prosím o kontrolu logu, díky

[motji]

Já se zkusím zeptám kolegů.
Ale když už jste tu, uděláme test na rootkity, pro jistotu

Stáhněte Gmer http://www.viry.cz/forum/viewtopic.php?f=29&t=62878
- rozbalte a spusťte
-proběhne sken, po skončení se otevře okno s výsledky, klikněte na Save a tím si uložíte log,který sem vložíte

-Podle návodu v odkazu provedete druhý sken a log sem také vložíte.

[gugacka]

tak gmer v prostřed scenu spadne, napíše mi to chybu a když ho pak spustím znovu tak modrá smrt a restart, po restartu, se to chová stejně

[motji]

Jak stejně?

[gugacka]

jako že se mi restartuje pc, znovu pustim gmer, zase v asi (nevim přesně) v půlce scenu spadne a zase ho znovu spustim - modrá smrt a zase dokola , někde tam je něco, ale už mě to přestává bavit hledat (vás asi taky) kurňa, crecky pitomý, bych ho praštil

[motji]

Zkuste ho spustit v nouzovém režimu, pokud nepůjde, zkuste rootrepeal.
Jsou v gmeru nějaké červené řádky?

Stáhněte
http://rootrepeal.googlepages.com/RootRepeal.zip
-Stáhněte,rozbalte a spusťte
-vyberte záložku Files, klikněte na Scan,
-proběhne sken, po něm klikněte na Save Report , tím se uloží log, který zkopírujete sem

-postupně vyberte všechny záložky a udělejte skeny.

[gugacka]

tak červené řádky nebyli, v nouzovém režimu se mi povedlo log uložit, pak po stisku ok spadl taky, ale log mám

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-21 23:16:41
Windows 6.1.7600
Running: gmer.exe; Driver: C:\Users\Martin\AppData\Local\Temp\pgryypow.sys


---- System - GMER 1.0.15 ----

INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8201FAF8
INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8201F104
INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8201F3F4
INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 820082D8
INT 0xD2 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82007898
INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8201F1DC
INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8201F958
INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8201F6F8
INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8201FF2C
INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 820201A8

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 8207F599 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 820A3F52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\Explorer.EXE[1136] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [74842494] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1136] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [74825624] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1136] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [748256E2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1136] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [7484250F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1136] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [74838573] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1136] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [74834D27] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1136] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [748350CE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1136] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [748351A3] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1136] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [748366D0] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1136] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [748382CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1136] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [74838819] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1136] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [7483907A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1136] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [7483E21D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1136] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [74834C59] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

[gugacka]

root repeal:

FOPS -device control error

[motji]

Já tam nic nevidím

Stahněte OTC a použijte
http://oldtimer.geekstogo.com/OTC.exe
-počítač se restartuje

Zkuste ještě opravu přes win7 manager,ale je v angličtině a návod nemám
http://www.yamicsoft.com/windows7manage ... anager.exe

[gugacka]

tak po otc beze změny, hrál jsem si ještě s gmerem, vystřihl jsem obrázek s chybou, je v příloze, třeba tam něco zahlídnete, jinak win 7 manager znám, výborná věc, ale v tomto případě nepomohla

[motji]

Jak dlouho je ten systém nainstalovaný? Pokud Váš kamarád spouští cracky a pod, a má ho co chvilka zavirovaný, může být nabořený systém.
Nevíte, jak dlouho mu to to spojení neukazuje? Od kdy? Neinstaloval nějaký nový program?
Můžete se podívat do správce zařízení, jestli někde nejsou žluté otazníky?

[motji]

Jak to tu vypadá?

