Results of system analysis

LSP settings checked. No errors detected

127.0.0.1       localhost

Attention !!! Database was last updated 3.6.2009 it is necessary to update the bases using automatic updates (File/Database update)
AVZ Antiviral Toolkit log; AVZ version is 4.32
Scanning started at 5.10.2009 18:54:39
Database loaded: signatures - 226161, NN profile(s) - 2, microprograms of healing - 56, signature database released 03.06.2009 22:41
Heuristic microprograms loaded: 372
SPV microprograms loaded: 9
Digital signatures of system files loaded: 120365
Heuristic analyzer mode: Maximum heuristics level
Healing mode: disabled
Windows version: 5.1.2600, Service Pack 3 ; AVZ is launched with administrator rights
System Restore: enabled
1. Searching for Rootkits and programs intercepting API functions
1.1 Searching for user-mode API hooks
 Analysis: kernel32.dll, export table found in section .text
 Analysis: ntdll.dll, export table found in section .text
 Analysis: user32.dll, export table found in section .text
 Analysis: advapi32.dll, export table found in section .text
 Analysis: ws2_32.dll, export table found in section .text
 Analysis: wininet.dll, export table found in section .text
 Analysis: rasapi32.dll, export table found in section .text
 Analysis: urlmon.dll, export table found in section .text
 Analysis: netapi32.dll, export table found in section .text
1.2 Searching for kernel-mode API hooks
 Driver loaded successfully
 SDT found (RVA=085700)
 Kernel ntkrnlpa.exe found in memory at address 804D7000
   SDT = 8055C700
   KiST = 80504460 (284)
Function NtOpenProcess (7A) intercepted (805CB408->8873FCB0), hook not defined
Function NtOpenThread (80) intercepted (805CB694->887400D0), hook not defined
Function NtSuspendProcess (FD) intercepted (805D4A4A->887406D0), hook not defined
Function NtSuspendThread (FE) intercepted (805D48BC->887404F0), hook not defined
Function NtTerminateProcess (101) intercepted (805D29AA->8873FEE0), hook not defined
Function NtTerminateThread (102) intercepted (805D2BA4->88740310), hook not defined
Functions checked: 284, intercepted: 6, restored: 0
1.3 Checking IDT and SYSENTER
 Analysis for CPU 1
 Analysis for CPU 2
 Checking IDT and SYSENTER - complete
1.4 Searching for masking processes and drivers
 Checking not performed: extended monitoring driver (AVZPM) is not installed
 Driver loaded successfully
1.5 Checking of IRP handlers
\FileSystem\ntfs[IRP_MJ_CREATE] = 8A6541F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_CLOSE] = 8A6541F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_WRITE] = 8A6541F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_QUERY_INFORMATION] = 8A6541F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_SET_INFORMATION] = 8A6541F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_QUERY_EA] = 8A6541F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_SET_EA] = 8A6541F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_QUERY_VOLUME_INFORMATION] = 8A6541F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_SET_VOLUME_INFORMATION] = 8A6541F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_DIRECTORY_CONTROL] = 8A6541F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_FILE_SYSTEM_CONTROL] = 8A6541F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_DEVICE_CONTROL] = 8A6541F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_LOCK_CONTROL] = 8A6541F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_QUERY_SECURITY] = 8A6541F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_SET_SECURITY] = 8A6541F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_PNP] = 8A6541F8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_CREATE] = 84D1F1F8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_CLOSE] = 84D1F1F8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_WRITE] = 84D1F1F8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_QUERY_INFORMATION] = 84D1F1F8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_SET_INFORMATION] = 84D1F1F8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_QUERY_EA] = 84D1F1F8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_SET_EA] = 84D1F1F8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_QUERY_VOLUME_INFORMATION] = 84D1F1F8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_SET_VOLUME_INFORMATION] = 84D1F1F8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_DIRECTORY_CONTROL] = 84D1F1F8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_FILE_SYSTEM_CONTROL] = 84D1F1F8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_DEVICE_CONTROL] = 84D1F1F8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_LOCK_CONTROL] = 84D1F1F8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_PNP] = 84D1F1F8 -> hook not defined
