AVZ 4.30 http://z-oleg.com/secur/avz/
| File name | PID | Description | Copyright | MD5 | Information
| c:\program files\lavasoft\ad-aware\aawservice.exe | Script: Quarantine, Delete, BC delete, Terminate 1848 | Ad-Aware Service | Copyright (C) 2008 | ?? | 597.33 kb, rsAh, | created: 5/12/2008 12:38:28 PM, modified: 6/17/2008 7:37:03 PM Command line: "C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe" c:\windows\system32\alg.exe | Script: Quarantine, Delete, BC delete, Terminate 2512 | Application Layer Gateway Service | © Microsoft Corporation. All rights reserved. | ?? | 43.50 kb, rsAh, | created: 8/4/2004 8:00:00 AM, modified: 8/4/2004 8:00:00 AM Command line: C:\WINDOWS\System32\alg.exe c:\program files\panda security\panda internet security 2008\apvxdwin.exe | Script: Quarantine, Delete, BC delete, Terminate 1416 | Platinum permanent protection | © Panda 2007 | ?? | 397.30 kb, rsAh, | created: 11/23/2007 9:30:59 AM, modified: 7/23/2007 7:30:42 PM Command line: "C:\Program Files\Panda Security\Panda Internet Security 2008\APVXDWIN.EXE" /s c:\program files\panda security\panda internet security 2008\avengine.exe | Script: Quarantine, Delete, BC delete, Terminate 1540 | Enhanced On-Access Anti-Malware Protection. | © Panda Software 2007 | ?? | 94.30 kb, rsAh, | created: 11/23/2007 9:30:11 AM, modified: 7/6/2007 3:14:10 PM Command line: "C:\Program Files\Panda Security\Panda Internet Security 2008\AVENGINE.EXE" c:\documents and settings\barry\desktop\avz4\avz.exe | Script: Quarantine, Delete, BC delete, Terminate 3572 | ???????????? ??????? AVZ | ???????????? ??????? AVZ | ?? | 716.50 kb, rsAh, | created: 6/21/2008 1:00:10 PM, modified: 4/6/2008 5:22:00 PM Command line: "C:\Documents and Settings\Barry\Desktop\avz4\avz.exe" c:\program files\common files\logishrd\lqcvfx\cocimanager.exe | Script: Quarantine, Delete, BC delete, Terminate 3500 | Camera Control Interface | (c) 1996-2007 Logitech. All rights reserved. | ?? | 394.27 kb, rsAh, | created: 7/25/2007 5:02:32 PM, modified: 7/25/2007 5:02:32 PM Command line: "C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe" -Embedding c:\program files\common files\logishrd\lcommgr\communications_helper.exe | Script: Quarantine, Delete, BC delete, Terminate 1616 | | | ?? | 550.77 kb, rsAh, | created: 7/25/2007 5:02:54 PM, modified: 7/25/2007 5:02:54 PM Command line: "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" c:\windows\system32\csrss.exe | Script: Quarantine, Delete, BC delete, Terminate 1024 | Client Server Runtime Process | © Microsoft Corporation. All rights reserved. | ?? | 6.00 kb, rsAh, | created: 8/4/2004 8:00:00 AM, modified: 8/4/2004 8:00:00 AM Command line: C:\WINDOWS\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16 c:\windows\system32\ctfmon.exe | Script: Quarantine, Delete, BC delete, Terminate 648 | CTF Loader | © Microsoft Corporation. All rights reserved. | ?? | 15.00 kb, rsAh, | created: 8/4/2004 8:00:00 AM, modified: 8/4/2004 8:00:00 AM Command line: "C:\WINDOWS\system32\ctfmon.exe" c:\windows\explorer.exe | Script: Quarantine, Delete, BC delete, Terminate 492 | Windows Explorer | © Microsoft Corporation. All rights reserved. | ?? | 1009.00 kb, rsAh, | created: 8/4/2004 8:00:00 AM, modified: 6/13/2007 6:23:07 AM Command line: C:\WINDOWS\Explorer.EXE c:\program files\mozilla firefox\firefox.exe | Script: Quarantine, Delete, BC delete, Terminate 3544 | Firefox | Mozilla Corporation | ?? | 7481.11 kb, rsAh, | created: 12/29/2006 10:10:05 AM, modified: 4/17/2008 4:42:15 PM Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" c:\program files\java\jre1.6.0_05\bin\jusched.exe | Script: Quarantine, Delete, BC delete, Terminate 1788 | Java(TM) Platform SE binary | Copyright © 2004 | ?? | 141.39 kb, rsAh, | created: 4/18/2008 6:47:26 AM, modified: 2/22/2008 4:25:21 AM Command line: "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" c:\windows\system32\lsass.exe | Script: Quarantine, Delete, BC delete, Terminate 1104 | LSA Shell (Export Version) | © Microsoft Corporation. All rights reserved. | ?? | 13.00 kb, rsAh, | created: 8/4/2004 8:00:00 AM, modified: 8/4/2004 8:00:00 AM Command line: C:\WINDOWS\system32\lsass.exe c:\program files\common files\logishrd\lvcomser\lvcomser.exe | Script: Quarantine, Delete, BC delete, Terminate 1668 | Logitech Video COM Service | (c) 1996-2007 Logitech. All rights reserved. | ?? | 182.52 kb, rsAh, | created: 7/20/2007 1:38:54 AM, modified: 7/20/2007 1:38:54 AM Command line: "C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe" c:\program files\common files\microsoft shared\vs7debug\mdm.exe | Script: Quarantine, Delete, BC delete, Terminate 1916 | Machine Debug Manager | © Microsoft Corporation. All rights reserved. | ?? | 314.57 kb, rsAh, | created: 6/20/2003 12:25:00 AM, modified: 6/20/2003 12:25:00 AM Command line: "C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE" c:\program files\panda security\panda internet security 2008\pavbckpt.exe | Script: Quarantine, Delete, BC delete, Terminate 3216 | PavBckPT Aplicación | © Panda Software 2007 | ?? | 109.30 kb, rsAh, | created: 11/23/2007 9:30:44 AM, modified: 7/26/2007 8:47:30 AM Command line: "C:\Program Files\Panda Security\Panda Internet Security 2008\PavBckPT.exe" C:\Program Files\Panda Security\Panda Internet Security 2008\ c:\program files\panda security\panda internet security 2008\pavfnsvr.exe | Script: Quarantine, Delete, BC delete, Terminate 280 | Panda Function Service | © Panda 2007 | ?? | 169.30 kb, rsAh, | created: 11/23/2007 9:30:37 AM, modified: 7/12/2007 12:47:26 PM Command line: "C:\Program Files\Panda Security\Panda Internet Security 2008\PavFnSvr.exe" c:\program files\common files\panda software\pavshld\pavprsrv.exe | Script: Quarantine, Delete, BC delete, Terminate 1476 | Panda Process Protection Service | Copyright © Panda Software International 2007 | ?? | 61.55 kb, rsAh, | created: 11/23/2007 9:22:14 AM, modified: 6/14/2007 11:38:02 AM Command line: "C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe" c:\program files\panda security\panda internet security 2008\pavsrv51.exe | Script: Quarantine, Delete, BC delete, Terminate 1896 | Enhanced On-Access Anti-Malware Service. | © Panda Software 2007 | ?? | 144.80 kb, rsAh, | created: 11/23/2007 9:30:14 AM, modified: 7/16/2007 4:14:22 PM Command line: "C:\Program Files\Panda Security\Panda Internet Security 2008\pavsrv51.exe" c:\program files\spyware doctor\pctsauxs.exe | Script: Quarantine, Delete, BC delete, Terminate 2564 | PC Tools Auxiliary Service | Copyright 2008 PC Tools. All rights reserved. | ?? | 329.88 kb, rsAh, | created: 5/25/2008 8:41:35 PM, modified: 4/10/2008 3:14:26 PM Command line: "C:\Program Files\Spyware Doctor\pctsAuxs.exe" c:\program files\spyware doctor\pctssvc.exe | Script: Quarantine, Delete, BC delete, Terminate 2780 | PC Tools Security Service | Copyright © 2008 PC Tools. All rights reserved. | ?? | 993.38 kb, rsAh, | created: 5/25/2008 8:41:35 PM, modified: 4/17/2008 2:19:02 PM Command line: "C:\Program Files\Spyware Doctor\pctsSvc.exe" c:\program files\spyware