AVZ 4.35 http://z-oleg.com/secur/avz/
File name | PID | Description | Copyright | MD5 | Information
c:\program files\alwil software\avast5\avastsvc.exe | 1824 | avast! Service | Copyright (c) 2010 AVAST Software | ?? | 39.44 kb, rsAh, created: 03.05.2010 10:26:43, modified: 13.01.2011 16:47:33, Command line: "C:\Program Files\Alwil Software\Avast5\AvastSvc.exe"
c:\program files\divx\divx plus web player\ddmservice.exe | 3976 | DivX Download Manager Service | © 2010 Sonic Solutions. All rights reserved. | ?? | 61.88 kb, rsAh, created: 09.12.2010 05:15:44, modified: 09.12.2010 05:15:44, Command line: "C:\Program Files\DivX\DivX Plus Web Player\DDMService.exe" start
c:\program files\hp\digital imaging\bin\hpqste08.exe | 3504 | HP CUE Status Root | Copyright (C) Hewlett-Packard Co. 1995-2008 | ?? | 180.00 kb, rsAh, created: 25.03.2008 20:49:02, modified: 25.03.2008 20:49:02, Command line: "C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe" -CtxID "#Hewlett-Packard#HP Deskjet D2400 series#1230986506" -Startup
c:\program files\hp\digital imaging\bin\hpqtra08.exe | 2684 | HP Digital Imaging Monitor | Copyright (C) Hewlett-Packard Co. 1995-2008 | ?? | 209.34 kb, rsAh, created: 25.03.2008 20:40:42, modified: 25.03.2008 20:40:42, Command line: "C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe"
c:\program files\itunes\ituneshelper.exe | 3268 | iTunesHelper | © 2003-2011 Apple Inc. All rights reserved. | ?? | 411.29 kb, rsAh, created: 14.04.2011 11:32:28, modified: 14.04.2011 11:32:28, Command line: "C:\Program Files\iTunes\iTunesHelper.exe"
c:\program files\iwin games\iwintrusted.exe | 2492 | iWin Trusted Games Service | Copyright (C) iWin Inc. 2006 | ?? | 172.27 kb, rsAh, created: 27.09.2010 23:36:24, modified: 27.09.2010 23:36:24, Command line: "C:\Program Files\iWin Games\iWinTrusted.exe"
c:\program files\microsoft office\office12\onenotem.exe | 856 | Microsoft Office OneNote Quick Launcher | © 2006 Microsoft Corporation. All rights reserved. | ?? | 95.39 kb, rsAh, created: 26.02.2009 15:24:50, modified: 26.02.2009 15:24:50, Command line: "C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE" /tsr
c:\users\† jeffrey †\appdata\local\rockmelt\update\1.2.189.1\rockmeltcrashhandler.exe | 3564 | RockMelt Installer | Copyright 2009 RockMelt Inc. | ?? | 133.14 kb, rsAh, created: 19.01.2011 16:23:45, modified: 19.01.2011 16:23:41, Command line: "C:\Users\† JeFFreY †\AppData\Local\RockMelt\Update\1.2.189.1\RockMeltCrashHandler.exe" /crashhandler
c:\program files\safari\safari.exe | 4556 | Safari | Copyright Apple Inc. 2007-2011 | ?? | 2332.29 kb, rsAh, created: 21.03.2011 20:10:48, modified: 21.03.2011 20:10:48, Command line: "C:\Program Files\Safari\Safari.exe"
c:\windows\system32\spoolsv.exe | 872 | Spooler SubSystem App | © Microsoft Corporation. All rights reserved. | ?? | 125.00 kb, rsAh, created: 15.09.2010 18:49:45, modified: 17.08.2010 22:11:37, Command line: C:\Windows\System32\spoolsv.exe
c:\program files\yahoo!\messenger\ymsgr_tray.exe | 2500 | Yahoo! Messenger Tray | (c) 1997-2009 Yahoo! Inc. All rights reserved. | ?? | 77.30 kb, rsAh, created: 30.12.2008 21:13:32, modified: 01.06.2010 10:17:50, Command line: "C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe" "C:\Program Files\Yahoo!\Messenger\resources\en-US\ -ymsgr
Detected: 79, recognized as trusted 75

