Results of system analysis

LSP settings checked. No errors detected

127.0.0.1       localhost

AVZ Antiviral Toolkit log; AVZ version is 4.29
Scanning started at 2/10/2008 10:06:39 AM
Database loaded: signatures - 149090, NN profile(s) - 2, microprograms of healing - 55, signature database released 09.02.2008 22:28
Heuristic microprograms loaded: 370
SPV microprograms loaded: 9
Digital signatures of system files loaded: 68697
Heuristic analyzer mode: Maximum heuristics level
Healing mode: disabled
Windows version: 5.0.2195, Service Pack 3 ; AVZ is launched with administrator rights
System Restore: enabled
1. Searching for Rootkits and programs intercepting API functions
 >>>> Probable masking of executable file's name 1340 superantispyware.exe, real name - SUPERAntiSpywar
1.1 Searching for user-mode API hooks
 Analysis: kernel32.dll, export table found in section .text
 Analysis: ntdll.dll, export table found in section .text
 Analysis: user32.dll, export table found in section .text
 Analysis: advapi32.dll, export table found in section .text
 Analysis: ws2_32.dll, export table found in section .text
 Analysis: wininet.dll, export table found in section .text
 Analysis: rasapi32.dll, export table found in section .text
 Analysis: urlmon.dll, export table found in section .text
 Analysis: netapi32.dll, export table found in section .text
1.2 Searching for kernel-mode API hooks
 Driver loaded successfully
 SDT found (RVA=080820)
 Kernel ntoskrnl.exe found in memory at address 80400000
   SDT = 80480820
   KiST = 80472128 (248)
Function NtConnectPort (1B) intercepted (804C5930->BE9E8E60), hook C:\WINNT\System32\vsdatant.sys, driver recognized as trusted
Function NtCreateFile (20) intercepted (804A6FB2->BE9E5820), hook C:\WINNT\System32\vsdatant.sys, driver recognized as trusted
Function NtCreateKey (23) intercepted (80511CAA->BE9F0690), hook C:\WINNT\System32\vsdatant.sys, driver recognized as trusted
Function NtCreatePort (28) intercepted (804C642C->BE9E91F0), hook C:\WINNT\System32\vsdatant.sys, driver recognized as trusted
Function NtCreateProcess (29) intercepted (804E20C4->BE9EF480), hook C:\WINNT\System32\vsdatant.sys, driver recognized as trusted
Function NtCreateSection (2B) intercepted (804CAF6A->BE9F2CE0), hook C:\WINNT\System32\vsdatant.sys, driver recognized as trusted
Function NtCreateWaitablePort (31) intercepted (804C644A->BE9E92D0), hook C:\WINNT\System32\vsdatant.sys, driver recognized as trusted
Function NtDeleteFile (34) intercepted (804A0D36->BE9E5EA0), hook C:\WINNT\System32\vsdatant.sys, driver recognized as trusted
Function NtDeleteKey (35) intercepted (8051206E->BE9F16A0), hook C:\WINNT\System32\vsdatant.sys, driver recognized as trusted
Function NtDeleteValueKey (37) intercepted (8051228A->BE9F12E0), hook C:\WINNT\System32\vsdatant.sys, driver recognized as trusted
Function NtDuplicateObject (3A) intercepted (804D6002->BE9EF1F0), hook C:\WINNT\System32\vsdatant.sys, driver recognized as trusted
Function NtLoadKey (56) intercepted (805140B0->BE9F19E0), hook C:\WINNT\System32\vsdatant.sys, driver recognized as trusted
Function NtOpenFile (64) intercepted (804A8256->BE9E5CF0), hook C:\WINNT\System32\vsdatant.sys, driver recognized as trusted
Function NtOpenProcess (6A) intercepted (804DE984->BE9EEF40), hook C:\WINNT\System32\vsdatant.sys, driver recognized as trusted
Function NtOpenThread (6F) intercepted (804DEC44->BE9EED60), hook C:\WINNT\System32\vsdatant.sys, driver recognized as trusted
Function NtReplaceKey (A9) intercepted (80514564->BE9F1CD0), hook C:\WINNT\System32\vsdatant.sys, driver recognized as trusted
Function NtRequestWaitReplyPort (B0) intercepted (804C4D48->BE9E8B00), hook C:\WINNT\System32\vsdatant.sys, driver recognized as trusted
Function NtRestoreKey (B4) intercepted (80513A56->BE9F1F80), hook C:\WINNT\System32\vsdatant.sys, driver recognized as trusted
Function NtSecureConnectPort (B8) intercepted (80433698->BE9E9010), hook C:\WINNT\System32\vsdatant.sys, driver recognized as trusted
Function NtSetInformationFile (C2) intercepted (804A91FA->BE9E6010), hook C:\WINNT\System32\vsdatant.sys, driver recognized as trusted
Function NtSetValueKey (D7) intercepted (80513DF4->BE9F0E67), hook C:\WINNT\System32\vsdatant.sys, driver recognized as trusted
Function NtTerminateProcess (E0) intercepted (804E312C->BE9EF8E0), hook C:\WINNT\System32\vsdatant.sys, driver recognized as trusted