doctor\pctstray.exe | Script: Quarantine, Delete, BC delete, Terminate 2020 | PC Tools Tray Application | Copyright © 2008 PC Tools. All rights reserved. | ?? | 1081.88 kb, rsAh, | created: 5/25/2008 8:41:34 PM, modified: 4/10/2008 3:14:30 PM Command line: "C:\Program Files\Spyware Doctor\pctsTray.exe" c:\program files\panda security\panda internet security 2008\psctrls.exe | Script: Quarantine, Delete, BC delete, Terminate 680 | Panda Software Controler | © Panda 2007 | ?? | 165.30 kb, rsAh, | created: 11/23/2007 9:31:49 AM, modified: 7/12/2007 12:47:30 PM Command line: "C:\Program Files\Panda Security\Panda Internet Security 2008\PsCtrls.exe" c:\program files\panda security\panda internet security 2008\firewall\pshost.exe | Script: Quarantine, Delete, BC delete, Terminate 140 | Panda Host Service | Copyright © 2007 Panda Software | ?? | 221.55 kb, rsAh, | created: 11/23/2007 9:30:23 AM, modified: 4/4/2007 12:45:08 PM Command line: "c:\program files\panda security\panda internet security 2008\firewall\PSHOST.EXE" c:\program files\panda security\panda internet security 2008\psimsvc.exe | Script: Quarantine, Delete, BC delete, Terminate 2156 | Panda Interface Manager Service | © Panda Software 2007 | ?? | 106.05 kb, rsAh, | created: 11/23/2007 9:30:53 AM, modified: 5/24/2007 11:31:26 AM Command line: "C:\Program Files\Panda Security\Panda Internet Security 2008\PsImSvc.exe" c:\program files\panda security\panda internet security 2008\antispam\pskmssvc.exe | Script: Quarantine, Delete, BC delete, Terminate 1232 | Anti-malware protection service library executable | © Panda Software 2007 | ?? | 65.55 kb, rsAh, | created: 11/23/2007 9:30:32 AM, modified: 1/15/2007 3:42:16 PM Command line: "C:\Program Files\Panda Security\Panda Internet Security 2008\AntiSpam\pskmssvc.exe" c:\program files\logitech\quickcam\quickcam.exe | Script: Quarantine, Delete, BC delete, Terminate 1760 | | | ?? | 1980.27 kb, rsAh, | created: 7/25/2007 5:06:30 PM, modified: 7/25/2007 5:06:30 PM Command line: "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide c:\windows\runservice.exe | Script: Quarantine, Delete, BC delete, Terminate 224 | | | ?? | 2.50 kb, rsAh, | created: 3/18/2007 11:31:50 AM, modified: 3/18/2007 11:31:50 AM Command line: C:\WINDOWS\runservice.exe c:\windows\system32\services.exe | Script: Quarantine, Delete, BC delete, Terminate 1092 | Services and Controller app | © Microsoft Corporation. All rights reserved. | ?? | 105.50 kb, rsAh, | created: 8/4/2004 8:00:00 AM, modified: 8/4/2004 8:00:00 AM Command line: C:\WINDOWS\system32\services.exe c:\windows\system32\spoolsv.exe | Script: Quarantine, Delete, BC delete, Terminate 632 | Spooler SubSystem App | © Microsoft Corporation. All rights reserved. | ?? | 56.50 kb, rsAh, | created: 8/4/2004 8:00:00 AM, modified: 6/10/2005 7:53:32 PM Command line: C:\WINDOWS\system32\spoolsv.exe c:\program files\panda security\panda internet security 2008\srvload.exe | Script: Quarantine, Delete, BC delete, Terminate 2040 | Panda AntiSpam Trainer | © Panda Software 2008 | ?? | 89.30 kb, rsAh, | created: 11/23/2007 9:30:18 AM, modified: 6/20/2007 1:32:28 PM Command line: C:\Program Files\Panda Security\Panda Internet Security 2008\SRVLOAD.EXE c:\windows\system32\svchost.exe | Script: Quarantine, Delete, BC delete, Terminate 1468 | Generic Host Process for Win32 Services | © Microsoft Corporation. All rights reserved. | ?? | 14.00 kb, rsAh, | created: 8/4/2004 8:00:00 AM, modified: 8/4/2004 8:00:00 AM Command line: C:\WINDOWS\system32\svchost.exe -k netsvcs c:\windows\system32\svchost.exe | Script: Quarantine, Delete, BC delete, Terminate 1708 | Generic Host Process for Win32 Services | © Microsoft Corporation. All rights reserved. | ?? | 14.00 kb, rsAh, | created: 8/4/2004 8:00:00 AM, modified: 8/4/2004 8:00:00 AM Command line: C:\WINDOWS\system32\svchost.exe -k NetworkService c:\windows\system32\svchost.exe | Script: Quarantine, Delete, BC delete, Terminate 964 | Generic Host Process for Win32 Services | © Microsoft Corporation. All rights reserved. | ?? | 14.00 kb, rsAh, | created: 8/4/2004 8:00:00 AM, modified: 8/4/2004 8:00:00 AM Command line: C:\WINDOWS\system32\svchost.exe -k LocalService c:\windows\system32\svchost.exe | Script: Quarantine, Delete, BC delete, Terminate 1268 | Generic Host Process for Win32 Services | © Microsoft Corporation. All rights reserved. | ?? | 14.00 kb, rsAh, | created: 8/4/2004 8:00:00 AM, modified: 8/4/2004 8:00:00 AM Command line: C:\WINDOWS\system32\svchost -k DcomLaunch c:\windows\system32\svchost.exe | Script: Quarantine, Delete, BC delete, Terminate 1344 | Generic Host Process for Win32 Services | © Microsoft Corporation. All rights reserved. | ?? | 14.00 kb, rsAh, | created: 8/4/2004 8:00:00 AM, modified: 8/4/2004 8:00:00 AM Command line: C:\WINDOWS\system32\svchost -k rpcss c:\windows\system32\svchost.exe | Script: Quarantine, Delete, BC delete, Terminate 4004 | Generic Host Process for Win32 Services | © Microsoft Corporation. All rights reserved. | ?? | 14.00 kb, rsAh, | created: 8/4/2004 8:00:00 AM, modified: 8/4/2004 8:00:00 AM Command line: C:\WINDOWS\system32\svchost.exe -k imgsvc c:\program files\spybot - search & destroy\teatimer.exe | Script: Quarantine, Delete, BC delete, Terminate 752 | System settings protector | © 2000-2008 Safer Networking Limited. Alle Rechte vorbehalten. | ?? | 2048.33 kb, RSAH, | created: 6/17/2008 7:17:32 PM, modified: 1/28/2008 11:43:40 AM Command line: "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" c:\program files\panda security\panda internet security 2008\tpsrv.exe | Script: Quarantine, Delete, BC delete, Terminate 1496 | TPSrv Application | © Panda Software 2007 | ?? | 395.30 kb, rsAh, | created: 11/23/2007 9:30:38 AM, modified: 7/2/2007 1:14:38 PM Command line: "C:\Program Files\Panda Security\Panda Internet Security 2008\TPSrv.exe" c:\program files\panda security\panda internet security 2008\webproxy.exe | Script: Quarantine, Delete, BC delete, Terminate 2396 | Internet resident proxy | © Panda Software 2007 | ?? | 81.55 kb, rsAh, | created: 11/23/2007 9:30:19 AM, modified: 6/7/2007 5:29:22 PM Command line: "C:\Program Files\Panda Security\Panda Internet Security 2008\WebProxy.exe" oso_XGCGLR c:\windows\system32\winlogon.exe | Script: Quarantine, Delete, BC delete, Terminate 1048 | Windows NT Logon Application | © Microsoft Corporation. All rights reserved. | ?? | 490.50 kb, rsAh, | created: 8/4/2004 8:00:00 AM, modified: 8/4/2004 8:00:00 AM Command line: winlogon.exe Detected:43, recognized as trusted 19
| | |||||
| Module | Base address | Size in memory | Description | Manufacturer
| C:\WINDOWS\system32\Drivers\APPFLT.SYS | Script: Quarantine, Delete, BC delete F7A9B000 | 010000 (65536) | Panda APPFLT | Copyright © 2007, Panda Software
| C:\WINDOWS\system32\drivers\av5flt.sys | Script: Quarantine, Delete, BC delete A975A000 | 017000 (94208) |
| C:\WINDOWS\system32\Drivers\cercsr6.sys | Script: Quarantine, Delete, BC delete F8702000 | 008000 (32768) | DELL CERC SATA1.5/6ch Miniport Driver | Copyright 2003 Adaptec, Inc. All rights reserved.
