AVZ 4.32 http://z-oleg.com/secur/avz/
| File name | PID | Description | Copyright | MD5 | Information
| c:\windows\system32\alg.exe | Script: Quarantine, Delete, Delete via BC, Terminate 2476 | Application Layer Gateway Service | © Microsoft Corporation. All rights reserved. | ?? | 43.50 kb, rsAh, | created: 2/28/2006 3:00:00 PM, modified: 4/14/2008 3:12:12 AM Command line: C:\windows\System32\alg.exe c:\documents and settings\king\my documents\downloads\compressed\avz4\avz4\avz.exe | Script: Quarantine, Delete, Delete via BC, Terminate 3020 | ???????????? ??????? AVZ | ???????????? ??????? AVZ | ?? | 733.00 kb, rsAh, | created: 9/13/2009 9:17:16 PM, modified: 8/21/2009 2:40:32 PM Command line: "C:\Documents and Settings\King\My Documents\Downloads\Compressed\avz4\avz4\avz.exe" c:\program files\eset\eset smart security\egui.exe | Script: Quarantine, Delete, Delete via BC, Terminate 312 | ESET GUI | Copyright (c) ESET 1992-2009. All rights reserved. | ?? | 1982.07 kb, rsAh, | created: 4/9/2009 3:17:56 PM, modified: 4/9/2009 3:17:56 PM Command line: "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice c:\program files\eset\eset smart security\ekrn.exe | Script: Quarantine, Delete, Delete via BC, Terminate 1988 | ESET Service | Copyright (c) ESET 1992-2009. All rights reserved. | ?? | 714.69 kb, rsAh, | created: 4/9/2009 3:19:08 PM, modified: 4/9/2009 3:19:08 PM Command line: "C:\Program Files\ESET\ESET Smart Security\ekrn.exe" c:\windows\explorer.exe | Script: Quarantine, Delete, Delete via BC, Terminate 1716 | Windows Explorer | © Microsoft Corporation. All rights reserved. | ?? | 1009.50 kb, rsAh, | created: 2/28/2006 3:00:00 PM, modified: 4/14/2008 3:12:19 AM Command line: C:\windows\Explorer.EXE c:\program files\internet download manager\idman.exe | Script: Quarantine, Delete, Delete via BC, Terminate 256 | Internet Download Manager (IDM) | Tonec Inc., Copyright © 1999 - 2009 | ?? | 3045.42 kb, rsAh, | created: 9/9/2009 12:53:04 PM, modified: 9/9/2009 4:21:22 PM Command line: "C:\Program Files\Internet Download Manager\IDMan.exe" /onboot c:\program files\internet download manager\iemonitor.exe | Script: Quarantine, Delete, Delete via BC, Terminate 2592 | Internet Download Manager agent for click monitoring in IE-based browsers | Tonec Inc., Copyright © 1999 - 2008 | ?? | 245.42 kb, rsAh, | created: 9/9/2009 12:52:59 PM, modified: 2/18/2008 4:01:01 PM Command line: "C:\Program Files\Internet Download Manager\IEMonitor.exe" c:\program files\java\jre6\bin\jqs.exe | Script: Quarantine, Delete, Delete via BC, Terminate 376 | Java(TM) Quick Starter Service | Copyright © 2004 | ?? | 149.78 kb, rsAh, | created: 9/10/2009 4:14:46 AM, modified: 7/25/2009 5:23:10 AM Command line: "C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf" c:\windows\system32\lsass.exe | Script: Quarantine, Delete, Delete via BC, Terminate 1040 | LSA Shell (Export Version) | © Microsoft Corporation. All rights reserved. | ?? | 13.00 kb, rsAh, | created: 2/28/2006 3:00:00 PM, modified: 4/14/2008 3:12:24 AM Command line: C:\windows\system32\lsass.exe c:\program files\common files\ahead\lib\nmbgmonitor.exe | Script: Quarantine, Delete, Delete via BC, Terminate 668 | Nero Home | Copyright (c) 1995-2006 Nero AG and its licensors | ?? | 140.00 kb, rsAh, | created: 12/23/2006 6:05:20 PM, modified: 12/23/2006 6:05:20 PM Command line: "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" c:\program files\common files\ahead\lib\nmindexingservice.exe | Script: Quarantine, Delete, Delete via BC, Terminate 2360 | Nero Home | Copyright (c) 1995-2006 Nero AG and its licensors | ?? | 256.00 kb, rsAh, | created: 12/23/2006 5:54:04 PM, modified: 12/23/2006 5:54:04 PM Command line: "C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe" c:\program files\common files\ahead\lib\nmindexstoresvr.exe | Script: Quarantine, Delete, Delete via BC, Terminate 1248 | Nero Home | Copyright (c) 1995-2006 Nero AG and its licensors | ?? | 884.00 