Logs inserted correctly:
Logs go inside CODE tags (select the whole log with the mouse and press Code). This makes checking the logs easier.
The forum does, however, have a character limit; if you run into that problem, please put the logs on http://www.wklej.org/ (no other site, because the others cut the logs off and we are unable to read them). Naturally, put the links to your logs in the post.
GMER log:
Code:
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-01 09:43:02
Windows 6.1.7600
Running: gmer.exe; Driver: C:\Users\Leszek\AppData\Local\Temp\kwwoapob.sys
---- System - GMER 1.0.15 ----
SSDT 870A7048 ZwAlertResumeThread
SSDT 870A6048 ZwAlertThread
SSDT 870A4270 ZwAllocateVirtualMemory
SSDT 86F049B0 ZwAlpcConnectPort
SSDT 870F00D0 ZwAssignProcessToJobObject
SSDT \??\C:\Program Files\AntiLogger\AntiLog32.sys ZwCreateFile [0x9533399C]
SSDT 870AA138 ZwCreateMutant
SSDT 870F1188 ZwCreateSymbolicLinkObject
SSDT \??\C:\Program Files\AntiLogger\AntiLog32.sys ZwCreateThread [0x953331A2]
SSDT 870F15D8 ZwCreateThreadEx
SSDT 870F0D50 ZwDebugActiveProcess
SSDT \??\C:\Program Files\AntiLogger\AntiLog32.sys ZwDeleteKey [0x9533378A]
SSDT \??\C:\Program Files\AntiLogger\AntiLog32.sys ZwDeleteValueKey [0x9533365C]
SSDT 870A4488 ZwDuplicateObject
SSDT 870A5C70 ZwFreeVirtualMemory
SSDT 870AA948 ZwImpersonateAnonymousToken
SSDT 870A9048 ZwImpersonateThread
SSDT \??\C:\Program Files\AntiLogger\AntiLog32.sys ZwLoadDriver [0x95332FD8]
SSDT \??\C:\Program Files\AntiLogger\AntiLog32.sys ZwMapViewOfSection [0x95332D7A]
SSDT 870AB908 ZwOpenEvent
SSDT \??\C:\Program Files\AntiLogger\AntiLog32.sys ZwOpenFile [0x95333C82]
SSDT \??\C:\Program Files\AntiLogger\AntiLog32.sys ZwOpenKey [0x95333956]
SSDT \??\C:\Program Files\AntiLogger\AntiLog32.sys ZwOpenProcess [0x953332C4]
SSDT 87004EB0 ZwOpenProcessToken
SSDT \??\C:\Program Files\AntiLogger\AntiLog32.sys ZwOpenSection [0x9533342A]
SSDT \??\C:\Program Files\AntiLogger\AntiLog32.sys ZwOpenThread [0x95333374]
SSDT \??\C:\Program Files\AntiLogger\AntiLog32.sys ZwProtectVirtualMemory [0x95333E18]
SSDT \??\C:\Program Files\AntiLogger\AntiLog32.sys ZwQueueApcThread [0x95333252]
SSDT 86FCA0E0 ZwResumeThread
SSDT \??\C:\Program Files\AntiLogger\AntiLog32.sys ZwSecureConnectPort [0x95333DB0]
SSDT \??\C:\Program Files\AntiLogger\AntiLog32.sys ZwSetContextThread [0x95332D0C]
SSDT 870A5838 ZwSetInformationProcess
SSDT \??\C:\Program Files\AntiLogger\AntiLog32.sys ZwSetSystemInformation [0x95333134]
SSDT \??\C:\Program Files\AntiLogger\AntiLog32.sys ZwSetValueKey [0x95333856]
SSDT 870AB248 ZwSuspendProcess
SSDT 870A0210 ZwSuspendThread
SSDT \??\C:\Program Files\AntiLogger\AntiLog32.sys ZwTerminateProcess [0x95333542]
SSDT 870118C8 ZwTerminateThread
SSDT 87011DA0 ZwUnmapViewOfSection
SSDT \??\C:\Program Files\AntiLogger\AntiLog32.sys ZwWriteVirtualMemory [0x95332C3E]
INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8342EAF8
INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8342E104
INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8342E3F4
INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83416634
INT 0xD2 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83416898
INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8342E1DC
INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8342E958
INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8342E6F8
INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8342EF2C
INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8342F1A8
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 8348E599 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 834B2F52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!RtlSidHashLookup + 224 834BA734 8 Bytes [48, 70, 0A, 87, 48, 60, 0A, ...]
