Показано с 1 по 2 из 2.

help

  1. #1
    Junior Member Репутация
    Регистрация
    20.02.2009
    Сообщений
    1
    Вес репутации
    33

    help

    20/02/2009 9.02.22 Windows version: Microsoft Windows XP, Build=2600, SP="Service Pack 3"
    20/02/2009 9.02.22 System Restore: Disabled
    20/02/2009 9.02.23 1.1 Searching for user-mode API hooks
    20/02/2009 9.02.23 Analysis: kernel32.dll, export table found in section .text
    20/02/2009 9.02.23 Function kernel32.dll:CreateProcessA (99) intercepted, method ProcAddressHijack.GetProcAddress ->7C80236B->61F03F42
    20/02/2009 9.02.23 Hook kernel32.dll:CreateProcessA (99) blocked
    20/02/2009 9.02.23 Function kernel32.dll:CreateProcessW (103) intercepted, method ProcAddressHijack.GetProcAddress ->7C802336->61F04040
    20/02/2009 9.02.23 Hook kernel32.dll:CreateProcessW (103) blocked
    20/02/2009 9.02.23 Function kernel32.dll:FreeLibrary (241) intercepted, method ProcAddressHijack.GetProcAddress ->7C80AC6E->61F041FC
    20/02/2009 9.02.23 Hook kernel32.dll:FreeLibrary (241) blocked
    20/02/2009 9.02.23 Function kernel32.dll:GetModuleFileNameA (373) intercepted, method ProcAddressHijack.GetProcAddress ->7C80B55F->61F040FB
    20/02/2009 9.02.23 Hook kernel32.dll:GetModuleFileNameA (373) blocked
    20/02/2009 9.02.23 Function kernel32.dll:GetModuleFileNameW (374) intercepted, method ProcAddressHijack.GetProcAddress ->7C80B465->61F041A0
    20/02/2009 9.02.23 Hook kernel32.dll:GetModuleFileNameW (374) blocked
    20/02/2009 9.02.23 Function kernel32.dll:GetProcAddress (409) intercepted, method ProcAddressHijack.GetProcAddress ->7C80AE30->61F04648
    20/02/2009 9.02.23 Hook kernel32.dll:GetProcAddress (409) blocked
    20/02/2009 9.02.23 Function kernel32.dlloadLibraryA (581) intercepted, method ProcAddressHijack.GetProcAddress ->7C801D7B->61F03C6F
    20/02/2009 9.02.23 Hook kernel32.dlloadLibraryA (581) blocked
    20/02/2009 9.02.23 >>> Functions LoadLibraryA - preventing AVZ process from being intercepted by address replacement !!)
    20/02/2009 9.02.23 Function kernel32.dlloadLibraryExA (582) intercepted, method ProcAddressHijack.GetProcAddress ->7C801D53->61F03DAF
    20/02/2009 9.02.23 Hook kernel32.dlloadLibraryExA (582) blocked
    20/02/2009 9.02.23 >>> Functions LoadLibraryExA - preventing AVZ process from being intercepted by address replacement !!)
    20/02/2009 9.02.23 Function kernel32.dlloadLibraryExW (583) intercepted, method ProcAddressHijack.GetProcAddress ->7C801AF5->61F03E5A
    20/02/2009 9.02.23 Hook kernel32.dlloadLibraryExW (583) blocked
    20/02/2009 9.02.23 Function kernel32.dlloadLibraryW (584) intercepted, method ProcAddressHijack.GetProcAddress ->7C80AEDB->61F03D0C
    20/02/2009 9.02.23 Hook kernel32.dlloadLibraryW (584) blocked
    20/02/2009 9.02.23 IAT modification detected: LoadLibraryW - 00C20010<>7C80AEDB
    20/02/2009 9.02.23 Analysis: ntdll.dll, export table found in section .text
    20/02/2009 9.02.24 Analysis: user32.dll, export table found in section .text
    20/02/2009 9.02.24 Analysis: advapi32.dll, export table found in section .text
    20/02/2009 9.02.24 Analysis: ws2_32.dll, export table found in section .text
    20/02/2009 9.02.24 Analysis: wininet.dll, export table found in section .text
    20/02/2009 9.02.24 Analysis: rasapi32.dll, export table found in section .text
    20/02/2009 9.02.24 Analysis: urlmon.dll, export table found in section .text
    20/02/2009 9.02.24 Analysis: netapi32.dll, export table found in section .text
    20/02/2009 9.02.25 1.2 Searching for kernel-mode API hooks
    20/02/2009 9.02.25 Driver loaded successfully
    20/02/2009 9.02.25 SDT found (RVA=085700)
    20/02/2009 9.02.25 Kernel ntkrnlpa.exe found in memory at address 804D7000
    20/02/2009 9.02.25 SDT = 8055C700
    20/02/2009 9.02.25 KiST = 80504460 (284)
