
my system analysis, please help me

  1. #1
    Junior Member Reputation
    Registered
    03.10.2009
    Posts
    1
    Reputation weight
    31

    my system analysis, please help me

    <AVZ_CollectSysInfo>
    --------------------
    Start time: 03/10/2009 09:19:14
    Duration: 00:06:19
    Finish time: 03/10/2009 09:25:33


    <AVZ_CollectSysInfo>
    --------------------
    Time Event
    ---- -----
    03/10/2009 09:19:24 Windows version: Microsoft Windows XP, Build=2600, SP="Service Pack 3"
    03/10/2009 09:19:24 System Restore: enabled
    03/10/2009 09:19:28 1.1 Searching for user-mode API hooks
    03/10/2009 09:19:29 Analysis: kernel32.dll, export table found in section .text
    03/10/2009 09:19:29 Function kernel32.dll:CreateProcessA (99) intercepted, method ProcAddressHijack.GetProcAddress ->7C80236B->61F03F42
    03/10/2009 09:19:29 Hook kernel32.dll:CreateProcessA (99) blocked
    03/10/2009 09:19:29 Function kernel32.dll:CreateProcessW (103) intercepted, method ProcAddressHijack.GetProcAddress ->7C802336->61F04040
    03/10/2009 09:19:29 Hook kernel32.dll:CreateProcessW (103) blocked
    03/10/2009 09:19:29 Function kernel32.dll:FreeLibrary (241) intercepted, method ProcAddressHijack.GetProcAddress ->7C80AC7E->61F041FC
    03/10/2009 09:19:29 Hook kernel32.dll:FreeLibrary (241) blocked
    03/10/2009 09:19:29 Function kernel32.dll:GetModuleFileNameA (373) intercepted, method ProcAddressHijack.GetProcAddress ->7C80B56F->61F040FB
    03/10/2009 09:19:29 Hook kernel32.dll:GetModuleFileNameA (373) blocked
    03/10/2009 09:19:29 Function kernel32.dll:GetModuleFileNameW (374) intercepted, method ProcAddressHijack.GetProcAddress ->7C80B475->61F041A0
    03/10/2009 09:19:29 Hook kernel32.dll:GetModuleFileNameW (374) blocked
    03/10/2009 09:19:29 Function kernel32.dll:GetProcAddress (409) intercepted, method ProcAddressHijack.GetProcAddress ->7C80AE40->61F04648
    03/10/2009 09:19:29 Hook kernel32.dll:GetProcAddress (409) blocked
    03/10/2009 09:19:29 Function kernel32.dll:LoadLibraryA (581) intercepted, method ProcAddressHijack.GetProcAddress ->7C801D7B->61F03C6F
    03/10/2009 09:19:29 Hook kernel32.dll:LoadLibraryA (581) blocked
    03/10/2009 09:19:29 >>> Functions LoadLibraryA - preventing AVZ process from being intercepted by address replacement !!)
    03/10/2009 09:19:29 Function kernel32.dll:LoadLibraryExA (582) intercepted, method ProcAddressHijack.GetProcAddress ->7C801D53->61F03DAF
    03/10/2009 09:19:29 Hook kernel32.dll:LoadLibraryExA (582) blocked
    03/10/2009 09:19:29 >>> Functions LoadLibraryExA - preventing AVZ process from being intercepted by address replacement !!)
