Results of system analysis

AVZ 4.37 http://z-oleg.com/secur/avz/

Process List

Kernel Space Modules Viewer

Services

Drivers

Autoruns

Internet Explorer extension modules (BHOs, Toolbars ...)

Windows Explorer extension modules

Printing system extensions (print monitors, providers)

Task Scheduler jobs

SPI/LSP settings

LSP settings checked. No errors detected

127.0.0.1       localhost

127.0.0.1 facebook.com

127.0.0.1 www.facebook.com

127.0.0.1 af-za.facebook.com

127.0.0.1 az-az.facebook.com

127.0.0.1 id-id.facebook.com

127.0.0.1 ms-my.facebook.com

127.0.0.1 bs-ba.facebook.com

127.0.0.1 ca-es.facebook.com

127.0.0.1 cs-cz.facebook.com

127.0.0.1 cy-gb.facebook.com

127.0.0.1 da-dk.facebook.com

127.0.0.1 de-de.facebook.com

127.0.0.1 et-ee.facebook.com

127.0.0.1 en-gb.facebook.com

127.0.0.1 es-la.facebook.com

127.0.0.1 eo-eo.facebook.com

127.0.0.1 eu-es.facebook.com

127.0.0.1 tl-ph.facebook.com

127.0.0.1 fo-fo.facebook.com

127.0.0.1 fr-fr.facebook.com

127.0.0.1 fy-nl.facebook.com

127.0.0.1 ga-ie.facebook.com

127.0.0.1 gl-es.facebook.com

127.0.0.1 ko-kr.facebook.com

127.0.0.1 hr-hr.facebook.com

127.0.0.1 is-is.facebook.com

127.0.0.1 it-it.facebook.com

127.0.0.1 ka-ge.facebook.com

127.0.0.1 sw-ke.facebook.com

127.0.0.1 ku-tr.facebook.com

127.0.0.1 lv-lv.facebook.com

127.0.0.1 fb-lt.facebook.com

127.0.0.1 lt-lt.facebook.com

127.0.0.1 la-va.facebook.com

127.0.0.1 hu-hu.facebook.com

127.0.0.1 nl-nl.facebook.com

127.0.0.1 ja-jp.facebook.com

127.0.0.1 nb-no.facebook.com

127.0.0.1 nn-no.facebook.com

127.0.0.1 pl-pl.facebook.com

127.0.0.1 pt-br.facebook.com

127.0.0.1 ro-ro.facebook.com

127.0.0.1 ru-ru.facebook.com

127.0.0.1 sq-al.facebook.com

127.0.0.1 sk-sk.facebook.com

127.0.0.1 sl-si.facebook.com

127.0.0.1 fi-fi.facebook.com

127.0.0.1 sv-se.facebook.com

127.0.0.1 th-th.facebook.com

127.0.0.1 vi-vn.facebook.com

127.0.0.1 tr-tr.facebook.com

127.0.0.1 zh-tw.facebook.com

127.0.0.1 el-gr.facebook.com

127.0.0.1 be-by.facebook.com

127.0.0.1 bg-bg.facebook.com

127.0.0.1 mk-mk.facebook.com

127.0.0.1 sr-rs.facebook.com

127.0.0.1 uk-ua.facebook.com

127.0.0.1 hy-am.facebook.com

127.0.0.1 he-il.facebook.com

127.0.0.1 ar-ar.facebook.com

127.0.0.1 ps-af.facebook.com

127.0.0.1 fa-ir.facebook.com

127.0.0.1 ne-np.facebook.com

127.0.0.1 hi-in.facebook.com

127.0.0.1 bn-in.facebook.com

127.0.0.1 pa-in.facebook.com

127.0.0.1 ta-in.facebook.com

127.0.0.1 te-in.facebook.com

127.0.0.1 ml-in.facebook.com

127.0.0.1 es-es.facebook.com

127.0.0.1 fr-ca.facebook.com

127.0.0.1 pt-pt.facebook.com

127.0.0.1 zh-cn.facebook.com

127.0.0.1 zh-hk.facebook.com

AVZ Antiviral Toolkit log; AVZ version is 4.37
Scanning started at 29.10.2011 16:34:37
Database loaded: signatures - 294598, NN profile(s) - 2, malware removal microprograms - 56, signature database released 29.10.2011 16:00
Heuristic microprograms loaded: 388
PVS microprograms loaded: 9
Digital signatures of system files loaded: 302280
Heuristic analyzer mode: Maximum heuristics mode
Malware removal mode: disabled
Windows version is: 5.1.2600, Service Pack 3 ; AVZ is run with administrator rights
System Restore: enabled
1. Searching for Rootkits and other software intercepting API functions
1.1 Searching for user-mode API hooks
 Analysis: kernel32.dll, export table found in section .text
 Analysis: ntdll.dll, export table found in section .text
 Analysis: user32.dll, export table found in section .text
 Analysis: advapi32.dll, export table found in section .text
 Analysis: ws2_32.dll, export table found in section .text
