Author Topic: problem  (Read 6173 times)

0 Members and 1 Guest are viewing this topic.

Offline Gamezertruth

  • Hero Member
  • *****
  • Join Date: Aug 2012
  • Posts: 1143
  • Karma: 4
    • View Profile
    • Gamezertruth
problem
« on: July 22, 2015, 09:40:49 pm »
can someone help with this ?

AVZ Antiviral Toolkit log; AVZ version is 4.43
Scanning started at 23.07.2015 07:20:07
Database loaded: signatures - 297605, NN profile(s) - 2, malware removal microprograms - 56, signature database released 23.07.2015 04:00
Heuristic microprograms loaded: 411
PVS microprograms loaded: 9
Digital signatures of system files loaded: 749467
Heuristic analyzer mode: Medium heuristics mode
Malware removal mode: enabled
Windows version is: 6.1.7601, Service Pack 1 "Windows 7 Ultimate" ; AVZ is run with administrator rights
System Restore: enabled
1. Searching for Rootkits and other software intercepting API functions
1.1 Searching for user-mode API hooks
 Analysis: kernel32.dll, export table found in section .text
 Analysis: ntdll.dll, export table found in section .text
 Analysis: user32.dll, export table found in section .text
 Analysis: advapi32.dll, export table found in section .text
 Analysis: ws2_32.dll, export table found in section .text
 Analysis: wininet.dll, export table found in section .text
 Analysis: rasapi32.dll, export table found in section .text
 Analysis: urlmon.dll, export table found in section .text
 Analysis: netapi32.dll, export table found in section .text
1.2 Searching for kernel-mode API hooks
 Driver loaded successfully
 SDT found (RVA=16CB00)
 Kernel ntkrnlpa.exe found in memory at address E3215000
   SDT = E3381B00
   KiST = E3293F6C (401)
Function NtAlpcSendWaitReceivePort (27) intercepted (E346B887->B6754CA0), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtAssignProcessToJobObject (2B) intercepted (E3418064->B6755DB0), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtCreateFile (42) intercepted (E3468ABE->B6754310), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtCreateKey (46) intercepted (E3419FAF->B6753DC0), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtCreateProcess (4F) intercepted (E34F651B->B6755770), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtCreateProcessEx (50) intercepted (E34F6566->B6755670), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtCreateSection (54) intercepted (E343C66B->B6754FF0), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtCreateSymbolicLinkObject (56) intercepted (E341A97A->B6755420), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtCreateThread (57) intercepted (E34F6322->B6754900), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtCreateThreadEx (58) intercepted (E348A157->B6755B00), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtCreateUserProcess (5D) intercepted (E3487FEE->B6755E70), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtDeleteFile (66) intercepted (E33B15E4->B6754E60), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtDeleteKey (67) intercepted (E34049C5->B67544F0), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtDeleteValueKey (6A) intercepted (E33F6368->B67545B0), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtDeviceIoControlFile (6B) intercepted (E348D3FB->B6754BA0), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtDuplicateObject (6F) intercepted (E344ACA3->B67549F0), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtEnumerateValueKey (77) intercepted (E3482916->B6754820), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtGetNextProcess (8B) intercepted (E34F82DC->B6755C10), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtGetNextThread (8C) intercepted (E34A6D66->B6755930), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtLoadDriver (9B) intercepted (E33DEAF1->B6754AE0), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtOpenProcess (BE) intercepted (E342B093->B6DED1E0), hook C:\Windows\System32\drivers\zamguard32.sys
Function NtOpenSection (C2) intercepted (E34830CB->B6754F20), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtOpenThread (C6) intercepted (E3477791->B6755860), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtProtectVirtualMemory (D7) intercepted (E345BC79->B6755340), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtQueryValueKey (10A) intercepted (E3463CE3->B6754740), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtQueueApcThread (10D) intercepted (E3414DE8->B6755F80), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtRenameKey (122) intercepted (E34B5E4B->B67555B0), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtRequestWaitReplyPort (12B) intercepted (E345714A->B6754670), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtRestoreKey (12E) intercepted (E34ABA5D->B6756060), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtSetContextThread (13C) intercepted (E34F7B8D->B67554F0), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtSetInformationFile (149) intercepted (E347018F->B6753F70), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtSetSecurityObject (15B) intercepted (E341A7AB->B6756130), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtSetSystemInformation (15E) intercepted (E34679C8->B6754D90), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtSetValueKey (166) intercepted (E34235AC->B6754150), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtSuspendThread (16F) intercepted (E34AEF23->B67550E0), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtSystemDebugControl (170) intercepted (E349F5B6->B6755260), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtTerminateProcess (172) intercepted (E3474429->B6DED29A), hook C:\Windows\System32\drivers\zamguard32.sys
Function NtTerminateThread (173) intercepted (E349237A->B67551A0), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtUnmapViewOfSection (181) intercepted (E347E04A->B6755CF0), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtWriteFile (18C) intercepted (E3488ED2->B6754050), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtWriteVirtualMemory (18F) intercepted (E3479126->B6754230), hook C:\Windows\System32\drivers\Bhbase.sys
Functions checked: 401, intercepted: 41, restored: 0
1.3 Checking IDT and SYSENTER
 Analyzing CPU 1
 Analyzing CPU 2
 Analyzing CPU 3
 Analyzing CPU 4
 Checking IDT and SYSENTER - complete
1.4 Searching for masking processes and drivers
 Checking not performed: extended monitoring driver (AVZPM) is not installed
1.5 Checking IRP handlers
 Driver loaded successfully
 Checking - complete
2. Scanning RAM
 Number of processes found: 50
 Number of modules loaded: 546
Scanning RAM - complete
3. Scanning disks
C:\Users\b\AppData\Local\Epic Privacy Browser\Application\40.0.2214.91\libegl.dll >>> suspicion for Trojan-PSW.Win32.Sinowal.n ( 0B505210 07CFC386 001CF588 00234CCC 73728)
File quarantined succesfully (C:\Users\b\AppData\Local\Epic Privacy Browser\Application\40.0.2214.91\libegl.dll)
4. Checking  Winsock Layered Service Provider (SPI/LSP)
LSP NameSpace error: "WindowsLive NSP" --> file is missing C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL
LSP NameSpace error: "WindowsLive Local NSP" --> file is missing C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL
 Attention ! SPI/LSP errors detected. Number of errors - 2
5. Searching for keyboard/mouse/windows events hooks (Keyloggers, Trojan DLLs)
6. Searching for opened TCP/UDP ports used by malicious software
 Checking - disabled by user
7. Heuristic system check
Checking - complete
8. Searching for vulnerabilities
>> Services: potentially dangerous service allowed: TermService (Remote Desktop Services)
>> Services: potentially dangerous service allowed: SSDPSRV (SSDP Discovery)
>> Services: potentially dangerous service allowed: Schedule (Task Scheduler)
> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
>> Security: disk drives' autorun is enabled
>> Security: administrative shares (C$, D$ ...) are enabled
>> Security: anonymous user access is enabled
Checking - complete
9. Troubleshooting wizard
Checking - complete
Files scanned: 64851, extracted from archives: 31023, malicious software found 0, suspicions - 1
Scanning finished at 23.07.2015 07:35:29
Time of scanning: 00:15:23
If you have a suspicion on presence of viruses or questions on the suspected objects,
you can address http://forum.kaspersky.com/index.php?showforum=19
For automatic scanning of files from the AVZ quarantine you can use the service http://virusdetector.ru/