
log analyses

  1. #1
    Junior Member Reputation
    Registered
    27.08.2008
    Posts
    2
    Reputation weight
    31

    log analyses

    I am new here, I am from Brazil, and would like somebody to analyze this log. Thanks




    <AVZ_CollectSysInfo>
    --------------------
    Start time: 2008-08-27 07:56
    Duration: 00:06:38
    Finish time: 2008-08-27 08:03

    <AVZ_CollectSysInfo>
    --------------------
    Time Event
    ---- -----
    2008-08-27 07:56 Windows version: Microsoft Windows XP, Build=2600, SP="Service Pack 3"
    2008-08-27 07:56 System Restore: enabled
    2008-08-27 07:56 1.1 Searching for user-mode API hooks
    2008-08-27 07:56 Analysis: kernel32.dll, export table found in section .text
    2008-08-27 07:56 Function kernel32.dll:CreateProcessA (99) intercepted, method ProcAddressHijack.GetProcAddress ->7C80236B->61F03F42
    2008-08-27 07:56 Hook kernel32.dll:CreateProcessA (99) blocked
    2008-08-27 07:56 Function kernel32.dll:CreateProcessW (103) intercepted, method ProcAddressHijack.GetProcAddress ->7C802336->61F04040
    2008-08-27 07:56 Hook kernel32.dll:CreateProcessW (103) blocked
    2008-08-27 07:56 Function kernel32.dll:FreeLibrary (241) intercepted, method ProcAddressHijack.GetProcAddress ->7C80AC6E->61F041FC
    2008-08-27 07:56 Hook kernel32.dll:FreeLibrary (241) blocked
    2008-08-27 07:56 Function kernel32.dll:GetModuleFileNameA (373) intercepted, method ProcAddressHijack.GetProcAddress ->7C80B55F->61F040FB
    2008-08-27 07:56 Hook kernel32.dll:GetModuleFileNameA (373) blocked
    2008-08-27 07:56 Function kernel32.dll:GetModuleFileNameW (374) intercepted, method ProcAddressHijack.GetProcAddress ->7C80B465->61F041A0
    2008-08-27 07:56 Hook kernel32.dll:GetModuleFileNameW (374) blocked
    2008-08-27 07:56 Function kernel32.dll:GetProcAddress (409) intercepted, method ProcAddressHijack.GetProcAddress ->7C80AE30->61F04648
    2008-08-27 07:56 Hook kernel32.dll:GetProcAddress (409) blocked
    2008-08-27 07:56 Function kernel32.dll:LoadLibraryA (581) intercepted, method ProcAddressHijack.GetProcAddress ->7C801D7B->61F03C6F
    2008-08-27 07:56 Hook kernel32.dll:LoadLibraryA (581) blocked
    2008-08-27 07:56 >>> Functions LoadLibraryA - preventing AVZ process from being intercepted by address replacement !!)
    2008-08-27 07:56 Function kernel32.dll:LoadLibraryExA (582) intercepted, method ProcAddressHijack.GetProcAddress ->7C801D53->61F03DAF
    2008-08-27 07:56 Hook kernel32.dll:LoadLibraryExA (582) blocked
    2008-08-27 07:56 >>> Functions LoadLibraryExA - preventing AVZ process from being intercepted by address replacement !!)
    2008-08-27 07:56 Function kernel32.dll:LoadLibraryExW (583) intercepted, method ProcAddressHijack.GetProcAddress ->7C801AF5->61F03E5A
    2008-08-27 07:56 Hook kernel32.dll:LoadLibraryExW (583) blocked
    2008-08-27 07:56 Function kernel32.dll:LoadLibraryW (584) intercepted, method ProcAddressHijack.GetProcAddress ->7C80AEDB->61F03D0C
    2008-08-27 07:56 Hook kernel32.dll:LoadLibraryW (584) blocked
    2008-08-27 07:56 IAT modification detected: GetModuleFileNameW - 009C0010<>7C80B465
    2008-08-27 07:56 Analysis: ntdll.dll, export table found in section .text
    2008-08-27 07:56 Analysis: user32.dll, export table found in section .text
    2008-08-27 07:56 Analysis: advapi32.dll, export table found in section .text
    2008-08-27 07:56 Analysis: ws2_32.dll, export table found in section .text
    2008-08-27 07:56 Analysis: wininet.dll, export table found in section .text
    2008-08-27 07:56 Analysis: rasapi32.dll, export table found in section .text
    2008-08-27 07:56 Analysis: urlmon.dll, export table found in section .text
    2008-08-27 07:56 Analysis: netapi32.dll, export table found in section .text
    2008-08-27 07:57 >> Danger ! Process masking detected
