  • User Newbie

    GMER log analysis

    Hi, I'm new to the forum. I ran a scan with GMER; can anyone help me decipher it? I'm a beginner. Thanks

    GMER 1.0.15.15087 -
    Rootkit scan 2009-09-18 13:05:04
    Windows 5.1.2600 Service Pack 2
    Running: gmer.exe; Driver: C:\DOCUME~1\PASQUA~1.000\IMPOST~1\Temp\pwtyakob.sys

    ---- System - GMER 1.0.15 ----
    SSDT 85485410 ZwAlertResumeThread
    SSDT 85485B10 ZwAlertThread
    SSDT 8547FC58 ZwAllocateVirtualMemory
    SSDT 8548C8A0 ZwAssignProcessToJobObject
    SSDT 84EB02E0 ZwConnectPort
    SSDT ??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xF41EF130]
    SSDT 85477308 ZwCreateMutant
    SSDT 85495DE8 ZwCreateSymbolicLinkObject
    SSDT 8545DFB0 ZwCreateThread
    SSDT 854724E8 ZwDebugActiveProcess
    SSDT ??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xF41EF3B0]
    SSDT ??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xF41EF910]
    SSDT 854804F8 ZwDuplicateObject
    SSDT spvt.sys ZwEnumerateKey [0xF738ECA2]
    SSDT spvt.sys ZwEnumerateValueKey [0xF738F030]
    SSDT 8547F968 ZwFreeVirtualMemory
    SSDT 85477650 ZwImpersonateAnonymousToken
    SSDT 85477EC8 ZwImpersonateThread
    SSDT 85405B28 ZwLoadDriver
    SSDT 8547F800 ZwMapViewOfSection
    SSDT 85476F90 ZwOpenEvent
    SSDT spvt.sys ZwOpenKey [0xF73700C0]
    SSDT 854808D0 ZwOpenProcess
    SSDT 8545EE00 ZwOpenProcessToken
    SSDT 85476728 ZwOpenSection
    SSDT 85480608 ZwOpenThread
    SSDT 85495F58 ZwProtectVirtualMemory
    SSDT spvt.sys ZwQueryKey [0xF738F108]
    SSDT spvt.sys ZwQueryValueKey [0xF738EF88]
    SSDT 85456DD8 ZwResumeThread
    SSDT 85486E00 ZwSetContextThread
    SSDT 85478FC0 ZwSetInformationProcess
    SSDT 85472D10 ZwSetSystemInformation
    SSDT ??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xF41EFB60]
    SSDT 85476AE0 ZwSuspendProcess
    SSDT 85485D30 ZwSuspendThread
    SSDT 8545EEE8 ZwTerminateProcess
    SSDT 85485F70 ZwTerminateThread
    SSDT 8545ED38 ZwUnmapViewOfSection
    SSDT 8547FB30 ZwWriteVirtualMemory
    INT 0x62 ? 8576DBF8
    INT 0x63 ? 855F7F00
    INT 0x83 ? 8576DBF8
    INT 0x83 ? 8576DBF8
    INT 0x83 ? 8576DBF8
    INT 0xB4 ? 855F7F00
    ---- Kernel code sections - GMER 1.0.15 ----
    .text ntkrnlpa.exe!ZwCallbackReturn + 23FC 805012EC 8 Bytes CALL 30D55C4E
    .text ntkrnlpa.exe!ZwCallbackReturn + 2410 80501300 4 Bytes CALL F0D55A29
    .text ntkrnlpa.exe!ZwCallbackReturn + 2730 80501620 8 Bytes CALL F0D55C13
    ? spvt.sys Impossibile trovare il file specificato. !
    ? SYMEFA.SYS Impossibile trovare il file specificato. !
    .text USBPORT.SYS!DllUnload F6D9162C 5 Bytes JMP 855F74E0
    ---- User code sections - GMER 1.0.15 ----
    .text C:\Programmi\Internet Explorer\iexplore.exe[920] ntdll.dll!RtlValidateUnicodeString + 554 7C925CB6 10 Bytes JMP 01E4003A
    .text C:\Programmi\Internet Explorer\iexplore.exe[920] USER32.dll!UnhookWindowsHookEx 7E39F21E 5 Bytes JMP 402F43F6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Programmi\Internet Explorer\iexplore.exe[920] USER32.dll!CallNextHookEx 7E39F85B 5 Bytes JMP 4037CB69 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Programmi\Internet Explorer\iexplore.exe[920] USER32.dll!CreateWindowExW 7E39FC25 5 Bytes JMP 4038D3AC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Programmi\Internet Explorer\iexplore.exe[920] USER32.dll!DialogBoxParamW 7E3A555F 5 Bytes JMP 402B51FD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Programmi\Internet Explorer\iexplore.exe[920] USER32.dll!SetWindowsHookExW 7E3ADDB5 5 Bytes JMP 40389521 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Programmi\Internet Explorer\iexplore.exe[920] USER32.dll!DialogBoxIndirectParamW 7E3B2032 5 Bytes JMP 40483C10 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Programmi\Internet Explorer\iexplore.exe[920] USER32.dll!MessageBoxIndirectA 7E3BA04A 5 Bytes JMP 40483B42 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Programmi\Internet Explorer\iexplore.exe[920] USER32.dll!DialogBoxParamA 7E3BB10C 5 Bytes JMP 40483BAD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Programmi\Internet Explorer\iexplore.exe[920] USER32.dll!MessageBoxExW 7E3D05D8 5 Bytes JMP 40483A13 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Programmi\Internet Explorer\iexplore.exe[920] USER32.dll!MessageBoxExA 7E3D05FC 5 Bytes JMP 40483A75 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Programmi\Internet Explorer\iexplore.exe[920] USER32.dll!DialogBoxIndirectParamA 7E3D6B50 5 Bytes JMP 40483C73 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Programmi\Internet Explorer\iexplore.exe[920] USER32.dll!MessageBoxIndirectW 7E3E62AB 5 Bytes JMP 40483AD7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Programmi\Internet Explorer\iexplore.exe[920] ole32.dll!OleInitialize + 38C 774CFA66 7 Bytes JMP 01E400F3
    .text C:\Programmi\Internet Explorer\iexplore.exe[920] ole32.dll!CoCreateInstance 774CFAC3 5 Bytes JMP 4038D408 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Programmi\Internet Explorer\iexplore.exe[920] ole32.dll!CoGetCallContext + 7C 774E5DAD 7 Bytes JMP 01E401A9
    .text C:\Programmi\Internet Explorer\iexplore.exe[920] ole32.dll!OleLoadFromStream 774FA257 5 Bytes JMP 40483F78 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Programmi\Internet Explorer\iexplore.exe[2816] USER32.dll!CreateWindowExW 7E39FC25 5 Bytes JMP 4038D3AC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Programmi\Internet Explorer\iexplore.exe[2816] USER32.dll!DialogBoxParamW 7E3A555F 5 Bytes JMP 402B51FD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Programmi\Internet Explorer\iexplore.exe[2816] USER32.dll!DialogBoxIndirectParamW 7E3B2032 5 Bytes JMP 40483C10 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Programmi\Internet Explorer\iexplore.exe[2816] USER32.dll!MessageBoxIndirectA 7E3BA04A 5 Bytes JMP 40483B42 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Programmi\Internet Explorer\iexplore.exe[2816] USER32.dll!DialogBoxParamA 7E3BB10C 5 Bytes JMP 40483BAD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Programmi\Internet Explorer\iexplore.exe[2816] USER32.dll!MessageBoxExW 7E3D05D8 5 Bytes JMP 40483A13 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Programmi\Internet Explorer\iexplore.exe[2816] USER32.dll!MessageBoxExA 7E3D05FC 5 Bytes JMP 40483A75 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Programmi\Internet Explorer\iexplore.exe[2816] USER32.dll!DialogBoxIndirectParamA 7E3D6B50 5 Bytes JMP 40483C73 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Programmi\Internet Explorer\iexplore.exe[2816] USER32.dll!MessageBoxIndirectW 7E3E62AB 5 Bytes JMP 40483AD7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Programmi\Internet Explorer\iexplore.exe[3292] ntdll.dll!RtlValidateUnicodeString + 554 7C925CB6 10 Bytes JMP 01D0003A
    .text C:\Programmi\Internet Explorer\iexplore.exe[3292] USER32.dll!UnhookWindowsHookEx 7E39F21E 5 Bytes JMP 402F43F6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Programmi\Internet Explorer\iexplore.exe[3292] USER32.dll!CallNextHookEx 7E39F85B 5 Bytes JMP 4037CB69 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Programmi\Internet Explorer\iexplore.exe[3292] USER32.dll!CreateWindowExW 7E39FC25 5 Bytes JMP 4038D3AC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Programmi\Internet Explorer\iexplore.exe[3292] USER32.dll!DialogBoxParamW 7E3A555F 5 Bytes JMP 402B51FD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Programmi\Internet Explorer\iexplore.exe[3292] USER32.dll!SetWindowsHookExW 7E3ADDB5 5 Bytes JMP 40389521 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Programmi\Internet Explorer\iexplore.exe[3292] USER32.dll!DialogBoxIndirectParamW 7E3B2032 5 Bytes JMP 40483C10 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Programmi\Internet Explorer\iexplore.exe[3292] USER32.dll!MessageBoxIndirectA 7E3BA04A 5 Bytes JMP 40483B42 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Programmi\Internet Explorer\iexplore.exe[3292] USER32.dll!DialogBoxParamA 7E3BB10C 5 Bytes JMP 40483BAD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Programmi\Internet Explorer\iexplore.exe[3292] USER32.dll!MessageBoxExW 7E3D05D8 5 Bytes JMP 40483A13 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Programmi\Internet Explorer\iexplore.exe[3292] USER32.dll!MessageBoxExA 7E3D05FC 5 Bytes JMP 40483A75 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Programmi\Internet Explorer\iexplore.exe[3292] USER32.dll!DialogBoxIndirectParamA 7E3D6B50 5 Bytes JMP 40483C73 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Programmi\Internet Explorer\iexplore.exe[3292] USER32.dll!MessageBoxIndirectW 7E3E62AB 5 Bytes JMP 40483AD7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Programmi\Internet Explorer\iexplore.exe[3292] ole32.dll!OleInitialize + 38C 774CFA66 7 Bytes JMP 01D000F3
    .text C:\Programmi\Internet Explorer\iexplore.exe[3292] ole32.dll!CoCreateInstance 774CFAC3 5 Bytes JMP 4038D408 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Programmi\Internet Explorer\iexplore.exe[3292] ole32.dll!CoGetCallContext + 7C 774E5DAD 7 Bytes JMP 01D001A9
    .text C:\Programmi\Internet Explorer\iexplore.exe[3292] ole32.dll!OleLoadFromStream 774FA257 5 Bytes JMP 40483F78 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    ---- Kernel IAT/EAT - GMER 1.0.15 ----
    IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F7371040] spvt.sys
    IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F737113C] spvt.sys
    IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F73710BE] spvt.sys
    IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F73717FC] spvt.sys
    IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F73716D2] spvt.sys
    ---- User IAT/EAT - GMER 1.0.15 ----
    IAT C:\Programmi\Internet Explorer\iexplore.exe[920] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Programmi\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)
    IAT C:\Programmi\Internet Explorer\iexplore.exe[3292] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Programmi\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)
    ---- Devices - GMER 1.0.15 ----
    Device \FileSystem\Ntfs \Ntfs 8576C1F8
    Device \FileSystem\Fastfat \FatCdrom 853AF500
    AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    Device \Driver\usbohci \Device\USBPDO-0 85734338
    Device \Driver\usbehci \Device\USBPDO-1 855DE500
    AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    Device \Driver\Ftdisk \Device\HarddiskVolume1 857DB1F8
    Device \Driver\Cdrom \Device\CdRom0 855EC500
    Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 8576D1F8
    Device \Driver\atapi \Device\Ide\IdePort0 8576D1F8
    Device \Driver\atapi \Device\Ide\IdePort1 8576D1F8
    Device \Driver\atapi \Device\Ide\IdePort2 8576D1F8
    Device \Driver\atapi \Device\Ide\IdePort3 8576D1F8
    Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-e 8576D1F8
    Device \Driver\NetBT \Device\NetBt_Wins_Export 84B881F8
    Device \Driver\NetBT \Device\NetbiosSmb 84B881F8
    AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    Device \Driver\usbohci \Device\USBFDO-0 85734338
    Device \Driver\usbehci \Device\USBFDO-1 855DE500
    Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 84B671F8
    Device \FileSystem\MRxSmb \Device\LanmanRedirector 84B671F8
    Device \Driver\NetBT \Device\NetBT_Tcpip_{FFFA49D5-2C50-4E94-88B8-D8079C4524C7} 84B881F8
    Device \Driver\Ftdisk \Device\FtControl 857DB1F8
    Device \FileSystem\Fastfat \Fat 853AF500
    AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    Device \FileSystem\Cdfs \Cdfs 853AA500
    ---- Registry - GMER 1.0.15 ----
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
    ---- EOF - GMER 1.0.15 ----


  • User

    Hi ultrasso, I'm not very expert, but I suggest that next time you use filefactory.com to spare us this whole scroll ; )


  • Consiglio Direttivo

    Hi ultrasso, and welcome to the GT forum! 🙂

    GMER already reports the presence of "active" rootkits at startup, with a "warning" screen and a list of entries in "red" and "black".

    The "red" entries are the ones "not visible" to the user, which is typical of rootkits; the "black" ones indicate modifications to the system.

    :ciauz:
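A small triage script, added here as an example (it is not part of this thread and not GMER's own code), that reads the System, Kernel code sections and Kernel IAT/EAT blocks of a GMER 1.0.15 log in the format posted above and groups the hooks by the module GMER attributes them to. It handles only the three line shapes visible in that log: SSDT entries whose target is a raw kernel address, a driver path with a vendor string, or a bare module name; the `? module ... !` lines GMER prints when it cannot open a driver's file; and kernel IAT redirections. The sample log embedded in the script is constructed from lines of the same shape as the posted log; user-mode hooks and inline `.text` patches are left out. The grouping is not a verdict: the Symantec drivers and the unattributed pool addresses are just as hooked as spvt.sys, and the "file not found" line fires for SYMEFA.SYS too. What it gives you is the short list of modules whose origin you still have to establish before deciding whether a hook is a security product or something to remove.

```python
"""Group the hooks in a GMER 1.0.15 log by the module GMER attributes them to.

Added example, not GMER's own code. SAMPLE_LOG is constructed from lines
of the same shape as a real GMER log, not the full log from the thread.
"""
import re
from collections import defaultdict

# Constructed sample in the format of a GMER 1.0.15 log.
SAMPLE_LOG = r"""
---- System - GMER 1.0.15 ----
SSDT 85485410 ZwAlertResumeThread
SSDT ??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xF41EF130]
SSDT spvt.sys ZwEnumerateKey [0xF738ECA2]
SSDT spvt.sys ZwOpenKey [0xF73700C0]
---- Kernel code sections - GMER 1.0.15 ----
? spvt.sys Impossibile trovare il file specificato. !
? SYMEFA.SYS Impossibile trovare il file specificato. !
.text USBPORT.SYS!DllUnload F6D9162C 5 Bytes JMP 855F74E0
---- Kernel IAT/EAT - GMER 1.0.15 ----
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F7371040] spvt.sys
---- EOF - GMER 1.0.15 ----
"""

# SSDT <target> <ZwFunction> [0xADDR]  -- target is an address, a path or a module name
SSDT_RE = re.compile(r"^SSDT\s+(?P<target>.+?)\s+(?P<func>Zw\w+)(?:\s+\[0x[0-9A-Fa-f]+\])?$")
# ? <module> <OS error text> !          -- GMER could not open the driver's file on disk
MISSING_RE = re.compile(r"^\?\s+(?P<module>\S+)\s+.*!$")
# IAT <victim>[<dll>!<import>] [ADDR] <module>  -- kernel import redirected into <module>
IAT_RE = re.compile(r"^IAT\s+(?P<victim>[^\[\s]+)\[(?P<imp>[^\]]+)\]\s+\[[0-9A-Fa-f]+\]\s+(?P<module>\S+)$")
ADDR_RE = re.compile(r"^[0-9A-Fa-f]{8}$")
VENDOR_RE = re.compile(r"\((?P<desc>[^/()]*)/(?P<vendor>[^()]*)\)")

UNATTRIBUTED = "<kernel address, no module>"


def module_of(target: str):
    """Reduce the target field of an SSDT line to (module file name, vendor or None)."""
    if ADDR_RE.match(target):
        # GMER printed only a pool address: it could not map this hook to a module.
        return UNATTRIBUTED, None
    vendor = None
    m = VENDOR_RE.search(target)
    if m:
        vendor = m.group("vendor").strip()
        target = target[: m.start()].strip()
    target = target.lstrip("?")  # '??\C:\...' is GMER's NT-style path prefix
    return target.split("\\")[-1], vendor


def new_entry():
    return {"ssdt": [], "iat": [], "vendor": None, "file_missing": False}


def triage(log_text: str) -> dict:
    """Return {module: {"ssdt": [...], "iat": [...], "vendor": ..., "file_missing": bool}}."""
    modules = defaultdict(new_entry)
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SSDT_RE.match(line)
        if m:
            name, vendor = module_of(m.group("target"))
            entry = modules[name]
            entry["ssdt"].append(m.group("func"))
            if vendor:
                entry["vendor"] = vendor
            continue
        m = MISSING_RE.match(line)
        if m:
            modules[m.group("module")]["file_missing"] = True
            continue
        m = IAT_RE.match(line)
        if m:
            modules[m.group("module")]["iat"].append(f"{m.group('victim')} {m.group('imp')}")
    return dict(modules)


def rank(modules: dict):
    """(module, total hooks) pairs, most hooks first, name as tie-breaker."""
    return sorted(
        ((name, len(e["ssdt"]) + len(e["iat"])) for name, e in modules.items()),
        key=lambda pair: (-pair[1], pair[0]),
    )


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    for name, total in rank(summary):
        e = summary[name]
        flags = []
        if e["vendor"]:
            flags.append(f"vendor={e['vendor']}")
        if e["file_missing"]:
            flags.append("driver file not found on disk")
        print(f"{total:2d} hook(s)  {name}  {' '.join(flags)}")
        for fn in e["ssdt"]:
            print(f"           SSDT {fn}")
        for imp in e["iat"]:
            print(f"           IAT  {imp}")
```

Run it as-is to see the sample summary, or replace `SAMPLE_LOG` with the text of a saved GMER log. A module that hooks registry-enumeration services, redirects a disk driver's port I/O imports and has no readable file on disk, as spvt.sys does here, is exactly the kind of entry to look up by its service name in the log's Registry section and in the list of installed software before touching it.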


  • User Newbie

    Thanks for the reply, I still have a doubt. When GMER starts, as you said, a screen comes up with possible problems in red and system modifications in black. But were the modifications made by me, or are they problems too? I'm adding the log.

    GMER 1.0.15.15087 -
    Rootkit quick scan 2009-10-03 13:18:37
    Windows 5.1.2600 Service Pack 2
    Running: gmer.exe; Driver: C:\DOCUME~1\PASQUA~1.000\IMPOST~1\Temp\pwtyakob.sys

    ---- System - GMER 1.0.15 ----
    SSDT spft.sys ZwEnumerateKey [0xF738ECA2]
    SSDT spft.sys ZwEnumerateValueKey [0xF738F030]
    ---- Devices - GMER 1.0.15 ----
    Device \FileSystem\Ntfs \Ntfs 8576C1F8
    Device \FileSystem\Fastfat \Fat 83D381F8
    AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\Tcp pwipf6.sys (pwipf6/Privacyware/PWI, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Udp pwipf6.sys (pwipf6/Privacyware/PWI, Inc.)
    AttachedDevice \Driver\Tcpip \Device\RawIp pwipf6.sys (pwipf6/Privacyware/PWI, Inc.)
    ---- EOF - GMER 1.0.15 ----

    Thanks for the help


  • Consiglio Direttivo

    Hi ultrasso,

    run a check with Panda Anti-Rootkit as well.

    😉


  • User Newbie

    I ran the scan; it didn't detect anything. Another thing: yesterday, after much hesitation because I have an old AMD Sempron processor at 2000 MHz, I installed SP3 (I HAVE XP HOME) and I noticed a big slowdown when opening every program. I was thinking of uninstalling it and going back to SP2. What do you think? Thanks in the meantime, Wolf Otakar.


  • Consiglio Direttivo

    Hi ultrasso,

    it's normal for Windows to slow down a bit; SP3 includes numerous updates. 🙂

    On a PC with 1 GB of RAM it's suicide! 😄

    Anyway, for your information:
    Removing Service Pack 3

    :ciauz:


  • User Newbie

    Hi, I can't remove SP3 any more. I've already tried all the ways you pointed me to... nothing. It's my fault: I cleaned out all the SP2 updates with a program, they've disappeared from the installed programs list, and SP3 isn't there either, which I don't understand. The $ntserviceuninstall file isn't there any more either... I'll keep SP3 or format, I don't see any other option. Or is there another way? Oh, I found this the other day with Malwarebytes... C:\WINDOWS\system32:ZomgWHAT.exe (Rootkit.ADS). Or I could add RAM, but how far can I go with my PC? Bye and thanks


  • Consiglio Direttivo

    Ciao ultrasso,

    check the Service Pack version from My Computer --> right click --> "Properties". 🙂


  • User Newbie

    Hi, I have SP3


  • Consiglio Direttivo

    Hi ultrasso,

    from Start --> Run:

    c:\windows\$NtServicePackUninstall$\spuninst\spuninst.exe

    Then follow the wizard to remove SP3.

    :ciauz:


  • User Newbie

    Hi wolf otakar, no luck, Run doesn't find anything. I'm trying to install SP3 again so I can then uninstall it; let's see what happens. I'm downloading it in the meantime. I'll wait a bit before installing it.


  • User Newbie

    Hi wolf otakar
    I solved it: I formatted, so now I have a fresh, clean XP Home SP2 that runs wonderfully. Anyway, I know myself well, I'm a bit inexperienced and a tinkerer; I'll try to restrain myself... Bye and all the best, WOLF OTAKAR


  • Consiglio Direttivo

    Hi ultrasso,

    pity, you could have tried a restore!!! 🙂

    @ultrasso said:

    Bye and all the best, WOLF OTAKAR

    :ciauz: