<AVZ_CollectSysInfo>
--------------------
Start time: 27/09/1430 10:02:12 ص
Duration: 00:00:52
Finish time: 27/09/1430 10:03:04 ص
<AVZ_CollectSysInfo>
--------------------
Time Event
---- -----
27/09/1430 10:02:13 ص Windows version: Microsoft Windows XP, Build=2600, SP="Service Pack 2"
27/09/1430 10:02:13 ص System Restore: enabled
27/09/1430 10:02:13 ص 1.1 Searching for user-mode API hooks
27/09/1430 10:02:13 ص Analysis: kernel32.dll, export table found in section .text
27/09/1430 10:02:13 ص Function kernel32.dll:CreateProcessA (99) intercepted, method ProcAddressHijack.GetProcAddress ->7C802367->61F03F42
27/09/1430 10:02:13 ص Hook kernel32.dll:CreateProcessA (99) blocked
27/09/1430 10:02:13 ص Function kernel32.dll:CreateProcessW (103) intercepted, method ProcAddressHijack.GetProcAddress ->7C802332->61F04040
27/09/1430 10:02:13 ص Hook kernel32.dll:CreateProcessW (103) blocked
27/09/1430 10:02:13 ص Function kernel32.dll:FreeLibrary (241) intercepted, method ProcAddressHijack.GetProcAddress ->7C80AA66->61F041FC
27/09/1430 10:02:13 ص Hook kernel32.dll:FreeLibrary (241) blocked
27/09/1430 10:02:13 ص Function kernel32.dll:GetModuleFileNameA (372) intercepted, method ProcAddressHijack.GetProcAddress ->7C80B357->61F040FB
27/09/1430 10:02:13 ص Hook kernel32.dll:GetModuleFileNameA (372) blocked
27/09/1430 10:02:13 ص Function kernel32.dll:GetModuleFileNameW (373) intercepted, method ProcAddressHijack.GetProcAddress ->7C80B25D->61F041A0
27/09/1430 10:02:13 ص Hook kernel32.dll:GetModuleFileNameW (373) blocked
27/09/1430 10:02:13 ص Function kernel32.dll:GetProcAddress (408) intercepted, method ProcAddressHijack.GetProcAddress ->7C80AC28->61F04648
27/09/1430 10:02:13 ص Hook kernel32.dll:GetProcAddress (408) blocked
27/09/1430 10:02:13 ص Function kernel32.dll:LoadLibraryA (578) intercepted, method ProcAddressHijack.GetProcAddress ->7C801D77->61F03C6F
27/09/1430 10:02:13 ص Hook kernel32.dll:LoadLibraryA (578) blocked
27/09/1430 10:02:13 ص >>> Functions LoadLibraryA - preventing AVZ process from being intercepted by address replacement (!!)
27/09/1430 10:02:13 ص Function kernel32.dll:LoadLibraryExA (579) intercepted, method ProcAddressHijack.GetProcAddress ->7C801D4F->61F03DAF
27/09/1430 10:02:13 ص Hook kernel32.dll:LoadLibraryExA (579) blocked
27/09/1430 10:02:13 ص >>> Functions LoadLibraryExA - preventing AVZ process from being intercepted by address replacement (!!)
27/09/1430 10:02:13 ص Function kernel32.dll:LoadLibraryExW (580) intercepted, method ProcAddressHijack.GetProcAddress ->7C801AF1->61F03E5A
27/09/1430 10:02:13 ص Hook kernel32.dll:LoadLibraryExW (580) blocked
27/09/1430 10:02:13 ص Function kernel32.dll:LoadLibraryW (581) intercepted, method ProcAddressHijack.GetProcAddress ->7C80ACD3->61F03D0C
27/09/1430 10:02:13 ص Hook kernel32.dll:LoadLibraryW (581) blocked
27/09/1430 10:02:13 ص IAT modification detected: LoadLibraryW - 00E20010<>7C80ACD3
27/09/1430 10:02:13 ص IAT address restored: LoadLibraryW
27/09/1430 10:02:13 ص IAT modification detected: GetModuleFileNameW - 00E2003A<>7C80B25D
27/09/1430 10:02:13 ص IAT address restored: GetModuleFileNameW
27/09/1430 10:02:13 ص IAT modification detected: GetModuleFileNameA - 00E20064<>7C80B357
27/09/1430 10:02:13 ص IAT address restored: GetModuleFileNameA
27/09/1430 10:02:13 ص IAT modification detected: CreateProcessA - 00E200B8<>7C802367
27/09/1430 10:02:13 ص IAT address restored: CreateProcessA
27/09/1430 10:02:13 ص IAT modification detected: LoadLibraryA - 00E2010C<>7C801D77
27/09/1430 10:02:13 ص IAT address restored: LoadLibraryA
27/09/1430 10:02:13 ص IAT modification detected: GetProcAddress - 00E20136<>7C80AC28
27/09/1430 10:02:13 ص IAT address restored: GetProcAddress
27/09/1430 10:02:13 ص IAT modification detected: FreeLibrary - 00E20160<>7C80AA66
27/09/1430 10:02:13 ص IAT address restored: FreeLibrary
27/09/1430 10:02:13 ص IAT modification detected: CreateFileA - 00436F87<>7C801A24
27/09/1430 10:02:13 ص IAT address restored: CreateFileA
27/09/1430 10:02:13 ص IAT modification detected: CreateFileW - 00436FB9<>7C810976
27/09/1430 10:02:13 ص IAT address restored: CreateFileW
27/09/1430 10:02:13 ص Analysis: ntdll.dll, export table found in section .text
27/09/1430 10:02:13 ص Analysis: user32.dll, export table found in section .text
27/09/1430 10:02:13 ص Analysis: advapi32.dll, export table found in section .text
27/09/1430 10:02:13 ص Analysis: ws2_32.dll, export table found in section .text
27/09/1430 10:02:13 ص Analysis: wininet.dll, export table found in section .text
27/09/1430 10:02:13 ص Analysis: rasapi32.dll, export table found in section .text
27/09/1430 10:02:13 ص Analysis: urlmon.dll, export table found in section .text
27/09/1430 10:02:13 ص Analysis: netapi32.dll, export table found in section .text
27/09/1430 10:02:14 ص 1.2 Searching for kernel-mode API hooks
27/09/1430 10:02:14 ص Driver loaded successfully
27/09/1430 10:02:14 ص SDT found (RVA=082B80)
27/09/1430 10:02:14 ص Kernel ntoskrnl.exe found in memory at address 804D7000
27/09/1430 10:02:14 ص SDT = 80559B80
27/09/1430 10:02:14 ص KiST = 804E2D20 (284)
27/09/1430 10:02:16 ص Functions checked: 284, intercepted: 0, restored: 0
27/09/1430 10:02:16 ص 1.3 Checking IDT and SYSENTER
27/09/1430 10:02:16 ص Analysis for CPU 1
27/09/1430 10:02:16 ص Checking IDT and SYSENTER - complete
27/09/1430 10:02:16 ص 1.4 Searching for masking processes and drivers
27/09/1430 10:02:16 ص Checking not performed: extended monitoring driver (AVZPM) is not installed
27/09/1430 10:02:16 ص Driver loaded successfully
27/09/1430 10:02:16 ص 1.5 Checking of IRP handlers
27/09/1430 10:02:16 ص Checking - complete
27/09/1430 10:02:34 ص >>> E:\autorun.inf HSC: suspicion for hidden autorun (high degree of probability)
27/09/1430 10:02:34 ص >>> F:\autorun.inf HSC: suspicion for hidden autorun (high degree of probability)
27/09/1430 10:02:34 ص >>> G:\autorun.inf HSC: suspicion for hidden autorun (high degree of probability)
27/09/1430 10:02:34 ص >>> H:\autorun.inf HSC: suspicion for hidden autorun (high degree of probability)
27/09/1430 10:02:34 ص >> Services: potentially dangerous service allowed: RemoteRegistry (Remote Registry)
27/09/1430 10:02:34 ص >> Services: potentially dangerous service allowed: TermService (Terminal Services)
27/09/1430 10:02:34 ص >> Services: potentially dangerous service allowed: SSDPSRV (SSDP Discovery Service)
27/09/1430 10:02:34 ص >> Services: potentially dangerous service allowed: Schedule (Task Scheduler)
27/09/1430 10:02:34 ص >> Services: potentially dangerous service allowed: mnmsrvc (NetMeeting Remote Desktop Sharing)
27/09/1430 10:02:34 ص >> Services: potentially dangerous service allowed: RDSessMgr (Remote Desktop Help Session Manager)
27/09/1430 10:02:34 ص > Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
27/09/1430 10:02:34 ص >> Security: disk drives' autorun is enabled
27/09/1430 10:02:34 ص >> Security: administrative shares (C$, D$ ...) are enabled
27/09/1430 10:02:35 ص >> Security: anonymous user access is enabled
27/09/1430 10:02:35 ص >> Security: sending Remote Assistant queries is enabled
27/09/1430 10:02:40 ص >> Disable HDD autorun
27/09/1430 10:02:40 ص >> Disable autorun from network drives
27/09/1430 10:02:41 ص >> Disable CD/DVD autorun
27/09/1430 10:02:41 ص >> Disable removable media autorun
27/09/1430 10:02:41 ص >> Windows Update is disabled
27/09/1430 10:02:41 ص System Analysis in progress
27/09/1430 10:03:04 ص System Analysis - complete
27/09/1430 10:03:04 ص Delete file:C:\Documents and Settings\Famaly\Desktop\Virus Removal Tool\is-13VTL\LOG\avptool_syscheck.htm
27/09/1430 10:03:04 ص Delete file:C:\Documents and Settings\Famaly\Desktop\Virus Removal Tool\is-13VTL\LOG\avptool_syscheck.xml
27/09/1430 10:03:04 ص Deleting service/driver: utmymjk3
27/09/1430 10:03:04 ص Delete file:C:\WINDOWS\system32\Drivers\utmymjk3.sys
27/09/1430 10:03:04 ص Deleting service/driver: ujmymjk3
27/09/1430 10:03:04 ص Script executed without errors
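Reading the log above: every user-mode hook AVZ found is a ProcAddressHijack on kernel32 process-creation and library-loading exports, and every hook target lies in the 61F0xxxx range, which is consistent with one injected module rather than ten independent hooks; the same functions in AVZ's own import table had been redirected to a 00E2xxxx page (CreateFileA/W to 0043xxxx), and AVZ reports blocking the hooks and restoring the IAT before it continues. The SSDT check (284 entries, 0 intercepted) and the IDT/SYSENTER check are clean, the hidden-process check was skipped because the AVZPM driver was not installed, and what remains is the hidden autorun.inf on E: through H: (the removable-media worm pattern), the remote-access services left enabled, and the autorun, administrative-share, anonymous-access and Remote Assistance settings. The parser below is an added example, not AVZ's or Kaspersky Virus Removal Tool's code and not part of the original log; it extracts those facts from raw lines of this form and reduces them to findings, including a cross-check that the export AVZ wrote back into the IAT is the same "original" address it recorded for the hook. Its input is a constructed subset of the lines above, with the LoadLibraryA ordinal that lost its trailing "8)" to forum smiley rendering written out as 578 and one "blocked" line deliberately omitted; function and field names are this example's own.

```python
"""Triage parser for AVZ system-check logs like the one above (added example,
not AVZ's code nor part of the original log; names are this example's own).
SAMPLE_LOG is a constructed subset of the page's lines, with the LoadLibraryA
ordinal written out as 578 and the "blocked" line for LoadLibraryW deliberately
omitted to exercise the unblocked path."""
import re
from collections import defaultdict

SAMPLE_LOG = r"""
27/09/1430 10:02:13 ص Function kernel32.dll:CreateProcessA (99) intercepted, method ProcAddressHijack.GetProcAddress ->7C802367->61F03F42
27/09/1430 10:02:13 ص Hook kernel32.dll:CreateProcessA (99) blocked
27/09/1430 10:02:13 ص Function kernel32.dll:LoadLibraryA (578) intercepted, method ProcAddressHijack.GetProcAddress ->7C801D77->61F03C6F
27/09/1430 10:02:13 ص Hook kernel32.dll:LoadLibraryA (578) blocked
27/09/1430 10:02:13 ص Function kernel32.dll:LoadLibraryW (581) intercepted, method ProcAddressHijack.GetProcAddress ->7C80ACD3->61F03D0C
27/09/1430 10:02:13 ص IAT modification detected: LoadLibraryW - 00E20010<>7C80ACD3
27/09/1430 10:02:13 ص IAT address restored: LoadLibraryW
27/09/1430 10:02:13 ص IAT modification detected: CreateFileA - 00436F87<>7C801A24
27/09/1430 10:02:13 ص IAT address restored: CreateFileA
27/09/1430 10:02:16 ص Functions checked: 284, intercepted: 0, restored: 0
27/09/1430 10:02:34 ص >>> E:\autorun.inf HSC: suspicion for hidden autorun (high degree of probability)
27/09/1430 10:02:34 ص >>> F:\autorun.inf HSC: suspicion for hidden autorun (high degree of probability)
27/09/1430 10:02:34 ص >> Services: potentially dangerous service allowed: RemoteRegistry (Remote Registry)
27/09/1430 10:02:34 ص >> Security: disk drives' autorun is enabled
"""

# "->orig->hook": orig is the genuine export, hook is where GetProcAddress now resolves to.
HOOK_RE = re.compile(r"Function (?P<mod>[\w.]+):(?P<fn>\w+) \((?P<ord>\d+)\) intercepted, method (?P<method>\S+) ->(?P<orig>[0-9A-F]{8})->(?P<hook>[0-9A-F]{8})")
BLOCKED_RE = re.compile(r"Hook (?P<mod>[\w.]+):(?P<fn>\w+) \(\d+\) blocked")
# "cur<>exp": cur is what the import slot holds, exp is the export it should hold.
IAT_RE = re.compile(r"IAT modification detected: (?P<fn>\w+) - (?P<cur>[0-9A-F]{8})<>(?P<exp>[0-9A-F]{8})")
IAT_OK_RE = re.compile(r"IAT address restored: (?P<fn>\w+)")
SSDT_RE = re.compile(r"Functions checked: (\d+), intercepted: (\d+), restored: (\d+)")
AUTORUN_RE = re.compile(r">>> (?P<path>[A-Z]:\\autorun\.inf) HSC: suspicion for hidden autorun")
SERVICE_RE = re.compile(r">> Services: potentially dangerous service allowed: (?P<name>\w+) \((?P<display>[^)]+)\)")
SECURITY_RE = re.compile(r">> Security: (?P<finding>.+)$")


def parse_avz(text):
    """Turn raw AVZ lines into a structured report; the timestamp prefix is ignored."""
    r = {"hooks": {}, "iat": {}, "ssdt": None, "autorun": [], "services": [], "security": []}
    for line in text.splitlines():
        if m := HOOK_RE.search(line):
            r["hooks"][f"{m['mod']}:{m['fn']}"] = {
                "ordinal": int(m["ord"]), "method": m["method"], "blocked": False,
                "orig": int(m["orig"], 16), "hook": int(m["hook"], 16)}
        elif m := BLOCKED_RE.search(line):
            key = f"{m['mod']}:{m['fn']}"
            if key in r["hooks"]:
                r["hooks"][key]["blocked"] = True
        elif m := IAT_RE.search(line):
            r["iat"][m["fn"]] = {"current": int(m["cur"], 16), "expected": int(m["exp"], 16), "restored": False}
        elif m := IAT_OK_RE.search(line):
            if m["fn"] in r["iat"]:
                r["iat"][m["fn"]]["restored"] = True
        elif m := SSDT_RE.search(line):
            r["ssdt"] = tuple(int(x) for x in m.groups())  # (checked, intercepted, restored)
        elif m := AUTORUN_RE.search(line):
            r["autorun"].append(m["path"])
        elif m := SERVICE_RE.search(line):
            r["services"].append((m["name"], m["display"]))
        elif m := SECURITY_RE.search(line):
            r["security"].append(m["finding"])
    return r


def regions(named_addrs):
    """Group 32-bit addresses by their upper 16 bits. Hook targets that share one
    64 KiB-aligned region almost always belong to one injected image."""
    groups = defaultdict(list)
    for name, addr in named_addrs:
        groups[f"{addr >> 16:04X}xxxx"].append(name)
    return dict(groups)


def triage(r):
    """Reduce a parsed report to analyst-facing findings."""
    out = []
    if r["hooks"]:
        unblocked = sorted(n for n, h in r["hooks"].items() if not h["blocked"])
        reg = sorted(regions((n, h["hook"]) for n, h in r["hooks"].items()))
        out.append(f"{len(r['hooks'])} user-mode API hooks redirect into {reg}; not blocked: {unblocked}")
    if r["iat"]:
        unrestored = sorted(n for n, e in r["iat"].items() if not e["restored"])
        reg = sorted(regions((n, e["current"]) for n, e in r["iat"].items()))
        out.append(f"{len(r['iat'])} IAT entries pointed into {reg}; not restored: {unrestored}")
    # Cross-check: the export restored into the IAT must equal the hook's recorded original.
    for fn, e in r["iat"].items():
        for name, h in r["hooks"].items():
            if name.endswith(":" + fn) and h["orig"] != e["expected"]:
                out.append(f"original-address mismatch for {fn}: {h['orig']:08X} vs {e['expected']:08X}")
    if r["ssdt"] and r["ssdt"][1]:
        out.append(f"kernel: {r['ssdt'][1]} of {r['ssdt'][0]} SSDT entries hooked")
    if r["autorun"]:
        out.append("hidden autorun.inf on " + ", ".join(p[:2] for p in r["autorun"]) + " (removable-media worm pattern)")
    for name, display in r["services"]:
        out.append(f"remote-access surface: service {name} ({display}) enabled")
    for finding in r["security"]:
        out.append(f"weak setting: {finding}")
    return out


if __name__ == "__main__":
    for finding in triage(parse_avz(SAMPLE_LOG)):
        print("-", finding)
```

Run it as-is to see the findings for the sample, or feed it the full log text to get the ten hooks, nine IAT entries and four drives reported together. Region grouping is a heuristic for "how many injected images am I looking at", not proof; the next step on a live system is to map the 61F0xxxx and 00E2xxxx ranges to loaded modules or anonymous memory and pull them for analysis.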