kb, rsAh, | created: 12/23/2006 6:04:42 PM, modified: 12/23/2006 6:04:42 PM Command line: "C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe" -Embedding c:\program files\common files\real\update_ob\realsched.exe | Script: Quarantine, Delete, Delete via BC, Terminate 492 | RealNetworks Scheduler | Copyright © RealNetworks, Inc. 1995-2007 | ?? | 193.52 kb, rsAh, | created: 9/10/2009 5:08:16 AM, modified: 9/10/2009 5:08:16 AM Command line: "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot c:\windows\system32\svchost.exe | Script: Quarantine, Delete, Delete via BC, Terminate 1296 | Generic Host Process for Win32 Services | © Microsoft Corporation. All rights reserved. | ?? | 14.00 kb, rsAh, | created: 2/28/2006 3:00:00 PM, modified: 4/14/2008 3:12:36 AM Command line: C:\windows\system32\svchost -k rpcss c:\windows\system32\svchost.exe | Script: Quarantine, Delete, Delete via BC, Terminate 1360 | Generic Host Process for Win32 Services | © Microsoft Corporation. All rights reserved. | ?? | 14.00 kb, rsAh, | created: 2/28/2006 3:00:00 PM, modified: 4/14/2008 3:12:36 AM Command line: C:\windows\System32\svchost.exe -k netsvcs c:\windows\system32\svchost.exe | Script: Quarantine, Delete, Delete via BC, Terminate 1484 | Generic Host Process for Win32 Services | © Microsoft Corporation. All rights reserved. | ?? | 14.00 kb, rsAh, | created: 2/28/2006 3:00:00 PM, modified: 4/14/2008 3:12:36 AM Command line: C:\windows\system32\svchost.exe -k LocalService c:\program files\utorrent\utorrent.exe | Script: Quarantine, Delete, Delete via BC, Terminate 592 | µTorrent | ©2009 BitTorrent, Inc. All Rights Reserved. | ?? | 281.80 kb, rsAh, | created: 9/10/2009 4:21:21 AM, modified: 9/10/2009 4:21:21 AM Command line: "C:\Program Files\uTorrent\uTorrent.exe" Detected:31, recognized as trusted 26
| | |||||
| Module | Base address | Size in memory | Description | Manufacturer
| C:\windows\System32\Drivers\dump_atapi.sys | Script: Quarantine, Delete, Delete via BC F5BB0000 | 018000 (98304) |
| C:\windows\System32\Drivers\dump_WMILIB.SYS | Script: Quarantine, Delete, Delete via BC F7D92000 | 002000 (8192) |
| C:\windows\system32\DRIVERS\slnt.sys | Script: Quarantine, Delete, Delete via BC F7B58000 | 005000 (20480) | Silan 10/100M Network Driver | Copyright (C) Silan Micro-Electronics Inc. 1990-2003
| C:\windows\system32\Drivers\sptd.sys | Script: Quarantine, Delete, Delete via BC F775D000 | 0EA000 (958464) |
| Modules found - 116, recognized as trusted - 112
| | |||||||
| Service | Description | Status | File | Group | Dependencies
| NMIndexingService | Service: Stop, Delete, Disable NMIndexingService | Running | C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe | Script: Quarantine, Delete, Delete via BC | RPCSS
| ASKUpgrade | Service: Stop, Delete, Disable ASKUpgrade | Not started | C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe | Script: Quarantine, Delete, Delete via BC |
| NBService | Service: Stop, Delete, Disable NBService | Not started | C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe | Script: Quarantine, Delete, Delete via BC | RPCSS
| Detected - 94, recognized as trusted - 91
| | ||||||
| Service | Description | Status | File | Group | Dependencies
| slnt | Driver: Unload, Delete, Disable RTL8139D PCI Fast Ethernet Adapter | Running | C:\windows\system32\DRIVERS\slnt.sys | Script: Quarantine, Delete, Delete via BC NDIS |
| sptd | Driver: Unload, Delete, Disable sptd | Running | C:\windows\System32\Drivers\sptd.sys | Script: Quarantine, Delete, Delete via BC Boot Bus Extender |
| Abiosdsk | Driver: Unload, Delete, Disable Abiosdsk | Not started | Abiosdsk.sys | Script: Quarantine, Delete, Delete via BC Primary disk |
| abp480n5 | Driver: Unload, Delete, Disable abp480n5 | Not started | abp480n5.sys | Script: Quarantine, Delete, Delete via BC SCSI miniport |
| adpu160m | Driver: Unload, Delete, Disable adpu160m | Not started | adpu160m.sys | Script: Quarantine, Delete, Delete via BC SCSI miniport |
