Gmer log


4 replies to this topic

#1 billmar123

billmar123

  • Members
  • 2 posts

Posted 13 February 2009 - 12:48 PM

I ran Gmer and this is the result. Can someone please help me to understand it? I can't find any understandable info on it.

Thanks in advance

Bill





GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-02-12 10:58:12
Windows 5.1.2600

---- System - GMER 1.0.14 ----

SSDT \SystemRoot\system32\drivers\sbaphd.sys (Sunbelt ActiveProtection hook driver/Sunbelt Software) ZwCreateKey [0xF7B104D0]
SSDT \SystemRoot\system32\drivers\sbaphd.sys (Sunbelt ActiveProtection hook driver/Sunbelt Software) ZwSetValueKey [0xF7B10520]

---- Kernel code sections - GMER 1.0.14 ----

.text ntoskrnl.exe!ZwCallbackReturn + 23BA 804F7686 2 Bytes [ B1, F7 ]

---- User IAT/EAT - GMER 1.0.14 ----

IAT C:\Program Files\Mozilla Thunderbird\thunderbird.exe[3680] @ C:\WINNT\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryA] [017F7376] C:\Program Files\Mozilla Thunderbird\extensions\talkback@mozilla.org\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Program Files\Mozilla Thunderbird\thunderbird.exe[3680] @ C:\WINNT\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryA] [017F7376] C:\Program Files\Mozilla Thunderbird\extensions\talkback@mozilla.org\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Program Files\Mozilla Thunderbird\thunderbird.exe[3680] @ C:\WINNT\System32\WS2_32.dll [KERNEL32.dll!LoadLibraryA] [017F7376] C:\Program Files\Mozilla Thunderbird\extensions\talkback@mozilla.org\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Program Files\Mozilla Thunderbird\thunderbird.exe[3680] @ C:\WINNT\System32\WS2HELP.dll [KERNEL32.dll!LoadLibraryA] [017F7376] C:\Program Files\Mozilla Thunderbird\extensions\talkback@mozilla.org\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Program Files\Mozilla Thunderbird\thunderbird.exe[3680] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [017F7376] C:\Program Files\Mozilla Thunderbird\extensions\talkback@mozilla.org\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Program Files\Mozilla Thunderbird\thunderbird.exe[3680] @ C:\WINNT\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [017F7376] C:\Program Files\Mozilla Thunderbird\extensions\talkback@mozilla.org\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Program Files\Mozilla Thunderbird\thunderbird.exe[3680] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [017F7376] C:\Program Files\Mozilla Thunderbird\extensions\talkback@mozilla.org\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Program Files\Mozilla Thunderbird\thunderbird.exe[3680] @ C:\WINNT\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [017F7376] C:\Program Files\Mozilla Thunderbird\extensions\talkback@mozilla.org\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Program Files\Mozilla Thunderbird\thunderbird.exe[3680] @ C:\WINNT\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] [017F7376] C:\Program Files\Mozilla Thunderbird\extensions\talkback@mozilla.org\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Program Files\Mozilla Thunderbird\thunderbird.exe[3680] @ C:\WINNT\System32\iphlpapi.dll [KERNEL32.dll!LoadLibraryA] [017F7376] C:\Program Files\Mozilla Thunderbird\extensions\talkback@mozilla.org\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Program Files\Mozilla Thunderbird\thunderbird.exe[3680] @ C:\WINNT\System32\NETAPI32.dll [KERNEL32.dll!LoadLibraryA] [017F7376] C:\Program Files\Mozilla Thunderbird\extensions\talkback@mozilla.org\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Program Files\Mozilla Thunderbird\thunderbird.exe[3680] @ C:\WINNT\System32\Secur32.dll [KERNEL32.dll!LoadLibraryA] [017F7376] C:\Program Files\Mozilla Thunderbird\extensions\talkback@mozilla.org\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Program Files\Mozilla Thunderbird\thunderbird.exe[3680] @ C:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryA] [017F7376] C:\Program Files\Mozilla Thunderbird\extensions\talkback@mozilla.org\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Program Files\Mozilla Thunderbird\thunderbird.exe[3680] @ C:\WINNT\system32\WININET.dll [KERNEL32.dll!LoadLibraryA] [017F7376] C:\Program Files\Mozilla Thunderbird\extensions\talkback@mozilla.org\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Program Files\Mozilla Thunderbird\thunderbird.exe[3680] @ C:\WINNT\system32\USERENV.dll [KERNEL32.dll!LoadLibraryA] [017F7376] C:\Program Files\Mozilla Thunderbird\extensions\talkback@mozilla.org\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs sbapifs.sys (Sunbelt ActiveProtection Filter/Sunbelt Software)
AttachedDevice \Driver\Tcpip \Device\Ip sbtis.sys (Sunbelt TDI Inspection System/Sunbelt Software)
AttachedDevice \Driver\Tcpip \Device\Tcp sbtis.sys (Sunbelt TDI Inspection System/Sunbelt Software)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 hotcore3.sys (A part of Paragon System Utilities/Paragon Software Group)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 hotcore3.sys (A part of Paragon System Utilities/Paragon Software Group)

Device ACPI.sys (ACPI Driver for NT/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Udp sbtis.sys (Sunbelt TDI Inspection System/Sunbelt Software)
AttachedDevice \Driver\Tcpip \Device\RawIp sbtis.sys (Sunbelt TDI Inspection System/Sunbelt Software)
AttachedDevice \FileSystem\Fastfat \Fat sbapifs.sys (Sunbelt ActiveProtection Filter/Sunbelt Software)

---- Registry - GMER 1.0.14 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{7CACDF5A-0E2D-A998-38B4B1D490EAE887}\{83892839-8EE2-C547-3E6DBF0265E34072}\{B9A8F094-A05A-7BFC-2DD781993331EE07}
Reg HKLM\SOFTWARE\Classes\CLSID\{7CACDF5A-0E2D-A998-38B4B1D490EAE887}\{83892839-8EE2-C547-3E6DBF0265E34072}\{B9A8F094-A05A-7BFC-2DD781993331EE07}@S6KI1YERXJTIP3T5RVDI41UR2G1 0x01 0x00 0x01 0x00 ...

---- EOF - GMER 1.0.14 ----


#2 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 13 February 2009 - 01:08 PM

Hello Bill.

There does not appear to be any items of concern.

Are you experiencing any issues that prompted you to run GMER?

With Regards,
The Panda

#3 billmar123

billmar123
  • Topic Starter

  • Members
  • 2 posts

Posted 13 February 2009 - 04:11 PM

No, just wanted to see if I had a problem and didn't know it. Where can I find info on the log?

Thanks

Bill

#4 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 13 February 2009 - 04:19 PM

Hello Bill.

GMER is a very advanced tool, and is not meant for general malware detection and removal.

You can find some documents on its site.

With Regards,
The Panda

#5 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 13 February 2009 - 04:27 PM

Hello.

The GMER log indeed is clean, but the CLSID entry in the Registry section contains embedded nulls that we could remove. I have read somewhere about those CLSIDs, and most of them are 0 bytes, so they won't do any harm. If you want, we can remove it.

Understanding how GMER works exactly and interpreting the logs requires some knowledge on Windows itself.

With Regards,
Extremeboy
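Bill asked where to find information on reading the log, and extremeboy's reply points at the one line in it that deserves a second look (the CLSID path in the Registry section). The script below is an added example, written for this thread rather than taken from it or from GMER itself: it parses GMER's plain-text report format (section headers of the form `---- <Section> - GMER x.y ----`, one record per line, with a `(description/vendor)` tag on records GMER could attribute to a module) and does the two things a helper does when skimming a log like Bill's: tally the hooks per vendor, so it is obvious at a glance that every SSDT, IAT and device hook here belongs to Sunbelt, Paragon, Mozilla Talkback or Microsoft, and flag any `Reg` record whose braced path components are not well-formed 8-4-4-4-12 GUIDs. The sample log is a constructed, shortened copy of the report posted above; the function names and the "canonical GUID" rule are this example's own, not GMER's.

```python
"""Triage helper for a GMER rootkit-scan log (added example, not GMER's code)."""
import re
from collections import Counter, defaultdict

SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER [\d.]+ ----$")
# '(description/vendor)' tag that GMER appends to records it could attribute to a module
VENDOR_RE = re.compile(r"\(([^()/]*)/([^()]*)\)")
# canonical registry GUID: 8-4-4-4-12 hex digits inside braces
GUID_RE = re.compile(r"^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.I)
BRACED_RE = re.compile(r"\{[^}]*\}")

# Constructed sample: a shortened copy of the report posted in this thread.
SAMPLE_LOG = r"""GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-02-12 10:58:12
Windows 5.1.2600

---- System - GMER 1.0.14 ----

SSDT \SystemRoot\system32\drivers\sbaphd.sys (Sunbelt ActiveProtection hook driver/Sunbelt Software) ZwCreateKey [0xF7B104D0]
SSDT \SystemRoot\system32\drivers\sbaphd.sys (Sunbelt ActiveProtection hook driver/Sunbelt Software) ZwSetValueKey [0xF7B10520]

---- User IAT/EAT - GMER 1.0.14 ----

IAT C:\Program Files\Mozilla Thunderbird\thunderbird.exe[3680] @ C:\WINNT\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryA] [017F7376] C:\Program Files\Mozilla Thunderbird\extensions\talkback@mozilla.org\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs sbapifs.sys (Sunbelt ActiveProtection Filter/Sunbelt Software)
AttachedDevice \Driver\Tcpip \Device\Tcp sbtis.sys (Sunbelt TDI Inspection System/Sunbelt Software)
Device ACPI.sys (ACPI Driver for NT/Microsoft Corporation)

---- Registry - GMER 1.0.14 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{7CACDF5A-0E2D-A998-38B4B1D490EAE887}\{83892839-8EE2-C547-3E6DBF0265E34072}\{B9A8F094-A05A-7BFC-2DD781993331EE07}
Reg HKLM\SOFTWARE\Classes\CLSID\{7CACDF5A-0E2D-A998-38B4B1D490EAE887}\{83892839-8EE2-C547-3E6DBF0265E34072}\{B9A8F094-A05A-7BFC-2DD781993331EE07}@S6KI1YERXJTIP3T5RVDI41UR2G1 0x01 0x00 0x01 0x00 ...

---- EOF - GMER 1.0.14 ----
"""


def parse_gmer_log(text):
    """Group non-empty lines by the section header they follow. Lines before the
    first header (tool version, scan time, OS) land under 'Header'; a section
    with no records (such as 'EOF') is simply absent from the result."""
    sections = defaultdict(list)
    current = "Header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            current = header.group("name")
            continue
        sections[current].append(line)
    return dict(sections)


def hooks_by_vendor(entries):
    """Count records per (description, vendor) so the reviewer sees who owns the
    SSDT/IAT/device hooks; a record without a vendor tag counts as unknown."""
    counts = Counter()
    for line in entries:
        tags = VENDOR_RE.findall(line)
        if tags:
            desc, vendor = tags[-1]
            counts[(desc.strip(), vendor.strip())] += 1
        else:
            counts[("<unknown>", "<unknown>")] += 1
    return counts


def non_canonical_guid_keys(entries):
    """Return [(key_path, [bad components])] for 'Reg' records whose braced path
    components are not 8-4-4-4-12 GUIDs. GMER lists keys it cannot enumerate the
    normal way (names with embedded nulls are one cause); a malformed GUID under
    CLSID is a reason to look closer, not proof of anything by itself."""
    flagged = {}
    for line in entries:
        if not line.startswith("Reg "):
            continue
        key = line[4:].split("@", 1)[0]  # drop the '@value data' suffix, if any
        bad = [g for g in BRACED_RE.findall(key) if not GUID_RE.match(g)]
        if bad:
            flagged.setdefault(key, bad)  # one entry per key even if printed twice
    return list(flagged.items())


def triage(text):
    """One-shot summary: per-section vendor counts plus flagged registry keys."""
    sections = parse_gmer_log(text)
    hook_sections = ("System", "Kernel code sections", "User IAT/EAT", "Devices")
    hooks = {name: hooks_by_vendor(sections[name]) for name in hook_sections if name in sections}
    return {"hooks": hooks, "registry": non_canonical_guid_keys(sections.get("Registry", []))}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for section, counts in report["hooks"].items():
        print(section)
        for (desc, vendor), n in counts.most_common():
            print(f"  {n:2d}  {vendor}: {desc}")
    for key, bad in report["registry"]:
        print("Registry key with non-canonical GUID component(s):", key)
        print("   ", ", ".join(bad))
```

Run against the full log from this thread the vendor tally is the quick way to confirm what PropagandaPanda said (every hook is attributable to installed software), and the registry check singles out exactly the path extremeboy mentioned: all three braced components are 8-4-4-16 rather than 8-4-4-4-12, which is why GMER reports the key at all. Treat a hit from that check as a prompt to research the key, not as a verdict.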