    03/10/2009 09:19:29 Function kernel32.dll:LoadLibraryExW (583) intercepted, method ProcAddressHijack.GetProcAddress ->7C801AF5->61F03E5A
    03/10/2009 09:19:29 Hook kernel32.dll:LoadLibraryExW (583) blocked
    03/10/2009 09:19:29 Function kernel32.dll:LoadLibraryW (584) intercepted, method ProcAddressHijack.GetProcAddress ->7C80AEEB->61F03D0C
    03/10/2009 09:19:29 Hook kernel32.dll:LoadLibraryW (584) blocked
    03/10/2009 09:19:29 IAT modification detected: LoadLibraryW - 00380010<>7C80AEEB
    03/10/2009 09:19:29 Analysis: ntdll.dll, export table found in section .text
    03/10/2009 09:19:29 Analysis: user32.dll, export table found in section .text
    03/10/2009 09:19:29 Analysis: advapi32.dll, export table found in section .text
    03/10/2009 09:19:29 Analysis: ws2_32.dll, export table found in section .text
    03/10/2009 09:19:29 Analysis: wininet.dll, export table found in section .text
    03/10/2009 09:19:30 Analysis: rasapi32.dll, export table found in section .text
    03/10/2009 09:19:30 Analysis: urlmon.dll, export table found in section .text
    03/10/2009 09:19:30 Analysis: netapi32.dll, export table found in section .text
    03/10/2009 09:19:32 1.2 Searching for kernel-mode API hooks
    03/10/2009 09:19:43 Driver loaded successfully
    03/10/2009 09:19:43 SDT found (RVA=083220)
    03/10/2009 09:19:43 Kernel ntoskrnl.exe found in memory at address 804D7000
    03/10/2009 09:19:43 SDT = 8055A220
    03/10/2009 09:19:43 KiST = 804E26A8 (284)
    03/10/2009 09:19:47 Function NtAdjustPrivilegesToken (0B) intercepted (8058D0AD->F66DE36E), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
    03/10/2009 09:19:47 >>> Function restored successfully !
    03/10/2009 09:19:47 >>> Hook code blocked
    03/10/2009 09:19:47 Function NtClose (19) intercepted (805678DD->F66DEA86), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
    03/10/2009 09:19:47 >>> Function restored successfully !
    03/10/2009 09:19:47 >>> Hook code blocked
    03/10/2009 09:19:47 Function NtConnectPort (1F) intercepted (805879F7->F66DF60C), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
    03/10/2009 09:19:47 >>> Function restored successfully !
    03/10/2009 09:19:47 >>> Hook code blocked
    03/10/2009 09:19:47 Function NtCreateEvent (23) intercepted (8056D57A->F66DFB40), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
    03/10/2009 09:19:47 >>> Function restored successfully !
    03/10/2009 09:19:47 >>> Hook code blocked
    03/10/2009 09:19:47 Function NtCreateFile (25) intercepted (8056CDC0->F66DED78), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
    03/10/2009 09:19:47 >>> Function restored successfully !
    03/10/2009 09:19:47 >>> Hook code blocked
    03/10/2009 09:19:47 Function NtCreateKey (29) intercepted (8057065D->F66DD460), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
    03/10/2009 09:19:48 >>> Function restored successfully !
    03/10/2009 09:19:48 >>> Hook code blocked
    03/10/2009 09:19:48 Function NtCreateMutant (2B) intercepted (80578037->F66DFA18), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
    03/10/2009 09:19:48 >>> Function restored successfully !
    03/10/2009 09:19:48 >>> Hook code blocked
    03/10/2009 09:19:48 Function NtCreateNamedPipeFile (2C) intercepted (80583F4B->F66DCD0A), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
    03/10/2009 09:19:48 >>> Function restored successfully !
    03/10/2009 09:19:48 >>> Hook code blocked
    03/10/2009 09:19:48 Function NtCreatePort (2E) intercepted (805975C1->F66DF8D4), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
    03/10/2009 09:19:48 >>> Function restored successfully !
    03/10/2009 09:19:48 >>> Hook code blocked
    03/10/2009 09:19:48 Function NtCreateSection (32) intercepted (805652B3->F66DE102), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
    03/10/2009 09:19:48 >>> Function restored successfully !
    03/10/2009 09:19:48 >>> Hook code blocked
    03/10/2009 09:19:48 Function NtCreateSemaphore (33) intercepted (8057243B->F66DFC72), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
    03/10/2009 09:19:48 >>> Function restored successfully !
    03/10/2009 09:19:48 >>> Hook code blocked
    03/10/2009 09:19:48 Function NtCreateSymbolicLinkObject (34) intercepted (8059F519->F66E140E), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
    03/10/2009 09:19:48 >>> Function restored successfully !
    03/10/2009 09:19:48 >>> Hook code blocked
    03/10/2009 09:19:48 Function NtCreateThread (35) intercepted (8058E64B->F66DE886), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
    03/10/2009 09:19:48 >>> Function restored successfully !
    03/10/2009 09:19:48 >>> Hook code blocked
    03/10/2009 09:19:48 Function NtCreateWaitablePort (38) intercepted (805DB134->F66DF976), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
    03/10/2009 09:19:48 >>> Function restored successfully !