| C:\WINDOWS\system32\DRIVERS\COMFiltr.sys | Script: Quarantine, Delete, BC delete F87CA000 | 007000 (28672) | COMFiltr | © Panda Software 2006
| C:\WINDOWS\system32\Drivers\cpoint.sys | Script: Quarantine, Delete, BC delete F887A000 | 005000 (20480) | cPoint | Copyright © Panda Software 2005
| C:\WINDOWS\system32\Drivers\DSAFLT.SYS | Script: Quarantine, Delete, BC delete F7AAB000 | 00B000 (45056) | © Panda Software 2006
| C:\WINDOWS\System32\Drivers\dump_atapi.sys | Script: Quarantine, Delete, BC delete AA6A8000 | 018000 (98304) |
| C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS | Script: Quarantine, Delete, BC delete F89E8000 | 002000 (8192) |
| C:\WINDOWS\system32\Drivers\fnetmon.SYS | Script: Quarantine, Delete, BC delete F891A000 | 004000 (16384) | Panda FNetMon | Copyright © 2007, Panda Software
| C:\WINDOWS\system32\Drivers\IDSFLT.SYS | Script: Quarantine, Delete, BC delete AAD19000 | 02E000 (188416) | Intrusion Detection System | © Panda Software 2006
| C:\WINDOWS\system32\Drivers\ikfilesec.sys | Script: Quarantine, Delete, BC delete F84C2000 | 00E000 (57344) | File Security Device Driver | Copyright (c) PCTools Research Pty Ltd. 2006
| C:\WINDOWS\system32\drivers\iksysflt.sys | Script: Quarantine, Delete, BC delete AAFAB000 | 015000 (86016) | System Filter Device Driver | Copyright (c) PCTools Research Pty Ltd. 2006
| C:\WINDOWS\system32\drivers\iksyssec.sys | Script: Quarantine, Delete, BC delete AAF94000 | 017000 (94208) | System Security Device Driver | Copyright (c) PCTools Research Pty Ltd. 2006
| C:\WINDOWS\system32\drivers\KCOM.SYS | Script: Quarantine, Delete, BC delete F86B2000 | 00E000 (57344) |
| C:\WINDOWS\system32\Drivers\mchInjDrv.sys | Script: Quarantine, Delete, BC delete F8B83000 | 001000 (4096) |
| C:\WINDOWS\system32\Drivers\NETFLTDI.SYS | Script: Quarantine, Delete, BC delete AAE9C000 | 01F000 (126976) | Panda TDI Filter | Copyright © 2007, Panda Software
| C:\WINDOWS\system32\DRIVERS\PavProc.sys | Script: Quarantine, Delete, BC delete A9C99000 | 02B000 (176128) | Panda Process Protection driver | © Panda Software 2007
| C:\WINDOWS\system32\PavSRK.sys | Script: Quarantine, Delete, BC delete F874A000 | 008000 (32768) |
| C:\WINDOWS\system32\PavTPK.sys | Script: Quarantine, Delete, BC delete F7A3B000 | 00B000 (45056) |
| C:\WINDOWS\system32\drivers\pctfw2.sys | Script: Quarantine, Delete, BC delete AAEE3000 | 026000 (155648) | PC Tools TDI Driver | Copyright (C) 2006
| C:\WINDOWS\system32\Drivers\ShlDrv51.sys | Script: Quarantine, Delete, BC delete F882A000 | 008000 (32768) | PandaShield driver | Copyright © Panda Software International 2007
| C:\WINDOWS\system32\Drivers\SMSFLT.SYS | Script: Quarantine, Delete, BC delete F8822000 | 008000 (32768) | © Panda Software 2006
| C:\WINDOWS\system32\drivers\symlcbrd.sys | Script: Quarantine, Delete, BC delete F8732000 | 006000 (24576) | Symantec Core Component | Copyright (C) 2003
| C:\WINDOWS\system32\Drivers\WNMFLT.SYS | Script: Quarantine, Delete, BC delete F881A000 | 006000 (24576) | © Panda Software 2006
| Modules detected - 143, recognized as trusted - 119
| | ||||||||||||||
| Service | Description | Status | File | Group | Dependencies
| APPFLT | Driver: Unload, Delete, Disable App Filter Plugin | Running | C:\WINDOWS\system32\Drivers\APPFLT.SYS | Script: Quarantine, Delete, BC delete | +TDI
| AvFlt | Driver: Unload, Delete, Disable Antivirus Filter Driver | Running | C:\WINDOWS\system32\drivers\av5flt.sys | Script: Quarantine, Delete, BC delete |
| ComFiltr | Driver: Unload, Delete, Disable Panda Anti-Dialer | Running | C:\WINDOWS\system32\DRIVERS\COMFiltr.sys | Script: Quarantine, Delete, BC delete |
| cpoint | Driver: Unload, Delete, Disable Panda CPoint Driver | Running | C:\WINDOWS\system32\Drivers\cpoint.sys | Script: Quarantine, Delete, BC delete TDI |
| DSAFLT | Driver: Unload, Delete, Disable DSA Filter Plugin | Running | C:\WINDOWS\system32\Drivers\DSAFLT.SYS | Script: Quarantine, Delete, BC delete | NETIMFLT
| FNETMON | Driver: Unload, Delete, Disable NetMon Filter Plugin | Running | C:\WINDOWS\system32\Drivers\fnetmon.SYS | Script: Quarantine, Delete, BC delete | +TDI
| IDSFLT | Driver: Unload, Delete, Disable Ids Filter Plugin | Running | C:\WINDOWS\system32\Drivers\IDSFLT.SYS | Script: Quarantine, Delete, BC delete | NETIMFLT
| IKFileSec | Driver: Unload, Delete, Disable File Security Driver | Running | C:\WINDOWS\system32\drivers\ikfilesec.sys | Script: Quarantine, Delete, BC delete FSFilter Anti-Virus | FltMgr
| IKSysFlt | Driver: Unload, Delete, Disable System Filter Driver | Running | C:\WINDOWS\system32\drivers\iksysflt.sys | Script: Quarantine, Delete, BC delete Boot Bus Extender |
| IKSysSec | Driver: Unload, Delete, Disable System Security Driver | Running | C:\WINDOWS\system32\drivers\iksyssec.sys | Script: Quarantine, Delete, BC delete Boot Bus Extender | IKSysFlt
| NETFLTDI | Driver: Unload, Delete, Disable Panda Net Driver [TDI Layer] | Running | C:\WINDOWS\system32\Drivers\NETFLTDI.SYS | Script: Quarantine, Delete, BC delete PNP_TDI | TCPIP
| PavProc | Driver: Unload, Delete, Disable Panda Process Protection Driver | Running | C:\WINDOWS\system32\DRIVERS\PavProc.sys | Script: Quarantine, Delete, BC delete |
| PavSRK.sys | Driver: Unload, Delete, Disable PavSRK.sys | Running | C:\WINDOWS\system32\PavSRK.sys | Script: Quarantine, Delete, BC delete |
| PavTPK.sys | Driver: Unload, Delete, Disable PavTPK.sys | Running | C:\WINDOWS\system32\PavTPK.sys | Script: Quarantine, Delete, BC delete |
| pctfw2 | Driver: Unload, Delete, Disable pctfw2 | Running | C:\WINDOWS\system32\drivers\pctfw2.sys | Script: Quarantine, Delete, BC delete PNP_TDI | Tcpip
| ShldDrv | Driver: Unload, Delete, Disable Panda File Shield Driver | Running | C:\WINDOWS\system32\Drivers\ShlDrv51.sys | Script: Quarantine, Delete, BC delete |
| SMSFLT | Driver: Unload, Delete, Disable SMS Filter Plugin | Running | C:\WINDOWS\system32\Drivers\SMSFLT.SYS | Script: Quarantine, Delete, BC delete | NETIMFLT
| WNMFLT | Driver: Unload, Delete, Disable Wifi Monitor Filter Plugin | Running | C:\WINDOWS\system32\Drivers\WNMFLT.SYS | Script: Quarantine, Delete, BC delete | NETIMFLT
| sym_hi | Driver: Unload, Delete, Disable sym_hi | Not started | sym_hi.sys | Script: Quarantine, Delete, BC delete SCSI miniport |
| sym_u3 | Driver: Unload, Delete, Disable sym_u3 | Not started | sym_u3.sys | Script: Quarantine, Delete, BC delete SCSI miniport |