Module name | Handle | Description | Copyright | MD5 | Used by processes
C:\Program Files\Alwil Software\Avast5\defs\11060101\algo.dll | 1665138688 | | | -- | 1824
C:\Program Files\Alwil Software\Avast5\defs\11060101\arPot.dll | 1672609792 | ArPot usermode dll component | Copyright (C) 2010 AVAST Software | -- | 1824
C:\Program Files\Common Files\Apple\Apple Application Support\WebKit.dll | 1679228928 | WebKit Dynamic Link Library | Copyright Apple Inc. 2003-2011 | -- | 4556
C:\Program Files\DivX\DivX Plus Web Player\DivXDownloadManager.dll | 268435456 | DivX Download Manager | © 2010 Sonic Solutions. All rights reserved. | -- | 3976
C:\Program Files\HP\Digital Imaging\bin\hpqsem08.rsc | 42598400 | Combined resource DLL | Copyright (C) Hewlett-Packard Co. 1995-2008 | -- | 3504
C:\Program Files\HP\Digital Imaging\bin\hpqstv08.rsc | 13303808 | Combined resource DLL | Copyright (C) Hewlett-Packard Co. 1995-2008 | -- | 3504
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.rsc | 352321536 | CUE TrayApp Combined resource DLL | Copyright (C) Hewlett-Packard Co. 1995-2008 | -- | 2684
C:\Program Files\iTunes\iTunesHelper.Resources\en.lproj\iTunesHelperLocalized.DLL | 1961033728 | iTunesHelper Resource Library | © 2003-2011 Apple Inc. All rights reserved. | -- | 3268
C:\Program Files\Microsoft Office\Office12\1033\ONINTL.DLL | 1784020992 | Microsoft Office OneNote International Resources | © 2006 Microsoft Corporation. All rights reserved. | -- | 856
C:\Program Files\Safari\Safari.dll | 35061760 | Safari Dynamic Link Library | Copyright Apple Inc. 2007-2011 | -- | 4556
C:\Program Files\Safari\SpellChecker.dll | 1677393920 | SpellChecker Dynamic Link Library | Copyright Apple Inc. 2007-2010 | -- | 4556
C:\Program Files\Yahoo!\Messenger\resources\en-US\res_msgr.dll | 1694498816 | Resource Module | (c) 1997-2009 Yahoo! Inc. All rights reserved. | -- | 2500
C:\Program Files\Yahoo!\Messenger\yui.dll | 1632108544 | yui Dynamic Link Library | Copyright (C) 2007 Yahoo! Inc. | -- | 2500
C:\Users\† JeFFreY †\AppData\Local\RockMelt\Update\1.2.189.1\rmupdate.dll | 402653184 | RockMelt Update | Copyright 2010 RockMelt Inc. | -- | 3564
C:\Windows\system32\dnssd.dll | 1950154752 | Bonjour Client Library | Copyright (C) 2003-2010 Apple Inc. | -- | 4556
C:\Windows\System32\hpzll64X.dll | 1889665024 | LanguageMonitor | Copyright (C) 1999 | -- | 872
Modules found: 577, recognized as trusted 561

Module | Base address | Size in memory | Description | Manufacturer
C:\Windows\System32\Drivers\dump_iaStor.sys | 8C910000 | 0C7000 (815104) | |
C:\Windows\System32\Drivers\spzr.sys | 80689000 | 101000 (1052672) | |
Modules found - 141, recognized as trusted - 139

