Hello
I have recently been having trouble with my PC. Firewall is repeatedly turned off when I reboot - webpages don't load - AVG will not update - and all new links in firefox open in a new tab.
I ran Kapersky and this is the resulting log:
---------Код:<AVZ_CollectSysInfo> -------------------- Start time: 4/6/2009 1:20:06 PM Duration: 00:02:26 Finish time: 4/6/2009 1:22:32 PM <AVZ_CollectSysInfo> -------------------- Time Event ---- ----- 4/6/2009 1:20:08 PM Windows version: Microsoft Windows XP, Build=2600, SP="Service Pack 3" 4/6/2009 1:20:08 PM System Restore: enabled 4/6/2009 1:20:09 PM 1.1 Searching for user-mode API hooks 4/6/2009 1:20:09 PM Analysis: kernel32.dll, export table found in section .text 4/6/2009 1:20:09 PM Function kernel32.dll:CreateProcessA (99) intercepted, method ProcAddressHijack.GetProcAddress ->7C80236B->61F03F42 4/6/2009 1:20:09 PM Hook kernel32.dll:CreateProcessA (99) blocked 4/6/2009 1:20:09 PM Function kernel32.dll:CreateProcessW (103) intercepted, method ProcAddressHijack.GetProcAddress ->7C802336->61F04040 4/6/2009 1:20:09 PM Hook kernel32.dll:CreateProcessW (103) blocked 4/6/2009 1:20:09 PM Function kernel32.dll:FreeLibrary (241) intercepted, method ProcAddressHijack.GetProcAddress ->7C80AC6E->61F041FC 4/6/2009 1:20:09 PM Hook kernel32.dll:FreeLibrary (241) blocked 4/6/2009 1:20:09 PM Function kernel32.dll:GetModuleFileNameA (373) intercepted, method ProcAddressHijack.GetProcAddress ->7C80B55F->61F040FB 4/6/2009 1:20:09 PM Hook kernel32.dll:GetModuleFileNameA (373) blocked 4/6/2009 1:20:09 PM Function kernel32.dll:GetModuleFileNameW (374) intercepted, method ProcAddressHijack.GetProcAddress ->7C80B465->61F041A0 4/6/2009 1:20:09 PM Hook kernel32.dll:GetModuleFileNameW (374) blocked 4/6/2009 1:20:09 PM Function kernel32.dll:GetProcAddress (409) intercepted, method ProcAddressHijack.GetProcAddress ->7C80AE30->61F04648 4/6/2009 1:20:09 PM Hook kernel32.dll:GetProcAddress (409) blocked 4/6/2009 1:20:09 PM Function kernel32.dll:LoadLibraryA (581) intercepted, method ProcAddressHijack.GetProcAddress ->7C801D7B->61F03C6F 4/6/2009 1:20:09 PM Hook kernel32.dll:LoadLibraryA (581) blocked 4/6/2009 1:20:09 PM >>> Functions LoadLibraryA - preventing AVZ process from being intercepted by address replacement !!) 4/6/2009 1:20:09 PM Function kernel32.dll:LoadLibraryExA (582) intercepted, method ProcAddressHijack.GetProcAddress ->7C801D53->61F03DAF 4/6/2009 1:20:09 PM Hook kernel32.dll:LoadLibraryExA (582) blocked 4/6/2009 1:20:09 PM >>> Functions LoadLibraryExA - preventing AVZ process from being intercepted by address replacement !!) 4/6/2009 1:20:09 PM Function kernel32.dll:LoadLibraryExW (583) intercepted, method ProcAddressHijack.GetProcAddress ->7C801AF5->61F03E5A 4/6/2009 1:20:09 PM Hook kernel32.dll:LoadLibraryExW (583) blocked 4/6/2009 1:20:09 PM Function kernel32.dll:LoadLibraryW (584) intercepted, method ProcAddressHijack.GetProcAddress ->7C80AEDB->61F03D0C 4/6/2009 1:20:09 PM Hook kernel32.dll:LoadLibraryW (584) blocked 4/6/2009 1:20:09 PM IAT modification detected: LoadLibraryW - 00C00010<>7C80AEDB 4/6/2009 1:20:09 PM Analysis: ntdll.dll, export table found in section .text 4/6/2009 1:20:09 PM Analysis: user32.dll, export table found in section .text 4/6/2009 1:20:09 PM Analysis: advapi32.dll, export table found in section .text 4/6/2009 1:20:09 PM Analysis: ws2_32.dll, export table found in section .text 4/6/2009 1:20:09 PM Analysis: wininet.dll, export table found in section .text 4/6/2009 1:20:10 PM Analysis: rasapi32.dll, export table found in section .text 4/6/2009 1:20:10 PM Analysis: urlmon.dll, export table found in section .text 4/6/2009 1:20:10 PM Analysis: netapi32.dll, export table found in section .text 4/6/2009 1:20:11 PM 1.2 Searching for kernel-mode API hooks 4/6/2009 1:20:11 PM Driver loaded successfully 4/6/2009 1:20:11 PM SDT found (RVA=085700) 4/6/2009 1:20:11 PM Kernel ntkrnlpa.exe found in memory at address 804D7000 4/6/2009 1:20:11 PM SDT = 8055C700 4/6/2009 1:20:11 PM KiST = 80504460 (284) 4/6/2009 1:20:12 PM Function NtCreateKey (29) intercepted (80623792->BA0F887E), hook C:\WINDOWS\system32\Drivers\Lbd.sys 4/6/2009 1:20:12 PM >>> Function restored successfully ! 