| Aha154x | Driver: Unload, Delete, Disable Aha154x | Not started | Aha154x.sys | Script: Quarantine, Delete, Delete via BC SCSI miniport |
| aic78u2 | Driver: Unload, Delete, Disable aic78u2 | Not started | aic78u2.sys | Script: Quarantine, Delete, Delete via BC SCSI miniport |
| aic78xx | Driver: Unload, Delete, Disable aic78xx | Not started | aic78xx.sys | Script: Quarantine, Delete, Delete via BC SCSI miniport |
| AliIde | Driver: Unload, Delete, Disable AliIde | Not started | AliIde.sys | Script: Quarantine, Delete, Delete via BC System Bus Extender |
| amsint | Driver: Unload, Delete, Disable amsint | Not started | amsint.sys | Script: Quarantine, Delete, Delete via BC SCSI miniport |
| asc | Driver: Unload, Delete, Disable asc | Not started | asc.sys | Script: Quarantine, Delete, Delete via BC SCSI miniport |
| asc3350p | Driver: Unload, Delete, Disable asc3350p | Not started | asc3350p.sys | Script: Quarantine, Delete, Delete via BC SCSI miniport |
| asc3550 | Driver: Unload, Delete, Disable asc3550 | Not started | asc3550.sys | Script: Quarantine, Delete, Delete via BC SCSI miniport |
| Atdisk | Driver: Unload, Delete, Disable Atdisk | Not started | Atdisk.sys | Script: Quarantine, Delete, Delete via BC Primary disk |
| cd20xrnt | Driver: Unload, Delete, Disable cd20xrnt | Not started | cd20xrnt.sys | Script: Quarantine, Delete, Delete via BC SCSI miniport |
| Changer | Driver: Unload, Delete, Disable Changer | Not started | Changer.sys | Script: Quarantine, Delete, Delete via BC Filter |
| CmdIde | Driver: Unload, Delete, Disable CmdIde | Not started | CmdIde.sys | Script: Quarantine, Delete, Delete via BC System Bus Extender |
| Cpqarray | Driver: Unload, Delete, Disable Cpqarray | Not started | Cpqarray.sys | Script: Quarantine, Delete, Delete via BC SCSI miniport |
| dac960nt | Driver: Unload, Delete, Disable dac960nt | Not started | dac960nt.sys | Script: Quarantine, Delete, Delete via BC SCSI miniport |
| dpti2o | Driver: Unload, Delete, Disable dpti2o | Not started | dpti2o.sys | Script: Quarantine, Delete, Delete via BC SCSI miniport |
| hpn | Driver: Unload, Delete, Disable hpn | Not started | hpn.sys | Script: Quarantine, Delete, Delete via BC SCSI miniport |
| i2omgmt | Driver: Unload, Delete, Disable i2omgmt | Not started | i2omgmt.sys | Script: Quarantine, Delete, Delete via BC SCSI Class |
| i2omp | Driver: Unload, Delete, Disable i2omp | Not started | i2omp.sys | Script: Quarantine, Delete, Delete via BC SCSI miniport |
| ini910u | Driver: Unload, Delete, Disable ini910u | Not started | ini910u.sys | Script: Quarantine, Delete, Delete via BC SCSI miniport |
| lbrtfdc | Driver: Unload, Delete, Disable lbrtfdc | Not started | lbrtfdc.sys | Script: Quarantine, Delete, Delete via BC System Bus Extender |
| mraid35x | Driver: Unload, Delete, Disable mraid35x | Not started | mraid35x.sys | Script: Quarantine, Delete, Delete via BC SCSI miniport |
| PCIDump | Driver: Unload, Delete, Disable PCIDump | Not started | PCIDump.sys | Script: Quarantine, Delete, Delete via BC PCI Configuration |
| PCIIde | Driver: Unload, Delete, Disable PCIIde | Not started | PCIIde.sys | Script: Quarantine, Delete, Delete via BC System Bus Extender |
| PDCOMP | Driver: Unload, Delete, Disable PDCOMP | Not started | PDCOMP.sys | Script: Quarantine, Delete, Delete via BC |
| PDFRAME | Driver: Unload, Delete, Disable PDFRAME | Not started | PDFRAME.sys | Script: Quarantine, Delete, Delete via BC |
| PDRELI | Driver: Unload, Delete, Disable PDRELI | Not started | PDRELI.sys | Script: Quarantine, Delete, Delete via BC |
| PDRFRAME | Driver: Unload, Delete, Disable PDRFRAME | Not started | PDRFRAME.sys | Script: Quarantine, Delete, Delete via BC |
| perc2 | Driver: Unload, Delete, Disable perc2 | Not started | perc2.sys | Script: Quarantine, Delete, Delete via BC SCSI miniport |
| perc2hib | Driver: Unload, Delete, Disable perc2hib | Not started | perc2hib.sys | Script: Quarantine, Delete, Delete via BC Filter |
