
Suspected rootkit (ticket No. 47478)

  #1
    Junior Member
    Registered: 08.06.2009
    Posts: 2
    Reputation weight: 55

    Suspected rootkit

    Good day,

    Please take a look at the Rootkit Unhooker log.

    _________________________________________________
    >SSDT State
    >Shadow
    NtGdiBitBlt
    Actual Address 0xF6706938
    Hooked by: C:\WINDOWS\system32\DRIVERS\klif.sys

    NtGdiMaskBlt
    Actual Address 0xF6706998
    Hooked by: C:\WINDOWS\system32\DRIVERS\klif.sys

    NtGdiPlgBlt
    Actual Address 0xF67069C8
    Hooked by: C:\WINDOWS\system32\DRIVERS\klif.sys

    NtGdiStretchBlt
    Actual Address 0xF6706968
    Hooked by: C:\WINDOWS\system32\DRIVERS\klif.sys

    NtUserAttachThreadInput
    Actual Address 0xF6705E28
    Hooked by: C:\WINDOWS\system32\DRIVERS\klif.sys

    NtUserCallOneParam
    Actual Address 0xF6706FF8
    Hooked by: C:\WINDOWS\system32\DRIVERS\klif.sys

    NtUserFindWindowEx
    Actual Address 0xF6706106
    Hooked by: C:\WINDOWS\system32\DRIVERS\klif.sys

    NtUserGetAsyncKeyState
    Actual Address 0xF6705D68
    Hooked by: C:\WINDOWS\system32\DRIVERS\klif.sys

    NtUserGetKeyboardState
    Actual Address 0xF6705DC8
    Hooked by: C:\WINDOWS\system32\DRIVERS\klif.sys

    NtUserGetKeyState
    Actual Address 0xF6705D98
    Hooked by: C:\WINDOWS\system32\DRIVERS\klif.sys

    NtUserMessageCall
    Actual Address 0xF670849C
    Hooked by: C:\WINDOWS\system32\DRIVERS\klif.sys

    NtUserPostMessage
    Actual Address 0xF67084F4
    Hooked by: C:\WINDOWS\system32\DRIVERS\klif.sys

    NtUserPostThreadMessage
    Actual Address 0xF6708520
    Hooked by: C:\WINDOWS\system32\DRIVERS\klif.sys

    NtUserRegisterRawInputDevices
    Actual Address 0xF6706FA2
    Hooked by: C:\WINDOWS\system32\DRIVERS\klif.sys

    NtUserSendInput
    Actual Address 0xF67060E0
    Hooked by: C:\WINDOWS\system32\DRIVERS\klif.sys

    NtUserSetWindowsHookEx
    Actual Address 0xF6705806
    Hooked by: C:\WINDOWS\system32\DRIVERS\klif.sys

    NtUserSetWinEventHook
    Actual Address 0xF67059F2
    Hooked by: C:\WINDOWS\system32\DRIVERS\klif.sys

