Author Topic: help me! I want understand  (Read 10017 times)



yuri86

  • Guest
help me! I want understand
« on: July 22, 2014, 02:01:54 PM »

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 2 ¤¤¤
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Found

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ HOSTS File : 0 ¤¤¤

¤¤¤ Antirootkit : 88 (Driver: LOADED) ¤¤¤
[EAT:Addr] (explorer.exe) PortableDeviceApi.dll - WerAddExcludedApplication : C:\Windows\System32\wer.dll @ 0x71b79cda
[EAT:Addr] (explorer.exe) PortableDeviceApi.dll - WerRemoveExcludedApplication : C:\Windows\System32\wer.dll @ 0x71b79e1e
[EAT:Addr] (explorer.exe) PortableDeviceApi.dll - WerReportAddDump : C:\Windows\System32\wer.dll @ 0x71b60805
[EAT:Addr] (explorer.exe) PortableDeviceApi.dll - WerReportAddFile : C:\Windows\System32\wer.dll @ 0x71b79c25
[EAT:Addr] (explorer.exe) PortableDeviceApi.dll - WerReportCloseHandle : C:\Windows\System32\wer.dll @ 0x71b5a882
[EAT:Addr] (explorer.exe) PortableDeviceApi.dll - WerReportCreate : C:\Windows\System32\wer.dll @ 0x71b60b51
[EAT:Addr] (explorer.exe) PortableDeviceApi.dll - WerReportSetParameter : C:\Windows\System32\wer.dll @ 0x71b5e726
[EAT:Addr] (explorer.exe) PortableDeviceApi.dll - WerReportSetUIOption : C:\Windows\System32\wer.dll @ 0x71b6073d
[EAT:Addr] (explorer.exe) PortableDeviceApi.dll - WerReportSubmit : C:\Windows\System32\wer.dll @ 0x71b5b761
[EAT:Addr] (explorer.exe) PortableDeviceApi.dll - WerSysprepCleanup : C:\Windows\System32\wer.dll @ 0x71b79c4a
[EAT:Addr] (explorer.exe) PortableDeviceApi.dll - WerSysprepGeneralize : C:\Windows\System32\wer.dll @ 0x71b79f4a
[EAT:Addr] (explorer.exe) PortableDeviceApi.dll - WerSysprepSpecialize : C:\Windows\System32\wer.dll @ 0x71b79fca
[EAT:Addr] (explorer.exe) PortableDeviceApi.dll - WerUnattendedSetup : C:\Windows\System32\wer.dll @ 0x71b79fde
[EAT:Addr] (explorer.exe) PortableDeviceApi.dll - WerpAddAppCompatData : C:\Windows\System32\wer.dll @ 0x71b7c3a4
[EAT:Addr] (explorer.exe) PortableDeviceApi.dll - WerpAddFile : C:\Windows\System32\wer.dll @ 0x71b7ac8a
[EAT:Addr] (explorer.exe) PortableDeviceApi.dll - WerpAddMemoryBlock : C:\Windows\System32\wer.dll @ 0x71b7ad24
[EAT:Addr] (explorer.exe) PortableDeviceApi.dll - WerpAddRegisteredDataToReport : C:\Windows\System32\wer.dll @ 0x71b60e70
[EAT:Addr] (explorer.exe) PortableDeviceApi.dll - WerpAddSecondaryParameter : C:\Windows\System32\wer.dll @ 0x71b7b571
[EAT:Addr] (explorer.exe) PortableDeviceApi.dll - WerpAddTextToReport : C:\Windows\System32\wer.dll @ 0x71b7aef6
[EAT:Addr] (explorer.exe) PortableDeviceApi.dll - WerpArchiveReport : C:\Windows\System32\wer.dll @ 0x71b7ccfd
[EAT:Addr] (explorer.exe) PortableDeviceApi.dll - WerpCancelResponseDownload : C:\Windows\System32\wer.dll @ 0x71b7a6ae
[EAT:Addr] (explorer.exe) PortableDeviceApi.dll - WerpCancelUpload : C:\Windows\System32\wer.dll @ 0x71b7b30a
[EAT:Addr] (explorer.exe) PortableDeviceApi.dll - WerpCloseStore : C:\Windows\System32\wer.dll @ 0x71b57843
[EAT:Addr] (explorer.exe) PortableDeviceApi.dll - WerpCreateIntegratorReportId : C:\Windows\System32\wer.dll @ 0x71b60e01
[EAT:Addr] (explorer.exe) PortableDeviceApi.dll - WerpCreateMachineStore : C:\Windows\System32\wer.dll @ 0x71b6aaf4
[EAT:Addr] (explorer.exe) PortableDeviceApi.dll - WerpDeleteReport : C:\Windows\System32\wer.dll @ 0x71b7a4c7
[EAT:Addr] (explorer.exe) PortableDeviceApi.dll - WerpDestroyWerString : C:\Windows\System32\wer.dll @ 0x71b687a8
[EAT:Addr] (explorer.exe) PortableDeviceApi.dll - WerpDownloadResponse : C:\Windows\System32\wer.dll @ 0x71b681d1
[EAT:Addr] (explorer.exe) PortableDeviceApi.dll - WerpDownloadResponseTemplate : C:\Windows\System32\wer.dll @ 0x71b7c2f9
[EAT:Addr] (explorer.exe) PortableDeviceApi.dll - WerpEnumerateStoreNext : C:\Windows\System32\wer.dll @ 0x71b57a2b
[EAT:Addr] (explorer.exe) PortableDeviceApi.dll - WerpEnumerateStoreStart : C:\Windows\System32\wer.dll @ 0x71b579ef
[EAT:Addr] (explorer.exe) PortableDeviceApi.dll - WerpExtractReportFiles : C:\Windows\System32\wer.dll @ 0x71b7b4e3
[EAT:Addr] (explorer.exe) PortableDeviceApi.dll - WerpFreeString : C:\Windows\System32\wer.dll @ 0x71b63951
[EAT:Addr] (explorer.exe) PortableDeviceApi.dll - WerpGetBucketId : C:\Windows\System32\wer.dll @ 0x71b7a821
[EAT:Addr] (explorer.exe) PortableDeviceApi.dll - WerpGetBucketString : C:\Windows\System32\wer.dll @ 0x71b69ef9
[EAT:Addr] (explorer.exe) PortableDeviceApi.dll - WerpGetDynamicParameter : C:\Windows\System32\wer.dll @ 0x71b7ae2a
[EAT:Addr] (explorer.exe) PortableDeviceApi.dll - WerpGetEventType : C:\Windows\System32\wer.dll @ 0x71b7a51d
[EAT:Addr] (explorer.exe) PortableDeviceApi.dll - WerpGetFileByIndex : C:\Windows\System32\wer.dll @ 0x71b7abb6
[EAT:Addr] (explorer.exe) PortableDeviceApi.dll - WerpGetFilePathByIndex : C:\Windows\System32\wer.dll @ 0x71b7aa6f
[EAT:Addr] (explorer.exe) PortableDeviceApi.dll - WerpGetIntegratorReportId : C:\Windows\System32\wer.dll @ 0x71b7bb77
[EAT:Addr] (explorer.exe) PortableDeviceApi.dll - WerpGetLoadedModuleByIndex : C:\Windows\System32\wer.dll @ 0x71b7ab24
[EAT:Addr] (explorer.exe) PortableDeviceApi.dll - WerpGetNumFiles : C:\Windows\System32\wer.dll @ 0x71b7a97b
[EAT:Addr] (explorer.exe) PortableDeviceApi.dll - WerpGetNumLoadedModules : C:\Windows\System32\wer.dll @ 0x71b7aa0f
[EAT:Addr] (explorer.exe) PortableDeviceApi.dll - WerpGetNumSecParams : C:\Windows\System32\wer.dll @ 0x71b7a88a
[EAT:Addr] (explorer.exe) PortableDeviceApi.dll - WerpGetNumSigParams : C:\Windows\System32\wer.dll @ 0x71b7a57f
[EAT:Addr] (explorer.exe) PortableDeviceApi.dll - WerpGetReportConsent : C:\Windows\System32\wer.dll @ 0x71b7b1c5
[EAT:Addr] (explorer.exe) PortableDeviceApi.dll - WerpGetReportFinalConsent : C:\Windows\System32\wer.dll @ 0x71b7b2a8
[EAT:Addr] (explorer.exe) PortableDeviceApi.dll - WerpGetReportFlags : C:\Windows\System32\wer.dll @ 0x71b7b9d3
[EAT:Addr] (explorer.exe) PortableDeviceApi.dll - WerpGetReportInformation : C:\Windows\System32\wer.dll @ 0x71b7afec
[EAT:Addr] (explorer.exe) PortableDeviceApi.dll - WerpGetReportSettings : C:\Windows\System32\wer.dll @ 0x71b7bae7
[EAT:Addr] (explorer.exe) PortableDeviceApi.dll - WerpGetReportTime : C:\Windows\System32\wer.dll @ 0x71b7a707
[EAT:Addr] (explorer.exe) PortableDeviceApi.dll - WerpGetReportType : C:\Windows\System32\wer.dll @ 0x71b7b15c
[EAT:Addr] (explorer.exe) PortableDeviceApi.dll - WerpGetResponseId : C:\Windows\System32\wer.dll @ 0x71b697e7
[EAT:Addr] (explorer.exe) PortableDeviceApi.dll - WerpGetResponseUrl : C:\Windows\System32\wer.dll @ 0x71b69e85
[EAT:Addr] (explorer.exe) PortableDeviceApi.dll - WerpGetSecParamByIndex : C:\Windows\System32\wer.dll @ 0x71b7a8e7
[EAT:Addr] (explorer.exe) PortableDeviceApi.dll - WerpGetSigParamByIndex : C:\Windows\System32\wer.dll @ 0x71b7a5e1
[EAT:Addr] (explorer.exe) PortableDeviceApi.dll - WerpGetStoreLocation : C:\Windows\System32\wer.dll @ 0x71b64a43
[EAT:Addr] (explorer.exe) PortableDeviceApi.dll - WerpGetStorePath : C:\Windows\System32\wer.dll @ 0x71b56aaf
[EAT:Addr] (explorer.exe) PortableDeviceApi.dll - WerpGetStoreType : C:\Windows\System32\wer.dll @ 0x71b7b0bf
[EAT:Addr] (explorer.exe) PortableDeviceApi.dll - WerpGetTextFromReport : C:\Windows\System32\wer.dll @ 0x71b7af8e
[EAT:Addr] (explorer.exe) PortableDeviceApi.dll - WerpGetUIParamByIndex : C:\Windows\System32\wer.dll @ 0x71b7a649
[EAT:Addr] (explorer.exe) PortableDeviceApi.dll - WerpGetUploadTime : C:\Windows\System32\wer.dll @ 0x71b7a765
[EAT:Addr] (explorer.exe) PortableDeviceApi.dll - WerpGetWerStringData : C:\Windows\System32\wer.dll @ 0x71b68772
[EAT:Addr] (explorer.exe) PortableDeviceApi.dll - WerpGetWow64Process : C:\Windows\System32\wer.dll @ 0x71b7bd72
[EAT:Addr] (explorer.exe) PortableDeviceApi.dll - WerpIsDisabled : C:\Windows\System32\wer.dll @ 0x71b569cd
[EAT:Addr] (explorer.exe) PortableDeviceApi.dll - WerpIsTransportAvailable : C:\Windows\System32\wer.dll @ 0x71b6060a
[EAT:Addr] (explorer.exe) PortableDeviceApi.dll - WerpLaunchResponse : C:\Windows\System32\wer.dll @ 0x71b7bdd0
[EAT:Addr] (explorer.exe) PortableDeviceApi.dll - WerpLoadReport : C:\Windows\System32\wer.dll @ 0x71b69f82
[EAT:Addr] (explorer.exe) PortableDeviceApi.dll - WerpOpenMachineArchive : C:\Windows\System32\wer.dll @ 0x71b68790
[EAT:Addr] (explorer.exe) PortableDeviceApi.dll - WerpOpenMachineQueue : C:\Windows\System32\wer.dll @ 0x71b578ad
[EAT:Addr] (explorer.exe) PortableDeviceApi.dll - WerpOpenUserArchive : C:\Windows\System32\wer.dll @ 0x71b5ae39
[EAT:Addr] (explorer.exe) PortableDeviceApi.dll - WerpOpenUserQueue : C:\Windows\System32\wer.dll @ 0x71b57924
[EAT:Addr] (explorer.exe) PortableDeviceApi.dll - WerpPromtUser : C:\Windows\System32\wer.dll @ 0x71b7b1b5
[EAT:Addr] (explorer.exe) PortableDeviceApi.dll - WerpReportCancel : C:\Windows\System32\wer.dll @ 0x71b7ba5d
[EAT:Addr] (explorer.exe) PortableDeviceApi.dll - WerpRestartApplication : C:\Windows\System32\wer.dll @ 0x71b7c74b
[EAT:Addr] (explorer.exe) PortableDeviceApi.dll - WerpSetCallBack : C:\Windows\System32\wer.dll @ 0x71b60d4d
[EAT:Addr] (explorer.exe) PortableDeviceApi.dll - WerpSetDefaultUserConsent : C:\Windows\System32\wer.dll @ 0x71b7bbdf
[EAT:Addr] (explorer.exe) PortableDeviceApi.dll - WerpSetDynamicParameter : C:\Windows\System32\wer.dll @ 0x71b5d56d
[EAT:Addr] (explorer.exe) PortableDeviceApi.dll - WerpSetEventName : C:\Windows\System32\wer.dll @ 0x71b7b92d
[EAT:Addr] (explorer.exe) PortableDeviceApi.dll - WerpSetIntegratorReportId : C:\Windows\System32\wer.dll @ 0x71b60d99
[EAT:Addr] (explorer.exe) PortableDeviceApi.dll - WerpSetReportFlags : C:\Windows\System32\wer.dll @ 0x71b7b97f
[EAT:Addr] (explorer.exe) PortableDeviceApi.dll - WerpSetReportInformation : C:\Windows\System32\wer.dll @ 0x71b7b047
[EAT:Addr] (explorer.exe) PortableDeviceApi.dll - WerpSetReportTime : C:\Windows\System32\wer.dll @ 0x71b7a7c3
[EAT:Addr] (explorer.exe) PortableDeviceApi.dll - WerpSetReportUploadContextToken : C:\Windows\System32\wer.dll @ 0x71b7ada8
[EAT:Addr] (explorer.exe) PortableDeviceApi.dll - WerpShowUpsellUI : C:\Windows\System32\wer.dll @ 0x71b7ba4d
[EAT:Addr] (explorer.exe) PortableDeviceApi.dll - WerpSubmitReportFromStore : C:\Windows\System32\wer.dll @ 0x71b7bfd8
[EAT:Addr] (explorer.exe) PortableDeviceApi.dll - WerpSvcReportFromMachineQueue : C:\Windows\System32\wer.dll @ 0x71b7b6e5
[EAT:Addr] (explorer.exe) PortableDeviceApi.dll - WerpUpdateReportResponse : C:\Windows\System32\wer.dll @ 0x71b7be21

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST9120822AS ATA Device +++++
--- User ---
[MBR] 73071902b6ac90c52efb9bebf789ae8a
[BSP] 76baf7085090bcf31ae572d7abcfa15f : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 114371 MB
User = LL1 ... OK
User = LL2 ... OK



Tigzy

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 956
  • Reputation:
    91
  • Personal Text
    Owner, Adlice Software
« Reply #1 on: July 24, 2014, 10:50:34 AM »
Hello
Please use courtesy and ask a question.


yuri86

« Reply #2 on: July 24, 2014, 01:40:57 PM »
Hello
Excuse me. I was hoping you could help me understand the antirootkit results. Thanks.


Tigzy

« Reply #3 on: July 24, 2014, 02:08:55 PM »
Ok.
Looks like Wer.dll is the Windows Error Reporting DLL, and is legit.
It will be whitelisted for next release.


yuri86

« Reply #4 on: July 25, 2014, 10:10:36 AM »
Hello
Thanks Tigzy for the reply. I would also like to know what 'driver loaded' means, because I never loaded this driver or this software, wer.dll?
And what does wer.dll do?
And what does EAT explorer.exe (hook.IEAT) mean?
Finally, am I infected?
Thanks in advance for your attention


Tigzy

« Reply #5 on: July 28, 2014, 11:34:38 AM »
1/ Driver loaded means that RogueKiller's driver has been loaded into memory
2/ No idea, wer.dll is a Microsoft DLL, it is most likely useful.
3/ IAT/EAT hook: http://0vercl0k.blogspot.fr/2007/11/api-hooking-iat-patching.html
4/ Probably not.
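The EAT check that produced the "[EAT:Addr]" lines above, as an added example in Python (it is not part of this thread and not RogueKiller's code). An anti-rootkit walks a module's export table in process memory and expects every named export to resolve to an address inside that module; an entry that resolves somewhere else is reported as "module - Export : owner @ address", exactly the shape of the log lines. The IMAGE_EXPORT_DIRECTORY layout and the forwarder rule used here are the real PE ones: a function RVA that falls inside the export data directory is not code but a "dll.func" string, which the loader follows into another DLL. That is the one legitimate reason for an export to resolve outside its own module, and a scanner that does not special-case it reports every forwarded export as a hook. Everything else is constructed: the two modules, their load addresses and sizes, the export name PdaLocalFunction, and the hook address; the wer.dll base and RVA are picked only so the forwarded export resolves to the WerReportCreate address shown in the log.

```python
import struct
from dataclasses import dataclass

# IMAGE_EXPORT_DIRECTORY, real PE layout (40 bytes, LE): Characteristics, TimeDateStamp,
# Major/MinorVersion, Name, Base, NumberOfFunctions, NumberOfNames, AddressOfFunctions,
# AddressOfNames, AddressOfNameOrdinals
EXPORT_DIR_FMT = "<IIHHIIIIIII"
EXPORT_DIR_SIZE = struct.calcsize(EXPORT_DIR_FMT)

@dataclass
class Module:
    name: str
    base: int          # load address
    size: int          # SizeOfImage
    image: bytearray   # constructed in-memory image, index == RVA (no PE headers built)
    export_rva: int    # DataDirectory[EXPORT].VirtualAddress
    export_size: int   # DataDirectory[EXPORT].Size

def build_module(name, base, size, export_rva, exports):
    """Constructed module; exports = [(name, int RVA in this module | 'dll.func' forwarder)]."""
    img, n = bytearray(size), len(exports)
    funcs_rva = export_rva + EXPORT_DIR_SIZE
    names_rva, ords_rva = funcs_rva + 4 * n, funcs_rva + 8 * n
    cursor = ords_rva + 2 * n                   # strings follow the three tables

    def put_str(s):
        nonlocal cursor
        rva, data = cursor, s.encode("ascii") + b"\0"
        img[rva:rva + len(data)] = data
        cursor += len(data)
        return rva

    for i, (ename, target) in enumerate(exports):
        struct.pack_into("<I", img, names_rva + 4 * i, put_str(ename))
        struct.pack_into("<H", img, ords_rva + 2 * i, i)
        # a forwarder's "function RVA" points at a string inside the export directory
        func_rva = put_str(target) if isinstance(target, str) else target
        struct.pack_into("<I", img, funcs_rva + 4 * i, func_rva)
    struct.pack_into(EXPORT_DIR_FMT, img, export_rva, 0, 0, 0, 0, put_str(name), 1,
                     n, n, funcs_rva, names_rva, ords_rva)
    return Module(name, base, size, img, export_rva, cursor - export_rva)

def read_cstr(img, rva):
    return img[rva:img.index(b"\0", rva)].decode("ascii")

def owner_of(addr, loaded):
    return next((m.name for m in loaded if m.base <= addr < m.base + m.size), "<no module>")

def _entries(mod):
    """Yield (export_name, slot_rva); slot_rva is the export's cell in AddressOfFunctions."""
    hdr = struct.unpack_from(EXPORT_DIR_FMT, mod.image, mod.export_rva)
    nnames, funcs_rva, names_rva, ords_rva = hdr[7], hdr[8], hdr[9], hdr[10]
    for i in range(nnames):
        name_rva = struct.unpack_from("<I", mod.image, names_rva + 4 * i)[0]
        ordinal = struct.unpack_from("<H", mod.image, ords_rva + 2 * i)[0]
        yield read_cstr(mod.image, name_rva), funcs_rva + 4 * ordinal

def scan_exports(mod, loaded):
    """The 'EAT:Addr' check: every named export must resolve inside its own module.
    A forwarder (RVA inside the export directory, naming dll.func) is reported, not flagged."""
    results = []
    for ename, slot in _entries(mod):
        func_rva = struct.unpack_from("<I", mod.image, slot)[0]
        if mod.export_rva <= func_rva < mod.export_rva + mod.export_size:
            results.append((ename, "FORWARDED", read_cstr(mod.image, func_rva)))
            continue
        addr = (mod.base + func_rva) & 0xFFFFFFFF      # 32-bit process, as in the log
        inside = mod.base <= addr < mod.base + mod.size
        results.append((ename, "OK" if inside else "EAT:Addr",
                        f"{mod.name if inside else owner_of(addr, loaded)} @ {addr:#010x}"))
    return results

def resolve_forwarder(target, loaded):
    """Follow a 'dll.func' forwarder to the real export, as the loader does."""
    dll, func = target.split(".", 1)
    for m in loaded:
        if m.name.lower() == dll.lower() + ".dll":
            for ename, verdict, detail in scan_exports(m, loaded):
                if ename == func and verdict == "OK":
                    return detail
    return None

def hook_export(mod, export_name, new_addr):
    """What an in-process EAT hook does: overwrite the RVA so export lookups return new_addr."""
    for ename, slot in _entries(mod):
        if ename == export_name:
            struct.pack_into("<I", mod.image, slot, (new_addr - mod.base) & 0xFFFFFFFF)
            return True
    return False

def demo():
    # Constructed modules: bases/RVAs are illustrative, chosen so the forwarded export
    # resolves to the address the log shows for WerReportCreate. PdaLocalFunction is made up.
    wer = build_module("wer.dll", 0x71B50000, 0x40000, 0x1000, [("WerReportCreate", 0x10B51)])
    pda = build_module("PortableDeviceApi.dll", 0x6F000000, 0x30000, 0x2000,
                       [("PdaLocalFunction", 0x4000), ("WerReportCreate", "wer.WerReportCreate")])
    loaded = [wer, pda]
    clean = scan_exports(pda, loaded)
    hook_export(pda, "PdaLocalFunction", 0x00B20000)   # a real hook: code backed by no module
    return {"clean": clean,
            "forwarder_target": resolve_forwarder(clean[1][2], loaded),
            "hooked": scan_exports(pda, loaded)}
```

Running demo() gives two pictures of the same module. Before the hook, PdaLocalFunction resolves inside PortableDeviceApi.dll and WerReportCreate is reported as a forwarder to wer.WerReportCreate, which the loader resolves to wer.dll @ 0x71b60b51; a scanner without the forwarder branch would print that as "PortableDeviceApi.dll - WerReportCreate : wer.dll @ 0x71b60b51", the pattern every flagged line in the log follows. After the hook, PdaLocalFunction resolves to an address that belongs to no loaded module, which is what a genuine EAT hook looks like. On a live system the same walk runs over the process's mapped image, the loaded-module list comes from the process itself, and the quick way to confirm a forwarder is to compare the in-memory export directory with the one in the DLL file on disk: a forwarder is present in both, a hook only in memory.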


yuri86

« Reply #6 on: July 29, 2014, 10:32:04 AM »
Hello
Thanks Tigzy for the reply.
But I don't understand, because the ''88 driver loaded'' in the rootkit section are marked in orange; are they legitimate?
Wer.dll is Microsoft's, and it uses this technology to create dump files (with all the information about the RAM) to understand the reason for crashes and problems on the computer.
Could it be malware/a hacker using this (Microsoft) technology to take information?
Sorry for my poor French
Thanks in advance for your attention



Tigzy

« Reply #7 on: July 29, 2014, 02:58:19 PM »
No, no worries, it's just a legitimate DLL that hooks into a process to filter calls.


yuri86

« Reply #8 on: July 29, 2014, 05:50:32 PM »
Ok
Many thanks
It's nice to have someone who explains things to you that you can't manage to understand on your own.
Compliments on the forum!