    2008-08-27 07:57 >>>> Suspicion for process masking 488 f:\arquivos de programas\windows live\messenger\msnmsgr.exe
    2008-08-27 07:57 >>>> Suspicion for process masking 1644 f:\arquiv~1\nero\neroph~1\data\xtras\mssysmgr.exe
    2008-08-27 07:57 1.2 Searching for kernel-mode API hooks
    2008-08-27 07:57 Driver loaded successfully
    2008-08-27 07:57 SDT found (RVA=083220)
    2008-08-27 07:57 Kernel ntoskrnl.exe found in memory at address 804D7000
    2008-08-27 07:57 SDT = 8055A220
    2008-08-27 07:57 KiST = 804E26A8 (284)
    2008-08-27 07:57 Function NtClose (19) intercepted (805678DD->F224D618), hook F:\WINDOWS\System32\Drivers\aswSP.SYS
    2008-08-27 07:57 >>> Function restored successfully !
    2008-08-27 07:57 >>> Hook code blocked
    2008-08-27 07:57 Function NtConnectPort (1F) intercepted (805879EB->F239A040), hook F:\WINDOWS\System32\vsdatant.sys
    2008-08-27 07:57 >>> Function restored successfully !
    2008-08-27 07:57 >>> Hook code blocked
    2008-08-27 07:58 Function NtCreateFile (25) intercepted (8056CDC0->F2396930), hook F:\WINDOWS\System32\vsdatant.sys
    2008-08-27 07:58 >>> Function restored successfully !
    2008-08-27 07:58 >>> Hook code blocked
    2008-08-27 07:58 Function NtCreateKey (29) intercepted (8057065D->F224D4D4), hook F:\WINDOWS\System32\Drivers\aswSP.SYS
    2008-08-27 07:58 >>> Function restored successfully !
    2008-08-27 07:58 >>> Hook code blocked
    2008-08-27 07:58 Function NtCreatePort (2E) intercepted (805975B1->F239A510), hook F:\WINDOWS\System32\vsdatant.sys
    2008-08-27 07:58 >>> Function restored successfully !
    2008-08-27 07:58 >>> Hook code blocked
    2008-08-27 07:58 Function NtCreateProcess (2F) intercepted (805B135A->F23A0870), hook F:\WINDOWS\System32\vsdatant.sys
    2008-08-27 07:58 >>> Function restored successfully !
    2008-08-27 07:58 >>> Hook code blocked
    2008-08-27 07:58 Function NtCreateProcessEx (30) intercepted (8057FC60->F23A0AA0), hook F:\WINDOWS\System32\vsdatant.sys
    2008-08-27 07:58 >>> Function restored successfully !
    2008-08-27 07:58 >>> Hook code blocked
    2008-08-27 07:58 Function NtCreateSection (32) intercepted (805652B3->ED267700), hook F:\WINDOWS\system32\drivers\mbam.sys
    2008-08-27 07:58 >>> Function restored successfully !
    2008-08-27 07:58 >>> Hook code blocked
    2008-08-27 07:58 Function NtCreateWaitablePort (38) intercepted (805DB124->F239A600), hook F:\WINDOWS\System32\vsdatant.sys
    2008-08-27 07:58 >>> Function restored successfully !
    2008-08-27 07:58 >>> Hook code blocked
    2008-08-27 07:58 Function NtDeleteFile (3E) intercepted (805D800B->F2396F20), hook F:\WINDOWS\System32\vsdatant.sys
    2008-08-27 07:58 >>> Function restored successfully !
    2008-08-27 07:58 >>> Hook code blocked
    2008-08-27 07:58 Function NtDeleteKey (3F) intercepted (805952BE->F23A26E0), hook F:\WINDOWS\System32\vsdatant.sys
    2008-08-27 07:58 >>> Function restored successfully !
    2008-08-27 07:58 >>> Hook code blocked
    2008-08-27 07:58 Function NtDeleteValueKey (41) intercepted (80592D50->F224D9B2), hook F:\WINDOWS\System32\Drivers\aswSP.SYS
    2008-08-27 07:58 >>> Function restored successfully !
    2008-08-27 07:58 >>> Hook code blocked
    2008-08-27 07:58 Function NtDuplicateObject (44) intercepted (805715E0->F23A0580), hook F:\WINDOWS\System32\vsdatant.sys
    2008-08-27 07:58 >>> Function restored successfully !
    2008-08-27 07:58 >>> Hook code blocked
    2008-08-27 07:58 Function NtLoadDriver (61) intercepted (805A3AF1->F23943F0), hook F:\WINDOWS\System32\vsdatant.sys
    2008-08-27 07:58 >>> Function restored successfully !
    2008-08-27 07:58 >>> Hook code blocked
    2008-08-27 07:58 Function NtLoadKey (62) intercepted (805AED5D->F23A28B0), hook F:\WINDOWS\System32\vsdatant.sys
    2008-08-27 07:58 >>> Function restored successfully !
    2008-08-27 07:58 >>> Hook code blocked