| ql1080 | Driver: Unload, Delete, Disable ql1080 | Not started | ql1080.sys | Script: Quarantine, Delete, Delete via BC SCSI miniport |
| Ql10wnt | Driver: Unload, Delete, Disable Ql10wnt | Not started | Ql10wnt.sys | Script: Quarantine, Delete, Delete via BC SCSI miniport |
| ql12160 | Driver: Unload, Delete, Disable ql12160 | Not started | ql12160.sys | Script: Quarantine, Delete, Delete via BC SCSI miniport |
| ql1240 | Driver: Unload, Delete, Disable ql1240 | Not started | ql1240.sys | Script: Quarantine, Delete, Delete via BC SCSI miniport |
| ql1280 | Driver: Unload, Delete, Disable ql1280 | Not started | ql1280.sys | Script: Quarantine, Delete, Delete via BC SCSI miniport |
| Simbad | Driver: Unload, Delete, Disable Simbad | Not started | Simbad.sys | Script: Quarantine, Delete, Delete via BC Filter |
| Sparrow | Driver: Unload, Delete, Disable Sparrow | Not started | Sparrow.sys | Script: Quarantine, Delete, Delete via BC SCSI miniport |
| sym_hi | Driver: Unload, Delete, Disable sym_hi | Not started | sym_hi.sys | Script: Quarantine, Delete, Delete via BC SCSI miniport |
| sym_u3 | Driver: Unload, Delete, Disable sym_u3 | Not started | sym_u3.sys | Script: Quarantine, Delete, Delete via BC SCSI miniport |
| symc810 | Driver: Unload, Delete, Disable symc810 | Not started | symc810.sys | Script: Quarantine, Delete, Delete via BC SCSI miniport |
| symc8xx | Driver: Unload, Delete, Disable symc8xx | Not started | symc8xx.sys | Script: Quarantine, Delete, Delete via BC SCSI miniport |
| TosIde | Driver: Unload, Delete, Disable TosIde | Not started | TosIde.sys | Script: Quarantine, Delete, Delete via BC System Bus Extender |
| ultra | Driver: Unload, Delete, Disable ultra | Not started | ultra.sys | Script: Quarantine, Delete, Delete via BC SCSI miniport |
| ViaIde | Driver: Unload, Delete, Disable ViaIde | Not started | ViaIde.sys | Script: Quarantine, Delete, Delete via BC System Bus Extender |
| WDICA | Driver: Unload, Delete, Disable WDICA | Not started | WDICA.sys | Script: Quarantine, Delete, Delete via BC |
| Detected - 166, recognized as trusted - 117
| | ||||||
| File name | Status | Startup method | Description
| C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe | Script: Quarantine, Delete, Delete via BC Active | Registry key | HKEY_CURRENT_USER, Software\Microsoft\Windows\CurrentVersion\Run, BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} | Delete C:\Program Files\Common Files\Real\Update_OB\realsched.exe | Script: Quarantine, Delete, Delete via BC Active | Registry key | HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, TkBellExe | Delete C:\Program Files\ESET\ESET Smart Security\NodEnabler\NodEnabler.exe | Script: Quarantine, Delete, Delete via BC Active | Registry key | HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, NodEnabler | Delete C:\Program Files\Internet Download Manager\IDMan.exe | Script: Quarantine, Delete, Delete via BC Active | Registry key | HKEY_CURRENT_USER, Software\Microsoft\Windows\CurrentVersion\Run, IDMan | Delete C:\Program Files\Nero\Nero 7\Nero Home\NeroHome.exe | Script: Quarantine, Delete, Delete via BC Active | Shortcut in Startup folder | C:\Documents and Settings\King\Application Data\Microsoft\Internet Explorer\Quick Launch\, C:\Documents and Settings\King\Application Data\Microsoft\Internet Explorer\Quick Launch\Nero Home Essentials SE.lnk,
| C:\Program Files\Nero\Nero 7\Nero StartSmart\NeroStartSmart.exe | Script: Quarantine, Delete, Delete via BC Active | Shortcut in Startup folder | C:\Documents and Settings\King\Application Data\Microsoft\Internet Explorer\Quick Launch\, C:\Documents and Settings\King\Application Data\Microsoft\Internet Explorer\Quick Launch\Nero StartSmart Essentials.lnk,
| C:\Program Files\QuickTime\QuickTimePlayer.exe | Script: Quarantine, Delete, Delete via BC Active | Shortcut in Startup folder | C:\Documents and Settings\King\Application Data\Microsoft\Internet Explorer\Quick Launch\, C:\Documents and Settings\King\Application Data\Microsoft\Internet Explorer\Quick Launch\QuickTime Player.lnk,
