Anonymous / 8 years, 1 month ago
AVZ Antiviral Toolkit log; AVZ version is 4.32
Scanning started at 2009-10-17 19:27:05
Database loaded: signatures - 245017, NN profile(s) - 2, malware removal microprograms - 56, signature database released 16.10.2009 10:16
Heuristic microprograms loaded: 374
PVS microprograms loaded: 9
Digital signatures of system files loaded: 148521
Heuristic analyzer mode: Maximum heuristics mode
Malware removal mode: disabled
Windows version is: 5.1.2600, Dodatek Service Pack 2 ; AVZ is run with administrator rights
System Restore: enabled
1. Searching for Rootkits and other software intercepting API functions
1.1 Searching for user-mode API hooks
 Analysis: kernel32.dll, export table found in section .text
 Analysis: ntdll.dll, export table found in section .text
 Analysis: user32.dll, export table found in section .text
 Analysis: advapi32.dll, export table found in section .text
 Analysis: ws2_32.dll, export table found in section .text
 Analysis: wininet.dll, export table found in section .text
 Analysis: rasapi32.dll, export table found in section .text
 Analysis: urlmon.dll, export table found in section .text
 Analysis: netapi32.dll, export table found in section .text
1.2 Searching for kernel-mode API hooks
 Driver loaded successfully
 SDT found (RVA=0846E0)
 Kernel ntkrnlpa.exe found in memory at address 804D7000
   SDT = 8055B6E0
   KiST = 80503734 (284)
Function NtClose (19) intercepted (805BAEB4->B71606B8), hook C:\WINDOWS\System32\Drivers\aswSP.SYS, driver recognized as trusted
Function NtConnectPort (1F) intercepted (805A2FF4->B7309040), hook C:\WINDOWS\System32\vsdatant.sys, driver recognized as trusted
Function NtCreateFile (25) intercepted (80577E5E->B7305930), hook C:\WINDOWS\System32\vsdatant.sys, driver recognized as trusted
Function NtCreateKey (29) intercepted (80622048->BA6CE514), hook C:\WINDOWS\system32\Drivers\PCTCore.sys, driver recognized as trusted
Function NtCreatePort (2E) intercepted (805A3B10->B7309510), hook C:\WINDOWS\System32\vsdatant.sys, driver recognized as trusted
Function NtCreateProcess (2F) intercepted (805CFA1C->B730F870), hook C:\WINDOWS\System32\vsdatant.sys, driver recognized as trusted
Function NtCreateProcessEx (30) intercepted (805CF966->B730FAA0), hook C:\WINDOWS\System32\vsdatant.sys, driver recognized as trusted
Function NtCreateSection (32) intercepted (805A9DEE->B7312FD0), hook C:\WINDOWS\System32\vsdatant.sys, driver recognized as trusted
Function NtCreateWaitablePort (38) intercepted (805A3B34->B7309600), hook C:\WINDOWS\System32\vsdatant.sys, driver recognized as trusted
Function NtDeleteFile (3E) intercepted (80575A46->B7305F20), hook C:\WINDOWS\System32\vsdatant.sys, driver recognized as trusted
Function NtDeleteKey (3F) intercepted (806224D8->BA6CED00), hook C:\WINDOWS\system32\Drivers\PCTCore.sys, driver recognized as trusted
Function NtDeleteValueKey (41) intercepted (806226A8->BA6CEFB8), hook C:\WINDOWS\system32\Drivers\PCTCore.sys, driver recognized as trusted
Function NtDuplicateObject (44) intercepted (805BC890->B730F580), hook C:\WINDOWS\System32\vsdatant.sys, driver recognized as trusted
Function NtLoadKey (62) intercepted (80623D78->B73118B0), hook C:\WINDOWS\System32\vsdatant.sys, driver recognized as trusted
Function NtOpenFile (74) intercepted (80578F5C->B7305D70), hook C:\WINDOWS\System32\vsdatant.sys, driver recognized as trusted
Function NtOpenKey (77) intercepted (806233DE->BA6CD3FA), hook C:\WINDOWS\system32\Drivers\PCTCore.sys, driver recognized as trusted
Function NtOpenProcess (7A) intercepted (805C9C46->B730F350), hook C:\WINDOWS\System32\vsdatant.sys, driver recognized as trusted
Function NtOpenThread (80) intercepted (805C9ED2->B730F150), hook C:\WINDOWS\System32\vsdatant.sys, driver recognized as trusted
Function NtQueryValueKey (B1) intercepted (80620102->B716076E), hook C:\WINDOWS\System32\Drivers\aswSP.SYS, driver recognized as trusted
Function NtRenameKey (C0) intercepted (80621A6E->BA6CF422), hook C:\WINDOWS\system32\Drivers\PCTCore.sys, driver recognized as trusted