File name | Status | Startup method | Description
C:\Program Files\Alwil Software\Avast4\aswRes.dll | -- | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Antivirus\avast!, EventMessageFile
C:\Program Files\DivX\DivX Plus Web Player\DDmService.exe | Active | Registry key | HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, DivX Download Manager
C:\Program Files\Pando Networks\Media Booster\PMB.cpl | Active | Registry key | HKEY_LOCAL_MACHINE, SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cpls, Pando
C:\Program Files\ProcessTamer\ProcessTamerTray.exe | Active | Registry key | HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, ProcessTamer
C:\Users\† JeFFreY †\AppData\Local\RockMelt\Application\rockmelt.exe | Active | Shortcut in Startup folder | C:\Users\† JeFFreY †\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\, C:\Users\† JeFFreY †\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\RockMelt.lnk,
C:\Users\† JeFFreY †\AppData\Local\RockMelt\Update\RockMeltUpdate.exe | Active | Registry key | HKEY_CURRENT_USER, Software\Microsoft\Windows\CurrentVersion\Run, RockMelt Update
C:\Users\† JeFFreY †\AppData\Local\Temp\NEventMessages.dll | -- | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Nokia M Platform, EventMessageFile
C:\Users\† JeFFreY †\AppData\Local\Temp\NEventMessages.dll | -- | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Nokia Software Installer, EventMessageFile
C:\Users\† JeFFreY †\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Shows Desktop.lnk | Active | File in Startup folder | C:\Users\† JeFFreY †\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\, C:\Users\† JeFFreY †\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Shows Desktop.lnk,
C:\Users\† JeFFreY †\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Window Switcher.lnk | Active | File in Startup folder | C:\Users\† JeFFreY †\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\, C:\Users\† JeFFreY †\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Window Switcher.lnk,
C:\WindowsSystem32\IoLogMsg.dll | -- | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\vsmraid, EventMessageFile
C:\Windows\SoftwareDistribution\Download\Install\WGAER_M.exe | -- | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\WGA Scanner, EventMessageFile
C:\Windows\System32\appmgmts.dll | Active | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\AppMgmt\Parameters, ServiceDll
C:\Windows\System32\igmpv2.dll | -- | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\IGMPv2, EventMessageFile
C:\Windows\System32\ipbootp.dll | -- | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\IPBOOTP, EventMessageFile
C:\Windows\System32\iprip2.dll | -- | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\IPRIP2, EventMessageFile
C:\Windows\System32\ws03res.dll | -- | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\IPNATHLP, EventMessageFile
C:\Windows\system32\psxss.exe | -- | Registry key | HKEY_LOCAL_MACHINE, System\CurrentControlSet\Control\Session Manager\SubSystems, Posix
SDEvents.dll | -- | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Spybot - Search & Destroy 2, EventMessageFile
c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe | Active | Registry key | HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, HP Health Check Scheduler
progman.exe | Active | Registry key | HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\WOW\boot, shell
rdpclip | Active | Registry key | HKEY_LOCAL_MACHINE, System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd, StartupPrograms
vgafix.fon | Active | Registry key | HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\WOW\boot, fixedfon.fon
vgaoem.fon | Active | Registry key | HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\WOW\boot, oemfonts.fon
vgasys.fon | Active | Registry key | HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\WOW\boot, fonts.fon
Autoruns items found - 820, recognized as trusted - 795

