I have finished cleaning up the virus on my PC. After running several virus checkers, I have found no trace of the virus anywhere. The problem is that after the cleanup, the PC is not able to run a lot of services. The log says the process cannot be run in safe mode, but XP has booted up successfully in Normal mode. Here is the Kaspersky Virus Removal Tool log after I ran Manual Cure. Please take a look and help me if you can.
Thank you very much.
<AVZ_CollectSysInfo>
--------------------
Start time: 09/09/2009 9:30:58 AM
Duration: 00:02:42
Finish time: 09/09/2009 9:33:40 AM
<AVZ_CollectSysInfo>
--------------------
Time Event
---- -----
09/09/2009 9:31:01 AM Windows version: Microsoft Windows XP, Build=2600, SP="Service Pack 2"
09/09/2009 9:31:01 AM System Restore: enabled
09/09/2009 9:31:03 AM 1.1 Searching for user-mode API hooks
09/09/2009 9:31:04 AM Analysis: kernel32.dll, export table found in section .text
09/09/2009 9:31:04 AM Function kernel32.dll:CreateProcessA (99) intercepted, method ProcAddressHijack.GetProcAddress ->7C802367->61F03F42
09/09/2009 9:31:04 AM Hook kernel32.dll:CreateProcessA (99) blocked
09/09/2009 9:31:04 AM Function kernel32.dll:CreateProcessW (103) intercepted, method ProcAddressHijack.GetProcAddress ->7C802332->61F04040
09/09/2009 9:31:04 AM Hook kernel32.dll:CreateProcessW (103) blocked
09/09/2009 9:31:04 AM Function kernel32.dll:FreeLibrary (241) intercepted, method ProcAddressHijack.GetProcAddress ->7C80ABEE->61F041FC
09/09/2009 9:31:04 AM Hook kernel32.dll:FreeLibrary (241) blocked
09/09/2009 9:31:04 AM Function kernel32.dll:GetModuleFileNameA (372) intercepted, method ProcAddressHijack.GetProcAddress ->7C80B4DF->61F040FB
09/09/2009 9:31:04 AM Hook kernel32.dll:GetModuleFileNameA (372) blocked
09/09/2009 9:31:04 AM Function kernel32.dll:GetModuleFileNameW (373) intercepted, method ProcAddressHijack.GetProcAddress ->7C80B3E5->61F041A0
09/09/2009 9:31:04 AM Hook kernel32.dll:GetModuleFileNameW (373) blocked
09/09/2009 9:31:04 AM Function kernel32.dll:GetProcAddress (408) intercepted, method ProcAddressHijack.GetProcAddress ->7C80ADB0->61F04648
09/09/2009 9:31:04 AM Hook kernel32.dll:GetProcAddress (408) blocked
09/09/2009 9:31:04 AM Function kernel32.dll:LoadLibraryA (578) intercepted, method ProcAddressHijack.GetProcAddress ->7C801D77->61F03C6F
09/09/2009 9:31:04 AM Hook kernel32.dll:LoadLibraryA (578) blocked
09/09/2009 9:31:04 AM >>> Functions LoadLibraryA - preventing AVZ process from being intercepted by address replacement !!)
09/09/2009 9:31:04 AM Function kernel32.dll:LoadLibraryExA (579) intercepted, method ProcAddressHijack.GetProcAddress ->7C801D4F->61F03DAF
09/09/2009 9:31:04 AM Hook kernel32.dll:LoadLibraryExA (579) blocked
09/09/2009 9:31:04 AM >>> Functions LoadLibraryExA - preventing AVZ process from being intercepted by address replacement !!)
09/09/2009 9:31:04 AM Function kernel32.dll:LoadLibraryExW (580) intercepted, method ProcAddressHijack.GetProcAddress ->7C801AF1->61F03E5A
09/09/2009 9:31:04 AM Hook kernel32.dll:LoadLibraryExW (580) blocked
09/09/2009 9:31:04 AM Function kernel32.dll:LoadLibraryW (581) intercepted, method ProcAddressHijack.GetProcAddress ->7C80AE5B->61F03D0C
09/09/2009 9:31:04 AM Hook kernel32.dll:LoadLibraryW (581) blocked
09/09/2009 9:31:04 AM IAT modification detected: LoadLibraryW - 00CA0010<>7C80AE5B
09/09/2009 9:31:04 AM Analysis: ntdll.dll, export table found in section .text
09/09/2009 9:31:04 AM Analysis: user32.dll, export table found in section .text
09/09/2009 9:31:04 AM Analysis: advapi32.dll, export table found in section .text
09/09/2009 9:31:04 AM Analysis: ws2_32.dll, export table found in section .text
09/09/2009 9:31:04 AM Analysis: wininet.dll, export table found in section .text
09/09/2009 9:31:04 AM Analysis: rasapi32.dll, export table found in section .text
09/09/2009 9:31:04 AM Analysis: urlmon.dll, export table found in section .text
09/09/2009 9:31:05 AM Analysis: netapi32.dll, export table found in section .text
09/09/2009 9:31:05 AM 1.2 Searching for kernel-mode API hooks
