Good afternoon, many of my pages have started opening as code.
Chrome has died completely; right now I barely made it here through Firefox.
Please help.
I scanned the whole computer with AVZ, here is what it produced... lots of red.
AVZ Antiviral Toolkit log; AVZ version is 4.39
Scanning started at 31.05.2012 12:29:44
Database loaded: signatures - 297616, NN profile(s) - 2, malware removal microprograms - 56, signature database released 20.05.2012 20:01
Heuristic microprograms loaded: 399
PVS microprograms loaded: 9
Digital signatures of system files loaded: 410088
Heuristic analyzer mode: Medium heuristics mode
Malware removal mode: disabled
Windows version is: 5.1.2600, Service Pack 3 ; AVZ is run with administrator rights
System Restore: enabled
1. Searching for Rootkits and other software intercepting API functions
1.1 Searching for user-mode API hooks
Analysis: kernel32.dll, export table found in section .text
Analysis: ntdll.dll, export table found in section .text
Analysis: user32.dll, export table found in section .text
Analysis: advapi32.dll, export table found in section .text
Analysis: ws2_32.dll, export table found in section .text
Function ws2_32.dll:WSAConnect (33) intercepted, method - APICodeHijack.JmpTo[01BA3D91]
Function ws2_32.dll:connect (4) intercepted, method - APICodeHijack.JmpTo[01BA3D7A]
Analysis: wininet.dll, export table found in section .text
Analysis: rasapi32.dll, export table found in section .text
Analysis: urlmon.dll, export table found in section .text
Analysis: netapi32.dll, export table found in section .text
1.2 Searching for kernel-mode API hooks
Driver loaded successfully
SDT found (RVA=085700)
Kernel ntkrnlpa.exe found in memory at address 804D7000
SDT = 8055C700
KiST = 80504450 (284)
Function NtCreateKey (29) intercepted (80623786->B9EA70E0), hook sphk.sys
Function NtEnumerateKey (47) intercepted (80623FC6->B9EC5CA4), hook sphk.sys
Function NtEnumerateValueKey (49) intercepted (80624230->B9EC6032), hook sphk.sys
Function NtNotifyChangeKey (6F) intercepted (8062594C->A8180004), hook D:\WINDOWS\system32\DRIVERS\avgidsshimx.sys, driver recognized as trusted
Function NtNotifyChangeMultipleKeys (70) intercepted (8062459C->A81800D4), hook D:\WINDOWS\system32\DRIVERS\avgidsshimx.sys, driver recognized as trusted
Function NtOpenKey (77) intercepted (80624B58->B9EA70C0), hook sphk.sys
Function NtOpenProcess (7A) intercepted (805CB3FC->A817FD76), hook D:\WINDOWS\system32\DRIVERS\avgidsshimx.sys, driver recognized as trusted
Function NtQueryKey (A0) intercepted (80624E7E->B9EC610A), hook sphk.sys
Function NtQueryValueKey (B1) intercepted (806219BE->B9EC5F8A), hook sphk.sys
Function NtSetValueKey (F7) intercepted (80621D0C->B9EC619C), hook sphk.sys
Function NtTerminateProcess (101) intercepted (805D299E->A817FE1E), hook D:\WINDOWS\system32\DRIVERS\avgidsshimx.sys, driver recognized as trusted
Function NtTerminateThread (102) intercepted (805D2B98->A817FEBA), hook D:\WINDOWS\system32\DRIVERS\avgidsshimx.sys, driver recognized as trusted
Function NtWriteVirtualMemory (115) intercepted (805B4394->A817FF56), hook D:\WINDOWS\system32\DRIVERS\avgidsshimx.sys, driver recognized as trusted
Functions checked: 284, intercepted: 13, restored: 0
1.3 Checking IDT and SYSENTER
Analyzing CPU 1
Analyzing CPU 2
Checking IDT and SYSENTER - complete
1.4 Searching for masking processes and drivers
Checking not performed: extended monitoring driver (AVZPM) is not installed
1.5 Checking IRP handlers
Driver loaded successfully
\FileSystem\ntfs[IRP_MJ_CREATE] = 89C471F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_CLOSE] = 89C471F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_WRITE] = 89C471F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_QUERY_INFORMATION] = 89C471F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_SET_INFORMATION] = 89C471F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_QUERY_EA] = 89C471F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_SET_EA] = 89C471F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_QUERY_VOLUME_INFORMATION] = 89C471F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_SET_VOLUME_INFORMATION] = 89C471F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_DIRECTORY_CONTROL] = 89C471F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_FILE_SYSTEM_CONTROL] = 89C471F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_DEVICE_CONTROL] = 89C471F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_LOCK_CONTROL] = 89C471F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_QUERY_SECURITY] = 89C471F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_SET_SECURITY] = 89C471F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_PNP] = 