
Computer infected! Flash Drives, Autorun, etc disabled!

  1. #1
    Junior Member
    Registered: 21.01.2009
    Posts: 6
    Reputation weight: 33

    Computer infected! Flash Drives, Autorun, etc disabled!

    My computer appears to be infected pretty badly and has been for a while! I would be grateful if this wonderful forum helped me out! It would be greatly appreciated!

    <AVZ_CollectSysInfo>
    --------------------
    Start time: 1/20/2009 3:24:11 PM
    Duration: 00:00:43
    Finish time: 1/20/2009 3:24:54 PM


    <AVZ_CollectSysInfo>
    --------------------
    Time Event
    ---- -----
    1/20/2009 3:24:11 PM Windows version: Microsoft Windows XP, Build=2600, SP="Service Pack 2"
    1/20/2009 3:24:11 PM System Restore: enabled
    1/20/2009 3:24:12 PM 1.1 Searching for user-mode API hooks
    1/20/2009 3:24:12 PM Analysis: kernel32.dll, export table found in section .text
    1/20/2009 3:24:12 PM Function kernel32.dll:CreateProcessA (99) intercepted, method ProcAddressHijack.GetProcAddress ->7C802367->61F03F42
    1/20/2009 3:24:12 PM Hook kernel32.dll:CreateProcessA (99) blocked
    1/20/2009 3:24:12 PM Function kernel32.dll:CreateProcessW (103) intercepted, method ProcAddressHijack.GetProcAddress ->7C802332->61F04040
    1/20/2009 3:24:12 PM Hook kernel32.dll:CreateProcessW (103) blocked
    1/20/2009 3:24:12 PM Function kernel32.dll:FreeLibrary (241) intercepted, method ProcAddressHijack.GetProcAddress ->7C80ABDE->61F041FC
    1/20/2009 3:24:12 PM Hook kernel32.dll:FreeLibrary (241) blocked
    1/20/2009 3:24:12 PM Function kernel32.dll:GetModuleFileNameA (372) intercepted, method ProcAddressHijack.GetProcAddress ->7C80B4CF->61F040FB
    1/20/2009 3:24:12 PM Hook kernel32.dll:GetModuleFileNameA (372) blocked
    1/20/2009 3:24:12 PM Function kernel32.dll:GetModuleFileNameW (373) intercepted, method ProcAddressHijack.GetProcAddress ->7C80B3D5->61F041A0
    1/20/2009 3:24:12 PM Hook kernel32.dll:GetModuleFileNameW (373) blocked
    1/20/2009 3:24:12 PM Function kernel32.dll:GetProcAddress (408) intercepted, method ProcAddressHijack.GetProcAddress ->7C80ADA0->61F04648
    1/20/2009 3:24:12 PM Hook kernel32.dll:GetProcAddress (408) blocked
    1/20/2009 3:24:12 PM Function kernel32.dll:LoadLibraryA (578) intercepted, method ProcAddressHijack.GetProcAddress ->7C801D77->61F03C6F
    1/20/2009 3:24:12 PM Hook kernel32.dll:LoadLibraryA (578) blocked
    1/20/2009 3:24:12 PM >>> Functions LoadLibraryA - preventing AVZ process from being intercepted by address replacement !!)
    1/20/2009 3:24:12 PM Function kernel32.dll:LoadLibraryExA (579) intercepted, method ProcAddressHijack.GetProcAddress ->7C801D4F->61F03DAF
    1/20/2009 3:24:12 PM Hook kernel32.dll:LoadLibraryExA (579) blocked
    1/20/2009 3:24:12 PM >>> Functions LoadLibraryExA - preventing AVZ process from being intercepted by address replacement !!)
    1/20/2009 3:24:12 PM Function kernel32.dll:LoadLibraryExW (580) intercepted, method ProcAddressHijack.GetProcAddress ->7C801AF1->61F03E5A
    1/20/2009 3:24:12 PM Hook kernel32.dll:LoadLibraryExW (580) blocked
    1/20/2009 3:24:12 PM Function kernel32.dll:LoadLibraryW (581) intercepted, method ProcAddressHijack.GetProcAddress ->7C80AE4B->61F03D0C
    1/20/2009 3:24:12 PM Hook kernel32.dll:LoadLibraryW (581) blocked
    1/20/2009 3:24:12 PM IAT modification detected: LoadLibraryW - 01130010<>7C80AE4B
    1/20/2009 3:24:12 PM Analysis: ntdll.dll, export table found in section .text
    1/20/2009 3:24:12 PM Analysis: user32.dll, export table found in section .text
    1/20/2009 3:24:12 PM Analysis: advapi32.dll, export table found in section .text
    1/20/2009 3:24:12 PM Analysis: ws2_32.dll, export table found in section .text
    1/20/2009 3:24:12 PM Analysis: wininet.dll, export table found in section .text
    1/20/2009 3:24:12 PM Analysis: rasapi32.dll, export table found in section .text
    1/20/2009 3:24:12 PM Analysis: urlmon.dll, export table found in section .text
    1/20/2009 3:24:12 PM Analysis: netapi32.dll, export table found in section .text
    1/20/2009 3:24:12 PM 1.2 Searching for kernel-mode API hooks
    1/20/2009 3:24:12 PM Driver loaded successfully
    1/20/2009 3:24:12 PM SDT found (RVA=08A500)
    1/20/2009 3:24:12 PM Kernel TUKERNEL.EXE found in memory at address 804D7000
    1/20/2009 3:24:12 PM SDT = 80561500
    1/20/2009 3:24:12 PM KiST = 804E48B0 (284)
    1/20/2009 3:24:12 PM Function NtAssignProcessToJobObject (13) intercepted (805A96D4->8A763630), hook not defined
    1/20/2009 3:24:12 PM >>> Function restored successfully !
    1/20/2009 3:24:12 PM >>> Hook code blocked
    1/20/2009 3:24:12 PM Function NtOpenProcess (7A) intercepted (80579084->8A762A60), hook not defined
    1/20/2009 3:24:12 PM >>> Function restored successfully !
    1/20/2009 3:24:12 PM >>> Hook code blocked
    1/20/2009 3:24:12 PM Function NtOpenThread (80) intercepted (805B1334->8A762E80), hook not defined
    1/20/2009 3:24:12 PM >>> Function restored successfully !
    1/20/2009 3:24:12 PM >>> Hook code blocked
    1/20/2009 3:24:12 PM Function NtSuspendProcess (FD) intercepted (80635B0B->8A763460), hook not defined
    1/20/2009 3:24:12 PM >>> Function restored successfully !
    1/20/2009 3:24:12 PM >>> Hook code blocked
    1/20/2009 3:24:12 PM Function NtSuspendThread (FE) intercepted (80635A27->8A763280), hook not defined
    1/20/2009 3:24:12 PM >>> Function restored successfully !
    1/20/2009 3:24:12 PM >>> Hook code blocked
    1/20/2009 3:24:12 PM Function NtTerminateProcess (101) intercepted (8058C39D->8A762C90), hook not defined
    1/20/2009 3:24:12 PM >>> Function restored successfully !
    1/20/2009 3:24:12 PM >>> Hook code blocked
    1/20/2009 3:24:12 PM Function NtTerminateThread (102) intercepted (805845F0->8A7630B0), hook not defined
    1/20/2009 3:24:12 PM >>> Function restored successfully !
    1/20/2009 3:24:12 PM >>> Hook code blocked
    1/20/2009 3:24:13 PM Functions checked: 284, intercepted: 7, restored: 7
    1/20/2009 3:24:13 PM 1.3 Checking IDT and SYSENTER
    1/20/2009 3:24:13 PM Analysis for CPU 1
    1/20/2009 3:24:13 PM Analysis for CPU 2
    1/20/2009 3:24:13 PM Analysis for CPU 3
    1/20/2009 3:24:13 PM Analysis for CPU 4
    1/20/2009 3:24:13 PM Checking IDT and SYSENTER - complete
    1/20/2009 3:24:13 PM 1.4 Searching for masking processes and drivers
    1/20/2009 3:24:13 PM Checking not performed: extended monitoring driver (AVZPM) is not installed
    1/20/2009 3:24:13 PM Driver loaded successfully
    1/20/2009 3:24:13 PM 1.5 Checking of IRP handlers
    1/20/2009 3:24:13 PM Checking - complete
    1/20/2009 3:24:14 PM C:\WINDOWS\system32\wbsys.dll --> Suspicion for Keylogger or Trojan DLL
    1/20/2009 3:24:14 PM C:\WINDOWS\system32\wbsys.dll>>> Behavioral analysis
    1/20/2009 3:24:14 PM Behaviour typical for keyloggers not detected
    1/20/2009 3:24:14 PM C:\Program Files\Stardock\Object Desktop\WindowBlinds\wblind.dll --> Suspicion for Keylogger or Trojan DLL
    1/20/2009 3:24:14 PM C:\Program Files\Stardock\Object Desktop\WindowBlinds\wblind.dll>>> Behavioral analysis
    1/20/2009 3:24:14 PM 1. Reacts to events: keyboard
    1/20/2009 3:24:14 PM 2. Determines the window which has input focus
    1/20/2009 3:24:14 PM C:\Program Files\Stardock\Object Desktop\WindowBlinds\wblind.dll>>> Neural net: file with probability 0.00% like a typical keyboard/mouse events interceptor
    1/20/2009 3:24:14 PM C:\Program Files\WinPatrol\PATROLPRO.DLL --> Suspicion for Keylogger or Trojan DLL
    1/20/2009 3:24:14 PM C:\Program Files\WinPatrol\PATROLPRO.DLL>>> Behavioral analysis
    1/20/2009 3:24:14 PM Behaviour typical for keyloggers not detected
    1/20/2009 3:24:14 PM C:\Program Files\Stardock\IconPackager\iprepair.dll --> Suspicion for Keylogger or Trojan DLL
    1/20/2009 3:24:14 PM C:\Program Files\Stardock\IconPackager\iprepair.dll>>> Behavioral analysis
    1/20/2009 3:24:14 PM Behaviour typical for keyloggers not detected
    1/20/2009 3:24:14 PM Note: Do NOT delete suspicious files, send them for analysis (see FAQ for more details), because there are lots of useful hooking DLLs
    1/20/2009 3:24:24 PM Latent loading of libraries through AppInit_DLLs suspected: "wbsys.dll"
    1/20/2009 3:24:25 PM >> Services: potentially dangerous service allowed: SSDPSRV (SSDP Discovery Service)
    1/20/2009 3:24:25 PM >> Services: potentially dangerous service allowed: Alerter (Alerter)
    1/20/2009 3:24:25 PM >> Services: potentially dangerous service allowed: Schedule (Task Scheduler)
    1/20/2009 3:24:25 PM >> Services: potentially dangerous service allowed: RDSessMgr (Remote Desktop Help Session Manager)
    1/20/2009 3:24:25 PM > Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
    1/20/2009 3:24:25 PM >> Security: disk drives' autorun is enabled
    1/20/2009 3:24:25 PM >> Security: anonymous user access is enabled
    1/20/2009 3:24:28 PM >> Disable HDD autorun
    1/20/2009 3:24:28 PM >> Disable autorun from network drives
    1/20/2009 3:24:28 PM >> Disable CD/DVD autorun
    1/20/2009 3:24:28 PM >> Disable removable media autorun
    1/20/2009 3:24:29 PM System Analysis in progress
    1/20/2009 3:24:54 PM System Analysis - complete
    1/20/2009 3:24:54 PM Delete file:C:\Documents and Settings\LEO\Desktop\Virus Removal Tool\is-GJMMG\LOG\avptool_syscheck.htm
    1/20/2009 3:24:54 PM Delete file:C:\Documents and Settings\LEO\Desktop\Virus Removal Tool\is-GJMMG\LOG\avptool_syscheck.xml
    1/20/2009 3:24:54 PM Deleting service/driver: utiyodu4
    1/20/2009 3:24:54 PM Delete file:C:\WINDOWS\system32\Drivers\utiyodu4.sys
    1/20/2009 3:24:54 PM Deleting service/driver: ujiyodu4
    1/20/2009 3:24:54 PM Script executed without errors
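The log above carries all the signal in this thread, but AVZ prints it as a flat event stream in which the interesting lines sit between hundreds of benign "export table found" and "hook blocked" lines. The following Python script is an added example for this page; it is not AVZ code and not something the poster ran. It pulls the user-mode export hooks, SSDT hooks, IAT changes, AppInit_DLLs entries, flagged DLLs and security-setting complaints out of a CollectSysInfo log, and groups the hook target addresses by 64 KiB region as a quick heuristic for "how many modules are doing the hooking". The regular expressions are my reading of the line formats visible in this log, not a documented AVZ format, and the embedded sample log is a constructed excerpt modelled on the log in this post.

```python
"""Triage helper for AVZ 'CollectSysInfo' logs (added example, not AVZ code).

Turns the flat event stream into the few facts a responder looks at first:
which exports are hooked and where the hooks point, which SSDT entries are
redirected, IAT changes, AppInit_DLLs entries, flagged DLLs and the security
settings AVZ complained about.
"""
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed excerpt modelled on the log in post #1 (not the full log).
SAMPLE_LOG = r"""
1/20/2009 3:24:12 PM Function kernel32.dll:CreateProcessA (99) intercepted, method ProcAddressHijack.GetProcAddress ->7C802367->61F03F42
1/20/2009 3:24:12 PM Hook kernel32.dll:CreateProcessA (99) blocked
1/20/2009 3:24:12 PM Function kernel32.dll:GetProcAddress (408) intercepted, method ProcAddressHijack.GetProcAddress ->7C80ADA0->61F04648
1/20/2009 3:24:12 PM Function kernel32.dll:LoadLibraryA (578) intercepted, method ProcAddressHijack.GetProcAddress ->7C801D77->61F03C6F
1/20/2009 3:24:12 PM IAT modification detected: LoadLibraryW - 01130010<>7C80AE4B
1/20/2009 3:24:12 PM Analysis: ntdll.dll, export table found in section .text
1/20/2009 3:24:12 PM Function NtOpenProcess (7A) intercepted (80579084->8A762A60), hook not defined
1/20/2009 3:24:12 PM >>> Function restored successfully !
1/20/2009 3:24:12 PM Function NtTerminateProcess (101) intercepted (8058C39D->8A762C90), hook not defined
1/20/2009 3:24:13 PM Functions checked: 284, intercepted: 7, restored: 7
1/20/2009 3:24:14 PM C:\WINDOWS\system32\wbsys.dll --> Suspicion for Keylogger or Trojan DLL
1/20/2009 3:24:14 PM C:\WINDOWS\system32\wbsys.dll>>> Behavioral analysis
1/20/2009 3:24:24 PM Latent loading of libraries through AppInit_DLLs suspected: "wbsys.dll"
1/20/2009 3:24:25 PM >> Security: disk drives' autorun is enabled
1/20/2009 3:24:25 PM >> Security: anonymous user access is enabled
"""

# "M/D/YYYY h:mm:ss AM " prefix AVZ puts on every event line.
_TS = re.compile(r"^\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M ")
# Assumed line formats, taken from the lines visible in the log above.
_USER_HOOK = re.compile(
    r"^Function (?P<module>[\w.]+):(?P<func>\w+) \((?P<ordinal>[0-9A-Fa-f]+)\) intercepted, "
    r"method (?P<method>\S+) ->(?P<orig>[0-9A-Fa-f]+)->(?P<hook>[0-9A-Fa-f]+)$")
_KERNEL_HOOK = re.compile(
    r"^Function (?P<func>\w+) \((?P<index>[0-9A-Fa-f]+)\) intercepted "
    r"\((?P<orig>[0-9A-Fa-f]+)->(?P<hook>[0-9A-Fa-f]+)\)(?:, (?P<attrib>.+))?$")
_IAT = re.compile(r"^IAT modification detected: (?P<func>\w+) - (?P<iat>[0-9A-Fa-f]+)<>(?P<export>[0-9A-Fa-f]+)$")
_SUSPECT = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) --> Suspicion for (?P<kind>.+)$")
_APPINIT = re.compile(r'^Latent loading of libraries through AppInit_DLLs suspected: "(?P<dll>[^"]+)"$')
_SECURITY = re.compile(r"^>> Security: (?P<finding>.+)$")


@dataclass
class Hook:
    func: str
    orig: int          # address AVZ expected (export or SSDT entry)
    hook: int          # address the call was redirected to
    module: str = ""   # exporting DLL for user-mode hooks, "" for SSDT
    attrib: str = ""   # AVZ's hook method, or its attribution text for SSDT


@dataclass
class Triage:
    user_hooks: list = field(default_factory=list)
    kernel_hooks: list = field(default_factory=list)
    iat_mods: list = field(default_factory=list)
    suspect_dlls: list = field(default_factory=list)
    appinit_dlls: list = field(default_factory=list)
    security: list = field(default_factory=list)


def parse_avz_log(text: str) -> Triage:
    """Extract the hook/IAT/AppInit/security lines from a CollectSysInfo log."""
    t = Triage()
    for raw in text.splitlines():
        line = _TS.sub("", raw.strip())
        if m := _USER_HOOK.match(line):
            t.user_hooks.append(Hook(m["func"], int(m["orig"], 16), int(m["hook"], 16),
                                     m["module"], m["method"]))
        elif m := _KERNEL_HOOK.match(line):
            t.kernel_hooks.append(Hook(m["func"], int(m["orig"], 16), int(m["hook"], 16),
                                       "", m["attrib"] or ""))
        elif m := _IAT.match(line):
            t.iat_mods.append((m["func"], int(m["iat"], 16), int(m["export"], 16)))
        elif m := _SUSPECT.match(line):
            t.suspect_dlls.append((m["path"], m["kind"]))
        elif m := _APPINIT.match(line):
            t.appinit_dlls.append(m["dll"])
        elif m := _SECURITY.match(line):
            t.security.append(m["finding"])
    return t


def hook_regions(hooks, granularity=0x10000):
    """Group hook targets by address region (64 KiB by default).

    Heuristic: a module that hooks ten functions keeps all ten trampolines
    inside its own image, so the targets cluster; hooks from different
    modules do not.
    """
    return Counter(h.hook & ~(granularity - 1) for h in hooks)


def summarize(t: Triage) -> dict:
    """The counts a responder reads first; one region usually means one hooker."""
    return {
        "user_hooks": len(t.user_hooks),
        "user_hook_regions": len(hook_regions(t.user_hooks)),
        "kernel_hooks": len(t.kernel_hooks),
        "kernel_hooks_unattributed": sum(h.attrib == "hook not defined" for h in t.kernel_hooks),
        "iat_mods": len(t.iat_mods),
        "appinit_dlls": t.appinit_dlls,
        "suspect_dlls": [p for p, _ in t.suspect_dlls],
        "security": t.security,
    }


if __name__ == "__main__":
    for key, value in summarize(parse_avz_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Run against the full log in this post, the region grouping is what makes it readable: all ten user-mode hook targets begin with 61F0, so one module placed them all, and all seven SSDT hook targets begin with 8A76. The seven hooked services (open, suspend and terminate for processes and threads, plus assigning a process to a job) are the process-protection set that security products hook for self-defence and that rootkits hook for the same reason in reverse; AVZ prints "hook not defined" for each, which I read as it not naming the owning module, so the log alone does not settle which it is. Finding the driver that owns 8A76xxxx and the DLL that owns 61F0xxxx is the next step; the AppInit_DLLs entry and the flagged DLL (wbsys.dll) belong to WindowBlinds, which AVZ's own behavioural analysis already rates as not keylogger-like.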

  2. #2

  3. #3
    Junior Member
    Registered: 21.01.2009
    Posts: 6
    Reputation weight: 33
    I apologize, this Russian text confuses me, but I found the English setting on the forum's bottom, so I can read this all now.

    Attachments: logfile.zip

  4. #4
    drongo, Senior Member
    Registered: 17.09.2004
    Location: Israel
    Posts: 7,165
    Reputation weight: 971
    Hi!
    Just one file (if it still exists) I would like to see:
    Please unload all your antivirus and antispyware and execute this script in avptool:
    Code:
    begin
     QuarantineFile('C:\DOCUME~1\LEO\LOCALS~1\Temp\QPLIEVXV.exe','');
    end.
    In a sub-folder of avptool a quarantine will be created; zip it with the password virus and send it via http://virusinfo.info/upload_virus_eng.php?tid=37882

    You have a lot of antispyware; in my opinion it is not giving you extra protection, it may just bring you some new bugs.
    Also you should update your system (SP3 and other security updates); go to the Windows Update site.

    Did you run an automatic scan with avptool in safe mode? If not, do it now and tell us what it finds.

  5. #5
    Junior Member
    Registered: 21.01.2009
    Posts: 6
    Reputation weight: 33
    The file no longer exists, due to nothing being quarantined. The file was part of the RootkitRevealer program, which is legit.

    I cannot update to SP3, due to game compatibility issues if updated to SP3.


    I will need to run the scan later, because school work is pinning me down.

    Added 1 minute later

    Also, in the log it says some CD stuff is disabled.

    Can you write me a fix or tell me a way to enable all of the CD drives and stuff? It would be greatly appreciated.
    Last edited by FPSFan; 22.01.2009 at 00:24. Reason: Added

  6. #6
    drongo, Senior Member
    Registered: 17.09.2004
    Location: Israel
    Posts: 7,165
    Reputation weight: 971
    On the contrary, in the log I see that "CD drives and stuff" are enabled. So, what do you want to fix? In my opinion and in the opinion of avptool they must be disabled, but it is up to you.
    Again, your main problem is too much "anti" and SP3 missing.

  7. #7
    RiC, Senior Member
    Registered: 22.04.2005
    Posts: 1,988
    Reputation weight: 548
    Helped at Geekstogo - http://www.geekstogo.com/forum/I-Thi...843.html&st=15

    Topic closed.
