AVZ Antiviral Toolkit log; AVZ version is 4.30
Scanning started at 04.07.2009 20:46:30
Database loaded: signatures - 230146, NN profile(s) - 2, microprograms of healing - 56, signature database released 03.07.2009 23:05
Heuristic microprograms loaded: 372
SPV microprograms loaded: 9
Digital signatures of system files loaded: 124856
Heuristic analyzer mode: Medium heuristics level
Healing mode: disabled
Windows version: 5.1.2600, Service Pack 2 ; AVZ is launched with administrator rights
System Restore: Disabled
1. Searching for Rootkits and programs intercepting API functions
1.1 Searching for user-mode API hooks
Analysis: kernel32.dll, export table found in section .text
Function kernel32.dll:CreateProcessA (99) intercepted, method APICodeHijack.JmpTo[1004C66A]
Function kernel32.dll:CreateProcessW (103) intercepted, method APICodeHijack.JmpTo[1004C642]
Function kernel32.dll:CreateRemoteThread (104) intercepted, method APICodeHijack.JmpTo[1004C966]
Function kernel32.dll:DebugActiveProcess (117) intercepted, method APICodeHijack.JmpTo[1004C93E]
Function kernel32.dll:WinExec (897) intercepted, method APICodeHijack.JmpTo[1004C61A]
Analysis: ntdll.dll, export table found in section .text
Function ntdll.dll:LdrLoadDll (70) intercepted, method APICodeHijack.JmpTo[1004C916]
Function ntdll.dll:LdrUnloadDll (80) intercepted, method APICodeHijack.JmpTo[1004C8EE]
Function ntdll.dll:NtCreateThread (140) intercepted, method APICodeHijack.JmpTo[1004C70A]
Function ntdll.dll:NtResumeProcess (296) intercepted, method APICodeHijack.JmpTo[1004C7D2]
Function ntdll.dll:NtResumeThread (297) intercepted, method APICodeHijack.JmpTo[1004C7AA]
Function ntdll.dll:NtSetContextThread (304) intercepted, method APICodeHijack.JmpTo[1004C732]
Function ntdll.dll:NtSetValueKey (338) intercepted, method APICodeHijack.JmpTo[1004C8C6]
Function ntdll.dll:NtSuspendProcess (344) intercepted, method APICodeHijack.JmpTo[1004C822]
Function ntdll.dll:NtSuspendThread (345) intercepted, method APICodeHijack.JmpTo[1004C7FA]
Function ntdll.dll:NtTerminateProcess (348) intercepted, method APICodeHijack.JmpTo[1004C872]
Function ntdll.dll:NtWriteVirtualMemory (369) intercepted, method APICodeHijack.JmpTo[1004C89E]
Function ntdll.dll:ZwCreateThread (951) intercepted, method APICodeHijack.JmpTo[1004C70A]
Function ntdll.dll:ZwResumeProcess (1106) intercepted, method APICodeHijack.JmpTo[1004C7D2]
Function ntdll.dll:ZwResumeThread (1107) intercepted, method APICodeHijack.JmpTo[1004C7AA]
Function ntdll.dll:ZwSetContextThread (1114) intercepted, method APICodeHijack.JmpTo[1004C732]
Function ntdll.dll:ZwSetValueKey (1148) intercepted, method APICodeHijack.JmpTo[1004C8C6]
Function ntdll.dll:ZwSuspendProcess (1154) intercepted, method APICodeHijack.JmpTo[1004C822]
Function ntdll.dll:ZwSuspendThread (1155) intercepted, method APICodeHijack.JmpTo[1004C7FA]
Function ntdll.dll:ZwTerminateProcess (1158) intercepted, method APICodeHijack.JmpTo[1004C872]
Function ntdll.dll:ZwWriteVirtualMemory (1179) intercepted, method APICodeHijack.JmpTo[1004C89E]
Analysis: user32.dll, export table found in section .text
Function user32.dll:CallNextHookEx (27) intercepted, method APICodeHijack.JmpTo[1004CD26]
Function user32.dll:ChangeDisplaySettingsExA (34) intercepted, method APICodeHijack.JmpTo[1004C52A]
Function user32.dll:ChangeDisplaySettingsExW (35) intercepted, method APICodeHijack.JmpTo[1004C502]
Function user32.dll:DdeConnect (108) intercepted, method APICodeHijack.JmpTo[1004CCFE]
Function user32.dll:DdeConnectList (109) intercepted, method APICodeHijack.JmpTo[1004CCD6]
Function user32.dll:DdeInitializeA (122) intercepted, method APICodeHijack.JmpTo[1004CCAE]
