
3eshooooooo :D

  1. #1 Junior Member, registered 07.12.2008, posts: 1, reputation weight: 30


    07/12/2008 09:28:15 г Windows version: Microsoft Windows XP, Build=2600, SP="Service Pack 2"
    07/12/2008 09:28:15 г System Restore: Disabled
    07/12/2008 09:28:15 г >> Danger ! Process masking detected
    07/12/2008 09:28:15 г >>>> Process masking detected 436 MPK.exe
    07/12/2008 09:28:16 г 1.1 Searching for user-mode API hooks
    07/12/2008 09:28:17 г Analysis: kernel32.dll, export table found in section .text
    07/12/2008 09:28:17 г Function kernel32.dll:CreateProcessA (99) intercepted, method ProcAddressHijack.GetProcAddress ->7C802367->61F03F42
    07/12/2008 09:28:17 г Hook kernel32.dll:CreateProcessA (99) blocked
    07/12/2008 09:28:17 г Function kernel32.dll:CreateProcessW (103) intercepted, method ProcAddressHijack.GetProcAddress ->7C802332->61F04040
    07/12/2008 09:28:17 г Hook kernel32.dll:CreateProcessW (103) blocked
    07/12/2008 09:28:17 г Function kernel32.dll:FreeLibrary (241) intercepted, method ProcAddressHijack.GetProcAddress ->7C80ABDE->61F041FC
    07/12/2008 09:28:17 г Hook kernel32.dll:FreeLibrary (241) blocked
    07/12/2008 09:28:17 г Function kernel32.dll:GetModuleFileNameA (372) intercepted, method ProcAddressHijack.GetProcAddress ->7C80B4CF->61F040FB
    07/12/2008 09:28:17 г Hook kernel32.dll:GetModuleFileNameA (372) blocked
    07/12/2008 09:28:17 г Function kernel32.dll:GetModuleFileNameW (373) intercepted, method ProcAddressHijack.GetProcAddress ->7C80B3D5->61F041A0
    07/12/2008 09:28:17 г Hook kernel32.dll:GetModuleFileNameW (373) blocked
    07/12/2008 09:28:17 г Function kernel32.dll:GetProcAddress (408) intercepted, method ProcAddressHijack.GetProcAddress ->7C80ADA0->61F04648
    07/12/2008 09:28:17 г Hook kernel32.dll:GetProcAddress (408) blocked
    07/12/2008 09:28:17 г Function kernel32.dll:LoadLibraryA (578) intercepted, method ProcAddressHijack.GetProcAddress ->7C801D77->61F03C6F
    07/12/2008 09:28:17 г Hook kernel32.dll:LoadLibraryA (578) blocked
    07/12/2008 09:28:17 г >>> Functions LoadLibraryA - preventing AVZ process from being intercepted by address replacement !!)
    07/12/2008 09:28:17 г Function kernel32.dll:LoadLibraryExA (579) intercepted, method ProcAddressHijack.GetProcAddress ->7C801D4F->61F03DAF
    07/12/2008 09:28:17 г Hook kernel32.dll:LoadLibraryExA (579) blocked
    07/12/2008 09:28:17 г >>> Functions LoadLibraryExA - preventing AVZ process from being intercepted by address replacement !!)
    07/12/2008 09:28:17 г Function kernel32.dll:LoadLibraryExW (580) intercepted, method ProcAddressHijack.GetProcAddress ->7C801AF1->61F03E5A
    07/12/2008 09:28:17 г Hook kernel32.dll:LoadLibraryExW (580) blocked
    07/12/2008 09:28:17 г Function kernel32.dll:LoadLibraryW (581) intercepted, method ProcAddressHijack.GetProcAddress ->7C80AE4B->61F03D0C
    07/12/2008 09:28:17 г Hook kernel32.dll:LoadLibraryW (581) blocked
    07/12/2008 09:28:17 г IAT modification detected: LoadLibraryW - 01160010<>7C80AE4B
    07/12/2008 09:28:17 г Analysis: ntdll.dll, export table found in section .text
    07/12/2008 09:28:17 г Function ntdll.dll:NtQuerySystemInformation (263) intercepted, method APICodeHijack.JmpTo[00EE0002]
    07/12/2008 09:28:17 г >>> Rootkit code in function NtQuerySystemInformation blocked
    07/12/2008 09:28:17 г Analysis: user32.dll, export table found in section .text
    07/12/2008 09:28:17 г Analysis: advapi32.dll, export table found in section .text
    07/12/2008 09:28:17 г Analysis: ws2_32.dll, export table found in section .text
    07/12/2008 09:28:17 г Analysis: wininet.dll, export table found in section .text
    07/12/2008 09:28:17 г Analysis: rasapi32.dll, export table found in section .text
    07/12/2008 09:28:17 г Analysis: urlmon.dll, export table found in section .text
    07/12/2008 09:28:17 г Analysis: netapi32.dll, export table found in section .text
    07/12/2008 09:28:18 г >> Danger ! Process masking detected
    07/12/2008 09:28:32 г >>>> Suspicion for process masking 436 c:\windows\system32\mpk\mpk.exe
    07/12/2008 09:28:32 г 1.2 Searching for kernel-mode API hooks
    07/12/2008 09:28:32 г Driver loaded successfully
    07/12/2008 09:28:32 г SDT found (RVA=0846E0)
    07/12/2008 09:28:32 г Kernel ntkrnlpa.exe found in memory at address 804D7000
    07/12/2008 09:28:32 г SDT = 8055B6E0
    07/12/2008 09:28:32 г KiST = 80503960 (284)
    07/12/2008 09:28:32 г Function NtCreateKey (29) intercepted (80622110->F73BF0B0), hook C:\WINDOWS\system32\Drivers\sptd.sys
    07/12/2008 09:28:32 г >>> Function restored successfully !
    07/12/2008 09:28:32 г >>> Hook code blocked
    07/12/2008 09:28:32 г Function NtEnumerateKey (47) intercepted (80622950->F73C3D1C), hook C:\WINDOWS\system32\Drivers\sptd.sys
    07/12/2008 09:28:32 г >>> Function restored successfully !
    07/12/2008 09:28:32 г >>> Hook code blocked
    07/12/2008 09:28:32 г Function NtEnumerateValueKey (49) intercepted (80622BBA->F73C40BC), hook C:\WINDOWS\system32\Drivers\sptd.sys
    07/12/2008 09:28:32 г >>> Function restored successfully !
    07/12/2008 09:28:32 г >>> Hook code blocked
    07/12/2008 09:28:32 г Function NtOpenKey (77) intercepted (806234A6->F73BF090), hook C:\WINDOWS\system32\Drivers\sptd.sys
    07/12/2008 09:28:32 г >>> Function restored successfully !
    07/12/2008 09:28:32 г >>> Hook code blocked
    07/12/2008 09:28:32 г Function NtQueryKey (A0) intercepted (806237CA->F73C4194), hook C:\WINDOWS\system32\Drivers\sptd.sys
    07/12/2008 09:28:32 г >>> Function restored successfully !
    07/12/2008 09:28:32 г >>> Hook code blocked
    07/12/2008 09:28:32 г Function NtQueryValueKey (B1) intercepted (806201CA->F73C4014), hook C:\WINDOWS\system32\Drivers\sptd.sys
    07/12/2008 09:28:32 г >>> Function restored successfully !
    07/12/2008 09:28:32 г >>> Hook code blocked
    07/12/2008 09:28:32 г Function NtSetValueKey (F7) intercepted (806207D0->F73C4226), hook C:\WINDOWS\system32\Drivers\sptd.sys
    07/12/2008 09:28:32 г >>> Function restored successfully !
    07/12/2008 09:28:32 г >>> Hook code blocked
    07/12/2008 09:28:33 г Functions checked: 284, intercepted: 7, restored: 7
    07/12/2008 09:28:33 г 1.3 Checking IDT and SYSENTER
    07/12/2008 09:28:33 г Analysis for CPU 1
    07/12/2008 09:28:34 г >>> Danger - possible CPU address substitution[1].IDT[06] = [F65B316D] C:\WINDOWS\system32\drivers\Haspnt.sys, driver recognized as trusted
    07/12/2008 09:28:34 г >>> Danger - possible CPU address substitution[1].IDT[0E] = [F65B2FC2] C:\WINDOWS\system32\drivers\Haspnt.sys, driver recognized as trusted
    07/12/2008 09:28:34 г Analysis for CPU 2
    07/12/2008 09:28:34 г >>> Danger - possible CPU address substitution[2].IDT[06] = [F65B316D] C:\WINDOWS\system32\drivers\Haspnt.sys, driver recognized as trusted
    07/12/2008 09:28:34 г >>> Danger - possible CPU address substitution[2].IDT[0E] = [F65B2FC2] C:\WINDOWS\system32\drivers\Haspnt.sys, driver recognized as trusted
    07/12/2008 09:28:34 г Checking IDT and SYSENTER - complete
    07/12/2008 09:28:35 г 1.4 Searching for masking processes and drivers
    07/12/2008 09:28:35 г Checking not performed: extended monitoring driver (AVZPM) is not installed
    07/12/2008 09:28:35 г Driver loaded successfully
    07/12/2008 09:28:35 г 1.5 Checking of IRP handlers
    07/12/2008 09:28:35 г \FileSystem\ntfs[IRP_MJ_CREATE] = 865761D8 -> hook not defined
    07/12/2008 09:28:35 г \FileSystem\ntfs[IRP_MJ_CLOSE] = 865761D8 -> hook not defined
    07/12/2008 09:28:35 г \FileSystem\ntfs[IRP_MJ_WRITE] = 865761D8 -> hook not defined
    07/12/2008 09:28:35 г \FileSystem\ntfs[IRP_MJ_QUERY_INFORMATION] = 865761D8 -> hook not defined
    07/12/2008 09:28:35 г \FileSystem\ntfs[IRP_MJ_SET_INFORMATION] = 865761D8 -> hook not defined
    07/12/2008 09:28:35 г \FileSystem\ntfs[IRP_MJ_QUERY_EA] = 865761D8 -> hook not defined
    07/12/2008 09:28:35 г \FileSystem\ntfs[IRP_MJ_SET_EA] = 865761D8 -> hook not defined
    07/12/2008 09:28:35 г \FileSystem\ntfs[IRP_MJ_QUERY_VOLUME_INFORMATION] = 865761D8 -> hook not defined
    07/12/2008 09:28:35 г \FileSystem\ntfs[IRP_MJ_SET_VOLUME_INFORMATION] = 865761D8 -> hook not defined
    07/12/2008 09:28:35 г \FileSystem\ntfs[IRP_MJ_DIRECTORY_CONTROL] = 865761D8 -> hook not defined
    07/12/2008 09:28:35 г \FileSystem\ntfs[IRP_MJ_FILE_SYSTEM_CONTROL] = 865761D8 -> hook not defined
    07/12/2008 09:28:35 г \FileSystem\ntfs[IRP_MJ_DEVICE_CONTROL] = 865761D8 -> hook not defined
    07/12/2008 09:28:35 г \FileSystem\ntfs[IRP_MJ_LOCK_CONTROL] = 865761D8 -> hook not defined
    07/12/2008 09:28:35 г \FileSystem\ntfs[IRP_MJ_QUERY_SECURITY] = 865761D8 -> hook not defined
    07/12/2008 09:28:35 г \FileSystem\ntfs[IRP_MJ_SET_SECURITY] = 865761D8 -> hook not defined
    07/12/2008 09:28:35 г \FileSystem\ntfs[IRP_MJ_PNP] = 865761D8 -> hook not defined
    07/12/2008 09:28:35 г \FileSystem\FastFat[IRP_MJ_CREATE] = 85DA4990 -> hook not defined
    07/12/2008 09:28:35 г \FileSystem\FastFat[IRP_MJ_CLOSE] = 85DA4990 -> hook not defined
    07/12/2008 09:28:35 г \FileSystem\FastFat[IRP_MJ_WRITE] = 85DA4990 -> hook not defined
    07/12/2008 09:28:35 г \FileSystem\FastFat[IRP_MJ_QUERY_INFORMATION] = 85DA4990 -> hook not defined
    07/12/2008 09:28:35 г \FileSystem\FastFat[IRP_MJ_SET_INFORMATION] = 85DA4990 -> hook not defined
    07/12/2008 09:28:35 г \FileSystem\FastFat[IRP_MJ_QUERY_EA] = 85DA4990 -> hook not defined
    07/12/2008 09:28:35 г \FileSystem\FastFat[IRP_MJ_SET_EA] = 85DA4990 -> hook not defined
    07/12/2008 09:28:35 г \FileSystem\FastFat[IRP_MJ_QUERY_VOLUME_INFORMATION] = 85DA4990 -> hook not defined
    07/12/2008 09:28:35 г \FileSystem\FastFat[IRP_MJ_SET_VOLUME_INFORMATION] = 85DA4990 -> hook not defined
    07/12/2008 09:28:35 г \FileSystem\FastFat[IRP_MJ_DIRECTORY_CONTROL] = 85DA4990 -> hook not defined
    07/12/2008 09:28:35 г \FileSystem\FastFat[IRP_MJ_FILE_SYSTEM_CONTROL] = 85DA4990 -> hook not defined
    07/12/2008 09:28:35 г \FileSystem\FastFat[IRP_MJ_DEVICE_CONTROL] = 85DA4990 -> hook not defined
    07/12/2008 09:28:35 г \FileSystem\FastFat[IRP_MJ_LOCK_CONTROL] = 85DA4990 -> hook not defined
    07/12/2008 09:28:35 г \FileSystem\FastFat[IRP_MJ_PNP] = 85DA4990 -> hook not defined
    07/12/2008 09:28:35 г Checking - complete
    07/12/2008 09:28:36 г C:\WINDOWS\system32\MPK\MPK.dll --> Suspicion for Keylogger or Trojan DLL
    07/12/2008 09:28:36 г C:\WINDOWS\system32\MPK\MPK.dll>>> Behavioral analysis
    07/12/2008 09:28:36 г 1. Reacts to events: keyboard
    07/12/2008 09:28:36 г 2. Sends data to process: 436 C:\WINDOWS\system32\MPK\MPK.exe (window = "101")
    07/12/2008 09:28:36 г 3. Sends data to process: 436 C:\WINDOWS\system32\MPK\MPK.exe (window = "106")
    07/12/2008 09:28:36 г C:\WINDOWS\system32\MPK\MPK.dll>>> Neural net: file with probability 0.00% like a typical keyboard/mouse events interceptor
    07/12/2008 09:28:41 г Note: Do NOT delete suspicious files, send them for analysis (see FAQ for more details), because there are lots of useful hooking DLLs
    07/12/2008 09:29:01 г Latent loading of libraries through AppInit_DLLs suspected: "wbsys.dll"
    07/12/2008 09:29:02 г >> Services: potentially dangerous service allowed: RemoteRegistry (Remote Registry)
    07/12/2008 09:29:02 г >> Services: potentially dangerous service allowed: TermService (Terminal Services)
    07/12/2008 09:29:02 г >> Services: potentially dangerous service allowed: SSDPSRV (SSDP Discovery Service)
    07/12/2008 09:29:02 г >> Services: potentially dangerous service allowed: Schedule (Task Scheduler)
    07/12/2008 09:29:02 г >> Services: potentially dangerous service allowed: mnmsrvc (NetMeeting Remote Desktop Sharing)
    07/12/2008 09:29:02 г >> Services: potentially dangerous service allowed: RDSessMgr (Remote Desktop Help Session Manager)
    07/12/2008 09:29:02 г > Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
    07/12/2008 09:29:02 г >> Security: disk drives' autorun is enabled
    07/12/2008 09:29:02 г >> Security: administrative shares (C$, D$ ...) are enabled
    07/12/2008 09:29:02 г >> Security: anonymous user access is enabled
    07/12/2008 09:29:03 г >> Security: sending Remote Assistant queries is enabled
    07/12/2008 09:29:04 г >> Abnormal SCR files association
    07/12/2008 09:29:10 г >> Service termination timeout is out of admissible values
    07/12/2008 09:29:10 г >> Disable HDD autorun
    07/12/2008 09:29:10 г >> Disable autorun from network drives
    07/12/2008 09:29:11 г >> Disable CD/DVD autorun
    07/12/2008 09:29:11 г >> Disable removable media autorun
    07/12/2008 09:29:11 г System Analysis in progress
    07/12/2008 09:30:26 г System Analysis - complete
    07/12/2008 09:30:26 г Delete file:C:\Documents and Settings\s\Desktop\Virus Removal Tool\is-8LPGP\LOG\avptool_syscheck.htm
    07/12/2008 09:30:26 г Delete file:C:\Documents and Settings\s\Desktop\Virus Removal Tool\is-8LPGP\LOG\avptool_syscheck.xml
    07/12/2008 09:30:26 г Deleting service/driver: utm3mtq4
    07/12/2008 09:30:26 г Delete file:C:\WINDOWS\system32\Drivers\utm3mtq4.sys
    07/12/2008 09:30:26 г Deleting service/driver: ujm3mtq4
    07/12/2008 09:30:26 г Script executed without errors
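
The log above is raw AVZ output, and the triage an analyst does on it (which process is masked, which user-mode hooks point into the same injected module, which driver owns the SDT hooks, which DLL behaves like a keylogger) can be scripted. The parser below is an added example and is not code from the post or from AVZ. SAMPLE_LOG is a constructed subset of lines copied from the posted log; the regular expressions are written against the wording of exactly those lines and may need adjusting for other AVZ versions or locales.

```python
"""Triage an AVZ anti-rootkit log: extract hook, masking and keylogger
findings and group them the way an analyst reads them.

Added example, not code from the forum post or from AVZ. SAMPLE_LOG is a
constructed subset of lines copied verbatim from the log posted above."""
import re
from collections import defaultdict

# AVZ prefixes a timestamp; the "г" is the Russian-locale date suffix seen in the posted log.
PREFIX = re.compile(r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}(?: г)? ")
USER_HOOK = re.compile(r"Function (\S+) \((\w+)\) intercepted, method (\S+?)"
                       r"(?: ->([0-9A-F]+)->([0-9A-F]+)|\[([0-9A-F]+)\])")
KERNEL_HOOK = re.compile(r"Function (\w+) \(([0-9A-F]+)\) intercepted "
                         r"\(([0-9A-F]+)->([0-9A-F]+)\), hook (.+)$")
IAT_MOD = re.compile(r"IAT modification detected: (\w+) - ([0-9A-F]+)<>([0-9A-F]+)")
IDT_SUB = re.compile(r"possible CPU address substitution\[(\d+)\]\.IDT\[([0-9A-F]+)\]"
                     r" = \[([0-9A-F]+)\] ([^,\s]+)")
MASKING = re.compile(r">>>> (?:Process masking detected|Suspicion for process masking) (\d+) (\S+)")
KEYLOG = re.compile(r"^(\S+) --> Suspicion for Keylogger or Trojan DLL$")
BEHAVIOUR = re.compile(r"^\d+\. ((?:Reacts to events|Sends data to process): .+)$")
NEURAL = re.compile(r"^(\S+)>>> Neural net: file with probability ([\d.]+)%")
APPINIT = re.compile(r'AppInit_DLLs suspected: "(.+)"$')
SERVICE = re.compile(r">> Services: potentially dangerous service allowed: (\w+) ")

SAMPLE_LOG = r"""07/12/2008 09:28:15 г >>>> Process masking detected 436 MPK.exe
07/12/2008 09:28:17 г Function kernel32.dll:CreateProcessA (99) intercepted, method ProcAddressHijack.GetProcAddress ->7C802367->61F03F42
07/12/2008 09:28:17 г Function kernel32.dll:GetModuleFileNameA (372) intercepted, method ProcAddressHijack.GetProcAddress ->7C80B4CF->61F040FB
07/12/2008 09:28:17 г IAT modification detected: LoadLibraryW - 01160010<>7C80AE4B
07/12/2008 09:28:17 г Function ntdll.dll:NtQuerySystemInformation (263) intercepted, method APICodeHijack.JmpTo[00EE0002]
07/12/2008 09:28:32 г Function NtCreateKey (29) intercepted (80622110->F73BF0B0), hook C:\WINDOWS\system32\Drivers\sptd.sys
07/12/2008 09:28:32 г Function NtOpenKey (77) intercepted (806234A6->F73BF090), hook C:\WINDOWS\system32\Drivers\sptd.sys
07/12/2008 09:28:34 г >>> Danger - possible CPU address substitution[1].IDT[06] = [F65B316D] C:\WINDOWS\system32\drivers\Haspnt.sys, driver recognized as trusted
07/12/2008 09:28:36 г C:\WINDOWS\system32\MPK\MPK.dll --> Suspicion for Keylogger or Trojan DLL
07/12/2008 09:28:36 г 1. Reacts to events: keyboard
07/12/2008 09:28:36 г 2. Sends data to process: 436 C:\WINDOWS\system32\MPK\MPK.exe (window = "101")
07/12/2008 09:28:36 г C:\WINDOWS\system32\MPK\MPK.dll>>> Neural net: file with probability 0.00% like a typical keyboard/mouse events interceptor
07/12/2008 09:29:01 г Latent loading of libraries through AppInit_DLLs suspected: "wbsys.dll"
07/12/2008 09:29:02 г >> Services: potentially dangerous service allowed: RemoteRegistry (Remote Registry)
"""


def parse(log_text):
    """Return findings keyed by category; a keylogger entry keeps its
    behavioural-analysis block and neural-net score together."""
    f = {"user_hooks": [], "kernel_hooks": [], "iat_mods": [], "idt": [],
         "masked": [], "keyloggers": {}, "appinit": [], "services": []}
    current = None  # DLL whose behavioural-analysis block we are inside
    for raw in log_text.splitlines():
        line = PREFIX.sub("", raw, count=1)
        if m := USER_HOOK.match(line):
            func, ordinal, method, src, dst, jmp = m.groups()
            f["user_hooks"].append((func, ordinal, method, src, dst or jmp))
        elif m := KERNEL_HOOK.match(line):
            func, idx, src, dst, driver = m.groups()
            f["kernel_hooks"].append((func, int(idx, 16), src, dst, driver))
        elif m := IAT_MOD.match(line):
            f["iat_mods"].append(m.groups())
        elif m := IDT_SUB.search(line):
            f["idt"].append((int(m[1]), int(m[2], 16), m[3], m[4],
                             line.endswith("driver recognized as trusted")))
        elif m := MASKING.match(line):
            f["masked"].append((int(m[1]), m[2]))
        elif m := KEYLOG.match(line):
            current = m[1]
            f["keyloggers"][current] = {"behaviours": [], "nn_score": None}
        elif current and (m := BEHAVIOUR.match(line)):
            f["keyloggers"][current]["behaviours"].append(m[1])
        elif m := NEURAL.match(line):
            f["keyloggers"].setdefault(m[1], {"behaviours": []})["nn_score"] = float(m[2])
            current = None
        elif m := APPINIT.search(line):
            f["appinit"].append(m[1])
        elif m := SERVICE.match(line):
            f["services"].append(m[1])
    return f


def summarize(f):
    """Collapse raw findings into the first questions an analyst asks:
    how many distinct hookers are there, and who installed them?"""
    by_method, by_driver = defaultdict(set), defaultdict(list)
    for _, _, method, _, dst in f["user_hooks"]:
        # Targets in one 64 KiB region are consistent with a single injected
        # module; a target in a different region needs its own lookup.
        by_method[method].add(f"{(int(dst, 16) >> 16):04X}0000")
    for func, _, _, _, driver in f["kernel_hooks"]:
        by_driver[driver].append(func)
    return {
        "hook_targets_by_method": {k: sorted(v) for k, v in by_method.items()},
        "kernel_hooks_by_driver": dict(by_driver),
        "untrusted_idt": [(c, v, d) for c, v, _, d, ok in f["idt"] if not ok],
        "masked_pids": sorted({pid for pid, _ in f["masked"]}),
        # Behaviour decides: the 0.00% neural-net score alone would wrongly
        # dismiss a DLL that hooks the keyboard and reports to MPK.exe.
        "keylogger_candidates": [d for d, k in f["keyloggers"].items() if any(
            b.startswith("Reacts to events") for b in k["behaviours"])],
        "appinit_dlls": f["appinit"], "risky_services": f["services"]}
```

`summarize(parse(SAMPLE_LOG))` puts every ProcAddressHijack target in the single 61F0xxxx region (one injected module), the inline JmpTo target in a separate 00EExxxx region, both SDT hooks under the one driver path sptd.sys (run over the full log, all seven registry-related Nt* hooks land there), the IDT entries as trusted, PID 436 as masked, and MPK.dll as a keylogger candidate on behavioural grounds despite its 0.00% neural-net score. The log's own note still applies: a hooking DLL is not automatically malicious, so the file goes for analysis rather than straight to deletion.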

  2. #2
