RootKit - RogueKiller Hook.IEAT
Nifle-123 (Member, 3 posts)
Malekal_morte- (Moderator, security contributor, 180304 posts)
Hello,
I would like your opinion on a report that RogueKiller produced for me today: in the antirootkit category it lists dozens of files and refuses to delete them. I am quite worried because this has never happened to me before.
On the other hand, when I rerun the scan with Malwarebytes it finds no infected file. I don't understand.
I am pasting my txt report here.
Thanks in advance for your replies.
Nina
RogueKiller V11.0.9.0 (x64) [Jan 24 2016] (Gratuit) par Adlice Software
email : https://www.adlice.com/contact/
Remontées : https://forum.adlice.com/
Site web : https://www.adlice.com/fr/roguekiller/
Blog : https://www.adlice.com/
Système d'exploitation : Windows 10 (10.0.10240) 64 bits version
Démarré en : Mode normal
Utilisateur : Nina [Administrateur]
Démarré depuis : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Suppression -- Date : 01/29/2016 14:25:07
¤¤¤ Processus : 0 ¤¤¤
¤¤¤ Registre : 0 ¤¤¤
¤¤¤ Tâches : 0 ¤¤¤
¤¤¤ Fichiers : 0 ¤¤¤
¤¤¤ Fichier Hosts : 0 ¤¤¤
¤¤¤ Antirootkit : 29 (Driver: Chargé) ¤¤¤
[IAT:Inl(Hook.IEAT)] (explorer.exe) ntdll!NtSetSystemInformation : Unknown @ 0x7ffd08f401e0 (jmp 0xffffffff8014b390|jmp 0xfffffffffffffe19|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll!NtAssignProcessToJobObject : Unknown @ 0x7ffd08f40390 (jmp 0xffffffff8014c570|jmp 0xfffffffffffffc69|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll!NtTerminateProcess : Unknown @ 0x7ffd08f403d0 (jmp 0xffffffff8014cba0|jmp 0xfffffffffffffc29|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll!NtCreateEvent : Unknown @ 0x7ffd08f402c0 (jmp 0xffffffff8014c8d0|jmp 0xfffffffffffffd39|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll!NtCreateSection : Unknown @ 0x7ffd08f40300 (jmp 0xffffffff8014c8f0|jmp 0xfffffffffffffcf9|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll!NtOpenMutant : Unknown @ 0x7ffd08f40290 (jmp 0xffffffff8014bc20|jmp 0xfffffffffffffd69|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll!NtNotifyChangeKey : Unknown @ 0x7ffd08f40480 (jmp 0xffffffff8014bec0|jmp 0xfffffffffffffb79|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll!NtDuplicateObject : Unknown @ 0x7ffd08f40380 (jmp 0xffffffff8014ca50|jmp 0xfffffffffffffc79|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll!NtWriteVirtualMemory : Unknown @ 0x7ffd08f403a0 (jmp 0xffffffff8014ca90|jmp 0xfffffffffffffc59|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll!NtOpenEvent : Unknown @ 0x7ffd08f402d0 (jmp 0xffffffff8014c960|jmp 0xfffffffffffffd29|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll!NtCreateThreadEx : Unknown @ 0x7ffd08f403c0 (jmp 0xffffffff8014c320|jmp 0xfffffffffffffc39|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll!NtTerminateThread : Unknown @ 0x7ffd08f403e0 (jmp 0xffffffff8014c940|jmp 0xfffffffffffffc19|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll!NtOpenThread : Unknown @ 0x7ffd08f40370 (jmp 0xffffffff8014bc70|jmp 0xfffffffffffffc89|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll!NtSuspendThread : Unknown @ 0x7ffd08f40420 (jmp 0xffffffff8014b4b0|jmp 0xfffffffffffffbd9|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll!NtSetContextThread : Unknown @ 0x7ffd08f403f0 (jmp 0xffffffff8014b790|jmp 0xfffffffffffffc09|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll!NtQueryObject : Unknown @ 0x7ffd08f40440 (jmp 0xffffffff8014cdd0|jmp 0xfffffffffffffbb9|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll!NtCreateSemaphore : Unknown @ 0x7ffd08f402a0 (jmp 0xffffffff8014c220|jmp 0xfffffffffffffd59|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll!NtOpenSemaphore : Unknown @ 0x7ffd08f402b0 (jmp 0xffffffff8014bbe0|jmp 0xfffffffffffffd49|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll!NtCreateMutant : Unknown @ 0x7ffd08f40280 (jmp 0xffffffff8014c2a0|jmp 0xfffffffffffffd79|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll!NtCreateTimer : Unknown @ 0x7ffd08f40320 (jmp 0xffffffff8014c270|jmp 0xfffffffffffffcd9|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll!NtOpenTimer : Unknown @ 0x7ffd08f40330 (jmp 0xffffffff8014bc20|jmp 0xfffffffffffffcc9|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll!NtOpenProcess : Unknown @ 0x7ffd08f40360 (jmp 0xffffffff8014cb90|jmp 0xfffffffffffffc99|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll!NtOpenSection : Unknown @ 0x7ffd08f40310 (jmp 0xffffffff8014ca30|jmp 0xfffffffffffffce9|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll!NtCreateIoCompletion : Unknown @ 0x7ffd08f40340 (jmp 0xffffffff8014c3d0|jmp 0xfffffffffffffcb9|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll!NtNotifyChangeMultipleKeys : Unknown @ 0x7ffd08f40490 (jmp 0xffffffff8014bec0|jmp 0xfffffffffffffb69|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ rpcrt4.dll) ntdll!NtAlpcSendWaitReceivePort : Unknown @ 0x7ffd08f40470 (jmp 0xffffffff8014c680|jmp 0xfffffffffffffb89|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ rpcrt4.dll) ntdll!NtQueueApcThreadEx : Unknown @ 0x7ffd08f40430 (jmp 0xffffffff8014ba10|jmp 0xfffffffffffffbc9|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ user32.dll) ntdll!NtVdmControl : Unknown @ 0x7ffd08f40270 (jmp 0xffffffff8014b1e0|jmp 0xfffffffffffffd89|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ ws2_32.dll) ntdll!NtLoadDriver : Unknown @ 0x7ffd08f401d0 (jmp 0xffffffff8014bd10|jmp 0xfffffffffffffe29|jmp 0x19b)
¤¤¤ Navigateurs web : 0 ¤¤¤
¤¤¤ Vérification MBR : ¤¤¤
+++++ PhysicalDrive0: TOSHIBA THNSNH128G8NT +++++
--- User ---
[MBR] 2e8d2667ba63eda7880b971141855465
[BSP] ab748712106f4403bd6488159cb1c28c : Empty|VT.Unknown MBR Code
Partition table:
0 - [SYSTEM][MAN-MOUNT] EFI system partition | Offset (sectors): 2048 | Size: 260 MB
1 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 534528 | Size: 1474 MB
2 - [MAN-MOUNT] EFI system partition | Offset (sectors): 3553280 | Size: 260 MB
3 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 4085760 | Size: 128 MB
4 - Basic data partition | Offset (sectors): 4347904 | Size: 105515 MB
5 - [SYSTEM][MAN-MOUNT] | Offset (sectors): 220442624 | Size: 450 MB
6 - [SYSTEM][MAN-MOUNT] | Offset (sectors): 221364224 | Size: 350 MB
7 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 222081024 | Size: 13666 MB
User = LL1 ... OK
User = LL2 ... OK
+++++ PhysicalDrive1: SD Card +++++
--- User ---
[MBR] 9ab08f4e69438c9f4fed94e43f4a2e11
[BSP] df4f83c1f72e36823a12b0dfc7617313 : Empty MBR Code
Partition table:
0 - [XXXXXX] FAT32-LBA (0xc) [VISIBLE] Offset (sectors): 8192 | Size: 29979 MB
User = LL1 ... OK
Error reading LL2 MBR! ([32] Cette demande n'est pas prise en charge. )
2 replies
Because RogueKiller often displays these IAT hooks, which probably come from your antivirus.
https://forums.commentcamarche.net/forum/affich-33053363-suite-au-passage-de-roguekiller
https://forum.malekal.com/viewtopic.php?t=52305&start=
https://forum.malekal.com/viewtopic.php?t=50126&start=
etc
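An added example, not part of this thread and not RogueKiller's own code, showing the check behind the reply above: parse the `[IAT:Inl(Hook.IEAT)]` lines of the report pasted in this thread and summarize what they have in common. The line format is assumed from those lines only; the `SENSITIVE` set is an editorial list of native functions that endpoint-protection products commonly intercept in user mode, not a list published by RogueKiller; and reading `Unknown` as "RogueKiller could not map the hook target to a loaded module" is an assumption about the tool's output.

```python
import re
from collections import Counter

# Lines copied verbatim from the RogueKiller report pasted in this thread
# (a subset of its 29 Antirootkit entries, plus the surrounding section headers).
SAMPLE_REPORT = """\
¤¤¤ Antirootkit : 29 (Driver: Chargé) ¤¤¤
[IAT:Inl(Hook.IEAT)] (explorer.exe) ntdll!NtSetSystemInformation : Unknown @ 0x7ffd08f401e0 (jmp 0xffffffff8014b390|jmp 0xfffffffffffffe19|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll!NtTerminateProcess : Unknown @ 0x7ffd08f403d0 (jmp 0xffffffff8014cba0|jmp 0xfffffffffffffc29|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll!NtWriteVirtualMemory : Unknown @ 0x7ffd08f403a0 (jmp 0xffffffff8014ca90|jmp 0xfffffffffffffc59|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll!NtCreateThreadEx : Unknown @ 0x7ffd08f403c0 (jmp 0xffffffff8014c320|jmp 0xfffffffffffffc39|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll!NtOpenProcess : Unknown @ 0x7ffd08f40360 (jmp 0xffffffff8014cb90|jmp 0xfffffffffffffc99|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ rpcrt4.dll) ntdll!NtQueueApcThreadEx : Unknown @ 0x7ffd08f40430 (jmp 0xffffffff8014ba10|jmp 0xfffffffffffffbc9|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ ws2_32.dll) ntdll!NtLoadDriver : Unknown @ 0x7ffd08f401d0 (jmp 0xffffffff8014bd10|jmp 0xfffffffffffffe29|jmp 0x19b)
¤¤¤ Navigateurs web : 0 ¤¤¤
"""

# Line format assumed from the report above:
#   [IAT:Inl(Hook.IEAT)] (process [@ importing module]) lib!func : owner @ addr (jmp a|jmp b|jmp c)
HOOK_RE = re.compile(
    r"^\[IAT:Inl\(Hook\.IEAT\)\] "
    r"\((?P<process>[^\s@)]+)(?: @ (?P<importer>[^)]+))?\) "
    r"(?P<library>\w+)!(?P<function>\w+) : (?P<owner>\S+) @ (?P<address>0x[0-9a-fA-F]+) "
    r"\((?P<chain>[^)]*)\)$"
)

# Editorial list (not from RogueKiller): native functions that endpoint-protection
# products commonly intercept in user mode to watch process/thread manipulation
# and driver loading. Hooks on exactly these names are the expected AV footprint.
SENSITIVE = {
    "NtOpenProcess", "NtOpenThread", "NtWriteVirtualMemory", "NtCreateThreadEx",
    "NtQueueApcThreadEx", "NtSetContextThread", "NtSuspendThread", "NtTerminateProcess",
    "NtCreateSection", "NtLoadDriver", "NtSetSystemInformation",
}


def parse_hooks(report):
    """Return one dict per Antirootkit hook line; every other line is ignored."""
    hooks = []
    for line in report.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue  # section headers, MBR section, anything that is not a hook entry
        # "jmp 0x...|jmp 0x...|jmp 0x19b" -> list of integer jump targets, in order
        chain = [int(step.strip().split()[-1], 16) for step in m["chain"].split("|")]
        hooks.append({
            "process": m["process"],
            "importer": m["importer"] or "(direct)",   # no "@ module" part on the first line
            "function": f"{m['library']}!{m['function']}",
            "owner": m["owner"],                        # "Unknown": target not in a mapped module
            "address": int(m["address"], 16),
            "chain": chain,
        })
    return hooks


def triage(hooks):
    """Summarize what the hooks share: importer, owner, and the 4 KiB page they jump into."""
    pages = {h["address"] >> 12 for h in hooks}
    owners = {h["owner"] for h in hooks}
    return {
        "hook_count": len(hooks),
        "processes": sorted({h["process"] for h in hooks}),
        "by_importer": dict(Counter(h["importer"] for h in hooks)),
        "all_ntdll": all(h["function"].startswith("ntdll!") for h in hooks),
        "unknown_owner_only": owners == {"Unknown"},
        "target_pages": sorted(f"0x{p << 12:x}" for p in pages),
        "single_target_page": len(pages) == 1,
        "sensitive_functions": sorted(
            h["function"] for h in hooks if h["function"].split("!")[1] in SENSITIVE
        ),
    }


def explain(summary):
    """Plain-text triage verdict; a heuristic, not proof of what owns the hooks."""
    lines = [f"{summary['hook_count']} inline hook(s) in {', '.join(summary['processes'])}:"]
    for importer, n in sorted(summary["by_importer"].items()):
        lines.append(f"  {n:2d} via {importer}")
    lines.append(f"  {len(summary['sensitive_functions'])} on functions AV products typically monitor")
    if summary["single_target_page"] and summary["unknown_owner_only"] and summary["all_ntdll"]:
        lines.append(
            f"All hooks land in one page ({summary['target_pages'][0]}) that the scanner could "
            "not map to a loaded module: consistent with a single user-mode hooking library, "
            "typically an antivirus monitor. Confirm by identifying what owns that page."
        )
    else:
        lines.append("Hooks spread over several regions or modules: review each entry on its own.")
    return "\n".join(lines)


if __name__ == "__main__":
    print(explain(triage(parse_hooks(SAMPLE_REPORT))))
```

Run against the full report, all 29 entries hook `ntdll!Nt*` exports, carry the owner `Unknown`, and jump into the same page at `0x7ffd08f40000`, which is the pattern the reply attributes to an antivirus. The verdict is only a heuristic: an injected malicious DLL produces the same picture, so the practical confirmation is to find out which module owns that page inside explorer.exe, or to compare with a scan taken while the antivirus's real-time protection is paused and see whether the entries disappear.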
How do you know?