File name | Type | Description | Manufacturer | CLSID
C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll | BHO | Yahoo! Toolbar | (c) Yahoo! Inc. All rights reserved. | {02478D38-C3F9-4efb-9B51-7695ECA05670}
BHO | {30F9B915-B755-4826-820B-08FBA6BD249D}
BHO | {A1056498-D09A-41E4-864B-505EDD640D9E}
c:\program files\google\googletoolbar1.dll | BHO | Google IE Client Toolbar | Copyright © 2000-2006 | {AA58ED58-01DD-4d91-8333-CF10577473F7}
BHO | {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}
C:\Program Files\Yahoo!\Companion\Installs\cpn3\YTSingleInstance.dll | BHO | Yahoo! Single Instance for Mail | (c) Yahoo! Inc. All rights reserved. | {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}
c:\program files\google\googletoolbar1.dll | Toolbar | Google IE Client Toolbar | Copyright © 2000-2006 | {2318C2B1-4965-11d4-9B18-009027A5CD4F}
C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll | Toolbar | Yahoo! Toolbar | (c) Yahoo! Inc. All rights reserved. | {EF99BD32-C1FB-11D2-892F-0090271D4F88}
Toolbar | {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC}
Extension module | {0000036B-C524-4050-81A0-243669A86B9F}
Extension module | {219C3416-8CB2-491a-A3C7-D9FCDDC9D600}
Extension module | {2670000A-7350-4f3c-8081-5663EE0C6C49}
Extension module | {92780B25-18CC-41C8-B9BE-3C9C571A8263}
Extension module | {DFB852A3-47F8-48C4-A200-58CAB36FD2A2}
URLSearchHook | {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}
C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll | URLSearchHook | Yahoo! Toolbar | (c) Yahoo! Inc. All rights reserved. | {EF99BD32-C1FB-11D2-892F-0090271D4F88}
C:\Program Files\Yahoo!\Companion\Installs\cpn3\YTNavAssist.dll | URLSearchHook | Yahoo! Toolbar Nav Assistant plugin | (c) Yahoo! Inc. All rights reserved. | {81017EA9-9AA8-4A6A-9734-7AF40E7D593F}
Items found - 36, recognized as trusted - 19

File name | Destination | Description | Manufacturer | CLSID
IE User Assist | {FAC3CBF6-8697-43d0-BAB9-DCD1FCE19D75}
Color Control Panel Applet | {b2c761c6-29bc-4f19-9251-e6195265baf1}
Add New Hardware | {7A979262-40CE-46ff-AEEE-7884AC3B6136}
Get Programs Online | {3e7efb4c-faf1-453d-89eb-56026875ef90}
Taskbar and Start Menu | {0DF44EAA-FF21-4412-828E-260A8728E7F1}
ActiveDirectory Folder | {1b24a030-9b20-49bc-97ac-1be4426f9e59}
ActiveDirectory Folder | {34449847-FD14-4fc8-A75A-7432F5181EFB}
Sam Account Folder | {C8494E42-ACDD-4739-B0FB-217361E4894F}
Sam Account Folder | {E29F9716-5C08-4FCD-955A-119FDB5A522D}
Control Panel command object for Start menu | {5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}
Default Programs command object for Start menu | {E44E5D18-0652-4508-A4E2-8A090067BCB0}
Folder Options | {6dfd7c5c-2451-11d3-a299-00c04f8ef6af}
Explorer Query Band | {2C2577C2-63A7-40e3-9B7F-586602617ECB}
View Available Networks | {38a98528-6cbf-4ca9-8dc0-b1e1d10f7b1b}
Contacts folder | {0F8604A5-4ECE-4DE1-BA7D-CF10F8AA4F48}
Windows Firewall | {4026492f-2f69-46b8-b9bf-5654fc07e423}
Problem Reports and Solutions | {fcfeecae-ee1b-4849-ae50-685dcf7717ec}
iSCSI Initiator | {a304259d-52b8-4526-8b1a-a1d6cecc8243}
.cab or .zip files | {911051fa-c21c-4246-b470-070cd8df6dc4}
Windows Search Shell Service | {da67b8ad-e81b-4c70-9b91b417b5e33527}
Microsoft.ScannersAndCameras | {00f2886f-cd64-4fc9-8ec5-30ef6cdbe8c3}
Windows Sidebar Properties | {37efd44d-ef8d-41b1-940d-96973a50e9e0}
Windows Features | {67718415-c450-4f3c-bf8a-b487642dc39b}
Windows Defender | {d8559eb9-20c0-410e-beda-7ed416aecc2a}
Mobility Center Control Panel | {5ea4f148-308c-46d7-98a9-49041b1dd468}
User Accounts | {7A9D77BD-5403-11d2-8785-2E0420524153}
7-Zip Shell Extension | {23170F69-40C1-278A-1000-000100020000}
WLMD Message Handler | {0563DB41-F538-4B37-A92D-4659049B7766}
Items found - 322, recognized as trusted - 294