    20/02/2009 9.02.25 Function NtEnumerateKey (47) - machine code modification Method of JmpTo. jmp 81BF8F3C
    20/02/2009 9.02.25 >>> Function restored successfully !
    20/02/2009 9.02.25 Function NtFlushInstructionCache (4E) - machine code modification Method of JmpTo. jmp 81BF8E64
    20/02/2009 9.02.25 >>> Function restored successfully !
    20/02/2009 9.02.25 Function NtQueryValueKey (B1) - machine code modification Method of JmpTo. jmp 81C0A12C
    20/02/2009 9.02.25 >>> Function restored successfully !
    20/02/2009 9.02.26 Function IofCallDriver (804EF1A6) - machine code modification Method of JmpTo. jmp 81C1D6DB
    20/02/2009 9.02.26 >>> Function restored successfully !
    20/02/2009 9.02.26 Function IofCompleteRequest (804EF236) - machine code modification Method of JmpTo. jmp 81CAD25B
    20/02/2009 9.02.26 >>> Function restored successfully !
    20/02/2009 9.02.28 Functions checked: 284, intercepted: 0, restored: 5
    20/02/2009 9.02.28 1.3 Checking IDT and SYSENTER
    20/02/2009 9.02.28 Analysis for CPU 1
    20/02/2009 9.02.28 Checking IDT and SYSENTER - complete
    20/02/2009 9.02.29 1.4 Searching for masking processes and drivers
    20/02/2009 9.02.29 Checking not performed: extended monitoring driver (AVZPM) is not installed
    20/02/2009 9.02.29 Driver loaded successfully
    20/02/2009 9.02.29 1.5 Checking of IRP handlers
    20/02/2009 9.02.29 Checking - complete
    20/02/2009 9.02.46 C:\WINDOWS\system32\avgrsstx.dll --> Suspicion for Keylogger or Trojan DLL
    20/02/2009 9.02.46 C:\WINDOWS\system32\avgrsstx.dll>>> Behavioral analysis
    20/02/2009 9.02.46 Behaviour typical for keyloggers not detected
    20/02/2009 9.02.49 Note: Do NOT delete suspicious files, send them for analysis (see FAQ for more details), because there are lots of useful hooking DLLs
    20/02/2009 9.03.03 Latent loading of libraries through AppInit_DLLs suspected: "avgrsstx.dll"
    20/02/2009 9.03.04 >>> C:\autorun.inf HSC: suspicion for hidden autorun (high degree of probability)
    20/02/2009 9.03.04 >> Services: potentially dangerous service allowed: TermService (Servizi terminal)
    20/02/2009 9.03.04 >> Services: potentially dangerous service allowed: SSDPSRV (Servizio di rilevamento SSDP)
    20/02/2009 9.03.04 >> Services: potentially dangerous service allowed: Schedule (Utilitа di pianificazione)
    20/02/2009 9.03.04 >> Services: potentially dangerous service allowed: mnmsrvc (Condivisione desktop remoto di NetMeeting)
    20/02/2009 9.03.04 >> Services: potentially dangerous service allowed: RDSessMgr (Gestione sessione di assistenza mediante desktop remoto)
    20/02/2009 9.03.04 > Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
    20/02/2009 9.03.04 >> Security: disk drives' autorun is enabled
    20/02/2009 9.03.04 >> Security: administrative shares (C$, D$ ...) are enabled
    20/02/2009 9.03.04 >> Security: anonymous user access is enabled
    20/02/2009 9.03.09 >> Service termination timeout is out of admissible values
    20/02/2009 9.03.10 >> Disable HDD autorun
    20/02/2009 9.03.10 >> Disable autorun from network drives
    20/02/2009 9.03.10 >> Disable CD/DVD autorun
    20/02/2009 9.03.10 >> Disable removable media autorun
    20/02/2009 9.03.10 System Analysis in progress
    20/02/2009 9.05.17 System Analysis - complete
    20/02/2009 9.05.17 Delete file:C:\Documents and Settings\GIOVANNA\Desktop\Virus Removal Tool\is-TQOKV\LOG\avptool_syscheck.htm
    20/02/2009 9.05.17 Delete file:C:\Documents and Settings\GIOVANNA\Desktop\Virus Removal Tool\is-TQOKV\LOG\avptool_syscheck.xml
    20/02/2009 9.05.17 Deleting service/driver: utyxntc3
    20/02/2009 9.05.17 Delete file:C:\WINDOWS\system32\Drivers\utyxntc3.sys
    20/02/2009 9.05.17 Deleting service/driver: ujyxntc3
    20/02/2009 9.05.18 Script executed without errors