09/09/2009 9:31:06 AM Driver loaded successfully
09/09/2009 9:31:06 AM SDT found (RVA=07B400)
09/09/2009 9:31:06 AM Kernel ntkrnlpa.exe found in memory at address 804D7000
09/09/2009 9:31:06 AM SDT = 80552400
09/09/2009 9:31:06 AM KiST = 8050121C (284)
09/09/2009 9:31:07 AM Functions checked: 284, intercepted: 0, restored: 0
09/09/2009 9:31:07 AM 1.3 Checking IDT and SYSENTER
09/09/2009 9:31:07 AM Analysis for CPU 1
09/09/2009 9:31:07 AM Checking IDT and SYSENTER - complete
09/09/2009 9:31:08 AM 1.4 Searching for masking processes and drivers
09/09/2009 9:31:08 AM Checking not performed: extended monitoring driver (AVZPM) is not installed
09/09/2009 9:31:08 AM Driver loaded successfully
09/09/2009 9:31:08 AM 1.5 Checking of IRP handlers
09/09/2009 9:31:08 AM \FileSystem\ntfs[IRP_MJ_CREATE] = 867D11D8 -> hook not defined
09/09/2009 9:31:08 AM \FileSystem\ntfs[IRP_MJ_CLOSE] = 867D11D8 -> hook not defined
09/09/2009 9:31:08 AM \FileSystem\ntfs[IRP_MJ_WRITE] = 867D11D8 -> hook not defined
09/09/2009 9:31:08 AM \FileSystem\ntfs[IRP_MJ_QUERY_INFORMATION] = 867D11D8 -> hook not defined
09/09/2009 9:31:08 AM \FileSystem\ntfs[IRP_MJ_SET_INFORMATION] = 867D11D8 -> hook not defined
09/09/2009 9:31:08 AM \FileSystem\ntfs[IRP_MJ_QUERY_EA] = 867D11D8 -> hook not defined
09/09/2009 9:31:08 AM \FileSystem\ntfs[IRP_MJ_SET_EA] = 867D11D8 -> hook not defined
09/09/2009 9:31:08 AM \FileSystem\ntfs[IRP_MJ_QUERY_VOLUME_INFORMATION] = 867D11D8 -> hook not defined
09/09/2009 9:31:08 AM \FileSystem\ntfs[IRP_MJ_SET_VOLUME_INFORMATION] = 867D11D8 -> hook not defined
09/09/2009 9:31:08 AM \FileSystem\ntfs[IRP_MJ_DIRECTORY_CONTROL] = 867D11D8 -> hook not defined
09/09/2009 9:31:08 AM \FileSystem\ntfs[IRP_MJ_FILE_SYSTEM_CONTROL] = 867D11D8 -> hook not defined
09/09/2009 9:31:08 AM \FileSystem\ntfs[IRP_MJ_DEVICE_CONTROL] = 867D11D8 -> hook not defined
09/09/2009 9:31:08 AM \FileSystem\ntfs[IRP_MJ_LOCK_CONTROL] = 867D11D8 -> hook not defined
09/09/2009 9:31:08 AM \FileSystem\ntfs[IRP_MJ_QUERY_SECURITY] = 867D11D8 -> hook not defined
09/09/2009 9:31:08 AM \FileSystem\ntfs[IRP_MJ_SET_SECURITY] = 867D11D8 -> hook not defined
09/09/2009 9:31:08 AM \FileSystem\ntfs[IRP_MJ_PNP] = 867D11D8 -> hook not defined
09/09/2009 9:31:08 AM Checking - complete
09/09/2009 9:31:26 AM >> Services: potentially dangerous service allowed: RemoteRegistry (Remote Registry)
09/09/2009 9:31:26 AM >> Services: potentially dangerous service allowed: TermService (Terminal Services)
09/09/2009 9:31:26 AM >> Services: potentially dangerous service allowed: SSDPSRV (SSDP Discovery Service)
09/09/2009 9:31:26 AM >> Services: potentially dangerous service allowed: Schedule (Task Scheduler)
09/09/2009 9:31:26 AM >> Services: potentially dangerous service allowed: mnmsrvc (NetMeeting Remote Desktop Sharing)
09/09/2009 9:31:26 AM >> Services: potentially dangerous service allowed: RDSessMgr (Remote Desktop Help Session Manager)
09/09/2009 9:31:26 AM > Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
09/09/2009 9:31:26 AM >> Security: disk drives' autorun is enabled
09/09/2009 9:31:26 AM >> Security: administrative shares (C$, D$ ...) are enabled
09/09/2009 9:31:26 AM >> Security: terminal connections to the PC are allowed
09/09/2009 9:31:26 AM >> Security: sending Remote Assistant queries is enabled
09/09/2009 9:31:31 AM >> Disable HDD autorun
09/09/2009 9:31:31 AM >> Disable autorun from network drives
09/09/2009 9:31:31 AM >> Disable CD/DVD autorun
09/09/2009 9:31:31 AM >> Disable removable media autorun
09/09/2009 9:31:31 AM System Analysis in progress
09/09/2009 9:33:40 AM System Analysis - complete
09/09/2009 9:33:40 AM Delete file:C:\Documents and Settings\Ylee\Desktop\Virus Removal Tool\is-T9SJ2\LOG\avptool_syscheck.htm
09/09/2009 9:33:40 AM Delete file:C:\Documents and Settings\Ylee\Desktop\Virus Removal Tool\is-T9SJ2\LOG\avptool_syscheck.xml
09/09/2009 9:33:40 AM Deleting service/driver: utqxnty5
09/09/2009 9:33:40 AM Delete file:C:\WINDOWS\system32\Drivers\utqxnty5.sys
09/09/2009 9:33:40 AM Deleting service/driver: ujqxnty5
09/09/2009 9:33:40 AM Script executed without errors