Results of system analysis

AVZ 4.43 http://z-oleg.com/secur/avz/

Process List

Kernel Space Modules Viewer

Services

Drivers

Autoruns

Internet Explorer extension modules (BHOs, Toolbars ...)

Windows Explorer extension modules

Printing system extensions (print monitors, providers)

Task Scheduler jobs

SPI/LSP settings

LSP settings checked. No errors detected

AVZ Antiviral Toolkit log; AVZ version is 4.43
Scanning started at 10.12.2014 12:02:04
Database loaded: signatures - 297605, NN profile(s) - 2, malware removal microprograms - 56, signature database released 10.12.2014 04:00
Heuristic microprograms loaded: 407
PVS microprograms loaded: 9
Digital signatures of system files loaded: 702551
Heuristic analyzer mode: Medium heuristics mode
Malware removal mode: enabled
Windows version is: 6.2.9200,  "Windows 8.1" ; AVZ is run with administrator rights
System Restore: enabled
1. Searching for Rootkits and other software intercepting API functions
1.1 Searching for user-mode API hooks
 Analysis: kernel32.dll, export table found in section .rdata
Function kernel32.dll:ReadConsoleInputExA (1094) intercepted, method - ProcAddressHijack.GetProcAddress ->75E9297A->7590D435
Hook kernel32.dll:ReadConsoleInputExA (1094) blocked
Function kernel32.dll:ReadConsoleInputExW (1095) intercepted, method - ProcAddressHijack.GetProcAddress ->75E929AD->7590D459
Hook kernel32.dll:ReadConsoleInputExW (1095) blocked
 Analysis: ntdll.dll, export table found in section .text
Function ntdll.dll:NtCreateFile (268) intercepted, method - ProcAddressHijack.GetProcAddress ->7779AA40->704FB775
Hook ntdll.dll:NtCreateFile (268) blocked
Function ntdll.dll:NtCreateMutant (278) intercepted, method - APICodeHijack.JmpTo[001D0120]
 >>> Rootkit code in function NtCreateMutant blocked
Function ntdll.dll:NtCreateSymbolicLinkObject (290) intercepted, method - APICodeHijack.JmpTo[001D074E]
 >>> Rootkit code in function NtCreateSymbolicLinkObject blocked
Function ntdll.dll:NtCreateThread (291) intercepted, method - APICodeHijack.JmpTo[001D04A8]
 >>> Rootkit code in function NtCreateThread blocked
Function ntdll.dll:NtCreateThreadEx (292) intercepted, method - CodeHijack (not defined)
 >>> Rootkit code in function NtCreateThreadEx blocked
Function ntdll.dll:NtLoadDriver (371) intercepted, method - APICodeHijack.JmpTo[001D03C6]
 >>> Rootkit code in function NtLoadDriver blocked
Function ntdll.dll:NtOpenEvent (393) intercepted, method - APICodeHijack.JmpTo[001D02E4]
 >>> Rootkit code in function NtOpenEvent blocked
Function ntdll.dll:NtProtectVirtualMemory (431) intercepted, method - APICodeHijack.JmpTo[001D09F4]
 >>> Rootkit code in function NtProtectVirtualMemory blocked
Function ntdll.dll:NtResumeThread (522) intercepted, method - APICodeHijack.JmpTo[001D0AD6]
 >>> Rootkit code in function NtResumeThread blocked
Function ntdll.dll:NtSetContextThread (535) intercepted, method - APICodeHijack.JmpTo[001D058A]
 >>> Rootkit code in function NtSetContextThread blocked
Function ntdll.dll:NtSetInformationFile (549) intercepted, method - ProcAddressHijack.GetProcAddress ->7779A760->704FB6F1
Hook ntdll.dll:NtSetInformationFile (549) blocked
Function ntdll.dll:NtSetSystemInformation (571) intercepted, method - APICodeHijack.JmpTo[001D0830]
 >>> Rootkit code in function NtSetSystemInformation blocked
Function ntdll.dll:NtSetValueKey (580) intercepted, method - ProcAddressHijack.GetProcAddress ->7779AAF0->704FC69D
Hook ntdll.dll:NtSetValueKey (580) blocked
Function ntdll.dll:NtSuspendThread (591) intercepted, method - APICodeHijack.JmpTo[001D0202]
 >>> Rootkit code in function NtSuspendThread blocked
Function ntdll.dll:NtTerminateProcess (594) intercepted, method - APICodeHijack.JmpTo[001D0912]
 >>> Rootkit code in function NtTerminateProcess blocked
Function ntdll.dll:NtTerminateThread (595) intercepted, method - CodeHijack (not defined)
 >>> Rootkit code in function NtTerminateThread blocked
Function ntdll.dll:NtWriteVirtualMemory (646) intercepted, method - APICodeHijack.JmpTo[001D003E]
 >>> Rootkit code in function NtWriteVirtualMemory blocked
Function ntdll.dll:ZwCreateFile (1647) intercepted, method - ProcAddressHijack.GetProcAddress ->7779AA40->704FB775