    03/10/2009 09:19:48 >>> Hook code blocked
    03/10/2009 09:19:48 Function NtDeleteKey (3F) intercepted (805952CA->F66DDA20), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
    03/10/2009 09:19:48 >>> Function restored successfully !
    03/10/2009 09:19:48 >>> Hook code blocked
    03/10/2009 09:19:48 Function NtDeleteValueKey (41) intercepted (80592D5C->F66DDCF8), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
    03/10/2009 09:19:48 >>> Function restored successfully !
    03/10/2009 09:19:48 >>> Hook code blocked
    03/10/2009 09:19:48 Function NtDeviceIoControlFile (42) intercepted (8058EFB9->F66DF21C), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
    03/10/2009 09:19:48 >>> Function restored successfully !
    03/10/2009 09:19:48 >>> Hook code blocked
    03/10/2009 09:19:48 Function NtDuplicateObject (44) intercepted (805715E0->F66E1980), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
    03/10/2009 09:19:48 >>> Function restored successfully !
    03/10/2009 09:19:48 >>> Hook code blocked
    03/10/2009 09:19:48 Function NtEnumerateKey (47) intercepted (80570D64->F66DDE3A), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
    03/10/2009 09:19:48 >>> Function restored successfully !
    03/10/2009 09:19:48 >>> Hook code blocked
    03/10/2009 09:19:48 Function NtEnumerateValueKey (49) intercepted (80590677->F66DDEE4), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
    03/10/2009 09:19:48 >>> Function restored successfully !
    03/10/2009 09:19:48 >>> Hook code blocked
    03/10/2009 09:19:48 Function NtFsControlFile (54) intercepted (8057AAB5->F66DF016), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
    03/10/2009 09:19:48 >>> Function restored successfully !
    03/10/2009 09:19:48 >>> Hook code blocked
    03/10/2009 09:19:48 Function NtLoadDriver (61) intercepted (805A3B01->F66E0EA6), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
    03/10/2009 09:19:48 >>> Function restored successfully !
    03/10/2009 09:19:48 >>> Hook code blocked
    03/10/2009 09:19:48 Function NtLoadKey (62) intercepted (805AED6D->F66DD43C), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
    03/10/2009 09:19:48 >>> Function restored successfully !
    03/10/2009 09:19:48 >>> Hook code blocked
    03/10/2009 09:19:48 Function NtLoadKey2 (63) intercepted (805AEBAA->F66DD44E), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
    03/10/2009 09:19:48 >>> Function restored successfully !
    03/10/2009 09:19:48 >>> Hook code blocked
    03/10/2009 09:19:49 Function NtNotifyChangeKey (6F) intercepted (8058A699->F66DE030), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
    03/10/2009 09:19:49 >>> Function restored successfully !
    03/10/2009 09:19:49 >>> Hook code blocked
    03/10/2009 09:19:49 Function NtOpenEvent (72) intercepted (8057DCE7->F66DFBE2), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
    03/10/2009 09:19:49 >>> Function restored successfully !
    03/10/2009 09:19:49 >>> Hook code blocked
    03/10/2009 09:19:49 Function NtOpenFile (74) intercepted (8056CD5B->F66DEB08), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
    03/10/2009 09:19:49 >>> Function restored successfully !
    03/10/2009 09:19:49 >>> Hook code blocked
    03/10/2009 09:19:49 Function NtOpenKey (77) intercepted (80568D59->F66DD604), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
    03/10/2009 09:19:49 >>> Function restored successfully !
    03/10/2009 09:19:49 >>> Hook code blocked
    03/10/2009 09:19:49 Function NtOpenMutant (78) intercepted (805780E5->F66DFAB0), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
    03/10/2009 09:19:49 >>> Function restored successfully !
    03/10/2009 09:19:49 >>> Hook code blocked
    03/10/2009 09:19:49 Function NtOpenProcess (7A) intercepted (805717C7->F66DE56E), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
    03/10/2009 09:19:49 >>> Function restored successfully !
    03/10/2009 09:19:49 >>> Hook code blocked
    03/10/2009 09:19:49 Function NtOpenSection (7D) intercepted (80570FD7->F66E1438), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
    03/10/2009 09:19:49 >>> Function restored successfully !
