[OK] Infection by ADSPY/Bho.aa.1

Security and insecurity. Viruses, Trojans, Spyware, Vulnerabilities, etc. …

Forum rules
Assiste.com suspended disinfection assistance after almost 15 years, first on the old forum and then on this one. See:

Disinfection procedure 1 - Anti-malware
Disinfection procedure 2 - Anti-malware and antivirus (La Manip - standard disinfection procedure)
Periodic maintenance of a Windows PC
Protecting the browser, browsing and privacy

Post by nickW » 20 June 2009, 23:52

Good evening,

New scan (looking for "rootkitted" processes):


Note: These steps must be carried out from a session opened with "Administrator rights" (do not use the user profile named "Administrator" that is visible in Safe Mode).


Step 1: RootRepeal (by AD)
Download RootRepeal by right-clicking the link below:
http://rootrepeal.googlepages.com/RootRepeal.zip
Save the file to the Desktop.
Create a new folder named RootRepeal at the root of the system drive (usually C:\)

Extract the downloaded archive into this new RootRepeal folder


Step 2: No real-time monitoring process
Disable the antivirus's resident module.
Avira AntiVir: right-click the icon in the system tray (next to the clock) and untick "AntiVir Guard enable"


Step 3: RootRepeal (by AD)
In Explorer, open the RootRepeal folder
Double-click RootRepeal.exe to start the tool.

Click the Report tab (at the bottom of the window)
Click the Scan button
In the new Select Scan window, tick:
+ Drivers
+ Files
+ Processes
+ SSDT
+ Stealth Objects
+ Hidden Services

Click the OK button
In the new Select Drives window, tick all the drives shown
Click the OK button to start the scan

Note: This scan takes a while. DO NOT START any other programs while it is running.

When the scan is finished, the Save Report button becomes available
Click this Save Report button and save the report file in the RootRepeal folder under the name RootRepeal-090620.txt

Open the File menu and click Exit to close the program.


Step 4: Real-time monitoring process
Important: Re-enable the antivirus's resident module.


Step 5: Results
Send in your reply:
*- the RootRepeal report (contents of the file RootRepeal-090620.txt)
This report can be very long. Make sure it is complete in the message you send. If necessary, split it across several messages.

Important note: To send your reply (or replies), do not create a new topic; click the "Reply" button to continue in this thread.

To be continued,
nickW
30/07/2012: No more PC disinfection until further notice.
No requests for log analysis by PM (Private Message)
My configs
nickW
Moderator
Posts: 21698
Joined: 20 May 2004, 17:41
Location: Dordogne/Île de France

Post by nicop » 21 June 2009, 14:02

Hello,

Here is the report:

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Time: 2009/06/21 12:18
Program Version: Version 1.3.0.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: 00000045
Image Path: \Driver\00000045
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: a4fnkiog.SYS
Image Path: C:\WINDOWS\System32\Drivers\a4fnkiog.SYS
Address: 0xF74DD000 Size: 303104 File Visible: No Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF5F50000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF8ACB000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB9874000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\autorun.inf\lpt3.This folder was created by Flash_Disinfector
Status: Locked to the Windows API!

Path: C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\GameExplorer\{9C244239-ED8E-40F1-937F-51C706CD2160}\PlayTasks\1\Les Sims™ 2
Status: Locked to the Windows API!

Path: C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\GameExplorer\{CFFF6A83-BC15-4050-9A5B-D1F99E31944E}\PlayTasks\0\Tomb Raider - Anniversary.lnk: Boit@Look.lnk
Status: Invisible to the Windows API!

Path: D:\autorun.inf\lpt3.This folder was created by Flash_Disinfector
Status: Locked to the Windows API!

Path: K:\autorun.inf\lpt3.This folder was created by Flash_Disinfector
Status: Locked to the Windows API!

SSDT
-------------------
#: 017 Function Name: NtAllocateVirtualMemory
Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xba2e1b94

#: 019 Function Name: NtAssignProcessToJobObject
Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xba2e1586

#: 031 Function Name: NtConnectPort
Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xba2e15da

#: 037 Function Name: NtCreateFile
Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xba2e1640

#: 041 Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0xf8c373be

#: 047 Function Name: NtCreateProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xba2e172e

#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xba2e17ba

#: 053 Function Name: NtCreateThread
Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xba2e184a

#: 057 Function Name: NtDebugActiveProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xba2e1980

#: 063 Function Name: NtDeleteKey
Status: Hooked by "<unknown>" at address 0xf8c373c3

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "<unknown>" at address 0xf8c373cd

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xba2e19d4

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "sptd.sys" at address 0xf844384e

#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "sptd.sys" at address 0xf8443bee

#: 097 Function Name: NtLoadDriver
Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xba2e1a3a

#: 098 Function Name: NtLoadKey
Status: Hooked by "<unknown>" at address 0xf8c373d2

#: 119 Function Name: NtOpenKey
Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xba2e1a8c

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xf8c373a0

#: 125 Function Name: NtOpenSection
Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xba2e1ae4

#: 128 Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xba2e1b3c

#: 137 Function Name: NtProtectVirtualMemory
Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xba2e1bfa

#: 160 Function Name: NtQueryKey
Status: Hooked by "sptd.sys" at address 0xf8443cc6

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "sptd.sys" at address 0xf8443b46

#: 193 Function Name: NtReplaceKey
Status: Hooked by "<unknown>" at address 0xf8c373dc

#: 204 Function Name: NtRestoreKey
Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xba2e1c58

#: 206 Function Name: NtResumeThread
Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xba2e1cb6

#: 210 Function Name: NtSecureConnectPort
Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xba2e1d74

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xba2e1d08

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xba2e1dde

#: 255 Function Name: NtSystemDebugControl
Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xba2e1e30

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xba2e1e90

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xba2e1ef4

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x823d51d8 Size: 151

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System Address: 0x823d51d8 Size: 151

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x823d51d8 Size: 151

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System Address: 0x823d51d8 Size: 151

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x823d51d8 Size: 151

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x823d51d8 Size: 151

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System Address: 0x823d51d8 Size: 151

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System Address: 0x823d51d8 Size: 151

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x823d51d8 Size: 151

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x823d51d8 Size: 151

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x823d51d8 Size: 151

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x823d51d8 Size: 151

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x823d51d8 Size: 151

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x823d51d8 Size: 151

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System Address: 0x823d51d8 Size: 151

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x823d51d8 Size: 151

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System Address: 0x823d51d8 Size: 151

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x823d51d8 Size: 151

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System Address: 0x823d51d8 Size: 151

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x823d51d8 Size: 151

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System Address: 0x823d51d8 Size: 151

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System Address: 0x823d51d8 Size: 151

Object: Hidden Code [Driver: a4fnkiogȅ౨瑎晦܂Èੈ, IRP_MJ_CREATE]
Process: System Address: 0x81b35980 Size: 463

Object: Hidden Code [Driver: a4fnkiogȅ౨瑎晦܂Èੈ, IRP_MJ_CLOSE]
Process: System Address: 0x81b35980 Size: 463

Object: Hidden Code [Driver: a4fnkiogȅ౨瑎晦܂Èੈ, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x81b35980 Size: 463

Object: Hidden Code [Driver: a4fnkiogȅ౨瑎晦܂Èੈ, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x81b35980 Size: 463

Object: Hidden Code [Driver: a4fnkiogȅ౨瑎晦܂Èੈ, IRP_MJ_POWER]
Process: System Address: 0x81b35980 Size: 463

Object: Hidden Code [Driver: a4fnkiogȅ౨瑎晦܂Èੈ, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x81b35980 Size: 463

Object: Hidden Code [Driver: a4fnkiogȅ౨瑎晦܂Èੈ, IRP_MJ_PNP]
Process: System Address: 0x81b35980 Size: 463

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x81b03798 Size: 193

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System Address: 0x81b03798 Size: 193

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System Address: 0x81b03798 Size: 193

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System Address: 0x81b03798 Size: 193

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x81b03798 Size: 193

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x81b03798 Size: 193

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x81b03798 Size: 193

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System Address: 0x81b03798 Size: 193

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System Address: 0x81b03798 Size: 193

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x81b03798 Size: 193

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System Address: 0x81b03798 Size: 193

Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE]
Process: System Address: 0x823d61d8 Size: 463

Object: Hidden Code [Driver: atapi, IRP_MJ_CLOSE]
Process: System Address: 0x823d61d8 Size: 463

Object: Hidden Code [Driver: atapi, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x823d61d8 Size: 463

Object: Hidden Code [Driver: atapi, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x823d61d8 Size: 463

Object: Hidden Code [Driver: atapi, IRP_MJ_POWER]
Process: System Address: 0x823d61d8 Size: 463

Object: Hidden Code [Driver: atapi, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x823d61d8 Size: 463

Object: Hidden Code [Driver: atapi, IRP_MJ_PNP]
Process: System Address: 0x823d61d8 Size: 463

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_CREATE]
Process: System Address: 0x816725e8 Size: 463

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_CLOSE]
Process: System Address: 0x816725e8 Size: 463

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_READ]
Process: System Address: 0x816725e8 Size: 463

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_WRITE]
Process: System Address: 0x816725e8 Size: 463

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x816725e8 Size: 463

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x816725e8 Size: 463

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_POWER]
Process: System Address: 0x816725e8 Size: 463

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x816725e8 Size: 463

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_PNP]
Process: System Address: 0x816725e8 Size: 463

Object: Hidden Code [Driver: dmio, IRP_MJ_CREATE]
Process: System Address: 0x823691d8 Size: 463

Object: Hidden Code [Driver: dmio, IRP_MJ_CLOSE]
Process: System Address: 0x823691d8 Size: 463

Object: Hidden Code [Driver: dmio, IRP_MJ_READ]
Process: System Address: 0x823691d8 Size: 463

Object: Hidden Code [Driver: dmio, IRP_MJ_WRITE]
Process: System Address: 0x823691d8 Size: 463

Object: Hidden Code [Driver: dmio, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x823691d8 Size: 463

Object: Hidden Code [Driver: dmio, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x823691d8 Size: 463

Object: Hidden Code [Driver: dmio, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x823691d8 Size: 463

Object: Hidden Code [Driver: dmio, IRP_MJ_SHUTDOWN]
Process: System Address: 0x823691d8 Size: 463

Object: Hidden Code [Driver: dmio, IRP_MJ_POWER]
Process: System Address: 0x823691d8 Size: 463

Object: Hidden Code [Driver: dmio, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x823691d8 Size: 463

Object: Hidden Code [Driver: dmio, IRP_MJ_PNP]
Process: System Address: 0x823691d8 Size: 463

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CREATE]
Process: System Address: 0x81b921d8 Size: 463

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CLOSE]
Process: System Address: 0x81b921d8 Size: 463

Object: Hidden Code [Driver: usbuhci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x81b921d8 Size: 463

Object: Hidden Code [Driver: usbuhci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x81b921d8 Size: 463

Object: Hidden Code [Driver: usbuhci, IRP_MJ_POWER]
Process: System Address: 0x81b921d8 Size: 463

Object: Hidden Code [Driver: usbuhci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x81b921d8 Size: 463

Object: Hidden Code [Driver: usbuhci, IRP_MJ_PNP]
Process: System Address: 0x81b921d8 Size: 463

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]
Process: System Address: 0x823d71d8 Size: 463

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]
Process: System Address: 0x823d71d8 Size: 463

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]
Process: System Address: 0x823d71d8 Size: 463

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x823d71d8 Size: 463

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x823d71d8 Size: 463

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x823d71d8 Size: 463

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]
Process: System Address: 0x823d71d8 Size: 463

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]
Process: System Address: 0x823d71d8 Size: 463

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]
Process: System Address: 0x823d71d8 Size: 463

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x823d71d8 Size: 463

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]
Process: System Address: 0x823d71d8 Size: 463

Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]
Process: System Address: 0x8168a980 Size: 206

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]
Process: System Address: 0x8168a980 Size: 206

Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8168a980 Size: 206

Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8168a980 Size: 206

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]
Process: System Address: 0x8168a980 Size: 206

Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]
Process: System Address: 0x8168a980 Size: 206

Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]
Process: System Address: 0x81b341d8 Size: 463

Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]
Process: System Address: 0x81b341d8 Size: 463

Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x81b341d8 Size: 463

Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x81b341d8 Size: 463

Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]
Process: System Address: 0x81b341d8 Size: 463

Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x81b341d8 Size: 463

Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]
Process: System Address: 0x81b341d8 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]
Process: System Address: 0x8168e980 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x8168e980 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]
Process: System Address: 0x8168e980 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System Address: 0x8168e980 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]
Process: System Address: 0x8168e980 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8168e980 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8168e980 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA]
Process: System Address: 0x8168e980 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA]
Process: System Address: 0x8168e980 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8168e980 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8168e980 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8168e980 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8168e980 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8168e980 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8168e980 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8168e980 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8168e980 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8168e980 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP]
Process: System Address: 0x8168e980 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x8168e980 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x8168e980 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY]
Process: System Address: 0x8168e980 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER]
Process: System Address: 0x8168e980 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8168e980 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x8168e980 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x8168e980 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA]
Process: System Address: 0x8168e980 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]
Process: System Address: 0x8168e980 Size: 463

Object: Hidden Code [Driver: Cdfsȅఐ卆浩q, IRP_MJ_CREATE]
Process: System Address: 0x81a05468 Size: 463

Object: Hidden Code [Driver: Cdfsȅఐ卆浩q, IRP_MJ_CLOSE]
Process: System Address: 0x81a05468 Size: 463

Object: Hidden Code [Driver: Cdfsȅఐ卆浩q, IRP_MJ_READ]
Process: System Address: 0x81a05468 Size: 463

Object: Hidden Code [Driver: Cdfsȅఐ卆浩q, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x81a05468 Size: 463

Object: Hidden Code [Driver: Cdfsȅఐ卆浩q, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x81a05468 Size: 463

Object: Hidden Code [Driver: Cdfsȅఐ卆浩q, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x81a05468 Size: 463

Object: Hidden Code [Driver: Cdfsȅఐ卆浩q, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x81a05468 Size: 463

Object: Hidden Code [Driver: Cdfsȅఐ卆浩q, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x81a05468 Size: 463

Object: Hidden Code [Driver: Cdfsȅఐ卆浩q, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x81a05468 Size: 463

Object: Hidden Code [Driver: Cdfsȅఐ卆浩q, IRP_MJ_SHUTDOWN]
Process: System Address: 0x81a05468 Size: 463

Object: Hidden Code [Driver: Cdfsȅఐ卆浩q, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x81a05468 Size: 463

Object: Hidden Code [Driver: Cdfsȅఐ卆浩q, IRP_MJ_CLEANUP]
Process: System Address: 0x81a05468 Size: 463

Object: Hidden Code [Driver: Cdfsȅఐ卆浩q, IRP_MJ_PNP]
Process: System Address: 0x81a05468 Size: 463

==EOF==



Thanks.
nicop
Posts: 371
Joined: 21 Jan 2005, 11:00
Location: Pyrénées
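A helper reading a report like the one above goes through it section by section: which loaded drivers cannot be identified, which module hooks each SSDT entry, and which drivers have "Hidden Code" on their IRP handlers. The script below is an added example written for this page, not RootRepeal's code nor a tool used on this forum. It parses the report's plain-text record format and applies a few review heuristics that are this example's own assumptions (an 8-character random-looking driver name, a non-ASCII driver name, every hooked handler of a driver pointing at the same address). SAMPLE_REPORT is a constructed excerpt modelled on nicop's report; the output is a list of items to identify by hand, not a verdict.

```python
"""Triage of a RootRepeal report (added example; not RootRepeal's or the forum's code).
The random-name and non-ASCII-name heuristics are this example's assumptions;
SAMPLE_REPORT is a constructed excerpt modelled on the report posted above."""
import re

SAMPLE_REPORT = """\
ROOTREPEAL (c) AD, 2007-2009
Drivers
-------------------
Name: a4fnkiog.SYS
Image Path: C:\\WINDOWS\\System32\\Drivers\\a4fnkiog.SYS
Address: 0xF74DD000 Size: 303104 File Visible: No Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\\WINDOWS\\System32\\Drivers\\dump_atapi.sys
Address: 0xF5F50000 Size: 98304 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 037 Function Name: NtCreateFile
Status: Hooked by "C:\\WINDOWS\\system32\\drivers\\PCTAppEvent.sys" at address 0xba2e1640

#: 041 Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0xf8c373be

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x823d51d8 Size: 151

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System Address: 0x823d51d8 Size: 151

Object: Hidden Code [Driver: Cdfsȅఐ卆浩q, IRP_MJ_CREATE]
Process: System Address: 0x81a05468 Size: 463

==EOF==
"""

# A section header is a line of letters followed by a dashed underline.
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z][A-Za-z/ ]*)\n-{5,}\n", re.M)
RANDOM_NAME_RE = re.compile(r"^[a-z0-9]{8}\.sys$", re.I)  # assumption: 8 random chars

def split_sections(report):
    """Return {section name: [record, ...]}; a record is one blank-line separated block."""
    heads = list(SECTION_RE.finditer(report))
    sections = {}
    for i, head in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(report)
        body = report[head.end():end].replace("==EOF==", "")
        sections[head.group("name").strip()] = [r.strip() for r in re.split(r"\n\s*\n", body) if r.strip()]
    return sections

def review_drivers(records):
    """Flag drivers with random-looking names for manual identification. 'File Visible: No'
    appears on every driver in the report, legitimate ones included, so it is context only."""
    flagged = []
    for rec in records:
        name = re.search(r"^Name: (.+)$", rec, re.M)
        if name and RANDOM_NAME_RE.match(name.group(1).strip()):
            vis = re.search(r"File Visible: (\w+)", rec)
            flagged.append({"driver": name.group(1).strip(), "file_visible": vis.group(1) if vis else "?"})
    return flagged

def group_ssdt_hooks(records):
    """Map each hooking module (as RootRepeal names it) to the Nt* services it hooks."""
    hooks = {}
    for rec in records:
        fn = re.search(r"Function Name: (\w+)", rec)
        by = re.search(r'Hooked by "([^"]*)"', rec)
        if fn and by:
            hooks.setdefault(by.group(1), []).append(fn.group(1))
    return hooks

def group_stealth_objects(records):
    """Group 'Hidden Code' entries by driver: hooked IRP handlers and the code addresses."""
    objs = {}
    for rec in records:
        where = re.search(r"\[Driver: (.+?), (IRP_MJ_\w+)\]", rec)
        addr = re.search(r"Address: (0x[0-9a-fA-F]+) Size: (\d+)", rec)
        if where and addr:
            entry = objs.setdefault(where.group(1), {"handlers": [], "addresses": set()})
            entry["handlers"].append(where.group(2))
            entry["addresses"].add(addr.group(1))
    return objs

def triage(report):
    """Run every check; the result is data for a human to judge, not a verdict."""
    sections = split_sections(report)
    stealth = group_stealth_objects(sections.get("Stealth Objects", []))
    return {
        "drivers_to_identify": review_drivers(sections.get("Drivers", [])),
        "ssdt_hooks_by_module": group_ssdt_hooks(sections.get("SSDT", [])),
        "stealth_by_driver": stealth,
        # All hooked handlers of a driver at one address: one redirected block, not one patch each.
        "single_block_redirects": sorted(d for d, e in stealth.items() if len(e["addresses"]) == 1),
        # Non-ASCII tails ("Cdfs" + junk) look like unterminated-string residue from the
        # scanner rather than real names; match them to the Drivers section by ASCII prefix.
        "garbled_driver_names": sorted(d for d in stealth if not d.isascii()),
    }
```

Call `triage(open("RootRepeal-090620.txt").read())` on a saved report. Run over the full report above, `stealth_by_driver["Ntfs"]` would list all 22 handlers at the single address 0x823d51d8, and `ssdt_hooks_by_module` would separate the PCTAppEvent.sys hooks (a PC Tools component) from the `<unknown>` and sptd.sys ones. As nickW's later reply shows, the symptoms in this thread came from the PC Tools firewall, which is why the output is framed as things to identify rather than as detections.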

Post by nicop » 22 June 2009, 17:19

I've found something!

I simply tried, on the off chance, opening those 4 programs with the firewall disabled.
And it works!!!
Seeing that, I opened PC Tools to look at the list of monitored applications. None of the four appeared in the list.
So I added them manually, as it is possible to do.
Despite that, they crash again as soon as the firewall is re-enabled.
So the problem isn't solved, but at least we know where it comes from.
Do you think this is a PC Tools configuration problem, or an incompatibility?

Thanks

Post by nickW » 23 June 2009, 00:00

Good evening,

You're not the only one!
http://www.pctools.com/forum/showthread.php?t=54669
http://www.libellules.ch/phpBB2/attenti ... 31233.html

The current solution is to disable ESV (Enhanced Security Verification):
Settings -> Filtering -> untick "Enable advanced security checks" -> restart the PC

... until the problem is fixed by the firewall's developers.

Regards,
nickW

Post by nicop » 23 June 2009, 06:55

Hello,

Everything is OK now.
I'm sorry to have made you waste time on this last problem...

Once again, thank you for everything.

nicop

PS: can I re-enable TeaTimer?

Post by nickW » 23 June 2009, 23:11

Good evening,

Since the PC no longer shows any symptoms of infection, here are a few additional recommendations:


A piece of advice:
The free version of MBAM (Malwarebytes' Anti-Malware) remains usable for on-demand scans.
You can therefore choose to leave it installed and use it from time to time (for "cleaning"), doing a manual update before requesting the scan.


It is preferable to remove FindyKill (run the tool again via the Desktop shortcut and choose option 3 (Uninstall FindyKill)).
It is preferable to remove Flash_Disinfector (the downloaded file Flash_Disinfector.exe).
It is preferable to remove OTListIt2 (the downloaded file OTListIt2.exe and the result files OTListIt.txt and Extras.txt on the Desktop, as well as the working file(s) OTLI-*.txt if any exist).
Note: If it exists, the folder Drive\_OTListIt contains backups. Once you have checked that all the PC's software works correctly, this folder can be deleted.


A piece of advice:
Re-enable Spybot-S&D's TeaTimer using the method below:
Note: [SystemDrive stands for the partition on which the system is installed, usually C:]
  • Delete all the Registry snapshots created by Spybot-S&D's TeaTimer
    Go with Windows Explorer to the folder:
    SystemDrive\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2
    Put all the files found there into an archive (.zip file) to back them up, then delete all those files (keep only the backup archive).
  • Restart Spybot-S&D's TeaTimer.
    Go with Windows Explorer to the Spybot-S&D installation folder, by default SystemDrive\Program Files\Spybot - Search & Destroy.
    Double-click TeaTimer.exe to start it.
  • Stop Spybot-S&D's TeaTimer so that new Registry snapshots are saved.
    In the system tray (next to the clock), right-click the Spybot-S&D Resident icon and choose Exit Spybot-S&D Resident.
    During this shutdown, the Registry snapshots created by Spybot-S&D's TeaTimer are saved.
  • Restart Spybot-S&D's TeaTimer.
    Go with Windows Explorer to the Spybot-S&D installation folder, by default SystemDrive\Program Files\Spybot - Search & Destroy.
    Double-click TeaTimer.exe to start it.
  • Re-enable automatic startup of TeaTimer.
    Start Spybot-S&D, Advanced mode, Tools, Resident, tick the box in front of TeaTimer. Close Spybot-S&D.



There you go.

Regards,

PS:
If you consider this topic closed, could you put [OK] in front of the title of the first message. See HERE.
Thanks.
nickW
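The first TeaTimer step above (zip every file in the Snapshots2 folder, then delete the files and keep only the archive) is the kind of back-up-then-delete that goes wrong when the archive turns out to be incomplete. The function below is an added example written for this page, not Spybot-S&D's own tooling: it builds the archive, verifies it (CRC check of every member and an exact match of the member list against the files it was meant to hold), and only then deletes the originals. The folder is a parameter, so `demo()` runs it on a constructed temporary directory with two fake snapshot files; on the machine in question the argument would be the Snapshots2 path quoted above.

```python
"""Back up, verify, then clear a snapshot folder (added example; not Spybot-S&D's tooling)."""
import tempfile
import zipfile
from pathlib import Path


def archive_and_clear(folder, archive_name="Snapshots2-backup.zip"):
    """Zip all regular files in `folder` into `folder/archive_name`, then delete them.

    Returns the names of the archived files. Raises before deleting anything if the
    archive already exists or fails verification, so a failed run loses no data.
    """
    folder = Path(folder)
    archive = folder / archive_name
    if archive.exists():
        raise FileExistsError(f"{archive} already exists; move it away first")
    # Listed before the archive is created, so the archive never includes itself.
    files = sorted(p for p in folder.iterdir() if p.is_file())
    with zipfile.ZipFile(archive, "w", zipfile.ZIP_DEFLATED) as zf:
        for p in files:
            zf.write(p, arcname=p.name)
    # Verify before deleting: testzip() returns the first corrupt member or None,
    # and the member list must be exactly the files we set out to archive.
    with zipfile.ZipFile(archive) as zf:
        if zf.testzip() is not None or sorted(zf.namelist()) != [p.name for p in files]:
            raise RuntimeError("archive verification failed; nothing was deleted")
    for p in files:
        p.unlink()
    return [p.name for p in files]


def demo():
    """Constructed run in a temp directory: two fake files stand in for TeaTimer's snapshots."""
    with tempfile.TemporaryDirectory() as tmp:
        folder = Path(tmp) / "Snapshots2"
        folder.mkdir()
        (folder / "snapshot-001.dat").write_bytes(b"constructed snapshot 1")
        (folder / "snapshot-002.dat").write_bytes(b"constructed snapshot 2")
        archived = archive_and_clear(folder)
        remaining = sorted(p.name for p in folder.iterdir())
        with zipfile.ZipFile(folder / "Snapshots2-backup.zip") as zf:
            restored = zf.read("snapshot-001.dat")
        return {"archived": archived, "remaining": remaining, "restored": restored}
```

If the verification step raises, the folder is left untouched with the incomplete archive beside the originals, which is the state you want to inspect rather than a folder that is already empty.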

Post by nicop » 24 June 2009, 10:35

Thanks for everything, nickW
See you