Function user32.dll:DdeInitializeW (123) intercepted, method APICodeHijack.JmpTo[1004CC86]
Function user32.dll:EndTask (202) intercepted, method APICodeHijack.JmpTo[1004C9B6]
Function user32.dll:ExitWindowsEx (226) intercepted, method APICodeHijack.JmpTo[1004CA56]
Function user32.dll:FindWindowExA (229) intercepted, method APICodeHijack.JmpTo[1004CACE]
Function user32.dll:FindWindowExW (230) intercepted, method APICodeHijack.JmpTo[1004CAA6]
Function user32.dll:PostMessageA (512) intercepted, method APICodeHijack.JmpTo[1004CBBE]
Function user32.dll:PostMessageW (513) intercepted, method APICodeHijack.JmpTo[1004CB96]
Function user32.dll:SendInput (571) intercepted, method APICodeHijack.JmpTo[1004CA7E]
Function user32.dll:SendMessageA (572) intercepted, method APICodeHijack.JmpTo[1004CC5E]
Function user32.dll:SendMessageCallbackA (573) intercepted, method APICodeHijack.JmpTo[1004CB1E]
Function user32.dll:SendMessageCallbackW (574) intercepted, method APICodeHijack.JmpTo[1004CAF6]
Function user32.dll:SendMessageTimeoutA (575) intercepted, method APICodeHijack.JmpTo[1004CB6E]
Function user32.dll:SendMessageTimeoutW (576) intercepted, method APICodeHijack.JmpTo[1004CB46]
Function user32.dll:SendMessageW (577) intercepted, method APICodeHijack.JmpTo[1004CC36]
Function user32.dll:SendNotifyMessageA (578) intercepted, method APICodeHijack.JmpTo[1004CC0E]
Function user32.dll:SendNotifyMessageW (579) intercepted, method APICodeHijack.JmpTo[1004CBE6]
Function user32.dll:SetForegroundWindow (600) intercepted, method APICodeHijack.JmpTo[1004CA2E]
Function user32.dll:SetWinEventHook (639) intercepted, method APICodeHijack.JmpTo[1004C98E]
Function user32.dll:SetWindowPos (644) intercepted, method APICodeHijack.JmpTo[1004C9DE]
Function user32.dll:SetWindowsHookExA (651) intercepted, method APICodeHijack.JmpTo[1004CD76]
Function user32.dll:SetWindowsHookExW (652) intercepted, method APICodeHijack.JmpTo[1004CD4E]
Analysis: advapi32.dll, export table found in section .text
Analysis: ws2_32.dll, export table found in section .text
Analysis: wininet.dll, export table found in section .text
Analysis: rasapi32.dll, export table found in section .text
Analysis: urlmon.dll, export table found in section .text
Analysis: netapi32.dll, export table found in section .text
1.2 Searching for kernel-mode API hooks
Driver loaded successfully
SDT found (RVA=082700)
Kernel ntoskrnl.exe found in memory at address 804D7000
SDT = 80559700
KiST = 804E26A8 (284)
Function NtAssignProcessToJobObject (13) intercepted (805A1C40->F5FF28B0), hook C:\Program Files\Agnitum\Outpost Firewall\kernel\Sandbox.SYS, driver recognized as trusted
Function NtClose (19) intercepted (80566DC9->F5FE4BE0), hook C:\Program Files\Agnitum\Outpost Firewall\kernel\Sandbox.SYS, driver recognized as trusted
Function NtCreateFile (25) intercepted (8056FC78->F5FE21E0), hook C:\Program Files\Agnitum\Outpost Firewall\kernel\Sandbox.SYS, driver recognized as trusted
Function NtCreateKey (29) intercepted (8056E829->F5FE8FB0), hook C:\Program Files\Agnitum\Outpost Firewall\kernel\Sandbox.SYS, driver recognized as trusted
Function NtCreatePagingFile (2D) intercepted (805BAFD8->F84EEC70), hook C:\WINDOWS\system32\Drivers\Vax347b.sys, driver recognized as trusted
Function NtCreateProcess (2F) intercepted (805B0B34->F5FF0120), hook C:\Program Files\Agnitum\Outpost Firewall\kernel\Sandbox.SYS, driver recognized as trusted
Function NtCreateProcessEx (30) intercepted (80581F0E->F5FF07F0), hook C:\Program Files\Agnitum\Outpost Firewall\kernel\Sandbox.SYS, driver recognized as trusted
