
View full version : nasrin script of virus



nasrin
20.03.2008, 12:30
1.1 Searching for user-mode API hooks
Analysis: kernel32.dll, export table found in section .text
Function kernel32.dll:CreateProcessA (99) intercepted, method ProcAddressHijack.GetProcAddress ->7C802367->61F03F42
Hook kernel32.dll:CreateProcessA (99) blocked
Function kernel32.dll:CreateProcessW (103) intercepted, method ProcAddressHijack.GetProcAddress ->7C802332->61F04040
Hook kernel32.dll:CreateProcessW (103) blocked
Function kernel32.dll:FreeLibrary (241) intercepted, method ProcAddressHijack.GetProcAddress ->7C80AA66->61F041FC
Hook kernel32.dll:FreeLibrary (241) blocked
Function kernel32.dll:GetModuleFileNameA (372) intercepted, method ProcAddressHijack.GetProcAddress ->7C80B357->61F040FB
Hook kernel32.dll:GetModuleFileNameA (372) blocked
Function kernel32.dll:GetModuleFileNameW (373) intercepted, method ProcAddressHijack.GetProcAddress ->7C80B25D->61F041A0
Hook kernel32.dll:GetModuleFileNameW (373) blocked
Function kernel32.dll:GetProcAddress (408) intercepted, method ProcAddressHijack.GetProcAddress ->7C80AC28->61F04648
Hook kernel32.dll:GetProcAddress (408) blocked
Function kernel32.dll:LoadLibraryA (578) intercepted, method ProcAddressHijack.GetProcAddress ->7C801D77->61F03C6F
Hook kernel32.dll:LoadLibraryA (578) blocked
>>> Functions LoadLibraryA - preventing the AVZ process from being intercepted by address replacement !!)
Function kernel32.dll:LoadLibraryExA (579) intercepted, method ProcAddressHijack.GetProcAddress ->7C801D4F->61F03DAF
Hook kernel32.dll:LoadLibraryExA (579) blocked
>>> Functions LoadLibraryExA - preventing the AVZ process from being intercepted by address replacement !!)
Function kernel32.dll:LoadLibraryExW (580) intercepted, method ProcAddressHijack.GetProcAddress ->7C801AF1->61F03E5A
Hook kernel32.dll:LoadLibraryExW (580) blocked
Function kernel32.dll:LoadLibraryW (581) intercepted, method ProcAddressHijack.GetProcAddress ->7C80ACD3->61F03D0C
Hook kernel32.dll:LoadLibraryW (581) blocked
IAT modification detected: GetModuleFileNameW - 009A0010<>7C80B25D
Analysis: ntdll.dll, export table found in section .text
Analysis: user32.dll, export table found in section .text
Analysis: advapi32.dll, export table found in section .text
Analysis: ws2_32.dll, export table found in section .text
Analysis: wininet.dll, export table found in section .text
Analysis: rasapi32.dll, export table found in section .text
Analysis: urlmon.dll, export table found in section .text
Analysis: netapi32.dll, export table found in section .text
1.2 Searching for kernel-mode API hooks
Driver loaded successfully
SDT found (RVA=0846E0)
Kernel ntkrnlpa.exe found in memory at address 804D7000
SDT = 8055B6E0
KiST = 85C09978 (297)
>>> Attention, KiST table is moved ! (80503734(284)->85C09978(297))
Functions checked: 284, intercepted: 0, restored: 0
1.3 Checking IDT and SYSENTER
Analysis for CPU 1
Analysis for CPU 2
Checking IDT and SYSENTER - complete
1.4 Searching for masking processes and drivers
Checking not performed: the extended monitoring driver (AVZPM) is not installed
C:\Documents and Settings\All Users\Desktop\Kaspersky Lab Tool\prremote.dll --> Suspicion for a Keylogger or Trojan DLL
C:\Documents and Settings\All Users\Desktop\Kaspersky Lab Tool\prremote.dll>>> Behavioral analysis:
Behaviour typical for keyloggers not detected
C:\Documents and Settings\All Users\Desktop\Kaspersky Lab Tool\FSSync.dll --> Suspicion for a Keylogger or Trojan DLL
C:\Documents and Settings\All Users\Desktop\Kaspersky Lab Tool\FSSync.dll>>> Behavioral analysis:
Behaviour typical for keyloggers not detected
C:\Documents and Settings\All Users\Desktop\Kaspersky Lab Tool\AVPGS.PPL --> Suspicion for a Keylogger or Trojan DLL
C:\Documents and Settings\All Users\Desktop\Kaspersky Lab Tool\AVPGS.PPL>>> Behavioral analysis:
Behaviour typical for keyloggers not detected
C:\Documents and Settings\All Users\Desktop\Kaspersky Lab Tool\prloader.dll --> Suspicion for a Keylogger or Trojan DLL
C:\Documents and Settings\All Users\Desktop\Kaspersky Lab Tool\prloader.dll>>> Behavioral analysis:
Behaviour typical for keyloggers not detected
C:\Documents and Settings\All Users\Desktop\Kaspersky Lab Tool\prkernel.ppl --> Suspicion for a Keylogger or Trojan DLL
C:\Documents and Settings\All Users\Desktop\Kaspersky Lab Tool\prkernel.ppl>>> Behavioral analysis:
Behaviour typical for keyloggers not detected
c:\documents and settings\all users\desktop\kaspersky lab tool\pxstub.ppl --> Suspicion for a Keylogger or Trojan DLL
c:\documents and settings\all users\desktop\kaspersky lab tool\pxstub.ppl>>> Behavioral analysis:
Behaviour typical for keyloggers not detected
c:\documents and settings\all users\desktop\kaspersky lab tool\params.ppl --> Suspicion for a Keylogger or Trojan DLL
c:\documents and settings\all users\desktop\kaspersky lab tool\params.ppl>>> Behavioral analysis:
Behaviour typical for keyloggers not detected
c:\documents and settings\all users\desktop\kaspersky lab tool\dtreg.ppl --> Suspicion for a Keylogger or Trojan DLL
c:\documents and settings\all users\desktop\kaspersky lab tool\dtreg.ppl>>> Behavioral analysis:
Behaviour typical for keyloggers not detected
c:\documents and settings\all users\desktop\kaspersky lab tool\nfio.ppl --> Suspicion for a Keylogger or Trojan DLL
c:\documents and settings\all users\desktop\kaspersky lab tool\nfio.ppl>>> Behavioral analysis:
1. Reacts to events: keyboard
2. Writes data to file: \documents and settings\all users\desktop\kaspersky lab tool\report\000d_scan_objects_eventlog.rpt
Neural net: checking error
c:\documents and settings\all users\desktop\kaspersky lab tool\fsdrvplg.ppl --> Suspicion for a Keylogger or Trojan DLL
c:\documents and settings\all users\desktop\kaspersky lab tool\fsdrvplg.ppl>>> Behavioral analysis:
Behaviour typical for keyloggers not detected
c:\documents and settings\all users\desktop\kaspersky lab tool\mkavio.ppl --> Suspicion for a Keylogger or Trojan DLL
c:\documents and settings\all users\desktop\kaspersky lab tool\mkavio.ppl>>> Behavioral analysis:
Behaviour typical for keyloggers not detected
c:\documents and settings\all users\desktop\kaspersky lab tool\tempfile.ppl --> Suspicion for a Keylogger or Trojan DLL
c:\documents and settings\all users\desktop\kaspersky lab tool\tempfile.ppl>>> Behavioral analysis:
Behaviour typical for keyloggers not detected
c:\documents and settings\all users\desktop\kaspersky lab tool\tm.ppl --> Suspicion for a Keylogger or Trojan DLL
c:\documents and settings\all users\desktop\kaspersky lab tool\tm.ppl>>> Behavioral analysis:
Behaviour typical for keyloggers not detected
c:\documents and settings\all users\desktop\kaspersky lab tool\bl.ppl --> Suspicion for a Keylogger or Trojan DLL
c:\documents and settings\all users\desktop\kaspersky lab tool\bl.ppl>>> Behavioral analysis:
Behaviour typical for keyloggers not detected
c:\documents and settings\all users\desktop\kaspersky lab tool\wmihlpr.ppl --> Suspicion for a Keylogger or Trojan DLL
c:\documents and settings\all users\desktop\kaspersky lab tool\wmihlpr.ppl>>> Behavioral analysis:
Behaviour typical for keyloggers not detected
c:\documents and settings\all users\desktop\kaspersky lab tool\regmap.ppl --> Suspicion for a Keylogger or Trojan DLL
c:\documents and settings\all users\desktop\kaspersky lab tool\regmap.ppl>>> Behavioral analysis:
Behaviour typical for keyloggers not detected
c:\documents and settings\all users\desktop\kaspersky lab tool\crpthlpr.ppl --> Suspicion for a Keylogger or Trojan DLL
c:\documents and settings\all users\desktop\kaspersky lab tool\crpthlpr.ppl>>> Behavioral analysis:
Behaviour typical for keyloggers not detected
c:\documents and settings\all users\desktop\kaspersky lab tool\winreg.ppl --> Suspicion for a Keylogger or Trojan DLL
c:\documents and settings\all users\desktop\kaspersky lab tool\winreg.ppl>>> Behavioral analysis:
Behaviour typical for keyloggers not detected
c:\documents and settings\all users\desktop\kaspersky lab tool\report.ppl --> Suspicion for a Keylogger or Trojan DLL
c:\documents and settings\all users\desktop\kaspersky lab tool\report.ppl>>> Behavioral analysis:
Behaviour typical for keyloggers not detected
c:\documents and settings\all users\desktop\kaspersky lab tool\thpimpl.ppl --> Suspicion for a Keylogger or Trojan DLL
c:\documents and settings\all users\desktop\kaspersky lab tool\thpimpl.ppl>>> Behavioral analysis:
Behaviour typical for keyloggers not detected
c:\documents and settings\all users\desktop\kaspersky lab tool\avs.ppl --> Suspicion for a Keylogger or Trojan DLL
c:\documents and settings\all users\desktop\kaspersky lab tool\avs.ppl>>> Behavioral analysis:
Behaviour typical for keyloggers not detected
c:\documents and settings\all users\desktop\kaspersky lab tool\avpmgr.ppl --> Suspicion for a Keylogger or Trojan DLL
c:\documents and settings\all users\desktop\kaspersky lab tool\avpmgr.ppl>>> Behavioral analysis:
Behaviour typical for keyloggers not detected
c:\documents and settings\all users\desktop\kaspersky lab tool\wdiskio.ppl --> Suspicion for a Keylogger or Trojan DLL
c:\documents and settings\all users\desktop\kaspersky lab tool\wdiskio.ppl>>> Behavioral analysis:
Behaviour typical for keyloggers not detected
c:\documents and settings\all users\desktop\kaspersky lab tool\avlib.ppl --> Suspicion for a Keylogger or Trojan DLL
c:\documents and settings\all users\desktop\kaspersky lab tool\avlib.ppl>>> Behavioral analysis:
Behaviour typical for keyloggers not detected
c:\documents and settings\all users\desktop\kaspersky lab tool\vmarea.ppl --> Suspicion for a Keylogger or Trojan DLL
c:\documents and settings\all users\desktop\kaspersky lab tool\vmarea.ppl>>> Behavioral analysis:
Behaviour typical for keyloggers not detected
c:\documents and settings\all users\desktop\kaspersky lab tool\avspm.ppl --> Suspicion for a Keylogger or Trojan DLL
c:\documents and settings\all users\desktop\kaspersky lab tool\avspm.ppl>>> Behavioral analysis:
Behaviour typical for keyloggers not detected
c:\documents and settings\all users\desktop\kaspersky lab tool\avp3info.ppl --> Suspicion for a Keylogger or Trojan DLL
c:\documents and settings\all users\desktop\kaspersky lab tool\avp3info.ppl>>> Behavioral analysis:
Behaviour typical for keyloggers not detected
c:\documents and settings\all users\desktop\kaspersky lab tool\ods.ppl --> Suspicion for a Keylogger or Trojan DLL
c:\documents and settings\all users\desktop\kaspersky lab tool\ods.ppl>>> Behavioral analysis:
Behaviour typical for keyloggers not detected
c:\documents and settings\all users\desktop\kaspersky lab tool\buffer.ppl --> Suspicion for a Keylogger or Trojan DLL
c:\documents and settings\all users\desktop\kaspersky lab tool\buffer.ppl>>> Behavioral analysis:
Behaviour typical for keyloggers not detected
c:\documents and settings\all users\desktop\kaspersky lab tool\memscan.ppl --> Suspicion for a Keylogger or Trojan DLL
c:\documents and settings\all users\desktop\kaspersky lab tool\memscan.ppl>>> Behavioral analysis:
Behaviour typical for keyloggers not detected
c:\documents and settings\all users\desktop\kaspersky lab tool\prutil.ppl --> Suspicion for a Keylogger or Trojan DLL
c:\documents and settings\all users\desktop\kaspersky lab tool\prutil.ppl>>> Behavioral analysis:
Behaviour typical for keyloggers not detected
c:\documents and settings\all users\desktop\kaspersky lab tool\memmodsc.ppl --> Suspicion for a Keylogger or Trojan DLL
c:\documents and settings\all users\desktop\kaspersky lab tool\memmodsc.ppl>>> Behavioral analysis:
Behaviour typical for keyloggers not detected
c:\documents and settings\all users\desktop\kaspersky lab tool\avp1.ppl --> Suspicion for a Keylogger or Trojan DLL
c:\documents and settings\all users\desktop\kaspersky lab tool\avp1.ppl>>> Behavioral analysis:
Behaviour typical for keyloggers not detected
c:\documents and settings\all users\desktop\kaspersky lab tool\l_llio.ppl --> Suspicion for a Keylogger or Trojan DLL
c:\documents and settings\all users\desktop\kaspersky lab tool\l_llio.ppl>>> Behavioral analysis:
Behaviour typical for keyloggers not detected
C:\Documents and Settings\All Users\Desktop\Kaspersky Lab Tool\avp_iont.dll --> Suspicion for a Keylogger or Trojan DLL
C:\Documents and Settings\All Users\Desktop\Kaspersky Lab Tool\avp_iont.dll>>> Behavioral analysis:
Behaviour typical for keyloggers not detected
c:\documents and settings\all users\desktop\kaspersky lab tool\btdisk.ppl --> Suspicion for a Keylogger or Trojan DLL
c:\documents and settings\all users\desktop\kaspersky lab tool\btdisk.ppl>>> Behavioral analysis:
Behaviour typical for keyloggers not detected
c:\documents and settings\all users\desktop\kaspersky lab tool\ichk2.ppl --> Suspicion for a Keylogger or Trojan DLL
c:\documents and settings\all users\desktop\kaspersky lab tool\ichk2.ppl>>> Behavioral analysis:
Behaviour typical for keyloggers not detected
c:\documents and settings\all users\desktop\kaspersky lab tool\sfdb.ppl --> Suspicion for a Keylogger or Trojan DLL
c:\documents and settings\all users\desktop\kaspersky lab tool\sfdb.ppl>>> Behavioral analysis:
Behaviour typical for keyloggers not detected
c:\documents and settings\all users\desktop\kaspersky lab tool\filemap.ppl --> Suspicion for a Keylogger or Trojan DLL
c:\documents and settings\all users\desktop\kaspersky lab tool\filemap.ppl>>> Behavioral analysis:
Behaviour typical for keyloggers not detected
c:\documents and settings\all users\desktop\kaspersky lab tool\hashcont.ppl --> Suspicion for a Keylogger or Trojan DLL
c:\documents and settings\all users\desktop\kaspersky lab tool\hashcont.ppl>>> Behavioral analysis:
Behaviour typical for keyloggers not detected
c:\documents and settings\all users\desktop\kaspersky lab tool\hccmp.ppl --> Suspicion for a Keylogger or Trojan DLL
c:\documents and settings\all users\desktop\kaspersky lab tool\hccmp.ppl>>> Behavioral analysis:
Behaviour typical for keyloggers not detected
c:\documents and settings\all users\desktop\kaspersky lab tool\uniarc.ppl --> Suspicion for a Keylogger or Trojan DLL
c:\documents and settings\all users\desktop\kaspersky lab tool\uniarc.ppl>>> Behavioral analysis:
Behaviour typical for keyloggers not detected
c:\documents and settings\all users\desktop\kaspersky lab tool\minizip.ppl --> Suspicion for a Keylogger or Trojan DLL
c:\documents and settings\all users\desktop\kaspersky lab tool\minizip.ppl>>> Behavioral analysis:
Behaviour typical for keyloggers not detected
c:\documents and settings\all users\desktop\kaspersky lab tool\cab.ppl --> Suspicion for a Keylogger or Trojan DLL
c:\documents and settings\all users\desktop\kaspersky lab tool\cab.ppl>>> Behavioral analysis:
Behaviour typical for keyloggers not detected
c:\documents and settings\all users\desktop\kaspersky lab tool\arj.ppl --> Suspicion for a Keylogger or Trojan DLL
c:\documents and settings\all users\desktop\kaspersky lab tool\arj.ppl>>> Behavioral analysis:
Behaviour typical for keyloggers not detected
c:\documents and settings\all users\desktop\kaspersky lab tool\rar.ppl --> Suspicion for a Keylogger or Trojan DLL
c:\documents and settings\all users\desktop\kaspersky lab tool\rar.ppl>>> Behavioral analysis:
Behaviour typical for keyloggers not detected
c:\documents and settings\all users\desktop\kaspersky lab tool\lha.ppl --> Suspicion for a Keylogger or Trojan DLL
c:\documents and settings\all users\desktop\kaspersky lab tool\lha.ppl>>> Behavioral analysis:
Behaviour typical for keyloggers not detected
c:\documents and settings\all users\desktop\kaspersky lab tool\dmap.ppl --> Suspicion for a Keylogger or Trojan DLL
c:\documents and settings\all users\desktop\kaspersky lab tool\dmap.ppl>>> Behavioral analysis:
Behaviour typical for keyloggers not detected
c:\documents and settings\all users\desktop\kaspersky lab tool\iwgen.ppl --> Suspicion for a Keylogger or Trojan DLL
c:\documents and settings\all users\desktop\kaspersky lab tool\iwgen.ppl>>> Behavioral analysis:
Behaviour typical for keyloggers not detected
c:\documents and settings\all users\desktop\kaspersky lab tool\ntfsstrm.ppl --> Suspicion for a Keylogger or Trojan DLL
c:\documents and settings\all users\desktop\kaspersky lab tool\ntfsstrm.ppl>>> Behavioral analysis:
Behaviour typical for keyloggers not detected
c:\documents and settings\all users\desktop\kaspersky lab tool\stenum2.ppl --> Suspicion for a Keylogger or Trojan DLL
c:\documents and settings\all users\desktop\kaspersky lab tool\stenum2.ppl>>> Behavioral analysis:
Behaviour typical for keyloggers not detected
c:\documents and settings\all users\desktop\kaspersky lab tool\hashmd5.ppl --> Suspicion for a Keylogger or Trojan DLL
c:\documents and settings\all users\desktop\kaspersky lab tool\hashmd5.ppl>>> Behavioral analysis:
Behaviour typical for keyloggers not detected
c:\documents and settings\all users\desktop\kaspersky lab tool\inifile.ppl --> Suspicion for a Keylogger or Trojan DLL
c:\documents and settings\all users\desktop\kaspersky lab tool\inifile.ppl>>> Behavioral analysis:
Behaviour typical for keyloggers not detected
c:\documents and settings\all users\desktop\kaspersky lab tool\btimages.ppl --> Suspicion for a Keylogger or Trojan DLL
c:\documents and settings\all users\desktop\kaspersky lab tool\btimages.ppl>>> Behavioral analysis:
Behaviour typical for keyloggers not detected
c:\documents and settings\all users\desktop\kaspersky lab tool\avzscan.ppl --> Suspicion for a Keylogger or Trojan DLL
c:\documents and settings\all users\desktop\kaspersky lab tool\avzscan.ppl>>> Behavioral analysis:
Behaviour typical for keyloggers not detected
C:\Documents and Settings\All Users\Desktop\Kaspersky Lab Tool\avzkrnl.dll --> Suspicion for a Keylogger or Trojan DLL
C:\Documents and Settings\All Users\Desktop\Kaspersky Lab Tool\avzkrnl.dll>>> Behavioral analysis:
1. Reacts to events: keyboard, all events
Neural net: checking error
c:\documents and settings\all users\desktop\kaspersky lab tool\basegui.ppl --> Suspicion for a Keylogger or Trojan DLL
c:\documents and settings\all users\desktop\kaspersky lab tool\basegui.ppl>>> Behavioral analysis:
Behaviour typical for keyloggers not detected
c:\documents and settings\all users\desktop\kaspersky lab tool\prseqio.ppl --> Suspicion for a Keylogger or Trojan DLL
c:\documents and settings\all users\desktop\kaspersky lab tool\prseqio.ppl>>> Behavioral analysis:
Behaviour typical for keyloggers not detected
c:\documents and settings\all users\desktop\kaspersky lab tool\inflate.ppl --> Suspicion for a Keylogger or Trojan DLL
c:\documents and settings\all users\desktop\kaspersky lab tool\inflate.ppl>>> Behavioral analysis:
Behaviour typical for keyloggers not detected
c:\documents and settings\all users\desktop\kaspersky lab tool\mdmap.ppl --> Suspicion for a Keylogger or Trojan DLL
c:\documents and settings\all users\desktop\kaspersky lab tool\mdmap.ppl>>> Behavioral analysis:
Behaviour typical for keyloggers not detected
c:\documents and settings\all users\desktop\kaspersky lab tool\unstored.ppl --> Suspicion for a Keylogger or Trojan DLL
c:\documents and settings\all users\desktop\kaspersky lab tool\unstored.ppl>>> Behavioral analysis:
Behaviour typical for keyloggers not detected
c:\documents and settings\all users\desktop\kaspersky lab tool\unlzx.ppl --> Suspicion for a Keylogger or Trojan DLL
c:\documents and settings\all users\desktop\kaspersky lab tool\unlzx.ppl>>> Behavioral analysis:
Behaviour typical for keyloggers not detected
Note: Do NOT delete suspicious files, send them for analysis (see FAQ for more details), because there are lots of useful hooking DLLs
non-standard Winlogon\Shell key, hidden startup suspected "explorer.exe, xmss.exe"
>> Services: potentially dangerous service allowed RemoteRegistry (Remote Registry)
>> Services: potentially dangerous service allowed TermService (Terminal Services)
>> Services: potentially dangerous service allowed SSDPSRV (SSDP Discovery Service)
>> Services: potentially dangerous service allowed Schedule (Task Scheduler)
>> Services: potentially dangerous service allowed mnmsrvc (NetMeeting Remote Desktop Sharing)
>> Services: potentially dangerous service allowed RDSessMgr (Remote Desktop Help Session Manager)
> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
>> Security: disk drives' autorun is enabled
>> Security: administrative shares (C$, D$ ...) are enabled
>> Security: anonymous user access is enabled
>> Security: sending Remote Assistant queries is enabled
System Analysis in progress
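
A small triage script for the hook sections of the log above, added here as an example; it is not part of the original post and not AVZ's own code. AVZ reports a `ProcAddressHijack` when `GetProcAddress`, called inside the AVZ process, returns an address that differs from the one in the DLL's export table, so every hook listed in section 1.1 lives in AVZ's own address space. The script parses those lines, groups the hook targets by 64 KiB region to see whether they all come from one mapped module, checks whether the modified IAT entry points into the same region, and reads the KiST relocation line from section 1.2. The sample lines are copied from the log above (an excerpt, not a full log); the 64 KiB grouping is my heuristic, and the `61F0xxxx` region cannot be attributed to a specific module without the process module list, which this log does not include.

```python
import re
from collections import defaultdict

# Lines copied from the AVZ log in the post above (sections 1.1 and 1.2); an excerpt only.
SAMPLE_LOG = """\
1.1 Searching for user-mode API hooks
Function kernel32.dll:CreateProcessA (99) intercepted, method ProcAddressHijack.GetProcAddress ->7C802367->61F03F42
Hook kernel32.dll:CreateProcessA (99) blocked
Function kernel32.dll:CreateProcessW (103) intercepted, method ProcAddressHijack.GetProcAddress ->7C802332->61F04040
Function kernel32.dll:FreeLibrary (241) intercepted, method ProcAddressHijack.GetProcAddress ->7C80AA66->61F041FC
Function kernel32.dll:GetModuleFileNameA (372) intercepted, method ProcAddressHijack.GetProcAddress ->7C80B357->61F040FB
Function kernel32.dll:GetModuleFileNameW (373) intercepted, method ProcAddressHijack.GetProcAddress ->7C80B25D->61F041A0
Function kernel32.dll:GetProcAddress (408) intercepted, method ProcAddressHijack.GetProcAddress ->7C80AC28->61F04648
Function kernel32.dll:LoadLibraryA (578) intercepted, method ProcAddressHijack.GetProcAddress ->7C801D77->61F03C6F
Function kernel32.dll:LoadLibraryExA (579) intercepted, method ProcAddressHijack.GetProcAddress ->7C801D4F->61F03DAF
Function kernel32.dll:LoadLibraryExW (580) intercepted, method ProcAddressHijack.GetProcAddress ->7C801AF1->61F03E5A
Function kernel32.dll:LoadLibraryW (581) intercepted, method ProcAddressHijack.GetProcAddress ->7C80ACD3->61F03D0C
IAT modification detected: GetModuleFileNameW - 009A0010<>7C80B25D
1.2 Searching for kernel-mode API hooks
KiST = 85C09978 (297)
>>> Attention, KiST table is moved ! (80503734(284)->85C09978(297))
"""

HEX = r"[0-9A-Fa-f]+"
HOOK_RE = re.compile(r"^Function (?P<mod>[^:]+):(?P<fn>\S+) \((?P<ord>\d+)\) intercepted, "
                     rf"method (?P<method>\S+) ->(?P<orig>{HEX})->(?P<hook>{HEX})$")
IAT_RE = re.compile(rf"^IAT modification detected: (?P<fn>\S+) - (?P<iat>{HEX})<>(?P<orig>{HEX})$")
KIST_RE = re.compile(rf"KiST table is moved ! \((?P<orig>{HEX})\((?P<n0>\d+)\)->(?P<new>{HEX})\((?P<n1>\d+)\)\)")

# Win32 reserves address space in 64 KiB units, so hook targets sharing a 64 KiB
# region almost always belong to one mapped module or one allocation (heuristic).
REGION = 0x10000


def parse_hooks(log):
    """One dict per 'intercepted' line, with the two addresses converted to ints."""
    hooks = []
    for line in log.splitlines():
        m = HOOK_RE.match(line.strip())
        if m:
            hooks.append({"module": m["mod"], "function": m["fn"], "ordinal": int(m["ord"]),
                          "method": m["method"], "orig": int(m["orig"], 16), "hook": int(m["hook"], 16)})
    return hooks


def cluster_hook_targets(hooks):
    """Group hooked functions by the 64 KiB region their replacement address lives in."""
    regions = defaultdict(list)
    for h in hooks:
        regions[h["hook"] & ~(REGION - 1)].append(h["function"])
    return dict(regions)


def parse_iat_mods(log):
    """'IAT modification detected' lines: function, value found in the IAT, export-table value."""
    return [{"function": m["fn"], "iat": int(m["iat"], 16), "orig": int(m["orig"], 16)}
            for m in (IAT_RE.match(l.strip()) for l in log.splitlines()) if m]


def parse_kist(log):
    """(original table, original count, new table, new count) from the KiST warning, or None."""
    m = KIST_RE.search(log)
    return None if not m else (int(m["orig"], 16), int(m["n0"]), int(m["new"], 16), int(m["n1"]))


def triage(log):
    """Summarise the hook findings the way an analyst reads them."""
    hooks = parse_hooks(log)
    regions = cluster_hook_targets(hooks)
    export_addr = {h["function"]: h["orig"] for h in hooks}
    iat = parse_iat_mods(log)
    findings = {
        "hook_count": len(hooks),
        "hook_regions": {hex(base): sorted(fns) for base, fns in regions.items()},
        # IAT pointers that do NOT land in any region used by the export-table hooks
        "iat_outside_hook_regions": [m["function"] for m in iat
                                     if (m["iat"] & ~(REGION - 1)) not in regions],
        # the export address AVZ recorded for the IAT entry should equal the one it saw in 1.1
        "iat_orig_consistent": all(export_addr.get(m["function"], m["orig"]) == m["orig"] for m in iat),
    }
    kist = parse_kist(log)
    if kist:
        orig_tbl, n0, new_tbl, n1 = kist
        findings["kist_relocated"] = orig_tbl != new_tbl
        findings["kist_added_entries"] = n1 - n0  # entries beyond the original table size
    return findings


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against the excerpt, all ten kernel32 hooks resolve into the single region `0x61f00000`, which is what one injected module hooking the process-creation and library-loading APIs looks like; the IAT pointer `009A0010` for `GetModuleFileNameW` sits in a different region, so it is a separate trampoline rather than a direct jump into that module, while its recorded original address matches the export-table value from section 1.1. The KiST line shows the service table copied out of the kernel image and grown from 284 to 297 entries; AVZ cannot attribute that without its AVZPM driver, which the log says was not installed. None of this identifies the hooking module: as the log's own note says, many legitimate security products hook exactly these functions, so the process module list is needed before calling `61F0xxxx` malicious.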

Rene-gad
20.03.2008, 12:35
@nasrin
Please make 3 logfiles as described: http://virusinfo.info/showthread.php?t=9184