    03/10/2009 09:19:49 >>> Hook code blocked
    03/10/2009 09:19:49 Function NtOpenSemaphore (7E) intercepted (8059EFD5->F66DFD14), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
    03/10/2009 09:19:49 >>> Function restored successfully !
    03/10/2009 09:19:49 >>> Hook code blocked
    03/10/2009 09:19:49 Function NtOpenThread (80) intercepted (8058A1C9->F66DE492), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
    03/10/2009 09:19:49 >>> Function restored successfully !
    03/10/2009 09:19:49 >>> Hook code blocked
    03/10/2009 09:19:49 Function NtQueryKey (A0) intercepted (80570A6D->F66DDF8E), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
    03/10/2009 09:19:49 >>> Function restored successfully !
    03/10/2009 09:19:49 >>> Hook code blocked
    03/10/2009 09:19:49 Function NtQueryMultipleValueKey (A1) intercepted (8064E300->F66DDBB6), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
    03/10/2009 09:19:49 >>> Function restored successfully !
    03/10/2009 09:19:49 >>> Hook code blocked
    03/10/2009 09:19:49 Function NtQueryValueKey (B1) intercepted (8056A1F2->F66DD8BC), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
    03/10/2009 09:19:49 >>> Function restored successfully !
    03/10/2009 09:19:49 >>> Hook code blocked
    03/10/2009 09:19:49 Function NtQueueApcThread (B4) intercepted (80591097->F66E1128), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
    03/10/2009 09:19:49 >>> Function restored successfully !
    03/10/2009 09:19:49 >>> Hook code blocked
    03/10/2009 09:19:50 Function NtRenameKey (C0) intercepted (8064E77C->F66DDB34), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
    03/10/2009 09:19:50 >>> Function restored successfully !
    03/10/2009 09:19:50 >>> Hook code blocked
    03/10/2009 09:19:50 Function NtReplaceKey (C1) intercepted (8064F0DC->F66DD0C2), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
    03/10/2009 09:19:50 >>> Function restored successfully !
    03/10/2009 09:19:50 >>> Hook code blocked
    03/10/2009 09:19:50 Function NtReplyPort (C2) intercepted (8057CCE4->F66E009E), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
    03/10/2009 09:19:50 >>> Function restored successfully !
    03/10/2009 09:19:50 >>> Hook code blocked
    03/10/2009 09:19:50 Function NtReplyWaitReceivePort (C3) intercepted (8056B82E->F66DFF64), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
    03/10/2009 09:19:50 >>> Function restored successfully !
    03/10/2009 09:19:50 >>> Hook code blocked
    03/10/2009 09:19:50 Function NtRequestWaitReplyPort (C8) intercepted (80576CE6->F66E0C30), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
    03/10/2009 09:19:50 >>> Function restored successfully !
    03/10/2009 09:19:50 >>> Hook code blocked
    03/10/2009 09:19:50 Function NtRestoreKey (CC) intercepted (8064EC71->F66DD224), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
    03/10/2009 09:19:50 >>> Function restored successfully !
    03/10/2009 09:19:50 >>> Hook code blocked
    03/10/2009 09:19:50 Function NtResumeThread (CE) intercepted (8058ECBE->F66E1860), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
    03/10/2009 09:19:50 >>> Function restored successfully !
    03/10/2009 09:19:50 >>> Hook code blocked
    03/10/2009 09:19:50 Function NtSaveKey (CF) intercepted (8064ED72->F66DCEC4), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
    03/10/2009 09:19:50 >>> Function restored successfully !
    03/10/2009 09:19:50 >>> Hook code blocked
    03/10/2009 09:19:50 Function NtSecureConnectPort (D2) intercepted (8058F4EA->F66DF312), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
    03/10/2009 09:19:50 >>> Function restored successfully !
    03/10/2009 09:19:50 >>> Hook code blocked
    03/10/2009 09:19:50 Function NtSetContextThread (D5) intercepted (8062DD17->F66DE984), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
    03/10/2009 09:19:50 >>> Function restored successfully !
    03/10/2009 09:19:50 >>> Hook code blocked
    03/10/2009 09:19:50 Function NtSetInformationToken (E6) intercepted (805A8700->F66E05F2), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
    03/10/2009 09:19:50 >>> Function restored successfully !
