Hi everyone,
after some 'strange' behaviour (gmer not starting, avira not starting, ...) I managed to generate a log file with GMER renamed

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2009-12-29 22:53:24
Windows 5.1.2600
Running: 0gi6no0m.exe; Driver: C:\DOCUME~1\PREINS~1\IMPOST~1\Temp\pwtdqpog.sys
---- System - GMER 1.0.15 ----
Code 81E40210 ZwEnumerateKey
Code 81E3F328 ZwFlushInstructionCache
Code 81E402E6 IofCallDriver
Code 81E404FE IofCompleteRequest
---- Kernel code sections - GMER 1.0.15 ----
.text TUKERNEL.EXE!KeInitializeInterrupt + B79 804D4F8E 1 Byte [06]
.text TUKERNEL.EXE!IofCallDriver 804EC022 5 Bytes JMP 81E402EB
.text TUKERNEL.EXE!IofCompleteRequest 804EC051 5 Bytes JMP 81E40503
PAGE TUKERNEL.EXE!ZwEnumerateKey 8056A5DC 5 Bytes JMP 81E40214
PAGE TUKERNEL.EXE!ZwFlushInstructionCache 8057C60F 5 Bytes JMP 81E3F32C
.sfreloc C:\WINDOWS\system32\drivers\sfsync04.sys unknown last section [0xF84E8000, 0xBC8, 0x40000040]
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Ntfs \Ntfs avgntmgr.sys (Avira AntiVir File Filter Driver Manager/Avira GmbH)
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 sfsync04.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 sfsync04.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdePort0 sfsync04.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdePort1 sfsync04.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-f sfsync04.sys (StarForce Protection Synchronization Driver/Protection Technology)
AttachedDevice \FileSystem\Fastfat \Fat avgntmgr.sys (Avira AntiVir File Filter Driver Manager/Avira GmbH)
---- Modules - GMER 1.0.15 ----
Module \systemroot\system32\drivers\H8SRTwykridviuy.sys (*** hidden *** ) F702A000-F7046000 (114688 bytes)
---- EOF - GMER 1.0.15 ----
What worries me in particular is sfsync04.sys and, above all, the hidden .sys.
Does anyone have information on these files?
Thanks
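Added example for readers triaging a log like the one above (this is not part of the original post and not GMER's own code): a small Python script that parses the plain-text sections GMER 1.0.15 writes and pulls out the three things worth reading first, namely kernel functions whose first bytes were overwritten with a JMP (the "5 Bytes JMP" lines), other byte patches in kernel code, and modules GMER flags as hidden. It also checks whether each JMP target falls inside any module GMER listed. The line-format regexes are assumptions based only on the lines visible in this log, and the sample input is the log above copied in (Devices section left out because the script does not inspect it).

```python
"""Triage a GMER 1.0.15 text log: inline kernel hooks, byte patches, hidden modules."""
import re

# Lines copied from the GMER log in the post above, embedded here as the sample
# input for this example (the Devices section is omitted because this script
# does not inspect it).
SAMPLE_LOG = r"""
---- System - GMER 1.0.15 ----
Code 81E40210 ZwEnumerateKey
Code 81E3F328 ZwFlushInstructionCache
Code 81E402E6 IofCallDriver
Code 81E404FE IofCompleteRequest
---- Kernel code sections - GMER 1.0.15 ----
.text TUKERNEL.EXE!KeInitializeInterrupt + B79 804D4F8E 1 Byte [06]
.text TUKERNEL.EXE!IofCallDriver 804EC022 5 Bytes JMP 81E402EB
.text TUKERNEL.EXE!IofCompleteRequest 804EC051 5 Bytes JMP 81E40503
PAGE TUKERNEL.EXE!ZwEnumerateKey 8056A5DC 5 Bytes JMP 81E40214
PAGE TUKERNEL.EXE!ZwFlushInstructionCache 8057C60F 5 Bytes JMP 81E3F32C
---- Modules - GMER 1.0.15 ----
Module \systemroot\system32\drivers\H8SRTwykridviuy.sys (*** hidden *** ) F702A000-F7046000 (114688 bytes)
---- EOF - GMER 1.0.15 ----
"""

# "Code <addr> <function>": GMER's summary of kernel functions it found redirected.
# (Line formats below are assumed from the log above, not from GMER documentation.)
SYSTEM_RE = re.compile(r"^Code\s+(?P<addr>[0-9A-F]{8})\s+(?P<function>\S+)$")

# "<section> <module>!<symbol>[ + off] <addr> <n> Byte(s) <patch>": a modified
# range inside a loaded kernel image. <patch> is "JMP <target>" for an inline
# hook or a byte dump such as "[06]" for an arbitrary patch.
PATCH_RE = re.compile(
    r"^(?P<section>\.\w+|PAGE|INIT)\s+(?P<symbol>\S+(?: \+ [0-9A-F]+)?)\s+"
    r"(?P<addr>[0-9A-F]{8})\s+(?P<nbytes>\d+) Bytes?\s+(?P<patch>.+)$")

# "Module <path> [(flags)] <start>-<end> (<size> bytes)"; flags carry "hidden"
# for modules GMER found in memory but absent from the loaded-module list.
MODULE_RE = re.compile(
    r"^Module\s+(?P<path>\S+)\s+(?:\((?P<flags>[^)]*)\)\s+)?"
    r"(?P<start>[0-9A-F]{8})-(?P<end>[0-9A-F]{8})")


def triage(log_text):
    """Return a dict of the findings a responder would want to read first."""
    system_hooks, inline_hooks, byte_patches, modules = [], [], [], []
    for line in log_text.strip().splitlines():
        line = line.strip()
        if m := SYSTEM_RE.match(line):
            system_hooks.append(m.group("function"))
        elif m := PATCH_RE.match(line):
            symbol = m.group("symbol")
            entry = {"symbol": symbol, "addr": m.group("addr"),
                     "function": symbol.split("!")[-1].split(" +")[0],
                     "nbytes": int(m.group("nbytes")), "patch": m.group("patch")}
            if entry["patch"].startswith("JMP "):
                entry["target"] = entry["patch"].split()[1]
                inline_hooks.append(entry)
            else:
                byte_patches.append(entry)
        elif m := MODULE_RE.match(line):
            modules.append({"path": m.group("path"),
                            "start": int(m.group("start"), 16),
                            "end": int(m.group("end"), 16),
                            "hidden": "hidden" in (m.group("flags") or "")})

    def owner(addr_hex):
        # Which listed module (hidden ones included) contains this address, if any.
        addr = int(addr_hex, 16)
        for mod in modules:
            if mod["start"] <= addr < mod["end"]:
                return mod["path"]
        return None

    for hook in inline_hooks:
        hook["target_module"] = owner(hook["target"])

    hooked = {h["function"] for h in inline_hooks}
    return {
        "system_hooks": system_hooks,
        "inline_hooks": inline_hooks,
        "byte_patches": byte_patches,
        "hidden_modules": [m["path"] for m in modules if m["hidden"]],
        # JMP targets outside every module GMER listed: the hook code lives
        # somewhere the Modules section does not account for.
        "unattributed_targets": [h["target"] for h in inline_hooks
                                 if h["target_module"] is None],
        # Functions named in one section but not the other; both empty means
        # the System and Kernel code sections lists agree with each other.
        "system_only": sorted(set(system_hooks) - hooked),
        "patch_only": sorted(hooked - set(system_hooks)),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against the log above, the script lists the four hooked kernel functions (IofCallDriver, IofCompleteRequest, ZwEnumerateKey, ZwFlushInstructionCache), the single one-byte patch near KeInitializeInterrupt, and the hidden module; it also shows that none of the four JMP targets (81E4xxxx/81E3xxxx) lies inside the hidden module's F702A000-F7046000 range, so the Modules section alone does not tell you where the hook code itself sits. The checks are only as good as the regexes, which cover the line shapes present in this log and nothing else.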