load_tdsskiller

Poster ici les programmes utiles que vous avez découverts
Avatar de l’utilisateur
Malekal_morte
Site Admin
Site Admin
Messages : 91999
Inscription : 10 sept. 2005 13:57
Contact :

load_tdsskiller

Message par Malekal_morte » 20 déc. 2009 13:23

Obsolète : utilisez TDSSKiller de Kaspersky - voir la page : tdsskiller-kaspersky-t28637.html


load_tdsskiller comme son nom l'indique est un fix qui permet de supprimer les infections TDSS/Alueron
Il se présente sous un fichier exécutable que l'on lance.

L'auteur du fix est loup_blanc qui utilise un TDSSKiller de Kaspersky (voir http://support.kaspersky.com/viruses/so ... =208280684)
Le fix de loup_blanc repris ce fix mais de manière automatique.

Le lien du fix : http://frades.perso.neuf.fr/transf/Load_tdsskiller.exe

Voici dans le cas d'un patch atapy.sys ce que l'on obtient :
Image

et enfin un exemple de rapport :
Scanning Kernel memory ...
Driver "atapi" Irp handler infected by TDSS rootkit ... cured
File C:\WINDOWS\system32\drivers\atapi.sys infected by TDSS rootkit ... will be
cured on next reboot

Completed

Results:
Infected objects in memory: 1
Cured objects in memory: 1
Infected objects on disk: 1
Objects on disk cured on reboot: 1
Objects on disk deleted on reboot: 0
Registry nodes deleted on reboot: 0