    03/10/2009 09:19:50 >>> Hook code blocked
    03/10/2009 09:19:50 Function NtSetSecurityObject (ED) intercepted (8059B1AB->F66E0FA0), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
    03/10/2009 09:19:50 >>> Function restored successfully !
    03/10/2009 09:19:50 >>> Hook code blocked
    03/10/2009 09:19:50 Function NtSetSystemInformation (F0) intercepted (805A7BED->F66E14C2), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
    03/10/2009 09:19:50 >>> Function restored successfully !
    03/10/2009 09:19:50 >>> Hook code blocked
    03/10/2009 09:19:50 Function NtSetValueKey (F7) intercepted (80572889->F66DD744), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
    03/10/2009 09:19:50 >>> Function restored successfully !
    03/10/2009 09:19:50 >>> Hook code blocked
    03/10/2009 09:19:50 Function NtSuspendProcess (FD) intercepted (8062F8F9->F66E15A6), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
    03/10/2009 09:19:51 >>> Function restored successfully !
    03/10/2009 09:19:51 >>> Hook code blocked
    03/10/2009 09:19:51 Function NtSuspendThread (FE) intercepted (805E046E->F66E16D2), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
    03/10/2009 09:19:51 >>> Function restored successfully !
    03/10/2009 09:19:51 >>> Hook code blocked
    03/10/2009 09:19:51 Function NtSystemDebugControl (FF) intercepted (80649CD9->F66E0DD2), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
    03/10/2009 09:19:51 >>> Function restored successfully !
    03/10/2009 09:19:51 >>> Hook code blocked
    03/10/2009 09:19:51 Function NtTerminateProcess (101) intercepted (805822EC->F66DE6EA), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
    03/10/2009 09:19:51 >>> Function restored successfully !
    03/10/2009 09:19:51 >>> Hook code blocked
    03/10/2009 09:19:51 Function NtTerminateThread (102) intercepted (8057B88F->F66DE63C), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
    03/10/2009 09:19:51 >>> Function restored successfully !
    03/10/2009 09:19:51 >>> Hook code blocked
    03/10/2009 09:19:51 Function NtWriteVirtualMemory (115) intercepted (8057E42A->F66DE7C8), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
    03/10/2009 09:19:51 >>> Function restored successfully !
    03/10/2009 09:19:51 >>> Hook code blocked
    03/10/2009 09:19:51 Function FsRtlCheckLockForReadAccess (80512919) - machine code modification Method of JmpTo. jmp F66D3424 \SystemRoot\system32\DRIVERS\klif.sys, driver recognized as trusted
    03/10/2009 09:19:51 >>> Function restored successfully !
    03/10/2009 09:19:52 Function IoIsOperationSynchronous (804E875A) - machine code modification Method of JmpTo. jmp F66D37DE \SystemRoot\system32\DRIVERS\klif.sys, driver recognized as trusted
    03/10/2009 09:19:52 >>> Function restored successfully !
    03/10/2009 09:19:55 Functions checked: 284, intercepted: 57, restored: 59
    03/10/2009 09:19:55 1.3 Checking IDT and SYSENTER
    03/10/2009 09:19:55 Analysis for CPU 1
    03/10/2009 09:19:55 Checking IDT and SYSENTER - complete
    03/10/2009 09:19:57 1.4 Searching for masking processes and drivers
    03/10/2009 09:19:57 Checking not performed: extended monitoring driver (AVZPM) is not installed
    03/10/2009 09:19:57 Driver loaded successfully
    03/10/2009 09:19:57 1.5 Checking of IRP handlers
    03/10/2009 09:19:57 Checking - complete
    03/10/2009 09:19:59 C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCP80.dll --> Suspicion for Keylogger or Trojan DLL
    03/10/2009 09:19:59 C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCP80.dll>>> Behavioral analysis
    03/10/2009 09:19:59 Behaviour typical for keyloggers not detected
    03/10/2009 09:19:59 C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll --> Suspicion for Keylogger or Trojan DLL
    03/10/2009 09:19:59 C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll>>> Behavioral analysis
    03/10/2009 09:19:59 Behaviour typical for keyloggers not detected
