
unauthorized user rights modifications?

experts,

I just saw the following in my McAfee Access Protection log:

1) Would be blocked by Access Protection rule (rule is currently not enforced); C:\Program Files\Internet Explorer\iexplore.exe; C:\Documents and Settings\PC\Local Settings\Temporary Internet Files\Content.IE5\P71VJADC\iaa23_enu[1].exe; Common Standard Protection:Prevent common programs from running files from the Temp folder; Action blocked : Execute

2) Would be blocked by Access Protection rule (rule is currently not enforced); C:\WINDOWS\Explorer.EXE; C:\Documents and Settings\PC\Local Settings\Temp\pft3~tmp\Disk1\Setup.exe; Common Standard Protection:Prevent common programs from running files from the Temp folder; Action blocked : Execute

3) Blocked by Access Protection rule; C:\WINDOWS\Explorer.EXE; \REGISTRY\MACHINE\System\CurrentControlSet\Control\LSA; Anti-virus Standard Protection:Prevent user rights policies from being altered; Action blocked : Write

4) Blocked by Access Protection rule; C:\WINDOWS\Explorer.EXE; \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\LSA; Anti-virus Standard Protection:Prevent user rights policies from being altered; Action blocked : Write

5) Blocked by Access Protection rule; C:\WINDOWS\Explorer.EXE; \REGISTRY\MACHINE\System\CurrentControlSet\Control\LSA; Anti-virus Standard Protection:Prevent user rights policies from being altered; Action blocked : Write

6) Blocked by Access Protection rule; C:\WINDOWS\Explorer.EXE; \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\LSA; Anti-virus Standard Protection:Prevent user rights policies from being altered; Action blocked : Write


Any assistance would be much appreciated.

Paul
Hi,

iaa23_enu.exe = Intel® Application Accelerator Performance Software
Don't worry about that.

Your McAfee AV prevents downloaded programs from being executed from their temp folder.
It's just a security measure. When you want to execute a downloaded file, just save it on the desktop, for example, and then run it.

Don't really know about the rest. Do you have any virus alert?
Thanks for your quick reply.

No virus alert, but indications that my McAfee files and settings have been modified. My security log has had SeAuditPrivilege lines recently. If spyware is behind this, then whoever designed it made concerted efforts to disguise its presence. One thing that may help: on booting, my desktop flashes as Explorer loads (possibly indicating Explorer spoofing?). Svchost is using 25k on average and my hard drive is running when my use of the computer is "idle". I hope I have provided enough information.

Paul
Do you speak French or English?

You can download a great little piece of software called 'GMER': http://www.gmer.net/index.php
It will give you real information about your processes, files, startup items, even hidden processes and files.

Answer here if you see something strange.
Hello,

That is a cool and very useful little tool. Good question: I speak both French and English, so feel free to use whatever is easier (I tend to use English when describing technical details about computers).

Below are the results of the scan. Is all that McAfee activity normal?

Thank you,

Paul

GMER 1.0.14.14205 - http://www.gmer.net
Rootkit scan 2008-03-30 20:57:08
Windows 5.1.2600 Service Pack 3, v.3311


---- System - GMER 1.0.14 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xF20EF57B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xF20EF4FB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xF20EF5A5]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xF20EF50F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xF20EF53B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xF20EF5CF]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xF20EF4E7]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xF20EF58F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xF20EF525]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xF20EF551]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xF20EF567]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xF20EF5E5]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xF20EF5B9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

---- EOF - GMER 1.0.14 ----
Everything seems OK.
As long as you don't have any red lines, it's OK.
But to be sure, you can check each process name in the Process tab (copy-paste it into Google).
Hi again,

I just found more information that may be helpful (from the McAfee Enterprise 8.5 On-Access Scanner log). I hope it helps troubleshoot a potential security vulnerability.

4/10/2008 2:43:25 AM
Blocked by Access Protection rule
PAUL\PC
C:\WINDOWS\system32\rundll32.exe
\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Control\LSA
Anti-virus Standard Protection:Prevent user rights policies from being altered; Action blocked : Write

4/10/2008 2:43:33 AM
Blocked by Access Protection rule
NT AUTHORITY\SYSTEM
C:\WINDOWS\System32\svchost.exe
\Registry\Machine\System\CurrentControlSet\Services\LanmanServer\Parameters
Anti-virus Standard Protection:Prevent user rights policies from being altered; Action blocked : Write

4/10/2008 2:43:42 AM
Blocked by Access Protection rule
PAUL\PC
C:\WINDOWS\system32\rundll32.exe
\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Control\LSA
Anti-virus Standard Protection:Prevent user rights policies from being altered; Action blocked : Write

4/10/2008 4:26:48 PM
Blocked by Access Protection rule
PAUL\PC
C:\WINDOWS\Explorer.EXE
\REGISTRY\MACHINE\System\CurrentControlSet\Control\LSA
Anti-virus Standard Protection:Prevent user rights policies from being altered; Action blocked : Write

4/10/2008 4:26:52 PM
Blocked by Access Protection rule
PAUL\PC
C:\WINDOWS\Explorer.EXE
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\LSA
Anti-virus Standard Protection:Prevent user rights policies from being altered; Action blocked : Write

4/10/2008 4:27:04 PM
Blocked by Access Protection rule
PAUL\PC
C:\WINDOWS\Explorer.EXE
\REGISTRY\MACHINE\System\CurrentControlSet\Control\LSA
Anti-virus Standard Protection:Prevent user rights policies from being altered; Action blocked : Write

4/10/2008 4:27:05 PM
Blocked by Access Protection rule
PAUL\PC
C:\WINDOWS\Explorer.EXE
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\LSA
Anti-virus Standard Protection:Prevent user rights policies from being altered; Action blocked : Write

4/10/2008 4:31:51 PM
Blocked by Access Protection rule
PAUL\PC
C:\WINDOWS\Explorer.EXE
\REGISTRY\MACHINE\System\CurrentControlSet\Control\LSA
Anti-virus Standard Protection:Prevent user rights policies from being altered; Action blocked : Write

4/10/2008 4:31:52 PM
Blocked by Access Protection rule
PAUL\PC
C:\WINDOWS\Explorer.EXE
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\LSA
Anti-virus Standard Protection:Prevent user rights policies from being altered; Action blocked : Write

4/10/2008 4:53:51 PM
Blocked by Access Protection rule
PAUL\PC
C:\WINDOWS\Explorer.EXE
\REGISTRY\MACHINE\System\CurrentControlSet\Control\LSA
Anti-virus Standard Protection:Prevent user rights policies from being altered; Action blocked : Write

4/10/2008 4:53:52 PM
Blocked by Access Protection rule
PAUL\PC
C:\WINDOWS\Explorer.EXE
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\LSA
Anti-virus Standard Protection:Prevent user rights policies from being altered; Action blocked : Write
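The thread turns on two kinds of Access Protection record: the "Would be blocked ... (rule is currently not enforced)" entries for installers launched from a Temp folder, which the first reply explains are expected for downloaded software, and the enforced "Blocked" entries for writes to the LSA policy key, which are the ones worth following up. The script below is an added example, not code from the thread or from McAfee: it parses the multi-line record layout Paul pasted (timestamp, status, user, process, target, rule with "Action blocked : X") and triages each record the way the replies do, separating informational Temp-folder executions from policy-key writes, and splitting the latter by whether an interactive user process or a system service made the attempt. The three sample records and the triage categories are my own construction, modelled on the entries in the thread; the record layout is an assumption taken from the pasted log, so check it against your own export before relying on the parser.

```python
"""Triage McAfee VirusScan Enterprise Access Protection log records.

Added example (not from the forum thread or McAfee). Field layout is
assumed from the multi-line records pasted in the thread:
  timestamp / status / user / process / target / "rule; Action blocked : X"
Records are separated by a blank line.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample records, loosely modelled on the entries in the thread.
SAMPLE_LOG = r"""
4/10/2008 2:43:25 AM
Blocked by Access Protection rule
PAUL\PC
C:\WINDOWS\system32\rundll32.exe
\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Control\LSA
Anti-virus Standard Protection:Prevent user rights policies from being altered; Action blocked : Write

4/10/2008 2:43:33 AM
Blocked by Access Protection rule
NT AUTHORITY\SYSTEM
C:\WINDOWS\System32\svchost.exe
\Registry\Machine\System\CurrentControlSet\Services\LanmanServer\Parameters
Anti-virus Standard Protection:Prevent user rights policies from being altered; Action blocked : Write

4/10/2008 4:26:48 PM
Would be blocked by Access Protection rule (rule is currently not enforced)
PAUL\PC
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\PC\Local Settings\Temporary Internet Files\Content.IE5\P71VJADC\iaa23_enu[1].exe
Common Standard Protection:Prevent common programs from running files from the Temp folder; Action blocked : Execute
""".strip()


@dataclass(frozen=True)
class ApEvent:
    timestamp: str
    enforced: bool      # True for "Blocked", False for "Would be blocked (not enforced)"
    user: str
    process: str
    target: str         # file path or registry key the process touched
    rule: str
    action: str         # Write, Execute, ...


# Last line of a record: "<rule name>; Action blocked : <verb>"
RULE_RE = re.compile(r"^(?P<rule>.+?);\s*Action blocked\s*:\s*(?P<action>\w+)\s*$")

# Keys guarded by the "Prevent user rights policies from being altered" rule in the
# thread: LSA (authentication / user-rights policy) and the file-server parameters.
SENSITIVE_KEY_RE = re.compile(
    r"\\Control\\LSA(\\|$)|\\Services\\LanmanServer\\Parameters", re.IGNORECASE)


def parse_record(block: str) -> ApEvent:
    """Turn one six-line record into an ApEvent; raise on an unexpected layout."""
    lines = [ln.strip() for ln in block.strip().splitlines() if ln.strip()]
    if len(lines) != 6:
        raise ValueError(f"expected 6 fields, got {len(lines)}: {lines!r}")
    timestamp, status, user, process, target, rule_line = lines
    match = RULE_RE.match(rule_line)
    if not match:
        raise ValueError(f"unparseable rule line: {rule_line!r}")
    enforced = not status.lower().startswith("would be blocked")
    return ApEvent(timestamp, enforced, user, process, target,
                   match["rule"], match["action"])


def parse_log(text: str) -> list:
    """Split a pasted log on blank lines and parse every record."""
    return [parse_record(b) for b in re.split(r"\n\s*\n", text.strip()) if b.strip()]


def triage(event: ApEvent) -> tuple:
    """Classify a record as ('info' | 'review' | 'investigate', reason)."""
    if event.rule.startswith("Common Standard Protection:") and event.action == "Execute":
        # Installer run from a Temp folder: normal for downloaded software, as the
        # first reply in the thread notes; the user just needs to recognise the file.
        return "info", "executable launched from a Temp folder; confirm it is a file you downloaded"
    if SENSITIVE_KEY_RE.search(event.target) and event.action == "Write":
        if event.user.upper().startswith("NT AUTHORITY\\"):
            # A service account touching policy keys is usually Windows itself
            # (updates, service configuration); correlate with timestamps before acting.
            return "review", "system service wrote to a policy key; correlate with updates or service changes"
        # An interactive user's process (explorer, rundll32) trying to rewrite
        # user-rights policy is the case the thread asks about: worth a closer look.
        return "investigate", "user process attempted to change user-rights policy"
    return "review", "rule not recognised by this script; check the rule name in the AP policy"


def summarize(events: list) -> Counter:
    """Count enforced blocks per (process, target) so repeated attempts stand out."""
    return Counter((e.process.lower(), e.target.lower()) for e in events if e.enforced)


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for ev in parsed:
        level, why = triage(ev)
        print(f"{ev.timestamp:22} {level:12} {ev.process} -> {ev.target}: {why}")
    for (proc, tgt), n in summarize(parsed).most_common():
        print(f"{n}x  {proc} -> {tgt}")
```

Run it on a saved copy of the log and the repeated Explorer.EXE and rundll32.exe writes to the LSA keys collapse into a short count per process, which is the view you want when deciding whether a pattern like the one in the thread is a single stray installer or something that keeps retrying.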
Following a proxy server problem with MSN Live Messenger, I would like to add the program:
MSNmsgr.exe
to the Avast firewall. What is the procedure? Please.
Thanks.