\windows\system32\services.exe" [772]

[EXECUTION] Commandline - [ "c:\program files\ipod\bin\ipodservice.exe" ]

Sun 11 - 20:57:28 [EXECUTION] "c:\program files\mcafee.com\vso\mcshield.exe" was allowed to run

[EXECUTION] Started by "c:\windows\system32\services.exe" [772]

[EXECUTION] Commandline - [ c:\progra~1\mcafee.com\vso\mcshield.exe ]

Sun 11 - 20:57:30 [EXECUTION] "c:\program files\mcafee\spamkiller\mskagent.exe" was allowed to run

[EXECUTION] Started by "c:\progra~1\mcafee\spamki~1\msksrvr.exe" [1776]

[EXECUTION] Commandline - [ c:\progra~1\mcafee\spamki~1\mskagent.exe /notifyagent ]

Sun 11 - 20:57:31 [EXECUTION] "c:\windows\system32\alg.exe" was allowed to run

[EXECUTION] Started by "c:\windows\system32\services.exe" [772]

[EXECUTION] Commandline - [ c:\windows\system32\alg.exe ]

Sun 11 - 20:57:32 [EXECUTION] "c:\windows\system32\wbem\wmiprvse.exe" was allowed to run

[EXECUTION] Started by "c:\windows\system32\svchost.exe" [1000]

[EXECUTION] Commandline - [ c:\windows\system32\wbem\wmiprvse.exe -embedding ]

Sun 11 - 20:57:32 [EXECUTION] "c:\program files\mcafee.com\personal firewall\mpfwizard.exe" was allowed to run

[EXECUTION] Started by "c:\progra~1\mcafee.com\person~1\mpftray.exe" [532]

[EXECUTION] Commandline - [ "mpfwizard.exe" ]

Sun 11 - 20:57:36 [EXECUTION] "c:\program files\processguard\procguard.exe" was allowed to run

[EXECUTION] Started by "c:\windows\explorer.exe" [1900]

[EXECUTION] Commandline - [ "c:\program files\processguard\procguard.exe" -minimize ]

Sun 11 - 20:57:37 [EXECUTION] "c:\program files\wintv\ir.exe" was allowed to run

[EXECUTION] Started by "c:\windows\explorer.exe" [1900]

[EXECUTION] Commandline - [ "c:\program files\wintv\ir.exe" /quiet ]

Sun 11 - 20:57:37 [EXECUTION] "c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe" was allowed to run

[EXECUTION] Started by "c:\windows\explorer.exe" [1900]

[EXECUTION] Commandline - [ "c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe" ]

Sun 11 - 20:58:02 [EXECUTION] "c:\windows\system32\notepad.exe" was allowed to run

[EXECUTION] Started by "c:\windows\explorer.exe" [1900]

[EXECUTION] Commandline - [ "c:\windows\system32\notepad.exe" c:\program files\processguard\logs\pglog_12_2005.txt ]

 

 

many thanks

 

mercurefi

 

 

oooppssss I forgot to add that I only did this on the C drive. Should I repeat it on the external HDD isolated on the laptop?

Posted

Well, just one remark on these 2 reports:

 

[EXECUTION] Commandline - [ logonui.exe /status /shutdown ]

Sun 11 - 20:56:02 [TERMINATE] c:\windows\system32\services.exe [772]

was blocked from terminating c:\windows\system32\spoolsv.exe [1596]

 

why did services.exe want to kill the print spooler without being authorised to (unless it was you who authorised it :P)

 

Have these 2 files analysed at virusscan:

 

c:\windows\system32\services.exe

 

c:\windows\system32\spoolsv.exe

 

Virusscan

 

and send the report.

Posted
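The remark above comes from reading two long logs and spotting the one line that is not "was allowed". As an added example (my own script, not from the thread or from Process Guard), here is a parser for that log format that pulls out every non-allowed event and lists what the enforcing-mode run contains that the learning-mode run did not. The sample is a constructed excerpt of the two logs above; the TERMINATE line format follows the one line the log shows.

```python
import re

# Constructed sample excerpted from the two Process Guard logs posted above.
LEARNING_LOG = r"""
---Process Guard Log Started---
Sun 11 - 20:52:05 [EXECUTION] "c:\windows\system32\wdfmgr.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" [772]
[EXECUTION] Commandline - [ c:\windows\system32\wdfmgr.exe ]
Sun 11 - 20:52:13 [EXECUTION] "c:\program files\processguard\procguard.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [424]
[EXECUTION] Commandline - [ "c:\program files\processguard\procguard.exe" ]
"""
ENFORCING_LOG = LEARNING_LOG + r"""
Sun 11 - 20:55:52 [EXECUTION] "c:\windows\system32\logonui.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\winlogon.exe" [728]
[EXECUTION] Commandline - [ logonui.exe /status /shutdown ]
Sun 11 - 20:56:02 [TERMINATE] c:\windows\system32\services.exe [772] was blocked from terminating c:\windows\system32\spoolsv.exe [1596]
"""

HEADER_RE = re.compile(r"^(?P<time>\w{3} \d+ - \d\d:\d\d:\d\d) \[(?P<kind>[A-Z]+)\] (?P<rest>.*)$")
EXEC_RE = re.compile(r'^"(?P<image>[^"]+)" was (?P<verdict>\w+) to run$')
TERM_RE = re.compile(r"^(?P<actor>.+?) \[(?P<apid>\d+)\] was (?P<verdict>\w+) from terminating "
                     r"(?P<target>.+?) \[(?P<tpid>\d+)\]$")
PARENT_RE = re.compile(r'^\[EXECUTION\] Started by "(?P<parent>[^"]+)" \[(?P<ppid>\d+)\]$')
CMD_RE = re.compile(r"^\[EXECUTION\] Commandline - \[ (?P<cmd>.*) \]$")


def parse_log(text):
    """Turn a Process Guard alert log into a list of event dicts.

    An EXECUTION event spans three lines (header, 'Started by', 'Commandline');
    a TERMINATE event is a single line, as in the log posted above.
    """
    events = []
    for line in text.splitlines():
        line = line.strip()
        h = HEADER_RE.match(line)
        if h:
            ev = {"time": h["time"], "kind": h["kind"], "verdict": "?", "raw": line}
            rest = h["rest"]
            if ev["kind"] == "EXECUTION" and (m := EXEC_RE.match(rest)):
                ev.update(image=m["image"], verdict=m["verdict"], parent=None, cmdline=None)
            elif ev["kind"] == "TERMINATE" and (m := TERM_RE.match(rest)):
                ev.update(actor=m["actor"], actor_pid=int(m["apid"]), verdict=m["verdict"],
                          target=m["target"], target_pid=int(m["tpid"]))
            events.append(ev)
            continue
        # Continuation lines attach to the most recent EXECUTION event.
        if events and events[-1]["kind"] == "EXECUTION":
            if (m := PARENT_RE.match(line)):
                events[-1]["parent"], events[-1]["parent_pid"] = m["parent"], int(m["ppid"])
            elif (m := CMD_RE.match(line)):
                events[-1]["cmdline"] = m["cmd"]
    return events


def blocked_events(events):
    """Everything Process Guard did not allow: the lines worth a second look."""
    return [ev for ev in events if ev["verdict"] != "allowed"]


def event_key(ev):
    """Identity of an event without timestamp or PIDs, so two boots can be compared."""
    if ev["kind"] == "EXECUTION":
        return (ev["kind"], ev.get("image"), ev.get("parent"), ev.get("cmdline"), ev["verdict"])
    if ev["kind"] == "TERMINATE":
        return (ev["kind"], ev.get("actor"), ev.get("target"), ev["verdict"])
    return (ev["kind"], ev["raw"])


def new_in_second(first_text, second_text):
    """Events present in the second log but absent from the first (enforcing vs. learning mode)."""
    seen = {event_key(ev) for ev in parse_log(first_text)}
    return [ev for ev in parse_log(second_text) if event_key(ev) not in seen]


if __name__ == "__main__":
    for ev in blocked_events(parse_log(ENFORCING_LOG)):
        print("BLOCKED:", ev["raw"])
    for ev in new_in_second(LEARNING_LOG, ENFORCING_LOG):
        print("NEW    :", ev["raw"])
```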

I don't know whether it was me who authorised services.exe... I have the smallest English pilot's licence in existence and I spend my time fighting McAfee and now Process Guard, which ask me questions every time I click on the internet or install a checking program. Luckily I uninstalled AntiVir, otherwise it would have been impossible lol.

 

well, here are the reports =

 

c:\windows\system32\services.exe =

 

Service load: 0% 100%

 

File: services.exe

Status: OK (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)

MD5 63dcde1a0d86eeb8924d6738ff616ead

Packers detected: -

Scanner results

AntiVir Found nothing

ArcaVir Found nothing

Avast Found nothing

AVG Antivirus Found nothing

BitDefender Found nothing

ClamAV Found nothing

Dr.Web Found nothing

F-Prot Antivirus Found nothing

Fortinet Found nothing

Kaspersky Anti-Virus Found nothing

NOD32 Found nothing

Norman Virus Control Found nothing

UNA Found nothing

VBA32 Found nothing

 

 

 

c:\windows\system32\spoolsv.exe =

 

Service load: 0% 100%

 

File: spoolsv.exe

Status: OK (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)

MD5 da81ec57acd4cdc3d4c51cf3d409af9f

Packers detected: -

Scanner results

AntiVir Found nothing

ArcaVir Found nothing

Avast Found nothing

AVG Antivirus Found nothing

BitDefender Found nothing

ClamAV Found nothing

Dr.Web Found nothing

F-Prot Antivirus Found nothing

Fortinet Found nothing

Kaspersky Anti-Virus Found nothing

NOD32 Found nothing

Norman Virus Control Found nothing

UNA Found nothing

VBA32 Found nothing

 

 

ps = I applaud your patience !!!!

Posted

hi,

 

your external disk, is it USB?

 

have you tried taking it out of its enclosure and connecting it directly to a ribbon cable on your motherboard?

Posted

For Process Guard, switch it back to learning mode until tomorrow to calm it down :P but it's clear that it doesn't let anything through if it's configured properly after the learning phase.

 

So nothing infectious in these 2 files; all that remains is to test F-Secure's anti-rootkit to check that these are not false positives, which remains very possible. Preferably run this tool in safe mode on all disks.

 

Blacklight

Posted

hi,

 

your external disk, is it USB?

 

have you tried taking it out of its enclosure and connecting it directly to a ribbon cable on your motherboard?

 

 

hello tesfaz, for the moment the external HDD is plugged in via USB to a laptop to isolate it. As for what you're telling me, I'm waiting for my partner to get home because what you're saying is Greek to me... all I can tell you is that 90% of the files are hidden wherever it's plugged in...

thanks

 

For Process Guard, switch it back to learning mode until tomorrow to calm it down :P but it's clear that it doesn't let anything through if it's configured properly after the learning phase.

 

So nothing infectious in these 2 files; all that remains is to test F-Secure's anti-rootkit to check that these are not false positives, which remains very possible. Preferably run this tool in safe mode on all disks.

 

Blacklight

 

 

you're worrying me megataupe about Process Guard... I launched it as-is without configuring anything at all...

do I have to start all over again?

for F-Secure, there again I'm waiting for someone to reconnect the external HDD to the C drive, because doing things on the prehistoric laptop really takes too long... So probably continued tomorrow...

and thank you very much for your patience..

mercurefi