89C471F8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_CREATE] = 898AE4D8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_CLOSE] = 898AE4D8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_WRITE] = 898AE4D8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_QUERY_INFORMATION] = 898AE4D8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_SET_INFORMATION] = 898AE4D8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_QUERY_EA] = 898AE4D8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_SET_EA] = 898AE4D8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_QUERY_VOLUME_INFORMATION] = 898AE4D8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_SET_VOLUME_INFORMATION] = 898AE4D8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_DIRECTORY_CONTROL] = 898AE4D8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_FILE_SYSTEM_CONTROL] = 898AE4D8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_DEVICE_CONTROL] = 898AE4D8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_LOCK_CONTROL] = 898AE4D8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_PNP] = 898AE4D8 -> hook not defined
Checking - complete
2. Scanning RAM
Number of processes found: 35
Number of modules loaded: 317
Scanning RAM - complete
3. Scanning disks
Direct reading: C:\System Volume Information\_restore{F0AE3273-580F-47A0-8434-2AC699B77147}\RP7\A0001335.exe
Direct reading: D:\WINDOWS\system32\drivers\sptd.sys
4. Checking Winsock Layered Service Provider (SPI/LSP)
LSP settings checked. No errors detected
5. Searching for keyboard/mouse/windows events hooks (Keyloggers, Trojan DLLs)
D:\WINDOWS\system32\cdaupcd.dll --> Suspicion for Keylogger or Trojan DLL
D:\WINDOWS\system32\cdaupcd.dll>>> Behaviour analysis
Behaviour typical for keyloggers was not detected
Note: Do NOT delete suspicious files, send them for analysis (see FAQ for more details), because there are lots of useful hooking DLLs
6. Searching for opened TCP/UDP ports used by malicious software
Checking - disabled by user
7. Heuristic system check
Latent DLL loading through AppInit_DLLs suspected: "D:\WINDOWS\system32\cdaupcd.dll"
Found a call command line interpreter in startup [DR=1] HKCU\Software\Microsoft\Windows\CurrentVersion\Run\AlcoholAutomount = ["D:\Programme\Alcohol Soft\Alcohol 120\axcmd.exe" /automount]
Checking - complete
8. Searching for vulnerabilities
>> Services: potentially dangerous service allowed: RemoteRegistry (Remote-Registrierung)
>> Services: potentially dangerous service allowed: TermService (Terminaldienste)
>> Services: potentially dangerous service allowed: SSDPSRV (SSDP-Suchdienst)
>> Services: potentially dangerous service allowed: Schedule (Taskplaner)
>> Services: potentially dangerous service allowed: mnmsrvc (NetMeeting-Remotedesktop-Freigabe)
>> Services: potentially dangerous service allowed: RDSessMgr (Sitzungs-Manager für Remotedesktophilfe)
> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
>> Security: disk drives' autorun is enabled
>> Security: administrative shares (C$, D$ ...) are enabled
>> Security: anonymous user access is enabled
>> Security: sending Remote Assistant queries is enabled
Checking - complete
9. Troubleshooting wizard
>> HDD autorun is allowed
>> Network drives autorun is allowed
>> Removable media autorun is allowed
Checking - complete
Files scanned: 76677, extracted from archives: 66950, malicious software found 0, suspicions - 0
Scanning finished at 31.05.2012 12:35:17
Time of scanning: 00:05:35
If you have a suspicion on presence of viruses or questions on the suspected objects,
you can address http://forum.kaspersky.com/index.php?showforum=19
I poked around the forum and ran an analysis with this command:
I'll add what it spits out in a moment.
begin
  // Warn the user that the script closes all network connections until reboot
  ShowMessage('Внимание! Перед выполнением скрипта AVZ автоматически закроет все сетевые подключения.' + #13#10 + 'После перезагрузки компьютера подключения к сети будут восстановлены в автоматическом режиме.');
  // Stop the TCP/IP stack so the suspect DLL cannot reach the network during cleanup
  ExecuteFile('net.exe', 'stop tcpip /y', 0, 15000, true);
  // Copy the suspect file to the AVZ quarantine before deleting it
  QuarantineFile('C:\Windows\system32\fpbkwfa.dll',' ');
  DeleteFile('C:\Windows\system32\fpbkwfa.dll');
  // Hand the pending deletions to BootCleaner, run the system cleanup and schedule BootCleaner for the next boot
  BC_ImportAll;
  ExecuteSysClean;
  BC_Activate;
  RebootWindows(true);
end.
The computer rebooted, but I can't figure out where to look at the analysis. I found some more logs, maybe it's these?