    03/10/2009 0905 C:\PROGRA~1\MYWEBS~1\bar\1.bin\f3hkstub.dll --> Suspicion for Keylogger or Trojan DLL
    03/10/2009 0905 C:\PROGRA~1\MYWEBS~1\bar\1.bin\f3hkstub.dll>>> Behavioral analysis
    03/10/2009 0905 1. Reacts to events: keyboard
    03/10/2009 0905 C:\PROGRA~1\MYWEBS~1\bar\1.bin\f3hkstub.dll>>> Neural net: file with probability 0.00% like a typical keyboard/mouse events interceptor
    03/10/2009 0905 C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoestb.dll --> Suspicion for Keylogger or Trojan DLL
    03/10/2009 0905 C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoestb.dll>>> Behavioral analysis
    03/10/2009 0905 Behaviour typical for keyloggers not detected
    03/10/2009 0908 Note: Do NOT delete suspicious files, send them for analysis (see FAQ for more details), because there are lots of useful hooking DLLs
    03/10/2009 0919 >>> C:\Program Files\MyWebSearch\bar\1.bin\MWSSRCAS.DLL HSC: suspicion for Spy.MyWay, AdvWare.GoWebSite (high degree of probability)
    03/10/2009 0919 >>> C:\Program Files\MyWebSearch\bar\1.bin\M3OUTLCN.DLL HSC: suspicion for Spy.MyWebSearch (high degree of probability)
    03/10/2009 0919 >>> C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL HSC: suspicion for Spy.MyWebSearch
    03/10/2009 0920 >>> C:\Program Files\MyWebSearch\bar\1.bin\MWSSRCAS.DLL HSC: suspicion for Spy.MyWebSearch
    03/10/2009 0935 Latent loading of libraries through AppInit_DLLs suspected: "C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll"
    03/10/2009 0937 >>> C:\autorun.inf HSC: suspicion for hidden autorun (high degree of probability)
    03/10/2009 0937 >>> D:\autorun.inf HSC: suspicion for hidden autorun (high degree of probability)
    03/10/2009 0937 >> Services: potentially dangerous service allowed: RemoteRegistry (Accès à distance au Registre)
    03/10/2009 0937 >> Services: potentially dangerous service allowed: TermService (Services Terminal Server)
    03/10/2009 0937 >> Services: potentially dangerous service allowed: SSDPSRV (Service de découvertes SSDP)
    03/10/2009 0937 >> Services: potentially dangerous service allowed: Schedule (Planificateur de tâches)
    03/10/2009 0937 >> Services: potentially dangerous service allowed: mnmsrvc (Partage de Bureau à distance NetMeeting)
    03/10/2009 0937 >> Services: potentially dangerous service allowed: RDSessMgr (Gestionnaire de session d'aide sur le Bureau à distance)
    03/10/2009 0937 > Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
    03/10/2009 0937 >> Security: disk drives' autorun is enabled
    03/10/2009 0938 >> Security: anonymous user access is enabled
    03/10/2009 0938 >> Security: terminal connections to the PC are allowed
    03/10/2009 0938 >> Security: sending Remote Assistant queries is enabled
    03/10/2009 0938 >> Security: automatic logon is enabled
    03/10/2009 0947 >> Explorer - folder properties access blocked
    03/10/2009 0948 >> Disable HDD autorun
    03/10/2009 0948 >> Disable autorun from network drives
    03/10/2009 0948 >> Disable CD/DVD autorun
    03/10/2009 0948 >> Disable removable media autorun
    03/10/2009 0948 System Analysis in progress
    03/10/2009 09:25:32 System Analysis - complete
    03/10/2009 09:25:32 Delete file:C:\Documents and Settings\Administrateur\Bureau\Virus Removal Tool\is-QRJVT\LOG\avptool_syscheck.htm
    03/10/2009 09:25:32 Delete file:C:\Documents and Settings\Administrateur\Bureau\Virus Removal Tool\is-QRJVT\LOG\avptool_syscheck.xml
    03/10/2009 09:25:33 Deleting service/driver: ute4ndyy
    03/10/2009 09:25:33 Delete file:C:\WINDOWS\system32\Drivers\ute4ndyy.sys
    03/10/2009 09:25:33 Deleting service/driver: uje4ndyy
    03/10/2009 09:25:33 Script executed without errors

  2. #2
    VIP Reputation, Aleksandra
    Registered
    13.01.2007
    Posts
    7,712
    Reputation weight
    2833
    Please read the rules here http://virusinfo.info/showthread.php?t=9184
    The heart decides whom to love... Fate decides whom to be with...