File name | Type | Name | Description | Manufacturer
C:\Windows\system32\hpzll64X.dll | Monitor | LIDIL hpzll64X | LanguageMonitor | Copyright (C) 1999
Items found - 10, recognized as trusted - 9

File name | Job name | Job state | Description | Manufacturer
Items found - 3, recognized as trusted - 3

Manufacturer | Status | EXE file | Description | GUID
Detected - 7, recognized as trusted - 7

Manufacturer | EXE file | Description
Detected - 22, recognized as trusted - 22

File name | Description | Manufacturer | CLSID | Source URL
{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} | | | |
{E2883E8F-472F-4FB0-9522-AC9BF37916A7} | | | | http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Items found - 5, recognized as trusted - 3

File name | Description | Manufacturer
C:\Windows\system32\styleman.cpl | Autodesk Hardcopy componenent | Copyright (c) 1982-2009 by Autodesk, Inc.
Items found - 27, recognized as trusted - 26

File name | Description | Manufacturer | CLSID
Items found - 9, recognized as trusted - 9

Hosts file record

File name | Type | Description | Manufacturer | CLSID
mscoree.dll | Protocol | Microsoft .NET Runtime Execution Engine () | © Microsoft Corporation. All rights reserved. | {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
mscoree.dll | Protocol | Microsoft .NET Runtime Execution Engine () | © Microsoft Corporation. All rights reserved. | {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
mscoree.dll | Protocol | Microsoft .NET Runtime Execution Engine () | © Microsoft Corporation. All rights reserved. | {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
Items found - 21, recognized as trusted - 18

File | Description | Type
C:\Windows\system32\drivers\PCTCore.sys | Suspicion for Rootkit | Kernel-mode hook
\SystemRoot\System32\Drivers\aswSP.SYS | Suspicion for Rootkit | Kernel-mode hook
C:\Windows\System32\Drivers\aswSP.SYS | Suspicion for Rootkit | Kernel-mode hook