    2008-08-27 07:58 Function NtMapViewOfSection (6C) intercepted (80573B61->F23A4270), hook F:\WINDOWS\System32\vsdatant.sys
    2008-08-27 07:58 >>> Function restored successfully !
    2008-08-27 07:58 >>> Hook code blocked
    2008-08-27 07:58 Function NtOpenFile (74) intercepted (8056CD5B->F2396D70), hook F:\WINDOWS\System32\vsdatant.sys
    2008-08-27 07:58 >>> Function restored successfully !
    2008-08-27 07:58 >>> Hook code blocked
    2008-08-27 07:58 Function NtOpenKey (77) intercepted (80568D59->F224D5AE), hook F:\WINDOWS\System32\Drivers\aswSP.SYS
    2008-08-27 07:58 >>> Function restored successfully !
    2008-08-27 07:58 >>> Hook code blocked
    2008-08-27 07:58 Function NtOpenProcess (7A) intercepted (805717C7->F23A0350), hook F:\WINDOWS\System32\vsdatant.sys
    2008-08-27 07:58 >>> Function restored successfully !
    2008-08-27 07:58 >>> Hook code blocked
    2008-08-27 07:58 Function NtOpenThread (80) intercepted (8058A1BD->F23A0150), hook F:\WINDOWS\System32\vsdatant.sys
    2008-08-27 07:58 >>> Function restored successfully !
    2008-08-27 07:58 >>> Hook code blocked
    2008-08-27 07:58 Function NtQueryValueKey (B1) intercepted (8056A1F1->F224D6CE), hook F:\WINDOWS\System32\Drivers\aswSP.SYS
    2008-08-27 07:58 >>> Function restored successfully !
    2008-08-27 07:58 >>> Hook code blocked
    2008-08-27 07:58 Function NtRenameKey (C0) intercepted (8064E79E->F23A3250), hook F:\WINDOWS\System32\vsdatant.sys
    2008-08-27 07:58 >>> Function restored successfully !
    2008-08-27 07:58 >>> Hook code blocked
    2008-08-27 07:58 Function NtReplaceKey (C1) intercepted (8064F0FA->F23A2CB0), hook F:\WINDOWS\System32\vsdatant.sys
    2008-08-27 07:58 >>> Function restored successfully !
    2008-08-27 07:58 >>> Hook code blocked
    2008-08-27 07:58 Function NtRequestWaitReplyPort (C8) intercepted (80576CE6->F2399C00), hook F:\WINDOWS\System32\vsdatant.sys
    2008-08-27 07:58 >>> Function restored successfully !
    2008-08-27 07:58 >>> Hook code blocked
    2008-08-27 07:58 Function NtRestoreKey (CC) intercepted (8064EC91->F224D68E), hook F:\WINDOWS\System32\Drivers\aswSP.SYS
    2008-08-27 07:58 >>> Function restored successfully !
    2008-08-27 07:58 >>> Hook code blocked
    2008-08-27 07:58 Function NtSecureConnectPort (D2) intercepted (8058F4DE->F239A220), hook F:\WINDOWS\System32\vsdatant.sys
    2008-08-27 07:58 >>> Function restored successfully !
    2008-08-27 07:58 >>> Hook code blocked
    2008-08-27 07:58 Function NtSetInformationFile (E0) intercepted (8057494A->F2397120), hook F:\WINDOWS\System32\vsdatant.sys
    2008-08-27 07:58 >>> Function restored successfully !
    2008-08-27 07:58 >>> Hook code blocked
    2008-08-27 07:58 Function NtSetSystemInformation (F0) intercepted (805A7BDD->F23941C0), hook F:\WINDOWS\System32\vsdatant.sys
    2008-08-27 07:58 >>> Function restored successfully !
    2008-08-27 07:58 >>> Hook code blocked
    2008-08-27 07:58 Function NtSetValueKey (F7) intercepted (80572889->F224D80E), hook F:\WINDOWS\System32\Drivers\aswSP.SYS
    2008-08-27 07:58 >>> Function restored successfully !
    2008-08-27 07:58 >>> Hook code blocked
    2008-08-27 07:58 Function NtTerminateProcess (101) intercepted (805822E0->F23A0CD0), hook F:\WINDOWS\System32\vsdatant.sys
    2008-08-27 07:58 >>> Function restored successfully !
    2008-08-27 07:58 >>> Hook code blocked
    2008-08-27 07:58 Function NtUnloadDriver (106) intercepted (80619BD6->F23945F0), hook F:\WINDOWS\System32\vsdatant.sys
    2008-08-27 07:58 >>> Function restored successfully !
    2008-08-27 07:58 >>> Hook code blocked
    2008-08-27 07:58 Functions checked: 284, intercepted: 31, restored: 31
    2008-08-27 07:58 1.3 Checking IDT and SYSENTER
    2008-08-27 07:58 Analysis for CPU 1
    2008-08-27 07:58 Checking IDT and SYSENTER - complete
    2008-08-27 07:58 1.4 Searching for masking processes and drivers
