
Results of my Scan

  1. #1
    Junior Member
    Registered: 06.04.2009
    Posts: 3
    Reputation weight: 55

    Hello

    I have recently been having trouble with my PC. Firewall is repeatedly turned off when I reboot - webpages don't load - AVG will not update - and all new links in Firefox open in a new tab.

    I ran Kaspersky and this is the resulting log:

    Code:
    <AVZ_CollectSysInfo>
    --------------------
    Start time:    4/6/2009 1:20:06 PM
    Duration:    00:02:26
    Finish time:    4/6/2009 1:22:32 PM
    
    
    <AVZ_CollectSysInfo>
    --------------------
    Time    Event
    ----    -----
    4/6/2009 1:20:08 PM    Windows version: Microsoft Windows XP, Build=2600, SP="Service Pack 3"
    4/6/2009 1:20:08 PM    System Restore: enabled
    4/6/2009 1:20:09 PM    1.1 Searching for user-mode API hooks
    4/6/2009 1:20:09 PM     Analysis: kernel32.dll, export table found in section .text
    4/6/2009 1:20:09 PM    Function kernel32.dll:CreateProcessA (99) intercepted, method ProcAddressHijack.GetProcAddress ->7C80236B->61F03F42
    4/6/2009 1:20:09 PM    Hook kernel32.dll:CreateProcessA (99) blocked
    4/6/2009 1:20:09 PM    Function kernel32.dll:CreateProcessW (103) intercepted, method ProcAddressHijack.GetProcAddress ->7C802336->61F04040
    4/6/2009 1:20:09 PM    Hook kernel32.dll:CreateProcessW (103) blocked
    4/6/2009 1:20:09 PM    Function kernel32.dll:FreeLibrary (241) intercepted, method ProcAddressHijack.GetProcAddress ->7C80AC6E->61F041FC
    4/6/2009 1:20:09 PM    Hook kernel32.dll:FreeLibrary (241) blocked
    4/6/2009 1:20:09 PM    Function kernel32.dll:GetModuleFileNameA (373) intercepted, method ProcAddressHijack.GetProcAddress ->7C80B55F->61F040FB
    4/6/2009 1:20:09 PM    Hook kernel32.dll:GetModuleFileNameA (373) blocked
    4/6/2009 1:20:09 PM    Function kernel32.dll:GetModuleFileNameW (374) intercepted, method ProcAddressHijack.GetProcAddress ->7C80B465->61F041A0
    4/6/2009 1:20:09 PM    Hook kernel32.dll:GetModuleFileNameW (374) blocked
    4/6/2009 1:20:09 PM    Function kernel32.dll:GetProcAddress (409) intercepted, method ProcAddressHijack.GetProcAddress ->7C80AE30->61F04648
    4/6/2009 1:20:09 PM    Hook kernel32.dll:GetProcAddress (409) blocked
    4/6/2009 1:20:09 PM    Function kernel32.dll:LoadLibraryA (581) intercepted, method ProcAddressHijack.GetProcAddress ->7C801D7B->61F03C6F
    4/6/2009 1:20:09 PM    Hook kernel32.dll:LoadLibraryA (581) blocked
    4/6/2009 1:20:09 PM     >>> Functions LoadLibraryA - preventing AVZ process from being intercepted by address replacement  !!)
    4/6/2009 1:20:09 PM    Function kernel32.dll:LoadLibraryExA (582) intercepted, method ProcAddressHijack.GetProcAddress ->7C801D53->61F03DAF
    4/6/2009 1:20:09 PM    Hook kernel32.dll:LoadLibraryExA (582) blocked
    4/6/2009 1:20:09 PM     >>> Functions LoadLibraryExA - preventing AVZ process from being intercepted by address replacement !!)
    4/6/2009 1:20:09 PM    Function kernel32.dll:LoadLibraryExW (583) intercepted, method ProcAddressHijack.GetProcAddress ->7C801AF5->61F03E5A
    4/6/2009 1:20:09 PM    Hook kernel32.dll:LoadLibraryExW (583) blocked
    4/6/2009 1:20:09 PM    Function kernel32.dll:LoadLibraryW (584) intercepted, method ProcAddressHijack.GetProcAddress ->7C80AEDB->61F03D0C
    4/6/2009 1:20:09 PM    Hook kernel32.dll:LoadLibraryW (584) blocked
    4/6/2009 1:20:09 PM    IAT modification detected: LoadLibraryW - 00C00010<>7C80AEDB
    4/6/2009 1:20:09 PM     Analysis: ntdll.dll, export table found in section .text
    4/6/2009 1:20:09 PM     Analysis: user32.dll, export table found in section .text
    4/6/2009 1:20:09 PM     Analysis: advapi32.dll, export table found in section .text
    4/6/2009 1:20:09 PM     Analysis: ws2_32.dll, export table found in section .text
    4/6/2009 1:20:09 PM     Analysis: wininet.dll, export table found in section .text
    4/6/2009 1:20:10 PM     Analysis: rasapi32.dll, export table found in section .text
    4/6/2009 1:20:10 PM     Analysis: urlmon.dll, export table found in section .text
    4/6/2009 1:20:10 PM     Analysis: netapi32.dll, export table found in section .text
    4/6/2009 1:20:11 PM    1.2 Searching for kernel-mode API hooks
    4/6/2009 1:20:11 PM     Driver loaded successfully
    4/6/2009 1:20:11 PM     SDT found (RVA=085700)
    4/6/2009 1:20:11 PM     Kernel ntkrnlpa.exe found in memory at address 804D7000
    4/6/2009 1:20:11 PM       SDT = 8055C700
    4/6/2009 1:20:11 PM       KiST = 80504460 (284)