Functions checked: 248, intercepted: 22, restored: 0
1.3 Checking IDT and SYSENTER
 Analysis for CPU 1
 Checking IDT and SYSENTER - complete
1.4 Searching for masking processes and drivers
 Checking not performed: extended monitoring driver (AVZPM) is not installed
2. Scanning memory
 Number of processes found: 29
Analyzer: process under analysis is 552 C:\WINNT\system32\LEXBCES.EXE
[ES]:Contains network functionality
[ES]:Application has no visible windows
[ES]:Located in system folder
Analyzer: process under analysis is 628 C:\WINNT\system32\LEXPPS.EXE
[ES]:Contains network functionality
[ES]:Application has no visible windows
[ES]:Located in system folder
[ES]:Loads RASAPI DLL - may use dialing ?
Analyzer: process under analysis is 1296 C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
[ES]:Application has no visible windows
[ES]:Registered in autoruns !!
Analyzer: process under analysis is 1316 C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
[ES]:Application has no visible windows
Analyzer: process under analysis is 1324 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
[ES]:Contains network functionality
[ES]:Application has no visible windows
[ES]:Registered in autoruns !!
 Number of modules loaded: 281
Scanning memory - complete
3. Scanning disks
4. Checking  Winsock Layered Service Provider (SPI/LSP)
 LSP settings checked. No errors detected
5. Searching for keyboard/mouse/windows events hooks (Keyloggers, Trojan DLLs)
6. Searching for opened TCP/UDP ports used by malicious programs
 Checking disabled by user
7. Heuristic system check
>>> C:\Program Files\WildTangent\Apps\CDA\CDALogger0402.dll HSC: suspicion for Spy.WindTangent
>>> C:\WINNT\wt\webdriver\4.1.1\webdriver.dll HSC: suspicion for Spy.WindTangent
Checking - complete
8. Searching for vulnerabilities
>> Services: potentially dangerous service allowed: RemoteRegistry (Remote Registry Service)
>> Services: potentially dangerous service allowed: TlntSvr (Telnet)
>> Services: potentially dangerous service allowed: Messenger (Messenger)
>> Services: potentially dangerous service allowed: Alerter (Alerter)
>> Services: potentially dangerous service allowed: Schedule (Task Scheduler)
>> Services: potentially dangerous service allowed: mnmsrvc (NetMeeting Remote Desktop Sharing)
> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
>> Security: disk drives' autorun is enabled
>> Security: administrative shares (C$, D$ ...) are enabled
>> Security: anonymous user access is enabled
>>> Security: Internet Explorer allows automatic queries of ActiveX administrative elements
>> Security: terminal connections to the PC are allowed
>> Security: sending Remote Assistant queries is enabled
Checking - complete
9. Troubleshooting wizard
 >>  Internet Explorer - automatic queries of ActiveX operating elements are allowed
Checking - complete
Files scanned: 310, extracted from archives: 0, malicious software found 0, suspicions - 0
Scanning finished at 2/10/2008 10:07:21 AM
Time of scanning: 00:00:44
If you have a suspicion on presence of viruses or questions on the suspected objects,
you can address http://virusinfo.info conference
System Analysis in progress


Script commands
 
Add commands to script:
Blocking hooks using Anti-Rootkit
Enable AVZGuard
BootCleaner - import list of deleted files
Registry cleanup after deleting files
BootCleaner - activate
Reboot
Insert template for QuarantineFile() - quarantining file
Insert template for BC_QrFile() - quarantining file via BootCleaner
Insert template for DeleteFile() - deleting file
Insert template for DelCLSID() - deleting CLSID item from registry
Additional operations:
Performance tweaking: disable service RemoteRegistry (Remote Registry Service)
Performance tweaking: disable service TlntSvr (Telnet)
Performance tweaking: disable service Messenger (Messenger)
Performance tweaking: disable service Alerter (Alerter)
Performance tweaking: disable service Schedule (Task Scheduler)
Performance tweaking: disable service mnmsrvc (NetMeeting Remote Desktop Sharing)
Security tweaking: disable CD autorun
Security tweaking: disable administrative shares
Security tweaking: disable anonymous user access
Security: block automatic queries of ActiveX administrative elements in Internet Explorer
Security: prevent terminal connections to the PC
Security: disable sending Remote Assistant queries

File list