<AVZ_CollectSysInfo>

Start time:  2/3/2011 11:09:22 AM
Duration:    00:01:13
Finish time: 2/3/2011 11:10:35 AM

Time                  Event
--------------------  ------------------------------------------------------------
2/3/2011 11:09:24 AM  Windows version: Microsoft Windows XP, Build=2600, SP="Service Pack 3"
2/3/2011 11:09:24 AM  System Restore: enabled
2/3/2011 11:09:26 AM  1.1 Searching for user-mode API hooks
2/3/2011 11:09:26 AM  Analysis: kernel32.dll, export table found in section .text
2/3/2011 11:09:26 AM  Function kernel32.dll:CreateProcessA (99) intercepted, method ProcAddressHijack.GetProcAddress ->7C80236B->61F03F42
2/3/2011 11:09:26 AM  Hook kernel32.dll:CreateProcessA (99) blocked
2/3/2011 11:09:26 AM  Function kernel32.dll:CreateProcessW (103) intercepted, method ProcAddressHijack.GetProcAddress ->7C802336->61F04040
2/3/2011 11:09:26 AM  Hook kernel32.dll:CreateProcessW (103) blocked
2/3/2011 11:09:26 AM  Function kernel32.dll:FreeLibrary (241) intercepted, method ProcAddressHijack.GetProcAddress ->7C80AC7E->61F041FC
2/3/2011 11:09:26 AM  Hook kernel32.dll:FreeLibrary (241) blocked
2/3/2011 11:09:26 AM  Function kernel32.dll:GetModuleFileNameA (373) intercepted, method ProcAddressHijack.GetProcAddress ->7C80B56F->61F040FB
2/3/2011 11:09:26 AM  Hook kernel32.dll:GetModuleFileNameA (373) blocked
2/3/2011 11:09:26 AM  Function kernel32.dll:GetModuleFileNameW (374) intercepted, method ProcAddressHijack.GetProcAddress ->7C80B475->61F041A0
2/3/2011 11:09:26 AM  Hook kernel32.dll:GetModuleFileNameW (374) blocked
2/3/2011 11:09:26 AM  Function kernel32.dll:GetProcAddress (409) intercepted, method ProcAddressHijack.GetProcAddress ->7C80AE40->61F04648
2/3/2011 11:09:26 AM  Hook kernel32.dll:GetProcAddress (409) blocked
2/3/2011 11:09:26 AM  Function kernel32.dll:LoadLibraryA (581) intercepted, method ProcAddressHijack.GetProcAddress ->7C801D7B->61F03C6F
2/3/2011 11:09:26 AM  Hook kernel32.dll:LoadLibraryA (581) blocked
2/3/2011 11:09:26 AM  >>> Functions LoadLibraryA - preventing AVZ process from being intercepted by address replacement !!)
2/3/2011 11:09:26 AM  Function kernel32.dll:LoadLibraryExA (582) intercepted, method ProcAddressHijack.GetProcAddress ->7C801D53->61F03DAF
2/3/2011 11:09:26 AM  Hook kernel32.dll:LoadLibraryExA (582) blocked
2/3/2011 11:09:26 AM  >>> Functions LoadLibraryExA - preventing AVZ process from being intercepted by address replacement !!)
2/3/2011 11:09:26 AM  Function kernel32.dll:LoadLibraryExW (583) intercepted, method ProcAddressHijack.GetProcAddress ->7C801AF5->61F03E5A
2/3/2011 11:09:26 AM  Hook kernel32.dll:LoadLibraryExW (583) blocked
2/3/2011 11:09:26 AM  Function kernel32.dll:LoadLibraryW (584) intercepted, method ProcAddressHijack.GetProcAddress ->7C80AEEB->61F03D0C
2/3/2011 11:09:26 AM  Hook kernel32.dll:LoadLibraryW (584) blocked
2/3/2011 11:09:26 AM  IAT modification detected: LoadLibraryW - 00B90010<>7C80AEEB
2/3/2011 11:09:26 AM  Analysis: ntdll.dll, export table found in section .text
2/3/2011 11:09:26 AM  Analysis: user32.dll, export table found in section .text
2/3/2011 11:09:26 AM  Analysis: advapi32.dll, export table found in section .text
2/3/2011 11:09:26 AM  Analysis: ws2_32.dll, export table found in section .text
2/3/2011 11:09:26 AM  Analysis: wininet.dll, export table found in section .text
2/3/2011 11:09:26 AM  Analysis: rasapi32.dll, export table found in section .text
2/3/2011 11:09:26 AM  Analysis: urlmon.dll, export table found in section .text
2/3/2011 11:09:26 AM  Analysis: netapi32.dll, export table found in section .text
2/3/2011 11:09:26 AM  1.2 Searching for kernel-mode API hooks
2/3/2011 11:09:27 AM  Driver loaded successfully
2/3/2011 11:09:27 AM  SDT found (RVA=085700)
2/3/2011 11:09:27 AM  Kernel ntkrnlpa.exe found in memory at address 804D7000
2/3/2011 11:09:27 AM  SDT = 8055C700
2/3/2011 11:09:27 AM  KiST = 80504480 (284)
2/3/2011 11:09:27 AM  Function NtCreateKey (29) intercepted (806237C8->B7EB50E0), hook speh.sys
2/3/2011 11:09:27 AM  >>> Function restored successfully !