Function NtReplaceKey (C1) intercepted (80623C28->B7311CB0), hook C:\WINDOWS\System32\vsdatant.sys, driver recognized as trusted
Function NtRequestWaitReplyPort (C8) intercepted (805A179A->B7308C00), hook C:\WINDOWS\System32\vsdatant.sys, driver recognized as trusted
Function NtRestoreKey (CC) intercepted (80620450->B716072E), hook C:\WINDOWS\System32\Drivers\aswSP.SYS, driver recognized as trusted
Function NtSecureConnectPort (D2) intercepted (805A2788->B7309220), hook C:\WINDOWS\System32\vsdatant.sys, driver recognized as trusted
Function NtSetInformationFile (E0) intercepted (80579DC4->B7306120), hook C:\WINDOWS\System32\vsdatant.sys, driver recognized as trusted
Function NtSetValueKey (F7) intercepted (80620708->BA6CE7D8), hook C:\WINDOWS\system32\Drivers\PCTCore.sys, driver recognized as trusted
Function NtTerminateProcess (101) intercepted (805D1170->B730FCD0), hook C:\WINDOWS\System32\vsdatant.sys, driver recognized as trusted
Functions checked: 284, intercepted: 27, restored: 0
1.3 Checking IDT and SYSENTER
 Analyzing CPU 1
 Analyzing CPU 2
 Checking IDT and SYSENTER - complete
1.4 Searching for masking processes and drivers
 Checking not performed: extended monitoring driver (AVZPM) is not installed
 Driver loaded successfully
1.5 Checking IRP handlers
\driver\tcpip[IRP_MJ_CREATE] = B731AC20 -> C:\WINDOWS\System32\vsdatant.sys, driver recognized as trusted
\driver\tcpip[IRP_MJ_CLOSE] = B731AC20 -> C:\WINDOWS\System32\vsdatant.sys, driver recognized as trusted
\driver\tcpip[IRP_MJ_DEVICE_CONTROL] = B731AC20 -> C:\WINDOWS\System32\vsdatant.sys, driver recognized as trusted
\driver\tcpip[IRP_MJ_INTERNAL_DEVICE_CONTROL] = B731AC20 -> C:\WINDOWS\System32\vsdatant.sys, driver recognized as trusted
\driver\tcpip[IRP_MJ_CLEANUP] = B731AC20 -> C:\WINDOWS\System32\vsdatant.sys, driver recognized as trusted
 Checking - complete
2. Scanning RAM
 Number of processes found: 33
 Number of modules loaded: 514
Scanning RAM - complete
3. Scanning disks
4. Checking  Winsock Layered Service Provider (SPI/LSP)
 LSP settings checked. No errors detected
5. Searching for keyboard/mouse/windows events hooks (Keyloggers, Trojan DLLs)
C:\Gadu-Gadu\ggwhook.dll --> Suspicion for Keylogger or Trojan DLL
C:\Gadu-Gadu\ggwhook.dll>>> Behaviour analysis 
  1. Reacts to events: keyboard
C:\Gadu-Gadu\ggwhook.dll>>> Neural net: file is 0.00% like a typical keyboard/mouse events interceptor
Note: Do NOT delete suspicious files, send them for analysis  (see FAQ for more details),  because there are lots of useful hooking DLLs
6. Searching for opened TCP/UDP ports used by malicious software
 Checking - disabled by user
7. Heuristic system check
Checking - complete
8. Searching for vulnerabilities
>> Services: potentially dangerous service allowed: RemoteRegistry (Rejestr zdalny)
>> Services: potentially dangerous service allowed: TermService (Usługi terminalowe)
>> Services: potentially dangerous service allowed: SSDPSRV (Usługa odnajdywania SSDP)
>> Services: potentially dangerous service allowed: Schedule (Harmonogram zadań)
>> Services: potentially dangerous service allowed: mnmsrvc (NetMeeting Remote Desktop Sharing)
>> Services: potentially dangerous service allowed: RDSessMgr (Menedżer sesji pomocy pulpitu zdalnego)
> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
>> Security: disk drives' autorun is enabled
>> Security: administrative shares (C$, D$ ...) are enabled
>> Security: anonymous user access is enabled
>> Security: sending Remote Assistant queries is enabled
Checking - complete
9. Troubleshooting wizard
 >>  HDD autorun is allowed
 >>  Network drives autorun is allowed
 >>  Removable media autorun is allowed
Checking - complete
Files scanned: 12873, extracted from archives: 86, malicious software found 0, suspicions - 0
Scanning finished at 2009-10-17 19:31:20
Time of scanning: 00:04:16
If you have a suspicion on presence of viruses or questions on the suspected objects,
you can address http://virusinfo.info conference
System Analysis in progress
System Analysis - complete