Results of system analysis

LSP settings checked. No errors detected

127.0.0.1 jL.chura.pl

127.0.0.1       localhost

AVZ Antiviral Toolkit log; AVZ version is 4.30
Scanning started at 8/7/2009 8:59:57 AM
Database loaded: signatures - 235319, NN profile(s) - 2, microprograms of healing - 56, signature database released 05.08.2009 22:56
Heuristic microprograms loaded: 374
SPV microprograms loaded: 9
Digital signatures of system files loaded: 129825
Heuristic analyzer mode: Maximum heuristics level
Healing mode: disabled
Windows version: 5.1.2600, Service Pack 2 ; AVZ is launched with administrator rights
System Restore: enabled
1. Searching for Rootkits and programs intercepting API functions
1.1 Searching for user-mode API hooks
 Analysis: kernel32.dll, export table found in section .text
 Analysis: ntdll.dll, export table found in section .text
 Analysis: user32.dll, export table found in section .text
 Analysis: advapi32.dll, export table found in section .text
 Analysis: ws2_32.dll, export table found in section .text
 Analysis: wininet.dll, export table found in section .text
 Analysis: rasapi32.dll, export table found in section .text
 Analysis: urlmon.dll, export table found in section .text
 Analysis: netapi32.dll, export table found in section .text
1.2 Searching for kernel-mode API hooks
 Driver loaded successfully
 SDT found (RVA=082700)
 Kernel ntoskrnl.exe found in memory at address 804D7000
   SDT = 80559700
   KiST = 804E26A8 (284)
Functions checked: 284, intercepted: 0, restored: 0
1.3 Checking IDT and SYSENTER
 Analysis for CPU 1
 Checking IDT and SYSENTER - complete
1.4 Searching for masking processes and drivers
 Checking not performed: extended monitoring driver (AVZPM) is not installed
 Driver loaded successfully
1.5 Checking of IRP handlers
 Checking - complete
2. Scanning memory
 Number of processes found: 31
Analyzer: process under analysis is 564 C:\WINDOWS\system32\services.exe
[ES]:Contains network functionality
[ES]:Application has no visible windows
[ES]:Located in system folder
Process c:\windows\system32\services.exe Contains network functionality (netapi32.dll)
Analyzer: process under analysis is 720 C:\WINDOWS\system32\Ati2evxx.exe
[ES]:Application has no visible windows
[ES]:Located in system folder
Analyzer: process under analysis is 732 C:\WINDOWS\system32\svchost.exe
[ES]:Contains network functionality
[ES]:Application has no visible windows
[ES]:Located in system folder
Process c:\windows\system32\svchost.exe Contains network functionality (netapi32.dll)
Analyzer: process under analysis is 808 C:\WINDOWS\system32\svchost.exe
[ES]:Contains network functionality
[ES]:Listens on TCP ports !
[ES]:Application has no visible windows
[ES]:Located in system folder
[ES]:Loads RASAPI DLL - may use dialing ?
Analyzer: process under analysis is 844 C:\WINDOWS\System32\svchost.exe
[ES]:Contains network functionality
[ES]:Application has no visible windows
[ES]:Located in system folder
[ES]:Loads RASAPI DLL - may use dialing ?
Process c:\windows\system32\svchost.exe Contains network functionality (netapi32.dll,wininet.dll,es.dll,urlmon.dll)
Analyzer: process under analysis is 896 C:\WINDOWS\system32\svchost.exe
[ES]:Contains network functionality
[ES]:Application has no visible windows
[ES]:Located in system folder
Analyzer: process under analysis is 992 C:\WINDOWS\system32\svchost.exe
[ES]:Contains network functionality
[ES]:Listens on TCP ports !
[ES]:Application has no visible windows
[ES]:Located in system folder
Analyzer: process under analysis is 1328 C:\WINDOWS\system32\spoolsv.exe
[ES]:Contains network functionality
[ES]:Application has no visible windows
[ES]:Located in system folder
[ES]:Loads RASAPI DLL - may use dialing ?
Process c:\windows\system32\spoolsv.exe Contains network functionality (netapi32.dll)
Process c:\windows\explorer.exe Contains network functionality (netapi32.dll,wininet.dll,urlmon.dll)
Analyzer: process under analysis is 1388 C:\WINDOWS\System32\SCardSvr.exe
[ES]:Application has no visible windows
[ES]:Located in system folder
Analyzer: process under analysis is 1012 C:\WINDOWS\system32\svchost.exe
[ES]:Contains network functionality
[ES]:Application has no visible windows
[ES]:Located in system folder
Process c:\windows\system32\svchost.exe Contains network functionality (wininet.dll)
Analyzer: process under analysis is 608 C:\Program Files\Bonjour\mDNSResponder.exe
[ES]:Contains network functionality
[ES]:Listens on TCP ports !
[ES]:Application has no visible windows
Process c:\program files\bonjour\mdnsresponder.exe Contains network functionality (netapi32.dll)
Analyzer: process under analysis is 1088 C:\WINDOWS\system32\crypserv.exe
[ES]:Application has no visible windows
[ES]:Located in system folder
Analyzer: process under analysis is 1220 C:\WINDOWS\System32\svchost.exe
[ES]:Contains network functionality
[ES]:Application has no visible windows
[ES]:Located in system folder
Analyzer: process under analysis is 1448 C:\WINDOWS\System32\svchost.exe
[ES]:Contains network functionality
[ES]:Application has no visible windows
[ES]:Located in system folder
Analyzer: process under analysis is 1524 C:\Program Files\Airtel\NetXpert\bin\sprtsvc.exe
[ES]:Contains network functionality
[ES]:Application has no visible windows
[ES]:Loads RASAPI DLL - may use dialing ?
Process c:\program files\airtel\netxpert\bin\sprtsvc.exe Contains network functionality (netapi32.dll,wininet.dll,urlmon.dll)
Analyzer: process under analysis is 1588 C:\WINDOWS\system32\svchost.exe
[ES]:Application has no visible windows
[ES]:Located in system folder
Process c:\windows\system32\svchost.exe Contains network functionality (netapi32.dll)
Analyzer: process under analysis is 1636 C:\WINDOWS\system32\wdfmgr.exe
[ES]:Application has no visible windows
[ES]:Located in system folder
Analyzer: process under analysis is 1696 C:\WINDOWS\System32\wltrysvc.exe
[ES]:Application has no visible windows
[ES]:Located in system folder
Analyzer: process under analysis is 1704 C:\WINDOWS\System32\bcmwltry.exe
[ES]:Contains network functionality
[ES]:Application has no visible windows
[ES]:Located in system folder
Process c:\windows\system32\bcmwltry.exe Contains network functionality (wininet.dll)
Analyzer: process under analysis is 432 C:\WINDOWS\system32\wbem\wmiprvse.exe
[ES]:Contains network functionality
[ES]:Application has no visible windows
[ES]:Located in system folder
Process c:\windows\system32\wbem\wmiprvse.exe Contains network functionality (netapi32.dll)
Analyzer: process under analysis is 672 C:\WINDOWS\System32\alg.exe
[ES]:Contains network functionality
[ES]:Listens on TCP ports !
[ES]:Application has no visible windows
[ES]:Located in system folder
Analyzer: process under analysis is 1504 C:\WINDOWS\system32\wscntfy.exe
[ES]:Application has no visible windows
[ES]:Located in system folder
Analyzer: process under analysis is 2100 C:\WINDOWS\System32\svchost.exe
[ES]:Contains network functionality
[ES]:Application has no visible windows
[ES]:Located in system folder
 Number of modules loaded: 244
Scanning memory - complete
3. Scanning disks
4. Checking  Winsock Layered Service Provider (SPI/LSP)
 LSP settings checked. No errors detected
5. Searching for keyboard/mouse/windows events hooks (Keyloggers, Trojan DLLs)
6. Searching for opened TCP/UDP ports used by malicious programs
 Checking disabled by user
7. Heuristic system check
Checking - complete
8. Searching for vulnerabilities
>> Services: potentially dangerous service allowed: RemoteRegistry (Remote Registry)
>> Services: potentially dangerous service allowed: TermService (Terminal Services)
>> Services: potentially dangerous service allowed: SSDPSRV (SSDP Discovery Service)
>> Services: potentially dangerous service allowed: Schedule (Task Scheduler)
>> Services: potentially dangerous service allowed: mnmsrvc (NetMeeting Remote Desktop Sharing)
>> Services: potentially dangerous service allowed: RDSessMgr (Remote Desktop Help Session Manager)
> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
>> Security: disk drives' autorun is enabled
>> Security: administrative shares (C$, D$ ...) are enabled
>> Security: anonymous user access is enabled
>>> Security: Internet Explorer allows ActiveX, not marked as safe
>>> Security: block ActiveX not marked as safe in Internet Explorer
>>> Security: Internet Explorer allows unsigned ActiveX elements
>>> Security: Internet Explorer allows automatic queries of ActiveX administrative elements
>>> Security: Internet Explorer allows running files and applications in IFRAME window without asking user
Checking - complete
9. Troubleshooting wizard
 >>  Abnormal REG files association
 >>  Internet Explorer - ActiveX, not marked as safe, are allowed
 >>  Internet Explorer - signed ActiveX elements are allowed without asking user
 >>  Internet Explorer -unsigned ActiveX elements are allowed
 >>  Internet Explorer - automatic queries of ActiveX operating elements are allowed
 >>  Internet Explorer - running programs and files in IFRAME window is allowed
 >>  HDD autorun are allowed
 >>  Autorun from network drives are allowed
 >>  Removable media autorun are allowed
Checking - complete
Files scanned: 275, extracted from archives: 0, malicious software found 0, suspicions - 0
Scanning finished at 8/7/2009 9:00:38 AM
Time of scanning: 00:00:46
If you have a suspicion on presence of viruses or questions on the suspected objects,
you can address http://virusinfo.info conference
System Analysis in progress