AVZ Antiviral Toolkit log; AVZ version is 4.35
Scanning started at 03.06.2011 13:40:22
Database loaded: signatures - 289649, NN profile(s) - 2, malware removal microprograms - 56, signature database released 31.05.2011 22:31
Heuristic microprograms loaded: 388
PVS microprograms loaded: 9
Digital signatures of system files loaded: 279390
Heuristic analyzer mode: Maximum heuristics mode
Malware removal mode: disabled
Windows version is: 6.0.6002, Service Pack 2 ; AVZ is run with administrator rights
System Restore: enabled
1. Searching for Rootkits and other software intercepting API functions
1.1 Searching for user-mode API hooks
Analysis: kernel32.dll, export table found in section .text
Analysis: ntdll.dll, export table found in section .text
Function ntdll.dll:LdrLoadDll (122) intercepted, method - APICodeHijack.JmpTo[64D06946]
Function ntdll.dll:LdrUnloadDll (144) intercepted, method - APICodeHijack.JmpTo[64D069A6]
Analysis: user32.dll, export table found in section .text
Function user32.dll:SetWinEventHook (2675) intercepted, method - APICodeHijack.JmpTo[64D0B716]
Function user32.dll:SetWindowsHookExA (2688) intercepted, method - APICodeHijack.JmpTo[64D0B9A6]
Function user32.dll:SetWindowsHookExW (2689) intercepted, method - APICodeHijack.JmpTo[64D0BB26]
Function user32.dll:UnhookWinEvent (2728) intercepted, method - APICodeHijack.JmpTo[64D0B896]
Function user32.dll:UnhookWindowsHookEx (2730) intercepted, method - APICodeHijack.JmpTo[64D0BCA6]
Analysis: advapi32.dll, export table found in section .text
Function advapi32.dll:ChangeServiceConfig2A (74) intercepted, method - APICodeHijack.JmpTo[64D08286]
Function advapi32.dll:ChangeServiceConfig2W (75) intercepted, method - APICodeHijack.JmpTo[64D083B6]
Function advapi32.dll:ChangeServiceConfigA (76) intercepted, method - APICodeHijack.JmpTo[64D07AD6]
Function advapi32.dll:ChangeServiceConfigW (77) intercepted, method - APICodeHijack.JmpTo[64D07EC6]
Function advapi32.dll:CreateServiceA (126) intercepted, method - APICodeHijack.JmpTo[64D06E36]
Function advapi32.dll:CreateServiceW (127) intercepted, method - APICodeHijack.JmpTo[64D072A6]
Function advapi32.dll:DeleteService (216) intercepted, method - APICodeHijack.JmpTo[64D078D6]
Function advapi32.dll:SetServiceObjectSecurity (698) intercepted, method - APICodeHijack.JmpTo[64D09D36]
Analysis: ws2_32.dll, export table found in section .text
Analysis: wininet.dll, export table found in section .text
Analysis: rasapi32.dll, export table found in section .text
Analysis: urlmon.dll, export table found in section .text
Analysis: netapi32.dll, export table found in section .text
1.2 Searching for kernel-mode API hooks
Driver loaded successfully
SDT found (RVA=137B00)
Kernel ntkrnlpa.exe found in memory at address 85850000
SDT = 85987B00
KiST = 858FC86C (391)
Function NtCreateProcess (48) intercepted (85AE1D63->85F81CDC), hook C:\Windows\system32\drivers\PCTCore.sys, driver recognized as trusted
Function NtCreateProcessEx (49) intercepted (85AE1DAE->85F81ECE), hook C:\Windows\system32\drivers\PCTCore.sys, driver recognized as trusted
Function NtCreateSection (4B) - machine code modification Method of JmpTo. jmp 91546656 \SystemRoot\System32\Drivers\aswSP.SYS, driver recognized as trusted
Function NtLoadDriver (A5) - machine code modification Method of JmpTo. jmp 91546790 \SystemRoot\System32\Drivers\aswSP.SYS, driver recognized as trusted
Function NtTerminateProcess (14E) intercepted (85A410D3->85F81982), hook C:\Windows\system32\drivers\PCTCore.sys, driver recognized as trusted
Function NtCreateUserProcess (17F) intercepted (85A19BA6->85F820D6), hook C:\Windows\system32\drivers\PCTCore.sys, driver recognized as trusted
Function NtCreateSection (85A81D95) - machine code modification Method of JmpTo. jmp 91546656 \SystemRoot\System32\Drivers\aswSP.SYS, driver recognized as trusted
Function ObInsertObject (85A804F3) - machine code modification Method of JmpTo. jmp 91543C88 \SystemRoot\System32\Drivers\aswSP.SYS, driver recognized as trusted
Function ObMakeTemporaryObject (85A275C7) - machine code modification Method of JmpTo. jmp 915421EE \SystemRoot\System32\Drivers\aswSP.SYS, driver recognized as trusted
Functions checked: 391, intercepted: 4, restored: 0
1.3 Checking IDT and SYSENTER
Analyzing CPU 1
Analyzing CPU 2
Checking IDT and SYSENTER - complete
1.4 Searching for masking processes and drivers
Checking not performed: extended monitoring driver (AVZPM) is not installed
1.5 Checking IRP handlers
Driver loaded successfully
