Infecté par un rootkit!!!
Meowmeow
-
J'abandonne! -
J'abandonne! -
Salutation,
MERCI d'avance à celui ou celle qui pendra en charge de mon fil.
Tout d'abord, j'aimerais que ce soit un pro du programme GMER qui prenne en charge ce log qui suivra.
En effet, j'essaie de comprendre les étranges logs et le site de Malekal (qui m'a fait découvrir ce puissant logiciel)ne dit pas grand chose à son propos. Même le site de GMER s'occupe de quelques rootkits mais pas tout.
En tout cas, je crois être infecté pas spXX.sys...je trouve bizarre ces deux caractères aléatoires. Oui, c'est le site de greatis(écrivez «greatis» et «spxx» sur google) affirme que ce n'est pas un rootkit, mais je ne comprend rien à leur charabia.
En passant, je n'ai pas mis de rapport HijackThis! puisque quelqu'un l'a déjà vérifié sur commentcamarche il y a quelque jours et a confirmé la propreté du log.
Je voudrait que quelqu'un se penche sur mon cas:
GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-12-07 07:59:50
Windows 6.0.6001 Service Pack 1
---- System - GMER 1.0.14 ----
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwAlpcConnectPort [0x8F4DE706]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwConnectPort [0x8F4DE366]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateFile [0x8F4DB974]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateKey [0x8F4E6388]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreatePort [0x8F4DEA3E]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateProcess [0x8F4E4166]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateProcessEx [0x8F4E4380]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateSection [0x8F4E7B9E]
SSDT 80D9DC24 ZwCreateThread
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateWaitablePort [0x8F4DEACE]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDeleteFile [0x8F4DBE54]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDeleteKey [0x8F4E6C84]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDeleteValueKey [0x8F4E6A00]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDuplicateObject [0x8F4E3F08]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwLoadKey [0x8F4E6E34]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwOpenFile [0x8F4DBCEC]
SSDT 80D9DC10 ZwOpenProcess
SSDT 80D9DC15 ZwOpenThread
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwRenameKey [0x8F4E7810]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwReplaceKey [0x8F4E7246]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwRequestWaitReplyPort [0x8F4DDFF0]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwRestoreKey [0x8F4E7650]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSecureConnectPort [0x8F4DE506]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSetInformationFile [0x8F4DC042]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSetValueKey [0x8F4E6706]
SSDT 80D9DC1F ZwTerminateProcess
SSDT 80D9DC1A ZwWriteVirtualMemory
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateUserProcess [0x8F4E459E]
INT 0x52 ? 8689EBF8
INT 0x62 ? 8689EBF8
INT 0x72 ? 84F92BF8
INT 0x82 ? 84F92BF8
INT 0x92 ? 84F92BF8
INT 0x92 ? 84F92BF8
INT 0x92 ? 8689EBF8
INT 0x92 ? 84F92BF8
INT 0xA2 ? 8689EBF8
---- Kernel code sections - GMER 1.0.14 ----
.text ntkrnlpa.exe!KeSetTimerEx + 370 820FD934 4 Bytes [ 06, E7, 4D, 8F ]
.text ntkrnlpa.exe!KeSetTimerEx + 3F4 820FD9B8 4 Bytes [ 66, E3, 4D, 8F ]
.text ntkrnlpa.exe!KeSetTimerEx + 40C 820FD9D0 4 Bytes [ 74, B9, 4D, 8F ]
.text ntkrnlpa.exe!KeSetTimerEx + 41C 820FD9E0 4 Bytes [ 88, 63, 4E, 8F ]
.text ntkrnlpa.exe!KeSetTimerEx + 438 820FD9FC 12 Bytes JMP 41668F4D
.text ...
? System32\Drivers\spzz.sys Le fichier spécifié est introuvable. !
