Author Topic: Rootkits found, what to do?  (Read 5953 times)


jjmig
Rootkits found, what to do?
« on: May 16, 2015, 01:11:09 PM »
Hello!
For a few days now I have sometimes been finding rootkits in the scan, I don't know whether it's legitimate?
Can you help me?
Here is the report:
Système d'exploitation : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Démarré en  : Mode normal
Utilisateur : Valérie [Administrateur]
Démarré depuis : C:\Users\Valérie\Desktop\RogueKillerX64.exe
Mode : Scan -- Date : 05/16/2015  13:04:14

¤¤¤ Processus : 0 ¤¤¤

¤¤¤ Registre : 0 ¤¤¤

¤¤¤ Tâches : 0 ¤¤¤

¤¤¤ Fichiers : 0 ¤¤¤

¤¤¤ Fichier Hosts : 0 ¤¤¤

¤¤¤ Antirootkit : 91 (Driver: Chargé) ¤¤¤
[IAT:Inl(Hook.IEAT)] (explorer.exe) ADVAPI32.dll - RegCreateKeyW : Unknown @ 0xffffffffed160217 (call 0xffffffffeb2f0216)
[IAT:Inl(Hook.IEAT)] (explorer.exe) kernel32.dll - DelayLoadFailureHook : Unknown @ 0xffffffffed160217 (call 0xffffffffeb2f0216)
[IAT:Inl(Hook.IEAT)] (explorer.exe) GDI32.dll - GetRgnBox : Unknown @ 0xffffffffed160217 (call 0xffffffffeb2f0216)
[IAT:Inl(Hook.IEAT)] (explorer.exe) USER32.dll - CopyRect : Unknown @ 0xffffffffed160217 (call 0xffffffffeb2f0216)
[IAT:Inl(Hook.IEAT)] (explorer.exe) msvcrt.dll - iswalpha : Unknown @ 0xffffffffed160217 (call 0xffffffffeb2f0216)
[IAT:Inl(Hook.IEAT)] (explorer.exe) ntdll.dll - WinSqmSetString : Unknown @ 0xffffffffed160217 (call 0xffffffffeb2f0216)
[IAT:Inl(Hook.IEAT)] (explorer.exe) SHLWAPI.dll - StrStrIW : Unknown @ 0xffffffffed160217 (call 0xffffffffeb2f0216)
[IAT:Inl(Hook.IEAT)] (explorer.exe) SHELL32.dll - SHCreateDataObject : Unknown @ 0xffffffffed160217 (call 0xffffffffeb2f0216)
[IAT:Inl(Hook.IEAT)] (explorer.exe) ole32.dll - CoInitializeEx : Unknown @ 0xffffffffed160217 (call 0xffffffffeb2f0216)
[IAT:Inl(Hook.IEAT)] (explorer.exe) UxTheme.dll - GetThemeBackgroundExtent : Unknown @ 0xffffffffed160217 (call 0xffffffffeb2f0216)
[IAT:Inl(Hook.IEAT)] (explorer.exe) POWRPROF.dll - CallNtPowerInformation : Unknown @ 0xffffffffed160217 (call 0xffffffffeb2f0216)
[IAT:Inl(Hook.IEAT)] (explorer.exe) dwmapi.dll - DwmEnableBlurBehindWindow : Unknown @ 0xffffffffed160217 (call 0xffffffffeb2f0216)
[IAT:Inl(Hook.IEAT)] (explorer.exe) slc.dll - SLGetWindowsInformationDWORD : Unknown @ 0xffffffffed160217 (call 0xffffffffeb2f0216)
[IAT:Inl(Hook.IEAT)] (explorer.exe) gdiplus.dll - GdipSetInterpolationMode : Unknown @ 0xffffffffed160217 (call 0xffffffffeb2f0216)
[IAT:Inl(Hook.IEAT)] (explorer.exe) Secur32.dll - GetUserNameExW : Unknown @ 0xffffffffed160217 (call 0xffffffffeb2f0216)
[IAT:Inl(Hook.IEAT)] (explorer.exe) RPCRT4.dll - NdrClientCall3 : Unknown @ 0xffffffffed160217 (call 0xffffffffeb2f0216)
[IAT:Inl(Hook.IEAT)] (explorer.exe) PROPSYS.dll - PSCreateMemoryPropertyStore : Unknown @ 0xffffffffed160217 (call 0xffffffffeb2f0216)
[IAT:Inl(Hook.IEAT)] (explorer.exe) WINMM.dll - PlaySoundW : Unknown @ 0xffffffffed160217 (call 0xffffffffeb2f0216)
[IAT:Inl(Hook.IEAT)] (explorer.exe) CFGMGR32.dll - CM_Request_Eject_PC : Unknown @ 0xffffffffed160217 (call 0xffffffffeb2f0216)
[IAT:Inl(Hook.IEAT)] (explorer.exe) WINSTA.dll - WinStationSetInformationW : Unknown @ 0xffffffffed160217 (call 0xffffffffeb2f0216)
[IAT:Inl(Hook.IEAT)] (explorer.exe) OLEACC.dll - CreateStdAccessibleProxyW : Unknown @ 0xffffffffed160217 (call 0xffffffffeb2f0216)
[IAT:Inl(Hook.IEAT)] (explorer.exe) DUI70.dll - UnInitProcessPriv : Unknown @ 0xffffffffed160217 (call 0xffffffffeb2f0216)
[IAT:Inl(Hook.IEAT)] (explorer.exe) netutils.dll - NetApiBufferFree : Unknown @ 0xffffffffed160217 (call 0xffffffffeb2f0216)
[IAT:Inl(Hook.IEAT)] (explorer.exe) wkscli.dll - NetGetJoinInformation : Unknown @ 0xffffffffed160217 (call 0xffffffffeb2f0216)
[IAT:Inl(Hook.IEAT)] (explorer.exe) KERNELBASE.dll - BaseReleaseProcessExePath : Unknown @ 0xffffffffed160217 (call 0xffffffffeb2f0216)
[IAT:Inl(Hook.IEAT)] (explorer.exe) CRYPTSP.dll - CryptSetProvParam : Unknown @ 0xffffffffed160217 (call 0xffffffffeb2f0216)
[IAT:Inl(Hook.IEAT)] (explorer.exe) WINTRUST.dll - WinVerifyTrust : Unknown @ 0xffffffffed160217 (call 0xffffffffeb2f0216)
[IAT:Inl(Hook.IEAT)] (explorer.exe) SSPICLI.DLL - LogonUserExExW : Unknown @ 0xffffffffed160217 (call 0xffffffffeb2f0216)
[IAT:Inl(Hook.IEAT)] (explorer.exe) CRYPTBASE.dll - SystemFunction004 : Unknown @ 0xffffffffed160217 (call 0xffffffffeb2f0216)
[IAT:Inl(Hook.IEAT)] (explorer.exe) WS2_32.dll - WSASocketW : Unknown @ 0xffffffffed160217 (call 0xffffffffeb2f0216)
[IAT:Inl(Hook.IEAT)] (explorer.exe) IPHLPAPI.DLL - GetBestRoute2 : Unknown @ 0xffffffffed160217 (call 0xffffffffeb2f0216)
[IAT:Inl(Hook.IEAT)] (explorer.exe) LPK.dll - LpkGetCharacterPlacement : Unknown @ 0xffffffffed160217 (call 0xffffffffeb2f0216)
[IAT:Inl(Hook.IEAT)] (explorer.exe) USP10.dll - ScriptRecordDigitSubstitution : Unknown @ 0xffffffffed160217 (call 0xffffffffeb2f0216)
[IAT:Inl(Hook.IEAT)] (explorer.exe) MPR.dll - WNetGetResourceInformationA : Unknown @ 0xffffffffed160217 (call 0xffffffffeb2f0216)
[IAT:Inl(Hook.IEAT)] (explorer.exe) urlmon.dll - CreateFormatEnumerator : Unknown @ 0xffffffffed160217 (call 0xffffffffeb2f0216)
[IAT:Inl(Hook.IEAT)] (explorer.exe) apphelp.dll - ApphelpCheckShellObject : Unknown @ 0xffffffffed160217 (call 0xffffffffeb2f0216)
[IAT:Inl(Hook.IEAT)] (explorer.exe) CRYPT32.dll - CertCloseStore : Unknown @ 0xffffffffed160217 (call 0xffffffffeb2f0216)
[IAT:Inl(Hook.IEAT)] (explorer.exe) SETUPAPI.dll - SetupDiGetClassDevsW : Unknown @ 0xffffffffed160217 (call 0xffffffffeb2f0216)
[IAT:Inl(Hook.IEAT)] (explorer.exe) USERENV.dll - ExpandEnvironmentStringsForUserW : Unknown @ 0xffffffffed160217 (call 0xffffffffeb2f0216)
[IAT:Inl(Hook.IEAT)] (explorer.exe) version.DLL - GetFileVersionInfoA : Unknown @ 0xffffffffed160217 (call 0xffffffffeb2f0216)
[IAT:Inl(Hook.IEAT)] (explorer.exe) WININET.dll - CreateUrlCacheEntryW : Unknown @ 0xffffffffed160217 (call 0xffffffffeb2f0216)
[IAT:Inl(Hook.IEAT)] (explorer.exe) samcli.dll - NetUserGetInfo : Unknown @ 0xffffffffed160217 (call 0xffffffffeb2f0216)
[IAT:Inl(Hook.IEAT)] (explorer.exe) srvcli.dll - NetServerGetInfo : Unknown @ 0xffffffffed160217 (call 0xffffffffeb2f0216)
[IAT:Inl(Hook.IEAT)] (explorer.exe) cscapi.dll - OfflineFilesQueryStatus : Unknown @ 0xffffffffed160217 (call 0xffffffffeb2f0216)
[IAT:Inl(Hook.IEAT)] (explorer.exe) ntshrui.dll - GetNetResourceFromLocalPathW : Unknown @ 0xffffffffed160217 (call 0xffffffffeb2f0216)
[IAT:Inl(Hook.IEAT)] (explorer.exe) LINKINFO.dll - IsValidLinkInfo : Unknown @ 0xffffffffed160217 (call 0xffffffffeb2f0216)
[IAT:Inl(Hook.IEAT)] (explorer.exe) DUser.dll - ForwardGadgetMessage : Unknown @ 0xffffffffed160217 (call 0xffffffffeb2f0216)
[IAT:Inl(Hook.IEAT)] (explorer.exe) WindowsCodecs.dll - WICConvertBitmapSource : Unknown @ 0xffffffffed160217 (call 0xffffffffeb2f0216)
[IAT:Inl(Hook.IEAT)] (explorer.exe) IMM32.dll - ImmGetDefaultIMEWnd : Unknown @ 0xffffffffed160217 (call 0xffffffffeb2f0216)
[IAT:Inl(Hook.IEAT)] (explorer.exe) XmlLite.dll - CreateXmlReader : Unknown @ 0xffffffffed160217 (call 0xffffffffeb2f0216)
[IAT:Inl(Hook.IEAT)] (explorer.exe) CLBCatQ.DLL - GetCatalogObject : Unknown @ 0xffffffffed160217 (call 0xffffffffeb2f0216)
[IAT:Inl(Hook.IEAT)] (explorer.exe) OLEAUT32.dll - BSTR_UserSize64 : Unknown @ 0xffffffffed160217 (call 0xffffffffeb2f0216)
[IAT:Inl(Hook.IEAT)] (explorer.exe) wer.dll - WerReportAddDump : Unknown @ 0xffffffffed160217 (call 0xffffffffeb2f0216)
[IAT:Inl(Hook.IEAT)] (explorer.exe) MSCTF.dll - CtfImeProcessCicHotkey : Unknown @ 0xffffffffed160217 (call 0xffffffffeb2f0216)
[IAT:Inl(Hook.IEAT)] (explorer.exe) DEVOBJ.dll - DevObjOpenDeviceInterface : Unknown @ 0xffffffffed160217 (call 0xffffffffeb2f0216)
[IAT:Inl(Hook.IEAT)] (explorer.exe) DEVRTL.dll - DevRtlGetThreadLogToken : Unknown @ 0xffffffffed160217 (call 0xffffffffeb2f0216)
[IAT:Inl(Hook.IEAT)] (explorer.exe) WINSPOOL.DRV - GetPrinterDriverDirectoryW : Unknown @ 0xffffffffed160217 (call 0xffffffffeb2f0216)
[IAT:Inl(Hook.IEAT)] (explorer.exe) HID.DLL - HidP_GetUsages : Unknown @ 0xffffffffed160217 (call 0xffffffffeb2f0216)
[IAT:Inl(Hook.IEAT)] (explorer.exe) comctl32.dll - InitCommonControlsEx : Unknown @ 0xffffffffed160217 (call 0xffffffffeb2f0216)
[IAT:Inl(Hook.IEAT)] (explorer.exe) SAMLIB.dll - SamGetMembersInAlias : Unknown @ 0xffffffffed160217 (call 0xffffffffeb2f0216)
[IAT:Inl(Hook.IEAT)] (explorer.exe) CRYPTUI.dll - CryptUIDlgViewSignerInfoW : Unknown @ 0xffffffffed160217 (call 0xffffffffeb2f0216)
[IAT:Inl(Hook.IEAT)] (explorer.exe) WTSAPI32.dll - WTSQuerySessionInformationW : Unknown @ 0xffffffffed160217 (call 0xffffffffeb2f0216)
[IAT:Inl(Hook.IEAT)] (explorer.exe) MSASN1.dll - ASN1BEREncEndOfContents : Unknown @ 0xffffffffed160217 (call 0xffffffffeb2f0216)
[IAT:Inl(Hook.IEAT)] (explorer.exe) api-ms-win-downlevel-ole32-l1-1-0.dll - CLSIDFromString : Unknown @ 0xffffffffed160217 (call 0xffffffffeb2f0216)
[IAT:Inl(Hook.IEAT)] (explorer.exe) api-ms-win-downlevel-shlwapi-l1-1-0.dll - PathGetDriveNumberW : Unknown @ 0xffffffffed160217 (call 0xffffffffeb2f0216)
[IAT:Inl(Hook.IEAT)] (explorer.exe) api-ms-win-downlevel-advapi32-l1-1-0.dll - RegSetValueExW : Unknown @ 0xffffffffed160217 (call 0xffffffffeb2f0216)
[IAT:Inl(Hook.IEAT)] (explorer.exe) api-ms-win-downlevel-user32-l1-1-0.dll - CharPrevA : Unknown @ 0xffffffffed160217 (call 0xffffffffeb2f0216)
[IAT:Inl(Hook.IEAT)] (explorer.exe) api-ms-win-downlevel-version-l1-1-0.dll - GetFileVersionInfoExW : Unknown @ 0xffffffffed160217 (call 0xffffffffeb2f0216)
[IAT:Inl(Hook.IEAT)] (explorer.exe) api-ms-win-downlevel-normaliz-l1-1-0.dll - IdnToAscii : Unknown @ 0xffffffffed160217 (call 0xffffffffeb2f0216)
[IAT:Inl(Hook.IEAT)] (explorer.exe) iertutil.dll - IsStringProperty : Unknown @ 0xffffffffed160217 (call 0xffffffffeb2f0216)
[IAT:Inl(Hook.IEAT)] (explorer.exe) api-ms-win-downlevel-shlwapi-l2-1-0.dll - IStream_Reset : Unknown @ 0xffffffffed160217 (call 0xffffffffeb2f0216)
[IAT:Inl(Hook.IEAT)] (explorer.exe) api-ms-win-downlevel-advapi32-l2-1-0.dll - ConvertStringSecurityDescriptorToSecurityDescriptorW : Unknown @ 0xffffffffed160217 (call 0xffffffffeb2f0216)
[IAT:Inl(Hook.IEAT)] (explorer.exe) dhcpcsvc.DLL - DhcpRequestParams : Unknown @ 0xffffffffed160217 (call 0xffffffffeb2f0216)
[IAT:Inl(Hook.IEAT)] (explorer.exe) ksuser.dll - KsCreatePin : Unknown @ 0xffffffffed160217 (call 0xffffffffeb2f0216)
[IAT:Inl(Hook.IEAT)] (explorer.exe) AVRT.dll - AvSetMmThreadPriority : Unknown @ 0xffffffffed160217 (call 0xffffffffeb2f0216)
[IAT:Inl(Hook.IEAT)] (explorer.exe) BatMeter.dll - IsBatteryLevelLow : Unknown @ 0xffffffffed160217 (call 0xffffffffeb2f0216)
[IAT:Inl(Hook.IEAT)] (explorer.exe) MSACM32.dll - acmStreamSize : Unknown @ 0xffffffffed160217 (call 0xffffffffeb2f0216)
[IAT:Inl(Hook.IEAT)] (explorer.exe) shdocvw.dll - DllRegisterWindowClasses : Unknown @ 0xffffffffed160217 (call 0xffffffffeb2f0216)
[IAT:Inl(Hook.IEAT)] (explorer.exe) nlaapi.dll - NlaCloseQuery : Unknown @ 0xffffffffed160217 (call 0xffffffffeb2f0216)
[IAT:Inl(Hook.IEAT)] (explorer.exe) Wlanapi.dll - WlanOpenHandle : Unknown @ 0xffffffffed160217 (call 0xffffffffeb2f0216)
[IAT:Inl(Hook.IEAT)] (explorer.exe) wlanutil.dll - WlanSsidToDisplayName : Unknown @ 0xffffffffed160217 (call 0xffffffffeb2f0216)
[IAT:Inl(Hook.IEAT)] (explorer.exe) NSI.dll - NsiSetParameter : Unknown @ 0xffffffffed160217 (call 0xffffffffeb2f0216)
[IAT:Inl(Hook.IEAT)] (explorer.exe) WINNSI.DLL - NsiRpcDeregisterChangeNotification : Unknown @ 0xffffffffed160217 (call 0xffffffffeb2f0216)
[IAT:Inl(Hook.IEAT)] (explorer.exe) dhcpcsvc6.DLL - Dhcpv6QueryLeaseInfo : Unknown @ 0xffffffffed160217 (call 0xffffffffeb2f0216)
[IAT:Inl(Hook.IEAT)] (explorer.exe) QUtil.dll - FreeIsolationInfo : Unknown @ 0xffffffffed160217 (call 0xffffffffeb2f0216)
[IAT:Inl(Hook.IEAT)] (explorer.exe) wevtapi.dll - EvtSubscribe : Unknown @ 0xffffffffed160217 (call 0xffffffffeb2f0216)
[IAT:Inl(Hook.IEAT)] (explorer.exe) FXSAPI.dll - FaxAccessCheckEx : Unknown @ 0xffffffffed160217 (call 0xffffffffeb2f0216)
[IAT:Inl(Hook.IEAT)] (explorer.exe) wwapi.dll - WwanRegister : Unknown @ 0xffffffffed160217 (call 0xffffffffeb2f0216)
[IAT:Inl(Hook.IEAT)] (explorer.exe) WSCAPI.dll - WscRegisterForChanges : Unknown @ 0xffffffffed160217 (call 0xffffffffeb2f0216)
[IAT:Inl(Hook.IEAT)] (explorer.exe) wercplsupport.dll - WerComGetAdminStores : Unknown @ 0xffffffffed160217 (call 0xffffffffeb2f0216)
[IAT:Inl(Hook.IEAT)] (explorer.exe) api-ms-win-downlevel-shell32-l1-1-0.dll - SetCurrentProcessExplicitAppUserModelID : Unknown @ 0xffffffffed160217 (call 0xffffffffeb2f0216)

¤¤¤ Navigateurs web : 0 ¤¤¤

¤¤¤ Vérification MBR : ¤¤¤
+++++ PhysicalDrive0: Hitachi HTS547550A9E384 +++++
--- User ---
[MBR] 64e4db3452f27c4a32873fa392ed7e5c
[BSP] db72436dae6851f801c9cb932f4323a9 : Kiwi MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 452246 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 926406656 | Size: 24593 MB
User = LL1 ... OK
User = LL2 ... OK

Thanks for your help

jjmig
Re: Rootkits found, what to do?
« Reply #1 on: May 17, 2015, 08:37:01 PM »
Hello again!
Actually, since last night it no longer shows up in several RogueKiller scans!
Thanks anyway for keeping me informed.

Curson
Re: Rootkits found, what to do?
« Reply #2 on: May 20, 2015, 12:45:43 AM »
Good evening jjmig,

Welcome to the Adlice forum.
Could you download the latest version of RogueKiller, run a new scan and copy/paste the resulting report in your next reply?

Best regards.

Note: For clarity, this thread has been moved to the "RogueKiller" section of the forum.

jjmig
Re: Rootkits found, what to do?
« Reply #3 on: May 20, 2015, 01:06:04 PM »
Here is the new report:
RogueKiller V10.6.5.0 (x64) [May 20 2015] par Adlice Software
email : http://www.adlice.com/contact/
Remontées : http://forum.adlice.com
Site web : http://www.adlice.com/fr/logiciels/roguekiller/
Blog : http://www.adlice.com

Système d'exploitation : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Démarré en  : Mode normal
Utilisateur : Valérie [Administrateur]
Démarré depuis : C:\Users\Valérie\Desktop\RogueKillerX64.exe
Mode : Scan -- Date : 05/20/2015  13:05:06

¤¤¤ Processus : 0 ¤¤¤

¤¤¤ Registre : 0 ¤¤¤

¤¤¤ Tâches : 0 ¤¤¤

¤¤¤ Fichiers : 0 ¤¤¤

¤¤¤ Fichier Hosts : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Chargé) ¤¤¤

¤¤¤ Navigateurs web : 0 ¤¤¤

¤¤¤ Vérification MBR : ¤¤¤
+++++ PhysicalDrive0: Hitachi HTS547550A9E384 +++++
--- User ---
[MBR] 64e4db3452f27c4a32873fa392ed7e5c
[BSP] db72436dae6851f801c9cb932f4323a9 : Kiwi MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 452246 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 926406656 | Size: 24593 MB
User = LL1 ... OK
User = LL2 ... OK

Indeed, it no longer shows up. Why?
Regards

Curson
Re: Rootkits found, what to do?
« Reply #4 on: May 21, 2015, 12:50:39 AM »
Good evening jjmig,

It was most likely a temporary hook and, in all likelihood, a legitimate one.
The report is clean. If you have any other questions, don't hesitate.

Best regards.
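A small triage helper for the "Antirootkit" section of a RogueKiller report, added here as an example (it is not code from the thread or from Adlice). It groups the hooked imports by process and by the address they were redirected to: in the first report above, all 91 entries in explorer.exe point at the same address, which is what you would expect from one injected module (a temporary, possibly legitimate hook, as the moderator reads it) rather than from 91 independent hooks. The line format is inferred from the report quoted in this thread; the sample below is a constructed excerpt of three lines copied from it.

```python
import re
from collections import defaultdict

# Shape of an IAT/EAT hook line in the RogueKiller "Antirootkit" section,
# as it appears in the report quoted in this thread (format assumed from it):
# [IAT:Inl(Hook.IEAT)] (proc) module - func : owner @ 0xaddr (call 0xaddr)
HOOK_RE = re.compile(
    r"^\[(?P<kind>[^\]]+)\]\s+\((?P<process>[^)]+)\)\s+"
    r"(?P<module>\S+)\s+-\s+(?P<func>\S+)\s+:\s+(?P<owner>\S+)\s+@\s+"
    r"(?P<addr>0x[0-9a-fA-F]+)(?:\s+\(call\s+(?P<call>0x[0-9a-fA-F]+)\))?"
)

def parse_hooks(report: str):
    """Return one dict per hook line; section headers and other lines are ignored."""
    hooks = []
    for line in report.splitlines():
        m = HOOK_RE.match(line.strip())
        if m:
            hooks.append(m.groupdict())
    return hooks

def summarize(report: str):
    """Map (process, hook address) -> sorted list of 'module!function' it covers."""
    by_target = defaultdict(list)
    for h in parse_hooks(report):
        by_target[(h["process"], h["addr"])].append(f'{h["module"]}!{h["func"]}')
    return {key: sorted(funcs) for key, funcs in by_target.items()}

def triage(report: str):
    """Per process: how many imports are hooked and how many distinct destinations.
    Many hooks but a single destination points at one injected module; several
    destinations (or an owner other than 'Unknown') deserve a closer look."""
    per_proc = defaultdict(lambda: {"hooks": 0, "targets": set()})
    for (proc, addr), funcs in summarize(report).items():
        per_proc[proc]["hooks"] += len(funcs)
        per_proc[proc]["targets"].add(addr)
    return {p: {"hooks": v["hooks"], "targets": len(v["targets"])} for p, v in per_proc.items()}

# Constructed excerpt: the section header plus three lines taken from the first report.
SAMPLE = """\
¤¤¤ Antirootkit : 91 (Driver: Chargé) ¤¤¤
[IAT:Inl(Hook.IEAT)] (explorer.exe) ADVAPI32.dll - RegCreateKeyW : Unknown @ 0xffffffffed160217 (call 0xffffffffeb2f0216)
[IAT:Inl(Hook.IEAT)] (explorer.exe) WINTRUST.dll - WinVerifyTrust : Unknown @ 0xffffffffed160217 (call 0xffffffffeb2f0216)
[IAT:Inl(Hook.IEAT)] (explorer.exe) WS2_32.dll - WSASocketW : Unknown @ 0xffffffffed160217 (call 0xffffffffeb2f0216)
"""

if __name__ == "__main__":
    print(triage(SAMPLE))  # {'explorer.exe': {'hooks': 3, 'targets': 1}}
```

Run it over the full first report and the second (clean) one: the first yields one destination for all 91 hooks, the second yields an empty result, which matches the "Antirootkit : 0" header.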