Function NtCreateSection (32) intercepted (8056469B->F5FE14A0), hook C:\Program Files\Agnitum\Outpost Firewall\kernel\Sandbox.SYS, driver recognized as trusted
Function NtCreateSymbolicLinkObject (34) intercepted (805A0CF9->F5FE8DB0), hook C:\Program Files\Agnitum\Outpost Firewall\kernel\Sandbox.SYS, driver recognized as trusted
Function NtCreateThread (35) intercepted (8057C52B->F6153FA0), hook C:\Program Files\Agnitum\Outpost Firewall\kernel\FILTNT.SYS, driver recognized as trusted
Function NtDeleteFile (3E) intercepted (805D7427->F5FE7F80), hook C:\Program Files\Agnitum\Outpost Firewall\kernel\Sandbox.SYS, driver recognized as trusted
Function NtDeleteKey (3F) intercepted (805951C2->F5FEA200), hook C:\Program Files\Agnitum\Outpost Firewall\kernel\Sandbox.SYS, driver recognized as trusted
Function NtDeleteValueKey (41) intercepted (80593B38->F5FEE570), hook C:\Program Files\Agnitum\Outpost Firewall\kernel\Sandbox.SYS, driver recognized as trusted
Function NtEnumerateKey (47) intercepted (8056EF30->F84EF4FE), hook C:\WINDOWS\system32\Drivers\Vax347b.sys, driver recognized as trusted
Function NtEnumerateValueKey (49) intercepted (8057FC04->F84FAD50), hook C:\WINDOWS\system32\Drivers\Vax347b.sys, driver recognized as trusted
Function NtLoadDriver (61) intercepted (805A410A->F5FEEF20), hook C:\Program Files\Agnitum\Outpost Firewall\kernel\Sandbox.SYS, driver recognized as trusted
Function NtMakeTemporaryObject (69) intercepted (805A11B7->F5FE8700), hook C:\Program Files\Agnitum\Outpost Firewall\kernel\Sandbox.SYS, driver recognized as trusted
Function NtOpenFile (74) intercepted (8056FC13->F5FE3AD0), hook C:\Program Files\Agnitum\Outpost Firewall\kernel\Sandbox.SYS, driver recognized as trusted
Function NtOpenKey (77) intercepted (80567D7B->F5FE9BE0), hook C:\Program Files\Agnitum\Outpost Firewall\kernel\Sandbox.SYS, driver recognized as trusted
Function NtOpenProcess (7A) intercepted (80572D86->F5FF0ED0), hook C:\Program Files\Agnitum\Outpost Firewall\kernel\Sandbox.SYS, driver recognized as trusted
Function NtOpenSection (7D) intercepted (8057678B->F5FE1BA0), hook C:\Program Files\Agnitum\Outpost Firewall\kernel\Sandbox.SYS, driver recognized as trusted
Function NtOpenThread (80) intercepted (8058C892->81BA1E80), hook not defined
Function NtProtectVirtualMemory (89) intercepted (80573135->F5FF3670), hook C:\Program Files\Agnitum\Outpost Firewall\kernel\Sandbox.SYS, driver recognized as trusted
Function NtQueryDirectoryFile (91) intercepted (80573595->F5FE5010), hook C:\Program Files\Agnitum\Outpost Firewall\kernel\Sandbox.SYS, driver recognized as trusted
Function NtQueryKey (A0) intercepted (8056EC39->F5FEAB90), hook C:\Program Files\Agnitum\Outpost Firewall\kernel\Sandbox.SYS, driver recognized as trusted
Function NtQueryValueKey (B1) intercepted (8056B183->F5FEB1F0), hook C:\Program Files\Agnitum\Outpost Firewall\kernel\Sandbox.SYS, driver recognized as trusted
Function NtReplaceKey (C1) intercepted (8064D62A->F5FEC2C0), hook C:\Program Files\Agnitum\Outpost Firewall\kernel\Sandbox.SYS, driver recognized as trusted
Function NtRestoreKey (CC) intercepted (8064C148->F5FEDF00), hook C:\Program Files\Agnitum\Outpost Firewall\kernel\Sandbox.SYS, driver recognized as trusted
Function NtSaveKey (CF) intercepted (8064C1EF->F5FED230), hook C:\Program Files\Agnitum\Outpost Firewall\kernel\Sandbox.SYS, driver recognized as trusted
Function NtSaveKeyEx (D0) intercepted (8064C287->F5FED890), hook C:\Program Files\Agnitum\Outpost Firewall\kernel\Sandbox.SYS, driver recognized as trusted
Function NtSetInformationFile (E0) intercepted (80576F1C->F5FE61A0), hook C:\Program Files\Agnitum\Outpost Firewall\kernel\Sandbox.SYS, driver recognized as trusted
