Results of system analysis

LSP settings checked. No errors detected

127.0.0.1       localhost

Attention !!! Database was last updated 4/6/2008 it is necessary to update the bases using automatic updates (File/Database update)
AVZ Antiviral Toolkit log; AVZ version is 4.30
Scanning started at 7/17/2008 4:28:15 PM
Database loaded: signatures - 157571, NN profile(s) - 2, microprograms of healing - 55, signature database released 06.04.2008 17:09
Heuristic microprograms loaded: 370
SPV microprograms loaded: 9
Digital signatures of system files loaded: 70476
Heuristic analyzer mode: Maximum heuristics level
Healing mode: disabled
Windows version: 5.1.2600, Service Pack 3 ; AVZ is launched with administrator rights
System Restore: enabled
1. Searching for Rootkits and programs intercepting API functions
1.1 Searching for user-mode API hooks
 Analysis: kernel32.dll, export table found in section .text
 Analysis: ntdll.dll, export table found in section .text
 Analysis: user32.dll, export table found in section .text
 Analysis: advapi32.dll, export table found in section .text
 Analysis: ws2_32.dll, export table found in section .text
 Analysis: wininet.dll, export table found in section .text
 Analysis: rasapi32.dll, export table found in section .text
 Analysis: urlmon.dll, export table found in section .text
 Analysis: netapi32.dll, export table found in section .text
1.2 Searching for kernel-mode API hooks
 Driver loaded successfully
 SDT found (RVA=085700)
 Kernel ntkrnlpa.exe found in memory at address 804D7000
   SDT = 8055C700
   KiST = 80504450 (284)
Function NtCreateFile (25) - machine code modification Method of JmpTo. jmp B0F369AE\SystemRoot\system32\drivers\mfehidk.sys, driver recognized as trusted
Function NtCreateProcess (2F) - machine code modification Method of JmpTo. jmp B0F3695C\SystemRoot\system32\drivers\mfehidk.sys, driver recognized as trusted
Function NtCreateProcessEx (30) - machine code modification Method of JmpTo. jmp B0F36970\SystemRoot\system32\drivers\mfehidk.sys, driver recognized as trusted
Function NtMapViewOfSection (6C) - machine code modification Method of JmpTo. jmp B0F369EE\SystemRoot\system32\drivers\mfehidk.sys, driver recognized as trusted
Function NtOpenProcess (7A) - machine code modification Method of JmpTo. jmp B0F36934\SystemRoot\system32\drivers\mfehidk.sys, driver recognized as trusted
Function NtOpenThread (80) - machine code modification Method of JmpTo. jmp B0F36948\SystemRoot\system32\drivers\mfehidk.sys, driver recognized as trusted
Function NtProtectVirtualMemory (89) - machine code modification Method of JmpTo. jmp B0F369C2\SystemRoot\system32\drivers\mfehidk.sys, driver recognized as trusted
Function NtSetContextThread (D5) - machine code modification Method of JmpTo. jmp B0F3699A\SystemRoot\system32\drivers\mfehidk.sys, driver recognized as trusted
Function NtSetInformationProcess (E4) - machine code modification Method of JmpTo. jmp B0F36986\SystemRoot\system32\drivers\mfehidk.sys, driver recognized as trusted
Function NtTerminateProcess (101) intercepted (805D299E->B0FF2F20), hook C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
Function NtUnmapViewOfSection (10B) - machine code modification Method of JmpTo. jmp B0F36A04\SystemRoot\system32\drivers\mfehidk.sys, driver recognized as trusted
Function NtYieldExecution (116) - machine code modification Method of JmpTo. jmp B0F369D8\SystemRoot\system32\drivers\mfehidk.sys, driver recognized as trusted
Function NtCreateFile (80579084) - machine code modification Method of JmpTo. jmp B0F369AE \SystemRoot\system32\drivers\mfehidk.sys, driver recognized as trusted
Function NtMapViewOfSection (805B2006) - machine code modification Method of JmpTo. jmp B0F369EE \SystemRoot\system32\drivers\mfehidk.sys, driver recognized as trusted
Function NtOpenProcess (805CB3FC) - machine code modification Method of JmpTo. jmp B0F36934 \SystemRoot\system32\drivers\mfehidk.sys, driver recognized as trusted
Function NtOpenThread (805CB688) - machine code modification Method of JmpTo. jmp B0F36948 \SystemRoot\system32\drivers\mfehidk.sys, driver recognized as trusted
Function NtSetInformationProcess (805CDE46) - machine code modification Method of JmpTo. jmp B0F36986 \SystemRoot\system32\drivers\mfehidk.sys, driver recognized as trusted
Functions checked: 284, intercepted: 1, restored: 0
1.3 Checking IDT and SYSENTER
 Analysis for CPU 1
 Analysis for CPU 2
 Checking IDT and SYSENTER - complete
1.4 Searching for masking processes and drivers
 Checking not performed: extended monitoring driver (AVZPM) is not installed
 Driver loaded successfully
1.5 Checking of IRP handlers
 Checking - complete
2. Scanning memory
 Number of processes found: 45
Analyzer: process under analysis is 1600 C:\Program Files\Digital Media Reader\readericon45G.exe
[ES]:Application has no visible windows
[ES]:Registered in autoruns !!
Analyzer: process under analysis is 1624 C:\WINDOWS\zHotkey.exe
[ES]:Application has no visible windows