    *********

    <AVZ_CollectSysInfo>
    --------------------
    Start time: 20/02/2009 9.02.21
    Duration: 00.02.57
    Finish time: 20/02/2009 9.05.18


    <AVZ_CollectSysInfo>
    --------------------
    Time Event
    ---- -----
    20/02/2009 9.02.22 Windows version: Microsoft Windows XP, Build=2600, SP="Service Pack 3"
    20/02/2009 9.02.22 System Restore: Disabled
    20/02/2009 9.02.23 1.1 Searching for user-mode API hooks
    20/02/2009 9.02.23 Analysis: kernel32.dll, export table found in section .text
    20/02/2009 9.02.23 Function kernel32.dll:CreateProcessA (99) intercepted, method ProcAddressHijack.GetProcAddress ->7C80236B->61F03F42
    20/02/2009 9.02.23 Hook kernel32.dll:CreateProcessA (99) blocked
    20/02/2009 9.02.23 Function kernel32.dll:CreateProcessW (103) intercepted, method ProcAddressHijack.GetProcAddress ->7C802336->61F04040
    20/02/2009 9.02.23 Hook kernel32.dll:CreateProcessW (103) blocked
    20/02/2009 9.02.23 Function kernel32.dll:FreeLibrary (241) intercepted, method ProcAddressHijack.GetProcAddress ->7C80AC6E->61F041FC
    20/02/2009 9.02.23 Hook kernel32.dll:FreeLibrary (241) blocked
    20/02/2009 9.02.23 Function kernel32.dll:GetModuleFileNameA (373) intercepted, method ProcAddressHijack.GetProcAddress ->7C80B55F->61F040FB
    20/02/2009 9.02.23 Hook kernel32.dll:GetModuleFileNameA (373) blocked
    20/02/2009 9.02.23 Function kernel32.dll:GetModuleFileNameW (374) intercepted, method ProcAddressHijack.GetProcAddress ->7C80B465->61F041A0
    20/02/2009 9.02.23 Hook kernel32.dll:GetModuleFileNameW (374) blocked
    20/02/2009 9.02.23 Function kernel32.dll:GetProcAddress (409) intercepted, method ProcAddressHijack.GetProcAddress ->7C80AE30->61F04648
    20/02/2009 9.02.23 Hook kernel32.dll:GetProcAddress (409) blocked
    20/02/2009 9.02.23 Function kernel32.dlloadLibraryA (581) intercepted, method ProcAddressHijack.GetProcAddress ->7C801D7B->61F03C6F
    20/02/2009 9.02.23 Hook kernel32.dlloadLibraryA (581) blocked
    20/02/2009 9.02.23 >>> Functions LoadLibraryA - preventing AVZ process from being intercepted by address replacement !!)
    20/02/2009 9.02.23 Function kernel32.dlloadLibraryExA (582) intercepted, method ProcAddressHijack.GetProcAddress ->7C801D53->61F03DAF
    20/02/2009 9.02.23 Hook kernel32.dlloadLibraryExA (582) blocked
    20/02/2009 9.02.23 >>> Functions LoadLibraryExA - preventing AVZ process from being intercepted by address replacement !!)
    20/02/2009 9.02.23 Function kernel32.dlloadLibraryExW (583) intercepted, method ProcAddressHijack.GetProcAddress ->7C801AF5->61F03E5A
    20/02/2009 9.02.23 Hook kernel32.dlloadLibraryExW (583) blocked
