AVZ Antiviral Toolkit log; AVZ version is 4.30
Scanning started at 7/7/2009 9:01:05 PM
Database loaded: signatures - 230644, NN profile(s) - 2, microprograms of healing - 56, signature database released 06.07.2009 21:03
Heuristic microprograms loaded: 372
SPV microprograms loaded: 9
Digital signatures of system files loaded: 125315
Heuristic analyzer mode: Medium heuristics level
Healing mode: disabled
Windows version: 5.1.2600, Service Pack 3 ; AVZ is launched with administrator rights
System Restore: enabled
1. Searching for Rootkits and programs intercepting API functions
1.1 Searching for user-mode API hooks
Analysis: kernel32.dll, export table found in section .text
Analysis: ntdll.dll, export table found in section .text
Analysis: user32.dll, export table found in section .text
Analysis: advapi32.dll, export table found in section .text
Analysis: ws2_32.dll, export table found in section .text
Analysis: wininet.dll, export table found in section .text
Analysis: rasapi32.dll, export table found in section .text
Analysis: urlmon.dll, export table found in section .text
Analysis: netapi32.dll, export table found in section .text
1.2 Searching for kernel-mode API hooks
Driver loaded successfully
SDT found (RVA=085700)
Kernel ntkrnlpa.exe found in memory at address 804D7000
SDT = 8055C700
KiST = 80504450 (284)
Function NtAdjustPrivilegesToken (0B) intercepted (805EBB32->B60DD35A), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtClose (19) intercepted (805BC4EC->B5EC16B8), hook C:\WINDOWS\System32\Drivers\aswSP.SYS, driver recognized as trusted
Function NtConnectPort (1F) intercepted (805A45B4->B60DE5EC), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtCreateEvent (23) intercepted (8060E602->B60DEB20), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtCreateFile (25) intercepted (80579084->B60DDD58), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtCreateKey (29) intercepted (80623786->B5EC1574), hook C:\WINDOWS\System32\Drivers\aswSP.SYS, driver recognized as trusted
Function NtCreateMutant (2B) intercepted (80616D52->B60DE9F8), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtCreateNamedPipeFile (2C) intercepted (805790BE->B60DBCF6), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtCreatePort (2E) intercepted (805A50D0->B60DE8B4), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtCreateSection (32) intercepted (805AB3AE->B60DD0EE), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtCreateSemaphore (33) intercepted (80614702->B60DEC52), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtCreateSymbolicLinkObject (34) intercepted (805C39B6->B60E03EE), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtCreateThread (35) intercepted (805D0FD4->B60DD866), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtCreateWaitablePort (38) intercepted (805A50F4->B60DE956), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtDeleteKey (3F) intercepted (80623C16->B60DCA0C), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtDeleteValueKey (41) intercepted (80623DE6->B5EC1A52), hook C:\WINDOWS\System32\Drivers\aswSP.SYS, driver recognized as trusted
Function NtDeviceIoControlFile (42) intercepted (8057924A->B60DE1FC), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtDuplicateObject (44) intercepted (805BDFC4->B5EC114C), hook C:\WINDOWS\System32\Drivers\aswSP.SYS, driver recognized as trusted
Function NtEnumerateKey (47) intercepted (80623FC6->B60DCE26), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtEnumerateValueKey (49) intercepted (80624230->B60DCED0), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtFsControlFile (54) intercepted (8057927E->B60DDFF6), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtLoadDriver (61) intercepted (8058413A->B60DFE86), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtLoadKey (62) intercepted (80625982->B60DC428), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtLoadKey2 (63) intercepted (8062558E->B60DC43A), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtNotifyChangeKey (6F) intercepted (8062594C->B60DD01C), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtOpenEvent (72) intercepted (8060E702->B60DEBC2), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtOpenFile (74) intercepted (8057A182->B60DDAE8), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtOpenKey (77) intercepted (80624B58->B5EC164E), hook C:\WINDOWS\System32\Drivers\aswSP.SYS, driver recognized as trusted
Function NtOpenMutant (78) intercepted (80616E2A->B60DEA90), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtOpenProcess (7A) intercepted (805CB3FC->B5EC108C), hook C:\WINDOWS\System32\Drivers\aswSP.SYS, driver recognized as trusted
Function NtOpenSection (7D) intercepted (805AA3D2->B60E0418), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtOpenSemaphore (7E) intercepted (806147FC->B60DECF4), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtOpenThread (80) intercepted (805CB688->B5EC10F0), hook C:\WINDOWS\System32\Drivers\aswSP.SYS, driver recognized as trusted
Function NtQueryKey (A0) intercepted (80624E7E->B60DCF7A), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtQueryMultipleValueKey (A1) intercepted (806228D4->B60DCBA2), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtQueryValueKey (B1) intercepted (806219BE->B5EC176E), hook C:\WINDOWS\System32\Drivers\aswSP.SYS, driver recognized as trusted
Function NtQueueApcThread (B4) intercepted (805D1232->B60E0108), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtRenameKey (C0) intercepted (806231A8->B60DCB20), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtReplaceKey (C1) intercepted (80625832->B60DC0AE), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtReplyPort (C2) intercepted (805A54D0->B60DF07E), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtReplyWaitReceivePort (C3) intercepted (805A6498->B60DEF44), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtRequestWaitReplyPort (C8) intercepted (805A2D5A->B60DFC10), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtRestoreKey (CC) intercepted (8062513E->B5EC172E), hook C:\WINDOWS\System32\Drivers\aswSP.SYS, driver recognized as trusted