To finalize removal of infection and avoid loosing of data program will
reboot your PC now.
Close all programs and choose Y to restart or N to continue.

~~~



Host Name: PROUTCOMPUTER
OS Name: Microsoft Windows XP Professional
OS Version: 5.1.2600 Service Pack 2 Build 2600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Uniprocessor Free
Registered Owner: Malekal_morte
Registered Organization:
Product ID: 55274-642-6999986-23789
Original Install Date: 12/08/2007, 17:30:40
System Up Time: 0 Days, 0 Hours, 1 Minutes, 14 Seconds
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System type: X86-based PC
Processor(s): 1 Processor(s) Installed.
[01]: x86 Family 6 Model 26 Stepping 8 GenuineIntel ~2793 Mhz
BIOS Version: INTEL - 6040000
Windows Directory: C:\WINDOWS
System Directory: C:\WINDOWS\system32
Boot Device: \Device\HarddiskVolume1
System Locale: fr;French (France)
Input Locale: fr;French (France)
Time Zone: (GMT-08:00) Pacific Time (US & Canada); Tijuana
Total Physical Memory: 223 MB
Available Physical Memory: 119 MB
Virtual Memory: Max Size: 2ÿ048 MB
Virtual Memory: Available: 2ÿ007 MB
Virtual Memory: In Use: 41 MB
Page File Location(s): C:\pagefile.sys
Domain: WORKGROUP
Logon Server: \\PROUTCOMPUTER
Hotfix(s): 1 Hotfix(s) Installed.
[01]: Q147222
NetWork Card(s): 1 NIC(s) Installed.
[01]: VMware Accelerated AMD PCNet Adapter
Connection Name: Local Area Connection
DHCP Enabled: No
IP address(es)
[01]: 192.168.1.26
3:7:55:532 280 ForceUnloadDriver: NtUnloadDriver error 2
3:7:55:532 280 ForceUnloadDriver: NtUnloadDriver error 2
3:7:55:532 280 ForceUnloadDriver: NtUnloadDriver error 2
3:7:55:532 280 main: Driver KLMD successfully dropped
3:7:55:626 280 main: Driver KLMD successfully loaded
3:7:55:626 280
Scanning Registry ...
3:7:55:642 280 ScanServices: Searching service UACd.sys
3:7:55:642 280 ScanServices: Open/Create key error 2
3:7:55:642 280 ScanServices: Searching service TDSSserv.sys
3:7:55:642 280 ScanServices: Open/Create key error 2
3:7:55:642 280 ScanServices: Searching service gaopdxserv.sys
3:7:55:642 280 ScanServices: Open/Create key error 2
3:7:55:642 280 ScanServices: Searching service gxvxcserv.sys
3:7:55:642 280 ScanServices: Open/Create key error 2
3:7:55:642 280 ScanServices: Searching service MSIVXserv.sys
3:7:55:642 280 ScanServices: Open/Create key error 2
3:7:55:642 280 UnhookRegistry: Kernel module file name: C:\windows\system32\ntkrnlpa.exe, base addr: 804D7000
3:7:55:642 280 UnhookRegistry: Kernel local addr: B90000
3:7:55:642 280 UnhookRegistry: KeServiceDescriptorTable addr: C0B180
3:7:55:673 280 UnhookRegistry: KiServiceTable addr: BBA030
3:7:55:673 280 UnhookRegistry: NtEnumerateKey service number (local): 47
3:7:55:673 280 UnhookRegistry: NtEnumerateKey local addr: CD2412
3:7:55:673 280 KLMD_OpenDevice: Trying to open KLMD device
3:7:55:673 280 KLMD_GetSystemRoutineAddressA: Trying to get system routine address ZwEnumerateKey
3:7:55:673 280 KLMD_GetSystemRoutineAddressW: Trying to get system routine address ZwEnumerateKey
3:7:55:673 280 KLMD_ReadMem: Trying to ReadMemory 0x804FD801[0x4]
3:7:55:673 280 UnhookRegistry: NtEnumerateKey service number (kernel): 47
3:7:55:673 280 KLMD_ReadMem: Trying to ReadMemory 0x8050114C[0x4]
3:7:55:673 280 UnhookRegistry: NtEnumerateKey real addr: 80619412
3:7:55:673 280 UnhookRegistry: NtEnumerateKey calc addr: 80619412
