كلاش الجبل

The report

<AVZ_CollectSysInfo>
--------------------
Start time: 10/01/1430 01:53:15 ص
Duration: 00:01:12
Finish time: 10/01/1430 01:54:27 ص

<AVZ_CollectSysInfo>
--------------------
Time Event
---- -----
10/01/1430 01:53:16 ص Windows version: Microsoft Windows XP, Build=2600, SP="Service Pack 3"
10/01/1430 01:53:16 ص System Restore: Disabled
10/01/1430 01:53:17 ص 1.1 Searching for user-mode API hooks
10/01/1430 01:53:17 ص Analysis: kernel32.dll, export table found in section .text
10/01/1430 01:53:17 ص Function kernel32.dll:CreateProcessA (99) intercepted, method ProcAddressHijack.GetProcAddress ->7C80236B->61F03F42
10/01/1430 01:53:17 ص Hook kernel32.dll:CreateProcessA (99) blocked
10/01/1430 01:53:17 ص Function kernel32.dll:CreateProcessW (103) intercepted, method ProcAddressHijack.GetProcAddress ->7C802336->61F04040
10/01/1430 01:53:17 ص Hook kernel32.dll:CreateProcessW (103) blocked
10/01/1430 01:53:17 ص Function kernel32.dll:FreeLibrary (241) intercepted, method ProcAddressHijack.GetProcAddress ->7C80AC6E->61F041FC
10/01/1430 01:53:17 ص Hook kernel32.dll:FreeLibrary (241) blocked
10/01/1430 01:53:17 ص Function kernel32.dll:GetModuleFileNameA (373) intercepted, method ProcAddressHijack.GetProcAddress ->7C80B55F->61F040FB
10/01/1430 01:53:17 ص Hook kernel32.dll:GetModuleFileNameA (373) blocked
10/01/1430 01:53:17 ص Function kernel32.dll:GetModuleFileNameW (374) intercepted, method ProcAddressHijack.GetProcAddress ->7C80B465->61F041A0
10/01/1430 01:53:17 ص Hook kernel32.dll:GetModuleFileNameW (374) blocked
10/01/1430 01:53:17 ص Function kernel32.dll:GetProcAddress (409) intercepted, method ProcAddressHijack.GetProcAddress ->7C80AE30->61F04648
10/01/1430 01:53:17 ص Hook kernel32.dll:GetProcAddress (409) blocked
10/01/1430 01:53:17 ص Function kernel32.dll:LoadLibraryA (581) intercepted, method ProcAddressHijack.GetProcAddress ->7C801D7B->61F03C6F
10/01/1430 01:53:17 ص Hook kernel32.dll:LoadLibraryA (581) blocked
10/01/1430 01:53:17 ص >>> Functions LoadLibraryA - preventing AVZ process from being intercepted by address replacement !!)
10/01/1430 01:53:17 ص Function kernel32.dll:LoadLibraryExA (582) intercepted, method ProcAddressHijack.GetProcAddress ->7C801D53->61F03DAF
10/01/1430 01:53:17 ص Hook kernel32.dll:LoadLibraryExA (582) blocked
10/01/1430 01:53:17 ص >>> Functions LoadLibraryExA - preventing AVZ process from being intercepted by address replacement !!)
10/01/1430 01:53:17 ص Function kernel32.dll:LoadLibraryExW (583) intercepted, method ProcAddressHijack.GetProcAddress ->7C801AF5->61F03E5A
10/01/1430 01:53:17 ص Hook kernel32.dll:LoadLibraryExW (583) blocked
10/01/1430 01:53:17 ص Function kernel32.dll:LoadLibraryW (584) intercepted, method ProcAddressHijack.GetProcAddress ->7C80AEDB->61F03D0C
10/01/1430 01:53:17 ص Hook kernel32.dll:LoadLibraryW (584) blocked
10/01/1430 01:53:17 ص IAT modification detected: LoadLibraryW - 00BF0010<>7C80AEDB
10/01/1430 01:53:17 ص Analysis: ntdll.dll, export table found in section .text
10/01/1430 01:53:17 ص Analysis: user32.dll, export table found in section .text
10/01/1430 01:53:17 ص Analysis: advapi32.dll, export table found in section .text
10/01/1430 01:53:17 ص Analysis: ws2_32.dll, export table found in section .text