Function NtResumeThread (CE) intercepted (805D4976->B60E0840), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtSaveKey (CF) intercepted (8062523A->B60DBEB0), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtSecureConnectPort (D2) intercepted (805A3D48->B60DE2F2), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtSetContextThread (D5) intercepted (805D16F6->B60DD964), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtSetInformationToken (E6) intercepted (805F9E60->B60DF5D2), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtSetSecurityObject (ED) intercepted (805C05EA->B60DFF80), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtSetSystemInformation (F0) intercepted (8060F3BA->B60E04A2), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtSetValueKey (F7) intercepted (80621D0C->B5EC18AE), hook C:\WINDOWS\System32\Drivers\aswSP.SYS, driver recognized as trusted
Function NtSuspendProcess (FD) intercepted (805D4A3E->B60E0586), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtSuspendThread (FE) intercepted (805D48B0->B60E06B2), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtSystemDebugControl (FF) intercepted (8061776E->B60DFDB2), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtTerminateProcess (101) intercepted (805D299E->B5F7DDF0), hook C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
Function NtTerminateThread (102) intercepted (805D2B98->B60DD628), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtWriteVirtualMemory (115) intercepted (805B4394->B60DD7A8), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function FsRtlCheckLockForReadAccess (804EAF74) - machine code modification Method of JmpTo. jmp B60D2410 \SystemRoot\system32\DRIVERS\klif.sys, driver recognized as trusted
Function IoIsOperationSynchronous (804EF902) - machine code modification Method of JmpTo. jmp B60D27CA \SystemRoot\system32\DRIVERS\klif.sys, driver recognized as trusted
Functions checked: 284, intercepted: 57, restored: 0
1.3 Checking IDT and SYSENTER
Analysis for CPU 1
Analysis for CPU 2
Checking IDT and SYSENTER - complete
1.4 Searching for masking processes and drivers
Checking not performed: extended monitoring driver (AVZPM) is not installed
Driver loaded successfully
1.5 Checking of IRP handlers
\FileSystem\ntfs[IRP_MJ_CREATE] = 8A56C1E8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_CLOSE] = 8A56C1E8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_WRITE] = 8A56C1E8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_QUERY_INFORMATION] = 8A56C1E8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_SET_INFORMATION] = 8A56C1E8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_QUERY_EA] = 8A56C1E8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_SET_EA] = 8A56C1E8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_QUERY_VOLUME_INFORMATION] = 8A56C1E8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_SET_VOLUME_INFORMATION] = 8A56C1E8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_DIRECTORY_CONTROL] = 8A56C1E8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_FILE_SYSTEM_CONTROL] = 8A56C1E8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_DEVICE_CONTROL] = 8A56C1E8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_LOCK_CONTROL] = 8A56C1E8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_QUERY_SECURITY] = 8A56C1E8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_SET_SECURITY] = 8A56C1E8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_PNP] = 8A56C1E8 -> hook not defined
Checking - complete
2. Scanning memory
Number of processes found: 33
Number of modules loaded: 372
Scanning memory - complete
3. Scanning disks
4. Checking Winsock Layered Service Provider (SPI/LSP)
LSP settings checked. No errors detected
5. Searching for keyboard/mouse/windows events hooks (Keyloggers, Trojan DLLs)
6. Searching for opened TCP/UDP ports used by malicious programs
Checking disabled by user
7. Heuristic system check
Checking - complete
8. Searching for vulnerabilities
>> Services: potentially dangerous service allowed: RemoteRegistry (Remote Registry)
>> Services: potentially dangerous service allowed: TermService (Terminal Services)
>> Services: potentially dangerous service allowed: SSDPSRV (SSDP Discovery Service)
>> Services: potentially dangerous service allowed: Schedule (Task Scheduler)
>> Services: potentially dangerous service allowed: mnmsrvc (NetMeeting Remote Desktop Sharing)
>> Services: potentially dangerous service allowed: RDSessMgr (Remote Desktop Help Session Manager)
> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
>> Security: administrative shares (C$, D$ ...) are enabled
>> Security: anonymous user access is enabled
>>> Security: Internet Explorer allows ActiveX, not marked as safe
>>> Security: block ActiveX not marked as safe in Internet Explorer
>>> Security: Internet Explorer allows unsigned ActiveX elements
>>> Security: Internet Explorer allows automatic queries of ActiveX administrative elements
>>> Security: Internet Explorer allows running files and applications in IFRAME window without asking user
>> Security: sending Remote Assistant queries is enabled
Checking - complete
9. Troubleshooting wizard
>> Internet Explorer - ActiveX, not marked as safe, are allowed
>> Internet Explorer - signed ActiveX elements are allowed without asking user
>> Internet Explorer -unsigned ActiveX elements are allowed
>> Internet Explorer - automatic queries of ActiveX operating elements are allowed
>> Internet Explorer - running programs and files in IFRAME window is allowed
>> HDD autorun are allowed
>> Autorun from network drives are allowed
>> Removable media autorun are allowed
Checking - complete
Files scanned: 405, extracted from archives: 0, malicious software found 0, suspicions - 0
Scanning finished at 7/7/2009 9:01:26 PM
Time of scanning: 00:00:22
If you have a suspicion on presence of viruses or questions on the suspected objects,
you can address
conference