3:7:55:673 280 UnhookRegistry: No SDT hooks found on NtEnumerateKey
3:7:55:673 280 KLMD_ReadMem: Trying to ReadMemory 0x80619412[0xA]
3:7:55:673 280 UnhookRegistry: No splicing found on NtEnumerateKey
3:7:55:688 280
Scanning Kernel memory ...
3:7:55:688 280 KLMD_OpenDevice: Trying to open KLMD device
3:7:55:688 280 KLMD_GetSystemObjectAddressByNameA: Trying to get system object address by name \Driver\Disk
3:7:55:688 280 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
3:7:55:688 280 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 8111EDE8
3:7:55:688 280 DetectCureTDL3: KLMD_GetDeviceObjectList returned 2 DevObjects
3:7:55:688 280 DetectCureTDL3: 0 Curr stack PDEVICE_OBJECT: 81123030
3:7:55:688 280 KLMD_GetLowerDeviceObject: Trying to get lower device object for 81123030
3:7:55:688 280 KLMD_ReadMem: Trying to ReadMemory 0x81123030[0x38]
3:7:55:688 280 DetectCureTDL3: DRIVER_OBJECT addr: 8111EDE8
3:7:55:688 280 KLMD_ReadMem: Trying to ReadMemory 0x8111EDE8[0xA8]
3:7:55:688 280 KLMD_ReadMem: Trying to ReadMemory 0xE1392460[0x208]
3:7:55:688 280 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
3:7:55:688 280 DetectCureTDL3: IrpHandler (0) addr: F9EB9C30
3:7:55:688 280 DetectCureTDL3: IrpHandler (1) addr: 804F320E
3:7:55:688 280 DetectCureTDL3: IrpHandler (2) addr: F9EB9C30
3:7:55:688 280 DetectCureTDL3: IrpHandler (3) addr: F9EB3D9B
3:7:55:688 280 DetectCureTDL3: IrpHandler (4) addr: F9EB3D9B
3:7:55:688 280 DetectCureTDL3: IrpHandler (5) addr: 804F320E
3:7:55:688 280 DetectCureTDL3: IrpHandler (6) addr: 804F320E
3:7:55:688 280 DetectCureTDL3: IrpHandler (7) addr: 804F320E
3:7:55:688 280 DetectCureTDL3: IrpHandler (8) addr: 804F320E
3:7:55:688 280 DetectCureTDL3: IrpHandler (9) addr: F9EB4366
3:7:55:688 280 DetectCureTDL3: IrpHandler (10) addr: 804F320E
3:7:55:688 280 DetectCureTDL3: IrpHandler (11) addr: 804F320E
3:7:55:688 280 DetectCureTDL3: IrpHandler (12) addr: 804F320E
3:7:55:688 280 DetectCureTDL3: IrpHandler (13) addr: 804F320E
3:7:55:688 280 DetectCureTDL3: IrpHandler (14) addr: F9EB444D
3:7:55:688 280 DetectCureTDL3: IrpHandler (15) addr: F9EB7FC3
3:7:55:688 280 DetectCureTDL3: IrpHandler (16) addr: F9EB4366
3:7:55:688 280 DetectCureTDL3: IrpHandler (17) addr: 804F320E
3:7:55:688 280 DetectCureTDL3: IrpHandler (18) addr: 804F320E
3:7:55:688 280 DetectCureTDL3: IrpHandler (19) addr: 804F320E
3:7:55:688 280 DetectCureTDL3: IrpHandler (20) addr: 804F320E
3:7:55:688 280 DetectCureTDL3: IrpHandler (21) addr: 804F320E
3:7:55:688 280 DetectCureTDL3: IrpHandler (22) addr: F9EB5EF3
3:7:55:688 280 DetectCureTDL3: IrpHandler (23) addr: F9EBAA24
3:7:55:688 280 DetectCureTDL3: IrpHandler (24) addr: 804F320E
3:7:55:688 280 DetectCureTDL3: IrpHandler (25) addr: 804F320E
3:7:55:688 280 DetectCureTDL3: IrpHandler (26) addr: 804F320E
3:7:55:688 280 KLMD_ReadMem: Trying to ReadMemory 0x0[0x400]
3:7:55:688 280 KLMD_ReadMem: DeviceIoControl error 1
3:7:55:688 280 TDL3_StartIoHookDetect: Unable to get StartIo handler code
3:7:55:688 280 TDL3_FileDetect: Processing driver: Disk
3:7:55:688 280 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\disk.sys, C:\WINDOWS\system32\Drivers\tsk_disk.sys, SYSTEM\CurrentControlSet\Services\Disk, system32\Drivers\tsk_disk.sys
3:7:55:688 280 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\disk.sys