10/01/1430 01:53:17 ص Analysis: wininet.dll, export table found in section .text
10/01/1430 01:53:17 ص Analysis: rasapi32.dll, export table found in section .text
10/01/1430 01:53:17 ص Analysis: urlmon.dll, export table found in section .text
10/01/1430 01:53:17 ص Analysis: netapi32.dll, export table found in section .text
10/01/1430 01:53:17 ص 1.2 Searching for kernel-mode API hooks
10/01/1430 01:53:18 ص Driver loaded successfully
10/01/1430 01:53:18 ص SDT found (RVA=085700)
10/01/1430 01:53:18 ص Kernel ntkrnlpa.exe found in memory at address 804D7000
10/01/1430 01:53:18 ص SDT = 8055C700
10/01/1430 01:53:18 ص KiST = 80504460 (284)
10/01/1430 01:53:18 ص Functions checked: 284, intercepted: 0, restored: 0
10/01/1430 01:53:18 ص 1.3 Checking IDT and SYSENTER
10/01/1430 01:53:18 ص Analysis for CPU 1
10/01/1430 01:53:18 ص Analysis for CPU 2
10/01/1430 01:53:18 ص Checking IDT and SYSENTER - complete
10/01/1430 01:53:19 ص 1.4 Searching for masking processes and drivers
10/01/1430 01:53:19 ص Checking not performed: extended monitoring driver (AVZPM) is not installed
10/01/1430 01:53:19 ص Driver loaded successfully
10/01/1430 01:53:19 ص 1.5 Checking of IRP handlers
10/01/1430 01:53:19 ص Checking - complete
10/01/1430 01:53:35 ص >> Services: potentially dangerous service allowed: RemoteRegistry (Remote Registry)
10/01/1430 01:53:35 ص >> Services: potentially dangerous service allowed: TermService (Terminal Services)
10/01/1430 01:53:35 ص >> Services: potentially dangerous service allowed: SSDPSRV (SSDP Discovery Service)
10/01/1430 01:53:35 ص >> Services: potentially dangerous service allowed: Schedule (Task Scheduler)
10/01/1430 01:53:35 ص >> Services: potentially dangerous service allowed: RDSessMgr (Remote Desktop Help Session Manager)
10/01/1430 01:53:35 ص > Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
10/01/1430 01:53:35 ص >> Security: disk drives' autorun is enabled
10/01/1430 01:53:35 ص >> Security: administrative shares (C$, D$ ...) are enabled
10/01/1430 01:53:35 ص >> Security: anonymous user access is enabled
10/01/1430 01:53:35 ص >> Security: sending Remote Assistant queries is enabled
10/01/1430 01:53:40 ص >> Disable HDD autorun
10/01/1430 01:53:40 ص >> Disable autorun from network drives
10/01/1430 01:53:40 ص >> Disable CD/DVD autorun
10/01/1430 01:53:40 ص >> Disable removable media autorun
10/01/1430 01:53:40 ص >> Windows Update is disabled
10/01/1430 01:53:40 ص System Analysis in progress
10/01/1430 01:54:27 ص System Analysis - complete
10/01/1430 01:54:27 ص Delete file:C:\Documents and Settings\الرواد\سطح المكتب\Virus Removal Tool\is-5SUOB\LOG\avptool_syscheck.htm
10/01/1430 01:54:27 ص Delete file:C:\Documents and Settings\الرواد\سطح المكتب\Virus Removal Tool\is-5SUOB\LOG\avptool_syscheck.xml
10/01/1430 01:54:27 ص Deleting service/driver: utmymjk3
10/01/1430 01:54:27 ص Delete file:C:\WINDOWS\system32\Drivers\utmymjk3.sys
10/01/1430 01:54:27 ص Deleting service/driver: ujmymjk3
10/01/1430 01:54:27 ص Script executed without errors
 

Sorry, the thread has been moved to the more appropriate section so that you receive the necessary support.
May God bless you.
 
Can you produce a HijackThis report, my friend?
 
Signature: Corporation