AVZ Antiviral Toolkit log; AVZ version is 4.30
Scanning started at 7/7/2009 9:01:05 PM
Database loaded: signatures - 230644, NN profile(s) - 2, microprograms of healing - 56, signature database released 06.07.2009 21:03
Heuristic microprograms loaded: 372
SPV microprograms loaded: 9
Digital signatures of system files loaded: 125315
Heuristic analyzer mode: Medium heuristics level
Healing mode: disabled
Windows version: 5.1.2600, Service Pack 3 ; AVZ is launched with administrator rights
System Restore: enabled
1. Searching for Rootkits and programs intercepting API functions
1.1 Searching for user-mode API hooks
Analysis: kernel32.dll, export table found in section .text
Analysis: ntdll.dll, export table found in section .text
Analysis: user32.dll, export table found in section .text
Analysis: advapi32.dll, export table found in section .text
Analysis: ws2_32.dll, export table found in section .text
Analysis: wininet.dll, export table found in section .text
Analysis: rasapi32.dll, export table found in section .text
Analysis: urlmon.dll, export table found in section .text
Analysis: netapi32.dll, export table found in section .text
1.2 Searching for kernel-mode API hooks
Driver loaded successfully
SDT found (RVA=085700)
Kernel ntkrnlpa.exe found in memory at address 804D7000
SDT = 8055C700
KiST = 80504450 (284)
Function NtAdjustPrivilegesToken (0B) intercepted (805EBB32->B60DD35A), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtClose (19) intercepted (805BC4EC->B5EC16B8), hook C:\WINDOWS\System32\Drivers\aswSP.SYS, driver recognized as trusted
Function NtConnectPort (1F) intercepted (805A45B4->B60DE5EC), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtCreateEvent (23) intercepted (8060E602->B60DEB20), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtCreateFile (25) intercepted (80579084->B60DDD58), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtCreateKey (29) intercepted (80623786->B5EC1574), hook C:\WINDOWS\System32\Drivers\aswSP.SYS, driver recognized as trusted
Function NtCreateMutant (2B) intercepted (80616D52->B60DE9F8), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtCreateNamedPipeFile (2C) intercepted (805790BE->B60DBCF6), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtCreatePort (2E) intercepted (805A50D0->B60DE8B4), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtCreateSection (32) intercepted (805AB3AE->B60DD0EE), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtCreateSemaphore (33) intercepted (80614702->B60DEC52), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtCreateSymbolicLinkObject (34) intercepted (805C39B6->B60E03EE), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtCreateThread (35) intercepted (805D0FD4->B60DD866), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtCreateWaitablePort (38) intercepted (805A50F4->B60DE956), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtDeleteKey (3F) intercepted (80623C16->B60DCA0C), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtDeleteValueKey (41) intercepted (80623DE6->B5EC1A52), hook C:\WINDOWS\System32\Drivers\aswSP.SYS, driver recognized as trusted
Function NtDeviceIoControlFile (42) intercepted (8057924A->B60DE1FC), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtDuplicateObject (44) intercepted (805BDFC4->B5EC114C), hook C:\WINDOWS\System32\Drivers\aswSP.SYS, driver recognized as trusted
Function NtEnumerateKey (47) intercepted (80623FC6->B60DCE26), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtEnumerateValueKey (49) intercepted (80624230->B60DCED0), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtFsControlFile (54) intercepted (8057927E->B60DDFF6), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtLoadDriver (61) intercepted (8058413A->B60DFE86), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtLoadKey (62) intercepted (80625982->B60DC428), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtLoadKey2 (63) intercepted (8062558E->B60DC43A), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtNotifyChangeKey (6F) intercepted (8062594C->B60DD01C), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtOpenEvent (72) intercepted (8060E702->B60DEBC2), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtOpenFile (74) intercepted (8057A182->B60DDAE8), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtOpenKey (77) intercepted (80624B58->B5EC164E), hook C:\WINDOWS\System32\Drivers\aswSP.SYS, driver recognized as trusted
Function NtOpenMutant (78) intercepted (80616E2A->B60DEA90), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtOpenProcess (7A) intercepted (805CB3FC->B5EC108C), hook C:\WINDOWS\System32\Drivers\aswSP.SYS, driver recognized as trusted
Function NtOpenSection (7D) intercepted (805AA3D2->B60E0418), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtOpenSemaphore (7E) intercepted (806147FC->B60DECF4), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtOpenThread (80) intercepted (805CB688->B5EC10F0), hook C:\WINDOWS\System32\Drivers\aswSP.SYS, driver recognized as trusted
Function NtQueryKey (A0) intercepted (80624E7E->B60DCF7A), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtQueryMultipleValueKey (A1) intercepted (806228D4->B60DCBA2), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtQueryValueKey (B1) intercepted (806219BE->B5EC176E), hook C:\WINDOWS\System32\Drivers\aswSP.SYS, driver recognized as trusted
Function NtQueueApcThread (B4) intercepted (805D1232->B60E0108), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtRenameKey (C0) intercepted (806231A8->B60DCB20), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtReplaceKey (C1) intercepted (80625832->B60DC0AE), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtReplyPort (C2) intercepted (805A54D0->B60DF07E), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtReplyWaitReceivePort (C3) intercepted (805A6498->B60DEF44), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtRequestWaitReplyPort (C8) intercepted (805A2D5A->B60DFC10), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtRestoreKey (CC) intercepted (8062513E->B5EC172E), hook C:\WINDOWS\System32\Drivers\aswSP.SYS, driver recognized as trusted
