XP is not loading correctly after virus cleanup

  1. #1
    Junior Member Reputation
    Join date
    09.09.2009
    Posts
    1
    Reputation weight
    31

    XP is not loading correctly after virus cleanup

    I have finished cleaning up the virus on my pc. After running several virus checkers, I have found no trace of virus anywhere. The problem is after the cleanup, the pc is not able to run a lot of services. The log says the process cannot be run in safe mode but XP has booted up successfully in Normal mode. Here is the Kaspersky Virus Removal Tool log after I ran Manual Cure. Please take a look and help me if you can.

    Thank you very much.



    <AVZ_CollectSysInfo>
    --------------------
    Start time: 09/09/2009 9:30:58 AM
    Duration: 00:02:42
    Finish time: 09/09/2009 9:33:40 AM

    <AVZ_CollectSysInfo>
    --------------------
    Time Event
    ---- -----
    09/09/2009 9:31:01 AM Windows version: Microsoft Windows XP, Build=2600, SP="Service Pack 2"
    09/09/2009 9:31:01 AM System Restore: enabled
    09/09/2009 9:31:03 AM 1.1 Searching for user-mode API hooks
    09/09/2009 9:31:04 AM Analysis: kernel32.dll, export table found in section .text
    09/09/2009 9:31:04 AM Function kernel32.dll:CreateProcessA (99) intercepted, method ProcAddressHijack.GetProcAddress ->7C802367->61F03F42
    09/09/2009 9:31:04 AM Hook kernel32.dll:CreateProcessA (99) blocked
    09/09/2009 9:31:04 AM Function kernel32.dll:CreateProcessW (103) intercepted, method ProcAddressHijack.GetProcAddress ->7C802332->61F04040
    09/09/2009 9:31:04 AM Hook kernel32.dll:CreateProcessW (103) blocked
    09/09/2009 9:31:04 AM Function kernel32.dll:FreeLibrary (241) intercepted, method ProcAddressHijack.GetProcAddress ->7C80ABEE->61F041FC
    09/09/2009 9:31:04 AM Hook kernel32.dll:FreeLibrary (241) blocked
    09/09/2009 9:31:04 AM Function kernel32.dll:GetModuleFileNameA (372) intercepted, method ProcAddressHijack.GetProcAddress ->7C80B4DF->61F040FB
    09/09/2009 9:31:04 AM Hook kernel32.dll:GetModuleFileNameA (372) blocked
    09/09/2009 9:31:04 AM Function kernel32.dll:GetModuleFileNameW (373) intercepted, method ProcAddressHijack.GetProcAddress ->7C80B3E5->61F041A0
    09/09/2009 9:31:04 AM Hook kernel32.dll:GetModuleFileNameW (373) blocked
    09/09/2009 9:31:04 AM Function kernel32.dll:GetProcAddress (408) intercepted, method ProcAddressHijack.GetProcAddress ->7C80ADB0->61F04648
    09/09/2009 9:31:04 AM Hook kernel32.dll:GetProcAddress (408) blocked
    09/09/2009 9:31:04 AM Function kernel32.dll:LoadLibraryA (578) intercepted, method ProcAddressHijack.GetProcAddress ->7C801D77->61F03C6F
    09/09/2009 9:31:04 AM Hook kernel32.dll:LoadLibraryA (578) blocked
    09/09/2009 9:31:04 AM >>> Functions LoadLibraryA - preventing AVZ process from being intercepted by address replacement !!)
    09/09/2009 9:31:04 AM Function kernel32.dll:LoadLibraryExA (579) intercepted, method ProcAddressHijack.GetProcAddress ->7C801D4F->61F03DAF
    09/09/2009 9:31:04 AM Hook kernel32.dll:LoadLibraryExA (579) blocked
    09/09/2009 9:31:04 AM >>> Functions LoadLibraryExA - preventing AVZ process from being intercepted by address replacement !!)
    09/09/2009 9:31:04 AM Function kernel32.dll:LoadLibraryExW (580) intercepted, method ProcAddressHijack.GetProcAddress ->7C801AF1->61F03E5A
    09/09/2009 9:31:04 AM Hook kernel32.dll:LoadLibraryExW (580) blocked
    09/09/2009 9:31:04 AM Function kernel32.dll:LoadLibraryW (581) intercepted, method ProcAddressHijack.GetProcAddress ->7C80AE5B->61F03D0C
    09/09/2009 9:31:04 AM Hook kernel32.dll:LoadLibraryW (581) blocked
    09/09/2009 9:31:04 AM IAT modification detected: LoadLibraryW - 00CA0010<>7C80AE5B
    09/09/2009 9:31:04 AM Analysis: ntdll.dll, export table found in section .text
    09/09/2009 9:31:04 AM Analysis: user32.dll, export table found in section .text
    09/09/2009 9:31:04 AM Analysis: advapi32.dll, export table found in section .text
    09/09/2009 9:31:04 AM Analysis: ws2_32.dll, export table found in section .text
    09/09/2009 9:31:04 AM Analysis: wininet.dll, export table found in section .text
    09/09/2009 9:31:04 AM Analysis: rasapi32.dll, export table found in section .text
    09/09/2009 9:31:04 AM Analysis: urlmon.dll, export table found in section .text
    09/09/2009 9:31:05 AM Analysis: netapi32.dll, export table found in section .text
    09/09/2009 9:31:05 AM 1.2 Searching for kernel-mode API hooks
    09/09/2009 9:31:06 AM Driver loaded successfully
    09/09/2009 9:31:06 AM SDT found (RVA=07B400)
    09/09/2009 9:31:06 AM Kernel ntkrnlpa.exe found in memory at address 804D7000
    09/09/2009 9:31:06 AM SDT = 80552400
    09/09/2009 9:31:06 AM KiST = 8050121C (284)
    09/09/2009 9:31:07 AM Functions checked: 284, intercepted: 0, restored: 0
    09/09/2009 9:31:07 AM 1.3 Checking IDT and SYSENTER
    09/09/2009 9:31:07 AM Analysis for CPU 1
    09/09/2009 9:31:07 AM Checking IDT and SYSENTER - complete
    09/09/2009 9:31:08 AM 1.4 Searching for masking processes and drivers
    09/09/2009 9:31:08 AM Checking not performed: extended monitoring driver (AVZPM) is not installed
    09/09/2009 9:31:08 AM Driver loaded successfully
    09/09/2009 9:31:08 AM 1.5 Checking of IRP handlers
    09/09/2009 9:31:08 AM \FileSystem\ntfs[IRP_MJ_CREATE] = 867D11D8 -> hook not defined
    09/09/2009 9:31:08 AM \FileSystem\ntfs[IRP_MJ_CLOSE] = 867D11D8 -> hook not defined
    09/09/2009 9:31:08 AM \FileSystem\ntfs[IRP_MJ_WRITE] = 867D11D8 -> hook not defined
    09/09/2009 9:31:08 AM \FileSystem\ntfs[IRP_MJ_QUERY_INFORMATION] = 867D11D8 -> hook not defined
    09/09/2009 9:31:08 AM \FileSystem\ntfs[IRP_MJ_SET_INFORMATION] = 867D11D8 -> hook not defined
    09/09/2009 9:31:08 AM \FileSystem\ntfs[IRP_MJ_QUERY_EA] = 867D11D8 -> hook not defined
    09/09/2009 9:31:08 AM \FileSystem\ntfs[IRP_MJ_SET_EA] = 867D11D8 -> hook not defined
    09/09/2009 9:31:08 AM \FileSystem\ntfs[IRP_MJ_QUERY_VOLUME_INFORMATION] = 867D11D8 -> hook not defined
    09/09/2009 9:31:08 AM \FileSystem\ntfs[IRP_MJ_SET_VOLUME_INFORMATION] = 867D11D8 -> hook not defined
    09/09/2009 9:31:08 AM \FileSystem\ntfs[IRP_MJ_DIRECTORY_CONTROL] = 867D11D8 -> hook not defined
    09/09/2009 9:31:08 AM \FileSystem\ntfs[IRP_MJ_FILE_SYSTEM_CONTROL] = 867D11D8 -> hook not defined
    09/09/2009 9:31:08 AM \FileSystem\ntfs[IRP_MJ_DEVICE_CONTROL] = 867D11D8 -> hook not defined
    09/09/2009 9:31:08 AM \FileSystem\ntfs[IRP_MJ_LOCK_CONTROL] = 867D11D8 -> hook not defined
    09/09/2009 9:31:08 AM \FileSystem\ntfs[IRP_MJ_QUERY_SECURITY] = 867D11D8 -> hook not defined
    09/09/2009 9:31:08 AM \FileSystem\ntfs[IRP_MJ_SET_SECURITY] = 867D11D8 -> hook not defined
    09/09/2009 9:31:08 AM \FileSystem\ntfs[IRP_MJ_PNP] = 867D11D8 -> hook not defined
    09/09/2009 9:31:08 AM Checking - complete
    09/09/2009 9:31:26 AM >> Services: potentially dangerous service allowed: RemoteRegistry (Remote Registry)
    09/09/2009 9:31:26 AM >> Services: potentially dangerous service allowed: TermService (Terminal Services)
    09/09/2009 9:31:26 AM >> Services: potentially dangerous service allowed: SSDPSRV (SSDP Discovery Service)
    09/09/2009 9:31:26 AM >> Services: potentially dangerous service allowed: Schedule (Task Scheduler)
    09/09/2009 9:31:26 AM >> Services: potentially dangerous service allowed: mnmsrvc (NetMeeting Remote Desktop Sharing)
    09/09/2009 9:31:26 AM >> Services: potentially dangerous service allowed: RDSessMgr (Remote Desktop Help Session Manager)
    09/09/2009 9:31:26 AM > Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
    09/09/2009 9:31:26 AM >> Security: disk drives' autorun is enabled
    09/09/2009 9:31:26 AM >> Security: administrative shares (C$, D$ ...) are enabled
    09/09/2009 9:31:26 AM >> Security: terminal connections to the PC are allowed
    09/09/2009 9:31:26 AM >> Security: sending Remote Assistant queries is enabled
    09/09/2009 9:31:31 AM >> Disable HDD autorun
    09/09/2009 9:31:31 AM >> Disable autorun from network drives
    09/09/2009 9:31:31 AM >> Disable CD/DVD autorun
    09/09/2009 9:31:31 AM >> Disable removable media autorun
    09/09/2009 9:31:31 AM System Analysis in progress
    09/09/2009 9:33:40 AM System Analysis - complete
    09/09/2009 9:33:40 AM Delete file:C:\Documents and Settings\Ylee\Desktop\Virus Removal Tool\is-T9SJ2\LOG\avptool_syscheck.htm
    09/09/2009 9:33:40 AM Delete file:C:\Documents and Settings\Ylee\Desktop\Virus Removal Tool\is-T9SJ2\LOG\avptool_syscheck.xml
    09/09/2009 9:33:40 AM Deleting service/driver: utqxnty5
    09/09/2009 9:33:40 AM Delete file:C:\WINDOWS\system32\Drivers\utqxnty5.sys
    09/09/2009 9:33:40 AM Deleting service/driver: ujqxnty5
    09/09/2009 9:33:40 AM Script executed without errors
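An added triage helper for the log format above (example code, not part of the original post and not AVZ's own code): it parses the user-mode hook, IAT-modification and driver-deletion lines, groups the hooked kernel32 exports by the 64 KiB region their replacement address falls into (all of them land in 61F0xxxx, far from kernel32's 7C80xxxx, which is what a single injected module looks like), and flags randomly named drivers of the kind the cure script removed. The sample lines are a constructed subset of the posted log with the forum's smiley-garbling repaired.

```python
import re
from collections import defaultdict

# Constructed sample: a few lines copied from the AVZ log in the post above.
SAMPLE_LOG = r"""
09/09/2009 9:31:04 AM Function kernel32.dll:CreateProcessA (99) intercepted, method ProcAddressHijack.GetProcAddress ->7C802367->61F03F42
09/09/2009 9:31:04 AM Hook kernel32.dll:CreateProcessA (99) blocked
09/09/2009 9:31:04 AM Function kernel32.dll:LoadLibraryW (581) intercepted, method ProcAddressHijack.GetProcAddress ->7C80AE5B->61F03D0C
09/09/2009 9:31:04 AM IAT modification detected: LoadLibraryW - 00CA0010<>7C80AE5B
09/09/2009 9:31:07 AM Functions checked: 284, intercepted: 0, restored: 0
09/09/2009 9:33:40 AM Deleting service/driver: utqxnty5
09/09/2009 9:33:40 AM Delete file:C:\WINDOWS\system32\Drivers\utqxnty5.sys
"""

HOOK_RE = re.compile(r"Function (?P<mod>[\w.]+):(?P<func>\w+) \((?P<ord>\d+)\) intercepted, "
                     r"method (?P<method>\S+) ->(?P<orig>[0-9A-F]{8})->(?P<target>[0-9A-F]{8})")
IAT_RE = re.compile(r"IAT modification detected: (?P<func>\w+) - [0-9A-F]{8}<>[0-9A-F]{8}")
DRV_RE = re.compile(r"Deleting service/driver: (?P<name>\S+)")

def parse_avz(text):
    """Pull the security-relevant events out of an AVZ log: user-mode API hooks
    (with original and replacement addresses), IAT patches and removed drivers."""
    lines = text.splitlines()
    hooks = [{**m.groupdict(), "target_int": int(m["target"], 16)}
             for m in map(HOOK_RE.search, lines) if m]
    iat = [m["func"] for m in map(IAT_RE.search, lines) if m]
    drivers = [m["name"] for m in map(DRV_RE.search, lines) if m]
    return {"hooks": hooks, "iat": iat, "drivers": drivers}

def hook_targets_by_region(hooks, shift=16):
    """Group hooked exports by the 64 KiB region their replacement address points
    into. Many hooks landing in one region outside the system DLL usually mean
    one injected module installed all of them."""
    regions = defaultdict(list)
    for h in hooks:
        regions[h["target_int"] >> shift].append(h["func"])
    return {f"{base << shift:08X}": funcs for base, funcs in regions.items()}

def looks_random_name(name):
    """Heuristic for the kind of service/driver name seen in the cure step:
    exactly eight lowercase letters/digits with at least one digit."""
    return re.fullmatch(r"[a-z0-9]{8}", name) is not None and any(c.isdigit() for c in name)

if __name__ == "__main__":
    r = parse_avz(SAMPLE_LOG)
    print("hooked exports by target region:", hook_targets_by_region(r["hooks"]))
    print("IAT patched:", r["iat"])
    print("removed drivers:", [(d, looks_random_name(d)) for d in r["drivers"]])
```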

  2. #2
    Senior Member Reputation Avatar for Numb
    Join date
    04.10.2005
    Posts
    2,118
    Reputation weight
    847
    Hello.
    I'm sorry, but I ought to say that the log you've posted isn't the required log. Please look for the avptool_syscheck.zip file (it must be in the folder with the Kaspersky Virus Removal Tool or in its "log" subfolder) and attach it to your post here.
    You should also check the mode your computer starts in. Press the "Start" button, then "run" - type the "msconfig" command (you should type it without quotes of course) and press "enter". In the first bookmark there you can set the startup mode. Make sure that normal startup is checked there. If not, check it, press "ok" and try to restart.