 Checking - complete
2. Scanning memory
 Number of processes found: 56
Direct reading c:\program files\atk hotkey\hcontrol.exe
Analyzer: process under analysis is 796 C:\Program Files\ATK Hotkey\Hcontrol.exe
[ES]:Application has no visible windows
[ES]:Registered in autoruns !!
Analyzer: process under analysis is 1044 C:\Program Files\ASUS\Splendid\ACMON.exe
[ES]:Application has no visible windows
[ES]:Registered in autoruns !!
Analyzer: process under analysis is 144 C:\WINDOWS\ASScrPro.exe
[ES]:Application has no visible windows
[ES]:Located in system folder
[ES]:Registered in autoruns !!
Analyzer: process under analysis is 1480 C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
[ES]:Contains network functionality
[ES]:Application has no visible windows
[ES]:Registered in autoruns !!
Analyzer: process under analysis is 1768 C:\PROGRA~1\MI3AA1~1\rapimgr.exe
[ES]:Contains network functionality
[ES]:Listens on TCP ports !
[ES]:Application has no visible windows
Analyzer: process under analysis is 2752 C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
[ES]:Contains network functionality
[ES]:Application has no visible windows
[ES]:Registered in autoruns !!
[ES]:Loads RASAPI DLL - may use dialing ?
 Number of modules loaded: 418
Scanning memory - complete
3. Scanning disks
4. Checking  Winsock Layered Service Provider (SPI/LSP)
 LSP settings checked. No errors detected
5. Searching for keyboard/mouse/windows events hooks (Keyloggers, Trojan DLLs)
6. Searching for opened TCP/UDP ports used by malicious programs
 Checking disabled by user
7. Heuristic system check
Checking - complete
8. Searching for vulnerabilities
>> Services: potentially dangerous service allowed: RemoteRegistry (Vzd?len? registr)
>> Services: potentially dangerous service allowed: TermService (Termin?lov? slu?ba)
>> Services: potentially dangerous service allowed: SSDPSRV (Slu?ba rozpozn?v?n? pomoc? protokolu SSDP)
>> Services: potentially dangerous service allowed: Schedule (Pl?nova? ?loh)
>> Services: potentially dangerous service allowed: mnmsrvc (NetMeeting - Vzd?len? sd?len? plochy)
>> Services: potentially dangerous service allowed: RDSessMgr (Spr?vce relac? n?pov?dy ke vzd?len? plo?e)
> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
>> Security: disk drives' autorun is enabled
>> Security: administrative shares (C$, D$ ...) are enabled
>> Security: anonymous user access is enabled
>> Security: sending Remote Assistant queries is enabled
Checking - complete
9. Troubleshooting wizard
 >>  HDD autorun are allowed
 >>  Autorun from network drives are allowed
 >>  Removable media autorun are allowed
Checking - complete
Files scanned: 475, extracted from archives: 0, malicious software found 0, suspicions - 0
Scanning finished at 5.10.2009 18:55:17
Time of scanning: 00:00:39
If you have a suspicion on presence of viruses or questions on the suspected objects,
you can address http://virusinfo.info conference
System Analysis in progress


Script commands
 
Add commands to script:
Blocking hooks using Anti-Rootkit
Enable AVZGuard
BootCleaner - import list of deleted files
Registry cleanup after deleting files
BootCleaner - activate
Reboot
Insert template for QuarantineFile() - quarantining file
Insert template for BC_QrFile() - quarantining file via BootCleaner
Insert template for DeleteFile() - deleting file
Insert template for DelCLSID() - deleting CLSID item from registry
Additional operations:
Performance tweaking: disable service RemoteRegistry (Vzdбlenэ registr)
Performance tweaking: disable service TermService (Terminбlovб sluћba)
Performance tweaking: disable service SSDPSRV (Sluћba rozpoznбvбnн pomocн protokolu SSDP)
Performance tweaking: disable service Schedule (Plбnovaи ъloh)
Performance tweaking: disable service mnmsrvc (NetMeeting - Vzdбlenй sdнlenн plochy)
Performance tweaking: disable service RDSessMgr (Sprбvce relacн nбpovмdy ke vzdбlenй ploљe)
Security tweaking: disable CD autorun
Security tweaking: disable administrative shares
Security tweaking: disable anonymous user access
Security: disable sending Remote Assistant queries

File list