McAfee Avert Labs Rootkit Detective Beta

by Malekal_morte »

McAfee has just released its anti-rootkit in Beta: http://vil.nai.com/vil/stinger/

It is able to detect hidden processes as well as services and drivers.

McAfee Anti-rootkit seems to be able to detect the driver and service of the Pe386 rootkit.

[Image] and [Image]

The program can rename or delete the detected process or service.
Just tick the item in the list and click the Rename or Delete button.

I tried to delete the rootkit, but after the reboot (deletion requires a reboot) the service seems to have been renamed and the rootkit's service is still present. Here you can see the two attempts at renamed services.

[Image]


Note that a report is created during the scan:
[Image]

Here is an example report:
McAfee(R) Rootkit Detective 1.0 Beta scan report
On 08-01-2007 at 21:11:14
OS-Version 5.1.2600
Service Pack 2.0
====================================

Object-Type: Registry-key
Object-Name: pe386fee(R) Rootkit Detective 1.0 Beta scan report

Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\pe386
Status: Hidden

Object-Type: Registry-value
Object-Name: (Default)
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\pe386.REN.REN
Status: Unable to access registry key

Object-Type: Registry-key
Object-Name: EnumEM\ControlSet001\Services\pe386.REN.REN
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\pe386.REN.REN\Enum
Status: Hidden

Object-Type: Registry-value
Object-Name: (Default)
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\pe386.REN.REN\Enum
Status: Unable to access registry key

Object-Type: Registry-value
Object-Name: 0
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\pe386.REN.REN\Enum
Status: Hidden

Object-Type: Registry-value
Object-Name: Count
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\pe386.REN.REN\Enum
Status: Hidden

Object-Type: Registry-value
Object-Name: NextInstance
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\pe386.REN.REN\Enum
Status: Hidden

Object-Type: Registry-value
Object-Name: Type
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\pe386.REN.REN
Status: Hidden

Object-Type: Registry-value
Object-Name: Start
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\pe386.REN.REN
Status: Hidden

Object-Type: Registry-value
Object-Name: ErrorControl
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\pe386.REN.REN
Status: Hidden

Object-Type: Registry-value
Object-Name: ImagePath
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\pe386.REN.REN
Status: Hidden

Object-Type: Registry-value
Object-Name: DisplayName
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\pe386.REN.REN
Status: Hidden

Object-Type: Registry-value
Object-Name: Group
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\pe386.REN.REN
Status: Hidden

Object-Type: Registry-value
Object-Name: ExtParam
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\pe386.REN.REN
Status: Hidden

Object-Type: Registry-key
Object-Name: pe386M\ControlSet001\Services\pe386.REN.REN
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\pe386
Status: Hidden

Object-Type: Registry-value
Object-Name: (Default)
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\pe386.REN.REN
Status: Unable to access registry key

Object-Type: Registry-key
Object-Name: pe386M\ControlSet002\Services\pe386.REN.REN
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\pe386
Status: Hidden

Object-Type: Registry-value
Object-Name: (Default)
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\pe386.REN.REN
Status: Unable to access registry key

Object-Type: Registry-key
Object-Name: EnumEM\ControlSet001\Services\pe386.REN.REN
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\pe386.REN.REN\Enum
Status: Hidden

Object-Type: Registry-value
Object-Name: (Default)
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\pe386.REN.REN\Enum
Status: Unable to access registry key

Object-Type: Registry-value
Object-Name: 0
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\pe386.REN.REN\Enum
Status: Hidden

Object-Type: Registry-value
Object-Name: Count
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\pe386.REN.REN\Enum
Status: Hidden

Object-Type: Registry-value
Object-Name: NextInstance
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\pe386.REN.REN\Enum
Status: Hidden

Object-Type: Registry-value
Object-Name: Type
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\pe386.REN.REN
Status: Hidden

Object-Type: Registry-value
Object-Name: Start
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\pe386.REN.REN
Status: Hidden

Object-Type: Registry-value
Object-Name: ErrorControl
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\pe386.REN.REN
Status: Hidden

Object-Type: Registry-value
Object-Name: ImagePath
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\pe386.REN.REN
Status: Hidden

Object-Type: Registry-value
Object-Name: DisplayName
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\pe386.REN.REN
Status: Hidden

Object-Type: Registry-value
Object-Name: Group
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\pe386.REN.REN
Status: Hidden

Object-Type: Registry-value
Object-Name: ExtParam
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\pe386.REN.REN
Status: Hidden

Object-Type: File/Folder
Object-Name: System Idle Process
Pid: n/a
Object-Path: System Idle Process
Status: Visible

Object-Type: Process
Object-Name: System
Pid: 4
Object-Path:
Status: Visible

Object-Type: Process
Object-Name: svchost.exe
Pid: 1036
Object-Path: C:\WINDOWS\system32\svchost.exe
Status: Visible

Object-Type: Process
Object-Name: wuauclt.exe
Pid: 1804
Object-Path: C:\WINDOWS\system32\wuauclt.exe
Status: Visible

Object-Type: Process
Object-Name: svchost.exe
Pid: 1324
Object-Path: C:\WINDOWS\system32\svchost.exe
Status: Visible

Object-Type: Process
Object-Name: svchost.exe
Pid: 848
Object-Path: C:\WINDOWS\system32\svchost.exe
Status: Visible

Object-Type: Process
Object-Name: spoolsv.exe
Pid: 1632
Object-Path: C:\WINDOWS\system32\spoolsv.exe
Status: Visible

Object-Type: Process
Object-Name: csrss.exe
Pid: 616
Object-Path: C:\WINDOWS\system32\csrss.exe
Status: Visible

Object-Type: Process
Object-Name: smss.exe
Pid: 372
Object-Path: C:\WINDOWS\system32\smss.exe
Status: Visible

Object-Type: Process
Object-Name: winlogon.exe
Pid: 640
Object-Path: C:\WINDOWS\system32\winlogon.exe
Status: Visible

Object-Type: Process
Object-Name: wscntfy.exe
Pid: 1160
Object-Path: C:\WINDOWS\system32\wscntfy.exe
Status: Visible

Object-Type: Process
Object-Name: explorer.exe
Pid: 1424
Object-Path: C:\WINDOWS\explorer.exe
Status: Visible

Object-Type: Process
Object-Name: Rootkit_Detecti
Pid: 168
Object-Path: C:\Documents and Settings\thib\Desktop\Rootkit_Detective.exe
Status: Visible

Object-Type: Process
Object-Name: services.exe
Pid: 684
Object-Path: C:\WINDOWS\system32\services.exe
Status: Visible

Object-Type: Process
Object-Name: svchost.exe
Pid: 940
Object-Path: C:\WINDOWS\system32\svchost.exe
Status: Visible

Object-Type: Process
Object-Name: lsass.exe
Pid: 696
Object-Path: C:\WINDOWS\system32\lsass.exe
Status: Visible

Object-Type: Process
Object-Name: svchost.exe
Pid: 1212
Object-Path: C:\WINDOWS\system32\svchost.exe
Status: Visible

Object-Type: Process
Object-Name: IceSword.exe
Pid: 1740
Object-Path:
Status: Visible

Object-Type: Process
Object-Name: VMwareUser.exe
Pid: 1756
Object-Path: C:\Program Files\VMware\VMware Tools\VMwareUser.exe
Status: Visible

Object-Type: Process
Object-Name: VMwareService.e
Pid: 244
Object-Path: C:\Program Files\VMware\VMware Tools\VMwareService.exe
Status: Visible

Object-Type: Process
Object-Name: ctfmon.exe
Pid: 1784
Object-Path: C:\WINDOWS\system32\ctfmon.exe
Status: Visible

Object-Type: Process
Object-Name: alg.exe
Pid: 1020
Object-Path: C:\WINDOWS\system32\alg.exe
Status: Visible
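As an added example (not code from the original post, nor from McAfee): a small Python parser for the report layout shown above. It reads the blank-line-separated "Field: value" records, uses Object-Path rather than Object-Name as each object's identity (the Object-Name field of the registry-key records in the posted report looks overwritten), groups hidden and unreadable registry entries by service key across control sets, and counts the ".REN" suffixes that the two rename attempts left on the pe386 key. SAMPLE_REPORT is a constructed excerpt in the layout of the posted report; that layout, and the assumption that Rename appends ".REN" to the key name, are inferred from the report itself, not from any McAfee documentation.

```python
"""Parse a McAfee Rootkit Detective 1.0 Beta scan report and summarise
what it found.  Added example for this thread; not McAfee code.  The
record layout (blank-line-separated 'Field: value' blocks after a rule
of '=' characters) is inferred from the report posted above."""
import re
from collections import defaultdict

# Constructed excerpt in the posted report's layout.  Object-Name is not
# relied on: in the posted report that field looks overwritten for the
# registry-key records, so Object-Path is used as the identity instead.
SAMPLE_REPORT = """McAfee(R) Rootkit Detective 1.0 Beta scan report
On 08-01-2007 at 21:11:14
OS-Version 5.1.2600
Service Pack 2.0
====================================

Object-Type: Registry-key
Object-Name: pe386
Object-Path: HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\pe386
Status: Hidden

Object-Type: Registry-value
Object-Name: (Default)
Object-Path: HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\pe386.REN.REN
Status: Unable to access registry key

Object-Type: Registry-value
Object-Name: ImagePath
Object-Path: HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\pe386.REN.REN
Status: Hidden

Object-Type: Registry-key
Object-Name: pe386
Object-Path: HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\Services\\pe386
Status: Hidden

Object-Type: Process
Object-Name: svchost.exe
Pid: 1036
Object-Path: C:\\WINDOWS\\system32\\svchost.exe
Status: Visible
"""

HEADER_RULE_RE = re.compile(r"^=+[ \t]*$", re.MULTILINE)
SERVICE_KEY_RE = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SYSTEM\\(ControlSet\d{3}|CurrentControlSet)\\Services\\([^\\]+)",
    re.IGNORECASE,
)
# Assumption (from the posted report): each Rename appends ".REN" to the key name.
REN_SUFFIX_RE = re.compile(r"(\.REN)+$", re.IGNORECASE)


def parse_report(text):
    """Return one dict per object record; the header above the '=' rule is skipped."""
    body = HEADER_RULE_RE.split(text, maxsplit=1)[-1]
    records = []
    for block in re.split(r"\n[ \t]*\n", body.strip()):
        rec = {}
        for line in block.splitlines():
            field, sep, value = line.partition(":")  # first colon only: paths contain ':'
            if sep:
                rec[field.strip()] = value.strip()
        if "Object-Type" in rec:
            records.append(rec)
    return records


def service_identity(path):
    """Map a ...\\Services\\<key> path to (control_set, base_name, rename_suffixes).

    'pe386.REN.REN' under ControlSet001 maps to ('ControlSet001', 'pe386', 2).
    Returns None for paths that are not service keys (files, processes, other hives)."""
    m = SERVICE_KEY_RE.match(path)
    if not m:
        return None
    control_set, key = m.group(1), m.group(2)
    base = REN_SUFFIX_RE.sub("", key)
    suffixes = (len(key) - len(base)) // len(".REN")
    return control_set, base.lower(), suffixes


def summarize(text):
    """Count statuses overall and, per service key, hidden and unreadable entries,
    the control sets it appears in, and the longest '.REN' rename trail seen."""
    status_counts = defaultdict(int)
    services = {}
    for rec in parse_report(text):
        status = rec.get("Status", "")
        status_counts[status] += 1
        if not rec.get("Object-Type", "").startswith("Registry"):
            continue
        ident = service_identity(rec.get("Object-Path", ""))
        if ident is None:
            continue
        control_set, name, suffixes = ident
        entry = services.setdefault(name, {
            "control_sets": set(), "hidden_entries": 0,
            "unreadable_entries": 0, "max_rename_suffixes": 0,
        })
        entry["control_sets"].add(control_set)
        entry["max_rename_suffixes"] = max(entry["max_rename_suffixes"], suffixes)
        if status == "Hidden":
            entry["hidden_entries"] += 1
        elif status != "Visible":
            entry["unreadable_entries"] += 1
    return {"status_counts": dict(status_counts), "services": services}


def suspicious_services(summary):
    """Service keys with at least one hidden entry: the ones to verify from
    outside the running OS (offline hive, boot from clean media)."""
    return sorted(n for n, e in summary["services"].items() if e["hidden_entries"])


if __name__ == "__main__":
    s = summarize(SAMPLE_REPORT)
    print("statuses:", s["status_counts"])
    for name in suspicious_services(s):
        e = s["services"][name]
        print(f"{name}: hidden={e['hidden_entries']} unreadable={e['unreadable_entries']} "
              f"control_sets={sorted(e['control_sets'])} rename_trail={e['max_rename_suffixes']}")
```

Run it on a full report with summarize(open(path).read()). A service key that is still reported Hidden in both ControlSet001 and ControlSet002 after a rename, as in the post, suggests the rootkit is still loaded and still hiding its key; the ".REN" trail only records the attempts, so the next step is to check the hive from outside the running system rather than trusting the in-OS rename or delete.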
Re: McAfee Avert Labs Rootkit Detective Beta

by Mr Strange »

Hello,

The correct link to the software is this one: http://vil.nai.com/vil/stinger/rkstinger.aspx

Regards.