| symlcbrd | Driver: Unload, Delete, Disable symlcbrd | Running | C:\WINDOWS\system32\drivers\symlcbrd.sys | Script: Quarantine, Delete, BC delete |
| Abiosdsk | Driver: Unload, Delete, Disable Abiosdsk | Not started | Abiosdsk.sys | Script: Quarantine, Delete, BC delete Primary disk |
| abp480n5 | Driver: Unload, Delete, Disable abp480n5 | Not started | abp480n5.sys | Script: Quarantine, Delete, BC delete SCSI miniport |
| adpu160m | Driver: Unload, Delete, Disable adpu160m | Not started | adpu160m.sys | Script: Quarantine, Delete, BC delete SCSI miniport |
| Aha154x | Driver: Unload, Delete, Disable Aha154x | Not started | Aha154x.sys | Script: Quarantine, Delete, BC delete SCSI miniport |
| aic78u2 | Driver: Unload, Delete, Disable aic78u2 | Not started | aic78u2.sys | Script: Quarantine, Delete, BC delete SCSI miniport |
| aic78xx | Driver: Unload, Delete, Disable aic78xx | Not started | aic78xx.sys | Script: Quarantine, Delete, BC delete SCSI miniport |
| AliIde | Driver: Unload, Delete, Disable AliIde | Not started | AliIde.sys | Script: Quarantine, Delete, BC delete System Bus Extender |
| amsint | Driver: Unload, Delete, Disable amsint | Not started | amsint.sys | Script: Quarantine, Delete, BC delete SCSI miniport |
| asc | Driver: Unload, Delete, Disable asc | Not started | asc.sys | Script: Quarantine, Delete, BC delete SCSI miniport |
| asc3350p | Driver: Unload, Delete, Disable asc3350p | Not started | asc3350p.sys | Script: Quarantine, Delete, BC delete SCSI miniport |
| asc3550 | Driver: Unload, Delete, Disable asc3550 | Not started | asc3550.sys | Script: Quarantine, Delete, BC delete SCSI miniport |
| Atdisk | Driver: Unload, Delete, Disable Atdisk | Not started | Atdisk.sys | Script: Quarantine, Delete, BC delete Primary disk |
| Avg7Core | Driver: Unload, Delete, Disable AVG7 Kernel | Not started | C:\WINDOWS\System32\Drivers\avg7core.sys | Script: Quarantine, Delete, BC delete AVG |
| cd20xrnt | Driver: Unload, Delete, Disable cd20xrnt | Not started | cd20xrnt.sys | Script: Quarantine, Delete, BC delete SCSI miniport |
| cercsr6 | Driver: Unload, Delete, Disable cercsr6 | Not started | C:\WINDOWS\system32\Drivers\cercsr6.sys | Script: Quarantine, Delete, BC delete SCSI miniport |
| Changer | Driver: Unload, Delete, Disable Changer | Not started | Changer.sys | Script: Quarantine, Delete, BC delete Filter |
| CmdIde | Driver: Unload, Delete, Disable CmdIde | Not started | CmdIde.sys | Script: Quarantine, Delete, BC delete System Bus Extender |
| Cpqarray | Driver: Unload, Delete, Disable Cpqarray | Not started | Cpqarray.sys | Script: Quarantine, Delete, BC delete SCSI miniport |
| dac960nt | Driver: Unload, Delete, Disable dac960nt | Not started | dac960nt.sys | Script: Quarantine, Delete, BC delete SCSI miniport |
| dpti2o | Driver: Unload, Delete, Disable dpti2o | Not started | dpti2o.sys | Script: Quarantine, Delete, BC delete SCSI miniport |
| hpn | Driver: Unload, Delete, Disable hpn | Not started | hpn.sys | Script: Quarantine, Delete, BC delete SCSI miniport |
| i2omgmt | Driver: Unload, Delete, Disable i2omgmt | Not started | i2omgmt.sys | Script: Quarantine, Delete, BC delete SCSI Class |
| i2omp | Driver: Unload, Delete, Disable i2omp | Not started | i2omp.sys | Script: Quarantine, Delete, BC delete SCSI miniport |
| ini910u | Driver: Unload, Delete, Disable ini910u | Not started | ini910u.sys | Script: Quarantine, Delete, BC delete SCSI miniport |
| lbrtfdc | Driver: Unload, Delete, Disable lbrtfdc | Not started | lbrtfdc.sys | Script: Quarantine, Delete, BC delete System Bus Extender |
| LVPr2Mon | Driver: Unload, Delete, Disable Logitech LVPr2Mon Driver | Not started | C:\WINDOWS\system32\drivers\LVPr2Mon.sys | Script: Quarantine, Delete, BC delete AudioGroup |
| mraid35x | Driver: Unload, Delete, Disable mraid35x | Not started | mraid35x.sys | Script: Quarantine, Delete, BC delete SCSI miniport |
| PCIDump | Driver: Unload, Delete, Disable PCIDump | Not started | PCIDump.sys | Script: Quarantine, Delete, BC delete PCI Configuration |
| PDCOMP | Driver: Unload, Delete, Disable PDCOMP | Not started | PDCOMP.sys | Script: Quarantine, Delete, BC delete |
| PDFRAME | Driver: Unload, Delete, Disable PDFRAME | Not started | PDFRAME.sys | Script: Quarantine, Delete, BC delete |
| PDRELI | Driver: Unload, Delete, Disable PDRELI | Not started | PDRELI.sys | Script: Quarantine, Delete, BC delete |
| PDRFRAME | Driver: Unload, Delete, Disable PDRFRAME | Not started | PDRFRAME.sys | Script: Quarantine, Delete, BC delete |
| perc2 | Driver: Unload, Delete, Disable perc2 | Not started | perc2.sys | Script: Quarantine, Delete, BC delete SCSI miniport |
| perc2hib | Driver: Unload, Delete, Disable perc2hib | Not started | perc2hib.sys | Script: Quarantine, Delete, BC delete Filter |
| ql1080 | Driver: Unload, Delete, Disable ql1080 | Not started | ql1080.sys | Script: Quarantine, Delete, BC delete SCSI miniport |
| Ql10wnt | Driver: Unload, Delete, Disable Ql10wnt | Not started | Ql10wnt.sys | Script: Quarantine, Delete, BC delete SCSI miniport |
| ql12160 | Driver: Unload, Delete, Disable ql12160 | Not started | ql12160.sys | Script: Quarantine, Delete, BC delete SCSI miniport |
| ql1240 | Driver: Unload, Delete, Disable ql1240 | Not started | ql1240.sys | Script: Quarantine, Delete, BC delete SCSI miniport |
| ql1280 | Driver: Unload, Delete, Disable ql1280 | Not started | ql1280.sys | Script: Quarantine, Delete, BC delete SCSI miniport |
| Simbad | Driver: Unload, Delete, Disable Simbad | Not started | Simbad.sys | Script: Quarantine, Delete, BC delete Filter |
| Sparrow | Driver: Unload, Delete, Disable Sparrow | Not started | Sparrow.sys | Script: Quarantine, Delete, BC delete SCSI miniport |
| symc810 | Driver: Unload, Delete, Disable symc810 | Not started | symc810.sys | Script: Quarantine, Delete, BC delete SCSI miniport |
| symc8xx | Driver: Unload, Delete, Disable symc8xx | Not started | symc8xx.sys | Script: Quarantine, Delete, BC delete SCSI miniport |
| TosIde | Driver: Unload, Delete, Disable TosIde | Not started | TosIde.sys | Script: Quarantine, Delete, BC delete System Bus Extender |
| ultra | Driver: Unload, Delete, Disable ultra | Not started | ultra.sys | Script: Quarantine, Delete, BC delete SCSI miniport |
| ViaIde | Driver: Unload, Delete, Disable ViaIde | Not started | ViaIde.sys | Script: Quarantine, Delete, BC delete System Bus Extender |
| WDICA | Driver: Unload, Delete, Disable WDICA | Not started | WDICA.sys | Script: Quarantine, Delete, BC delete |
| Detected - 209, recognized as trusted - 141
