
help

  1. #1
    Junior Member Reputation
    Registered
    20.02.2009
    Posts
    1
    Reputation weight
    56

    help

    20/02/2009 9.02.22 Windows version: Microsoft Windows XP, Build=2600, SP="Service Pack 3"
    20/02/2009 9.02.22 System Restore: Disabled
    20/02/2009 9.02.23 1.1 Searching for user-mode API hooks
    20/02/2009 9.02.23 Analysis: kernel32.dll, export table found in section .text
    20/02/2009 9.02.23 Function kernel32.dll:CreateProcessA (99) intercepted, method ProcAddressHijack.GetProcAddress ->7C80236B->61F03F42
    20/02/2009 9.02.23 Hook kernel32.dll:CreateProcessA (99) blocked
    20/02/2009 9.02.23 Function kernel32.dll:CreateProcessW (103) intercepted, method ProcAddressHijack.GetProcAddress ->7C802336->61F04040
    20/02/2009 9.02.23 Hook kernel32.dll:CreateProcessW (103) blocked
    20/02/2009 9.02.23 Function kernel32.dll:FreeLibrary (241) intercepted, method ProcAddressHijack.GetProcAddress ->7C80AC6E->61F041FC
    20/02/2009 9.02.23 Hook kernel32.dll:FreeLibrary (241) blocked
    20/02/2009 9.02.23 Function kernel32.dll:GetModuleFileNameA (373) intercepted, method ProcAddressHijack.GetProcAddress ->7C80B55F->61F040FB
    20/02/2009 9.02.23 Hook kernel32.dll:GetModuleFileNameA (373) blocked
    20/02/2009 9.02.23 Function kernel32.dll:GetModuleFileNameW (374) intercepted, method ProcAddressHijack.GetProcAddress ->7C80B465->61F041A0
    20/02/2009 9.02.23 Hook kernel32.dll:GetModuleFileNameW (374) blocked
    20/02/2009 9.02.23 Function kernel32.dll:GetProcAddress (409) intercepted, method ProcAddressHijack.GetProcAddress ->7C80AE30->61F04648
    20/02/2009 9.02.23 Hook kernel32.dll:GetProcAddress (409) blocked
    20/02/2009 9.02.23 Function kernel32.dll:LoadLibraryA (581) intercepted, method ProcAddressHijack.GetProcAddress ->7C801D7B->61F03C6F
    20/02/2009 9.02.23 Hook kernel32.dll:LoadLibraryA (581) blocked
    20/02/2009 9.02.23 >>> Functions LoadLibraryA - preventing AVZ process from being intercepted by address replacement !!)
    20/02/2009 9.02.23 Function kernel32.dll:LoadLibraryExA (582) intercepted, method ProcAddressHijack.GetProcAddress ->7C801D53->61F03DAF
    20/02/2009 9.02.23 Hook kernel32.dll:LoadLibraryExA (582) blocked
    20/02/2009 9.02.23 >>> Functions LoadLibraryExA - preventing AVZ process from being intercepted by address replacement !!)
    20/02/2009 9.02.23 Function kernel32.dll:LoadLibraryExW (583) intercepted, method ProcAddressHijack.GetProcAddress ->7C801AF5->61F03E5A
    20/02/2009 9.02.23 Hook kernel32.dll:LoadLibraryExW (583) blocked
    20/02/2009 9.02.23 Function kernel32.dll:LoadLibraryW (584) intercepted, method ProcAddressHijack.GetProcAddress ->7C80AEDB->61F03D0C
    20/02/2009 9.02.23 Hook kernel32.dll:LoadLibraryW (584) blocked
    20/02/2009 9.02.23 IAT modification detected: LoadLibraryW - 00C20010<>7C80AEDB
    20/02/2009 9.02.23 Analysis: ntdll.dll, export table found in section .text
    20/02/2009 9.02.24 Analysis: user32.dll, export table found in section .text
    20/02/2009 9.02.24 Analysis: advapi32.dll, export table found in section .text
    20/02/2009 9.02.24 Analysis: ws2_32.dll, export table found in section .text
    20/02/2009 9.02.24 Analysis: wininet.dll, export table found in section .text
    20/02/2009 9.02.24 Analysis: rasapi32.dll, export table found in section .text
    20/02/2009 9.02.24 Analysis: urlmon.dll, export table found in section .text
    20/02/2009 9.02.24 Analysis: netapi32.dll, export table found in section .text
    20/02/2009 9.02.25 1.2 Searching for kernel-mode API hooks
    20/02/2009 9.02.25 Driver loaded successfully
    20/02/2009 9.02.25 SDT found (RVA=085700)
    20/02/2009 9.02.25 Kernel ntkrnlpa.exe found in memory at address 804D7000
    20/02/2009 9.02.25 SDT = 8055C700
    20/02/2009 9.02.25 KiST = 80504460 (284)
    20/02/2009 9.02.25 Function NtEnumerateKey (47) - machine code modification Method of JmpTo. jmp 81BF8F3C
    20/02/2009 9.02.25 >>> Function restored successfully !
    20/02/2009 9.02.25 Function NtFlushInstructionCache (4E) - machine code modification Method of JmpTo. jmp 81BF8E64
    20/02/2009 9.02.25 >>> Function restored successfully !
    20/02/2009 9.02.25 Function NtQueryValueKey (B1) - machine code modification Method of JmpTo. jmp 81C0A12C
    20/02/2009 9.02.25 >>> Function restored successfully !
    20/02/2009 9.02.26 Function IofCallDriver (804EF1A6) - machine code modification Method of JmpTo. jmp 81C1D6DB
    20/02/2009 9.02.26 >>> Function restored successfully !
    20/02/2009 9.02.26 Function IofCompleteRequest (804EF236) - machine code modification Method of JmpTo. jmp 81CAD25B
    20/02/2009 9.02.26 >>> Function restored successfully !
    20/02/2009 9.02.28 Functions checked: 284, intercepted: 0, restored: 5
    20/02/2009 9.02.28 1.3 Checking IDT and SYSENTER
    20/02/2009 9.02.28 Analysis for CPU 1
    20/02/2009 9.02.28 Checking IDT and SYSENTER - complete
    20/02/2009 9.02.29 1.4 Searching for masking processes and drivers
    20/02/2009 9.02.29 Checking not performed: extended monitoring driver (AVZPM) is not installed
    20/02/2009 9.02.29 Driver loaded successfully
    20/02/2009 9.02.29 1.5 Checking of IRP handlers
    20/02/2009 9.02.29 Checking - complete
    20/02/2009 9.02.46 C:\WINDOWS\system32\avgrsstx.dll --> Suspicion for Keylogger or Trojan DLL
    20/02/2009 9.02.46 C:\WINDOWS\system32\avgrsstx.dll>>> Behavioral analysis
    20/02/2009 9.02.46 Behaviour typical for keyloggers not detected
    20/02/2009 9.02.49 Note: Do NOT delete suspicious files, send them for analysis (see FAQ for more details), because there are lots of useful hooking DLLs
    20/02/2009 9.03.03 Latent loading of libraries through AppInit_DLLs suspected: "avgrsstx.dll"
    20/02/2009 9.03.04 >>> C:\autorun.inf HSC: suspicion for hidden autorun (high degree of probability)
    20/02/2009 9.03.04 >> Services: potentially dangerous service allowed: TermService (Terminal Services)
    20/02/2009 9.03.04 >> Services: potentially dangerous service allowed: SSDPSRV (SSDP Discovery Service)
    20/02/2009 9.03.04 >> Services: potentially dangerous service allowed: Schedule (Task Scheduler)
    20/02/2009 9.03.04 >> Services: potentially dangerous service allowed: mnmsrvc (NetMeeting Remote Desktop Sharing)
    20/02/2009 9.03.04 >> Services: potentially dangerous service allowed: RDSessMgr (Remote Desktop Help Session Manager)
    20/02/2009 9.03.04 > Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
    20/02/2009 9.03.04 >> Security: disk drives' autorun is enabled
    20/02/2009 9.03.04 >> Security: administrative shares (C$, D$ ...) are enabled
    20/02/2009 9.03.04 >> Security: anonymous user access is enabled
    20/02/2009 9.03.09 >> Service termination timeout is out of admissible values
    20/02/2009 9.03.10 >> Disable HDD autorun
    20/02/2009 9.03.10 >> Disable autorun from network drives
    20/02/2009 9.03.10 >> Disable CD/DVD autorun
    20/02/2009 9.03.10 >> Disable removable media autorun
    20/02/2009 9.03.10 System Analysis in progress
    20/02/2009 9.05.17 System Analysis - complete
    20/02/2009 9.05.17 Delete file:C:\Documents and Settings\GIOVANNA\Desktop\Virus Removal Tool\is-TQOKV\LOG\avptool_syscheck.htm
    20/02/2009 9.05.17 Delete file:C:\Documents and Settings\GIOVANNA\Desktop\Virus Removal Tool\is-TQOKV\LOG\avptool_syscheck.xml
    20/02/2009 9.05.17 Deleting service/driver: utyxntc3
    20/02/2009 9.05.17 Delete file:C:\WINDOWS\system32\Drivers\utyxntc3.sys
    20/02/2009 9.05.17 Deleting service/driver: ujyxntc3
    20/02/2009 9.05.18 Script executed without errors

    *********

    <AVZ_CollectSysInfo>
    --------------------
    Start time: 20/02/2009 9.02.21
    Duration: 00.02.57
    Finish time: 20/02/2009 9.05.18



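Added example, not part of the original post and not AVZ's own code: a small Python triage script for the hook findings in a log like the one above. AVZ reports two different user-mode interception mechanisms here (GetProcAddress returning an address other than the export table's, and a patched IAT slot for LoadLibraryW) plus inline `jmp` patches on five kernel functions, and the interesting questions are how many distinct hooking modules are involved and whether the IAT patch is explained by the same module as the GetProcAddress hijacks. The sample lines are a subset copied from the post; the regular expressions are written against the message format visible there and are assumed to hold for other AVZ versions.

```python
"""Triage helper for the hook findings in an AVZ log.

Added example (not part of the original post or of AVZ): parses the lines AVZ
prints in phase 1.1 (user-mode API hooks) and 1.2 (kernel-mode API hooks) and
answers what an analyst asks of such a log: how many functions were hijacked,
where the hooks point, and whether the IAT patch is explained by the same
hooking module. The regexes assume the message format seen in the post.
"""
import re

# Constructed sample: a subset of the lines from the posted log.
SAMPLE_LOG = """\
20/02/2009 9.02.23 Function kernel32.dll:CreateProcessA (99) intercepted, method ProcAddressHijack.GetProcAddress ->7C80236B->61F03F42
20/02/2009 9.02.23 Hook kernel32.dll:CreateProcessA (99) blocked
20/02/2009 9.02.23 Function kernel32.dll:LoadLibraryW (584) intercepted, method ProcAddressHijack.GetProcAddress ->7C80AEDB->61F03D0C
20/02/2009 9.02.23 IAT modification detected: LoadLibraryW - 00C20010<>7C80AEDB
20/02/2009 9.02.25 Kernel ntkrnlpa.exe found in memory at address 804D7000
20/02/2009 9.02.25 Function NtEnumerateKey (47) - machine code modification Method of JmpTo. jmp 81BF8F3C
20/02/2009 9.02.25 >>> Function restored successfully !
20/02/2009 9.02.26 Function IofCallDriver (804EF1A6) - machine code modification Method of JmpTo. jmp 81C1D6DB
20/02/2009 9.02.26 >>> Function restored successfully !
20/02/2009 9.03.03 Latent loading of libraries through AppInit_DLLs suspected: "avgrsstx.dll"
"""

HEX8 = r"[0-9A-F]{8}"
USER_HOOK = re.compile(
    rf"Function (?P<module>[\w.]+):(?P<func>\w+) \((?P<ordinal>\d+)\) intercepted, "
    rf"method (?P<method>[\w.]+) ->(?P<orig>{HEX8})->(?P<hook>{HEX8})"
)
IAT_MOD = re.compile(rf"IAT modification detected: (?P<func>\w+) - (?P<actual>{HEX8})<>(?P<expected>{HEX8})")
KERNEL_PATCH = re.compile(
    rf"Function (?P<func>\w+) \((?P<ref>[0-9A-F]+)\) - machine code modification "
    rf"Method of JmpTo\. jmp (?P<target>{HEX8})"
)
KERNEL_BASE = re.compile(rf"Kernel (?P<image>\S+) found in memory at address (?P<base>{HEX8})")
APPINIT = re.compile(r'AppInit_DLLs suspected: "(?P<dll>[^"]+)"')


def triage(log_text):
    """Return a structured view of the hook-related findings in an AVZ log."""
    report = {"kernel_base": None, "user_hooks": [], "iat_mods": [],
              "kernel_patches": [], "appinit_dlls": [], "restored": 0}
    for line in log_text.splitlines():
        if m := KERNEL_BASE.search(line):
            report["kernel_base"] = int(m["base"], 16)
        elif m := USER_HOOK.search(line):
            # ProcAddressHijack: GetProcAddress returns `hook`, the export table says `orig`.
            report["user_hooks"].append({
                "module": m["module"], "func": m["func"], "ordinal": int(m["ordinal"]),
                "method": m["method"], "orig": int(m["orig"], 16), "hook": int(m["hook"], 16)})
        elif m := IAT_MOD.search(line):
            # The IAT slot currently holds `actual`; the real export lives at `expected`.
            report["iat_mods"].append({"func": m["func"], "actual": int(m["actual"], 16),
                                       "expected": int(m["expected"], 16)})
        elif m := KERNEL_PATCH.search(line):
            # AVZ prints a hex SSDT index for Nt* services and a virtual address
            # for other patched kernel exports such as IofCallDriver.
            ref = m["ref"]
            is_addr = len(ref) == 8
            report["kernel_patches"].append({
                "func": m["func"], "ssdt_index": None if is_addr else int(ref, 16),
                "address": int(ref, 16) if is_addr else None, "target": int(m["target"], 16)})
        elif m := APPINIT.search(line):
            report["appinit_dlls"].append(m["dll"])
        elif "Function restored successfully" in line:
            report["restored"] += 1
    return report


def address_span(addresses):
    """(lowest, highest) of a list of addresses; a tight span suggests one module."""
    return (min(addresses), max(addresses)) if addresses else None


def unexplained_iat_mods(report):
    """IAT patches whose target is not one of the GetProcAddress hook addresses.

    Such a patch points to a second hooking mechanism (or a second party),
    which is what the posted log shows for LoadLibraryW (00C20010 vs 61F03D0C)."""
    hook_targets = {h["hook"] for h in report["user_hooks"]}
    return [i for i in report["iat_mods"] if i["actual"] not in hook_targets]


if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    fmt = lambda span: "-".join(f"{a:08X}" for a in span)
    print(f"kernel base {r['kernel_base']:08X}")
    print(f"user-mode hooks: {len(r['user_hooks'])}, targets span "
          f"{fmt(address_span([h['hook'] for h in r['user_hooks']]))}")
    print(f"kernel patches: {len(r['kernel_patches'])} (restored {r['restored']}), targets span "
          f"{fmt(address_span([p['target'] for p in r['kernel_patches']]))}")
    print("AppInit_DLLs:", r["appinit_dlls"])
    print("IAT patches not explained by the GetProcAddress hooks:", unexplained_iat_mods(r))
```

Run against the full log above, the ten GetProcAddress hijacks all point into 61F0xxxx, i.e. one module, consistent with the single AppInit_DLLs entry AVZ flags, while the IAT slot for LoadLibraryW holds 00C20010, an address none of those hooks use. The five kernel `jmp` targets (81BF8E64 to 81CAD25B) are well above the ntkrnlpa.exe base of 804D7000; AVZ prints no driver list in this phase, so attributing them to a module needs the "masking processes and drivers" check, which the log shows was skipped because AVZPM was not installed.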