| C:\windows\System32\hidserv.dll | Script: Quarantine, Delete, Delete via BC Active | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\HidServ\Parameters, ServiceDll | Delete C:\windows\System32\igmpv2.dll | Script: Quarantine, Delete, Delete via BC Active | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\IGMPv2, EventMessageFile | Delete C:\windows\System32\ipbootp.dll | Script: Quarantine, Delete, Delete via BC Active | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\IPBOOTP, EventMessageFile | Delete C:\windows\System32\iprip2.dll | Script: Quarantine, Delete, Delete via BC Active | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\IPRIP2, EventMessageFile | Delete C:\windows\System32\ospf.dll | Script: Quarantine, Delete, Delete via BC Active | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\OSPF, EventMessageFile | Delete C:\windows\System32\ospfmib.dll | Script: Quarantine, Delete, Delete via BC Active | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\OSPFMib, EventMessageFile | Delete C:\windows\System32\polagent.dll | Script: Quarantine, Delete, Delete via BC Active | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\PolicyAgent, EventMessageFile | Delete C:\windows\System32\tssdis.exe | Script: Quarantine, Delete, Delete via BC Active | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\TermServSessDir, EventMessageFile | Delete C:\windows\system32\MsSip1.dll | Script: Quarantine, Delete, Delete via BC Active | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\WinTrust\SubjectPackages\MS Subjects 1, $DLL | Delete C:\windows\system32\MsSip2.dll | Script: Quarantine, Delete, Delete via BC Active | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\WinTrust\SubjectPackages\MS Subjects 2, $DLL | Delete C:\windows\system32\MsSip3.dll | Script: Quarantine, Delete, Delete via BC Active | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\WinTrust\SubjectPackages\MS Subjects 3, $DLL | Delete C:\windows\system32\psxss.exe | Script: Quarantine, Delete, Delete via BC -- | Registry key | HKEY_LOCAL_MACHINE, System\CurrentControlSet\Control\Session Manager\SubSystems, Posix
| C:\windows\system32\stisvc.exe | Script: Quarantine, Delete, Delete via BC Active | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System, EventMessageFile | Delete C:\windows\system32\xvidvfw.dll | Script: Quarantine, Delete, Delete via BC Active | Registry key | HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\Drivers32, VIDC.XVID | Delete kbd101.dll | Script: Quarantine, Delete, Delete via BC Active | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\i8042prt\Parameters, LayerDriver JPN | Delete kbd101a.dll | Script: Quarantine, Delete, Delete via BC Active | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\i8042prt\Parameters, LayerDriver KOR | Delete mvfs32.dll | Script: Quarantine, Delete, Delete via BC Active | Registry key | HKEY_USERS, .DEFAULT\Control Panel\IOProcs, MVB | Delete mvfs32.dll | Script: Quarantine, Delete, Delete via BC Active | Registry key | HKEY_USERS, S-1-5-19\Control Panel\IOProcs, MVB | Delete mvfs32.dll | Script: Quarantine, Delete, Delete via BC Active | Registry key | HKEY_USERS, S-1-5-20\Control Panel\IOProcs, MVB | Delete mvfs32.dll | Script: Quarantine, Delete, Delete via BC Active | Registry key | HKEY_USERS, S-1-5-18\Control Panel\IOProcs, MVB | Delete mvfs32.dll | Script: Quarantine, Delete, Delete via BC Active | Registry key | HKEY_CURRENT_USER, Control Panel\IOProcs, MVB | Delete vgafix.fon | Script: Quarantine, Delete, Delete via BC Active | Registry key | HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\WOW\boot, fixedfon.fon | Delete vgaoem.fon | Script: Quarantine, Delete, Delete via BC Active | Registry key | HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\WOW\boot, oemfonts.fon | Delete vgasys.fon | Script: Quarantine, Delete, Delete via BC Active | Registry key | HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\WOW\boot, fonts.fon | Delete Autoruns items found - 532, recognized as trusted - 501
