Junior Member (reputation weight: 55)
Suspected rootkit
Good day,
please take a look at this Rootkit Unhooker log
_________________________________________________
>SSDT State
>Shadow
NtGdiBitBlt
Actual Address 0xF6706938
Hooked by: C:\WINDOWS\system32\DRIVERS\klif.sys
NtGdiMaskBlt
Actual Address 0xF6706998
Hooked by: C:\WINDOWS\system32\DRIVERS\klif.sys
NtGdiPlgBlt
Actual Address 0xF67069C8
Hooked by: C:\WINDOWS\system32\DRIVERS\klif.sys
NtGdiStretchBlt
Actual Address 0xF6706968
Hooked by: C:\WINDOWS\system32\DRIVERS\klif.sys
NtUserAttachThreadInput
Actual Address 0xF6705E28
Hooked by: C:\WINDOWS\system32\DRIVERS\klif.sys
NtUserCallOneParam
Actual Address 0xF6706FF8
Hooked by: C:\WINDOWS\system32\DRIVERS\klif.sys
NtUserFindWindowEx
Actual Address 0xF6706106
Hooked by: C:\WINDOWS\system32\DRIVERS\klif.sys
NtUserGetAsyncKeyState
Actual Address 0xF6705D68
Hooked by: C:\WINDOWS\system32\DRIVERS\klif.sys
NtUserGetKeyboardState
Actual Address 0xF6705DC8
Hooked by: C:\WINDOWS\system32\DRIVERS\klif.sys
NtUserGetKeyState
Actual Address 0xF6705D98
Hooked by: C:\WINDOWS\system32\DRIVERS\klif.sys
NtUserMessageCall
Actual Address 0xF670849C
Hooked by: C:\WINDOWS\system32\DRIVERS\klif.sys
NtUserPostMessage
Actual Address 0xF67084F4
Hooked by: C:\WINDOWS\system32\DRIVERS\klif.sys
NtUserPostThreadMessage
Actual Address 0xF6708520
Hooked by: C:\WINDOWS\system32\DRIVERS\klif.sys
NtUserRegisterRawInputDevices
Actual Address 0xF6706FA2
Hooked by: C:\WINDOWS\system32\DRIVERS\klif.sys
NtUserSendInput
Actual Address 0xF67060E0
Hooked by: C:\WINDOWS\system32\DRIVERS\klif.sys
NtUserSetWindowsHookEx
Actual Address 0xF6705806
Hooked by: C:\WINDOWS\system32\DRIVERS\klif.sys
NtUserSetWinEventHook
Actual Address 0xF67059F2
Hooked by: C:\WINDOWS\system32\DRIVERS\klif.sys
>Processes
>Drivers
>Stealth
>Files
>Hooks
ntoskrnl.exe+0x00004AA2, Type: Inline - RelativeJump 0x804DBAA2 [TUKERNEL.EXE]
ntoskrnl.exe-->IoCreateDevice, Type: EAT modification 0x80683874 [kl1.sys]
tcpip.sys-->ntoskrnl.exe-->IoCreateDevice, Type: IAT modification 0xF66A9488 [kl1.sys]
wanarp.sys-->ntoskrnl.exe-->IoCreateDevice, Type: IAT modification 0xF86BBC08 [kl1.sys]
[1800]avp.exe-->advapi32.dll-->kernel32.dll-->FreeLibrary, Type: IAT modification 0x77DC11E4 [unknown_code_page]
[1800]avp.exe-->advapi32.dll-->kernel32.dll-->GetModuleFileNameW, Type: IAT modification 0x77DC1070 [unknown_code_page]
[1800]avp.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77DC1218 [unknown_code_page]
[1800]avp.exe-->advapi32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x77DC1214 [unknown_code_page]
[1800]avp.exe-->advapi32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x77DC105C [unknown_code_page]
[1800]avp.exe-->advapi32.dll-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x77DC11E0 [unknown_code_page]
[1800]avp.exe-->advapi32.dll-->kernel32.dll-->SetErrorMode, Type: IAT modification 0x77DC1058 [unknown_code_page]
[1800]avp.exe-->advapi32.dll-->kernel32.dll-->SetUnhandledExceptionFilter, Type: IAT modification 0x77DC115C [unknown_code_page]
[1800]avp.exe-->gdi32.dll-->kernel32.dll-->FreeLibrary, Type: IAT modification 0x77F110B0 [unknown_code_page]
[1800]avp.exe-->gdi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77F110B4 [unknown_code_page]
[1800]avp.exe-->gdi32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x77F11084 [unknown_code_page]
[1800]avp.exe-->gdi32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x77F11078 [unknown_code_page]
[1800]avp.exe-->gdi32.dll-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x77F110B8 [unknown_code_page]
[1800]avp.exe-->gdi32.dll-->kernel32.dll-->SetUnhandledExceptionFilter, Type: IAT modification 0x77F1102C [unknown_code_page]
[1800]avp.exe-->kernel32.dll-->CreateProcessA, Type: IAT modification 0x0041F138 [unknown_code_page]
[1800]avp.exe-->kernel32.dll-->FreeLibrary, Type: IAT modification 0x0041F1CC [unknown_code_page]
[1800]avp.exe-->kernel32.dll-->GetModuleFileNameA, Type: IAT modification 0x0041F0E4 [unknown_code_page]
[1800]avp.exe-->kernel32.dll-->GetModuleFileNameW, Type: IAT modification 0x0041F0E0 [unknown_code_page]
[1800]avp.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x0041F1C8 [unknown_code_page]
[1800]avp.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x0041F1C4 [unknown_code_page]
[1800]avp.exe-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x0041F0B0 [unknown_code_page]
[1800]avp.exe-->kernel32.dll-->SetErrorMode, Type: IAT modification 0x0041F140 [unknown_code_page]
[1800]avp.exe-->kernel32.dll-->SetUnhandledExceptionFilter, Type: IAT modification 0x0041F110 [unknown_code_page]
[1800]avp.exe-->shell32.dll-->kernel32.dll-->CreateProcessW, Type: IAT modification 0x7C9C1844 [unknown_code_page]
[1800]avp.exe-->shell32.dll-->kernel32.dll-->FreeLibrary, Type: IAT modification 0x7C9C1A7C [unknown_code_page]
[1800]avp.exe-->shell32.dll-->kernel32.dll-->GetModuleFileNameW, Type: IAT modification 0x7C9C19D0 [unknown_code_page]
[1800]avp.exe-->shell32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7C9C1A04 [unknown_code_page]
[1800]avp.exe-->shell32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x7C9C1858 [unknown_code_page]
[1800]avp.exe-->shell32.dll-->kernel32.dll-->LoadLibraryExA, Type: IAT modification 0x7C9C1A98 [unknown_code_page]
[1800]avp.exe-->shell32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x7C9C1A78 [unknown_code_page]
[1800]avp.exe-->shell32.dll-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x7C9C1A00 [unknown_code_page]
[1800]avp.exe-->shell32.dll-->kernel32.dll-->SetErrorMode, Type: IAT modification 0x7C9C19F0 [unknown_code_page]
[1800]avp.exe-->shell32.dll-->kernel32.dll-->SetUnhandledExceptionFilter, Type: IAT modification 0x7C9C1848 [unknown_code_page]
[1800]avp.exe-->user32.dll+0x00002A78, Type: Inline - RelativeJump 0x7E362A78 [user32.dll]
[1800]avp.exe-->user32.dll-->kernel32.dll-->CreateProcessW, Type: IAT modification 0x7E36127C [unknown_code_page]
[1800]avp.exe-->user32.dll-->kernel32.dll-->FreeLibrary, Type: IAT modification 0x7E361344 [unknown_code_page]
[1800]avp.exe-->user32.dll-->kernel32.dll-->GetModuleFileNameA, Type: IAT modification 0x7E3612E4 [unknown_code_page]
[1800]avp.exe-->user32.dll-->kernel32.dll-->GetModuleFileNameW, Type: IAT modification 0x7E361370 [unknown_code_page]
[1800]avp.exe-->user32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7E36133C [unknown_code_page]
[1800]avp.exe-->user32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x7E3612F4 [unknown_code_page]
[1800]avp.exe-->user32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x7E361208 [unknown_code_page]
[1800]avp.exe-->user32.dll-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x7E361340 [unknown_code_page]
[1800]avp.exe-->user32.dll-->kernel32.dll-->SetUnhandledExceptionFilter, Type: IAT modification 0x7E361304 [unknown_code_page]
[300]avp.exe-->advapi32.dll-->kernel32.dll-->FreeLibrary, Type: IAT modification 0x77DC11E4 [unknown_code_page]
[300]avp.exe-->advapi32.dll-->kernel32.dll-->GetModuleFileNameW, Type: IAT modification 0x77DC1070 [unknown_code_page]
[300]avp.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77DC1218 [unknown_code_page]
[300]avp.exe-->advapi32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x77DC1214 [unknown_code_page]
[300]avp.exe-->advapi32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x77DC105C [unknown_code_page]
[300]avp.exe-->advapi32.dll-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x77DC11E0 [unknown_code_page]
[300]avp.exe-->advapi32.dll-->kernel32.dll-->SetErrorMode, Type: IAT modification 0x77DC1058 [unknown_code_page]
[300]avp.exe-->advapi32.dll-->kernel32.dll-->SetUnhandledExceptionFilter, Type: IAT modification 0x77DC115C [unknown_code_page]
[300]avp.exe-->gdi32.dll-->kernel32.dll-->FreeLibrary, Type: IAT modification 0x77F110B0 [unknown_code_page]
[300]avp.exe-->gdi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77F110B4 [unknown_code_page]
[300]avp.exe-->gdi32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x77F11084 [unknown_code_page]
[300]avp.exe-->gdi32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x77F11078 [unknown_code_page]
[300]avp.exe-->gdi32.dll-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x77F110B8 [unknown_code_page]
[300]avp.exe-->gdi32.dll-->kernel32.dll-->SetUnhandledExceptionFilter, Type: IAT modification 0x77F1102C [unknown_code_page]
[300]avp.exe-->kernel32.dll-->CreateProcessA, Type: IAT modification 0x0041F138 [unknown_code_page]
[300]avp.exe-->kernel32.dll-->FreeLibrary, Type: IAT modification 0x0041F1CC [unknown_code_page]
[300]avp.exe-->kernel32.dll-->GetModuleFileNameA, Type: IAT modification 0x0041F0E4 [unknown_code_page]
[300]avp.exe-->kernel32.dll-->GetModuleFileNameW, Type: IAT modification 0x0041F0E0 [unknown_code_page]
[300]avp.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x0041F1C8 [unknown_code_page]
[300]avp.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x0041F1C4 [unknown_code_page]
[300]avp.exe-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x0041F0B0 [unknown_code_page]
[300]avp.exe-->kernel32.dll-->SetErrorMode, Type: IAT modification 0x0041F140 [unknown_code_page]
[300]avp.exe-->kernel32.dll-->SetUnhandledExceptionFilter, Type: IAT modification 0x0041F110 [unknown_code_page]
[300]avp.exe-->shell32.dll-->kernel32.dll-->CreateProcessW, Type: IAT modification 0x7C9C1844 [unknown_code_page]
[300]avp.exe-->shell32.dll-->kernel32.dll-->FreeLibrary, Type: IAT modification 0x7C9C1A7C [unknown_code_page]
[300]avp.exe-->shell32.dll-->kernel32.dll-->GetModuleFileNameW, Type: IAT modification 0x7C9C19D0 [unknown_code_page]
[300]avp.exe-->shell32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7C9C1A04 [unknown_code_page]
[300]avp.exe-->shell32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x7C9C1858 [unknown_code_page]
[300]avp.exe-->shell32.dll-->kernel32.dll-->LoadLibraryExA, Type: IAT modification 0x7C9C1A98 [unknown_code_page]
[300]avp.exe-->shell32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x7C9C1A78 [unknown_code_page]
[300]avp.exe-->shell32.dll-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x7C9C1A00 [unknown_code_page]
[300]avp.exe-->shell32.dll-->kernel32.dll-->SetErrorMode, Type: IAT modification 0x7C9C19F0 [unknown_code_page]
[300]avp.exe-->shell32.dll-->kernel32.dll-->SetUnhandledExceptionFilter, Type: IAT modification 0x7C9C1848 [unknown_code_page]
[300]avp.exe-->user32.dll+0x00002A78, Type: Inline - RelativeJump 0x7E362A78 [user32.dll]
[300]avp.exe-->user32.dll-->kernel32.dll-->CreateProcessW, Type: IAT modification 0x7E36127C [unknown_code_page]
[300]avp.exe-->user32.dll-->kernel32.dll-->FreeLibrary, Type: IAT modification 0x7E361344 [unknown_code_page]
[300]avp.exe-->user32.dll-->kernel32.dll-->GetModuleFileNameA, Type: IAT modification 0x7E3612E4 [unknown_code_page]
[300]avp.exe-->user32.dll-->kernel32.dll-->GetModuleFileNameW, Type: IAT modification 0x7E361370 [unknown_code_page]
[300]avp.exe-->user32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7E36133C [unknown_code_page]
[300]avp.exe-->user32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x7E3612F4 [unknown_code_page]
[300]avp.exe-->user32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x7E361208 [unknown_code_page]
[300]avp.exe-->user32.dll-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x7E361340 [unknown_code_page]
[300]avp.exe-->user32.dll-->kernel32.dll-->SetUnhandledExceptionFilter, Type: IAT modification 0x7E361304 [unknown_code_page]
!!POSSIBLE ROOTKIT ACTIVITY DETECTED!! =)
_________________________________________________
What should I do in this situation?
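An added triage helper for reports in the layout posted above (this is example code written for this page, not part of the thread and not a Rootkit Unhooker tool): it parses the SSDT Shadow entries and the Hooks section, groups every hook by the module RkU attributes it to, and splits the result into modules the analyst has already vouched for and modules that still need review. The sample input is a constructed excerpt of the log above; the allow-list of vouched modules is an assumption that must be confirmed on the machine itself (for example by checking the driver file's vendor and digital signature), not something the log proves.

```python
import re
from collections import defaultdict

# Constructed excerpt in the layout of the Rootkit Unhooker (RkU) report
# posted above: a few of its SSDT Shadow entries and Hooks lines, verbatim.
SAMPLE_REPORT = r"""
>SSDT State
>Shadow
NtGdiBitBlt
Actual Address 0xF6706938
Hooked by: C:\WINDOWS\system32\DRIVERS\klif.sys
NtUserSetWindowsHookEx
Actual Address 0xF6705806
Hooked by: C:\WINDOWS\system32\DRIVERS\klif.sys
>Processes
>Drivers
>Stealth
>Files
>Hooks
ntoskrnl.exe+0x00004AA2, Type: Inline - RelativeJump 0x804DBAA2 [TUKERNEL.EXE]
ntoskrnl.exe-->IoCreateDevice, Type: EAT modification 0x80683874 [kl1.sys]
[1800]avp.exe-->kernel32.dll-->CreateProcessA, Type: IAT modification 0x0041F138 [unknown_code_page]
[300]avp.exe-->user32.dll+0x00002A78, Type: Inline - RelativeJump 0x7E362A78 [user32.dll]
"""

# One ">Hooks" line: optional [pid], the hooked target chain, the hook type,
# the address the hook points to, and the module RkU resolved that address to.
HOOK_RE = re.compile(
    r"^(?:\[(?P<pid>\d+)\])?(?P<target>.+?), Type: (?P<type>.+?) "
    r"(?P<addr>0x[0-9A-Fa-f]+) \[(?P<module>[^\]]+)\]$"
)
ADDR_RE = re.compile(r"^Actual Address (0x[0-9A-Fa-f]+)$")
HOOKED_BY_RE = re.compile(r"^Hooked by: (.+)$")


def parse_report(text):
    """Return (ssdt_entries, hook_entries) parsed from an RkU text report."""
    section = None
    pending = None  # SSDT entry whose address / "Hooked by" lines are still coming
    ssdt, hooks = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(">"):  # section header, e.g. ">Shadow" or ">Hooks"
            section = line[1:]
            pending = None
            continue
        if section in ("SSDT State", "Shadow"):
            m = ADDR_RE.match(line)
            if m and pending is not None:
                pending["address"] = m.group(1)
                continue
            m = HOOKED_BY_RE.match(line)
            if m and pending is not None:
                pending["path"] = m.group(1)
                pending["module"] = m.group(1).rsplit("\\", 1)[-1]
                ssdt.append(pending)
                pending = None
                continue
            pending = {"table": section, "function": line}  # a new entry starts
        elif section == "Hooks":
            m = HOOK_RE.match(line)
            if m:
                entry = m.groupdict()
                entry["pid"] = int(entry["pid"]) if entry["pid"] else None
                hooks.append(entry)
    return ssdt, hooks


def triage(ssdt, hooks, vouched_modules):
    """Group hooks by the module RkU attributes them to and split them into
    modules the analyst has verified on the host (e.g. a signed driver of the
    installed security product) and modules that still need review."""
    by_module = defaultdict(list)
    for e in ssdt:
        by_module[e["module"].lower()].append(f"{e['table']}:{e['function']}")
    for h in hooks:
        by_module[h["module"].lower()].append(f"{h['target']} ({h['type']})")
    vouched = {m.lower() for m in vouched_modules}
    return {
        "vouched": {m: v for m, v in by_module.items() if m in vouched},
        "review": {m: v for m, v in by_module.items() if m not in vouched},
    }


if __name__ == "__main__":
    ssdt_entries, hook_entries = parse_report(SAMPLE_REPORT)
    # Assumed allow-list: the two driver names the posted log attributes most
    # hooks to; the analyst must confirm they belong to the installed product.
    result = triage(ssdt_entries, hook_entries, {"klif.sys", "kl1.sys"})
    for bucket, modules in result.items():
        print(bucket.upper())
        for module, items in sorted(modules.items()):
            print(f"  {module}: {len(items)} hook(s)")
            for item in items:
                print(f"    {item}")
```

Entries attributed to `unknown_code_page` are the ones worth the most attention in the review bucket, because RkU could not map the hook target to any loaded module; whether they are a security product's own self-protection or something else can only be settled by inspecting that process on the host, not from the log alone.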
Junior Member (reputation weight: 55)
Cure it finds nothing.
Kaspersky Anti-Virus 8 is also silent.