| | ||||||
| File name | Status | Startup method | Description
| C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe | Script: Quarantine, Delete, BC delete Active | Registry key | HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, Adobe Reader Speed Launcher
| C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe | Script: Quarantine, Delete, BC delete Active | Registry key | HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, LogitechCommunicationsManager
| C:\Program Files\Logitech\QuickCam\Quickcam.exe | Script: Quarantine, Delete, BC delete Active | Registry key | HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, LogitechQuickCamRibbon
| C:\Program Files\Panda Security\Panda Internet Security 2008\APVXDWIN.EXE | Script: Quarantine, Delete, BC delete Active | Registry key | HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, APVXDWIN
| C:\Program Files\Panda Security\Panda Internet Security 2008\Inicio.exe | Script: Quarantine, Delete, BC delete Active | Registry key | HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, SCANINICIO
| C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe | Script: Quarantine, Delete, BC delete Active | Registry key | HKEY_CURRENT_USER, Software\Microsoft\Windows\CurrentVersion\Run, SpybotSD TeaTimer
| C:\Program Files\Spyware Doctor\pctsTray.exe | Script: Quarantine, Delete, BC delete Active | Registry key | HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, ISTray
| appmgmts.dll | Script: Quarantine, Delete, BC delete Active | Registry key | HKEY_LOCAL_MACHINE, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}, DLLName
| autocheck autochk *�lsdelete | Script: Quarantine, Delete, BC delete -- | Registry key | HKEY_LOCAL_MACHINE, System\CurrentControlSet\Control\Session Manager, BootExecute
| avldr.dll | Script: Quarantine, Delete, BC delete Active | Registry key | HKEY_LOCAL_MACHINE, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avldr, DLLName
| Autoruns items detected - 60, recognized as trusted - 50
| | ||||||
| File name | Type | Description | Manufacturer | CLSID
| C:\PROGRA~1\SPYBOT~1\SDHelper.dll | Script: Quarantine, Delete, BC delete BHO | SBSD IE Protection | © 2000-2008 Safer Networking Limited. Alle Rechte vorbehalten. | {53707962-6F74-2D53-2644-206D7942484F} | Delete c:\program files\google\googletoolbar1.dll | Script: Quarantine, Delete, BC delete BHO | Google IE Client Toolbar | Copyright © 2000-2006 | {AA58ED58-01DD-4d91-8333-CF10577473F7} | Delete c:\program files\google\googletoolbar1.dll | Script: Quarantine, Delete, BC delete Toolbar | Google IE Client Toolbar | Copyright © 2000-2006 | {2318C2B1-4965-11d4-9B18-009027A5CD4F} | Delete C:\Microgaming\Poker\DoylesRoomMPP\MPPoker.exe | Script: Quarantine, Delete, BC delete Extension module | Microgaming Poker Engine | Copyright (c) Microgaming 1998 - 2003 | {725E77D3-B919-4eef-8EEE-D09DE618B6C1} | Delete C:\Microgaming\Poker\DoylesRoomMPP\MPPoker.exe | Script: Quarantine, Delete, BC delete Extension module | Microgaming Poker Engine | Copyright (c) Microgaming 1998 - 2003 | {92780B25-18CC-41C8-B9BE-3C9C571A8263} | Delete Extension module | {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} | Delete Elements detected - 13, recognized as trusted - 7
| | |||||||||
| File name | Destination | Description | Manufacturer | CLSID
| deskpan.dll | Script: Quarantine, Delete, BC delete Display Panning CPL Extension | {42071714-76d4-11d1-8b24-00a0c9068ff3}
| Shell extensions for file compression | {764BF0E1-F219-11ce-972D-00AA00A14F56}
| Encryption Context Menu | {853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}
| Taskbar and Start Menu | {0DF44EAA-FF21-4412-828E-260A8728E7F1}
| rundll32.exe C:\WINDOWS\system32\shimgvw.dll,ImageView_COMServer {00E7B358-F65B-4dcf-83DF-CD026B94BFD4} | Script: Quarantine, Delete, BC delete Autoplay for SlideShow | {00E7B358-F65B-4dcf-83DF-CD026B94BFD4}
| User Accounts | {7A9D77BD-5403-11d2-8785-2E0420524153}
| "C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll" | Script: Quarantine, Delete, BC delete OpenOffice.org Column Handler | {C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}
| "C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll" | Script: Quarantine, Delete, BC delete OpenOffice.org Infotip Handler | {087B3AE3-E237-4467-B8DB-5A38AB959AC9}
| "C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll" | Script: Quarantine, Delete, BC delete OpenOffice.org Property Sheet Handler | {63542C48-9552-494A-84F7-73AA6A7C99C1}
| "C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll" | Script: Quarantine, Delete, BC delete OpenOffice.org Thumbnail Viewer | {3B092F0C-7696-40E3-A80F-68D74DA84210}
| DllRegShlExt extension | {8AB81E72-CB2F-11D3-8D3B-AC2F34F1FA3C}
| C:\Program Files\Yahoo!\Common\YMMAPI.dll | Script: Quarantine, Delete, BC delete Yahoo! Mail | YMMAPI Module | Copyright © 2001-2006 Yahoo! Inc. | {5464D816-CF16-4784-B9F3-75C0DB52B499}
| C:\WINDOWS\lcmmfu.cpl | Script: Quarantine, Delete, BC delete eLicense Control | LCMMFU | Copyright © 1998-2007 ViaTech Technologies Inc. | {EB47FF00-225E-11D2-9E1D-00A0C9AB0EEE}
| iTunes | {B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}
| C:\Program Files\Panda Security\Panda Internet Security 2008\PavOLE.dll | Script: Quarantine, Delete, BC delete Panda Antivirus | PAVOLE | © Panda Software 2008 | {65756541-C65C-11CD-0000-4B656E696100}
| Elements detected - 207, recognized as trusted - 192
| | ||||||||||||||||||||||||||||||||||||
| File name | Type | Name | Description | Manufacturer
| Elements detected - 9, recognized as trusted - 9
| | ||||||
| File name | Job name | Job status | Description | Manufacturer
| C:\Program Files\Panda Security\Panda Internet Security 2008\PlaTasks.exe | Script: Quarantine, Delete, BC delete Basic clean-up.job | The task has not yet run. | PlaTasks. Panda Software S.L. | © Panda 2007
| C:\Program Files\Panda Security\Panda Internet Security 2008\PlaTasks.exe | Script: Quarantine, Delete, BC delete Basic clean-up1.job | The task has not yet run. | PlaTasks. Panda Software S.L. | © Panda 2007
| Elements detected - 2, recognized as trusted - 0
| | ||||||
| Manufacturer | Status | EXE file | Description | GUID
| Detected - 3, recognized as trusted - 3
| | ||||||
| Manufacturer | EXE file | Description
| PCTOOLS over [PAV_LAYERED over [MSAFD Tcpip [TCP/IP]]] | C:\Program Files\Common Files\PC Tools\LSP\PCTLsp.dll | Script: Quarantine, Delete, BC delete Copyright PC Tools Research Pty Ltd 2006.(1, 0, 91, 0)