.text USBPORT.SYS!DllUnload 833A646F 5 Bytes JMP 8689E1D8
---- Kernel IAT/EAT - GMER 1.0.14 ----
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [826916D2] \SystemRoot\System32\Drivers\spzz.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [82691040] \SystemRoot\System32\Drivers\spzz.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [826917FC] \SystemRoot\System32\Drivers\spzz.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUshort] [826910BE] \SystemRoot\System32\Drivers\spzz.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [8269113C] \SystemRoot\System32\Drivers\spzz.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [826A0D92] \SystemRoot\System32\Drivers\spzz.sys
---- User IAT/EAT - GMER 1.0.14 ----
IAT C:\Windows\Explorer.EXE[1864] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [74627BA4] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1864] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [746698C5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1864] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [7462D3C8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1864] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [7461F527] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1864] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [74627599] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1864] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [7461E43D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1864] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [7465B33D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1864] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [7462D68A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1864] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [7462012E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1864] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [74620095] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1864] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [746171F3] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1864] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [746AD802] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1864] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [746475E1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1864] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [7461DAE1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1864] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [7461668F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1864] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [746166BA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1864] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [74621E45] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
---- Devices - GMER 1.0.14 ----
Device \FileSystem\Ntfs \Ntfs 859231F8
Device \Driver\volmgr \Device\VolMgrControl 84F941F8
Device \Driver\usbuhci \Device\USBPDO-0 868751F8
Device \Driver\usbuhci \Device\USBPDO-1 868751F8
Device \Driver\usbuhci \Device\USBPDO-2 868751F8
Device \Driver\usbuhci \Device\USBPDO-3 868751F8
Device \Driver\usbehci \Device\USBPDO-4 868801F8
Device \Driver\volmgr \Device\HarddiskVolume1 84F941F8
Device \Driver\volmgr \Device\HarddiskVolume2 84F941F8
Device \Driver\cdrom \Device\CdRom0 868B81F8
Device \Driver\netbt \Device\NetBT_Tcpip_{02E132AE-92A8-46D3-B974-530411CED648} 86EF11F8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 859221F8
Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-3 859221F8
Device \Driver\atapi \Device\Ide\IdePort0 859221F8
Device \Driver\atapi \Device\Ide\IdePort1 859221F8
Device \Driver\atapi \Device\Ide\IdePort2 859221F8
Device \Driver\atapi \Device\Ide\IdePort3 859221F8
Device \Driver\volmgr \Device\HarddiskVolume3 84F941F8
Device \Driver\volmgr \Device\HarddiskVolume4 84F941F8
Device \Driver\volmgr \Device\HarddiskVolume5 84F941F8
Device \Driver\volmgr \Device\HarddiskVolume6 84F941F8
Device \Driver\USBSTOR \Device\00000069 86EDE1F8
Device \Driver\netbt \Device\NetBt_Wins_Export 86EF11F8
Device \Driver\Smb \Device\NetbiosSmb 86F0C1F8
Device \Driver\iScsiPrt \Device\RaidPort0 868BA1F8
Device \Driver\USBSTOR \Device\0000006a 86EDE1F8
Device \Driver\USBSTOR \Device\0000006b 86EDE1F8
Device \Driver\USBSTOR \Device\0000006c 86EDE1F8
Device \Driver\usbuhci \Device\USBFDO-0 868751F8
Device \Driver\USBSTOR \Device\0000006d 86EDE1F8
Device \Driver\usbuhci \Device\USBFDO-1 868751F8
Device \Driver\usbuhci \Device\USBFDO-2 868751F8
Device \Driver\usbuhci \Device\USBFDO-3 868751F8
Device \Driver\usbehci \Device\USBFDO-4 868801F8
Device \FileSystem\cdfs \Cdfs 877391F8
---- Registry - GMER 1.0.14 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x0D 0x88 0x1F 0x4E ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0xF0 0xC4 0x67 0x17 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0xDA 0xCF 0x68 0x2E ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg41
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg41@ujdew 0x62 0x2E 0x0C 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg42
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg42@ujdew 0xB1 0x6F 0x12 0x4D ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x0D 0x88 0x1F 0x4E ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0xF0 0xC4 0x67 0x17 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0xDA 0xCF 0x68 0x2E ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg41
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg41@ujdew 0x62 0x2E 0x0C 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg42
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg42@ujdew 0xB1 0x6F 0x12 0x4D ...
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs@C:\ProgramData\--------------\ 1
---- EOF - GMER 1.0.14 ----
En dernier lieu, j'ai quelque questions d'ordre général:
1) Est-ce les lignes concernant ZoneAlarm dans la section SSDT sont-elles légitimes? À quoi correspond le Zw dans
, par exemple,
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateFile [0x8F4DB974]
J'ai vu sur GMER que quelque rootkits ont ces lettres...
2)Dans la section kernel code sections, qu'est-ce que ces «ntkrnlpa.exe!KeSetTimerEx» ?
3) Quelle est la fonction de la dernière ligne du rapport GMER?
Soyez clair et adapté pour une personne ayant encore des connaissances limitées en informatique.
Merci encore.
MERCI d'avance à celui ou celle qui pendra en charge de mon fil.
Tout d'abord, j'aimerais que ce soit un pro du programme GMER qui prenne en charge ce log qui suivra.