    4/6/2009 1:20:12 PM    Function NtCreateKey (29) intercepted (80623792->BA0F887E), hook C:\WINDOWS\system32\Drivers\Lbd.sys
    4/6/2009 1:20:12 PM    >>> Function restored successfully !
    4/6/2009 1:20:12 PM    >>> Hook code blocked
    4/6/2009 1:20:12 PM    Function NtEnumerateKey (47) - machine code modification Method of JmpTo. jmp 89AD966C
    4/6/2009 1:20:12 PM    >>> Function restored successfully !
    4/6/2009 1:20:12 PM    Function NtFlushInstructionCache (4E) - machine code modification Method of JmpTo. jmp 89AD84D4
    4/6/2009 1:20:12 PM    >>> Function restored successfully !
    4/6/2009 1:20:12 PM    Function NtSetValueKey (F7) intercepted (80621D18->BA0F8C10), hook C:\WINDOWS\system32\Drivers\Lbd.sys
    4/6/2009 1:20:12 PM    >>> Function restored successfully !
    4/6/2009 1:20:12 PM    >>> Hook code blocked
    4/6/2009 1:20:12 PM    Function IofCallDriver (804EF1A6) - machine code modification Method of JmpTo. jmp 89BA4A63 
    4/6/2009 1:20:12 PM    >>> Function restored successfully !
    4/6/2009 1:20:12 PM    Function IofCompleteRequest (804EF236) - machine code modification Method of JmpTo. jmp 89BA4ACB 
    4/6/2009 1:20:12 PM    >>> Function restored successfully !
    4/6/2009 1:20:12 PM    Functions checked: 284, intercepted: 2, restored: 6
    4/6/2009 1:20:12 PM    1.3 Checking IDT and SYSENTER
    4/6/2009 1:20:12 PM     Analysis for CPU 1
    4/6/2009 1:20:12 PM     Analysis for CPU 2
    4/6/2009 1:20:12 PM     Checking IDT and SYSENTER - complete
    4/6/2009 1:20:13 PM    1.4 Searching for masking processes and drivers
    4/6/2009 1:20:13 PM     Checking not performed: extended monitoring driver (AVZPM) is not installed
    4/6/2009 1:20:13 PM     Driver loaded successfully
    4/6/2009 1:20:13 PM    1.5 Checking of IRP handlers
    4/6/2009 1:20:13 PM     Checking - complete
    4/6/2009 1:20:13 PM    C:\Program Files\BillP Studios\WinPatrol\PATROLPRO.DLL --> Suspicion for Keylogger or Trojan DLL
    4/6/2009 1:20:13 PM    C:\Program Files\BillP Studios\WinPatrol\PATROLPRO.DLL>>> Behavioral analysis 
    4/6/2009 1:20:13 PM      1. Reacts to events: keyboard, mouse
    4/6/2009 1:20:13 PM    C:\Program Files\BillP Studios\WinPatrol\PATROLPRO.DLL>>> Neural net: file with probability 0.00% like a typical keyboard/mouse events interceptor
    4/6/2009 1:20:21 PM    Note: Do NOT delete suspicious files, send them for analysis  (see FAQ for more details),  because there are lots of useful hooking DLLs
    4/6/2009 1:20:29 PM    >>> C:\autorun.inf HSC: suspicion for  hidden autorun (high degree of probability)
    4/6/2009 1:20:29 PM    >> Services: potentially dangerous service allowed: RemoteRegistry (Remote Registry)
    4/6/2009 1:20:29 PM    >> Services: potentially dangerous service allowed: TermService (Terminal Services)
    4/6/2009 1:20:29 PM    >> Services: potentially dangerous service allowed: SSDPSRV (SSDP Discovery Service)
    4/6/2009 1:20:29 PM    >> Services: potentially dangerous service allowed: Schedule (Task Scheduler)
    4/6/2009 1:20:29 PM    >> Services: potentially dangerous service allowed: mnmsrvc (NetMeeting Remote Desktop Sharing)
    4/6/2009 1:20:29 PM    >> Services: potentially dangerous service allowed: RDSessMgr (Remote Desktop Help Session Manager)
    4/6/2009 1:20:29 PM    > Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
    4/6/2009 1:20:29 PM    >> Security: disk drives' autorun is enabled
    4/6/2009 1:20:29 PM    >> Security: administrative shares (C$, D$ ...) are enabled
    4/6/2009 1:20:29 PM    >> Security: anonymous user access is enabled
    4/6/2009 1:20:29 PM    >> Security: terminal connections to the PC are allowed
    4/6/2009 1:20:29 PM    >> Security: sending Remote Assistant queries is enabled
    4/6/2009 1:20:32 PM     >>  Disable CD/DVD autorun
    4/6/2009 1:20:33 PM    System Analysis in progress
    4/6/2009 1:22:32 PM    System Analysis - complete
    4/6/2009 1:22:32 PM    Delete file:C:\Documents and Settings\Administrator\Desktop\Virus Removal Tool\is-F8L9H\LOG\avptool_syscheck.htm
    4/6/2009 1:22:32 PM    Delete file:C:\Documents and Settings\Administrator\Desktop\Virus Removal Tool\is-F8L9H\LOG\avptool_syscheck.xml
    4/6/2009 1:22:32 PM    Deleting service/driver: uti3otqy
    4/6/2009 1:22:32 PM    Delete file:C:\WINDOWS\system32\Drivers\uti3otqy.sys
    4/6/2009 1:22:32 PM    Deleting service/driver: uji3otqy
    4/6/2009 1:22:32 PM    Script executed without errors
    ---------

    Thanks in advance for your help!

  2. #2
    Senior Member
    Registered: 03.04.2006
    Posts: 21,100
    Reputation weight: 3023