    20/02/2009 9.02.23 Function kernel32.dlloadLibraryW (584) intercepted, method ProcAddressHijack.GetProcAddress ->7C80AEDB->61F03D0C
    20/02/2009 9.02.23 Hook kernel32.dlloadLibraryW (584) blocked
    20/02/2009 9.02.23 IAT modification detected: LoadLibraryW - 00C20010<>7C80AEDB
    20/02/2009 9.02.23 Analysis: ntdll.dll, export table found in section .text
    20/02/2009 9.02.24 Analysis: user32.dll, export table found in section .text
    20/02/2009 9.02.24 Analysis: advapi32.dll, export table found in section .text
    20/02/2009 9.02.24 Analysis: ws2_32.dll, export table found in section .text
    20/02/2009 9.02.24 Analysis: wininet.dll, export table found in section .text
    20/02/2009 9.02.24 Analysis: rasapi32.dll, export table found in section .text
    20/02/2009 9.02.24 Analysis: urlmon.dll, export table found in section .text
    20/02/2009 9.02.24 Analysis: netapi32.dll, export table found in section .text
    20/02/2009 9.02.25 1.2 Searching for kernel-mode API hooks
    20/02/2009 9.02.25 Driver loaded successfully
    20/02/2009 9.02.25 SDT found (RVA=085700)
    20/02/2009 9.02.25 Kernel ntkrnlpa.exe found in memory at address 804D7000
    20/02/2009 9.02.25 SDT = 8055C700
    20/02/2009 9.02.25 KiST = 80504460 (284)
    20/02/2009 9.02.25 Function NtEnumerateKey (47) - machine code modification Method of JmpTo. jmp 81BF8F3C
    20/02/2009 9.02.25 >>> Function restored successfully !
    20/02/2009 9.02.25 Function NtFlushInstructionCache (4E) - machine code modification Method of JmpTo. jmp 81BF8E64
    20/02/2009 9.02.25 >>> Function restored successfully !
    20/02/2009 9.02.25 Function NtQueryValueKey (B1) - machine code modification Method of JmpTo. jmp 81C0A12C
    20/02/2009 9.02.25 >>> Function restored successfully !
    20/02/2009 9.02.26 Function IofCallDriver (804EF1A6) - machine code modification Method of JmpTo. jmp 81C1D6DB
    20/02/2009 9.02.26 >>> Function restored successfully !
    20/02/2009 9.02.26 Function IofCompleteRequest (804EF236) - machine code modification Method of JmpTo. jmp 81CAD25B
    20/02/2009 9.02.26 >>> Function restored successfully !
    20/02/2009 9.02.28 Functions checked: 284, intercepted: 0, restored: 5
    20/02/2009 9.02.28 1.3 Checking IDT and SYSENTER
    20/02/2009 9.02.28 Analysis for CPU 1
    20/02/2009 9.02.28 Checking IDT and SYSENTER - complete
    20/02/2009 9.02.29 1.4 Searching for masking processes and drivers
    20/02/2009 9.02.29 Checking not performed: extended monitoring driver (AVZPM) is not installed
    20/02/2009 9.02.29 Driver loaded successfully
    20/02/2009 9.02.29 1.5 Checking of IRP handlers
    20/02/2009 9.02.29 Checking - complete