    >Processes
    >Drivers
    >Stealth
    >Files
    >Hooks
    ntoskrnl.exe+0x00004AA2, Type: Inline - RelativeJump 0x804DBAA2 [TUKERNEL.EXE]
    ntoskrnl.exe-->IoCreateDevice, Type: EAT modification 0x80683874 [kl1.sys]
    tcpip.sys-->ntoskrnl.exe-->IoCreateDevice, Type: IAT modification 0xF66A9488 [kl1.sys]
    wanarp.sys-->ntoskrnl.exe-->IoCreateDevice, Type: IAT modification 0xF86BBC08 [kl1.sys]
    [1800]avp.exe-->advapi32.dll-->kernel32.dll-->FreeLibrary, Type: IAT modification 0x77DC11E4 [unknown_code_page]
    [1800]avp.exe-->advapi32.dll-->kernel32.dll-->GetModuleFileNameW, Type: IAT modification 0x77DC1070 [unknown_code_page]
    [1800]avp.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77DC1218 [unknown_code_page]
    [1800]avp.exe-->advapi32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x77DC1214 [unknown_code_page]
    [1800]avp.exe-->advapi32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x77DC105C [unknown_code_page]
    [1800]avp.exe-->advapi32.dll-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x77DC11E0 [unknown_code_page]
    [1800]avp.exe-->advapi32.dll-->kernel32.dll-->SetErrorMode, Type: IAT modification 0x77DC1058 [unknown_code_page]
    [1800]avp.exe-->advapi32.dll-->kernel32.dll-->SetUnhandledExceptionFilter, Type: IAT modification 0x77DC115C [unknown_code_page]
    [1800]avp.exe-->gdi32.dll-->kernel32.dll-->FreeLibrary, Type: IAT modification 0x77F110B0 [unknown_code_page]
    [1800]avp.exe-->gdi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77F110B4 [unknown_code_page]
    [1800]avp.exe-->gdi32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x77F11084 [unknown_code_page]
    [1800]avp.exe-->gdi32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x77F11078 [unknown_code_page]
    [1800]avp.exe-->gdi32.dll-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x77F110B8 [unknown_code_page]
    [1800]avp.exe-->gdi32.dll-->kernel32.dll-->SetUnhandledExceptionFilter, Type: IAT modification 0x77F1102C [unknown_code_page]
    [1800]avp.exe-->kernel32.dll-->CreateProcessA, Type: IAT modification 0x0041F138 [unknown_code_page]
    [1800]avp.exe-->kernel32.dll-->FreeLibrary, Type: IAT modification 0x0041F1CC [unknown_code_page]
    [1800]avp.exe-->kernel32.dll-->GetModuleFileNameA, Type: IAT modification 0x0041F0E4 [unknown_code_page]
    [1800]avp.exe-->kernel32.dll-->GetModuleFileNameW, Type: IAT modification 0x0041F0E0 [unknown_code_page]
    [1800]avp.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x0041F1C8 [unknown_code_page]
    [1800]avp.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x0041F1C4 [unknown_code_page]
    [1800]avp.exe-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x0041F0B0 [unknown_code_page]
    [1800]avp.exe-->kernel32.dll-->SetErrorMode, Type: IAT modification 0x0041F140 [unknown_code_page]
    [1800]avp.exe-->kernel32.dll-->SetUnhandledExceptionFilter, Type: IAT modification 0x0041F110 [unknown_code_page]
    [1800]avp.exe-->shell32.dll-->kernel32.dll-->CreateProcessW, Type: IAT modification 0x7C9C1844 [unknown_code_page]
    [1800]avp.exe-->shell32.dll-->kernel32.dll-->FreeLibrary, Type: IAT modification 0x7C9C1A7C [unknown_code_page]
    [1800]avp.exe-->shell32.dll-->kernel32.dll-->GetModuleFileNameW, Type: IAT modification 0x7C9C19D0 [unknown_code_page]
    [1800]avp.exe-->shell32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7C9C1A04 [unknown_code_page]
    [1800]avp.exe-->shell32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x7C9C1858 [unknown_code_page]
    [1800]avp.exe-->shell32.dll-->kernel32.dll-->LoadLibraryExA, Type: IAT modification 0x7C9C1A98 [unknown_code_page]
    [1800]avp.exe-->shell32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x7C9C1A78 [unknown_code_page]
    [1800]avp.exe-->shell32.dll-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x7C9C1A00 [unknown_code_page]
    [1800]avp.exe-->shell32.dll-->kernel32.dll-->SetErrorMode, Type: IAT modification 0x7C9C19F0 [unknown_code_page]
    [1800]avp.exe-->shell32.dll-->kernel32.dll-->SetUnhandledExceptionFilter, Type: IAT modification 0x7C9C1848 [unknown_code_page]
    [1800]avp.exe-->user32.dll+0x00002A78, Type: Inline - RelativeJump 0x7E362A78 [user32.dll]
    [1800]avp.exe-->user32.dll-->kernel32.dll-->CreateProcessW, Type: IAT modification 0x7E36127C [unknown_code_page]
    [1800]avp.exe-->user32.dll-->kernel32.dll-->FreeLibrary, Type: IAT modification 0x7E361344 [unknown_code_page]
    [1800]avp.exe-->user32.dll-->kernel32.dll-->GetModuleFileNameA, Type: IAT modification 0x7E3612E4 [unknown_code_page]
    [1800]avp.exe-->user32.dll-->kernel32.dll-->GetModuleFileNameW, Type: IAT modification 0x7E361370 [unknown_code_page]
    [1800]avp.exe-->user32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7E36133C [unknown_code_page]
    [1800]avp.exe-->user32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x7E3612F4 [unknown_code_page]
    [1800]avp.exe-->user32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x7E361208 [unknown_code_page]
    [1800]avp.exe-->user32.dll-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x7E361340 [unknown_code_page]
    [1800]avp.exe-->user32.dll-->kernel32.dll-->SetUnhandledExceptionFilter, Type: IAT modification 0x7E361304 [unknown_code_page]
    [300]avp.exe-->advapi32.dll-->kernel32.dll-->FreeLibrary, Type: IAT modification 0x77DC11E4 [unknown_code_page]