3:7:55:688 280 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\disk.sys
3:7:55:704 280 DetectCureTDL3: 1 Curr stack PDEVICE_OBJECT: 8111E690
3:7:55:704 280 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8111E690
3:7:55:704 280 DetectCureTDL3: 1 Curr stack PDEVICE_OBJECT: 81120B58
3:7:55:704 280 KLMD_GetLowerDeviceObject: Trying to get lower device object for 81120B58
3:7:55:704 280 KLMD_ReadMem: Trying to ReadMemory 0x81120B58[0x38]
3:7:55:704 280 DetectCureTDL3: DRIVER_OBJECT addr: 8116C9C8
3:7:55:704 280 KLMD_ReadMem: Trying to ReadMemory 0x8116C9C8[0xA8]
3:7:55:704 280 KLMD_ReadMem: Trying to ReadMemory 0xE13A6A58[0x208]
3:7:55:704 280 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
3:7:55:704 280 DetectCureTDL3: IrpHandler (0) addr: F9CDF9F2
3:7:55:704 280 DetectCureTDL3: IrpHandler (1) addr: F9CDF9F2
3:7:55:704 280 DetectCureTDL3: IrpHandler (2) addr: F9CDF9F2
3:7:55:704 280 DetectCureTDL3: IrpHandler (3) addr: F9CDF9F2
3:7:55:704 280 DetectCureTDL3: IrpHandler (4) addr: F9CDF9F2
3:7:55:704 280 DetectCureTDL3: IrpHandler (5) addr: F9CDF9F2
3:7:55:704 280 DetectCureTDL3: IrpHandler (6) addr: F9CDF9F2
3:7:55:704 280 DetectCureTDL3: IrpHandler (7) addr: F9CDF9F2
3:7:55:704 280 DetectCureTDL3: IrpHandler (8) addr: F9CDF9F2
3:7:55:704 280 DetectCureTDL3: IrpHandler (9) addr: F9CDF9F2
3:7:55:704 280 DetectCureTDL3: IrpHandler (10) addr: F9CDF9F2
3:7:55:704 280 DetectCureTDL3: IrpHandler (11) addr: F9CDF9F2
3:7:55:704 280 DetectCureTDL3: IrpHandler (12) addr: F9CDF9F2
3:7:55:704 280 DetectCureTDL3: IrpHandler (13) addr: F9CDF9F2
3:7:55:704 280 DetectCureTDL3: IrpHandler (14) addr: F9CDF9F2
3:7:55:704 280 DetectCureTDL3: IrpHandler (15) addr: F9CDF9F2
3:7:55:704 280 DetectCureTDL3: IrpHandler (16) addr: F9CDF9F2
3:7:55:704 280 DetectCureTDL3: IrpHandler (17) addr: F9CDF9F2
3:7:55:704 280 DetectCureTDL3: IrpHandler (18) addr: F9CDF9F2
3:7:55:704 280 DetectCureTDL3: IrpHandler (19) addr: F9CDF9F2
3:7:55:704 280 DetectCureTDL3: IrpHandler (20) addr: F9CDF9F2
3:7:55:704 280 DetectCureTDL3: IrpHandler (21) addr: F9CDF9F2
3:7:55:704 280 DetectCureTDL3: IrpHandler (22) addr: F9CDF9F2
3:7:55:704 280 DetectCureTDL3: IrpHandler (23) addr: F9CDF9F2
3:7:55:704 280 DetectCureTDL3: IrpHandler (24) addr: F9CDF9F2
3:7:55:704 280 DetectCureTDL3: IrpHandler (25) addr: F9CDF9F2
3:7:55:704 280 DetectCureTDL3: IrpHandler (26) addr: F9CDF9F2
3:7:55:704 280 DetectCureTDL3: All IRP handlers pointed to one addr: F9CDF9F2
3:7:55:704 280 KLMD_ReadMem: Trying to ReadMemory 0xF9CDF9F2[0x400]
3:7:55:704 280 TDL3_IrpHookDetect: TDL3 Stub signature found, trying to get hook true addr
3:7:55:704 280 KLMD_ReadMem: Trying to ReadMemory 0xFFDF0308[0x4]
3:7:55:704 280 KLMD_ReadMem: Trying to ReadMemory 0x8116C394[0x4]
3:7:55:704 280 TDL3_IrpHookDetect: New IrpHandler addr: 8115CF61
3:7:55:704 280 KLMD_ReadMem: Trying to ReadMemory 0x8115CF61[0x400]
3:7:55:704 280 TDL3_IrpHookDetect: CheckParameters: 10, FFDF0308, 510, 134, 3, 120
3:7:55:704 280 Driver "atapi" Irp handler infected by TDSS rootkit ... 3:7:55:704 280 KLMD_WriteMem: Trying to WriteMemory 0x8115CFE7[0xD]
3:7:55:704 280 cured
3:7:55:704 280 KLMD_ReadMem: Trying to ReadMemory 0xF9CDD7C6[0x400]
3:7:55:704 280 TDL3_StartIoHookDetect: CheckParameters: 0, 0, 229, 0
3:7:55:704 280 TDL3_FileDetect: Processing driver: atapi