 Analysis: wininet.dll, export table found in section .text
 Analysis: rasapi32.dll, export table found in section .text
 Analysis: urlmon.dll, export table found in section .text
 Analysis: netapi32.dll, export table found in section .text
1.2 Searching for kernel-mode API hooks
 Driver loaded successfully
 SDT found (RVA=08B520)
 Kernel ntoskrnl.exe found in memory at address 804D7000
   SDT = 80562520
   KiST = 804E48D0 (284)
Functions checked: 284, intercepted: 0, restored: 0
1.3 Checking IDT and SYSENTER
 Analyzing CPU 1
 Analyzing CPU 2
 Analyzing CPU 3
 Analyzing CPU 4
 Checking IDT and SYSENTER - complete
1.4 Searching for masking processes and drivers
 Checking not performed: extended monitoring driver (AVZPM) is not installed
1.5 Checking IRP handlers
 Driver loaded successfully
 Checking - complete
2. Scanning RAM
 Number of processes found: 51
Extended process analysis: 628 C:\WINDOWS\system32\PnkBstrB.exe
[ES]:Program code includes networking-related functionality
[ES]:Capable of sending mail ?!
[ES]:Application has no visible windows
[ES]:Located in system folder
Extended process analysis: 608 C:\WINDOWS\update.5.0\svchost.exe
[ES]:Program code includes networking-related functionality
[ES]:Application has no visible windows
[ES]:EXE runtime packer ?
[ES]:Located in system folder
Extended process analysis: 2660 C:\WINDOWS\update.5.0\svchost.exe
[ES]:Program code includes networking-related functionality
[ES]:Listens on TCP ports !
[ES]:Application has no visible windows
[ES]:EXE runtime packer ?
[ES]:Located in system folder
[ES]:Loads RASAPI DLL - may use dialing ?
Extended process analysis: 4036 C:\WINDOWS\sysdriver32.exe
[ES]:Program code includes networking-related functionality
[ES]:Listens on TCP ports !
[ES]:Application has no visible windows
[ES]:EXE runtime packer ?
[ES]:Located in system folder
[ES]:Registered for automatic startup !!
[ES]:Loads RASAPI DLL - may use dialing ?
 Number of modules loaded: 309
Scanning RAM - complete
3. Scanning disks
4. Checking  Winsock Layered Service Provider (SPI/LSP)
 LSP settings checked. No errors detected
5. Searching for keyboard/mouse/windows events hooks (Keyloggers, Trojan DLLs)
6. Searching for opened TCP/UDP ports used by malicious software
 Checking - disabled by user
7. Heuristic system check
Non-standard registry key for system service: BITS ImagePath=""
Non-standard registry key for system service: wuauserv ImagePath=""
>>> C:\WINDOWS\services32.exe HSC: suspicion for File with suspicious name (CH) (high degree of probability)
>>> C:\WINDOWS\sysdriver32.exe HSC: suspicion for File with suspicious name (CH) (high degree of probability)
>>> C:\WINDOWS\sysdriver32_.exe HSC: suspicion for File with suspicious name (CH) (high degree of probability)
>>> C:\WINDOWS\ufa\ufa.exe HSC: suspicion for File with suspicious name (CH)
>>> C:\WINDOWS\update.tray-2-0\svchost.exe HSC: suspicion for File with suspicious name (CH)
>>> C:\WINDOWS\update.tray-3-0\svchost.exe HSC: suspicion for File with suspicious name (CH)
>>> C:\WINDOWS\update.1\svchost.exe HSC: suspicion for File with suspicious name (CH)
>>> C:\WINDOWS\update.2\svchost.exe HSC: suspicion for File with suspicious name (CH)
>>> C:\WINDOWS\update.5.0\svchost.exe HSC: suspicion for File with suspicious name (CH)
>>> C:\DOCUME~1\Erika\LOCALS~1\Temp\wininitd.exe HSC: suspicion for File with suspicious name (CH - Autorun) (high degree of probability)
>>> C:\WINDOWS\sysdriver32.exe HSC: suspicion for File with suspicious name (CH - Autorun) (high degree of probability)
