AVZ Antiviral Toolkit log; AVZ version is 4.43
Scanning started at 06.06.2015 00:23:25
Database loaded: signatures - 297605, NN profile(s) - 2, malware removal microprograms - 56, signature database released 05.06.2015 16:00
Heuristic microprograms loaded: 410
PVS microprograms loaded: 9
Digital signatures of system files loaded: 738638
Heuristic analyzer mode: Medium heuristics mode
Malware removal mode: enabled
Windows version is: 6.1.7601, Service Pack 1 "Windows 7 Ultimate" ; AVZ is run with administrator rights
System Restore: enabled
1. Searching for Rootkits and other software intercepting API functions
1.1 Searching for user-mode API hooks
Analysis: kernel32.dll, export table found in section .text
Analysis: ntdll.dll, export table found in section .text
Analysis: user32.dll, export table found in section .text
Analysis: advapi32.dll, export table found in section .text
Analysis: ws2_32.dll, export table found in section .text
Analysis: wininet.dll, export table found in section .text
Analysis: rasapi32.dll, export table found in section .text
Analysis: urlmon.dll, export table found in section .text
Analysis: netapi32.dll, export table found in section .text
1.2 Searching for kernel-mode API hooks
Driver loaded successfully
SDT found (RVA=16AB00)
Kernel ntkrnlpa.exe found in memory at address E320A000
SDT = E3374B00
KiST = E3288B8C (401)
Function NtAlpcSendWaitReceivePort (27) intercepted (E345E419->B67E5CA0), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtAssignProcessToJobObject (2B) intercepted (E340AFA2->B67E6DB0), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtCreateFile (42) intercepted (E345B666->B67E5310), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtCreateKey (46) intercepted (E340CEDF->B67E4DC0), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtCreateProcess (4F) intercepted (E34E8A7F->B67E6770), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtCreateProcessEx (50) intercepted (E34E8ACA->B67E6670), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtCreateSection (54) intercepted (E342F25B->B67E5FF0), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtCreateSymbolicLinkObject (56) intercepted (E340D8AA->B67E6420), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtCreateThread (57) intercepted (E34E8886->B67E5900), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtCreateThreadEx (58) intercepted (E347C6AD->B67E6B00), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtCreateUserProcess (5D) intercepted (E347A5D0->B67E6E70), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtDeleteFile (66) intercepted (E33A45B2->B67E5E60), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtDeleteKey (67) intercepted (E33F7906->B67E54F0), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtDeleteValueKey (6A) intercepted (E33E930F->B67E55B0), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtDeviceIoControlFile (6B) intercepted (E347F951->B67E5BA0), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtDuplicateObject (6F) intercepted (E343D893->B67E59F0), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtEnumerateValueKey (77) intercepted (E3475436->B67E5820), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtGetNextProcess (8B) intercepted (E34EA840->B67E6C10), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtGetNextThread (8C) intercepted (E34992AC->B67E6930), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtLoadDriver (9B) intercepted (E33D1A98->B67E5AE0), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtOpenProcess (BE) intercepted (E341DCB5->B6D951E0), hook C:\Windows\System32\drivers\zamguard32.sys
Function NtOpenSection (C2) intercepted (E3475BEB->B67E5F20), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtOpenThread (C6) intercepted (E346A2F6->B67E6860), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtProtectVirtualMemory (D7) intercepted (E344E821->B67E6340), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtQueryValueKey (10A) intercepted (E345688B->B67E5740), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtQueueApcThread (10D) intercepted (E3407D26->B67E6F80), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtRenameKey (122) intercepted (E34A83EB->B67E65B0), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtRequestWaitReplyPort (12B) intercepted (E3449CF2->B67E5670), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtRestoreKey (12E) intercepted (E349DFA3->B67E7060), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtSetContextThread (13C) intercepted (E34EA0F1->B67E64F0), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtSetInformationFile (149) intercepted (E3462CFB->B67E4F70), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtSetSecurityObject (15B) intercepted (E340D6DB->B67E7130), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtSetSystemInformation (15E) intercepted (E345A570->B67E5D90), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtSetValueKey (166) intercepted (E34164DC->B67E5150), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtSuspendThread (16F) intercepted (E34A14CC->B67E60E0), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtSystemDebugControl (170) intercepted (E3491B06->B67E6260), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtTerminateProcess (172) intercepted (E3466F8E->B6D9529A), hook C:\Windows\System32\drivers\zamguard32.sys
Function NtTerminateThread (173) intercepted (E34848CA->B67E61A0), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtUnmapViewOfSection (181) intercepted (E3470BAA->B67E6CF0), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtWriteFile (18C) intercepted (E347B4B4->B67E5050), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtWriteVirtualMemory (18F) intercepted (E346BC8B->B67E5230), hook C:\Windows\System32\drivers\Bhbase.sys
Functions checked: 401, intercepted: 41, restored: 0
1.3 Checking IDT and SYSENTER
Analyzing CPU 1
Analyzing CPU 2
Analyzing CPU 3
Analyzing CPU 4
Checking IDT and SYSENTER - complete
1.4 Searching for masking processes and drivers
Checking not performed: extended monitoring driver (AVZPM) is not installed
1.5 Checking IRP handlers
Driver loaded successfully
Checking - complete
2. Scanning RAM
Number of processes found: 58
Number of modules loaded: 532
Scanning RAM - complete
3. Scanning disks
C:\Program Files\Corel\Corel MotionStudio 3D 1.0\PexExif.dll >>> suspicion for Email-Worm.Win32.Warezov.lf ( 0AE6B6E4 07F4B0C5 001977C3 001D309E 53248)
File quarantined succesfully (C:\Program Files\Corel\Corel MotionStudio 3D 1.0\PexExif.dll)
C:\Users\b\AppData\Local\Epic Privacy Browser\Application\40.0.2214.91\libegl.dll >>> suspicion for Trojan-PSW.Win32.Sinowal.n ( 0B505210 07CFC386 001CF588 00234CCC 73728)
File quarantined succesfully (C:\Users\b\AppData\Local\Epic Privacy Browser\Application\40.0.2214.91\libegl.dll)
4. Checking Winsock Layered Service Provider (SPI/LSP)
LSP NameSpace error: Number of namespaces 6 doesn't correspond to real 9
LSP NameSpace error: "WindowsLive NSP" --> file is missing C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL
LSP NameSpace error: "WindowsLive Local NSP" --> file is missing C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL
Attention ! SPI/LSP errors detected. Number of errors - 3
5. Searching for keyboard/mouse/windows events hooks (Keyloggers, Trojan DLLs)
6. Searching for opened TCP/UDP ports used by malicious software
Checking - disabled by user
7. Heuristic system check
Checking - complete
8. Searching for vulnerabilities
>> Services: potentially dangerous service allowed: TermService (Remote Desktop Services)
>> Services: potentially dangerous service allowed: SSDPSRV (SSDP Discovery)
>> Services: potentially dangerous service allowed: Schedule (Task Scheduler)
> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
>> Security: disk drives' autorun is enabled
>> Security: administrative shares (C$, D$ ...) are enabled
>> Security: anonymous user access is enabled
Checking - complete
9. Troubleshooting wizard
Checking - complete
Files scanned: 114760, extracted from archives: 52149, malicious software found 0, suspicions - 2
Scanning finished at 06.06.2015 00:49:40
Time of scanning: 00:26:16
If you have a suspicion on presence of viruses or questions on the suspected objects, you can address http://forum.kaspersky.com/index.php?showforum=19
For automatic scanning of files from the AVZ quarantine you can use the service http://virusdetector.ru/