4/6/2009 1:20:12 PM >>> Hook code blocked 4/6/2009 1:20:12 PM Function NtEnumerateKey (47) - machine code modification Method of JmpTo. jmp 89AD966C 4/6/2009 1:20:12 PM >>> Function restored successfully ! 4/6/2009 1:20:12 PM Function NtFlushInstructionCache (4E) - machine code modification Method of JmpTo. jmp 89AD84D4 4/6/2009 1:20:12 PM >>> Function restored successfully ! 4/6/2009 1:20:12 PM Function NtSetValueKey (F7) intercepted (80621D18->BA0F8C10), hook C:\WINDOWS\system32\Drivers\Lbd.sys 4/6/2009 1:20:12 PM >>> Function restored successfully ! 4/6/2009 1:20:12 PM >>> Hook code blocked 4/6/2009 1:20:12 PM Function IofCallDriver (804EF1A6) - machine code modification Method of JmpTo. jmp 89BA4A63 4/6/2009 1:20:12 PM >>> Function restored successfully ! 4/6/2009 1:20:12 PM Function IofCompleteRequest (804EF236) - machine code modification Method of JmpTo. jmp 89BA4ACB 4/6/2009 1:20:12 PM >>> Function restored successfully ! 4/6/2009 1:20:12 PM Functions checked: 284, intercepted: 2, restored: 6 4/6/2009 1:20:12 PM 1.3 Checking IDT and SYSENTER 4/6/2009 1:20:12 PM Analysis for CPU 1 4/6/2009 1:20:12 PM Analysis for CPU 2 4/6/2009 1:20:12 PM Checking IDT and SYSENTER - complete 4/6/2009 1:20:13 PM 1.4 Searching for masking processes and drivers 4/6/2009 1:20:13 PM Checking not performed: extended monitoring driver (AVZPM) is not installed 4/6/2009 1:20:13 PM Driver loaded successfully 4/6/2009 1:20:13 PM 1.5 Checking of IRP handlers 4/6/2009 1:20:13 PM Checking - complete 4/6/2009 1:20:13 PM C:\Program Files\BillP Studios\WinPatrol\PATROLPRO.DLL --> Suspicion for Keylogger or Trojan DLL 4/6/2009 1:20:13 PM C:\Program Files\BillP Studios\WinPatrol\PATROLPRO.DLL>>> Behavioral analysis 4/6/2009 1:20:13 PM 1. Reacts to events: keyboard, mouse 4/6/2009 1:20:13 PM C:\Program Files\BillP Studios\WinPatrol\PATROLPRO.DLL>>> Neural net: file with probability 0.00% like a typical keyboard/mouse events interceptor 4/6/2009 1:20:21 PM Note: Do NOT delete suspicious files, send them for analysis (see FAQ for more details), because there are lots of useful hooking DLLs 4/6/2009 1:20:29 PM >>> C:\autorun.inf HSC: suspicion for hidden autorun (high degree of probability) 4/6/2009 1:20:29 PM >> Services: potentially dangerous service allowed: RemoteRegistry (Remote Registry) 4/6/2009 1:20:29 PM >> Services: potentially dangerous service allowed: TermService (Terminal Services) 4/6/2009 1:20:29 PM >> Services: potentially dangerous service allowed: SSDPSRV (SSDP Discovery Service) 4/6/2009 1:20:29 PM >> Services: potentially dangerous service allowed: Schedule (Task Scheduler) 4/6/2009 1:20:29 PM >> Services: potentially dangerous service allowed: mnmsrvc (NetMeeting Remote Desktop Sharing) 4/6/2009 1:20:29 PM >> Services: potentially dangerous service allowed: RDSessMgr (Remote Desktop Help Session Manager) 4/6/2009 1:20:29 PM > Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)! 4/6/2009 1:20:29 PM >> Security: disk drives' autorun is enabled 4/6/2009 1:20:29 PM >> Security: administrative shares (C$, D$ ...) are enabled 4/6/2009 1:20:29 PM >> Security: anonymous user access is enabled 4/6/2009 1:20:29 PM >> Security: terminal connections to the PC are allowed 4/6/2009 1:20:29 PM >> Security: sending Remote Assistant queries is enabled 4/6/2009 1:20:32 PM >> Disable CD/DVD autorun 4/6/2009 1:20:33 PM System Analysis in progress 4/6/2009 1:22:32 PM System Analysis - complete 4/6/2009 1:22:32 PM Delete file:C:\Documents and Settings\Administrator\Desktop\Virus Removal Tool\is-F8L9H\LOG\avptool_syscheck.htm 4/6/2009 1:22:32 PM Delete file:C:\Documents and Settings\Administrator\Desktop\Virus Removal Tool\is-F8L9H\LOG\avptool_syscheck.xml 4/6/2009 1:22:32 PM Deleting service/driver: uti3otqy 4/6/2009 1:22:32 PM Delete file:C:\WINDOWS\system32\Drivers\uti3otqy.sys 4/6/2009 1:22:32 PM Deleting service/driver: uji3otqy 4/6/2009 1:22:32 PM Script executed without errors
Thanks in advance for your help!
Ответить с цитированием