>>> C:\WINDOWS\sysdriver32_.exe HSC: suspicion for File with suspicious name (CH - Autorun) (high degree of probability)
>>> C:\WINDOWS\update.tray-3-0\svchost.exe HSC: suspicion for File with suspicious name (CH - Autorun) (high degree of probability)
>>> C:\WINDOWS\update.tray-2-0\svchost.exe HSC: suspicion for File with suspicious name (CH - Autorun) (high degree of probability)
>>> C:\WINDOWS\services32.exe HSC: suspicion for File with suspicious name (CH - Autorun) (high degree of probability)
>>> C:\WINDOWS\update.5.0\svchost.exe HSC: suspicion for File with suspicious name (CH - Service) (high degree of probability)
>>> C:\WINDOWS\update.2\svchost.exe HSC: suspicion for File with suspicious name (CH - Service) (high degree of probability)
>>> C:\WINDOWS\sysdriver32.exe HSC: suspicion for File with suspicious name (CH - Service) (high degree of probability)
>>> C:\WINDOWS\update.1\svchost.exe HSC: suspicion for File with suspicious name (CH - Service) (high degree of probability)
Checking - complete
8. Searching for vulnerabilities
>> Services: potentially dangerous service allowed: RemoteRegistry (Remote Registry)
>> Services: potentially dangerous service allowed: TermService (Terminal Services)
>> Services: potentially dangerous service allowed: SSDPSRV (SSDP Discovery Service)
>> Services: potentially dangerous service allowed: Schedule (Task Scheduler)
>> Services: potentially dangerous service allowed: mnmsrvc (NetMeeting Remote Desktop Sharing)
>> Services: potentially dangerous service allowed: RDSessMgr (Remote Desktop Help Session Manager)
> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
>> Security: disk drives' autorun is enabled
>> Security: administrative shares (C$, D$ ...) are enabled
>> Security: anonymous user access is enabled
>> Security: sending Remote Assistant queries is enabled
Checking - complete
9. Troubleshooting wizard
 >>  HDD autorun is allowed
 >>  Network drives autorun is allowed
 >>  Removable media autorun is allowed
Checking - complete
Files scanned: 363, extracted from archives: 0, malicious software found 0, suspicions - 0
Scanning finished at 29.10.2011 16:35:06
Time of scanning: 00:00:30
If you have a suspicion on presence of viruses or questions on the suspected objects,
you can address http://forum.kaspersky.com/index.php?showforum=19
System Analysis in progress

 System Analysis - complete


Script commands
 
Add commands to script:
Blocking hooks using Anti-Rootkit
Enable AVZGuard
Operations with AVZPM (true=enable,false=disable)
BootCleaner - import list of deleted files
BootCleaner - import all
Remove traces of deleted files
ExecuteWizard ('TSW',2,3,true) - Running Troubleshooting wizard
BootCleaner - activate
Reboot
Insert template for QuarantineFile() - quarantining a file
Insert template for BC_QrFile() - quarantining file via BootCleaner
Insert template for DeleteFile() - deleting a file
Insert template for DelCLSID() - removing a CLSID item from registry
Additional operations:
Performance tweaking: disable service RemoteRegistry (Remote Registry)
Performance tweaking: disable service TermService (Terminal Services)
Performance tweaking: disable service SSDPSRV (SSDP Discovery Service)
Performance tweaking: disable service Schedule (Task Scheduler)
Performance tweaking: disable service mnmsrvc (NetMeeting Remote Desktop Sharing)
Performance tweaking: disable service RDSessMgr (Remote Desktop Help Session Manager)
Security tweaking: disable CD autorun
Security tweaking: disable administrative shares
Security tweaking: disable anonymous user access
Security: disable sending Remote Assistant queries

File list