| | ||||||
| File name | Type | Description | Manufacturer | CLSID
| C:\Program Files\Internet Download Manager\IDMIECC.dll | Script: Quarantine, Delete, Delete via BC BHO | IDM BHO Module | Tonec Inc., Copyright © 1999 - 2009 | {0055C089-8582-441B-A0BF-17B458C2A3A8} | Delete C:\Program Files\AskBarDis\bar\bin\askBar.dll | Script: Quarantine, Delete, Delete via BC BHO | Ask.com Toolbar | Copyright © 2008 Ask.com | {201f27d4-3704-41d6-89c1-aa35e39143ed} | Delete C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll | Script: Quarantine, Delete, Delete via BC BHO | RealPlayer Download and Record Plugin | Copyright © RealNetworks, Inc. 1995-2007 | {3049C3E9-B461-4BC5-8870-4C09146192CA} | Delete C:\Program Files\AskBarDis\bar\bin\askBar.dll | Script: Quarantine, Delete, Delete via BC Toolbar | Ask.com Toolbar | Copyright © 2008 Ask.com | {3041d03e-fd4b-44e0-b742-2d9b88305f98} | Delete C:\Program Files\AskSearch\bin\DefaultSearch.dll | Script: Quarantine, Delete, Delete via BC URLSearchHook | DefaultSearch Module | Copyright 2008 | {C94E154B-1459-4A47-966B-4B843BEFC7DB} | Delete Items found - 12, recognized as trusted - 7
| | ||||||
| File name | Destination | Description | Manufacturer | CLSID
| deskpan.dll | Script: Quarantine, Delete, Delete via BC Display Panning CPL Extension | {42071714-76d4-11d1-8b24-00a0c9068ff3} | Delete Shell extensions for file compression | {764BF0E1-F219-11ce-972D-00AA00A14F56} | Delete Encryption Context Menu | {853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} | Delete Taskbar and Start Menu | {0DF44EAA-FF21-4412-828E-260A8728E7F1} | Delete rundll32.exe C:\windows\system32\shimgvw.dll,ImageView_COMServer {00E7B358-F65B-4dcf-83DF-CD026B94BFD4} | Script: Quarantine, Delete, Delete via BC Autoplay for SlideShow | {00E7B358-F65B-4dcf-83DF-CD026B94BFD4} | Delete User Accounts | {7A9D77BD-5403-11d2-8785-2E0420524153} | Delete C:\Program Files\Real\RealPlayer\rpshell.dll | Script: Quarantine, Delete, Delete via BC Shell Extensions for RealOne Player | RealPlayer Shell Extensions | Copyright © RealNetworks, Inc. 2001-2007 | {F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} | Delete IE User Assist | {FAC3CBF6-8697-43d0-BAB9-DCD1FCE19D75} | Delete Items found - 211, recognized as trusted - 203
| | |||||||||||||||||||||||||
| File name | Type | Name | Description | Manufacturer
| Items found - 7, recognized as trusted - 7
| | ||||||
| File name | Job name | Job state | Description | Manufacturer
| Items found - 3, recognized as trusted - 3
| | ||||||
| Manufacturer | Status | EXE file | Description | GUID
| Detected - 3, recognized as trusted - 3
| | ||||||
| Manufacturer | EXE file | Description
| IDM_LAYERED_MSAFD Tcpip [TCP/IP] | C:\WINDOWS\system32\idmmbc.dll | Script: Quarantine, Delete, Delete via BC Tonec Inc., Copyright © 1999 - 2009
| IDM_LAYERED_MSAFD Tcpip [UDP/IP] | C:\WINDOWS\system32\idmmbc.dll | Script: Quarantine, Delete, Delete via BC Tonec Inc., Copyright © 1999 - 2009
| IDM_LAYERED_MSAFD Tcpip [RAW/IP] | C:\WINDOWS\system32\idmmbc.dll | Script: Quarantine, Delete, Delete via BC Tonec Inc., Copyright © 1999 - 2009
| IDM_LAYERED_RSVP UDP Service Provider | C:\WINDOWS\system32\idmmbc.dll | Script: Quarantine, Delete, Delete via BC Tonec Inc., Copyright © 1999 - 2009
| IDM_LAYERED_RSVP TCP Service Provider | C:\WINDOWS\system32\idmmbc.dll | Script: Quarantine, Delete, Delete via BC Tonec Inc., Copyright © 1999 - 2009
| IDM_LP | C:\WINDOWS\system32\idmmbc.dll | Script: Quarantine, Delete, Delete via BC Tonec Inc., Copyright © 1999 - 2009
| Detected - 17, recognized as trusted - 11
| | ||||||
| File name | Description | Manufacturer | CLSID | Source URL
| Items found - 4, recognized as trusted - 4
| | ||||||
| File name | Description | Manufacturer
| Items found - 26, recognized as trusted - 26