En effet, j'essaie de comprendre les étranges logs et le site de Malekal (qui m'a fait découvrir ce puissant logiciel)ne dit pas grand chose à son propos. Même le site de GMER s'occupe de quelques rootkits mais pas tout.
En tout cas, je crois être infecté pas spXX.sys...je trouve bizarre ces deux caractères aléatoires. Oui, c'est le site de greatis(écrivez «greatis» et «spxx» sur google) affirme que ce n'est pas un rootkit, mais je ne comprend rien à leur charabia.
En passant, je n'ai pas mis de rapport HijackThis! puisque quelqu'un l'a déjà vérifié sur commentcamarche il y a quelque jours et a confirmé la propreté du log.
Je voudrait que quelqu'un se penche sur mon cas:
GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-12-07 07:59:50
Windows 6.0.6001 Service Pack 1
---- System - GMER 1.0.14 ----
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwAlpcConnectPort [0x8F4DE706]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwConnectPort [0x8F4DE366]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateFile [0x8F4DB974]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateKey [0x8F4E6388]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreatePort [0x8F4DEA3E]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateProcess [0x8F4E4166]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateProcessEx [0x8F4E4380]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateSection [0x8F4E7B9E]
SSDT 80D9DC24 ZwCreateThread
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateWaitablePort [0x8F4DEACE]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDeleteFile [0x8F4DBE54]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDeleteKey [0x8F4E6C84]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDeleteValueKey [0x8F4E6A00]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDuplicateObject [0x8F4E3F08]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwLoadKey [0x8F4E6E34]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwOpenFile [0x8F4DBCEC]
SSDT 80D9DC10 ZwOpenProcess
SSDT 80D9DC15 ZwOpenThread
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwRenameKey [0x8F4E7810]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwReplaceKey [0x8F4E7246]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwRequestWaitReplyPort [0x8F4DDFF0]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwRestoreKey [0x8F4E7650]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSecureConnectPort [0x8F4DE506]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSetInformationFile [0x8F4DC042]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSetValueKey [0x8F4E6706]
SSDT 80D9DC1F ZwTerminateProcess
SSDT 80D9DC1A ZwWriteVirtualMemory
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateUserProcess [0x8F4E459E]
INT 0x52 ? 8689EBF8
INT 0x62 ? 8689EBF8
INT 0x72 ? 84F92BF8
INT 0x82 ? 84F92BF8
INT 0x92 ? 84F92BF8
INT 0x92 ? 84F92BF8
INT 0x92 ? 8689EBF8
INT 0x92 ? 84F92BF8
INT 0xA2 ? 8689EBF8
---- Kernel code sections - GMER 1.0.14 ----
.text ntkrnlpa.exe!KeSetTimerEx + 370 820FD934 4 Bytes [ 06, E7, 4D, 8F ]
.text ntkrnlpa.exe!KeSetTimerEx + 3F4 820FD9B8 4 Bytes [ 66, E3, 4D, 8F ]
.text ntkrnlpa.exe!KeSetTimerEx + 40C 820FD9D0 4 Bytes [ 74, B9, 4D, 8F ]
.text ntkrnlpa.exe!KeSetTimerEx + 41C 820FD9E0 4 Bytes [ 88, 63, 4E, 8F ]
.text ntkrnlpa.exe!KeSetTimerEx + 438 820FD9FC 12 Bytes JMP 41668F4D
.text ...
? System32\Drivers\spzz.sys Le fichier spécifié est introuvable. !