Hook ntdll.dll:ZwCreateFile (1647) blocked
Function ntdll.dll:ZwSetInformationFile (1926) intercepted, method - ProcAddressHijack.GetProcAddress ->7779A760->704FB6F1
Hook ntdll.dll:ZwSetInformationFile (1926) blocked
Function ntdll.dll:ZwSetValueKey (1957) intercepted, method - ProcAddressHijack.GetProcAddress ->7779AAF0->704FC69D
Hook ntdll.dll:ZwSetValueKey (1957) blocked
 Analysis: user32.dll, export table found in section .text
Function user32.dll:CallNextHookEx (1531) intercepted, method - ProcAddressHijack.GetProcAddress ->7754779D->704FB6DB
Hook user32.dll:CallNextHookEx (1531) blocked
Function user32.dll:ExitWindowsEx (1768) intercepted, method - CodeHijack (not defined)
 >>> Rootkit code in function ExitWindowsEx blocked
Function user32.dll:SetWinEventHook (2284) intercepted, method - CodeHijack (not defined)
 >>> Rootkit code in function SetWinEventHook blocked
Function user32.dll:SetWindowsHookExW (2303) intercepted, method - ProcAddressHijack.GetProcAddress ->77555EFD->704FC801
Hook user32.dll:SetWindowsHookExW (2303) blocked
 Analysis: advapi32.dll, export table found in section .text
Function advapi32.dll:SystemFunction001 (1760) intercepted, method - ProcAddressHijack.GetProcAddress ->75277F2D->75164A91
Hook advapi32.dll:SystemFunction001 (1760) blocked
Function advapi32.dll:SystemFunction002 (1761) intercepted, method - ProcAddressHijack.GetProcAddress ->75277F49->751631B5
Hook advapi32.dll:SystemFunction002 (1761) blocked
Function advapi32.dll:SystemFunction003 (1762) intercepted, method - ProcAddressHijack.GetProcAddress ->75277F65->75163436
Hook advapi32.dll:SystemFunction003 (1762) blocked
Function advapi32.dll:SystemFunction004 (1763) intercepted, method - ProcAddressHijack.GetProcAddress ->75277F81->75164756
Hook advapi32.dll:SystemFunction004 (1763) blocked
Function advapi32.dll:SystemFunction005 (1764) intercepted, method - ProcAddressHijack.GetProcAddress ->75277F9D->7516489F
Hook advapi32.dll:SystemFunction005 (1764) blocked
Function advapi32.dll:SystemFunction034 (1793) intercepted, method - ProcAddressHijack.GetProcAddress ->75278261->751632F4
Hook advapi32.dll:SystemFunction034 (1793) blocked
Function advapi32.dll:SystemFunction036 (1795) intercepted, method - ProcAddressHijack.GetProcAddress ->7527829A->751611C0
Hook advapi32.dll:SystemFunction036 (1795) blocked
Function advapi32.dll:SystemFunction040 (1796) intercepted, method - ProcAddressHijack.GetProcAddress ->752782B6->75161256
Hook advapi32.dll:SystemFunction040 (1796) blocked
Function advapi32.dll:SystemFunction041 (1797) intercepted, method - ProcAddressHijack.GetProcAddress ->752782D2->751612AA
Hook advapi32.dll:SystemFunction041 (1797) blocked
 Analysis: ws2_32.dll, export table found in section .text
 Analysis: wininet.dll, export table found in section .text
 Analysis: rasapi32.dll, export table found in section .text
 Analysis: urlmon.dll, export table found in section .text
Function urlmon.dll:URLDownloadToCacheFileW (224) intercepted, method - CodeHijack (not defined)
 >>> Rootkit code in function URLDownloadToCacheFileW blocked
Function urlmon.dll:URLDownloadToFileW (226) intercepted, method - CodeHijack (not defined)
 >>> Rootkit code in function URLDownloadToFileW blocked
 Analysis: netapi32.dll, export table found in section .text
 >> Danger ! Process masking detected
1.2 Searching for kernel-mode API hooks
 Error - file not found (C:\SystemRoot\system32\ntoskrnl.exe)
1.4 Searching for masking processes and drivers
 Checking not performed: extended monitoring driver (AVZPM) is not installed
1.5 Checking IRP handlers
 Error loading driver - operation interrupted [C000036B]
2. Scanning RAM
 Number of processes found: 25
 Number of modules loaded: 399
Scanning RAM - complete
3. Scanning disks
Error scanning directory (C:\Program Files (x86)\Common Files\Apple\Apple Application Support\CoreFoundation.resources\, Privileged instruction, 3,.
Direct reading: C:\Users\Kevon\AppData\Local\Temp\~DF04171C575A6774B8.TMP
Direct reading: C:\Users\Kevon\AppData\Local\Temp\~DF14AFA80192A70BA1.TMP
Direct reading: C:\Users\Kevon\AppData\Local\Temp\~DF29BF0EB2DC640FD5.TMP
Direct reading: C:\Users\Kevon\AppData\Local\Temp\~DF6E56591DF7A8A8E6.TMP