| PCTOOLS over [PAV_LAYERED over [MSAFD Tcpip [UDP/IP]]] | C:\Program Files\Common Files\PC Tools\LSP\PCTLsp.dll | Script: Quarantine, Delete, BC delete Copyright PC Tools Research Pty Ltd 2006.(1, 0, 91, 0)
| PCTOOLS over [PAV_LAYERED over [MSAFD Tcpip [RAW/IP]]] | C:\Program Files\Common Files\PC Tools\LSP\PCTLsp.dll | Script: Quarantine, Delete, BC delete Copyright PC Tools Research Pty Ltd 2006.(1, 0, 91, 0)
| PAV_LAYERED over [PCTOOLS over [PAV_LAYERED over [MSAFD Tcpip [TCP/IP]]]] | C:\Program Files\Panda Security\Panda Internet Security 2008\pavlsp.dll | Script: Quarantine, Delete, BC delete © Panda Software 2007(7, 5, 21, 501)
| PAV_LAYERED over [PCTOOLS over [PAV_LAYERED over [MSAFD Tcpip [UDP/IP]]]] | C:\Program Files\Panda Security\Panda Internet Security 2008\pavlsp.dll | Script: Quarantine, Delete, BC delete © Panda Software 2007(7, 5, 21, 501)
| PAV_LAYERED over [PCTOOLS over [PAV_LAYERED over [MSAFD Tcpip [RAW/IP]]]] | C:\Program Files\Panda Security\Panda Internet Security 2008\pavlsp.dll | Script: Quarantine, Delete, BC delete © Panda Software 2007(7, 5, 21, 501)
| PCTOOLS CONTENT FILTER PROVIDER | C:\Program Files\Common Files\PC Tools\LSP\PCTLsp.dll | Script: Quarantine, Delete, BC delete Copyright PC Tools Research Pty Ltd 2006.(1, 0, 91, 0)
| PAV_LAYERED | C:\Program Files\Panda Security\Panda Internet Security 2008\pavlsp.dll | Script: Quarantine, Delete, BC delete © Panda Software 2007(7, 5, 21, 501)
| Detected - 21, recognized as trusted - 13
| | ||||||
| File name | Description | Manufacturer | CLSID | Source URL
| {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} | Delete http://www.apple.com/qtactivex/qtplugin.cab
| C:\Program Files\Yahoo!\Common\Yinsthelper.dll | Script: Quarantine, Delete, BC delete YInstHelper Module | Copyright © 2001-2007 Yahoo! Inc. All rights reserved. | {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} | Delete C:\Program Files\Yahoo!\Common\Yinsthelper.dll
| {512FC5A1-7DE1-43F1-BC0C-371622FCB409} | Delete http://www.nanoscan.com/as/cabs/ascstubie.cab
| {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} | Delete http://acs.pandasoftware.com/activescan/as5free/asinst.cab
| Elements detected - 9, recognized as trusted - 5
| | |||||||||||||||
| File name | Description | Manufacturer
| C:\WINDOWS\lcmmfu.cpl | Script: Quarantine, Delete, BC delete LCMMFU | Copyright © 1998-2007 ViaTech Technologies Inc.
| C:\WINDOWS\system32\pavcpl.cpl | Script: Quarantine, Delete, BC delete PavCPL | Copyright © Panda Software 2006
| Elements detected - 27, recognized as trusted - 25
| | ||||||
| File name | Description | Manufacturer | CLSID
| Elements detected - 15, recognized as trusted - 15
| | ||||||
Hosts file record
|
| File name | Type | Description | Manufacturer | CLSID
| mscoree.dll | Script: Quarantine, Delete, BC delete Protocol | Microsoft .NET Runtime Execution Engine () | © Microsoft Corporation. All rights reserved. | {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
| mscoree.dll | Script: Quarantine, Delete, BC delete Protocol | Microsoft .NET Runtime Execution Engine () | © Microsoft Corporation. All rights reserved. | {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
| mscoree.dll | Script: Quarantine, Delete, BC delete Protocol | Microsoft .NET Runtime Execution Engine () | © Microsoft Corporation. All rights reserved. | {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
| Elements detected - 32, recognized as trusted - 29
| | ||||||
AVZ Antiviral Toolkit log; AVZ version is 4.30 Scanning started at 6/21/2008 1:03:05 PM Database loaded: signatures - 171373, NN profile(s) - 2, microprograms of healing - 56, signature database released 20.06.2008 23:50 Heuristic microprograms loaded: 370 SPV microprograms loaded: 9 Digital signatures of system files loaded: 71156 Heuristic analyzer mode: Medium heuristics level Healing mode: enabled Windows version: 5.1.2600, Service Pack 2 ; AVZ is launched with administrator rights System Restore: Disabled 1. Searching for Rootkits and programs intercepting API functions 1.1 Searching for user-mode API hooks Analysis: kernel32.dll, export table found in section .text Function kernel32.dll:CopyFileExW (66) intercepted, method CodeHijack (method not defined) >>> Rootkit code in function CopyFileExW blocked Function kernel32.dll:CreateFileMappingW (82) intercepted, method CodeHijack (method not defined) >>> Rootkit code in function CreateFileMappingW blocked Function kernel32.dll:CreateProcessInternalW (101) intercepted, method CodeHijack (method not defined) >>> Rootkit code in function CreateProcessInternalW blocked Function kernel32.dll:CreateRemoteThread (104) intercepted, method CodeHijack (method not defined) >>> Rootkit code in function CreateRemoteThread blocked Function kernel32.dll:MoveFileWithProgressW (611) intercepted, method CodeHijack (method not defined) >>> Rootkit code in function MoveFileWithProgressW blocked Function kernel32.dll:TerminateProcess (839) intercepted, method CodeHijack (method not defined) >>> Rootkit code in function TerminateProcess blocked Function kernel32.dll:WriteProcessMemory (917) intercepted, method CodeHijack (method not defined) >>> Rootkit code in function WriteProcessMemory blocked Analysis: ntdll.dll, export table found in section .text Function ntdll.dll:LdrLoadDll (70) intercepted, method CodeHijack (method not defined) >>> Rootkit code in function LdrLoadDll blocked Function ntdll.dll:NtClose (111) intercepted, method CodeHijack (method not defined) >>> Rootkit code in function NtClose blocked Function ntdll.dll:NtCreateFile (123) intercepted, method CodeHijack (method not defined) >>> Rootkit code in function NtCreateFile blocked Function ntdll.dll:NtCreateKey (127) intercepted, method CodeHijack (method not defined) >>> Rootkit code in function NtCreateKey blocked Function ntdll.dll:NtCreateSection (137) intercepted, method CodeHijack (method not defined) >>> Rootkit code in function NtCreateSection blocked Function ntdll.dll:NtDeleteFile (150) intercepted, method CodeHijack (method not defined) >>> Rootkit code in function NtDeleteFile blocked Function ntdll.dll:NtDeleteKey (151) intercepted, method CodeHijack (method not defined) >>> Rootkit code in function NtDeleteKey blocked Function ntdll.dll:NtDeleteValueKey (153) intercepted, method CodeHijack (method not defined) >>> Rootkit code in function NtDeleteValueKey blocked Function ntdll.dll:NtDuplicateObject (156) intercepted, method CodeHijack (method not defined) >>> Rootkit code in function NtDuplicateObject blocked Function ntdll.dll:NtEnumerateKey (159) intercepted, method CodeHijack (method not defined) >>> Rootkit code in function NtEnumerateKey blocked Function ntdll.dll:NtEnumerateValueKey (161) intercepted, method CodeHijack (method not defined) >>> Rootkit code in function NtEnumerateValueKey blocked Function ntdll.dll:NtOpenFile (204) intercepted, method CodeHijack (method not defined) >>> Rootkit code in function NtOpenFile blocked Function ntdll.dll:NtQueryMultipleValueKey (250) intercepted, method CodeHijack (method not defined) >>> Rootkit code in function NtQueryMultipleValueKey blocked Function ntdll.dll:NtQueryValueKey (267) intercepted, method CodeHijack (method not defined) >>> Rootkit code in function NtQueryValueKey blocked Function ntdll.dll:NtReadFile (273) intercepted, method CodeHijack (method not defined) >>> Rootkit code in function NtReadFile blocked Function ntdll.dll:NtRenameKey (283) intercepted, method CodeHijack (method not defined) >>> Rootkit code in function NtRenameKey blocked Function ntdll.dll:NtSetInformationFile (315) intercepted, method CodeHijack (method not defined) >>> Rootkit code in function NtSetInformationFile blocked Function ntdll.dll:NtSetValueKey (338) intercepted, method CodeHijack (method not defined) >>> Rootkit code in function NtSetValueKey blocked Function ntdll.dll:NtTerminateProcess (348) intercepted, method CodeHijack (method not defined) >>> Rootkit code in function NtTerminateProcess blocked Function ntdll.dll:NtUnloadKey (354) intercepted, method CodeHijack (method not defined) >>> Rootkit code in function NtUnloadKey blocked Function ntdll.dll:NtWriteFile (366) intercepted, method CodeHijack (method not defined) >>> Rootkit code in function NtWriteFile blocked Function ntdll.dll:NtWriteFileGather (367) intercepted, method CodeHijack (method not defined) >>> Rootkit code in function NtWriteFileGather blocked Function ntdll.dll:NtWriteVirtualMemory (369) intercepted, method CodeHijack (method not defined) >>> Rootkit code in function NtWriteVirtualMemory blocked Analysis: user32.dll, export table found in section .text Function user32.dll:AttachThreadInput (12) intercepted, method CodeHijack (method not defined) >>> Rootkit code in function AttachThreadInput blocked Function user32.dll:BeginDeferWindowPos (13) intercepted, method CodeHijack (method not defined) >>> Rootkit code in function BeginDeferWindowPos blocked Function user32.dll:CreateAcceleratorTableW (78) intercepted, method CodeHijack (method not defined) >>> Rootkit code in function CreateAcceleratorTableW blocked Function user32.dll:DispatchMessageA (162) intercepted, method CodeHijack (method not defined) >>> Rootkit code in function DispatchMessageA blocked Function user32.dll:DispatchMessageW (163) intercepted, method CodeHijack (method not defined) >>> Rootkit code in function DispatchMessageW blocked Function user32.dll:GetAsyncKeyState (243) intercepted, method CodeHijack (method not defined) >>> Rootkit code in function GetAsyncKeyState blocked Function user32.dll:GetKeyState (290) intercepted, method CodeHijack (method not defined) >>> Rootkit code in function GetKeyState blocked Function user32.dll:GetKeyboardState (295) intercepted, method CodeHijack (method not defined) >>> Rootkit code in function GetKeyboardState blocked Function user32.dll:SetWindowsHookExA (651) intercepted, method CodeHijack (method not defined) >>> Rootkit code in function SetWindowsHookExA blocked Function user32.dll:SetWindowsHookExW (652) intercepted, method CodeHijack (method not defined) >>> Rootkit code in function SetWindowsHookExW blocked Function user32.dll:TranslateMessage (683) intercepted, method CodeHijack (method not defined) >>> Rootkit code in function TranslateMessage blocked Analysis: advapi32.dll, export table found in section .text Function advapi32.dll:ChangeServiceConfig2A (54) intercepted, method CodeHijack (method not defined) >>> Rootkit code in function ChangeServiceConfig2A blocked Function advapi32.dll:ChangeServiceConfig2W (55) intercepted, method CodeHijack (method not defined) >>> Rootkit code in function ChangeServiceConfig2W blocked Function advapi32.dll:ChangeServiceConfigA (56) intercepted, method CodeHijack (method not defined) >>> Rootkit code in function ChangeServiceConfigA blocked Function advapi32.dll:ChangeServiceConfigW (57) intercepted, method CodeHijack (method not defined) >>> Rootkit code in function ChangeServiceConfigW blocked Function advapi32.dll:CloseServiceHandle (64) intercepted, method CodeHijack (method not defined) >>> Rootkit code in function CloseServiceHandle blocked Function advapi32.dll:ControlService (68) intercepted, method CodeHijack (method not defined) >>> Rootkit code in function ControlService blocked Function advapi32.dll:CreateServiceA (102) intercepted, method CodeHijack (method not defined) >>> Rootkit code in function CreateServiceA blocked Function advapi32.dll:CreateServiceW (103) intercepted, method CodeHijack (method not defined) >>> Rootkit code in function CreateServiceW blocked Function advapi32.dll:DeleteService (177) intercepted, method CodeHijack (method not defined) >>> Rootkit code in function DeleteService blocked Function advapi32.dll:LsaAddAccountRights (338) intercepted, method CodeHijack (method not defined) >>> Rootkit code in function LsaAddAccountRights blocked Function advapi32.dll:LsaRemoveAccountRights (385) intercepted, method CodeHijack (method not defined) >>> Rootkit code in function LsaRemoveAccountRights blocked Function advapi32.dll:OpenServiceA (430) intercepted, method CodeHijack (method not defined) >>> Rootkit code in function OpenServiceA blocked Function advapi32.dll:OpenServiceW (431) intercepted, method CodeHijack (method not defined) >>> Rootkit code in function OpenServiceW blocked Function advapi32.dll:StartServiceA (576) intercepted, method CodeHijack (method not defined) >>> Rootkit code in function StartServiceA blocked Function advapi32.dll:StartServiceW (579) intercepted, method CodeHijack (method not defined) >>> Rootkit code in function StartServiceW blocked Analysis: ws2_32.dll, export table found in section .text Analysis: wininet.dll, export table found in section .text Analysis: rasapi32.dll, export table found in section .text Analysis: urlmon.dll, export table found in section .text Analysis: netapi32.dll, export table found in