Function NtResumeThread (CE) intercepted (805D4976->B60E0840), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtSaveKey (CF) intercepted (8062523A->B60DBEB0), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtSecureConnectPort (D2) intercepted (805A3D48->B60DE2F2), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtSetContextThread (D5) intercepted (805D16F6->B60DD964), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtSetInformationToken (E6) intercepted (805F9E60->B60DF5D2), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtSetSecurityObject (ED) intercepted (805C05EA->B60DFF80), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtSetSystemInformation (F0) intercepted (8060F3BA->B60E04A2), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtSetValueKey (F7) intercepted (80621D0C->B5EC18AE), hook C:\WINDOWS\System32\Drivers\aswSP.SYS, driver recognized as trusted
Function NtSuspendProcess (FD) intercepted (805D4A3E->B60E0586), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtSuspendThread (FE) intercepted (805D48B0->B60E06B2), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtSystemDebugControl (FF) intercepted (8061776E->B60DFDB2), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtTerminateProcess (101) intercepted (805D299E->B5F7DDF0), hook C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
Function NtTerminateThread (102) intercepted (805D2B98->B60DD628), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtWriteVirtualMemory (115) intercepted (805B4394->B60DD7A8), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function FsRtlCheckLockForReadAccess (804EAF74) - machine code modification Method of JmpTo. jmp B60D2410 \SystemRoot\system32\DRIVERS\klif.sys, driver recognized as trusted
Function IoIsOperationSynchronous (804EF902) - machine code modification Method of JmpTo. jmp B60D27CA \SystemRoot\system32\DRIVERS\klif.sys, driver recognized as trusted
Functions checked: 284, intercepted: 57, restored: 0
1.3 Checking IDT and SYSENTER
Analysis for CPU 1
Analysis for CPU 2
Checking IDT and SYSENTER - complete
1.4 Searching for masking processes and drivers
Checking not performed: extended monitoring driver (AVZPM) is not installed
Driver loaded successfully
1.5 Checking of IRP handlers
\FileSystem\ntfs[IRP_MJ_CREATE] = 8A56C1E8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_CLOSE] = 8A56C1E8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_WRITE] = 8A56C1E8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_QUERY_INFORMATION] = 8A56C1E8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_SET_INFORMATION] = 8A56C1E8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_QUERY_EA] = 8A56C1E8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_SET_EA] = 8A56C1E8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_QUERY_VOLUME_INFORMATION] = 8A56C1E8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_SET_VOLUME_INFORMATION] = 8A56C1E8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_DIRECTORY_CONTROL] = 8A56C1E8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_FILE_SYSTEM_CONTROL] = 8A56C1E8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_DEVICE_CONTROL] = 8A56C1E8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_LOCK_CONTROL] = 8A56C1E8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_QUERY_SECURITY] = 8A56C1E8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_SET_SECURITY] = 8A56C1E8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_PNP] = 8A56C1E8 -> hook not defined
Checking - complete
2. Scanning memory
Number of processes found: 33
Number of modules loaded: 372
Scanning memory - complete
3. Scanning disks
4. Checking Winsock Layered Service Provider (SPI/LSP)
LSP settings checked. No errors detected
5. Searching for keyboard/mouse/windows events hooks (Keyloggers, Trojan DLLs)
6. Searching for opened TCP/UDP ports used by malicious programs
Checking disabled by user
7. Heuristic system check
Checking - complete
8. Searching for vulnerabilities
>> Services: potentially dangerous service allowed: RemoteRegistry (Remote Registry)
>> Services: potentially dangerous service allowed: TermService (Terminal Services)
>> Services: potentially dangerous service allowed: SSDPSRV (SSDP Discovery Service)
>> Services: potentially dangerous service allowed: Schedule (Task Scheduler)
>> Services: potentially dangerous service allowed: mnmsrvc (NetMeeting Remote Desktop Sharing)
>> Services: potentially dangerous service allowed: RDSessMgr (Remote Desktop Help Session Manager)
> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
>> Security: administrative shares (C$, D$ ...) are enabled
>> Security: anonymous user access is enabled
>>> Security: Internet Explorer allows ActiveX, not marked as safe
>>> Security: block ActiveX not marked as safe in Internet Explorer
>>> Security: Internet Explorer allows unsigned ActiveX elements
>>> Security: Internet Explorer allows automatic queries of ActiveX administrative elements
>>> Security: Internet Explorer allows running files and applications in IFRAME window without asking user
>> Security: sending Remote Assistant queries is enabled
Checking - complete
9. Troubleshooting wizard
>> Internet Explorer - ActiveX, not marked as safe, are allowed
>> Internet Explorer - signed ActiveX elements are allowed without asking user
>> Internet Explorer -unsigned ActiveX elements are allowed
>> Internet Explorer - automatic queries of ActiveX operating elements are allowed
>> Internet Explorer - running programs and files in IFRAME window is allowed
>> HDD autorun are allowed
>> Autorun from network drives are allowed
>> Removable media autorun are allowed
Checking - complete
Files scanned: 405, extracted from archives: 0, malicious software found 0, suspicions - 0
Scanning finished at 7/7/2009 9:01:26 PM
Time of scanning: 00:00:22
If you have a suspicion on presence of viruses or questions on the suspected objects,
you can address
کد:
برای مشاهده محتوا ، لطفا وارد شوید یا ثبت نام کنید
conference
آکوستیک ، فوم شانه تخم مرغی، صداگیر ماینر ، یونولیت
مشکل عجیبی به نام Z-Connection
.gif "N Aggressive (14)")
محتوای مخفی: AVZ Antiviral Toolkit log
.gif "N Aggressive (11)")
قوانين ايجاد تاپيک در انجمن
جواب بصورت نقل قول
نوشته شده توسط hamed4393
.gif "N Aggressive (19)")
.gif "N Aggressive (27)")
.gif "N Aggressive (16)")