Function NtSetSystemPowerState (F1) intercepted (80665927->F84FA4F0), hook C:\WINDOWS\system32\Drivers\Vax347b.sys, driver recognized as trusted
Function NtSetValueKey (F7) intercepted (80573D0D->F5FEB870), hook C:\Program Files\Agnitum\Outpost Firewall\kernel\Sandbox.SYS, driver recognized as trusted
Function NtSuspendProcess (FD) intercepted (8062E099->81BA2460), hook not defined
Function NtSuspendThread (FE) intercepted (805DFAA8->81BA2280), hook not defined
Function NtTerminateProcess (101) intercepted (805847CC->F6154910), hook C:\Program Files\Agnitum\Outpost Firewall\kernel\FILTNT.SYS, driver recognized as trusted
Function NtTerminateThread (102) intercepted (8057BC44->F5FF20B0), hook C:\Program Files\Agnitum\Outpost Firewall\kernel\Sandbox.SYS, driver recognized as trusted
Function NtUnloadDriver (106) intercepted (806187E0->F5FEF460), hook C:\Program Files\Agnitum\Outpost Firewall\kernel\Sandbox.SYS, driver recognized as trusted
Function NtWriteVirtualMemory (115) intercepted (8057A717->F5FF2F00), hook C:\Program Files\Agnitum\Outpost Firewall\kernel\Sandbox.SYS, driver recognized as trusted
Functions checked: 284, intercepted: 39, restored: 0
1.3 Checking IDT and SYSENTER
Analysis for CPU 1
>>> Danger - possible CPU address substitution[1].IDT[06] = [F354183B] C:\WINDOWS\system32\drivers\HaspNT.sys, driver recognized as trusted
>>> Danger - possible CPU address substitution[1].IDT[0E] = [F3541780] C:\WINDOWS\system32\drivers\HaspNT.sys, driver recognized as trusted
Checking IDT and SYSENTER - complete
1.4 Searching for masking processes and drivers
Checking not performed: extended monitoring driver (AVZPM) is not installed
Driver loaded successfully
1.5 Checking of IRP handlers
Checking - complete
2. Scanning memory
Number of processes found: 25
Number of modules loaded: 279
Scanning memory - complete
3. Scanning disks
4. Checking Winsock Layered Service Provider (SPI/LSP)
LSP settings checked. No errors detected
5. Searching for keyboard/mouse/windows events hooks (Keyloggers, Trojan DLLs)
6. Searching for opened TCP/UDP ports used by malicious programs
Checking disabled by user
7. Heuristic system check
Checking - complete
8. Searching for vulnerabilities
>> Services: potentially dangerous service allowed: RemoteRegistry (Удаленный реестр)
>> Services: potentially dangerous service allowed: TermService (Службы терминалов)
>> Services: potentially dangerous service allowed: SSDPSRV (Служба обнаружения SSDP)
>> Services: potentially dangerous service allowed: Schedule (Планировщик заданий)
>> Services: potentially dangerous service allowed: mnmsrvc (NetMeeting Remote Desktop Sharing)
>> Services: potentially dangerous service allowed: RDSessMgr (Диспетчер сеанса справки для удаленного рабочего стола)
> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
>> Security: administrative shares (C$, D$ ...) are enabled
>> Security: anonymous user access is enabled
Checking - complete
9. Troubleshooting wizard
>> Abnormal SCR files association
Checking - complete
Files scanned: 304, extracted from archives: 0, malicious software found 0, suspicions - 0
Scanning finished at 04.07.2009 20:47:01
Time of scanning: 00:00:34
If you have a suspicion on presence of viruses or questions on the suspected objects,
you can address http://virusinfo.info conference
Automatic Quarantining in progress
File quarantined succesfully (C:\WINDOWS\system32\ventmon.dll)
Quarantine file: failed (error), attempt of direct disk reading (.sys)
Quarantine file (direct disk reading) "%S" - failed (error)
File quarantined succesfully (C:\WINDOWS\system32\DRIVERS\kvpndrv.sys)
