AVZ Antiviral Toolkit log; AVZ version is 4.39
Scanning started at 06.10.2012 15:27:09
Database loaded: signatures - 297616, NN profile(s) - 2, malware removal microprograms - 56, signature database released 06.10.2012 04:00
Heuristic microprograms loaded: 399
PVS microprograms loaded: 9
Digital signatures of system files loaded: 448758
Heuristic analyzer mode: Medium heuristics mode
Malware removal mode: enabled
Windows version is: 6.2.8400, ; AVZ is run with administrator rights
System Restore: enabled
1. Searching for Rootkits and other software intercepting API functions
>>>> Executable file's name could be masked 2628 taskhostex.exe, real name - C:\Windows\System32\taskhost.exe
1.1 Searching for user-mode API hooks
Analysis: kernel32.dll, export table found in section .text
Function kernel32.dll:ReadConsoleInputExA (1100) intercepted, method - ProcAddressHijack.GetProcAddress ->75989B80->7546A566
Function kernel32.dll:ReadConsoleInputExW (1101) intercepted, method - ProcAddressHijack.GetProcAddress ->75989B9F->7546A542
Analysis: ntdll.dll, export table found in section .text
Function ntdll.dll:NtdllDefWindowProc_W (627) intercepted, method - ProcAddressHijack.GetProcAddress ->77BB10B6->719759DB
Analysis: user32.dll, export table found in section .text
Function user32.dll:CallWindowProcW (1533) intercepted, method - ProcAddressHijack.GetProcAddress ->7704A9A4->719759F3
Function user32.dll:ChangeDisplaySettingsA (1538) intercepted, method - ProcAddressHijack.GetProcAddress ->770A5487->7199F7F1
Function user32.dll:ChangeDisplaySettingsExA (1539) intercepted, method - ProcAddressHijack.GetProcAddress ->770718BF->7199F679
Function user32.dll:ChangeDisplaySettingsExW (1540) intercepted, method - ProcAddressHijack.GetProcAddress ->7705CC2E->7199F5B4
Function user32.dll:ChangeDisplaySettingsW (1541) intercepted, method - ProcAddressHijack.GetProcAddress ->77071AB0->7199F73E
Function user32.dll:DestroyWindow (1681) intercepted, method - ProcAddressHijack.GetProcAddress ->77053740->71975E92
Function user32.dll:EnumChildWindows (1745) intercepted, method - ProcAddressHijack.GetProcAddress ->7704EF0C->71952F26
Function user32.dll:EnumDisplayDevicesA (1750) intercepted, method - ProcAddressHijack.GetProcAddress ->7705BFC4->71973A5F
Function user32.dll:EnumDisplayDevicesW (1751) intercepted, method - ProcAddressHijack.GetProcAddress ->77057F64->7199F187
Function user32.dll:EnumDisplaySettingsA (1753) intercepted, method - ProcAddressHijack.GetProcAddress ->7707BE30->7199F568
Function user32.dll:EnumDisplaySettingsExA (1754) intercepted, method - ProcAddressHijack.GetProcAddress ->7707BE5C->7199F4CA
Function user32.dll:EnumDisplaySettingsExW (1755) intercepted, method - ProcAddressHijack.GetProcAddress ->77051308->7199F478
Function user32.dll:EnumDisplaySettingsW (1756) intercepted, method - ProcAddressHijack.GetProcAddress ->770513FB->7199F519
Function user32.dll:EnumThreadWindows (1761) intercepted, method - ProcAddressHijack.GetProcAddress ->77055A56->71975F94
Function user32.dll:EnumWindows (1764) intercepted, method - ProcAddressHijack.GetProcAddress ->77050294->719B5A0D
Function user32.dll:GetDC (1815) intercepted, method - ProcAddressHijack.GetProcAddress ->77049A41->71975B2E
Function user32.dll:GetDCEx (1816) intercepted, method - ProcAddressHijack.GetProcAddress ->7705220F->71973C62
Function user32.dll:GetWindowDC (1952) intercepted, method - ProcAddressHijack.GetProcAddress ->7704ACC8->7197608D
Function user32.dll:GetWindowLongW (1957) intercepted, method - ProcAddressHijack.GetProcAddress ->77049047->719759C3
Function user32.dll:GetWindowThreadProcessId (1971) intercepted, method - ProcAddressHijack.GetProcAddress ->77048F73->719B59F7
Function user32.dll:IsWindowVisible (2041) intercepted, method - ProcAddressHijack.GetProcAddress ->77049D23->719B59E1
Function user32.dll:MessageBoxA (2088) intercepted, method - ProcAddressHijack.GetProcAddress ->7709F923->719B6C32
Function user32.dll:MessageBoxExA (2089) intercepted, method - ProcAddressHijack.GetProcAddress ->7709F8FF->719B6B93
Function user32.dll:MessageBoxExW (2090) intercepted, method - ProcAddressHijack.GetProcAddress ->7709F8DB->719B6B42
Function user32.dll:MessageBoxIndirectA (2091) intercepted, method - ProcAddressHijack.GetProcAddress ->7709F6E5->719B6AFD
Function user32.dll:MessageBoxIndirectW (2092) intercepted, method - ProcAddressHijack.GetProcAddress ->7706B745->719B6AB5
Function user32.dll:MessageBoxW (2095) intercepted, method - ProcAddressHijack.GetProcAddress ->7709FBBA->719B6BE4
Function user32.dll:RedrawWindow (2150) intercepted, method - ProcAddressHijack.GetProcAddress ->7704AB04->71975E7C
Function user32.dll:ReleaseDC (2182) intercepted, method - ProcAddressHijack.GetProcAddress ->77049A17->71975BB8
Function user32.dll:SetWindowLongW (2284) intercepted, method - ProcAddressHijack.GetProcAddress ->7704C6BA->71975D30
Function user32.dll:WindowFromDC (2384) intercepted, method - ProcAddressHijack.GetProcAddress ->7704CB4D->71975FC3
IAT modification detected: GetDC - 71975B2E<>77049A41
Analysis: advapi32.dll, export table found in section .text
Function advapi32.dll:TraceQueryInformation (1806) intercepted, method - ProcAddressHijack.GetProcAddress ->756C820A->754284DD
Analysis: ws2_32.dll, export table found in section .text
Analysis: wininet.dll, export table found in section .text
Analysis: rasapi32.dll, export table found in section .text
Analysis: urlmon.dll, export table found in section .text
Analysis: netapi32.dll, export table found in section .text
1.2 Searching for kernel-mode API hooks
Driver loaded successfully
SDT found (RVA=213400)
Kernel ntoskrnl.exe found in memory at address 8105E000
SDT = 81271400
KiST = 8113AC50 (430)
Function ExCompositionSurfaceObjectType (8123AAD8) - machine code modification Method not defined., embedding from byte 1
Function IoCompletionObjectType (81271148) - machine code modification Method not defined.
Function SeSystemDefaultSd (81529270) - machine code modification Method not defined.
Functions checked: 430, intercepted: 0, restored: 0
1.3 Checking IDT and SYSENTER
Analyzing CPU 1
Analyzing CPU 2
Checking IDT and SYSENTER - complete
1.4 Searching for masking processes and drivers
Masking process with PID=5988, name = ""
>> PID substitution detected (current PID is=0, real = 5988)
Masking process with PID=2852, name = ""
>> PID substitution detected (current PID is=0, real = 2852)
Masking process with PID=2144, name = ""
>> PID substitution detected (current PID is=0, real = 2144)
Masking process with PID=2896, name = ""
>> PID substitution detected (current PID is=0, real = 2896)
>> Driver masking: Base=A19B9000, size=28672, name = "\Device\HarddiskVolume1\Windows\System32\Drivers\ ute4odcx.sys"
Searching for masking processes and drivers - complete
1.5 Checking IRP handlers
Driver loaded successfully
Checking - complete
2. Scanning RAM
Number of processes found: 55
Number of modules loaded: 597
Scanning RAM - complete
3. Scanning disks
4. Checking Winsock Layered Service Provider (SPI/LSP)
LSP settings checked. No errors detected
5. Searching for keyboard/mouse/windows events hooks (Keyloggers, Trojan DLLs)
C:\Program Files\Kaspersky Lab\Kaspersky PURE 2.0\shellex.dll --> Suspicion for Keylogger or Trojan DLL
C:\Program Files\Kaspersky Lab\Kaspersky PURE 2.0\shellex.dll>>> Behaviour analysis
Behaviour typical for keyloggers was not detected
C:\Program Files\Kaspersky Lab\Kaspersky PURE 2.0\prremote.dll --> Suspicion for Keylogger or Trojan DLL
C:\Program Files\Kaspersky Lab\Kaspersky PURE 2.0\prremote.dll>>> Behaviour analysis
Behaviour typical for keyloggers was not detected
C:\Program Files\Kaspersky Lab\Kaspersky PURE 2.0\prloader.dll --> Suspicion for Keylogger or Trojan DLL
C:\Program Files\Kaspersky Lab\Kaspersky PURE 2.0\prloader.dll>>> Behaviour analysis
Behaviour typical for keyloggers was not detected
Note: Do NOT delete suspicious files, send them for analysis (see FAQ for more details), because there are lots of useful hooking DLLs
6. Searching for opened TCP/UDP ports used by malicious software
In the database 317 port descriptions
Opened at this PC: 30 TCP ports and 0 UDP ports
Checking - complete; no suspicious ports detected
7. Heuristic system check
Danger - process debugger "taskmgr.exe" = ""C:\Program Files\Process Hacker 2\ProcessHacker.exe""
>>> C:\Program Files\Kaspersky Lab\Kaspersky PURE 2.0\avp.exe HSC: suspicion for File with suspicious name (CH - Autorun) (high degree of probability)
>>> C:\Program Files\Kaspersky Lab\Kaspersky PURE 2.0\avp.exe HSC: suspicion for File with suspicious name (CH - Autorun) (high degree of probability)
>>> C:\Program Files\Kaspersky Lab\Kaspersky PURE 2.0\avp.exe HSC: suspicion for File with suspicious name (CH - Autorun) (high degree of probability)
>>> C:\Program Files\Kaspersky Lab\Kaspersky PURE 2.0\avp.exe HSC: suspicion for File with suspicious name (CH - Autorun) (high degree of probability)
>>> C:\Program Files\Kaspersky Lab\Kaspersky PURE 2.0\avp.exe HSC: suspicion for File with suspicious name (CH - Autorun) (high degree of probability)
>>> C:\Program Files\Kaspersky Lab\Kaspersky PURE 2.0\avp.exe HSC: suspicion for File with suspicious name (CH - Autorun) (high degree of probability)
>>> C:\Program Files\Kaspersky Lab\Kaspersky PURE 2.0\avp.exe HSC: suspicion for File with suspicious name (CH - Autorun) (high degree of probability)
>>> C:\Program Files\Kaspersky Lab\Kaspersky PURE 2.0\avp.exe HSC: suspicion for File with suspicious name (CH - Autorun) (high degree of probability)
>>> C:\Program Files\Kaspersky Lab\Kaspersky PURE 2.0\avp.exe HSC: suspicion for File with suspicious name (CH - Service) (high degree of probability)
>>> C:\Program Files\Kaspersky Lab\Kaspersky PURE 2.0\avp.exe HSC: suspicion for File with suspicious name (CH - Service) (high degree of probability)
>>> C:\Program Files\Kaspersky Lab\Kaspersky PURE 2.0\avp.exe HSC: suspicion for File with suspicious name (CH - Service) (high degree of probability)
>>> C:\Program Files\Kaspersky Lab\Kaspersky PURE 2.0\avp.exe HSC: suspicion for File with suspicious name (CH - Service) (high degree of probability)
>>> C:\Program Files\Kaspersky Lab\Kaspersky PURE 2.0\avp.exe HSC: suspicion for File with suspicious name (CH - Service) (high degree of probability)
>>> C:\Program Files\Kaspersky Lab\Kaspersky PURE 2.0\avp.exe HSC: suspicion for File with suspicious name (CH - Service) (high degree of probability)
>>> C:\Program Files\Kaspersky Lab\Kaspersky PURE 2.0\avp.exe HSC: suspicion for File with suspicious name (CH - Service) (high degree of probability)
>>> C:\Program Files\Kaspersky Lab\Kaspersky PURE 2.0\avp.exe HSC: suspicion for File with suspicious name (CH - Service) (high degree of probability)
Checking - complete
8. Searching for vulnerabilities
>> Services: potentially dangerous service allowed: Schedule (Task Scheduler)
> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
>> Security: disk drives' autorun is enabled
>> Security: administrative shares (C$, D$ ...) are enabled
>>> Security: Internet Explorer allows ActiveX, not marked as safe
>>> Security: block ActiveX, not marked as safe, in Internet Explorer
>>> Security: Internet Explorer allows unsigned ActiveX elements
>>> Security: Internet Explorer allows automatic queries of ActiveX administrative elements
>>> Security: Internet Explorer allows running files and applications in IFRAME window without asking user
Checking - complete
9. Troubleshooting wizard
>> Internet Explorer - ActiveX, not marked as safe, are allowed
>>> Internet Explorer - ActiveX, not marked as safe, are allowed - fixed
>> Internet Explorer - signed ActiveX elements are allowed without asking user
>>> Internet Explorer - signed ActiveX elements are allowed without asking user - fixed
>> Internet Explorer - unsigned ActiveX elements are allowed
>>> Internet Explorer - unsigned ActiveX elements are allowed - fixed
>> Internet Explorer - automatic queries of ActiveX operating elements are allowed
>>> Internet Explorer - automatic queries of ActiveX operating elements are allowed - fixed
>> Internet Explorer - running programs and files in IFRAME window is allowed
>>> Internet Explorer - running programs and files in IFRAME window is allowed - fixed
>> Service termination timeout is out of admissible values
>>> Service termination timeout is out of admissible values - fixed
>> HDD autorun is allowed
>>> HDD autorun is allowed - fixed
>> Network drives autorun is allowed
>>> Network drives autorun is allowed - fixed
>> Removable media autorun is allowed
>>> Removable media autorun is allowed - fixed
>> Starting Windows Media Center is blocked
>>> Starting Windows Media Center is blocked - fixed
>> Starting Windows Mobility Center is blocked
>>> Starting Windows Mobility Center is blocked - fixed
Checking - complete
Files scanned: 37646, extracted from archives: 16952
Scanning finished at 06.10.2012 15:54:05
Time of scanning: 00:26:58
If you have a suspicion on presence of viruses or questions on the suspected objects,
you can address
http://forum.kaspersky.com/index.php?showforum=19
_____________
The last time I ran this scan was a year ago; it was a lot worse, as hard as that is to believe. I'm too lazy to collate the many responses from Kaspersky Tech Support, but you can take my word for it.
They really, really wanted to assist me! No, really.
They kept asking for more and more information.
I'm not an ingrate. But when they came around full circle to the old "so what's the problem again"....
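Added here as a worked example (my own code, not part of the post above and not anything AVZ ships): a small Python triage script for the kinds of lines this log contains. It parses AVZ's export-table hook lines, IAT modifications, masked process names, hidden drivers and the IFEO "process debugger" finding, then clusters the hook destinations by 1 MB address region. Run over the log above that collapses the thirty-odd user32/ntdll hooks into one 0x719xxxxx region and the kernel32/advapi32 hooks into one 0x754xxxxx region, i.e. two injected modules to identify and signature-check rather than thirty separate findings. The sample lines are copied from the log above; the regexes, function names and the 1 MB region size are my assumptions, not a format AVZ documents.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the AVZ log above, enough to exercise every pattern.
SAMPLE_LOG = r"""
>>>> Executable file's name could be masked 2628 taskhostex.exe, real name - C:\Windows\System32\taskhost.exe
Function kernel32.dll:ReadConsoleInputExA (1100) intercepted, method - ProcAddressHijack.GetProcAddress ->75989B80->7546A566
Function ntdll.dll:NtdllDefWindowProc_W (627) intercepted, method - ProcAddressHijack.GetProcAddress ->77BB10B6->719759DB
Function user32.dll:GetDC (1815) intercepted, method - ProcAddressHijack.GetProcAddress ->77049A41->71975B2E
Function user32.dll:MessageBoxW (2095) intercepted, method - ProcAddressHijack.GetProcAddress ->7709FBBA->719B6BE4
IAT modification detected: GetDC - 71975B2E<>77049A41
Function advapi32.dll:TraceQueryInformation (1806) intercepted, method - ProcAddressHijack.GetProcAddress ->756C820A->754284DD
>> Driver masking: Base=A19B9000, size=28672, name = "\Device\HarddiskVolume1\Windows\System32\Drivers\ ute4odcx.sys"
Danger - process debugger "taskmgr.exe" = ""C:\Program Files\Process Hacker 2\ProcessHacker.exe""
"""

# Patterns are my reading of AVZ 4.39 output (assumption), not a documented format.
HOOK_RE = re.compile(
    r"Function (?P<module>[\w.]+):(?P<func>\w+) \((?P<ordinal>\d+)\) intercepted, "
    r"method - (?P<method>\S+) ->(?P<orig>[0-9A-Fa-f]+)->(?P<target>[0-9A-Fa-f]+)"
)
IAT_RE = re.compile(r"IAT modification detected: (?P<func>\w+) - (?P<current>[0-9A-Fa-f]+)<>(?P<expected>[0-9A-Fa-f]+)")
MASK_RE = re.compile(r"Executable file's name could be masked (?P<pid>\d+) (?P<shown>\S+), real name - (?P<real>.+)")
DRIVER_RE = re.compile(r'Driver masking: Base=(?P<base>[0-9A-Fa-f]+), size=(?P<size>\d+), name = "(?P<name>[^"]*)"')
IFEO_RE = re.compile(r'process debugger "(?P<image>[^"]+)" = (?P<debugger>.+)$')


def parse_avz(text):
    """Extract the rootkit-section findings from AVZ log text into plain dicts."""
    f = {"hooks": [], "iat_mods": [], "masked_names": [], "masked_drivers": [], "ifeo_debuggers": []}
    for raw in text.splitlines():
        line = raw.strip()
        m = HOOK_RE.search(line)
        if m:
            f["hooks"].append({"module": m["module"], "func": m["func"], "ordinal": int(m["ordinal"]),
                               "method": m["method"], "orig": int(m["orig"], 16), "target": int(m["target"], 16)})
            continue
        m = IAT_RE.search(line)
        if m:
            f["iat_mods"].append({"func": m["func"], "current": int(m["current"], 16), "expected": int(m["expected"], 16)})
            continue
        m = MASK_RE.search(line)
        if m:
            f["masked_names"].append({"pid": int(m["pid"]), "shown": m["shown"], "real": m["real"].strip()})
            continue
        m = DRIVER_RE.search(line)
        if m:
            f["masked_drivers"].append({"base": int(m["base"], 16), "size": int(m["size"]), "name": m["name"]})
            continue
        m = IFEO_RE.search(line)
        if m:
            # AVZ doubles the quotes around the Debugger value; strip them all.
            f["ifeo_debuggers"].append({"image": m["image"], "debugger": m["debugger"].strip('"')})
    return f


def cluster_hook_targets(hooks, region_size=0x100000):
    """Group hook destinations by address region (1 MB by default, an assumed heuristic).

    Hooks whose targets share a region almost always live in one injected module, so
    the number of clusters approximates the number of distinct hooking DLLs to identify.
    """
    clusters = defaultdict(list)
    for h in hooks:
        base = h["target"] - h["target"] % region_size
        clusters[base].append(f'{h["module"]}!{h["func"]}')
    return dict(clusters)


def triage(findings):
    """Turn parsed findings into the concrete checks a responder would run next."""
    notes = []
    for d in findings["ifeo_debuggers"]:
        notes.append(f"IFEO Debugger for {d['image']} -> {d['debugger']}: confirm you configured this yourself "
                     "(Process Hacker's 'Replace Task Manager' option sets this key); otherwise treat it as an IFEO hijack")
    for drv in findings["masked_drivers"]:
        notes.append(f"hidden driver at {drv['base']:#x} ({drv['size']} bytes) {drv['name']!r}: "
                     "locate the file on disk and check its Authenticode signature")
    for base, funcs in sorted(cluster_hook_targets(findings["hooks"]).items()):
        notes.append(f"{len(funcs)} export hooks redirect into region {base:#x}: identify the module mapped there "
                     "and verify its signature; one region usually means one injector")
    return notes


if __name__ == "__main__":
    for note in triage(parse_avz(SAMPLE_LOG)):
        print("-", note)
```

The IFEO line in section 7 of the log is the one finding worth explaining rather than fearing: it is the `Debugger` value under `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe`, which Process Hacker writes when you enable "Replace Task Manager". Malware uses the same key to hijack or disable tools, so the check is simply whether the target is the binary you installed. For the hook clusters, the next step on the live box is to map the region base to a loaded module (Process Hacker's modules tab, or `Get-Process | Select -Expand Modules` in PowerShell) and check that module's signer.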