| | ||||||
| File name | Description | Manufacturer | CLSID
| Items found - 14, recognized as trusted - 14
| | ||||||
Hosts file record
|
| File name | Type | Description | Manufacturer | CLSID
| Items found - 25, recognized as trusted - 25
| | ||||||
| File | Description | Type
| C:\windows\system32\Drivers\sptd.sys | Script: Quarantine, Delete, Delete via BC Suspicion for Rootkit | Kernel-mode hook
| C:\Program Files\Real\RealPlayer\browserrecord\chrome\hook\rpchromebrowserrecordhelper.dll | Script: Quarantine, Delete, Delete via BC Suspicion for Keylogger | Suspicion for Keylogger or Trojan DLL
| |
AVZ Antiviral Toolkit log; AVZ version is 4.32 Scanning started at 9/13/2009 9:51:03 PM Database loaded: signatures - 241239, NN profile(s) - 2, malware removal microprograms - 56, signature database released 12.09.2009 22:24 Heuristic microprograms loaded: 374 PVS microprograms loaded: 9 Digital signatures of system files loaded: 139608 Heuristic analyzer mode: Maximum heuristics mode Malware removal mode: disabled Windows version is: 5.1.2600, Service Pack 3 ; AVZ is run with administrator rights System Restore: enabled 1. Searching for Rootkits and other software intercepting API functions 1.1 Searching for user-mode API hooks Analysis: kernel32.dll, export table found in section .text Analysis: ntdll.dll, export table found in section .text Analysis: user32.dll, export table found in section .text Analysis: advapi32.dll, export table found in section .text Analysis: ws2_32.dll, export table found in section .text Analysis: wininet.dll, export table found in section .text Analysis: rasapi32.dll, export table found in section .text Analysis: urlmon.dll, export table found in section .text Analysis: netapi32.dll, export table found in section .text 1.2 Searching for kernel-mode API hooks Driver loaded successfully SDT found (RVA=083220) Kernel ntoskrnl.exe found in memory at address 804D7000 SDT = 8055A220 KiST = 804E26A8 (284) Function NtAssignProcessToJobObject (13) intercepted (805A24CA->83113630), hook not defined Function NtCreateKey (29) intercepted (8057065D->F775E0D0), hook C:\windows\system32\Drivers\sptd.sys Function NtEnumerateKey (47) intercepted (80570D64->F7763FB2), hook C:\windows\system32\Drivers\sptd.sys Function NtEnumerateValueKey (49) intercepted (80590677->F7764340), hook C:\windows\system32\Drivers\sptd.sys Function NtOpenKey (77) intercepted (80568D59->F775E0B0), hook C:\windows\system32\Drivers\sptd.sys Function NtOpenProcess (7A) intercepted (805717C7->83112A60), hook not defined Function NtOpenThread (80) intercepted (8058A1C9->83112E80), hook not defined Function NtQueryKey (A0) intercepted (80570A6D->F7764418), hook C:\windows\system32\Drivers\sptd.sys Function NtQueryValueKey (B1) intercepted (8056A1F2->F7764298), hook C:\windows\system32\Drivers\sptd.sys Function NtSetValueKey (F7) intercepted (80572889->F77644AA), hook C:\windows\system32\Drivers\sptd.sys Function NtSuspendProcess (FD) intercepted (8062F8F9->83113460), hook not defined Function NtSuspendThread (FE) intercepted (805E046E->83113280), hook not defined Function NtTerminateProcess (101) intercepted (805822EC->83112C90), hook not defined Function NtTerminateThread (102) intercepted (8057B88F->831130B0), hook not defined Functions checked: 284, intercepted: 14, restored: 0 1.3 Checking IDT and SYSENTER Analyzing CPU 1 Checking IDT and SYSENTER - complete 1.4 Searching for masking processes and drivers Checking not performed: extended monitoring driver (AVZPM) is not installed Driver loaded successfully 1.5 Checking IRP handlers \FileSystem\ntfs[IRP_MJ_CREATE] = 837DC1E8 -> hook not defined \FileSystem\ntfs[IRP_MJ_CLOSE] = 837DC1E8 -> hook not defined \FileSystem\ntfs[IRP_MJ_WRITE] = 837DC1E8 -> hook not defined \FileSystem\ntfs[IRP_MJ_QUERY_INFORMATION] = 837DC1E8 -> hook not defined \FileSystem\ntfs[IRP_MJ_SET_INFORMATION] = 837DC1E8 -> hook not defined \FileSystem\ntfs[IRP_MJ_QUERY_EA] = 