[ES]:Located in system folder
[ES]:Registered in autoruns !!
Analyzer: process under analysis is 1656 C:\Program Files\McAfee.com\Agent\mcagent.exe
[ES]:Contains network functionality
[ES]:Application has no visible windows
[ES]:Registered in autoruns !!
[ES]:Loads RASAPI DLL - may use dialing ?
Analyzer: process under analysis is 1728 C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
[ES]:Contains network functionality
[ES]:Application has no visible windows
[ES]:Registered in autoruns !!
Analyzer: process under analysis is 1748 C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
[ES]:Contains network functionality
[ES]:Application has no visible windows
[ES]:Registered in autoruns !!
Analyzer: process under analysis is 1872 C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
[ES]:Contains network functionality
[ES]:Application has no visible windows
[ES]:Registered in autoruns !!
Analyzer: process under analysis is 1984 C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
[ES]:Application has no visible windows
Analyzer: process under analysis is 384 C:\Program Files\Common Files\LightScribe\LSSrvc.exe
[ES]:Application has no visible windows
Analyzer: process under analysis is 448 C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
[ES]:Contains network functionality
[ES]:Application has no visible windows
Analyzer: process under analysis is 1324 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
[ES]:Contains network functionality
[ES]:Application has no visible windows
Analyzer: process under analysis is 1364 C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
[ES]:Contains network functionality
[ES]:Application has no visible windows
Analyzer: process under analysis is 1448 C:\Program Files\McAfee\MPF\MPFSrv.exe
[ES]:Contains network functionality
[ES]:Application has no visible windows
Analyzer: process under analysis is 1616 C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
[ES]:Application has no visible windows
Analyzer: process under analysis is 2728 C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
[ES]:Contains network functionality
[ES]:Application has no visible windows
 Number of modules loaded: 431
Scanning memory - complete
3. Scanning disks
4. Checking  Winsock Layered Service Provider (SPI/LSP)
 LSP settings checked. No errors detected
5. Searching for keyboard/mouse/windows events hooks (Keyloggers, Trojan DLLs)
6. Searching for opened TCP/UDP ports used by malicious programs
 Checking disabled by user
7. Heuristic system check
Checking - complete
8. Searching for vulnerabilities
>> Services: potentially dangerous service allowed: RemoteRegistry (Remote Registry)
>> Services: potentially dangerous service allowed: TermService (Terminal Services)
>> Services: potentially dangerous service allowed: SSDPSRV (SSDP Discovery Service)
>> Services: potentially dangerous service allowed: Schedule (Task Scheduler)
>> Services: potentially dangerous service allowed: mnmsrvc (NetMeeting Remote Desktop Sharing)
>> Services: potentially dangerous service allowed: RDSessMgr (Remote Desktop Help Session Manager)
> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
>> Security: disk drives' autorun is enabled
>> Security: administrative shares (C$, D$ ...) are enabled
>> Security: anonymous user access is enabled
>> Security: sending Remote Assistant queries is enabled
Checking - complete
9. Troubleshooting wizard
 >>  HDD autorun are allowed
 >>  Autorun from network drives are allowed
 >>  Removable media autorun are allowed
Checking - complete
Files scanned: 476, extracted from archives: 0, malicious software found 0, suspicions - 0
Scanning finished at 7/17/2008 4:29:07 PM
Time of scanning: 00:00:54
If you have a suspicion on presence of viruses or questions on the suspected objects,
you can address http://virusinfo.info conference
System Analysis in progress


Script commands
 
Add commands to script:
Blocking hooks using Anti-Rootkit
Enable AVZGuard
BootCleaner - import list of deleted files
Registry cleanup after deleting files
BootCleaner - activate
Reboot
Insert template for QuarantineFile() - quarantining file
Insert template for BC_QrFile() - quarantining file via BootCleaner
Insert template for DeleteFile() - deleting file
Insert template for DelCLSID() - deleting CLSID item from registry
Additional operations:
Performance tweaking: disable service RemoteRegistry (Remote Registry)
Performance tweaking: disable service TermService (Terminal Services)
Performance tweaking: disable service SSDPSRV (SSDP Discovery Service)
Performance tweaking: disable service Schedule (Task Scheduler)
Performance tweaking: disable service mnmsrvc (NetMeeting Remote Desktop Sharing)
Performance tweaking: disable service RDSessMgr (Remote Desktop Help Session Manager)
Security tweaking: disable CD autorun
Security tweaking: disable administrative shares
Security tweaking: disable anonymous user access
Security: disable sending Remote Assistant queries

File list