GMER log analysis
Hi, I'm new to the forum. I ran a scan with GMER; can someone help me decipher it? I'm a beginner. Thanks
GMER 1.0.15.15087 -
Rootkit scan 2009-09-18 13:05:04
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\PASQUA~1.000\IMPOST~1\Temp\pwtyakob.sys
---- System - GMER 1.0.15 ----
SSDT 85485410 ZwAlertResumeThread
SSDT 85485B10 ZwAlertThread
SSDT 8547FC58 ZwAllocateVirtualMemory
SSDT 8548C8A0 ZwAssignProcessToJobObject
SSDT 84EB02E0 ZwConnectPort
SSDT ??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xF41EF130]
SSDT 85477308 ZwCreateMutant
SSDT 85495DE8 ZwCreateSymbolicLinkObject
SSDT 8545DFB0 ZwCreateThread
SSDT 854724E8 ZwDebugActiveProcess
SSDT ??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xF41EF3B0]
SSDT ??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xF41EF910]
SSDT 854804F8 ZwDuplicateObject
SSDT spvt.sys ZwEnumerateKey [0xF738ECA2]
SSDT spvt.sys ZwEnumerateValueKey [0xF738F030]
SSDT 8547F968 ZwFreeVirtualMemory
SSDT 85477650 ZwImpersonateAnonymousToken
SSDT 85477EC8 ZwImpersonateThread
SSDT 85405B28 ZwLoadDriver
SSDT 8547F800 ZwMapViewOfSection
SSDT 85476F90 ZwOpenEvent
SSDT spvt.sys ZwOpenKey [0xF73700C0]
SSDT 854808D0 ZwOpenProcess
SSDT 8545EE00 ZwOpenProcessToken
SSDT 85476728 ZwOpenSection
SSDT 85480608 ZwOpenThread
SSDT 85495F58 ZwProtectVirtualMemory
SSDT spvt.sys ZwQueryKey [0xF738F108]
SSDT spvt.sys ZwQueryValueKey [0xF738EF88]
SSDT 85456DD8 ZwResumeThread
SSDT 85486E00 ZwSetContextThread
SSDT 85478FC0 ZwSetInformationProcess
SSDT 85472D10 ZwSetSystemInformation
SSDT ??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xF41EFB60]
SSDT 85476AE0 ZwSuspendProcess
SSDT 85485D30 ZwSuspendThread
SSDT 8545EEE8 ZwTerminateProcess
SSDT 85485F70 ZwTerminateThread
SSDT 8545ED38 ZwUnmapViewOfSection
SSDT 8547FB30 ZwWriteVirtualMemory
INT 0x62 ? 8576DBF8
INT 0x63 ? 855F7F00
INT 0x83 ? 8576DBF8
INT 0x83 ? 8576DBF8
INT 0x83 ? 8576DBF8
INT 0xB4 ? 855F7F00
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!ZwCallbackReturn + 23FC 805012EC 8 Bytes CALL 30D55C4E
.text ntkrnlpa.exe!ZwCallbackReturn + 2410 80501300 4 Bytes CALL F0D55A29
.text ntkrnlpa.exe!ZwCallbackReturn + 2730 80501620 8 Bytes CALL F0D55C13
? spvt.sys Impossibile trovare il file specificato. !
? SYMEFA.SYS Impossibile trovare il file specificato. !
.text USBPORT.SYS!DllUnload F6D9162C 5 Bytes JMP 855F74E0
---- User code sections - GMER 1.0.15 ----
.text C:\Programmi\Internet Explorer\iexplore.exe[920] ntdll.dll!RtlValidateUnicodeString + 554 7C925CB6 10 Bytes JMP 01E4003A
.text C:\Programmi\Internet Explorer\iexplore.exe[920] USER32.dll!UnhookWindowsHookEx 7E39F21E 5 Bytes JMP 402F43F6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Programmi\Internet Explorer\iexplore.exe[920] USER32.dll!CallNextHookEx 7E39F85B 5 Bytes JMP 4037CB69 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Programmi\Internet Explorer\iexplore.exe[920] USER32.dll!CreateWindowExW 7E39FC25 5 Bytes JMP 4038D3AC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Programmi\Internet Explorer\iexplore.exe[920] USER32.dll!DialogBoxParamW 7E3A555F 5 Bytes JMP 402B51FD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Programmi\Internet Explorer\iexplore.exe[920] USER32.dll!SetWindowsHookExW 7E3ADDB5 5 Bytes JMP 40389521 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Programmi\Internet Explorer\iexplore.exe[920] USER32.dll!DialogBoxIndirectParamW 7E3B2032 5 Bytes JMP 40483C10 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Programmi\Internet Explorer\iexplore.exe[920] USER32.dll!MessageBoxIndirectA 7E3BA04A 5 Bytes JMP 40483B42 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Programmi\Internet Explorer\iexplore.exe[920] USER32.dll!DialogBoxParamA 7E3BB10C 5 Bytes JMP 40483BAD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Programmi\Internet Explorer\iexplore.exe[920] USER32.dll!MessageBoxExW 7E3D05D8 5 Bytes JMP 40483A13 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Programmi\Internet Explorer\iexplore.exe[920] USER32.dll!MessageBoxExA 7E3D05FC 5 Bytes JMP 40483A75 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Programmi\Internet Explorer\iexplore.exe[920] USER32.dll!DialogBoxIndirectParamA 7E3D6B50 5 Bytes JMP 40483C73 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Programmi\Internet Explorer\iexplore.exe[920] USER32.dll!MessageBoxIndirectW 7E3E62AB 5 Bytes JMP 40483AD7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Programmi\Internet Explorer\iexplore.exe[920] ole32.dll!OleInitialize + 38C 774CFA66 7 Bytes JMP 01E400F3
.text C:\Programmi\Internet Explorer\iexplore.exe[920] ole32.dll!CoCreateInstance 774CFAC3 5 Bytes JMP 4038D408 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Programmi\Internet Explorer\iexplore.exe[920] ole32.dll!CoGetCallContext + 7C 774E5DAD 7 Bytes JMP 01E401A9
.text C:\Programmi\Internet Explorer\iexplore.exe[920] ole32.dll!OleLoadFromStream 774FA257 5 Bytes JMP 40483F78 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Programmi\Internet Explorer\iexplore.exe[2816] USER32.dll!CreateWindowExW 7E39FC25 5 Bytes JMP 4038D3AC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Programmi\Internet Explorer\iexplore.exe[2816] USER32.dll!DialogBoxParamW 7E3A555F 5 Bytes JMP 402B51FD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Programmi\Internet Explorer\iexplore.exe[2816] USER32.dll!DialogBoxIndirectParamW 7E3B2032 5 Bytes JMP 40483C10 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Programmi\Internet Explorer\iexplore.exe[2816] USER32.dll!MessageBoxIndirectA 7E3BA04A 5 Bytes JMP 40483B42 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Programmi\Internet Explorer\iexplore.exe[2816] USER32.dll!DialogBoxParamA 7E3BB10C 5 Bytes JMP 40483BAD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Programmi\Internet Explorer\iexplore.exe[2816] USER32.dll!MessageBoxExW 7E3D05D8 5 Bytes JMP 40483A13 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Programmi\Internet Explorer\iexplore.exe[2816] USER32.dll!MessageBoxExA 7E3D05FC 5 Bytes JMP 40483A75 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Programmi\Internet Explorer\iexplore.exe[2816] USER32.dll!DialogBoxIndirectParamA 7E3D6B50 5 Bytes JMP 40483C73 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Programmi\Internet Explorer\iexplore.exe[2816] USER32.dll!MessageBoxIndirectW 7E3E62AB 5 Bytes JMP 40483AD7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Programmi\Internet Explorer\iexplore.exe[3292] ntdll.dll!RtlValidateUnicodeString + 554 7C925CB6 10 Bytes JMP 01D0003A
.text C:\Programmi\Internet Explorer\iexplore.exe[3292] USER32.dll!UnhookWindowsHookEx 7E39F21E 5 Bytes JMP 402F43F6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Programmi\Internet Explorer\iexplore.exe[3292] USER32.dll!CallNextHookEx 7E39F85B 5 Bytes JMP 4037CB69 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Programmi\Internet Explorer\iexplore.exe[3292] USER32.dll!CreateWindowExW 7E39FC25 5 Bytes JMP 4038D3AC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Programmi\Internet Explorer\iexplore.exe[3292] USER32.dll!DialogBoxParamW 7E3A555F 5 Bytes JMP 402B51FD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Programmi\Internet Explorer\iexplore.exe[3292] USER32.dll!SetWindowsHookExW 7E3ADDB5 5 Bytes JMP 40389521 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Programmi\Internet Explorer\iexplore.exe[3292] USER32.dll!DialogBoxIndirectParamW 7E3B2032 5 Bytes JMP 40483C10 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Programmi\Internet Explorer\iexplore.exe[3292] USER32.dll!MessageBoxIndirectA 7E3BA04A 5 Bytes JMP 40483B42 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Programmi\Internet Explorer\iexplore.exe[3292] USER32.dll!DialogBoxParamA 7E3BB10C 5 Bytes JMP 40483BAD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Programmi\Internet Explorer\iexplore.exe[3292] USER32.dll!MessageBoxExW 7E3D05D8 5 Bytes JMP 40483A13 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Programmi\Internet Explorer\iexplore.exe[3292] USER32.dll!MessageBoxExA 7E3D05FC 5 Bytes JMP 40483A75 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Programmi\Internet Explorer\iexplore.exe[3292] USER32.dll!DialogBoxIndirectParamA 7E3D6B50 5 Bytes JMP 40483C73 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Programmi\Internet Explorer\iexplore.exe[3292] USER32.dll!MessageBoxIndirectW 7E3E62AB 5 Bytes JMP 40483AD7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Programmi\Internet Explorer\iexplore.exe[3292] ole32.dll!OleInitialize + 38C 774CFA66 7 Bytes JMP 01D000F3
.text C:\Programmi\Internet Explorer\iexplore.exe[3292] ole32.dll!CoCreateInstance 774CFAC3 5 Bytes JMP 4038D408 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Programmi\Internet Explorer\iexplore.exe[3292] ole32.dll!CoGetCallContext + 7C 774E5DAD 7 Bytes JMP 01D001A9
.text C:\Programmi\Internet Explorer\iexplore.exe[3292] ole32.dll!OleLoadFromStream 774FA257 5 Bytes JMP 40483F78 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
---- Kernel IAT/EAT - GMER 1.0.15 ----
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F7371040] spvt.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F737113C] spvt.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F73710BE] spvt.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F73717FC] spvt.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F73716D2] spvt.sys
---- User IAT/EAT - GMER 1.0.15 ----
IAT C:\Programmi\Internet Explorer\iexplore.exe[920] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Programmi\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)
IAT C:\Programmi\Internet Explorer\iexplore.exe[3292] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Programmi\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)
---- Devices - GMER 1.0.15 ----
Device \FileSystem\Ntfs \Ntfs 8576C1F8
Device \FileSystem\Fastfat \FatCdrom 853AF500
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
Device \Driver\usbohci \Device\USBPDO-0 85734338
Device \Driver\usbehci \Device\USBPDO-1 855DE500
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
Device \Driver\Ftdisk \Device\HarddiskVolume1 857DB1F8
Device \Driver\Cdrom \Device\CdRom0 855EC500
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 8576D1F8
Device \Driver\atapi \Device\Ide\IdePort0 8576D1F8
Device \Driver\atapi \Device\Ide\IdePort1 8576D1F8
Device \Driver\atapi \Device\Ide\IdePort2 8576D1F8
Device \Driver\atapi \Device\Ide\IdePort3 8576D1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-e 8576D1F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 84B881F8
Device \Driver\NetBT \Device\NetbiosSmb 84B881F8
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
Device \Driver\usbohci \Device\USBFDO-0 85734338
Device \Driver\usbehci \Device\USBFDO-1 855DE500
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 84B671F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 84B671F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{FFFA49D5-2C50-4E94-88B8-D8079C4524C7} 84B881F8
Device \Driver\Ftdisk \Device\FtControl 857DB1F8
Device \FileSystem\Fastfat \Fat 853AF500
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
Device \FileSystem\Cdfs \Cdfs 853AA500
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
---- EOF - GMER 1.0.15 ----
-
Hi ultrasso, I'm not very expert, but I'd suggest that next time you use filefafctory . com to avoid this whole tome ;)
-
Hi ultrasso and welcome to the GT forum!
GMER already reports the presence of "active" rootkits at startup, with a "warning" screen and a list of entries coloured "red" and "black".
The "red" entries are the ones "not visible" to the user, typical of rootkits; the "black" ones indicate modifications to the system.
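As an added example (not from this thread and not GMER's own code): a small Python triage helper that parses the GMER log line formats posted above (SSDT, IAT, AttachedDevice and the "? module ... !" file-not-found lines), groups each hook by the module that owns it, and lists the owners GMER could not attribute to a file on disk or to a vendor. The sample input is a constructed subset of lines copied from the first log.

```python
import re
from collections import defaultdict

# Constructed sample input: a few lines copied from the GMER log in this thread.
SAMPLE_LOG = """\
SSDT 85485410 ZwAlertResumeThread
SSDT ??\\C:\\WINDOWS\\system32\\Drivers\\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xF41EF130]
SSDT spvt.sys ZwEnumerateKey [0xF738ECA2]
SSDT spvt.sys ZwOpenKey [0xF73700C0]
? spvt.sys Impossibile trovare il file specificato. !
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F7371040] spvt.sys
AttachedDevice \\Driver\\Tcpip \\Device\\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
"""

# One regex per GMER line type that names the module owning a hook or filter device.
PATTERNS = {
    "SSDT": re.compile(r"^SSDT\s+(?P<mod>\S+)(?:\s+\((?P<vendor>[^)]*)\))?\s+(?P<what>Zw\w+)\s+\[0x[0-9A-Fa-f]+\]$"),
    "SSDT_POOL": re.compile(r"^SSDT\s+(?P<addr>[0-9A-Fa-f]{8})\s+(?P<what>Zw\w+)$"),
    "IAT": re.compile(r"^IAT\s+(?P<target>\S+?)\[(?P<what>[^\]]+)\]\s+\[[0-9A-Fa-f]+\]\s+(?P<mod>\S+)$"),
    "AttachedDevice": re.compile(r"^AttachedDevice\s+\S+\s+(?P<what>\S+)\s+(?P<mod>\S+)(?:\s+\((?P<vendor>[^)]*)\))?$"),
}
MISSING = re.compile(r"^\?\s+(?P<mod>\S+)\s+.*!$")  # "? module <message> !" = file not found on disk

def module_name(path):
    """Reduce '??\\C:\\...\\SYMEVENT.SYS' or 'spvt.sys' to a lowercase file name."""
    return path.split("\\")[-1].lower()

def triage(log_text):
    """Group hooks by owning module and list owners GMER could not verify or attribute."""
    hooks, vendors, missing = defaultdict(list), {}, set()
    for line in log_text.splitlines():
        m = MISSING.match(line)
        if m:
            missing.add(module_name(m["mod"]))
            continue
        for kind, pat in PATTERNS.items():
            m = pat.match(line)
            if not m:
                continue
            # A hook that points into kernel pool memory has no module: record the address instead.
            owner = module_name(m["mod"]) if "mod" in m.groupdict() else "pool:" + m["addr"]
            hooks[owner].append(f"{kind.split('_')[0]} {m['what']}")
            if m.groupdict().get("vendor"):
                vendors[owner] = m["vendor"]
            break
    # Owners whose file GMER could not find, or that carry no vendor description, need manual attribution.
    unverified = sorted(o for o in hooks if o in missing or o not in vendors)
    return {"hooks": dict(hooks), "vendors": vendors, "missing": missing, "unverified": unverified}
```

On the sample, spvt.sys ends up in the unverified list because GMER reported its file as missing, while the Symantec drivers carry a vendor string and are grouped normally.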
-
Thanks for the reply, I still have one doubt. When GMER starts, as you said, a screen appears with possible problems in red and system modifications in black. But were the modifications made by me, or are they problems too? I'm adding the log.
GMER 1.0.15.15087 -
Rootkit quick scan 2009-10-03 13:18:37
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\PASQUA~1.000\IMPOST~1\Temp\pwtyakob.sys
---- System - GMER 1.0.15 ----
SSDT spft.sys ZwEnumerateKey [0xF738ECA2]
SSDT spft.sys ZwEnumerateValueKey [0xF738F030]
---- Devices - GMER 1.0.15 ----
Device \FileSystem\Ntfs \Ntfs 8576C1F8
Device \FileSystem\Fastfat \Fat 83D381F8
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp pwipf6.sys (pwipf6/Privacyware/PWI, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp pwipf6.sys (pwipf6/Privacyware/PWI, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp pwipf6.sys (pwipf6/Privacyware/PWI, Inc.)
---- EOF - GMER 1.0.15 ----
Thanks for the help
-
Hi ultrasso,
also run a check with Panda AntiRootkit.
-
I ran the scan and it didn't detect anything. Then another thing: yesterday, after many doubts because I have an old AMD Sempron 2000 MHz processor, I installed SP3 (I HAVE XP HOME) and I noticed a big slowdown when opening all programs. I was thinking of uninstalling it and going back to SP2. What do you think? Thanks in the meantime, Wolf Otakar.
-
Hi ultrasso,
it's normal that it slows Windows down a bit; SP3 includes many updates.
On a PC with 1 GB of RAM it's suicide!
Anyway, for info:
Remove Service Pack 3
-
Hi, I can't remove SP3 any more. I've already tried all the methods you pointed me to... nothing. It's my fault: I cleaned all the SP2 updates with a program, they disappeared from the installed programs list, and SP3 isn't there either, which I don't understand. The $ntserviceuninstall file isn't there any more either... I'll keep SP3 or format, I don't see any other way. Or is there another way? Oh, I found this the other day with Malwarebytes... C:\WINDOWS\system32:ZomgWHAT.exe (Rootkit.ADS). Or I could increase the RAM, but how much can I go up to with my PC? Bye and thanks
-
Hi ultrasso,
check the Service Pack version from My Computer --> right-click "Properties".
-
Hi, I have SP3
-
Hi ultrasso,
from Start --> Run:
c:\windows\$NtServicePackUninstall$\spuninst\spuninst.exe
Then follow the wizard to remove SP3.
-
Hi wolf otakar, no luck, it doesn't find anything in Run. I'm trying to install SP3 again and then uninstall it, let's see what happens. In the meantime I'm downloading it. I'll wait a bit longer before installing it.
-
Hi wolf otakar
I solved it: I formatted, so now I have a new and clean XP Home SP2 that runs wonderfully. Anyway, I know myself well, I'm a bit inexperienced and a tinkerer, I'll try to restrain myself... Bye and all the best WOLF OTAKAR
-
Hi ultrasso,
too bad, you could have tried a System Restore!!!
@ultrasso said:
Bye and all the best WOLF OTAKAR