    2008-08-27 07:58 Checking not performed: extended monitoring driver (AVZPM) is not installed
    2008-08-27 07:58 Driver loaded successfully
    2008-08-27 07:58 1.5 Checking of IRP handlers
    2008-08-27 07:58 \driver\tcpip[IRP_MJ_CREATE] = F23ABC20 -> F:\WINDOWS\System32\vsdatant.sys
    2008-08-27 07:58 \driver\tcpip[IRP_MJ_CLOSE] = F23ABC20 -> F:\WINDOWS\System32\vsdatant.sys
    2008-08-27 07:58 \driver\tcpip[IRP_MJ_DEVICE_CONTROL] = F23ABC20 -> F:\WINDOWS\System32\vsdatant.sys
    2008-08-27 07:58 \driver\tcpip[IRP_MJ_INTERNAL_DEVICE_CONTROL] = F23ABC20 -> F:\WINDOWS\System32\vsdatant.sys
    2008-08-27 07:58 \driver\tcpip[IRP_MJ_CLEANUP] = F23ABC20 -> F:\WINDOWS\System32\vsdatant.sys
    2008-08-27 07:58 Checking - complete
    2008-08-27 07:59 F:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\MSVCP80.dll --> Suspicion for Keylogger or Trojan DLL
    2008-08-27 07:59 F:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\MSVCP80.dll>>> Behavioral analysis
    2008-08-27 07:59 Behaviour typical for keyloggers not detected
    2008-08-27 07:59 F:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\MSVCR80.dll --> Suspicion for Keylogger or Trojan DLL
    2008-08-27 07:59 F:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\MSVCR80.dll>>> Behavioral analysis
    2008-08-27 07:59 Behaviour typical for keyloggers not detected
    2008-08-27 07:59 Note: Do NOT delete suspicious files, send them for analysis (see FAQ for more details), because there are lots of useful hooking DLLs
    2008-08-27 07:59 >> Services: potentially dangerous service allowed: TermService (Serviços de terminal)
    2008-08-27 07:59 >> Services: potentially dangerous service allowed: Schedule (Agendador de tarefas)
    2008-08-27 07:59 >> Services: potentially dangerous service allowed: RDSessMgr (Gerenciador de sessão de ajuda de área de trabalho remota)
    2008-08-27 07:59 > Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
    2008-08-27 07:59 >> Security: disk drives' autorun is enabled
    2008-08-27 07:59 >> Security: administrative shares (C$, D$ ...) are enabled
    2008-08-27 07:59 >> Security: anonymous user access is enabled
    2008-08-27 07:59 >> Security: sending Remote Assistant queries is enabled
    2008-08-27 07:59 >> Abnormal SCR files association
    2008-08-27 07:59 >> Abnormal REG files association
    2008-08-27 07:59 >> Service termination timeout is out of admissible values
    2008-08-27 07:59 >> Disable HDD autorun
    2008-08-27 07:59 >> Disable autorun from network drives
    2008-08-27 07:59 >> Disable CD/DVD autorun
    2008-08-27 07:59 >> Disable removable media autorun
    2008-08-27 07:59 System Analysis in progress
    2008-08-27 08:03 System Analysis - complete
    2008-08-27 08:03 Delete file:F:\Documents and Settings\All Users\Desktop\Kaspersky Lab Tool\is-128IM\LOG\avptool_syscheck.htm
    2008-08-27 08:03 Delete file:F:\Documents and Settings\All Users\Desktop\Kaspersky Lab Tool\is-128IM\LOG\avptool_syscheck.xml
    2008-08-27 08:03 Deleting service/driver: utizmtu5
    2008-08-27 08:03 Delete file:F:\WINDOWS\system32\Drivers\utizmtu5.sys
    2008-08-27 08:03 Deleting service/driver: ujizmtu5
    2008-08-27 08:03 Script executed without errors

  2. #2
    Senior Member Reputation Avatar for RiC
    Registered
    22.04.2005
    Posts
    1,988
    Reputation weight
    544
    It is only part of the log; look for the full log file in the avptool_syscheck.zip archive, it looks like this example (http://virusinfo.info/showpost.php?p=274559&postcount=1)

  3. #3
    Junior Member Reputation
    Registered
    27.08.2008
    Posts
    2
    Reputation weight
    31
    Thanks RiC, I'll go see this link.

  4. #4
    Junior Member Reputation
    Registered
    09.05.2009
    Posts
    18
    Reputation weight
    28
    Post your log in http://virusinfo.info/forumdisplay.php?f=84 for help. Thanks