[herak75]

Zdravim obcas mi spadne system - modra smrt a hotovo, ted se to ale zacalo zhorsovat. bluescreenview hlasi problem v " halmacpi.dll+ef3f "
nize uvadim vypis z gmer. prosim o radu
diky michal

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-06-11 20:41:53
Windows 6.1.7600
Running: gmer.exe; Driver: C:\Users\WAHARA~1\AppData\Local\Temp\pxrdypog.sys


---- System - GMER 1.0.15 ----

SSDT 86732048 ZwAlertResumeThread
SSDT 8672DA48 ZwAlertThread
SSDT 868AFA90 ZwAllocateVirtualMemory
SSDT 85EB8F08 ZwAlpcConnectPort
SSDT 867273F0 ZwAssignProcessToJobObject
SSDT 868BCEB0 ZwCreateMutant
SSDT 868BC8B8 ZwCreateSymbolicLinkObject
SSDT 868AFEA0 ZwCreateThread
SSDT 868BC988 ZwCreateThreadEx
SSDT 86728A90 ZwDebugActiveProcess
SSDT 868AFBE8 ZwDuplicateObject
SSDT 868AF8F0 ZwFreeVirtualMemory
SSDT 86744048 ZwImpersonateAnonymousToken
SSDT 867362B8 ZwImpersonateThread
SSDT 85E53868 ZwLoadDriver
SSDT 868AF810 ZwMapViewOfSection
SSDT 86745048 ZwOpenEvent
SSDT 868AFD88 ZwOpenProcess
SSDT 85FD6A00 ZwOpenProcessToken
SSDT 8674D048 ZwOpenSection
SSDT 868AFCB8 ZwOpenThread
SSDT 868BCA68 ZwProtectVirtualMemory
SSDT 8671F048 ZwResumeThread
SSDT 866BE138 ZwSetContextThread
SSDT 868AF6B8 ZwSetInformationProcess
SSDT 86726048 ZwSetSystemInformation
SSDT 86746048 ZwSuspendProcess
SSDT 8671E048 ZwSuspendThread
SSDT 85FEED28 ZwTerminateProcess
SSDT 866C0400 ZwTerminateThread
SSDT 866B2DD0 ZwUnmapViewOfSection
SSDT 868AF9C0 ZwWriteVirtualMemory

INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83028AF8
INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83028104
INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 830283F4
INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83010FB4
INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 830281DC
INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83028958
INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 830286F8
INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83028F2C
INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 830291A8

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwSaveKeyEx + 13B1 82C438E9 1 Byte [06]
.text ntoskrnl.exe!KiDispatchInterrupt + 5A2 82C633D2 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntoskrnl.exe!KeRemoveQueueEx + 139B 82C6A668 8 Bytes [48, 20, 73, 86, 48, DA, 72, ...] {DEC EAX; AND [EBX-0x7a], DH; DEC EAX; FIDIV DWORD [EDX-0x7a]}
.text ntoskrnl.exe!KeRemoveQueueEx + 13B3 82C6A680 4 Bytes [90, FA, 8A, 86]
.text ntoskrnl.exe!KeRemoveQueueEx + 13BF 82C6A68C 4 Bytes [08, 8F, EB, 85]
.text ntoskrnl.exe!KeRemoveQueueEx + 1413 82C6A6E0 4 Bytes [F0, 73, 72, 86]
.text ntoskrnl.exe!KeRemoveQueueEx + 148F 82C6A75C 4 Bytes [B0, CE, 8B, 86]
.text ...
.text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x9343A000, 0x267978, 0xE8000020]
.text peauth.sys 92E85C9E 27 Bytes [3E, 3A, 6A, DF, AB, F3, DB, ...]
.text peauth.sys 92E85CC2 27 Bytes [3E, 3A, 6A, DF, AB, F3, DB, ...]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[5164] ntdll.dll!LdrLoadDll 77A0F585 5 Bytes JMP 01AC003A

---- Devices - GMER 1.0.15 ----

Device \Driver\ACPI_HAL \Device\00000054 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\tdx \Device\Tcp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume5 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume5 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Udp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\tdx \Device\RawIp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)

---- EOF - GMER 1.0.15 ----

[motji]

herak75
Dobrý večer, založte si prosím vlastní topic, takto by se to pletlo .
Díky.
Mimo výpisu z Gmeru vložte i log ze Rsitu, viz můj podpis .
Můžete sem dát odkaz na topic, a já se Vás ujmu .

[herak75]

pardon
http://www.viry.cz/forum/viewtopic.php?f=13&t=101902

[motji]