
report

  1. #1
    Junior Member  Reputation
    Registered
    16.09.2009
    Posts
    1
    Reputation weight
    31

    report

    <AVZ_CollectSysInfo>
    --------------------
    Start time: 27/09/1430 10:02:12 ص
    Duration: 00:00:52
    Finish time: 27/09/1430 10:03:04 ص


    <AVZ_CollectSysInfo>
    --------------------
    Time Event
    ---- -----
    27/09/1430 10:02:13 ص Windows version: Microsoft Windows XP, Build=2600, SP="Service Pack 2"
    27/09/1430 10:02:13 ص System Restore: enabled
    27/09/1430 10:02:13 ص 1.1 Searching for user-mode API hooks
    27/09/1430 10:02:13 ص Analysis: kernel32.dll, export table found in section .text
    27/09/1430 10:02:13 ص Function kernel32.dll:CreateProcessA (99) intercepted, method ProcAddressHijack.GetProcAddress ->7C802367->61F03F42
    27/09/1430 10:02:13 ص Hook kernel32.dll:CreateProcessA (99) blocked
    27/09/1430 10:02:13 ص Function kernel32.dll:CreateProcessW (103) intercepted, method ProcAddressHijack.GetProcAddress ->7C802332->61F04040
    27/09/1430 10:02:13 ص Hook kernel32.dll:CreateProcessW (103) blocked
    27/09/1430 10:02:13 ص Function kernel32.dll:FreeLibrary (241) intercepted, method ProcAddressHijack.GetProcAddress ->7C80AA66->61F041FC
    27/09/1430 10:02:13 ص Hook kernel32.dll:FreeLibrary (241) blocked
    27/09/1430 10:02:13 ص Function kernel32.dll:GetModuleFileNameA (372) intercepted, method ProcAddressHijack.GetProcAddress ->7C80B357->61F040FB
    27/09/1430 10:02:13 ص Hook kernel32.dll:GetModuleFileNameA (372) blocked
    27/09/1430 10:02:13 ص Function kernel32.dll:GetModuleFileNameW (373) intercepted, method ProcAddressHijack.GetProcAddress ->7C80B25D->61F041A0
    27/09/1430 10:02:13 ص Hook kernel32.dll:GetModuleFileNameW (373) blocked
    27/09/1430 10:02:13 ص Function kernel32.dll:GetProcAddress (408) intercepted, method ProcAddressHijack.GetProcAddress ->7C80AC28->61F04648
    27/09/1430 10:02:13 ص Hook kernel32.dll:GetProcAddress (408) blocked
    27/09/1430 10:02:13 ص Function kernel32.dll:LoadLibraryA (578) intercepted, method ProcAddressHijack.GetProcAddress ->7C801D77->61F03C6F
    27/09/1430 10:02:13 ص Hook kernel32.dll:LoadLibraryA (578) blocked
    27/09/1430 10:02:13 ص >>> Functions LoadLibraryA - preventing AVZ process from being intercepted by address replacement !!)
    27/09/1430 10:02:13 ص Function kernel32.dll:LoadLibraryExA (579) intercepted, method ProcAddressHijack.GetProcAddress ->7C801D4F->61F03DAF
    27/09/1430 10:02:13 ص Hook kernel32.dll:LoadLibraryExA (579) blocked
    27/09/1430 10:02:13 ص >>> Functions LoadLibraryExA - preventing AVZ process from being intercepted by address replacement !!)
    27/09/1430 10:02:13 ص Function kernel32.dll:LoadLibraryExW (580) intercepted, method ProcAddressHijack.GetProcAddress ->7C801AF1->61F03E5A
    27/09/1430 10:02:13 ص Hook kernel32.dll:LoadLibraryExW (580) blocked
    27/09/1430 10:02:13 ص Function kernel32.dll:LoadLibraryW (581) intercepted, method ProcAddressHijack.GetProcAddress ->7C80ACD3->61F03D0C
    27/09/1430 10:02:13 ص Hook kernel32.dll:LoadLibraryW (581) blocked
    27/09/1430 10:02:13 ص IAT modification detected: LoadLibraryW - 00E20010<>7C80ACD3
    27/09/1430 10:02:13 ص IAT address restored: LoadLibraryW
    27/09/1430 10:02:13 ص IAT modification detected: GetModuleFileNameW - 00E2003A<>7C80B25D
    27/09/1430 10:02:13 ص IAT address restored: GetModuleFileNameW
    27/09/1430 10:02:13 ص IAT modification detected: GetModuleFileNameA - 00E20064<>7C80B357
    27/09/1430 10:02:13 ص IAT address restored: GetModuleFileNameA
    27/09/1430 10:02:13 ص IAT modification detected: CreateProcessA - 00E200B8<>7C802367
    27/09/1430 10:02:13 ص IAT address restored: CreateProcessA
    27/09/1430 10:02:13 ص IAT modification detected: LoadLibraryA - 00E2010C<>7C801D77
    27/09/1430 10:02:13 ص IAT address restored: LoadLibraryA
    27/09/1430 10:02:13 ص IAT modification detected: GetProcAddress - 00E20136<>7C80AC28
    27/09/1430 10:02:13 ص IAT address restored: GetProcAddress
    27/09/1430 10:02:13 ص IAT modification detected: FreeLibrary - 00E20160<>7C80AA66
    27/09/1430 10:02:13 ص IAT address restored: FreeLibrary
    27/09/1430 10:02:13 ص IAT modification detected: CreateFileA - 00436F87<>7C801A24
    27/09/1430 10:02:13 ص IAT address restored: CreateFileA
    27/09/1430 10:02:13 ص IAT modification detected: CreateFileW - 00436FB9<>7C810976
    27/09/1430 10:02:13 ص IAT address restored: CreateFileW
    27/09/1430 10:02:13 ص Analysis: ntdll.dll, export table found in section .text
    27/09/1430 10:02:13 ص Analysis: user32.dll, export table found in section .text
    27/09/1430 10:02:13 ص Analysis: advapi32.dll, export table found in section .text
    27/09/1430 10:02:13 ص Analysis: ws2_32.dll, export table found in section .text
    27/09/1430 10:02:13 ص Analysis: wininet.dll, export table found in section .text
    27/09/1430 10:02:13 ص Analysis: rasapi32.dll, export table found in section .text
    27/09/1430 10:02:13 ص Analysis: urlmon.dll, export table found in section .text
    27/09/1430 10:02:13 ص Analysis: netapi32.dll, export table found in section .text
    27/09/1430 10:02:14 ص 1.2 Searching for kernel-mode API hooks
    27/09/1430 10:02:14 ص Driver loaded successfully
    27/09/1430 10:02:14 ص SDT found (RVA=082B80)
    27/09/1430 10:02:14 ص Kernel ntoskrnl.exe found in memory at address 804D7000
    27/09/1430 10:02:14 ص SDT = 80559B80
    27/09/1430 10:02:14 ص KiST = 804E2D20 (284)
    27/09/1430 10:02:16 ص Functions checked: 284, intercepted: 0, restored: 0
    27/09/1430 10:02:16 ص 1.3 Checking IDT and SYSENTER
    27/09/1430 10:02:16 ص Analysis for CPU 1
    27/09/1430 10:02:16 ص Checking IDT and SYSENTER - complete
    27/09/1430 10:02:16 ص 1.4 Searching for masking processes and drivers
    27/09/1430 10:02:16 ص Checking not performed: extended monitoring driver (AVZPM) is not installed
    27/09/1430 10:02:16 ص Driver loaded successfully
    27/09/1430 10:02:16 ص 1.5 Checking of IRP handlers
    27/09/1430 10:02:16 ص Checking - complete
    27/09/1430 10:02:34 ص >>> E:\autorun.inf HSC: suspicion for hidden autorun (high degree of probability)
    27/09/1430 10:02:34 ص >>> F:\autorun.inf HSC: suspicion for hidden autorun (high degree of probability)
    27/09/1430 10:02:34 ص >>> G:\autorun.inf HSC: suspicion for hidden autorun (high degree of probability)
    27/09/1430 10:02:34 ص >>> H:\autorun.inf HSC: suspicion for hidden autorun (high degree of probability)
    27/09/1430 10:02:34 ص >> Services: potentially dangerous service allowed: RemoteRegistry (Remote Registry)
    27/09/1430 10:02:34 ص >> Services: potentially dangerous service allowed: TermService (Terminal Services)
    27/09/1430 10:02:34 ص >> Services: potentially dangerous service allowed: SSDPSRV (SSDP Discovery Service)
    27/09/1430 10:02:34 ص >> Services: potentially dangerous service allowed: Schedule (Task Scheduler)
    27/09/1430 10:02:34 ص >> Services: potentially dangerous service allowed: mnmsrvc (NetMeeting Remote Desktop Sharing)
    27/09/1430 10:02:34 ص >> Services: potentially dangerous service allowed: RDSessMgr (Remote Desktop Help Session Manager)
    27/09/1430 10:02:34 ص > Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
    27/09/1430 10:02:34 ص >> Security: disk drives' autorun is enabled
    27/09/1430 10:02:34 ص >> Security: administrative shares (C$, D$ ...) are enabled
    27/09/1430 10:02:35 ص >> Security: anonymous user access is enabled
    27/09/1430 10:02:35 ص >> Security: sending Remote Assistant queries is enabled
    27/09/1430 10:02:40 ص >> Disable HDD autorun
    27/09/1430 10:02:40 ص >> Disable autorun from network drives
    27/09/1430 10:02:41 ص >> Disable CD/DVD autorun
    27/09/1430 10:02:41 ص >> Disable removable media autorun
    27/09/1430 10:02:41 ص >> Windows Update is disabled
    27/09/1430 10:02:41 ص System Analysis in progress
    27/09/1430 10:03:04 ص System Analysis - complete
    27/09/1430 10:03:04 ص Delete file:C:\Documents and Settings\Famaly\Desktop\Virus Removal Tool\is-13VTL\LOG\avptool_syscheck.htm
    27/09/1430 10:03:04 ص Delete file:C:\Documents and Settings\Famaly\Desktop\Virus Removal Tool\is-13VTL\LOG\avptool_syscheck.xml
    27/09/1430 10:03:04 ص Deleting service/driver: utmymjk3
    27/09/1430 10:03:04 ص Delete file:C:\WINDOWS\system32\Drivers\utmymjk3.sys
    27/09/1430 10:03:04 ص Deleting service/driver: ujmymjk3
    27/09/1430 10:03:04 ص Script executed without errors
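An added triage helper, not part of this thread, written for the AVZ log format shown in the post above: it pulls the user-mode hook interceptions, IAT modifications, hidden-autorun suspicions, risky services and security warnings out of the log and groups hook targets by 64 KiB address region. The sample lines are a constructed excerpt in the same format; the patterns assume AVZ's English output with the three-token timestamp prefix (date, time, locale AM/PM marker) seen in this log.

```python
import re
from collections import Counter

# Constructed excerpt in the format of the AVZ log posted above, not the full log.
SAMPLE_LOG = r"""
27/09/1430 10:02:13 ص Function kernel32.dll:CreateProcessA (99) intercepted, method ProcAddressHijack.GetProcAddress ->7C802367->61F03F42
27/09/1430 10:02:13 ص Function kernel32.dll:GetProcAddress (408) intercepted, method ProcAddressHijack.GetProcAddress ->7C80AC28->61F04648
27/09/1430 10:02:13 ص IAT modification detected: LoadLibraryW - 00E20010<>7C80ACD3
27/09/1430 10:02:16 ص Functions checked: 284, intercepted: 0, restored: 0
27/09/1430 10:02:34 ص >>> E:\autorun.inf HSC: suspicion for hidden autorun (high degree of probability)
27/09/1430 10:02:34 ص >> Services: potentially dangerous service allowed: RemoteRegistry (Remote Registry)
27/09/1430 10:02:34 ص >> Security: disk drives' autorun is enabled
"""

# Every event line starts with date, time and the locale's AM/PM token (Arabic "ص" in this log).
PREFIX = re.compile(r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} \S+ (.*)$")
HOOK = re.compile(r"Function (\S+) \((\d+)\) intercepted, method (\S+) ->([0-9A-F]{8})->([0-9A-F]{8})")
IAT = re.compile(r"IAT modification detected: (\S+) - ([0-9A-F]{8})<>([0-9A-F]{8})")
HSC = re.compile(r">>> (.+?) HSC: ")
SVC = re.compile(r">> Services: potentially dangerous service allowed: (\S+)")
SEC = re.compile(r">> (Security: .+)")
KST = re.compile(r"Functions checked: (\d+), intercepted: (\d+), restored: (\d+)")

def triage(log_text):
    """Reduce an AVZ log to the findings an analyst reads first."""
    f = {"user_hooks": [], "iat_mods": [], "hidden_autorun": [],
         "risky_services": [], "security_warnings": [], "kernel": None}
    for raw in log_text.splitlines():
        m = PREFIX.match(raw.strip())
        if not m:
            continue  # headers and separators carry no timestamp
        msg = m.group(1)
        if h := HOOK.search(msg):
            f["user_hooks"].append(h.groups())  # (function, ordinal, method, original, target)
        elif i := IAT.search(msg):
            f["iat_mods"].append(i.groups())    # (import, patched address, real address)
        elif a := HSC.search(msg):
            f["hidden_autorun"].append(a.group(1))
        elif s := SVC.search(msg):
            f["risky_services"].append(s.group(1))
        elif w := SEC.search(msg):
            f["security_warnings"].append(w.group(1))
        elif k := KST.search(msg):
            f["kernel"] = dict(zip(("checked", "intercepted", "restored"), map(int, k.groups())))
    return f

def hook_regions(findings):
    """Count hook targets per 64 KiB region; targets clustered in one region are a heuristic sign of a single hooking module."""
    return Counter(target[:4] + "0000" for *_, target in findings["user_hooks"])
```

Run `triage` on the whole log file to get the same summary for every section AVZ emits in this format.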

  2. #2
    Senior Member  Reputation  Avatar for Numb
    Registered
    04.10.2005
    Posts
    2,118
    Reputation weight
    848
    While executing the script, please turn off your internet connection and disable any antivirus monitors.
    Execute the script:
    Code:
    begin
    SearchRootkit(true, true);
    SetAVZGuardStatus(True);
     TerminateProcessByName('c:\docume~1\famaly\locals~1\temp\winffheds.exe');
     TerminateProcessByName('c:\docume~1\famaly\locals~1\temp\w59fc2.exe');
     SetServiceStart('asc3360pr', 4);
     StopService('asc3360pr');
     QuarantineFile('H:\autorun.inf','');
     QuarantineFile('G:\autorun.inf','');
     QuarantineFile('F:\autorun.inf','');
     QuarantineFile('E:\autorun.inf','');
     QuarantineFile('C:\WINDOWS\system32\drivers\ikmmmk.sys','');
     QuarantineFile('C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll','');
     QuarantineFile('C:\WINDOWS\system32\wshatm32.dll','');
     QuarantineFile('c:\windows\zssnp211.exe','');
     QuarantineFile('c:\docume~1\famaly\locals~1\temp\winffheds.exe','');
     QuarantineFile('c:\docume~1\famaly\locals~1\temp\w59fc2.exe','');
     QuarantineFile('c:\windows\domino.exe','');
     DeleteFile('c:\docume~1\famaly\locals~1\temp\w59fc2.exe');
     BC_DeleteFile('c:\docume~1\famaly\locals~1\temp\w59fc2.exe');
     DeleteFile('c:\docume~1\famaly\locals~1\temp\winffheds.exe');
     BC_DeleteFile('c:\docume~1\famaly\locals~1\temp\winffheds.exe');
     DeleteFile('C:\WINDOWS\system32\drivers\ikmmmk.sys');
     BC_DeleteFile('C:\WINDOWS\system32\drivers\ikmmmk.sys');
     DeleteFile('C:\WINDOWS\system32\wshatm32.dll');
     BC_DeleteFile('C:\WINDOWS\system32\wshatm32.dll');
     DeleteFile('E:\autorun.inf');
     BC_DeleteFile('E:\autorun.inf');
     DeleteFile('F:\autorun.inf');
     BC_DeleteFile('F:\autorun.inf');
     DeleteFile('G:\autorun.inf');
     BC_DeleteFile('G:\autorun.inf');
     DeleteFile('H:\autorun.inf');
     BC_DeleteFile('H:\autorun.inf');
     DelBHO('{CD54F7AC-5FFF-425D-AB46-15C3C9417971}');
     DeleteService('asc3360pr');
     BC_DeleteSvc('asc3360pr');
    BC_ImportquarantineList;
    BC_Activate;
    ExecuteSysClean;
    RebootWindows(true);
    end.
    After restart, upload quarantine via the link http://virusinfo.info/upload_virus_eng.php?tid=54938 and make new logs.