Script commands
 
Add commands to script:
Blocking hooks using Anti-Rootkit
Enable AVZGuard
BootCleaner - import list of deleted files
Registry cleanup after deleting files
BootCleaner - activate
Reboot
Insert template for QuarantineFile() - quarantining file
Insert template for BC_QrFile() - quarantining file via BootCleaner
Insert template for DeleteFile() - deleting file
Insert template for DelCLSID() - deleting CLSID item from registry
Additional operations:
Performance tweaking: disable service RemoteRegistry (Remote Registry)
Performance tweaking: disable service TermService (Terminal Services)
Performance tweaking: disable service SSDPSRV (SSDP Discovery Service)
Performance tweaking: disable service Schedule (Task Scheduler)
Performance tweaking: disable service mnmsrvc (NetMeeting Remote Desktop Sharing)
Performance tweaking: disable service RDSessMgr (Remote Desktop Help Session Manager)
Security tweaking: disable CD autorun
Security tweaking: disable administrative shares
Security tweaking: disable anonymous user access
Security: block ActiveX not marked as safe, without asking user, in Internet Explorer
Security: Internet Explorer allows ActiveX, not marked as safe, without asking user
Security: block unsigned ActiveX elements in Internet Explorer
Security: block automatic queries of ActiveX administrative elements in Internet Explorer
Security: block running files and applications in IFRAME window without asking user in Internet Explorer

File list