.text ntkrnlpa.exe!RtlSidHashLookup + 23C 834BA74C 4 Bytes [70, 42, 0A, 87]
.text ntkrnlpa.exe!RtlSidHashLookup + 248 834BA758 4 Bytes [B0, 49, F0, 86]
.text ntkrnlpa.exe!RtlSidHashLookup + 29C 834BA7AC 4 Bytes [D0, 00, 0F, 87]
.text ntkrnlpa.exe!RtlSidHashLookup + 2F8 834BA808 4 Bytes [9C, 39, 33, 95] {PUSHF ; CMP [EBX], ESI; XCHG EBP, EAX}
.text ...
.text peauth.sys 9933DC9D 28 Bytes [0F, D0, 81, 0B, 1D, 38, 9E, ...]
.text peauth.sys 9933DCC1 28 Bytes [0F, D0, 81, 0B, 1D, 38, 9E, ...]
PAGE peauth.sys 99343E20 57 Bytes [E4, 0A, 26, 6F, 7E, 1B, B2, ...]
PAGE peauth.sys 99343E64 33 Bytes [A8, 92, BB, 80, A0, B2, 70, ...]
PAGE peauth.sys 9934402C 102 Bytes [47, 23, 7E, A5, 4B, CB, 6A, ...]
.text d:\Program Files\CyberLink\PowerDVD9\000.fcl section is writeable [0x935D0000, 0x2892, 0xE8000020]
.vmp2 d:\Program Files\CyberLink\PowerDVD9\000.fcl entry point in ".vmp2" section [0x935F3050]
---- User code sections - GMER 1.0.15 ----
.text C:\Windows\system32\Dwm.exe[1516] ntdll.dll!NtCreateKey 773F4A50 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\Dwm.exe[1516] ntdll.dll!NtCreateKey + 4 773F4A54 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Windows\system32\Dwm.exe[1516] ntdll.dll!NtSetValueKey 773F5C50 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\Dwm.exe[1516] ntdll.dll!NtSetValueKey + 4 773F5C54 2 Bytes [0B, 5F]
.text C:\Windows\system32\Dwm.exe[1516] kernel32.dll!LoadLibraryExW 75E0B6BF 6 Bytes JMP 5F070F5A
.text C:\Windows\system32\Dwm.exe[1516] ADVAPI32.dll!CreateServiceW 75A7DBC1 6 Bytes JMP 5F130F5A
.text C:\Windows\system32\Dwm.exe[1516] ADVAPI32.dll!CreateServiceA 75A92120 6 Bytes JMP 5F100F5A
.text C:\Windows\system32\Dwm.exe[1516] ADVAPI32.dll!CreateProcessWithLogonW 75A942A1 6 Bytes JMP 5F040F5A
.text C:\Windows\Explorer.EXE[1588] kernel32.dll!LoadLibraryExW 75E0B6BF 6 Bytes JMP 5F070F5A
.text C:\Windows\Explorer.EXE[1588] ADVAPI32.dll!CreateProcessWithLogonW 75A942A1 6 Bytes JMP 5F040F5A
.text C:\Program Files\Pasek TVN24\tvn-ustawienia.exe[2920] ntdll.dll!DbgBreakPoint 773E3540 1 Byte [90]
.text C:\Program Files\Pasek TVN24\tvn-ustawienia.exe[2920] kernel32.dll!LoadLibraryExW 75E0B6BF 6 Bytes JMP 5F070F5A
.text C:\Program Files\Pasek TVN24\tvn-ustawienia.exe[2920] kernel32.dll!CloseHandle 75E105D7 6 Bytes JMP 5F190F5A
.text C:\Program Files\Pasek TVN24\tvn-ustawienia.exe[2920] kernel32.dll!GetFileAttributesW 75E113EE 6 Bytes JMP 5F130F5A
.text C:\Program Files\Pasek TVN24\tvn-ustawienia.exe[2920] kernel32.dll!CreateFileA 75E1291C 6 Bytes JMP 5F100F5A
.text C:\Program Files\Pasek TVN24\tvn-ustawienia.exe[2920] kernel32.dll!GetFileAttributesA 75E12A3F 6 Bytes JMP 5F160F5A
.text C:\Program Files\Pasek TVN24\tvn-ustawienia.exe[2920] USER32.dll!SetCursor 758152EA 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Pasek TVN24\tvn-ustawienia.exe[2920] USER32.dll!SetCursor + 4 758152EE 2 Bytes [1D, 5F]
.text C:\Program Files\Pasek TVN24\tvn-ustawienia.exe[2920] USER32.dll!MessageBeep 758344F7 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Pasek TVN24\tvn-ustawienia.exe[2920] USER32.dll!MessageBoxA 7585EA71 6 Bytes JMP 5F040F5A
---- User IAT/EAT - GMER 1.0.15 ----
IAT C:\Windows\Explorer.EXE[1588] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [73D92494] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1588] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [73D75624] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1588] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [73D756E2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1588] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [73D9250F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1588] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [73D88573] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1588] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [73D84D27] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1588] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [73D850CE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1588] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [73D851A3] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1588] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [73D866D0] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1588] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [73D882CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1588] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [73D88819] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1588] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [73D8907A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1588] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [73D8E21D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1588] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [73D84C59] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT D:\Program Files\ivo\Expressivo\integr\OutlookExpress\ExprOElauncher.exe[3172] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [754C5E25] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation)
IAT D:\Program Files\ivo\Expressivo\integr\OutlookExpress\ExprOElauncher.exe[3172] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [754C5E25] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation)
IAT D:\Program Files\ivo\Expressivo\integr\OutlookExpress\ExprOElauncher.exe[3172] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [754C5E25] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation)
IAT D:\Program Files\ivo\Expressivo\integr\OutlookExpress\ExprOElauncher.exe[3172] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [754C5E25] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation)
---- Devices - GMER 1.0.15 ----
AttachedDevice \Driver\tdx \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume5 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume6 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume9 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\tdx \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
Device \Driver\ACPI_HAL \Device\0000005e halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Menedżer filtrów systemu plików firmy Microsoft/Microsoft Corporation)
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\ControlSet001\services\BTHPORT\Parameters\Keys\001167b392c7 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\services\BTHPORT\Parameters\Keys\001167b392c7@00210885471a 0x9A 0xB2 0xBE 0x0A ...
Reg HKLM\SYSTEM\ControlSet001\services\DcomLaunch\Parameters@ServiceDll %SystemRoot%\system32\rpcss.dll
Reg HKLM\SYSTEM\ControlSet001\services\RpcSs\Parameters@ServiceDll %SystemRoot%\system32\rpcss.dll
Reg HKLM\SYSTEM\ControlSet001\services\TrkWks\Parameters@ServiceDll %SystemRoot%\System32\trkwks.dll
Reg HKLM\SYSTEM\ControlSet001\services\TrkWks\Parameters@ServiceDllUnloadOnStop 1
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001167b392c7
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001167b392c7@00210885471a 0x9A 0xB2 0xBE 0x0A ...
Reg HKLM\SYSTEM\CurrentControlSet\services\DcomLaunch\Parameters@ServiceDll %SystemRoot%\system32\rpcss.dll
Reg HKLM\SYSTEM\CurrentControlSet\services\RpcSs\Parameters@ServiceDll %SystemRoot%\system32\rpcss.dll
Reg HKLM\SYSTEM\CurrentControlSet\services\TrkWks\Parameters@ServiceDll %SystemRoot%\System32\trkwks.dll
Reg HKLM\SYSTEM\CurrentControlSet\services\TrkWks\Parameters@ServiceDllUnloadOnStop 1
Reg HKLM\SYSTEM\ControlSet003\services\BTHPORT\Parameters\Keys\001167b392c7 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\services\BTHPORT\Parameters\Keys\001167b392c7@00210885471a 0x9A 0xB2 0xBE 0x0A ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{50EF3326-3C4E-5A5E-8784-F0CEB88D34AF}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{50EF3326-3C4E-5A5E-8784-F0CEB88D34AF}@jalebbofjnelmefgcakf 0x62 0x61 0x65 0x6B ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{50EF3326-3C4E-5A5E-8784-F0CEB88D34AF}@ialdncpdifplchlofd 0x6B 0x61 0x6D 0x6B ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{50EF3326-3C4E-5A5E-8784-F0CEB88D34AF}@hapefdfkhlokohjm 0x61 0x62 0x6D 0x6D ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{50EF3326-3C4E-5A5E-8784-F0CEB88D34AF}@jaoeianjjlgbfeljlimf 0x64 0x62 0x64 0x66 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{50EF3326-3C4E-5A5E-8784-F0CEB88D34AF}@jalebbofjnelmefgcaof 0x62 0x61 0x70 0x6B ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{50EF3326-3C4E-5A5E-8784-F0CEB88D34AF}@habfdbnpdffkobpf 0x6B 0x61 0x6D 0x6B ...
---- EOF - GMER 1.0.15 ----
Added 01.05.2010 14:15:14: Please close the thread. Problem solved.