Slowdown and windows that open without asking



Post by astor » 04 Jun 2007, 16:26

Hello Nick:

This system, which we had already disinfected and tuned up a good while ago, has started slowing down enormously again.
Also, windows open without asking, even though Firefox has its filter turned on. The slowdown is obvious in Firefox and in Mozilla 1.7 (an old one that I only use for emergencies).

I ran a scan with AVG; here is what it found:

Exploit MS04-011 DCPROMO.LOG
Trojan IRC/Backdoor.SdBot3AFJ wmupd73014.exe
Trojan Downloader Agent.LBO in_psp.dll
Trojan Downloader Generic 4.SDW jdcg.exe, fpsnmpsn.exe, reot.exe
Trojan Downloader Generic 4.GSS inyew.exe
Trojan Proxy.ODN sandwr.exe
Adware Generic family and atdmt family
Winfixer.BW
Adware Generic2.CEU
mozilla23 C:\Document and settings\gus\Application Data\Mozilla\Firefox\n1pbylrx.default\cookie.txt

Here is the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 11:02:26, on 2007-06-08
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\System32\Wm24Pan.Exe
C:\WINDOWS\System32\mgabg.exe
C:\Program Files\PivX\PreEmpt\loadsvc.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\PivX\PreEmpt\PreEmptST.exe
C:\Program Files\uTorrent\utorrent.exe
C:\WINDOWS\SYSTEM32\taskmgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Webteh\BSplayerPro\bsplayer.exe
C:\WINDOWS\System32\divxsm.exe
C:\PROGRA~1\Grisoft\AVG7\avgw.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HJT\astor.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.ca
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.ca
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdmcks.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Wm24Pan] Wm24Pan.Exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\FICHIE~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - Global Startup: Démarrage rapide du logiciel HP Image Zone.lnk.disabled
O4 - Global Startup: HP Digital Imaging Monitor.lnk.disabled
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk.disabled
O4 - Global Startup: Microsoft Office.lnk.disabled
O4 - Global Startup: PreEmpt.lnk = C:\Program Files\PivX\PreEmpt\PreEmptST.exe
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://I:\FILES\PFILES\MSOFFICE\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 2230199750
O17 - HKLM\System\CCS\Services\Tcpip\..\{2215E397-739F-431B-880B-4FEF2FAF9947}: NameServer = 206.123.6.11 206.123.6.10
O18 - Protocol: aim - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: shell - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
O23 - Service: Crypkey License - Unknown owner - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Service de l'iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINDOWS\System32\mgabg.exe
O23 - Service: PreEmpt (qfcoresvc) - PivX Solutions, Inc. - C:\Program Files\PivX\PreEmpt\loadsvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Fichiers communs\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: stllssvr - Unknown owner - C:\Program Files\Fichiers communs\SureThing Shared\stllssvr.exe (file missing)









I look forward to hearing from you.

Thanks

Astor
astor
Posts: 59
Joined: 03 Nov 2006, 20:38
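As an added example (not part of the thread, and not a HijackThis feature), a small Python triage of the HijackThis lines posted above: it parses the R0/R1, O2, O4, O10 and O23 sections and reports the entries a helper usually looks at first: a changed start page, BHO CLSIDs with no file behind them, Run values that are a bare filename (found through the PATH search order rather than a fixed path), repeated Winsock LSP entries, and services whose binary is missing or whose owner is unknown. The sample is a constructed excerpt of the log above; the trusted-page list is an assumption.

```python
import re
from collections import Counter

# Constructed sample: lines excerpted from the HijackThis log posted above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.ca
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Wm24Pan] Wm24Pan.Exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O23 - Service: Crypkey License - Unknown owner - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Fichiers communs\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
"""

# One regex per HijackThis section this triage looks at.
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
PAGE_RE = re.compile(r"^HK[LC][MU]\\.*?,(?P<value>Start Page|Search Page) = (?P<url>.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
RUN_RE = re.compile(r"^(?P<hive>HK[LC][MU])\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
LSP_RE = re.compile(r"^Unknown file in Winsock LSP: (?P<path>.*)$")
SVC_RE = re.compile(r"^Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")


def executable_of(cmd):
    """First token of a Run value: the quoted path if quoted, else up to the first space."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


def triage(log_text, trusted_pages=("about:blank", "www.google.ca")):
    """Return (category, detail) findings worth a human look; nothing on the system is changed."""
    findings = []
    lsp_seen = Counter()
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        if section in ("R0", "R1"):
            p = PAGE_RE.match(body)
            if p and p.group("url").strip() not in trusted_pages:
                findings.append(("browser-hijack", f"{p.group('value')} set to {p.group('url').strip()}"))
        elif section == "O2":
            b = BHO_RE.match(body)
            if b and b.group("path") == "(no file)":   # CLSID registered, DLL gone: leftover of a removal
                findings.append(("orphaned-bho", b.group("clsid")))
        elif section == "O4":
            r = RUN_RE.match(body)
            if r:
                exe = executable_of(r.group("cmd"))
                if "\\" not in exe:                     # no directory: resolved via PATH, worth locating
                    findings.append(("bare-run-entry", f"{r.group('name')} -> {exe}"))
        elif section == "O10":
            l = LSP_RE.match(body)
            if l:
                lsp_seen[l.group("path").lower()] += 1
        elif section == "O23":
            s = SVC_RE.match(body)
            if s and s.group("path").endswith("(file missing)"):
                findings.append(("dead-service", s.group("name")))
            elif s and s.group("owner") == "Unknown owner":
                findings.append(("unknown-owner-service", s.group("name")))
    for path, n in lsp_seen.items():
        findings.append(("winsock-lsp", f"{path} x{n}"))
    return findings
```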

Post by nickW » 08 Jun 2007, 22:11

Good evening,

Could you create and then send another log:

Note: These steps must be carried out while logged on to a session with "Administrator" rights (do not use the user profile named "Administrator" that is visible in Safe Mode).

BlackLight (from F-Secure)
Download BlackLight from the page:
https://europe.f-secure.com/blacklight/try.shtml
(click the blue "I accept" button, then "Download Blacklight Beta graphical user interface version")
Save the file to the Desktop.

Double-click the file fsbl.exe and accept the licence (tick the button in front of "I accept the agreement").
Click Next, then Scan.
Wait (up to 10 minutes).
During the scan, the list of folders being swept is displayed.

When it finishes, the result is displayed.
Click Close.
Do NOT choose option 2 "Cleaning/Rename" now: the report has to be analysed first!

A report file named fsbl.xxxxxxx.log (the xxxxxxx are digits) has been created on the Desktop.

Send the contents of this file in your reply.

To be continued,
nickW
30/07/2012: No more PC disinfection until further notice.
No requests for log analysis by PM (Private Message)
nickW
Moderator
Posts: 21698
Joined: 20 May 2004, 17:41
Location: Dordogne/Île de France

Post by astor » 09 Jun 2007, 15:58

Here is the result: it found nothing

06/09/07 01:48:02 [Info]: BlackLight Engine 1.0.61 initialized
06/09/07 01:48:02 [Info]: OS: 5.1 build 2600 (Service Pack 1)
06/09/07 01:48:05 [Note]: 7019 4
06/09/07 01:48:05 [Note]: 7005 0
06/09/07 01:48:17 [Note]: 7006 0
06/09/07 01:48:18 [Note]: 7011 1256
06/09/07 01:48:19 [Note]: 7026 0
06/09/07 01:48:19 [Note]: 7026 0
06/09/07 01:48:30 [Note]: FSRAW library version 1.7.1021
06/09/07 02:09:29 [Note]: 2000 1012
06/09/07 10:56:39 [Note]: 7007 0

I await your instructions

astor

Post by nickW » 09 Jun 2007, 23:43

Good evening,

Can you describe the windows that open?
Title
site
...

To be continued,
nickW

Post by astor » 10 Jun 2007, 04:10

for example

hxxp://www.partypoker.com/marketing/cm.htm?wm=2819461

Post by astor » 21 Jun 2007, 04:52

Hello Nick

Also, now VLC is having trouble, just like BSplayer.
When I run CCleaner, I have at least one big file to delete, 500 to 600 MB, which slows my system down a lot.
astor

Post by nickW » 22 Jun 2007, 20:59

Good evening,

In CCleaner, could you start by running an Analysis only, so as to get the name and location of this "big" file?

A new HijackThis log would be very useful (the old one is more than two weeks old).

Also, could you do the following:

Step 1: Creating the findlopjob.bat file
Copy/paste the line below (in the "Code" box) into Notepad.
Note: In Notepad, check in the Format menu that the "Word Wrap" option is not ticked.
Save the file to the Desktop under the name findlopjob.bat
Caution: the extension must be .bat; choose "All Files" in the "Save as type" drop-down list when doing "Save As..."
If the extension is .bat.txt, rename the file to .bat
Code:
dir %Windir%\tasks /a > c:\filelopjob.txt

Step 2: Using the findlopjob.bat file
Double-click findlopjob.bat (a small window with a black background will appear and then disappear very quickly).

Step 3: Result
Send the contents of the file c:\filelopjob.txt in your reply.

To be continued,
nickW

Post by astor » 23 Jun 2007, 00:39

Hello Nick:

Here is filelopjob.txt

Le volume dans le lecteur C s'appelle GIGALOGICSYS
Le numéro de série du volume est EC4E-DC10

Répertoire de C:\WINDOWS\tasks

2007-06-16 03:06 <REP> .
2007-06-16 03:06 <REP> ..
2007-06-18 06:21 284 AppleSoftwareUpdate.job
2001-08-28 08:00 65 desktop.ini
2007-06-17 02:00 390 McAfee.com Scan for Viruses - My Computer (CANDO-gus).job
2007-06-22 00:07 6 SA.DAT
2006-10-22 05:32 296 XoftSpy.job
5 fichier(s) 1 041 octets

Répertoire de C:\Documents and Settings\gus\Bureau


As for the big file, it is always just one, and it is located here, in a folder with a hexadecimal name that changes each time.

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\ something like F3B54872E

But if you need me to give it to you exactly, I will send it to you as soon as it appears.
astor

Post by astor » 27 Jun 2007, 11:47

Hello Nick, I have more data:
I managed to connect my modem (SpeedStream 5200) as a router.
This let me see all the attempts to get into my PC (I think).

I wanted to show you part of the log to see whether you see anything that could explain the long restarts (up to 5 or 10 minutes before being able to do anything; at the bottom, where the quick-launch shortcuts are, the clock stays blue for several minutes at each startup, and I can't even get to the Start menu before all that time).

Here are a few lines:

0000-00-00 01:47:11 E m |Attack Detected |TCP packet fragmented - 65.54.162.253:25441 -> 66.36.130.217:25448 len=60 id=64442
0000-00-00 01:47:14 E m |Attack Detected |TCP packet fragmented - 82.158.8.91:15452 -> 66.36.130.217:48992 len=60 id=13271
0000-00-00 01:47:15 E m |Attack Detected |TCP packet fragmented - 207.46.8.253:17505 -> 66.36.130.217:30253 len=60 id=11478
0000-00-00 01:47:17 E m |Attack Detected |TCP packet fragmented - 82.158.8.91:5150 -> 66.36.130.217:3595 len=60 id=13585
0000-00-00 01:48:24 E m |Attack Detected |TCP packet fragmented - 82.158.8.91:60710 -> 66.36.130.217:11524 len=60 id=20060
0000-00-00 01:49:00 E m |Attack Detected |TCP packet with fragmented header - 82.158.8.91:45293 -> 66.36.130.217:46747 len=39 id=24057
0000-00-00 01:49:36 E m |Attack Detected |TCP packet fragmented - 82.158.8.91:22400 -> 66.36.130.217:56553 len=60 id=27888
0000-00-00 01:50:38 E m |Attack Detected |TCP packet fragmented - 82.158.8.91:16320 -> 66.36.130.217:53159 len=60 id=35324
0000-00-00 01:50:43 E m |Attack Detected |TCP packet with fragmented header - 82.158.8.91:15646 -> 66.36.130.217:25562 len=38 id=35786
0000-00-00 01:54:13 E m |Attack Detected |TCP packet with fragmented header - 209.85.163.91:3685 -> 66.36.130.217:16985 len=38 id=25544
0000-00-00 01:54:51 E m |Attack Detected |TCP packet fragmented - 82.158.8.91:13893 -> 66.36.130.217:13081 len=60 id=59161
0000-00-00 01:55:06 E m |Attack Detected |TCP packet with no flags set - 200.126.241.78:50703 -> 66.36.130.217:60052 len=40 id=41653
0000-00-00 01:55:12 E m |Attack Detected |TCP packet fragmented - 200.42.136.212:22906 -> 66.36.130.217:63219 len=60 id=21502
0000-00-00 01:55:17 E m |Attack Detected |TCP packet fragmented - 200.42.136.253:24942 -> 66.36.130.217:26485 len=43 id=57966
0000-00-00 01:55:18 E m |Attack Detected |TCP packet fragmented - 200.42.136.212:24813 -> 66.36.130.217:20588 len=60 id=47697
0000-00-00 01:55:20 E m |Attack Detected |TCP packet fragmented - 200.42.92.12:61344 -> 66.36.130.217:6348 len=60 id=2256
0000-00-00 01:55:22 E m |Attack Detected |TCP packet fragmented - 200.42.136.212:7633 -> 66.36.130.217:23582 len=60 id=21566
0000-00-00 01:55:25 E m |Attack Detected |TCP packet fragmented - 200.42.92.12:2059 -> 66.36.130.217:46120 len=60 id=7036
0000-00-00 01:55:26 E m |Attack Detected |TCP packet fragmented - 200.42.136.212:23976 -> 66.36.130.217:1674 len=60 id=47887
0000-00-00 01:55:54 E m |Attack Detected |TCP packet fragmented - 82.158.8.91:13893 -> 66.36.130.217:13081 len=60 id=65194
0000-00-00 01:56:11 E m |Attack Detected |TCP packet fragmented - 207.46.110.90:22372 -> 66.36.130.217:27682 len=60 id=34739
0000-00-00 01:56:14 E m |Attack Detected |TCP packet fragmented - 200.126.241.78:36090 -> 66.36.130.217:27130



At first I had left the Attack Detection System (ADS) in the modem/router configuration enabled, but I couldn't access lots of security websites (like Assiste, for example).

So, keeping the AVG 7.5 firewall on, I turned off the ADS.

Is this the right thing to do, or am I asking for trouble?
Here is a description of the things I can enable and disable.

Same Source and Destination Address
Broadcast Source Address
LAN Source Address On WAN
Invalid IP Packet Fragment
TCP NULL
TCP FIN
TCP Xmas
Fragmented TCP Packet
Fragmented TCP Header
Fragmented UDP Header
Fragmented ICMP Header
Inconsistent UDP/IP header lengths
Inconsistent IP header lengths

For each option I can choose Filter and/or Log.

Here is a copy/paste of the description from the user manual, which is available at this address.

http://www2.windstream.net/downloads/li ... eam211.pdf

ADS (Attack Detection System)
The firewall Advanced Attack Detection System (ADS) contains various algorithms to detect and identify WAN attacks the moment they start and protect the LAN from such attacks. Though WAN access may be temporarily hindered, the LAN is protected from harmful traffic.
ADS typically looks for two types of packets: malformed packets and spoofed source address packets.
Malformed packets have been purposefully constructed with errors in them. These are used to crash systems that do not properly handle the errors. This type of attack usually happens against large sites rather than home users.

SpeedStream Router User Guide
Packets with spoofed source addresses are commonly sent to smaller hosts, not with the intent of bringing down a particular computer, but rather to take down a large host through a mechanism called Distributed Denial of Service (DDoS). In this situation, when a huge number of computers are used to request services, those services are rendered unavailable because of the traffic load.

The Attack Detection System generates a log entry for a particular type of attack once per minute. Consequently, there will be multiple entries for long-term attacks. This lets the user know the period of time that the attack persisted.
Background
TCP/IP (Transmission Control Protocol/Internet Protocol) is the “language” computers that make up the Internet (called hosts) use to talk to each other. TCP and IP dictate the meaning of two sets of tags (or headers) that are added to user data before being sent. An IP header contains a destination address and a source address that tell all of the hosts delivering the data where it is supposed to go, much like an envelope for an inter-office memo. A TCP header is similar to a subject line on the memo: it contains information that allows the recipient to quickly figure out what the data is and where it goes once the IP “envelope” has been removed. The combination of a block of data and its associated TCP and IP headers is often referred to as a packet.
The part of a host that writes and reads the TCP and IP headers is called a network stack. Almost all network stacks have flaws in them (some more than others!) due to intolerance to improper or invalid headers. This can result in a variety of problems from computer crashes to security breaches. While newer protocols attempt to address these issues (e.g., IPSec), the current version of IP, called IPv4, will be here to stay for some time, flaws and all. This is where the SpeedStream Attack Detection System (ADS) comes in.
Types of Attack
The two most common attack types are unauthorized access and Denial of Service (DoS). Someone guessing your login password is one example of unauthorized access; unfortunately, an external device like the SpeedStream router is unable to do much to prevent that except perhaps have a firewall rule that limits which hosts may log in. The SpeedStream ADS, however, can block attempts by external (WAN) hosts to “impersonate” a LAN host in order to gain access to weakly protected data services on other LAN connected computers.
DoS attacks take several forms, but the basic intended effect is the same: to prevent a host from accessing other hosts, or preventing other hosts from accessing it. In effect, this kicks the host off the Internet. One type of DoS attack sends more data to a host than its connection can handle. Little can be done about this attack without having the Internet service provider block it upstream.
Another type of DoS attack attempts to crash the host by sending bad data to its network stack. The SpeedStream ADS as described below can filter several popular incarnations of this attack. One way in which the bad data is created is by spoofing, or modifying, the source address in the IP header. Normally, when a host sends a packet to another host, it puts its address in the IP header so the other host knows where it came from.
While most small users will never be on the receiving end of a direct DoS attack, a new twist to the DoS does quite often take advantage of broadband-connected Internet hosts. Instead of attempting to generate enough data to flood a large Internet host’s connection, a would-be attacker instead “convinces” hundreds or thousands of other hosts to do it for him. This is called a Distributed Denial of Service (DDoS). Several viruses can turn a host into a remote-controlled “zombie,” although some attacks can simply use a host’s network stack to do the job if it is too trusting. The SpeedStream ADS monitors this behavior.
ADS Configuration Options
The SpeedStream Attack Detection System filters (i.e., discards) and/or logs the following attack attempts from the WAN:
Same Source and Destination Address (a.k.a. Land Attack): This packet has a spoofed source IP address set to be the same as the destination host and can result in the DoS or crash of the local host. When the receiving host tries to respond to the source address in the packet, it ends up just sending it back to itself. This packet could ping-pong back and forth over 200 times (consuming CPU resources) before being discarded.






Broadcast Source Address (a.k.a. Smurf or Fraggle Attack): This packet has a spoofed source IP address set to the “broadcast” address. Most hosts only accept packets destined for their own IP address, but there are a couple of special IP addresses called broadcast addresses that hosts will also accept in addition to their own. The broadcast address is invalid as a packet’s source address, however, because a packet has to come from a host. If a network stack does respond to a packet with a broadcast source address, the response will be sent to the broadcast address on which all of the hosts on the subnet are listening. All of the hosts that received the broadcast would then respond back to the host, flooding it with data and possibly making it inaccessible to other users.
LAN Source Address On WAN: This packet has a spoofed source address set to be a typical trusted LAN address. One method of separating a LAN from a WAN is by using NAPT. This allows the LAN to use IP addresses that are normally not accessible by WAN hosts and, therefore, helps shield the LAN from WAN attacks. A packet with a LAN source address coming from the WAN is attempting to masquerade as a LAN packet so that it might be trusted by a LAN host and received.
Invalid IP Packet Fragment (a.k.a. Ping of Death): IP packets can be large. If a link between two hosts transporting a packet can only handle smaller packets, the large packet may be split (or fragmented) into smaller ones. When the packet fragments get to the destination host, they must be reassembled into the original large packet like pieces of a puzzle. If each stage of reassembly is not carefully checked by the receiving host’s network stack, a specially crafted invalid fragment can cause the host to crash.
TCP NULL Flags: The TCP header contains a set of “flags” that indicate information about the packet which is used by the receiving host to process it. At least one TCP flag must be set, but for a TCP NULL flags packet, none was. This packet can cause some hosts to crash.
TCP FIN Flag: The TCP FIN flag should never appear in a packet by itself. This packet can cause some hosts to crash.
TCP Xmas Flags: The TCP Xmas flag configuration is an invalid combination of the FIN, URG and PUSH flags. This packet can cause some hosts to crash.







Fragmented TCP Packet: As discussed in the Invalid IP Packet Fragment description, packets may be fragmented in transit. While it is entirely valid to fragment a TCP packet, this is rarely done because of a process called “MTU discovery” that occurs when two hosts begin communicating. The rarity of TCP packet fragmentation makes its occurrence suspicious and could indicate a flawed network stack exploit attempt.
Fragmented TCP Header: This indicates that the TCP header in the packet was split into multiple IP fragments. This never normally occurs and is most likely a flawed network stack exploit attempt.
Fragmented UDP Header: This indicates that the IP header in the packet was split into multiple IP fragments. This never normally occurs and is most likely a flawed network stack exploit attempt.
Fragmented ICMP Header: This indicates that the ICMP header in the packet was split into multiple IP fragments. This never normally occurs and is most likely a flawed network stack exploit attempt.
Inconsistent UDP/IP header lengths: Also known as a “UDP bomb,” this indicates that a UDP length less than the IP length was received. This does not occur normally and is most likely a flawed network stack exploit attempt.
Inconsistent IP header lengths: This indicates that a length greater than the one indicated by the IP length in the header was received. This does not occur normally and is most likely a flawed network stack exploit attempt.
When logging is selected for a particular offending packet, the ADS will write an entry to the firewall log once a minute for as long as the attack persists. This allows one to tell that a long-term attack is taking place without completely filling up the firewall log with entries for every single packet.
Enable ADS
• On the main menu, click Setup, then click Firewall, and then click ADS.
The Attack Detection System Configuration window displays.
I look forward to hearing from you
Thanks in advance

Astor
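As an added example (not from the thread and not a SpeedStream feature), a small Python parser for the "Attack Detected" lines above: it maps each entry to the ADS option named in the manual excerpt and groups hits by source address, using the once-per-minute logging the manual describes to estimate how long a given source kept at it. The date field reads 0000-00-00 on this router (its clock appears unset), so only the time is used for minute buckets; the sample is a constructed excerpt of the log above, and the three-minute persistence threshold is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample: six entries excerpted from the SpeedStream firewall log above.
SAMPLE_LOG = """
0000-00-00 01:47:11 E m |Attack Detected |TCP packet fragmented - 65.54.162.253:25441 -> 66.36.130.217:25448 len=60 id=64442
0000-00-00 01:47:14 E m |Attack Detected |TCP packet fragmented - 82.158.8.91:15452 -> 66.36.130.217:48992 len=60 id=13271
0000-00-00 01:49:00 E m |Attack Detected |TCP packet with fragmented header - 82.158.8.91:45293 -> 66.36.130.217:46747 len=39 id=24057
0000-00-00 01:54:51 E m |Attack Detected |TCP packet fragmented - 82.158.8.91:13893 -> 66.36.130.217:13081 len=60 id=59161
0000-00-00 01:55:06 E m |Attack Detected |TCP packet with no flags set - 200.126.241.78:50703 -> 66.36.130.217:60052 len=40 id=41653
0000-00-00 01:56:14 E m |Attack Detected |TCP packet fragmented - 200.126.241.78:36090 -> 66.36.130.217:27130
"""

# The log's wording for each event, mapped to the ADS option names listed in the manual excerpt.
OPTION_FOR_KIND = {
    "TCP packet fragmented": "Fragmented TCP Packet",
    "TCP packet with fragmented header": "Fragmented TCP Header",
    "TCP packet with no flags set": "TCP NULL",
}

# "len=" and "id=" are optional: the last line of the posted log was cut off before them.
LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\d\d:\d\d:\d\d) \S+ \S+ \|Attack Detected \|"
    r"(?P<kind>.+?) - (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
    r"(?: len=(?P<len>\d+))?(?: id=(?P<id>\d+))?\s*$"
)


def parse(log_text):
    """One dict per parseable line; unknown event wordings keep their raw text as the option."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["option"] = OPTION_FOR_KIND.get(e["kind"], e["kind"])
        e["minute"] = e["time"][:5]          # HH:MM bucket; the date field is unusable here
        events.append(e)
    return events


def summarize(log_text):
    """Per source address: hit count, ADS options tripped, distinct minutes, first/last time."""
    per_src = defaultdict(lambda: {"hits": 0, "options": set(), "minutes": set(),
                                   "first": None, "last": None})
    for e in parse(log_text):
        s = per_src[e["src"]]
        s["hits"] += 1
        s["options"].add(e["option"])
        s["minutes"].add(e["minute"])
        s["first"] = s["first"] or e["time"]
        s["last"] = e["time"]
    return dict(per_src)


def persistent_sources(log_text, min_minutes=3):
    """Sources logged in at least min_minutes distinct minutes (ADS logs once per minute per type)."""
    return sorted(src for src, s in summarize(log_text).items() if len(s["minutes"]) >= min_minutes)


def options_triggered(log_text):
    """Which ADS options produced entries at all: the ones worth keeping on Log before deciding on Filter."""
    return sorted({e["option"] for e in parse(log_text)})
```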

Post by nickW » 28 Jun 2007, 20:17

Good evening,

1/ Using a program to list the services and their state:

ServiWin (from NirSoft)
Download ServiWin from the page: http://www.nirsoft.net/utils/serviwin.html
See at the bottom of the page: Download ServiWin (in Zip file)
and also download the French language file by clicking the "French" link.

Create a new folder named Nirsoft and extract (right-click, then Extract All) the two downloaded archives into it.

Open the Nirsoft folder, then launch ServiWin by double-clicking serviwin.exe

In the Actions menu (at the top), choose Select All
In the File menu (at the top), choose Save Selected Items, and save the file under the name serviwin-log-070628.txt
Close ServiWin

Send in your reply:
*- the ServiWin report (contents of the file serviwin-log-070628.txt)


2/ Using a tool to clean a Vundo infection
Note: These steps must be carried out while logged on to a session with "Administrator" rights (do not use the user profile named "Administrator" that is visible in Safe Mode)

Step 1: VundoFix (from Atribune)
Download VundoFix.exe from:
http://www.atribune.org/ccount/click.php?id=4
Save the file to the Desktop.
Close all programs: the PC is going to be shut down.
Launch the program by double-clicking VundoFix.exe
Click the Scan for Vundo button
When the scan is finished, click the Remove Vundo button
If there is an infection, click Yes at the prompt asking to delete files
The Desktop will disappear for a moment while the files are being deleted
A window announces that the PC is going to restart: click OK

Note:
VundoFix may come up against a file it cannot delete.
If so, the tool will launch at the next restart. Simply follow the instructions above, starting from "Click the Scan for Vundo button".

Step 2: Results
Send in your reply:
*- the VundoFix report (contents of the file C:\vundofix.txt)
*- a new HijackThis log

To be continued,
nickW