.text USBPORT.SYS!DllUnload 833A646F 5 Bytes JMP 8689E1D8
---- Kernel IAT/EAT - GMER 1.0.14 ----
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [826916D2] \SystemRoot\System32\Drivers\spzz.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [82691040] \SystemRoot\System32\Drivers\spzz.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [826917FC] \SystemRoot\System32\Drivers\spzz.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUshort] [826910BE] \SystemRoot\System32\Drivers\spzz.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [8269113C] \SystemRoot\System32\Drivers\spzz.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [826A0D92] \SystemRoot\System32\Drivers\spzz.sys
---- User IAT/EAT - GMER 1.0.14 ----
IAT C:\Windows\Explorer.EXE[1864] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [74627BA4] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1864] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [746698C5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1864] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [7462D3C8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1864] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [7461F527] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1864] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [74627599] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1864] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [7461E43D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1864] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [7465B33D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1864] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [7462D68A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1864] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [7462012E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1864] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [74620095] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1864] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [746171F3] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1864] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [746AD802] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1864] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [746475E1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1864] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [7461DAE1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1864] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [7461668F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1864] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [746166BA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1864] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [74621E45] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
---- Devices - GMER 1.0.14 ----
Device \FileSystem\Ntfs \Ntfs 859231F8
Device \Driver\volmgr \Device\VolMgrControl 84F941F8
Device \Driver\usbuhci \Device\USBPDO-0 868751F8
Device \Driver\usbuhci \Device\USBPDO-1 868751F8
Device \Driver\usbuhci \Device\USBPDO-2 868751F8
Device \Driver\usbuhci \Device\USBPDO-3 868751F8
Device \Driver\usbehci \Device\USBPDO-4 868801F8
Device \Driver\volmgr \Device\HarddiskVolume1 84F941F8
Device \Driver\volmgr \Device\HarddiskVolume2 84F941F8
Device \Driver\cdrom \Device\CdRom0 868B81F8
Device \Driver\netbt \Device\NetBT_Tcpip_{02E132AE-92A8-46D3-B974-530411CED648} 86EF11F8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 859221F8
Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-3 859221F8
Device \Driver\atapi \Device\Ide\IdePort0 859221F8
Device \Driver\atapi \Device\Ide\IdePort1 859221F8
Device \Driver\atapi \Device\Ide\IdePort2 859221F8
Device \Driver\atapi \Device\Ide\IdePort3 859221F8
Device \Driver\volmgr \Device\HarddiskVolume3 84F941F8
Device \Driver\volmgr \Device\HarddiskVolume4 84F941F8
Device \Driver\volmgr \Device\HarddiskVolume5 84F941F8
Device \Driver\volmgr \Device\HarddiskVolume6 84F941F8
Device \Driver\USBSTOR \Device\00000069 86EDE1F8
Device \Driver\netbt \Device\NetBt_Wins_Export 86EF11F8
Device \Driver\Smb \Device\NetbiosSmb 86F0C1F8
Device \Driver\iScsiPrt \Device\RaidPort0 868BA1F8
Device \Driver\USBSTOR \Device\0000006a 86EDE1F8
Device \Driver\USBSTOR \Device\0000006b 86EDE1F8
Device \Driver\USBSTOR \Device\0000006c 86EDE1F8
Device \Driver\usbuhci \Device\USBFDO-0 868751F8
Device \Driver\USBSTOR \Device\0000006d 86EDE1F8
Device \Driver\usbuhci \Device\USBFDO-1 868751F8
Device \Driver\usbuhci \Device\USBFDO-2 868751F8
Device \Driver\usbuhci \Device\USBFDO-3 868751F8
Device \Driver\usbehci \Device\USBFDO-4 868801F8
Device \FileSystem\cdfs \Cdfs 877391F8
---- Registry - GMER 1.0.14 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x0D 0x88 0x1F 0x4E ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0xF0 0xC4 0x67 0x17 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0xDA 0xCF 0x68 0x2E ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg41
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg41@ujdew 0x62 0x2E 0x0C 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg42
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg42@ujdew 0xB1 0x6F 0x12 0x4D ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x0D 0x88 0x1F 0x4E ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0xF0 0xC4 0x67 0x17 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0xDA 0xCF 0x68 0x2E ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg41
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg41@ujdew 0x62 0x2E 0x0C 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg42
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg42@ujdew 0xB1 0x6F 0x12 0x4D ...
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs@C:\ProgramData\--------------\ 1
---- EOF - GMER 1.0.14 ----
En dernier lieu, j'ai quelque questions d'ordre général:
1) Est-ce les lignes concernant ZoneAlarm dans la section SSDT sont-elles légitimes? À quoi correspond le Zw dans
, par exemple,
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateFile [0x8F4DB974]
J'ai vu sur GMER que quelque rootkits ont ces lettres...
2)Dans la section kernel code sections, qu'est-ce que ces «ntkrnlpa.exe!KeSetTimerEx» ?
3) Quelle est la fonction de la dernière ligne du rapport GMER?
Soyez clair et adapté pour une personne ayant encore des connaissances limitées en informatique.
Merci encore.
A voir également:
- Infecté par un rootkit!!!
- Rootkit - Télécharger - Antivirus & Antimalwares
- Alerte windows ordinateur infecté - Accueil - Arnaque
- Rootkit hunter - Télécharger - Antivirus & Antimalwares
- L'ordinateur de simon a été infecté par un virus répertorié récemment ✓ - Forum Virus
- L'ordinateur de mustapha a été infecté par un virus répertorié récemment - Forum Virus
