help
20/02/2009 9.02.22 Windows version: Microsoft Windows XP, Build=2600, SP="Service Pack 3"
20/02/2009 9.02.22 System Restore: Disabled
20/02/2009 9.02.23 1.1 Searching for user-mode API hooks
20/02/2009 9.02.23 Analysis: kernel32.dll, export table found in section .text
20/02/2009 9.02.23 Function kernel32.dll:CreateProcessA (99) intercepted, method ProcAddressHijack.GetProcAddress ->7C80236B->61F03F42
20/02/2009 9.02.23 Hook kernel32.dll:CreateProcessA (99) blocked
20/02/2009 9.02.23 Function kernel32.dll:CreateProcessW (103) intercepted, method ProcAddressHijack.GetProcAddress ->7C802336->61F04040
20/02/2009 9.02.23 Hook kernel32.dll:CreateProcessW (103) blocked
20/02/2009 9.02.23 Function kernel32.dll:FreeLibrary (241) intercepted, method ProcAddressHijack.GetProcAddress ->7C80AC6E->61F041FC
20/02/2009 9.02.23 Hook kernel32.dll:FreeLibrary (241) blocked
20/02/2009 9.02.23 Function kernel32.dll:GetModuleFileNameA (373) intercepted, method ProcAddressHijack.GetProcAddress ->7C80B55F->61F040FB
20/02/2009 9.02.23 Hook kernel32.dll:GetModuleFileNameA (373) blocked
20/02/2009 9.02.23 Function kernel32.dll:GetModuleFileNameW (374) intercepted, method ProcAddressHijack.GetProcAddress ->7C80B465->61F041A0
20/02/2009 9.02.23 Hook kernel32.dll:GetModuleFileNameW (374) blocked
20/02/2009 9.02.23 Function kernel32.dll:GetProcAddress (409) intercepted, method ProcAddressHijack.GetProcAddress ->7C80AE30->61F04648
20/02/2009 9.02.23 Hook kernel32.dll:GetProcAddress (409) blocked
20/02/2009 9.02.23 Function kernel32.dll:LoadLibraryA (581) intercepted, method ProcAddressHijack.GetProcAddress ->7C801D7B->61F03C6F
20/02/2009 9.02.23 Hook kernel32.dll:LoadLibraryA (581) blocked
20/02/2009 9.02.23 >>> Functions LoadLibraryA - preventing AVZ process from being intercepted by address replacement !!)
20/02/2009 9.02.23 Function kernel32.dll:LoadLibraryExA (582) intercepted, method ProcAddressHijack.GetProcAddress ->7C801D53->61F03DAF
20/02/2009 9.02.23 Hook kernel32.dll:LoadLibraryExA (582) blocked
20/02/2009 9.02.23 >>> Functions LoadLibraryExA - preventing AVZ process from being intercepted by address replacement !!)
20/02/2009 9.02.23 Function kernel32.dll:LoadLibraryExW (583) intercepted, method ProcAddressHijack.GetProcAddress ->7C801AF5->61F03E5A
20/02/2009 9.02.23 Hook kernel32.dll:LoadLibraryExW (583) blocked
20/02/2009 9.02.23 Function kernel32.dll:LoadLibraryW (584) intercepted, method ProcAddressHijack.GetProcAddress ->7C80AEDB->61F03D0C
20/02/2009 9.02.23 Hook kernel32.dll:LoadLibraryW (584) blocked
20/02/2009 9.02.23 IAT modification detected: LoadLibraryW - 00C20010<>7C80AEDB
20/02/2009 9.02.23 Analysis: ntdll.dll, export table found in section .text
20/02/2009 9.02.24 Analysis: user32.dll, export table found in section .text
20/02/2009 9.02.24 Analysis: advapi32.dll, export table found in section .text
20/02/2009 9.02.24 Analysis: ws2_32.dll, export table found in section .text
20/02/2009 9.02.24 Analysis: wininet.dll, export table found in section .text
20/02/2009 9.02.24 Analysis: rasapi32.dll, export table found in section .text
20/02/2009 9.02.24 Analysis: urlmon.dll, export table found in section .text
20/02/2009 9.02.24 Analysis: netapi32.dll, export table found in section .text
20/02/2009 9.02.25 1.2 Searching for kernel-mode API hooks
20/02/2009 9.02.25 Driver loaded successfully
20/02/2009 9.02.25 SDT found (RVA=085700)
20/02/2009 9.02.25 Kernel ntkrnlpa.exe found in memory at address 804D7000
20/02/2009 9.02.25 SDT = 8055C700
20/02/2009 9.02.25 KiST = 80504460 (284)
20/02/2009 9.02.25 Function NtEnumerateKey (47) - machine code modification Method of JmpTo. jmp 81BF8F3C
20/02/2009 9.02.25 >>> Function restored successfully !