2/3/2011 11:09:27 AM  >>> Hook code blocked
2/3/2011 11:09:27 AM  Function NtEnumerateKey (47) intercepted (80624014->B7ECDDA4), hook speh.sys
2/3/2011 11:09:27 AM  >>> Function restored successfully !
2/3/2011 11:09:27 AM  >>> Hook code blocked
2/3/2011 11:09:27 AM  Function NtEnumerateValueKey (49) intercepted (8062427E->B7ECE132), hook speh.sys
2/3/2011 11:09:27 AM  >>> Function restored successfully !
2/3/2011 11:09:27 AM  >>> Hook code blocked
2/3/2011 11:09:27 AM  Function NtOpenKey (77) intercepted (80624BA6->B7EB50C0), hook speh.sys
2/3/2011 11:09:27 AM  >>> Function restored successfully !
2/3/2011 11:09:27 AM  >>> Hook code blocked
2/3/2011 11:09:27 AM  Function NtQueryKey (A0) intercepted (80624EE8->B7ECE20A), hook speh.sys
2/3/2011 11:09:27 AM  >>> Function restored successfully !
2/3/2011 11:09:27 AM  >>> Hook code blocked
2/3/2011 11:09:27 AM  Function NtQueryValueKey (B1) intercepted (806219EC->B7ECE08A), hook speh.sys
2/3/2011 11:09:27 AM  >>> Function restored successfully !
2/3/2011 11:09:27 AM  >>> Hook code blocked
2/3/2011 11:09:27 AM  Function NtSetValueKey (F7) intercepted (80621D3A->B7ECE29C), hook speh.sys
2/3/2011 11:09:27 AM  >>> Function restored successfully !
2/3/2011 11:09:27 AM  >>> Hook code blocked
2/3/2011 11:09:27 AM  Function NtTerminateProcess (101) intercepted (805D2982->AFC690B0), hook C:\DOCUME~1\MICAIV~1\LOCALS~1\Temp\SuperAntiSpyware\SASKUTIL.sys
2/3/2011 11:09:27 AM  >>> Function restored successfully !
2/3/2011 11:09:27 AM  >>> Hook code blocked
2/3/2011 11:09:27 AM  Functions checked: 284, intercepted: 8, restored: 8
2/3/2011 11:09:27 AM  1.3 Checking IDT and SYSENTER
2/3/2011 11:09:27 AM  Analysis for CPU 1
2/3/2011 11:09:27 AM  Analysis for CPU 2
2/3/2011 11:09:27 AM  Checking IDT and SYSENTER - complete
2/3/2011 11:09:28 AM  1.4 Searching for masking processes and drivers
2/3/2011 11:09:28 AM  Checking not performed: extended monitoring driver (AVZPM) is not installed
2/3/2011 11:09:28 AM  Driver loaded successfully
2/3/2011 11:09:28 AM  1.5 Checking of IRP handlers
2/3/2011 11:09:28 AM  \FileSystem\ntfs[IRP_MJ_CREATE] = 8AD921F8 -> hook not defined
2/3/2011 11:09:28 AM  \FileSystem\ntfs[IRP_MJ_CLOSE] = 8AD921F8 -> hook not defined
2/3/2011 11:09:28 AM  \FileSystem\ntfs[IRP_MJ_WRITE] = 8AD921F8 -> hook not defined
2/3/2011 11:09:28 AM  \FileSystem\ntfs[IRP_MJ_QUERY_INFORMATION] = 8AD921F8 -> hook not defined
2/3/2011 11:09:28 AM  \FileSystem\ntfs[IRP_MJ_SET_INFORMATION] = 8AD921F8 -> hook not defined
2/3/2011 11:09:28 AM  \FileSystem\ntfs[IRP_MJ_QUERY_EA] = 8AD921F8 -> hook not defined
2/3/2011 11:09:28 AM  \FileSystem\ntfs[IRP_MJ_SET_EA] = 8AD921F8 -> hook not defined
2/3/2011 11:09:28 AM  \FileSystem\ntfs[IRP_MJ_QUERY_VOLUME_INFORMATION] = 8AD921F8 -> hook not defined
2/3/2011 11:09:28 AM  \FileSystem\ntfs[IRP_MJ_SET_VOLUME_INFORMATION] = 8AD921F8 -> hook not defined
2/3/2011 11:09:28 AM  \FileSystem\ntfs[IRP_MJ_DIRECTORY_CONTROL] = 8AD921F8 -> hook not defined
2/3/2011 11:09:28 AM  \FileSystem\ntfs[IRP_MJ_FILE_SYSTEM_CONTROL] = 8AD921F8 -> hook not defined
2/3/2011 11:09:28 AM  \FileSystem\ntfs[IRP_MJ_DEVICE_CONTROL] = 8AD921F8 -> hook not defined
2/3/2011 11:09:28 AM  \FileSystem\ntfs[IRP_MJ_LOCK_CONTROL] = 8AD921F8 -> hook not defined
2/3/2011 11:09:28 AM  \FileSystem\ntfs[IRP_MJ_QUERY_SECURITY] = 8AD921F8 -> hook not defined
2/3/2011 11:09:28 AM  \FileSystem\ntfs[IRP_MJ_SET_SECURITY] = 8AD921F8 -> hook not defined
2/3/2011 11:09:28 AM  \FileSystem\ntfs[IRP_MJ_PNP] = 8AD921F8 -> hook not defined