Direct reading: C:\Users\Kevon\AppData\Local\Temp\~DFD81C61C7643CBB82.TMP
4. Checking  Winsock Layered Service Provider (SPI/LSP)
 LSP settings checked. No errors detected
5. Searching for keyboard/mouse/windows events hooks (Keyloggers, Trojan DLLs)
6. Searching for opened TCP/UDP ports used by malicious software
 Checking - disabled by user
7. Heuristic system check
Checking - complete
8. Searching for vulnerabilities
>> Services: potentially dangerous service allowed: TermService (Remote Desktop Services)
>> Services: potentially dangerous service allowed: SSDPSRV (SSDP Discovery)
>> Services: potentially dangerous service allowed: Schedule (Task Scheduler)
> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
>> Security: disk drives' autorun is enabled
>> Security: administrative shares (C$, D$ ...) are enabled
>> Security: anonymous user access is enabled
>> Security: sending Remote Assistant queries is enabled
Checking - complete
9. Troubleshooting wizard
 >>  Service termination timeout is out of admissible values
 >>  HDD autorun is allowed
 >>  Network drives autorun is allowed
 >>  Removable media autorun is allowed
Checking - complete
Files scanned: 77163, extracted from archives: 27156, malicious software found 0, suspicions - 0
Scanning finished at 10.12.2014 12:26:31
Time of scanning: 00:24:31
If you have a suspicion on presence of viruses or questions on the suspected objects,
you can address http://forum.kaspersky.com/index.php?showforum=19
For automatic scanning of files from the AVZ quarantine you can use the service http://virusdetector.ru/
System Analysis in progress
Network diagnostics
 DNS and Ping test
  Host="yandex.ru", IP="93.158.134.11,213.180.193.11,213.180.204.11", Ping=OK (0,164,93.158.134.11)
  Host="google.ru", IP="173.194.46.119,173.194.46.111,173.194.46.120,173.194.46.127", Ping=OK (0,20,173.194.46.119)
  Host="google.com", IP="74.125.193.138,74.125.193.113,74.125.193.100,74.125.193.102,74.125.193.101,74.125.193.139", Ping=OK (0,41,74.125.193.138)
  Host="www.kaspersky.com", IP="4.59.181.209", Ping=OK (0,34,4.59.181.209)
  Host="www.kaspersky.ru", IP="4.59.181.212", Ping=OK (0,40,4.59.181.212)
  Host="dnl-03.geo.kaspersky.com", IP="4.28.136.36", Ping=OK (0,35,4.28.136.36)
  Host="dnl-11.geo.kaspersky.com", IP="38.117.98.196", Ping=OK (0,37,38.117.98.196)
  Host="activation-v2.kaspersky.com", IP="4.59.181.141", Ping=Error (11010,0,0.0.0.0)
  Host="odnoklassniki.ru", IP="217.20.147.94", Ping=OK (0,166,217.20.147.94)
  Host="vk.com", IP="87.240.131.119,87.240.131.117,87.240.131.118", Ping=OK (0,149,87.240.131.119)
  Host="vkontakte.ru", IP="95.213.4.247,95.213.4.248,95.213.4.246", Ping=OK (0,230,95.213.4.247)
  Host="twitter.com", IP="199.16.156.70,199.16.156.198,199.16.156.230,199.16.156.6", Ping=OK (0,53,199.16.156.70)
  Host="facebook.com", IP="173.252.120.6", Ping=OK (0,49,173.252.120.6)
  Host="ru-ru.facebook.com", IP="31.13.74.128", Ping=OK (0,20,31.13.74.128)
 Network IE settings
  IE setting AutoConfigURL=
  IE setting AutoConfigProxy=wininet.dll
  IE setting ProxyOverride=<-loopback>
  IE setting ProxyServer=
  IE setting Internet\ManualProxies=
 Network TCP/IP settings
 Network Persistent Routes

 System Analysis - complete


Script commands
 
Add commands to script:
Blocking hooks using Anti-Rootkit
Enable AVZGuard
Operations with AVZPM (true=enable,false=disable)
BootCleaner - import list of deleted files
BootCleaner - import all
Remove traces of deleted files
ExecuteWizard ('TSW',2,3,true) - Running Troubleshooting wizard
BootCleaner - activate
Reboot
Insert template for QuarantineFile() - quarantining a file
Insert template for BC_QrFile() - quarantining file via BootCleaner
Insert template for DeleteFile() - deleting a file
Insert template for DelCLSID() - removing a CLSID item from registry
Additional operations:
Performance tweaking: disable service TermService (Remote Desktop Services)
Performance tweaking: disable service SSDPSRV (SSDP Discovery)
Performance tweaking: disable service Schedule (Task Scheduler)
Security tweaking: disable CD autorun
Security tweaking: disable administrative shares
Security tweaking: disable anonymous user access
Security: disable sending Remote Assistant queries

File list