Security-X
Security-X Forum => Disinfections => Topic started by: jumeaus on January 26, 2012, 19:33:14
-
Hello,
I am contacting you because I cannot solve this problem even though I have consulted many forums and tutorials.
I was infected by System Check and, after some research, I used the tools RogueKiller (with options 1-2-6) and then Malwarebytes' Anti-Malware. Once the scan was done, the PC restarted.
Now the PC only starts in Safe Mode (in every other mode I get a blue screen for a fraction of a second and the PC reboots).
In Safe Mode, if I run RogueKiller again with option 1, I see that Zero Rootkit is present and the MBR may be infected too (I am not really sure whether "unknown" is normal or not). I downloaded TDSSKiller, which found 2 problems but cannot cure them.
If needed, I can post the RogueKiller report or others.
Thank you in advance for any help you can give me.
Regards,
Adrien
-
I also tried the ComboFix tool, and it allowed me to remove the rootkit, but I still cannot start Windows in any mode other than Safe Mode.
Here are the various reports:
RogueKiller:
RogueKiller V6.2.0 [12/12/2011] par Tigzy
mail: tigzyRK<at>gmail<dot>com
Remontees: http://www.sur-la-toile.com/discussion-193725-1-BRogueKillerD-Remontees.html
Blog: http://tigzyrk.blogspot.com
Systeme d'exploitation: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Demarrage : Mode sans echec
Utilisateur: Monique [Droits d'admin]
Mode: Recherche -- Date : 26/01/2012 19:49:06
¤¤¤ Processus malicieux: 0 ¤¤¤
¤¤¤ Entrees de registre: 0 ¤¤¤
¤¤¤ Fichiers / Dossiers particuliers: ¤¤¤
¤¤¤ Driver: [NOT LOADED] ¤¤¤
¤¤¤ Infection : ¤¤¤
¤¤¤ Fichier HOSTS: ¤¤¤
127.0.0.1 localhost
¤¤¤ MBR Verif: ¤¤¤
--- User ---
[MBR] bffaa62aab98bfceebc3c29a53835da7
[BSP] 259f448746243414fff839354e653af8 : MBR Code unknown
Partition table:
0 - [XXXXXX] UNKNW [HIDDEN!] Offset (sectors): 63 | Size: 6448 Mo
1 - [ACTIVE] NTFS [VISIBLE] Offset (sectors): 12594960 | Size: 76280 Mo
2 - [XXXXXX] NTFS [VISIBLE] Offset (sectors): 161581056 | Size: 77310 Mo
User = LL1 ... OK!
User = LL2 ... OK!
Termine : << RKreport[12].txt >>
RKreport[10].txt ; RKreport[11].txt ; RKreport[12].txt ; RKreport[1].txt ; RKreport[2].txt ;
RKreport[3].txt ; RKreport[4].txt ; RKreport[5].txt ; RKreport[6].txt ; RKreport[7].txt ;
RKreport[8].txt ; RKreport[9].txt
TDSSKiller:
19:51:26.0953 1436 TDSS rootkit removing tool 2.7.7.0 Jan 24 2012 16:44:27
19:51:27.0000 1436 ============================================================
19:51:27.0000 1436 Current date / time: 2012/01/26 19:51:27.0000
19:51:27.0000 1436 SystemInfo:
19:51:27.0000 1436
19:51:27.0000 1436 OS Version: 5.1.2600 ServicePack: 3.0
19:51:27.0000 1436 Product type: Workstation
19:51:27.0000 1436 ComputerName: YOUR-5B36462D72
19:51:27.0000 1436 UserName: Monique
19:51:27.0000 1436 Windows directory: C:\WINDOWS
19:51:27.0000 1436 System windows directory: C:\WINDOWS
19:51:27.0000 1436 Processor architecture: Intel x86
19:51:27.0000 1436 Number of processors: 1
19:51:27.0000 1436 Page size: 0x1000
19:51:27.0000 1436 Boot type: Safe boot
19:51:27.0000 1436 ============================================================
19:51:29.0640 1436 Drive \Device\Harddisk0\DR0 - Size: 0x25433D6000 (149.05 Gb), SectorSize: 0x200, Cylinders: 0x4C01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
19:51:29.0640 1436 Drive \Device\Harddisk1\DR4 - Size: 0xEEBF8000 (3.73 Gb), SectorSize: 0x200, Cylinders: 0x1E6, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'
19:51:29.0796 1436 Initialize success
19:51:33.0015 1488 ============================================================
19:51:33.0015 1488 Scan started
19:51:33.0015 1488 Mode: Manual;
19:51:33.0015 1488 ============================================================
19:51:35.0046 1488 Abiosdsk - ok
19:51:35.0187 1488 abp480n5 - ok
19:51:35.0437 1488 ACPI (e5e6dbfc41ea8aad005cb9a57a96b43b) C:\WINDOWS\system32\DRIVERS\ACPI.sys
19:51:35.0468 1488 ACPI - ok
19:51:35.0656 1488 ACPIEC (e4abc1212b70bb03d35e60681c447210) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
19:51:35.0656 1488 ACPIEC - ok
19:51:35.0812 1488 adpu160m - ok
19:51:36.0031 1488 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
19:51:36.0031 1488 aec - ok
19:51:36.0250 1488 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
19:51:36.0281 1488 AFD - ok
19:51:36.0437 1488 Aha154x - ok
19:51:36.0593 1488 aic78u2 - ok
19:51:36.0734 1488 aic78xx - ok
19:51:36.0890 1488 AliIde - ok
19:51:37.0046 1488 amsint - ok
19:51:37.0578 1488 AR5416 (6eacc829e76b1efdface633619a3db31) C:\WINDOWS\system32\DRIVERS\athw.sys
19:51:37.0890 1488 AR5416 - ok
19:51:38.0046 1488 asc - ok
19:51:38.0203 1488 asc3350p - ok
19:51:38.0343 1488 asc3550 - ok
19:51:38.0531 1488 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
19:51:38.0531 1488 AsyncMac - ok
19:51:38.0718 1488 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
19:51:38.0718 1488 atapi - ok
19:51:38.0875 1488 Atdisk - ok
19:51:39.0078 1488 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
19:51:39.0093 1488 Atmarpc - ok
19:51:39.0281 1488 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
19:51:39.0296 1488 audstub - ok
19:51:39.0484 1488 avgntflt (7713e4eb0276702faa08e52a6e23f2a6) C:\WINDOWS\system32\DRIVERS\avgntflt.sys
19:51:39.0500 1488 avgntflt - ok
19:51:39.0718 1488 avipbb (475fbb85956534720858ae72010c0a43) C:\WINDOWS\system32\DRIVERS\avipbb.sys
19:51:39.0750 1488 avipbb - ok
19:51:39.0937 1488 avkmgr (271cfd1a989209b1964e24d969552bf7) C:\WINDOWS\system32\DRIVERS\avkmgr.sys
19:51:39.0937 1488 avkmgr - ok
19:51:40.0125 1488 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
19:51:40.0125 1488 Beep - ok
19:51:40.0546 1488 BTKRNL (48aad36baefb7820bfeb986763226905) C:\WINDOWS\system32\DRIVERS\btkrnl.sys
19:51:40.0750 1488 BTKRNL - ok
19:51:40.0953 1488 BTWUSB (053dc5be74621b63bb48c2b86bafc7b0) C:\WINDOWS\system32\Drivers\btwusb.sys
19:51:40.0968 1488 BTWUSB - ok
19:51:41.0109 1488 catchme - ok
19:51:41.0265 1488 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
19:51:41.0265 1488 cbidf2k - ok
19:51:41.0453 1488 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
19:51:41.0468 1488 CCDECODE - ok
19:51:41.0609 1488 cd20xrnt - ok
19:51:41.0796 1488 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
19:51:41.0796 1488 Cdaudio - ok
19:51:41.0984 1488 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
19:51:42.0000 1488 Cdfs - ok
19:51:42.0156 1488 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
19:51:42.0171 1488 Cdrom - ok
19:51:42.0328 1488 Changer - ok
19:51:42.0546 1488 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
19:51:42.0546 1488 CmBatt - ok
19:51:42.0687 1488 CmdIde - ok
19:51:42.0859 1488 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
19:51:42.0875 1488 Compbatt - ok
19:51:43.0046 1488 Cpqarray - ok
19:51:43.0218 1488 dac2w2k - ok
19:51:43.0375 1488 dac960nt - ok
19:51:43.0546 1488 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
19:51:43.0562 1488 Disk - ok
19:51:43.0921 1488 dmboot (f5deadd42335fb33edca74ecb2f36cba) C:\WINDOWS\system32\drivers\dmboot.sys
19:51:44.0093 1488 dmboot - ok
19:51:44.0328 1488 dmio (5a7c47c9b3f9fb92a66410a7509f0c71) C:\WINDOWS\system32\drivers\dmio.sys
19:51:44.0375 1488 dmio - ok
19:51:44.0546 1488 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
19:51:44.0546 1488 dmload - ok
19:51:44.0750 1488 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
19:51:44.0765 1488 DMusic - ok
19:51:44.0953 1488 DNSeFilter (128ae3aedde1e3ae772c88320628fe7c) C:\WINDOWS\system32\drivers\SamsungEDS.sys
19:51:44.0968 1488 DNSeFilter - ok
19:51:45.0140 1488 DOSMEMIO (8a4cb9438571814b128b6dc30d698064) C:\WINDOWS\system32\MEMIO.SYS
19:51:45.0140 1488 DOSMEMIO - ok
19:51:45.0312 1488 dpti2o - ok
19:51:45.0468 1488 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
19:51:45.0468 1488 drmkaud - ok
19:51:45.0703 1488 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
19:51:45.0734 1488 Fastfat - ok
19:51:45.0890 1488 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
19:51:45.0906 1488 Fdc - ok
19:51:46.0078 1488 Fips (31f923eb2170fc172c81abda0045d18c) C:\WINDOWS\system32\drivers\Fips.sys
19:51:46.0093 1488 Fips - ok
19:51:46.0265 1488 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
19:51:46.0265 1488 Flpydisk - ok
19:51:46.0500 1488 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
19:51:46.0531 1488 FltMgr - ok
19:51:46.0703 1488 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
19:51:46.0703 1488 Fs_Rec - ok
19:51:46.0906 1488 Ftdisk (a86859b77b908c18c2657f284aa29fe3) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
19:51:46.0921 1488 Ftdisk - ok
19:51:47.0140 1488 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
19:51:47.0156 1488 Gpc - ok
19:51:47.0406 1488 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
19:51:47.0406 1488 HDAudBus - ok
19:51:47.0625 1488 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
19:51:47.0625 1488 HidUsb - ok
19:51:47.0781 1488 hpn - ok
19:51:48.0031 1488 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
19:51:48.0093 1488 HTTP - ok
19:51:48.0250 1488 i2omgmt - ok
19:51:48.0406 1488 i2omp - ok
19:51:48.0609 1488 i8042prt (a09bdc4ed10e3b2e0ec27bb94af32516) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
19:51:48.0625 1488 i8042prt - ok
19:51:48.0812 1488 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
19:51:48.0828 1488 Imapi - ok
19:51:48.0984 1488 ini910u - ok
19:51:50.0296 1488 IntcAzAudAddService (2753e11723921823baacf0118811cc9f) C:\WINDOWS\system32\drivers\RtkHDAud.sys
19:51:51.0437 1488 IntcAzAudAddService - ok
19:51:51.0671 1488 IntelIde - ok
19:51:51.0875 1488 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
19:51:51.0875 1488 Ip6Fw - ok
19:51:52.0046 1488 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
19:51:52.0062 1488 IpFilterDriver - ok
19:51:52.0203 1488 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
19:51:52.0218 1488 IpInIp - ok
19:51:52.0421 1488 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
19:51:52.0453 1488 IpNat - ok
19:51:52.0656 1488 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
19:51:52.0656 1488 IPSec - ok
19:51:52.0843 1488 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
19:51:52.0843 1488 IRENUM - ok
19:51:53.0062 1488 isapnp (355836975a67b6554bca60328cd6cb74) C:\WINDOWS\system32\DRIVERS\isapnp.sys
19:51:53.0062 1488 isapnp - ok
19:51:53.0265 1488 Kbdclass (16813155807c6881f4bfbf6657424659) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
19:51:53.0281 1488 Kbdclass - ok
19:51:53.0437 1488 kbdhid (94c59cb884ba010c063687c3a50dce8e) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
19:51:53.0437 1488 kbdhid - ok
19:51:53.0656 1488 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
19:51:53.0703 1488 kmixer - ok
19:51:53.0890 1488 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
19:51:53.0921 1488 KSecDD - ok
19:51:54.0078 1488 lbrtfdc - ok
19:51:54.0312 1488 MBAMProtector (b7ca8cc3f978201856b6ab82f40953c3) C:\WINDOWS\system32\drivers\mbam.sys
19:51:54.0312 1488 MBAMProtector - ok
19:51:54.0515 1488 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
19:51:54.0515 1488 mnmdd - ok
19:51:54.0687 1488 Modem (510ade9327fe84c10254e1902697e25f) C:\WINDOWS\system32\drivers\Modem.sys
19:51:54.0703 1488 Modem - ok
19:51:54.0859 1488 Mouclass (027c01bd7ef3349aaebc883d8a799efb) C:\WINDOWS\system32\DRIVERS\mouclass.sys
19:51:54.0859 1488 Mouclass - ok
19:51:55.0046 1488 mouhid (124d6846040c79b9c997f78ef4b2a4e5) C:\WINDOWS\system32\DRIVERS\mouhid.sys
19:51:55.0046 1488 mouhid - ok
19:51:55.0203 1488 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
19:51:55.0218 1488 MountMgr - ok
19:51:55.0375 1488 mraid35x - ok
19:51:55.0578 1488 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
19:51:55.0609 1488 MRxDAV - ok
19:51:55.0875 1488 MRxSmb (97109161684b95bcc8441850f34457a4) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
19:51:55.0984 1488 MRxSmb ( Virus.Win32.ZAccess.l ) - infected
19:51:55.0984 1488 MRxSmb - detected Virus.Win32.ZAccess.l (0)
19:51:56.0171 1488 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
19:51:56.0171 1488 Msfs - ok
19:51:56.0359 1488 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
19:51:56.0375 1488 MSKSSRV - ok
19:51:56.0546 1488 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
19:51:56.0546 1488 MSPCLOCK - ok
19:51:56.0718 1488 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
19:51:56.0718 1488 MSPQM - ok
19:51:56.0890 1488 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
19:51:56.0906 1488 mssmbios - ok
19:51:57.0062 1488 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
19:51:57.0062 1488 MSTEE - ok
19:51:57.0250 1488 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
19:51:57.0281 1488 Mup - ok
19:51:57.0468 1488 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
19:51:57.0484 1488 NABTSFEC - ok
19:51:57.0687 1488 NDIS (b5b1080d35974c0e718d64280761bcd5) C:\WINDOWS\system32\drivers\NDIS.sys
19:51:57.0687 1488 NDIS - ok
19:51:57.0875 1488 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
19:51:57.0875 1488 NdisIP - ok
19:51:58.0031 1488 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
19:51:58.0046 1488 NdisTapi - ok
19:51:58.0234 1488 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
19:51:58.0234 1488 Ndisuio - ok
19:51:58.0421 1488 NdisWan (b053a8411045fd0664b389a090cb2bbc) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
19:51:58.0437 1488 NdisWan - ok
19:51:58.0640 1488 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
19:51:58.0640 1488 NDProxy - ok
19:51:58.0812 1488 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
19:51:58.0828 1488 NetBIOS - ok
19:51:59.0046 1488 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
19:51:59.0093 1488 NetBT - ok
19:51:59.0312 1488 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
19:51:59.0312 1488 Npfs - ok
19:51:59.0609 1488 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
19:51:59.0609 1488 Ntfs - ok
19:51:59.0812 1488 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
19:51:59.0812 1488 Null - ok
19:51:59.0984 1488 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
19:51:59.0984 1488 NwlnkFlt - ok
19:52:00.0156 1488 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
19:52:00.0171 1488 NwlnkFwd - ok
19:52:00.0375 1488 Parport (8fd0bdbea875d06ccf6c945ca9abaf75) C:\WINDOWS\system32\drivers\Parport.sys
19:52:00.0406 1488 Parport - ok
19:52:00.0562 1488 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
19:52:00.0562 1488 PartMgr - ok
19:52:00.0734 1488 ParVdm (9575c5630db8fb804649a6959737154c) C:\WINDOWS\system32\drivers\ParVdm.sys
19:52:00.0734 1488 ParVdm - ok
19:52:00.0906 1488 PCI (043410877bda580c528f45165f7125bc) C:\WINDOWS\system32\DRIVERS\pci.sys
19:52:00.0921 1488 PCI - ok
19:52:01.0062 1488 PCIDump - ok
19:52:01.0218 1488 PCIIde (f4bfde7209c14a07aaa61e4d6ae69eac) C:\WINDOWS\system32\DRIVERS\pciide.sys
19:52:01.0218 1488 PCIIde - ok
19:52:01.0421 1488 Pcmcia (f0406cbc60bdb0394a0e17ffb04cdd3d) C:\WINDOWS\system32\drivers\Pcmcia.sys
19:52:01.0453 1488 Pcmcia - ok
19:52:01.0609 1488 PDCOMP - ok
19:52:01.0750 1488 PDFRAME - ok
19:52:01.0890 1488 PDRELI - ok
19:52:02.0046 1488 PDRFRAME - ok
19:52:02.0187 1488 perc2 - ok
19:52:02.0343 1488 perc2hib - ok
19:52:02.0609 1488 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
19:52:02.0625 1488 PptpMiniport - ok
19:52:02.0812 1488 Processor (e19c9632ac828f6f214391e2bdda11cb) C:\WINDOWS\system32\DRIVERS\processr.sys
19:52:02.0828 1488 Processor - ok
19:52:03.0015 1488 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
19:52:03.0031 1488 PSched - ok
19:52:03.0187 1488 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
19:52:03.0187 1488 Ptilink - ok
19:52:03.0359 1488 PxHelp20 (49452bfcec22f36a7a9b9c2181bc3042) C:\WINDOWS\system32\Drivers\PxHelp20.sys
19:52:03.0375 1488 PxHelp20 - ok
19:52:03.0515 1488 ql1080 - ok
19:52:03.0671 1488 Ql10wnt - ok
19:52:03.0828 1488 ql12160 - ok
19:52:03.0968 1488 ql1240 - ok
19:52:04.0109 1488 ql1280 - ok
19:52:04.0296 1488 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
19:52:04.0296 1488 RasAcd - ok
19:52:04.0484 1488 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
19:52:04.0484 1488 Rasl2tp - ok
19:52:04.0656 1488 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
19:52:04.0656 1488 RasPppoe - ok
19:52:04.0812 1488 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
19:52:04.0828 1488 Raspti - ok
19:52:05.0031 1488 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
19:52:05.0062 1488 Rdbss - ok
19:52:05.0250 1488 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
19:52:05.0250 1488 RDPCDD - ok
19:52:05.0500 1488 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
19:52:05.0531 1488 RDPWD - ok
19:52:05.0734 1488 redbook (d8eb2a7904db6c916eb5361878ddcbae) C:\WINDOWS\system32\DRIVERS\redbook.sys
19:52:05.0750 1488 redbook - ok
19:52:06.0140 1488 S3GIGP (7ca594e7ff16f74fef13be2cba91759a) C:\WINDOWS\system32\DRIVERS\S3gIGPm.sys
19:52:06.0265 1488 S3GIGP - ok
19:52:06.0500 1488 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
19:52:06.0500 1488 Secdrv - ok
19:52:06.0718 1488 Serial (93d313c31f7ad9ea2b75f26075413c7c) C:\WINDOWS\system32\drivers\Serial.sys
19:52:06.0734 1488 Serial - ok
19:52:06.0890 1488 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
19:52:06.0890 1488 Sfloppy - ok
19:52:07.0062 1488 Simbad - ok
19:52:07.0250 1488 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
19:52:07.0250 1488 SLIP - ok
19:52:07.0390 1488 Sparrow - ok
19:52:07.0578 1488 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
19:52:07.0578 1488 splitter - ok
19:52:07.0937 1488 sptd (d15da1ba189770d93eea2d7e18f95af9) C:\WINDOWS\system32\Drivers\sptd.sys
19:52:07.0937 1488 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: d15da1ba189770d93eea2d7e18f95af9
19:52:07.0937 1488 sptd ( LockedFile.Multi.Generic ) - warning
19:52:07.0937 1488 sptd - detected LockedFile.Multi.Generic (1)
19:52:08.0125 1488 sr (39626e6dc1fb39434ec40c42722b660a) C:\WINDOWS\system32\DRIVERS\sr.sys
19:52:08.0140 1488 sr - ok
19:52:08.0390 1488 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
19:52:08.0468 1488 Srv - ok
19:52:08.0671 1488 ssmdrv (a36ee93698802cd899f98bfd553d8185) C:\WINDOWS\system32\DRIVERS\ssmdrv.sys
19:52:08.0671 1488 ssmdrv - ok
19:52:08.0859 1488 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
19:52:08.0859 1488 streamip - ok
19:52:09.0046 1488 SUEPD (c0137b5947ae3d3fc1c17ba6fdfb3dad) C:\WINDOWS\system32\DRIVERS\SUE_PD.sys
19:52:09.0062 1488 SUEPD - ok
19:52:09.0250 1488 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
19:52:09.0250 1488 swenum - ok
19:52:09.0453 1488 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
19:52:09.0468 1488 swmidi - ok
19:52:09.0609 1488 symc810 - ok
19:52:09.0765 1488 symc8xx - ok
19:52:09.0921 1488 sym_hi - ok
19:52:10.0078 1488 sym_u3 - ok
19:52:10.0312 1488 SynTP (ea447f6db6115e8a32352f9faffa824d) C:\WINDOWS\system32\DRIVERS\SynTP.sys
19:52:10.0375 1488 SynTP - ok
19:52:10.0531 1488 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
19:52:10.0546 1488 sysaudio - ok
19:52:10.0828 1488 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
19:52:10.0828 1488 Tcpip - ok
19:52:11.0000 1488 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
19:52:11.0015 1488 TDPIPE - ok
19:52:11.0171 1488 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
19:52:11.0187 1488 TDTCP - ok
19:52:11.0343 1488 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
19:52:11.0359 1488 TermDD - ok
19:52:11.0546 1488 TosIde - ok
19:52:11.0765 1488 TrueSight (f69641efdb19acb4753b0155f7fdeed5) c:\windows\system32\drivers\TrueSight.sys
19:52:11.0781 1488 TrueSight - ok
19:52:11.0984 1488 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
19:52:12.0000 1488 Udfs - ok
19:52:12.0156 1488 ultra - ok
19:52:12.0421 1488 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
19:52:12.0515 1488 Update - ok
19:52:12.0703 1488 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
19:52:12.0718 1488 usbccgp - ok
19:52:12.0906 1488 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
19:52:12.0921 1488 usbehci - ok
19:52:13.0093 1488 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
19:52:13.0109 1488 usbhub - ok
19:52:13.0296 1488 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
19:52:13.0312 1488 USBSTOR - ok
19:52:13.0453 1488 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
19:52:13.0468 1488 usbuhci - ok
19:52:13.0687 1488 usbvideo (63bbfca7f390f4c49ed4b96bfb1633e0) C:\WINDOWS\system32\Drivers\usbvideo.sys
19:52:13.0703 1488 usbvideo - ok
19:52:13.0906 1488 vcrdrx32 (bdc66ab50745266beca6eb41563a0fe6) C:\WINDOWS\system32\DRIVERS\vcrdrx32.sys
19:52:13.0937 1488 vcrdrx32 - ok
19:52:14.0093 1488 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
19:52:14.0109 1488 VgaSave - ok
19:52:14.0265 1488 ViaIde - ok
19:52:14.0500 1488 VMC326 (4f101e48d060e318752fbc458a4b49f0) C:\WINDOWS\system32\Drivers\VMC326.sys
19:52:14.0546 1488 VMC326 - ok
19:52:14.0750 1488 VolSnap (46de1126684369bace4849e4fc8c43ca) C:\WINDOWS\system32\drivers\VolSnap.sys
19:52:14.0765 1488 VolSnap - ok
19:52:15.0000 1488 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
19:52:15.0015 1488 Wanarp - ok
19:52:15.0281 1488 Wdf01000 (bbcfeab7e871cddac2d397ee7fa91fdc) C:\WINDOWS\system32\Drivers\wdf01000.sys
19:52:15.0296 1488 Wdf01000 - ok
19:52:15.0437 1488 WDICA - ok
19:52:15.0640 1488 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
19:52:15.0671 1488 wdmaud - ok
19:52:15.0968 1488 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys
19:52:15.0984 1488 WpdUsb - ok
19:52:16.0187 1488 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
19:52:16.0187 1488 WS2IFSL - ok
19:52:16.0375 1488 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
19:52:16.0390 1488 WSTCODEC - ok
19:52:16.0625 1488 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
19:52:16.0640 1488 WudfPf - ok
19:52:16.0843 1488 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
19:52:16.0859 1488 WudfRd - ok
19:52:17.0031 1488 xnykrsu - ok
19:52:17.0296 1488 yukonwxp (7578410b1512fad9c485b134561e8b78) C:\WINDOWS\system32\DRIVERS\yk51x86.sys
19:52:17.0375 1488 yukonwxp - ok
19:52:17.0453 1488 MBR (0x1B8) (8a377d0e379d9908f73d2f7b479188bc) \Device\Harddisk0\DR0
19:52:17.0953 1488 \Device\Harddisk0\DR0 - ok
19:52:17.0984 1488 MBR (0x1B8) (ddae9d649db12f6aff24483f2c298989) \Device\Harddisk1\DR4
19:52:17.0984 1488 \Device\Harddisk1\DR4 - ok
19:52:18.0000 1488 Boot (0x1200) (60e6033aeb0198db9ac9def0e37eed97) \Device\Harddisk0\DR0\Partition0
19:52:18.0000 1488 \Device\Harddisk0\DR0\Partition0 - ok
19:52:18.0046 1488 Boot (0x1200) (b07664a4f1d17c36b3265b3a1604ff6a) \Device\Harddisk0\DR0\Partition1
19:52:18.0046 1488 \Device\Harddisk0\DR0\Partition1 - ok
19:52:18.0078 1488 Boot (0x1200) (4b82f3ac1926571f9d57caf0a325a277) \Device\Harddisk1\DR4\Partition0
19:52:18.0078 1488 \Device\Harddisk1\DR4\Partition0 - ok
19:52:18.0078 1488 ============================================================
19:52:18.0078 1488 Scan finished
19:52:18.0078 1488 ============================================================
19:52:18.0125 1476 Detected object count: 2
19:52:18.0125 1476 Actual detected object count: 2
19:52:38.0531 1476 Backup copy not found, trying to cure infected file..
19:52:38.0546 1476 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys - Cure failed (FFFFFFFF)
19:52:38.0546 1476 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys - processing error
19:52:50.0109 1476 MRxSmb ( Virus.Win32.ZAccess.l ) - User select action: Cure
19:52:50.0109 1476 sptd ( LockedFile.Multi.Generic ) - skipped by user
19:52:50.0109 1476 sptd ( LockedFile.Multi.Generic ) - User select action: Skip
Thanks in advance for your help,
Adrien
-
Good evening jumeaus,
We'll take a look at that.
Note: download the tools from a PC that is connected, then transfer them via USB stick, and the other way round for the reports.
1) Download ZeroAccessRemover (http://anywhere.webrootcloudav.com/antizeroaccess.exe) (from Webroot) to your desktop.
- Close all your windows, then double-click ZeroAccessRemover.exe to launch it.
(Vista/Windows 7 users: right-click -> "Run as administrator")
- A black command window appears to confirm the scan request; answer "Y" for "yes" and confirm with "Enter".
Two outcomes are possible at the end of the scan:
- The tool detects the infection and indicates that files are patched (red lines on screen); it will offer to start the cleaning, answer "Y" for "yes" and confirm with "Enter".
- The tool will work and you will see a "Cleaned" message appear; then press a key to let the PC restart.
- A report named "AntiZeroAccess_Log.txt" has been created on your desktop; copy and paste its contents in your next reply.
- If the tool detects nothing (only green lines), tell me.
2) Download MbrScan (http://security-x.fr/tools/download.php?f=MbrScan.exe) (by Eric71) to your desktop.
- Close all your windows, then double-click MbrScan.exe to launch it.
(Vista/Windows 7 users: right-click -> "Run as administrator")
- Click "report"; a text report will open, copy it to me in your next reply.
-
Hello Hyunkel30,
I will do the steps this evening and let you know the results.
In any case, thank you very much for your help,
Have a good day,
Jumeaus
-
Good evening Hyunkel30,
Here are the results of the various tools. The ZeroAccess rootkit seems to have been removed from the computer.
Webroot AntiZeroAccess 0.8 Log File
Execution time: 27/01/2012 - 20:48
Host operation System: Windows Xp X86 version 5.1.2600 Service Pack 3
20:48:30 - CheckSystem - Begin to check system...
20:48:30 - OpenRootDrive - Opening system root volume and physical drive....
20:48:30 - C Root Drive: Disk number: 0 Start sector: 0x00C02F10 Partition Size: 0x08E158F0 sectors.
20:48:30 - PrevX Main driver extracted in "C:\WINDOWS\system32\drivers\ZeroAccess.sys".
20:48:31 - InstallAndStartDriver - Unable to start AntiZeroAccess driver. StartService last error: 1084
20:48:44 - CheckFile - Unable to read "sptd.sys" file. CreateFile last eror: 0x00000020.
20:48:48 - StopAndRemoveDriver - AntiZeroAccess Driver is stopped and removed.
20:48:48 - StopAndRemoveDriver - File "ZeroAccess.sys" was deleted!
20:48:48 - Execution Ended!
However, during execution there is the following message:
Check file "sptd.sys"... Error!
but the report ends as follows:
Warning! One or more errors occurred!
Your system is not infected by ZeroAccess/Max++ Rootkit!
As for MBRScan, here is the result:
MBRScan v1.0.7
OS : Windows XP Home Service Pack 3 (32 bit)
PROCESSOR : x86 Family 6 Model 15 Stepping 2, CentaurHauls
BOOT : Safe Boot
DATE : 2012/01/27 (ISO 8601) at 20:55:46
________________________________________________________________________________
DISK : Device\Harddisk0\DR0 __SAMSUNG HM160HI (HH100-06)
BUS_TYPE : (0x03) P-ATA
USE_PIO : YES
MAX_TRANSFER : 128 Kb
ALIGNMENT_MASK : word aligned
________________________________________________________________________________
DISK : Device\Harddisk1\DR6 __TOSHIBA TransMemory (1.00)
BUS_TYPE : (0x07) USB
USE_PIO : NO
MAX_TRANSFER : 64 Kb
ALIGNMENT_MASK : byte aligned
________________________________________________________________________________
Device\Harddisk0\DR0 149.1 Go [Fixed] ==> Mebratix.B MBR Code
MBR_MD5 : BFFAA62AAB98BFCEEBC3C29A53835DA7
MBR_SHA1 : 5D37DECA12E138C6E7D3E07072B7FC44D39F4D4D
Device\Harddisk0\Partition1 6.01 Go 0x12 Diagnostic
Device\Harddisk0\Partition2 71.04 Go 0x07 NTFS / HPFS __ BOOTABLE __
Device\Harddisk0\Partition3 72.00 Go 0x07 NTFS / HPFS
________________________________________________________________________________
Device\Harddisk1\DR6 3.73 Go [Removable] ==> Unknown MBR Code
MBR_MD5 : 4B9ECF4DAEFE66FC56B17B7DAE09891E
MBR_SHA1 : C1804883F20E3ABC4A3DFED1733560B42A24D139
Device\Harddisk1\Partition1 3.73 Go
________________________________________________________________________________
_______MBR \Device\Harddisk0\DR0
_______MBR \Device\Harddisk1\DR6
Thanks in advance for your help,
Jumeaus
-
Re,
You still have an infected part.
Is your PC a branded PC or a custom build?
-
Re,
It's a Samsung laptop. If it's too much hassle, I'll back up the data and reinstall the OS.
Thanks in advance
-
Re,
That would not necessarily change anything, because it's a bootkit, so it's the MBR that is affected; depending on how the reinstall is done, it could still be there afterwards.
We'll try some tools that can handle that:
Download AswMBR (http://public.avast.com/~gmerek/aswMBR.exe) to your desktop.
- Double-click aswMBR.exe on your Desktop to launch it.
- Decline the update request.
- Click the Scan button and let the tool work.
- Click Save Log, save the report to the desktop and post its contents in your next reply.
-
Good evening,
Here is the result from aswMBR.exe.
aswMBR version 0.9.9.1532 Copyright(c) 2011 AVAST Software
Run date: 2012-01-28 01:19:12
-----------------------------
01:19:12.312 OS Version: Windows 5.1.2600 Service Pack 3
01:19:12.312 Number of processors: 1 586 0xF02
01:19:12.312 ComputerName: YOUR-5B36462D72 UserName: Monique
01:19:13.250 Initialize success
01:19:26.171 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
01:19:26.187 Disk 0 Vendor: SAMSUNG_HM160HI HH100-06 Size: 152627MB BusType: 3
01:19:26.218 Disk 0 MBR read successfully
01:19:26.218 Disk 0 MBR scan
01:19:26.234 Disk 0 unknown MBR code
01:19:26.250 Disk 0 Partition 1 00 12 Compaq diag NTFS 6149 MB offset 63
01:19:26.265 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 72747 MB offset 12594960
01:19:26.296 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 73729 MB offset 161581056
01:19:26.328 Disk 0 scanning sectors +312578048
01:19:26.437 Disk 0 scanning C:\WINDOWS\system32\drivers
01:19:38.671 Service scanning
01:19:42.828 Service sptd C:\WINDOWS\System32\Drivers\sptd.sys **LOCKED** 32
01:19:43.468 Modules scanning
01:19:46.390 Module: C:\WINDOWS\System32\Drivers\atapi.sys **SUSPICIOUS**
01:19:50.156 Module: C:\WINDOWS\System32\drivers\dxgthk.sys **SUSPICIOUS**
01:19:50.750 Disk 0 trace - called modules:
01:19:50.796 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys spjl.sys >>UNKNOWN [0x84b8e938]<<
01:19:50.843 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x84a77ab8]
01:19:50.890 3 CLASSPNP.SYS[f7723fd7] -> nt!IofCallDriver -> \Device\0000006d[0x84a9e910]
01:19:50.937 5 ACPI.sys[f7580620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x84a9ed98]
01:19:50.984 Scan finished successfully
01:20:09.296 Disk 0 MBR has been saved successfully to "E:\MBR.dat"
01:20:09.328 The log file has been saved successfully to "E:\aswMBR.txt"
The Fix button is greyed out but the FixMBR button is available. (I haven't clicked it yet and am waiting for your recommendations.)
Thanks in advance,
Jumeaus
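The helper's point above is that a bootkit lives in the MBR sector itself, outside any partition, and aswMBR's log shows what a scanner reads from that sector: the boot code (reported as "unknown MBR code") and the partition table. The following parser is an added example, not code from the thread or from any of the tools it mentions: it decodes a constructed 512-byte sector whose partition offsets and sizes are the ones aswMBR reported in the log, checks the 0x55AA signature, and compares an MD5 of the boot-code area against a caller-supplied baseline of known-clean loaders (which region the real tools hash is not stated in the thread and is an assumption here).

```python
import hashlib
import struct

# Partition types seen in the thread's aswMBR log, plus a few common ones.
PART_TYPES = {0x07: "HPFS/NTFS", 0x12: "Compaq diag", 0x0b: "FAT32", 0x0c: "FAT32 LBA"}

def _entry(boot_flag, ptype, lba_start, sectors):
    """Build one 16-byte partition entry; CHS fields are zeroed (scanners use LBA)."""
    return struct.pack("<B3sB3sII", boot_flag, b"\0\0\0", ptype, b"\0\0\0", lba_start, sectors)

# Constructed sector (not the disk image from the thread): placeholder boot code,
# the three partitions with the offsets/sizes aswMBR listed, an empty slot, 0x55AA.
SAMPLE_MBR = (
    b"\x33\xc0\x8e\xd8" + b"\x90" * 442          # boot-code stand-in, not real loader code
    + _entry(0x00, 0x12, 63, 12594897)           # diagnostic partition, 6149 MB
    + _entry(0x80, 0x07, 12594960, 148986096)    # active (bootable) NTFS partition
    + _entry(0x00, 0x07, 161581056, 150996992)   # second NTFS partition
    + _entry(0x00, 0x00, 0, 0)                   # unused slot
    + b"\x55\xaa"
)

def boot_code_md5(sector):
    """MD5 of bytes 0-439 only (assumption): the partition table differs per machine
    even when the loader code is the standard one, so it is left out of the hash."""
    return hashlib.md5(sector[:440]).hexdigest()

def classify_boot_code(sector, known_md5s):
    """'known' if the boot code matches a clean baseline, else 'unknown' (the state
    the tools in the thread report as 'unknown MBR code', which needs a closer look)."""
    return "known" if boot_code_md5(sector) in known_md5s else "unknown"

def parse_mbr(sector):
    """Validate the sector length and signature, decode the four partition entries."""
    if len(sector) != 512:
        raise ValueError("an MBR is exactly 512 bytes")
    partitions = []
    for i in range(4):
        boot_flag, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, 446 + 16 * i)
        if ptype == 0:
            continue  # empty slot
        partitions.append({
            "bootable": boot_flag == 0x80,
            "type": PART_TYPES.get(ptype, "unknown (0x%02x)" % ptype),
            "lba_start": lba_start,
            "size_mb": sectors * 512 // (1024 * 1024),  # MiB, the unit aswMBR prints
        })
    return {"signature_ok": sector[510:512] == b"\x55\xaa", "partitions": partitions}

if __name__ == "__main__":
    info = parse_mbr(SAMPLE_MBR)
    print("signature ok:", info["signature_ok"], "| boot code:", classify_boot_code(SAMPLE_MBR, set()))
    for n, p in enumerate(info["partitions"], 1):
        flag = "80 (A)" if p["bootable"] else "00"
        print("Partition %d %s %-12s %6d MB offset %d" % (n, flag, p["type"], p["size_mb"], p["lba_start"]))
```

RogueKiller's "6448 Mo" and aswMBR's "6149 MB" for the same partition differ only in unit (10^6 bytes versus MiB), not in content.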
-
Re,
Yes, you can run it again and click FixMBR, then follow the procedure.
You will be asked to restart.
Once that's done, run TDSSKiller again to see.
-
Hi,
Nothing happened after clicking FixMBR. If I run the scan again, aswMBR detects the same errors.
I ran TDSSKiller again. Its message is the same too:
.0171 1260 Scan finished
17:41:08.0171 1260 ============================================================
17:41:08.0203 1252 Detected object count: 2
17:41:08.0203 1252 Actual detected object count: 2
17:41:31.0406 1252 Backup copy not found, trying to cure infected file..
17:41:31.0406 1252 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys - Cure failed (FFFFFFFF)
17:41:31.0406 1252 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys - processing error
17:41:43.0000 1252 MRxSmb ( Virus.Win32.ZAccess.l ) - User select action: Cure
17:41:43.0015 1252 sptd ( LockedFile.Multi.Generic ) - skipped by user
17:41:43.0015 1252 sptd ( LockedFile.Multi.Generic ) - User select action: Skip
The cure of the file in question is ineffective.
Is there still hope?
Thanks again for your help.
Jumeaus
-
Salut,
I looked up how to get rid of Virus.Win32.ZAccess.l, and I managed it with Kaspersky Virus Removal Tool.
My PC seems to be working properly.
Thank you very much for your help.
Jumeaus
-
Re,
You may have had one, but not necessarily the MBR infection. Wait until we check.
Do another scan with MBRScan (the first tool), and copy me the report please.