section .text 1.2 Searching for kernel-mode API hooks Driver loaded successfully SDT found (RVA=07B380) Kernel ntkrnlpa.exe found in memory at address 804D7000 SDT = 80552380 KiST = 805011FC (284) Function NtCreateKey (29) intercepted (80618E86->AAFB27A6), hook C:\WINDOWS\system32\drivers\iksysflt.sys >>> Function restored successfully ! >>> Hook code blocked Function NtCreateProcess (2F) intercepted (805C5F8E->AAFAF794), hook C:\WINDOWS\system32\drivers\iksysflt.sys >>> Function restored successfully ! >>> Hook code blocked Function NtCreateProcessEx (30) intercepted (805C5ED8->AAFAFF1E), hook C:\WINDOWS\system32\drivers\iksysflt.sys >>> Function restored successfully ! >>> Hook code blocked Function NtDeleteKey (3F) intercepted (80619316->AAFB31F0), hook C:\WINDOWS\system32\drivers\iksysflt.sys >>> Function restored successfully ! >>> Hook code blocked Function NtDeleteValueKey (41) intercepted (806194E6->AAFB342A), hook C:\WINDOWS\system32\drivers\iksysflt.sys >>> Function restored successfully ! >>> Hook code blocked Function NtRenameKey (C0) intercepted (806188AC->AAFB412A), hook C:\WINDOWS\system32\drivers\iksysflt.sys >>> Function restored successfully ! >>> Hook code blocked Function NtSetValueKey (F7) intercepted (80617546->AAFB383C), hook C:\WINDOWS\system32\drivers\iksysflt.sys >>> Function restored successfully ! >>> Hook code blocked Function NtTerminateProcess (101) intercepted (805C776C->A9C9AA70), hook C:\WINDOWS\system32\DRIVERS\PavProc.sys >>> Function restored successfully ! >>> Hook code blocked Function NtTerminateThread (102) intercepted (805C7966->A9C99E40), hook C:\WINDOWS\system32\DRIVERS\PavProc.sys >>> Function restored successfully ! >>> Hook code blocked Function NtWriteVirtualMemory (115) intercepted (805A85A2->AAFAE384), hook C:\WINDOWS\system32\drivers\iksysflt.sys >>> Function restored successfully ! >>> Hook code blocked Functions checked: 284, intercepted: 10, restored: 10 1.3 Checking IDT and SYSENTER Analysis for CPU 1 Checking IDT and SYSENTER - complete 1.4 Searching for masking processes and drivers Checking not performed: extended monitoring driver (AVZPM) is not installed Driver loaded successfully 1.5 Checking of IRP handlers \FileSystem\ntfs[IRP_MJ_CREATE] = F882D7D0 -> C:\WINDOWS\system32\Drivers\ShlDrv51.sys \FileSystem\ntfs[IRP_MJ_SET_INFORMATION] = F882DC70 -> C:\WINDOWS\system32\Drivers\ShlDrv51.sys Checking - complete 2. Scanning memory Number of processes found: 43 Number of modules loaded: 461 Scanning memory - complete 3. Scanning disks 4. Checking Winsock Layered Service Provider (SPI/LSP) LSP settings checked. No errors detected 5. Searching for keyboard/mouse/windows events hooks (Keyloggers, Trojan DLLs) C:\WINDOWS\SYSTEM32\PAVSHOOK.DLL --> Suspicion for Keylogger or Trojan DLL C:\WINDOWS\SYSTEM32\PAVSHOOK.DLL>>> Behavioural analysis Behaviour typical for keyloggers not detected File quarantined succesfully (C:\WINDOWS\SYSTEM32\PAVSHOOK.DLL) C:\WINDOWS\system32\systools.dll --> Suspicion for Keylogger or Trojan DLL C:\WINDOWS\system32\systools.dll>>> Behavioural analysis Behaviour typical for keyloggers not detected File quarantined succesfully (C:\WINDOWS\system32\systools.dll) C:\Program Files\Spyware Doctor\smumhook.dll --> Suspicion for Keylogger or Trojan DLL C:\Program Files\Spyware Doctor\smumhook.dll>>> Behavioural analysis Behaviour typical for keyloggers not detected File quarantined succesfully (C:\Program Files\Spyware Doctor\smumhook.dll) C:\Program Files\Spyware Doctor\klg.dat --> Suspicion for Keylogger or Trojan DLL C:\Program Files\Spyware Doctor\klg.dat>>> Behavioural analysis Behaviour typical for keyloggers not detected File quarantined succesfully (C:\Program Files\Spyware Doctor\klg.dat) C:\Program Files\Panda Security\Panda Internet Security 2008\pavoepl.dll --> Suspicion for Keylogger or Trojan DLL C:\Program Files\Panda Security\Panda Internet Security 2008\pavoepl.dll>>> Behavioural analysis 1. Reacts to events: mouse C:\Program Files\Panda Security\Panda Internet Security 2008\pavoepl.dll>>> Neural net: file with probability 99.80% like a typical keyboard/mouse events interceptor File quarantined succesfully (C:\Program Files\Panda Security\Panda Internet Security 2008\pavoepl.dll) C:\Program Files\Common Files\PC Tools\LSP\PCTLsp.dll --> Suspicion for Keylogger or Trojan DLL C:\Program Files\Common Files\PC Tools\LSP\PCTLsp.dll>>> Behavioural analysis Behaviour typical for keyloggers not detected File quarantined succesfully (C:\Program Files\Common Files\PC Tools\LSP\PCTLsp.dll) Note: Do NOT delete suspicious files, send them for analysis (see FAQ for more details), because there are lots of useful hooking DLLs 6. Searching for opened TCP/UDP ports used by malicious programs Checking disabled by user 7. Heuristic system check Checking - complete 8. Searching for vulnerabilities >> Services: potentially dangerous service allowed: TermService (Terminal Services) >> Services: potentially dangerous service allowed: SSDPSRV (SSDP Discovery Service) >> Services: potentially dangerous service allowed: Schedule (Task Scheduler) >> Services: potentially dangerous service allowed: mnmsrvc (NetMeeting Remote Desktop Sharing) >> Services: potentially dangerous service allowed: RDSessMgr (Remote Desktop Help Session Manager) > Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)! >> Security: disk drives' autorun is enabled >> Security: administrative shares (C$, D$ ...) are enabled >> Security: anonymous user access is enabled >> Security: sending Remote Assistant queries is enabled Checking - complete 9. Troubleshooting wizard >> Abnormal SCR files association >> Abnormal REG files association >> Service termination timeout is out of admissible values >> HDD autorun are allowed >> Autorun from network drives are allowed >> Removable media autorun are allowed Checking - complete Files scanned: 97949, extracted from archives: 78804, malicious software found 0, suspicions - 0 Scanning finished at 6/21/2008 1:34:43 PM !!! Attention !!! Recovered 10 KiST functions during Anti-Rootkit operation This may affect execution of several programs, so it is strongly recommended to reboot Time of scanning: 00:31:43 If you have a suspicion on presence of viruses or questions on the suspected objects, you can address http://virusinfo.info conference Creating archive of files from Quarantine Creating archive of files from Quarantine - complete System Analysis in progressAdd commands to script:
Script commands