837DC1E8 -> hook not defined \FileSystem\ntfs[IRP_MJ_SET_EA] = 837DC1E8 -> hook not defined \FileSystem\ntfs[IRP_MJ_QUERY_VOLUME_INFORMATION] = 837DC1E8 -> hook not defined \FileSystem\ntfs[IRP_MJ_SET_VOLUME_INFORMATION] = 837DC1E8 -> hook not defined \FileSystem\ntfs[IRP_MJ_DIRECTORY_CONTROL] = 837DC1E8 -> hook not defined \FileSystem\ntfs[IRP_MJ_FILE_SYSTEM_CONTROL] = 837DC1E8 -> hook not defined \FileSystem\ntfs[IRP_MJ_DEVICE_CONTROL] = 837DC1E8 -> hook not defined \FileSystem\ntfs[IRP_MJ_LOCK_CONTROL] = 837DC1E8 -> hook not defined \FileSystem\ntfs[IRP_MJ_QUERY_SECURITY] = 837DC1E8 -> hook not defined \FileSystem\ntfs[IRP_MJ_SET_SECURITY] = 837DC1E8 -> hook not defined \FileSystem\ntfs[IRP_MJ_PNP] = 837DC1E8 -> hook not defined Checking - complete 2. Scanning RAM Number of processes found: 31 Extended process analysis: 492 C:\Program Files\Common Files\Real\Update_OB\realsched.exe [ES]:Application has no visible windows [ES]:Registered for automatic startup !! Extended process analysis: 668 C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe [ES]:Program code includes networking-related functionality [ES]:Application has no visible windows [ES]:Registered for automatic startup !! Extended process analysis: 1248 C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe [ES]:Program code includes networking-related functionality [ES]:Application has no visible windows Extended process analysis: 2360 C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe [ES]:Program code includes networking-related functionality [ES]:Application has no visible windows Number of modules loaded: 327 Scanning RAM - complete 3. Scanning disks 4. Checking Winsock Layered Service Provider (SPI/LSP) LSP settings checked. No errors detected 5. Searching for keyboard/mouse/windows events hooks (Keyloggers, Trojan DLLs) C:\Program Files\Real\RealPlayer\browserrecord\chrome\hook\rpchromebrowserrecordhelper.dll --> Suspicion for Keylogger or Trojan DLL C:\Program Files\Real\RealPlayer\browserrecord\chrome\hook\rpchromebrowserrecordhelper.dll>>> Behaviour analysis 1. Reacts to events: keyboard, mouse C:\Program Files\Real\RealPlayer\browserrecord\chrome\hook\rpchromebrowserrecordhelper.dll>>> Neural net: file is 0.00% like a typical keyboard/mouse events interceptor Note: Do NOT delete suspicious files, send them for analysis (see FAQ for more details), because there are lots of useful hooking DLLs 6. Searching for opened TCP/UDP ports used by malicious software Checking - disabled by user 7. Heuristic system check Checking - complete 8. Searching for vulnerabilities >> Services: potentially dangerous service allowed: RemoteRegistry (Remote Registry) >> Services: potentially dangerous service allowed: TermService (Terminal Services) >> Services: potentially dangerous service allowed: SSDPSRV (SSDP Discovery Service) >> Services: potentially dangerous service allowed: Alerter (Alerter) >> Services: potentially dangerous service allowed: Schedule (Task Scheduler) >> Services: potentially dangerous service allowed: mnmsrvc (NetMeeting Remote Desktop Sharing) >> Services: potentially dangerous service allowed: RDSessMgr (Remote Desktop Help Session Manager) > Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)! >> Security: disk drives' autorun is enabled >> Security: administrative shares (C$, D$ ...) are enabled >> Security: anonymous user access is enabled >> Security: sending Remote Assistant queries is enabled Checking - complete 9. Troubleshooting wizard >> HDD autorun is allowed >> Network drives autorun is allowed >> Removable media autorun is allowed Checking - complete Files scanned: 358, extracted from archives: 0, malicious software found 0, suspicions - 0 Scanning finished at 9/13/2009 9:52:02 PM Time of scanning: 00:01:02 If you have a suspicion on presence of viruses or questions on the suspected objects, you can address http://virusinfo.info conference System Analysis in progressAdd commands to script:
Script commands