    [300]avp.exe-->advapi32.dll-->kernel32.dll-->GetModuleFileNameW, Type: IAT modification 0x77DC1070 [unknown_code_page]
    [300]avp.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77DC1218 [unknown_code_page]
    [300]avp.exe-->advapi32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x77DC1214 [unknown_code_page]
    [300]avp.exe-->advapi32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x77DC105C [unknown_code_page]
    [300]avp.exe-->advapi32.dll-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x77DC11E0 [unknown_code_page]
    [300]avp.exe-->advapi32.dll-->kernel32.dll-->SetErrorMode, Type: IAT modification 0x77DC1058 [unknown_code_page]
    [300]avp.exe-->advapi32.dll-->kernel32.dll-->SetUnhandledExceptionFilter, Type: IAT modification 0x77DC115C [unknown_code_page]
    [300]avp.exe-->gdi32.dll-->kernel32.dll-->FreeLibrary, Type: IAT modification 0x77F110B0 [unknown_code_page]
    [300]avp.exe-->gdi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77F110B4 [unknown_code_page]
    [300]avp.exe-->gdi32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x77F11084 [unknown_code_page]
    [300]avp.exe-->gdi32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x77F11078 [unknown_code_page]
    [300]avp.exe-->gdi32.dll-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x77F110B8 [unknown_code_page]
    [300]avp.exe-->gdi32.dll-->kernel32.dll-->SetUnhandledExceptionFilter, Type: IAT modification 0x77F1102C [unknown_code_page]
    [300]avp.exe-->kernel32.dll-->CreateProcessA, Type: IAT modification 0x0041F138 [unknown_code_page]
    [300]avp.exe-->kernel32.dll-->FreeLibrary, Type: IAT modification 0x0041F1CC [unknown_code_page]
    [300]avp.exe-->kernel32.dll-->GetModuleFileNameA, Type: IAT modification 0x0041F0E4 [unknown_code_page]
    [300]avp.exe-->kernel32.dll-->GetModuleFileNameW, Type: IAT modification 0x0041F0E0 [unknown_code_page]
    [300]avp.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x0041F1C8 [unknown_code_page]
    [300]avp.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x0041F1C4 [unknown_code_page]
    [300]avp.exe-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x0041F0B0 [unknown_code_page]
    [300]avp.exe-->kernel32.dll-->SetErrorMode, Type: IAT modification 0x0041F140 [unknown_code_page]
    [300]avp.exe-->kernel32.dll-->SetUnhandledExceptionFilter, Type: IAT modification 0x0041F110 [unknown_code_page]
    [300]avp.exe-->shell32.dll-->kernel32.dll-->CreateProcessW, Type: IAT modification 0x7C9C1844 [unknown_code_page]
    [300]avp.exe-->shell32.dll-->kernel32.dll-->FreeLibrary, Type: IAT modification 0x7C9C1A7C [unknown_code_page]
    [300]avp.exe-->shell32.dll-->kernel32.dll-->GetModuleFileNameW, Type: IAT modification 0x7C9C19D0 [unknown_code_page]
    [300]avp.exe-->shell32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7C9C1A04 [unknown_code_page]
    [300]avp.exe-->shell32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x7C9C1858 [unknown_code_page]
    [300]avp.exe-->shell32.dll-->kernel32.dll-->LoadLibraryExA, Type: IAT modification 0x7C9C1A98 [unknown_code_page]
    [300]avp.exe-->shell32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x7C9C1A78 [unknown_code_page]
    [300]avp.exe-->shell32.dll-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x7C9C1A00 [unknown_code_page]
    [300]avp.exe-->shell32.dll-->kernel32.dll-->SetErrorMode, Type: IAT modification 0x7C9C19F0 [unknown_code_page]
    [300]avp.exe-->shell32.dll-->kernel32.dll-->SetUnhandledExceptionFilter, Type: IAT modification 0x7C9C1848 [unknown_code_page]
    [300]avp.exe-->user32.dll+0x00002A78, Type: Inline - RelativeJump 0x7E362A78 [user32.dll]
    [300]avp.exe-->user32.dll-->kernel32.dll-->CreateProcessW, Type: IAT modification 0x7E36127C [unknown_code_page]
    [300]avp.exe-->user32.dll-->kernel32.dll-->FreeLibrary, Type: IAT modification 0x7E361344 [unknown_code_page]
    [300]avp.exe-->user32.dll-->kernel32.dll-->GetModuleFileNameA, Type: IAT modification 0x7E3612E4 [unknown_code_page]
    [300]avp.exe-->user32.dll-->kernel32.dll-->GetModuleFileNameW, Type: IAT modification 0x7E361370 [unknown_code_page]
    [300]avp.exe-->user32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7E36133C [unknown_code_page]
    [300]avp.exe-->user32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x7E3612F4 [unknown_code_page]
    [300]avp.exe-->user32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x7E361208 [unknown_code_page]
    [300]avp.exe-->user32.dll-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x7E361340 [unknown_code_page]
    [300]avp.exe-->user32.dll-->kernel32.dll-->SetUnhandledExceptionFilter, Type: IAT modification 0x7E361304 [unknown_code_page]
    !!POSSIBLE ROOTKIT ACTIVITY DETECTED!! =)
    _________________________________________________

    What should I do in this situation?


  #2
    Senior Helper
    Registered: 10.01.2007
    Posts: 22,817
    Reputation weight: 1524

  #3
    Junior Member
    Registered: 08.06.2009
    Posts: 2
    Reputation weight: 55

    Cure it finds nothing.

    Kaspersky Anti-Virus 8 is silent as well.

  #4
    pig, Senior Member
    Registered: 17.09.2004
    Location: Apatity, Murmansk Oblast, Russia
    Posts: 10,629
    Reputation weight: 1315

    Read it again.

  • Dear Lee Dawson, our specialists have provided you with all the help possible on your request.
