List winnt@man.lodz.pl

Re: [WINNT] Problem with ATMFD

To: winnt@man.lodz.pl
Subject: Re: [WINNT] Problem with ATMFD
From: PM <pm@xx.xx>
Date: Mon, 06 Oct 2014 23:05:45 +0100
On 2014-10-06 22:51, JoteR wrote:
"PM" wrote:

How do I tackle this, or work out what is trying to load the library?
The only thing from Adobe is Flash and nothing more.

This library, although it originally came from Adobe (ATM - Adobe Type
Manager), has been part of the system since, I believe, XP, and is
responsible for handling Type 1 and OpenType fonts. It should be loaded
permanently - the current file version is 5.1.2.238.


That much I know too :(
Process Monitor testifies that csrss and winlogon are poking at it, the version matches, but I still don't know what is going on :/

A log excerpt; I can't conclude much from it, but maybe some kind soul will turn up who can put me on the right track

23:42:34,2242650 csrss.exe 2436 CreateFile C:\WINDOWS\system32\atmfd.dll SUCCESS Desired Access: Generic Read/Execute, Disposition: Open, Options: Synchronous IO Alert, Attributes: N, ShareMode: Read, AllocationSize: n/a, OpenResult: Opened
23:42:34,2455853 csrss.exe 2436 QueryBasicInformationFile C:\WINDOWS\system32\atmfd.dll SUCCESS CreationTime: 2013-06-04 02:58:46, LastAccessTime: 2014-10-06 23:35:49, LastWriteTime: 2013-06-04 02:58:46, ChangeTime: 2014-09-09 18:58:48, FileAttributes: A
23:42:34,2455978 csrss.exe 2436 CloseFile C:\WINDOWS\system32\atmfd.dll SUCCESS
23:42:36,6733257 winlogon.exe 3452 CreateFile C:\WINDOWS\system32\atmfd.dll SUCCESS Desired Access: Execute/Traverse, Disposition: Open, Options: , Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened
23:42:36,6733578 winlogon.exe 3452 CreateFileMapping C:\WINDOWS\system32\atmfd.dll SUCCESS SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE
23:42:36,6733690 winlogon.exe 3452 QueryStandardInformationFile C:\WINDOWS\system32\atmfd.dll SUCCESS AllocationSize: 290 816, EndOfFile: 287 232, NumberOfLinks: 1, DeletePending: False, Directory: False
23:42:36,6733835 winlogon.exe 3452 CreateFileMapping C:\WINDOWS\system32\atmfd.dll SUCCESS SyncType: SyncTypeOther
23:42:36,6734030 winlogon.exe 3452 ReadFile C:\WINDOWS\system32\atmfd.dll SUCCESS Offset: 0, Length: 4 096, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O
23:42:36,7020966 winlogon.exe 3452 CreateFileMapping C:\WINDOWS\system32\atmfd.dll SUCCESS SyncType: SyncTypeOther
23:42:36,7021402 winlogon.exe 3452 QueryStandardInformationFile C:\WINDOWS\system32\atmfd.dll SUCCESS AllocationSize: 290 816, EndOfFile: 287 232, NumberOfLinks: 1, DeletePending: False, Directory: False
23:42:36,7022115 winlogon.exe 3452 ReadFile C:\WINDOWS\system32\atmfd.dll SUCCESS Offset: 1 024, Length: 32 768, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O
23:42:36,7228794 winlogon.exe 3452 ReadFile C:\WINDOWS\system32\atmfd.dll SUCCESS Offset: 33 792, Length: 32 768, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O
23:42:36,7234468 winlogon.exe 3452 ReadFile C:\WINDOWS\system32\atmfd.dll SUCCESS Offset: 66 560, Length: 32 768, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O
23:42:36,7248409 winlogon.exe 3452 ReadFile C:\WINDOWS\system32\atmfd.dll SUCCESS Offset: 99 328, Length: 32 768, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O
23:42:36,7253602 winlogon.exe 3452 ReadFile C:\WINDOWS\system32\atmfd.dll SUCCESS Offset: 132 096, Length: 32 768, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O
23:42:36,7259522 winlogon.exe 3452 ReadFile C:\WINDOWS\system32\atmfd.dll SUCCESS Offset: 164 864, Length: 32 768, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O
23:42:36,7264852 winlogon.exe 3452 ReadFile C:\WINDOWS\system32\atmfd.dll SUCCESS Offset: 197 632, Length: 16 896, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O
23:42:36,7268769 winlogon.exe 3452 ReadFile C:\WINDOWS\system32\atmfd.dll SUCCESS Offset: 214 528, Length: 16 384, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O
23:42:36,7272501 winlogon.exe 3452 ReadFile C:\WINDOWS\system32\atmfd.dll SUCCESS Offset: 230 912, Length: 9 728, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O
23:42:36,7276831 winlogon.exe 3452 ReadFile C:\WINDOWS\system32\atmfd.dll SUCCESS Offset: 240 640, Length: 16 384, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O
23:42:36,7281756 winlogon.exe 3452 ReadFile C:\WINDOWS\system32\atmfd.dll SUCCESS Offset: 257 024, Length: 13 312, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O
23:42:36,7285799 winlogon.exe 3452 ReadFile C:\WINDOWS\system32\atmfd.dll SUCCESS Offset: 270 336, Length: 1 536, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O
23:42:36,7289492 winlogon.exe 3452 ReadFile C:\WINDOWS\system32\atmfd.dll SUCCESS Offset: 271 872, Length: 1 536, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O
23:42:36,7292406 winlogon.exe 3452 ReadFile C:\WINDOWS\system32\atmfd.dll SUCCESS Offset: 273 408, Length: 13 824, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O
23:42:36,7299745 winlogon.exe 3452 CreateFileMapping C:\WINDOWS\system32\atmfd.dll SUCCESS SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE
23:42:36,7299965 winlogon.exe 3452 CreateFileMapping C:\WINDOWS\system32\atmfd.dll SUCCESS SyncType: SyncTypeOther
23:42:36,7300357 winlogon.exe 3452 CloseFile C:\WINDOWS\system32\atmfd.dll SUCCESS

--
PM

--- news://freenews.netfront.net/ - complaints: news@netfront.net ---
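
Added example, not part of PM's message: a Process Monitor excerpt pasted as running text, like the one above, can be split back into events and summarised per process to show which operations touched atmfd.dll, whether an executable section was created over the file, and how many bytes were paged in. The parser assumes the path and result fields contain no spaces, as in this excerpt; the sample events are abridged from the message, and the function names are illustrative.

```python
import re
from collections import defaultdict

STAMP = re.compile(r"(?=\b\d{2}:\d{2}:\d{2},\d{7} )")  # zero-width: start of each event
DLL = r"C:\WINDOWS\system32\atmfd.dll"

# Constructed sample: events abridged from the excerpt above, run together as pasted.
SAMPLE = " ".join([
    "23:42:34,2242650 csrss.exe 2436 CreateFile " + DLL + " SUCCESS Desired Access: Generic Read/Execute",
    "23:42:34,2455978 csrss.exe 2436 CloseFile " + DLL + " SUCCESS",
    "23:42:36,6733257 winlogon.exe 3452 CreateFile " + DLL + " SUCCESS Desired Access: Execute/Traverse",
    "23:42:36,6733578 winlogon.exe 3452 CreateFileMapping " + DLL
    + " SUCCESS SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE",
    "23:42:36,6733690 winlogon.exe 3452 QueryStandardInformationFile " + DLL
    + " SUCCESS AllocationSize: 290 816, EndOfFile: 287 232, NumberOfLinks: 1",
    "23:42:36,6734030 winlogon.exe 3452 ReadFile " + DLL
    + " SUCCESS Offset: 0, Length: 4 096, I/O Flags: Non-cached, Paging I/O",
    "23:42:36,7022115 winlogon.exe 3452 ReadFile " + DLL
    + " SUCCESS Offset: 1 024, Length: 32 768, I/O Flags: Non-cached, Paging I/O",
    "23:42:36,7300357 winlogon.exe 3452 CloseFile " + DLL + " SUCCESS",
])

def _num(label, detail):
    # Procmon prints sizes with a space as thousands separator ("32 768").
    m = re.search(label + r": (\d[\d ]*)", detail)
    return int(m.group(1).replace(" ", "")) if m else None

def summarize(text):
    """Return {(process, pid): stats} for a flattened Procmon excerpt."""
    flat = " ".join(text.split())  # undo line wrapping, fold non-breaking spaces
    procs = defaultdict(lambda: {"ops": defaultdict(int), "exec_section": False,
                                 "paged_bytes": 0, "eof": None})
    for chunk in STAMP.split(flat):
        f = chunk.strip().split(" ", 6)  # time proc pid op path result [detail]
        if len(f) < 6:
            continue
        p = procs[(f[1], int(f[2]))]
        op, detail = f[3], (f[6] if len(f) > 6 else "")
        p["ops"][op] += 1
        if op == "CreateFileMapping" and "PAGE_EXECUTE" in detail:
            p["exec_section"] = True
        if op == "ReadFile" and "Paging I/O" in detail:
            p["paged_bytes"] += _num("Length", detail) or 0
        if op == "QueryStandardInformationFile":
            p["eof"] = _num("EndOfFile", detail)
    return procs

def exec_mappers(procs):
    """Processes that created a PAGE_EXECUTE section over the file."""
    return sorted(k for k, v in procs.items() if v["exec_section"])

if __name__ == "__main__":
    for (name, pid), v in summarize(SAMPLE).items():
        print(name, pid, dict(v["ops"]), v["exec_section"], v["paged_bytes"], v["eof"])
```

On the sample, only winlogon.exe creates a PAGE_EXECUTE section over the file; csrss.exe opens and closes it without mapping it.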