2/3/2011 11:09:28 AM  Checking - complete
2/3/2011 11:09:28 AM  C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCP80.dll --> Suspicion for Keylogger or Trojan DLL
2/3/2011 11:09:28 AM  C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCP80.dll>>> Behavioral analysis
2/3/2011 11:09:28 AM  Behaviour typical for keyloggers not detected
2/3/2011 11:09:28 AM  C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll --> Suspicion for Keylogger or Trojan DLL
2/3/2011 11:09:28 AM  C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll>>> Behavioral analysis
2/3/2011 11:09:28 AM  Behaviour typical for keyloggers not detected
2/3/2011 11:09:30 AM  C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll --> Suspicion for Keylogger or Trojan DLL
2/3/2011 11:09:30 AM  C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll>>> Behavioral analysis
2/3/2011 11:09:30 AM  Behaviour typical for keyloggers not detected
2/3/2011 11:09:30 AM  C:\Program Files\Microsoft Office\Office12\GrooveUtil.DLL --> Suspicion for Keylogger or Trojan DLL
2/3/2011 11:09:30 AM  C:\Program Files\Microsoft Office\Office12\GrooveUtil.DLL>>> Behavioral analysis
2/3/2011 11:09:30 AM  Behaviour typical for keyloggers not detected
2/3/2011 11:09:30 AM  C:\Program Files\Microsoft Office\Office12\GrooveNew.DLL --> Suspicion for Keylogger or Trojan DLL
2/3/2011 11:09:30 AM  C:\Program Files\Microsoft Office\Office12\GrooveNew.DLL>>> Behavioral analysis
2/3/2011 11:09:30 AM  Behaviour typical for keyloggers not detected
2/3/2011 11:09:30 AM  C:\WINDOWS\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_473666fd\ATL80.DLL --> Suspicion for Keylogger or Trojan DLL
2/3/2011 11:09:30 AM  C:\WINDOWS\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_473666fd\ATL80.DLL>>> Behavioral analysis
2/3/2011 11:09:30 AM  Behaviour typical for keyloggers not detected
2/3/2011 11:09:31 AM  Note: Do NOT delete suspicious files, send them for analysis (see FAQ for more details), because there are lots of useful hooking DLLs
2/3/2011 11:09:44 AM  >> Services: potentially dangerous service allowed: TermService (Terminal Services)
2/3/2011 11:09:44 AM  >> Services: potentially dangerous service allowed: TlntSvr ()
2/3/2011 11:09:44 AM  >> Services: potentially dangerous service allowed: Schedule (Task Scheduler)
2/3/2011 11:09:44 AM  > Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
2/3/2011 11:09:44 AM  >> Security: disk drives' autorun is enabled
2/3/2011 11:09:44 AM  >> Security: administrative shares (C$, D$ ...) are enabled
2/3/2011 11:09:44 AM  >> Security: anonymous user access is enabled
2/3/2011 11:09:44 AM  >> Security: sending Remote Assistant queries is enabled
2/3/2011 11:09:46 AM  >> Disable HDD autorun
2/3/2011 11:09:46 AM  >> Disable autorun from network drives
2/3/2011 11:09:47 AM  >> Disable CD/DVD autorun
2/3/2011 11:09:47 AM  >> Disable removable media autorun
2/3/2011 11:09:47 AM  System Analysis in progress
2/3/2011 11:10:35 AM  System Analysis - complete
2/3/2011 11:10:35 AM  Delete file:C:\DOCUME~1\MICAIV~1\LOCALS~1\Temp\Kaspersky\LOG\avptool_syscheck.htm
2/3/2011 11:10:35 AM  Delete file:C:\DOCUME~1\MICAIV~1\LOCALS~1\Temp\Kaspersky\LOG\avptool_syscheck.xml
2/3/2011 11:10:35 AM  Deleting service/driver: ute2mjc2
2/3/2011 11:10:35 AM  Delete file:C:\WINDOWS\system32\Drivers\ute2mjc2.sys
2/3/2011 11:10:35 AM  Deleting service/driver: uje2mjc2
2/3/2011 11:10:35 AM  Script executed without errors