3:7:55:704 280 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\atapi.sys, C:\WINDOWS\system32\Drivers\tsk_atapi.sys, SYSTEM\CurrentControlSet\Services\atapi, system32\Drivers\tsk_atapi.sys
3:7:55:704 280 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\atapi.sys
3:7:55:704 280 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\atapi.sys
3:7:55:704 280 File C:\WINDOWS\system32\drivers\atapi.sys infected by TDSS rootkit ... 3:7:55:704 280 TDL3_FileCure: Processing driver file: C:\WINDOWS\system32\drivers\atapi.sys
3:7:55:704 280 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\atapi.sys
3:7:55:704 280 TDL3_FileCure: Dumping cured buffer to file C:\WINDOWS\system32\Drivers\tsk_atapi.sys
3:7:55:751 280 TDL3_FileCure: Image path (system32\Drivers\tsk_atapi.sys) was set for service (SYSTEM\CurrentControlSet\Services\atapi)
3:7:55:751 280 TDL3_FileCure: KLMD_PendCopyFileW (C:\WINDOWS\system32\Drivers\tsk_atapi.sys, C:\WINDOWS\system32\drivers\atapi.sys) success
3:7:55:751 280 will be cured on next reboot
3:7:55:751 280
Completed

Results:
3:7:55:751 280 Infected objects in memory: 1
3:7:55:751 280 Cured objects in memory: 1
3:7:55:751 280 Infected objects on disk: 1
3:7:55:751 280 Objects on disk cured on reboot: 1
3:7:55:751 280 Objects on disk deleted on reboot: 0
3:7:55:751 280 Registry nodes deleted on reboot: 0
3:7:55:751 280


Première règle élémentaire de sécurité : on réfléchit puis on clic et pas l'inverse - Les fichiers/programmes c'est comme les bonbons, quand ça vient d'un inconnu, on n'accepte pas

Sécuriser son ordinateur (version courte)

Tutoriels Logiciels - Tutoriel Windows - Windows 10

Stop publicités - popups intempestives
supprimer-trojan.com : guide de suppression de malwares

Partagez malekal.com : n'hésitez pas à partager sur Facebook et GooglePlus les articles qui vous plaisent.


Avatar de l’utilisateur
Malekal_morte
Site Admin
Site Admin
Messages : 91999
Inscription : 10 sept. 2005 13:57
Contact :

Re: load_tdsskiller

Message par Malekal_morte » 19 févr. 2010 10:25

Un peu à la rue le Killer de KAV :\
Pièces jointes
KAV_TDSSKiller.png
Première règle élémentaire de sécurité : on réfléchit puis on clic et pas l'inverse - Les fichiers/programmes c'est comme les bonbons, quand ça vient d'un inconnu, on n'accepte pas

Sécuriser son ordinateur (version courte)

Tutoriels Logiciels - Tutoriel Windows - Windows 10

Stop publicités - popups intempestives
supprimer-trojan.com : guide de suppression de malwares

Partagez malekal.com : n'hésitez pas à partager sur Facebook et GooglePlus les articles qui vous plaisent.

Avatar de l’utilisateur
Malekal_morte
Site Admin
Site Admin
Messages : 91999
Inscription : 10 sept. 2005 13:57
Contact :

Re: load_tdsskiller

Message par Malekal_morte » 19 févr. 2010 10:29

c'est mieux pour le TLD 2 PDT_001
Pièces jointes
hihiKAV.png
Première règle élémentaire de sécurité : on réfléchit puis on clic et pas l'inverse - Les fichiers/programmes c'est comme les bonbons, quand ça vient d'un inconnu, on n'accepte pas

Sécuriser son ordinateur (version courte)

Tutoriels Logiciels - Tutoriel Windows - Windows 10

Stop publicités - popups intempestives
supprimer-trojan.com : guide de suppression de malwares

Partagez malekal.com : n'hésitez pas à partager sur Facebook et GooglePlus les articles qui vous plaisent.


Répondre

Revenir vers « Programmes utiles »