20/02/2009 9.02.25 Function NtFlushInstructionCache (4E) - machine code modification Method of JmpTo. jmp 81BF8E64
20/02/2009 9.02.25 >>> Function restored successfully !
20/02/2009 9.02.25 Function NtQueryValueKey (B1) - machine code modification Method of JmpTo. jmp 81C0A12C
20/02/2009 9.02.25 >>> Function restored successfully !
20/02/2009 9.02.26 Function IofCallDriver (804EF1A6) - machine code modification Method of JmpTo. jmp 81C1D6DB
20/02/2009 9.02.26 >>> Function restored successfully !
20/02/2009 9.02.26 Function IofCompleteRequest (804EF236) - machine code modification Method of JmpTo. jmp 81CAD25B
20/02/2009 9.02.26 >>> Function restored successfully !
20/02/2009 9.02.28 Functions checked: 284, intercepted: 0, restored: 5
20/02/2009 9.02.28 1.3 Checking IDT and SYSENTER
20/02/2009 9.02.28 Analysis for CPU 1
20/02/2009 9.02.28 Checking IDT and SYSENTER - complete
20/02/2009 9.02.29 1.4 Searching for masking processes and drivers
20/02/2009 9.02.29 Checking not performed: extended monitoring driver (AVZPM) is not installed
20/02/2009 9.02.29 Driver loaded successfully
20/02/2009 9.02.29 1.5 Checking of IRP handlers
20/02/2009 9.02.29 Checking - complete
20/02/2009 9.02.46 C:\WINDOWS\system32\avgrsstx.dll --> Suspicion for Keylogger or Trojan DLL
20/02/2009 9.02.46 C:\WINDOWS\system32\avgrsstx.dll>>> Behavioral analysis
20/02/2009 9.02.46 Behaviour typical for keyloggers not detected
20/02/2009 9.02.49 Note: Do NOT delete suspicious files, send them for analysis (see FAQ for more details), because there are lots of useful hooking DLLs
20/02/2009 9.03.03 Latent loading of libraries through AppInit_DLLs suspected: "avgrsstx.dll"
20/02/2009 9.03.04 >>> C:\autorun.inf HSC: suspicion for hidden autorun (high degree of probability)
20/02/2009 9.03.04 >> Services: potentially dangerous service allowed: TermService (Servizi terminal)
20/02/2009 9.03.04 >> Services: potentially dangerous service allowed: SSDPSRV (Servizio di rilevamento SSDP)
20/02/2009 9.03.04 >> Services: potentially dangerous service allowed: Schedule (Utilità di pianificazione)
20/02/2009 9.03.04 >> Services: potentially dangerous service allowed: mnmsrvc (Condivisione desktop remoto di NetMeeting)
20/02/2009 9.03.04 >> Services: potentially dangerous service allowed: RDSessMgr (Gestione sessione di assistenza mediante desktop remoto)
20/02/2009 9.03.04 > Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
20/02/2009 9.03.04 >> Security: disk drives' autorun is enabled
20/02/2009 9.03.04 >> Security: administrative shares (C$, D$ ...) are enabled
20/02/2009 9.03.04 >> Security: anonymous user access is enabled
20/02/2009 9.03.09 >> Service termination timeout is out of admissible values
20/02/2009 9.03.10 >> Disable HDD autorun
20/02/2009 9.03.10 >> Disable autorun from network drives
20/02/2009 9.03.10 >> Disable CD/DVD autorun
20/02/2009 9.03.10 >> Disable removable media autorun
20/02/2009 9.03.10 System Analysis in progress
20/02/2009 9.05.17 System Analysis - complete
20/02/2009 9.05.17 Delete file:C:\Documents and Settings\GIOVANNA\Desktop\Virus Removal Tool\is-TQOKV\LOG\avptool_syscheck.htm
20/02/2009 9.05.17 Delete file:C:\Documents and Settings\GIOVANNA\Desktop\Virus Removal Tool\is-TQOKV\LOG\avptool_syscheck.xml
20/02/2009 9.05.17 Deleting service/driver: utyxntc3
20/02/2009 9.05.17 Delete file:C:\WINDOWS\system32\Drivers\utyxntc3.sys
20/02/2009 9.05.17 Deleting service/driver: ujyxntc3
20/02/2009 9.05.18 Script executed without errors
*********
<AVZ_CollectSysInfo>
--------------------
Start time: 20/02/2009 9.02.21
Duration: 00.02.57
Finish time: 20/02/2009 9.05.18