File quarantined succesfully (C:\Program Files\Sable\WINNT\startnt.bat)
File quarantined succesfully (C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm)
Quarantine file: failed (error), attempt of direct disk reading (rundll32.exe C:\WINDOWS\system32\shimgvw.dll,ImageView_COMServer {00E7B358-F65B-4dcf-83DF-CD026B94BFD4})
Quarantine file (direct disk reading) "%S" - failed (error)
Quarantine file: failed (error), attempt of direct disk reading (System)
Quarantine file (direct disk reading) "%S" - failed (error)
Quarantine file: failed (error), attempt of direct disk reading (System)
Quarantine file (direct disk reading) "%S" - failed (error)
Quarantine file: failed (error), attempt of direct disk reading (System)
Quarantine file (direct disk reading) "%S" - failed (error)
Quarantine file: failed (error), attempt of direct disk reading (System)
Quarantine file (direct disk reading) "%S" - failed (error)
Quarantine file: failed (error), attempt of direct disk reading (System)
Quarantine file (direct disk reading) "%S" - failed (error)
Quarantine file: failed (error), attempt of direct disk reading (System)
Quarantine file (direct disk reading) "%S" - failed (error)
Quarantine file: failed (error), attempt of direct disk reading (System)
Quarantine file (direct disk reading) "%S" - failed (error)
Quarantine file: failed (error), attempt of direct disk reading (System)
Quarantine file (direct disk reading) "%S" - failed (error)
Quarantine file: failed (error), attempt of direct disk reading (System)
Quarantine file (direct disk reading) "%S" - failed (error)
Quarantine file: failed (error), attempt of direct disk reading (System)
Quarantine file (direct disk reading) "%S" - failed (error)
Quarantine file: failed (error), attempt of direct disk reading (System)
Quarantine file (direct disk reading) "%S" - failed (error)
Quarantine file: failed (error), attempt of direct disk reading (System)
Quarantine file (direct disk reading) "%S" - failed (error)
Quarantine file: failed (error), attempt of direct disk reading (System)
Quarantine file (direct disk reading) "%S" - failed (error)
Quarantine file: failed (error), attempt of direct disk reading (System)
Quarantine file (direct disk reading) "%S" - failed (error)
Quarantine file: failed (error), attempt of direct disk reading (System)
Quarantine file (direct disk reading) "%S" - failed (error)
Quarantine file: failed (error), attempt of direct disk reading (System)
Quarantine file (direct disk reading) "%S" - failed (error)
Quarantine file: failed (error), attempt of direct disk reading (System)
Quarantine file (direct disk reading) "%S" - failed (error)
Quarantine file: failed (error), attempt of direct disk reading (System)
Quarantine file (direct disk reading) "%S" - failed (error)
Quarantine file: failed (error), attempt of direct disk reading (System)
Quarantine file (direct disk reading) "%S" - failed (error)
Quarantine file: failed (error), attempt of direct disk reading (System)
Quarantine file (direct disk reading) "%S" - failed (error)
Quarantine file: failed (error), attempt of direct disk reading (mscoree.dll)
Quarantine file (direct disk reading) "%S" - failed (error)
Quarantine file: failed (error), attempt of direct disk reading (mscoree.dll)
Quarantine file (direct disk reading) "%S" - failed (error)
Quarantine file: failed (error), attempt of direct disk reading (mscoree.dll)
Quarantine file (direct disk reading) "%S" - failed (error)
File quarantined succesfully (C:\WINDOWS\system32\ALSNDMGR.CPL)
Automatic Quarantining - complete
Creating archive of files from Quarantine
Creating archive of files from Quarantine - complete