\FileSystem\ntfs[IRP_MJ_CREATE] = 9154631E -> C:\Windows\System32\Drivers\aswSP.SYS, driver recognized as trusted
\FileSystem\ntfs[IRP_MJ_CLOSE] = 9154635E -> C:\Windows\System32\Drivers\aswSP.SYS, driver recognized as trusted
\FileSystem\ntfs[IRP_MJ_WRITE] = 9154643A -> C:\Windows\System32\Drivers\aswSP.SYS, driver recognized as trusted
\FileSystem\ntfs[IRP_MJ_QUERY_INFORMATION] = 88D9C1F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_SET_INFORMATION] = 9154647A -> C:\Windows\System32\Drivers\aswSP.SYS, driver recognized as trusted
\FileSystem\ntfs[IRP_MJ_QUERY_EA] = 88D9C1F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_SET_EA] = 88D9C1F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_QUERY_VOLUME_INFORMATION] = 88D9C1F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_SET_VOLUME_INFORMATION] = 88D9C1F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_DIRECTORY_CONTROL] = 88D9C1F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_FILE_SYSTEM_CONTROL] = 88D9C1F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_DEVICE_CONTROL] = 88D9C1F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_LOCK_CONTROL] = 88D9C1F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_QUERY_SECURITY] = 88D9C1F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_SET_SECURITY] = 88D9C1F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_PNP] = 88D9C1F8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_CREATE] = 887D41F8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_CLOSE] = 887D41F8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_WRITE] = 887D41F8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_QUERY_INFORMATION] = 887D41F8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_SET_INFORMATION] = 887D41F8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_QUERY_EA] = 887D41F8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_SET_EA] = 887D41F8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_QUERY_VOLUME_INFORMATION] = 887D41F8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_SET_VOLUME_INFORMATION] = 887D41F8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_DIRECTORY_CONTROL] = 887D41F8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_FILE_SYSTEM_CONTROL] = 887D41F8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_DEVICE_CONTROL] = 887D41F8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_LOCK_CONTROL] = 887D41F8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_PNP] = 887D41F8 -> hook not defined
Checking - complete
2. Scanning RAM
Number of processes found: 75
Extended process analysis: 2492 C:\Program Files\iWin Games\iWinTrusted.exe
[ES]:Application has no visible windows
Extended process analysis: 3976 C:\Program Files\DivX\DivX Plus Web Player\DDMService.exe
[ES]:Program code includes networking-related functionality
[ES]:Application has no visible windows
[ES]:Registered for automatic startup !!
Extended process analysis: 3564 C:\Users\† JeFFreY †\AppData\Local\RockMelt\Update\1.2.189.1\RockMeltCrashHandler.exe
[ES]:Program code includes networking-related functionality
[ES]:Application has no visible windows
Number of modules loaded: 575
Scanning RAM - complete
3. Scanning disks
4. Checking Winsock Layered Service Provider (SPI/LSP)
LSP settings checked. No errors detected
5. Searching for keyboard/mouse/windows events hooks (Keyloggers, Trojan DLLs)
6. Searching for opened TCP/UDP ports used by malicious software
Checking - disabled by user
7. Heuristic system check
Checking - complete
8. Searching for vulnerabilities
>> Services: potentially dangerous service allowed: TermService (Terminal Services)
>> Services: potentially dangerous service allowed: SSDPSRV (SSDP Discovery)
>> Services: potentially dangerous service allowed: Schedule (Task Scheduler)
> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
>> Security: disk drives' autorun is enabled
>> Security: administrative shares (C$, D$ ...) are enabled
>> Security: anonymous user access is enabled
>> Security: sending Remote Assistant queries is enabled
Checking - complete
9. Troubleshooting wizard
>> Abnormal SCR files association
>> HDD autorun is allowed
>> Network drives autorun is allowed
>> Removable media autorun is allowed
Checking - complete
Files scanned: 650, extracted from archives: 0, malicious software found 0, suspicions - 0
Scanning finished at 03.06.2011 13:41:32
Time of scanning: 00:01:13
If you have a suspicion on presence of viruses or questions on the suspected objects, you can address http://project911.kaspersky-labs.com/
System Analysis in progress
System Analysis - complete