Tuesday, July 30, 2013

All downloaded files are seen as viruses by Windows Defender.

After searching the internet, I found this site, which describes how to fix the problem.

http://blog.crosbydrive.com/?p=411

Note that Malwarebytes Anti-Rootkit (http://www.malwarebytes.org/products/mbar/) now seems to identify and fix the problem. However, according to a comment from my friend Simon, there seem to be some extra steps to perform with Microsoft Security Essentials.

"Indeed, mbam antirootkit did the job, it restored Windows Defender; I had to scrap Microsoft Security Essentials by hand from a portable Windows 7 (like ERD Commander). Reinstalled MSE and it stopped telling me that everything was infected on download."

Here is a copy of the blog's text, in case the blog ever disappears:

This was a computer with a nasty virus on it that attacked Microsoft Security Essentials and Windows Defender. The problem here has to do with Windows Defender but the little bugger did the same thing to both. You might notice that MSE can’t be uninstalled or removed in any way. Regardless of the MSE problem, IE is complaining because the virus has damaged Windows Defender. I will assume you have worked out your problems with MSE already.
The problem is that the virus writer has used symbolic links to point the Windows Defender files and folders at the registry folder, so “running” any file in C:/program files/windows defender actually tries to open C:/windows/system32/config. If you are a technician and want a detailed analysis and probably a more elegant solution, take a look at this thread at Foolish IT. What I ended up doing is a bit convoluted, there might be some short cuts but it worked:
  1. From a machine running the same version of Windows (must be same bus width, 64 or 32), copy the files from c:/Program Files/Windows Defender to a flash drive (don’t copy the folder en-US).
  2. Boot to Startup Repair
  3. Open a Command Prompt
  4. Rename C:/program files/Windows Defender to C:/program files/BADWD
  5. Make a copy of the C:/Windows/System32/config folder, call it configbackup (double and triple check that this copy has been successful)
  6. Use a *nix live CD to boot the problem computer, I used Ubuntu
  7. In Ubuntu, delete c:/Windows/System32/config (see why you need to triple-check that you have a good backup?)
  8. Now, delete all the files and folders in c:/program files/BADWD and then delete that folder
  9. Make a(nother) copy of c:/windows/system32/configbackup, if you do a copy and paste it should be called configbackup (Copy 1)
  10. Rename configbackup (Copy 1) to config
  11. Reboot the computer into Windows (here’s where you find out if your copy commands were all good)
  12. If you’re still in the game, reboot again into Startup Repair
  13. Run SFC /scannow (using the OFFBOOTDIR and OFFWINDIR switches). This will partially create the Windows Defender folder but not the files in it. This command will actually fail, alas I do not have a solution for this other than to reinstall Windows
  14. Reboot to Windows and copy the file from your flash drive to the C:/Program Files/Windows Defender folder
  15. Run MSASCui
You can now download using IE and Windows Defender is once again functional (but imperfect). As we have not got the permissions sorted, this could have downstream impacts that I can anticipate, moreover, it probably leaves Windows Defender vulnerable to further attacks. You might want to check whether Windows Update works, as it is sensitive to Windows Defender problems.
After the above fix, I got an error 0x80071a91 and Windows Update failed. If this happens to you (and it probably will) you can find the fix here (by 1bug): http://forums.whirlpool.net.au/archive/2007914. I hope that link stays OK, if it doesn’t the TL;dr is to Reset the File System Resource Manager and Reset CLFS Transaction Logs (you need to do both).
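The quoted post says the infection worked by turning the Windows Defender files and folders into symbolic links aimed at C:\Windows\System32\config. The following PowerShell script is an added example, not code from this post or from the blog it copies: it lists every reparse point (symbolic link or junction) under the Windows Defender and MSE program folders, reports where each one points, and flags any that lead into the registry hive directory, so the redirection can be confirmed before doing any offline surgery. It assumes the default install paths on Windows 7/8, PowerShell 3.0 or newer, and an elevated prompt; the folder list and the Remove-ReparsePointOnly helper are my own additions.

```powershell
# Added example, not code from the original post or the blog it quotes.
# Audit the Windows Defender / MSE program folders for reparse points
# (symbolic links or junctions) and report where each one points.
# Assumes default install paths and PowerShell 3.0+, run from an elevated
# prompt. Nothing here modifies the disk unless Remove-ReparsePointOnly is
# called explicitly (it prompts before acting).

$Folders = @(
    "$env:ProgramFiles\Windows Defender",
    "$env:ProgramFiles\Microsoft Security Client"   # MSE install folder (assumed)
)
$HiveDir = Join-Path $env:SystemRoot 'System32\config'

function Get-ReparsePointReport {
    param([string[]]$Path, [string]$DangerTarget)
    foreach ($root in $Path) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        # The folder itself may be the link, so inspect it as well as its children.
        $items = @(Get-Item -LiteralPath $root -Force) +
                 @(Get-ChildItem -LiteralPath $root -Recurse -Force `
                     -Attributes ReparsePoint -ErrorAction SilentlyContinue)
        foreach ($item in $items) {
            if (-not ($item.Attributes -band [IO.FileAttributes]::ReparsePoint)) { continue }
            # PowerShell 5.1+ exposes .Target / .LinkType; on older hosts ask fsutil.
            $target = [string]$item.Target
            if (-not $target) {
                $target = (& fsutil reparsepoint query $item.FullName |
                           Select-String 'Substitute Name|Print Name') -join '; '
            }
            [pscustomobject]@{
                Path      = $item.FullName
                LinkType  = $item.LinkType
                Target    = $target
                Dangerous = ($target -like "*$DangerTarget*")
            }
        }
    }
}

function Remove-ReparsePointOnly {
    # Strips the reparse data and leaves an ordinary (empty) directory or file
    # behind. Do NOT use Remove-Item -Recurse on such a link: some PowerShell
    # versions follow it and would delete the registry hives themselves.
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param([Parameter(Mandatory)][string]$LiteralPath)
    if ($PSCmdlet.ShouldProcess($LiteralPath, 'fsutil reparsepoint delete')) {
        & fsutil reparsepoint delete $LiteralPath
    }
}

$report = Get-ReparsePointReport -Path $Folders -DangerTarget $HiveDir
if (-not $report) {
    'No reparse points found under the scanned folders.'
} else {
    $report | Format-Table -AutoSize
    $report | Where-Object Dangerous | ForEach-Object {
        "Redirects into the registry hive directory: $($_.Path) -> $($_.Target)"
    }
}
```

The point of removing only the reparse data (fsutil reparsepoint delete, or cmd's rmdir on a directory link) rather than deleting the folder is that a link to System32\config must never be deleted with a tool that follows links; that is why the quoted procedure had to boot Ubuntu and keep a verified backup of config before touching anything. Run the report first, and only consider Remove-ReparsePointOnly on an entry the report marked Dangerous.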