    20/02/2009 9.02.46 C:\WINDOWS\system32\avgrsstx.dll --> Suspicion for Keylogger or Trojan DLL
    20/02/2009 9.02.46 C:\WINDOWS\system32\avgrsstx.dll>>> Behavioral analysis
    20/02/2009 9.02.46 Behaviour typical for keyloggers not detected
    20/02/2009 9.02.49 Note: Do NOT delete suspicious files, send them for analysis (see FAQ for more details), because there are lots of useful hooking DLLs
    20/02/2009 9.03.03 Latent loading of libraries through AppInit_DLLs suspected: "avgrsstx.dll"
    20/02/2009 9.03.04 >>> C:\autorun.inf HSC: suspicion for hidden autorun (high degree of probability)
    20/02/2009 9.03.04 >> Services: potentially dangerous service allowed: TermService (Servizi terminal)
    20/02/2009 9.03.04 >> Services: potentially dangerous service allowed: SSDPSRV (Servizio di rilevamento SSDP)
    20/02/2009 9.03.04 >> Services: potentially dangerous service allowed: Schedule (Utilitа di pianificazione)
    20/02/2009 9.03.04 >> Services: potentially dangerous service allowed: mnmsrvc (Condivisione desktop remoto di NetMeeting)
    20/02/2009 9.03.04 >> Services: potentially dangerous service allowed: RDSessMgr (Gestione sessione di assistenza mediante desktop remoto)
    20/02/2009 9.03.04 > Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
    20/02/2009 9.03.04 >> Security: disk drives' autorun is enabled
    20/02/2009 9.03.04 >> Security: administrative shares (C$, D$ ...) are enabled
    20/02/2009 9.03.04 >> Security: anonymous user access is enabled
    20/02/2009 9.03.09 >> Service termination timeout is out of admissible values
    20/02/2009 9.03.10 >> Disable HDD autorun
    20/02/2009 9.03.10 >> Disable autorun from network drives
    20/02/2009 9.03.10 >> Disable CD/DVD autorun
    20/02/2009 9.03.10 >> Disable removable media autorun
    20/02/2009 9.03.10 System Analysis in progress
    20/02/2009 9.05.17 System Analysis - complete
    20/02/2009 9.05.17 Delete file:C:\Documents and Settings\GIOVANNA\Desktop\Virus Removal Tool\is-TQOKV\LOG\avptool_syscheck.htm
    20/02/2009 9.05.17 Delete file:C:\Documents and Settings\GIOVANNA\Desktop\Virus Removal Tool\is-TQOKV\LOG\avptool_syscheck.xml
    20/02/2009 9.05.17 Deleting service/driver: utyxntc3
    20/02/2009 9.05.17 Delete file:C:\WINDOWS\system32\Drivers\utyxntc3.sys
    20/02/2009 9.05.17 Deleting service/driver: ujyxntc3
    20/02/2009 9.05.18 Script executed without errors



  2. #2

Свернуть/Развернуть Ваши права в разделе

  • Вы не можете создавать новые темы
  • Вы не можете отвечать в темах
  • Вы не можете прикреплять вложения
  • Вы не можете редактировать свои сообщения
  •  
Page generated in 0.00080 seconds with 15 queries