| Attention! The database was last updated 19.04.2011; it needs to be updated (via File - Database update) |
| AVZ Antiviral Toolkit log; AVZ version is 4.35 |
| Scanning started at 04.05.2011 16:23:54 |
| Database loaded: signatures - 288679, NN profile(s) - 2, malware removal microprograms - 56, signature database released 19.04.2011 22:47 |
| Heuristic microprograms loaded: 388 |
| PVS microprograms loaded: 9 |
| Digital signatures of system files loaded: 272495 |
| Heuristic analyzer mode: Medium heuristics mode |
| Malware removal mode: enabled |
| Windows version is: 6.0.6002, Service Pack 2 ; AVZ is run with administrator rights |
| System Restore: enabled |
| 1. Searching for Rootkits and other software intercepting API functions |
| 1.1 Searching for user-mode API hooks |
| Analysis: kernel32.dll, export table found in section .text |
| Analysis: ntdll.dll, export table found in section .text |
| Analysis: user32.dll, export table found in section .text |
| Analysis: advapi32.dll, export table found in section .text |
| Analysis: ws2_32.dll, export table found in section .text |
| Analysis: wininet.dll, export table found in section .text |
| Analysis: rasapi32.dll, export table found in section .text |
| Analysis: urlmon.dll, export table found in section .text |
| Analysis: netapi32.dll, export table found in section .text |
| 1.2 Searching for kernel-mode API hooks |
| Driver loaded successfully |
| SDT found (RVA=137B00) |
| Kernel ntkrnlpa.exe found in memory at address 82000000 |
| SDT = 82137B00 |
| KiST = 820AC86C (391) |
| Functions checked: 391, intercepted: 0, restored: 0 |
| 1.3 Checking IDT and SYSENTER |
| Analyzing CPU 1 |
| Analyzing CPU 2 |
| Checking IDT and SYSENTER - complete |
| 1.4 Searching for masking processes and drivers |
| Masking process with PID=456, name = "" |
| >> PID substitution detected (current PID is=0, real = 456) |
| Masking process with PID=568, name = "" |
| >> PID substitution detected (current PID is=0, real = 568) |
| Masking process with PID=624, name = "" |
| >> PID substitution detected (current PID is=0, real = 624) |
| Masking process with PID=1232, name = "" |
| >> PID substitution detected (current PID is=0, real = 1232) |
| Masking process with PID=756, name = "" |
| >> PID substitution detected (current PID is=0, real = 756) |
| Masking process with PID=1204, name = "" |
| >> PID substitution detected (current PID is=0, real = 1204) |
| Masking process with PID=1676, name = "" |
| >> PID substitution detected (current PID is=0, real = 1676) |
| Masking process with PID=1844, name = "" |
| >> PID substitution detected (current PID is=0, real = 1844) |
| Masking process with PID=1716, name = "" |
| >> PID substitution detected (current PID is=0, real = 1716) |
| Masking process with PID=2072, name = "" |
| >> PID substitution detected (current PID is=0, real = 2072) |
| Masking process with PID=2096, name = "" |
| >> PID substitution detected (current PID is=0, real = 2096) |
| Masking process with PID=2204, name = "" |
| >> PID substitution detected (current PID is=0, real = 2204) |
| Masking process with PID=2320, name = "" |
| >> PID substitution detected (current PID is=0, real = 2320) |
| Masking process with PID=2344, name = "" |
| >> PID substitution detected (current PID is=0, real = 2344) |
| Masking process with PID=2440, name = "" |
| >> PID substitution detected (current PID is=0, real = 2440) |
| Masking process with PID=2620, name = "" |
| >> PID substitution detected (current PID is=0, real = 2620) |
| Masking process with PID=2872, name = "" |
| >> PID substitution detected (current PID is=0, real = 2872) |
| Masking process with PID=2932, name = "" |
| >> PID substitution detected (current PID is=0, real = 2932) |
| Masking process with PID=3012, name = "" |
| >> PID substitution detected (current PID is=0, real = 3012) |
| Masking process with PID=3020, name = "" |
| >> PID substitution detected (current PID is=0, real = 3020) |
| Masking process with PID=3060, name = "" |
| >> PID substitution detected (current PID is=0, real = 3060) |
| Masking process with PID=3244, name = "" |
| >> PID substitution detected (current PID is=0, real = 3244) |
| Masking process with PID=3300, name = "" |
| >> PID substitution detected (current PID is=0, real = 3300) |
| Masking process with PID=3720, name = "" |
| >> PID substitution detected (current PID is=0, real = 3720) |
| Masking process with PID=2460, name = "" |
| >> PID substitution detected (current PID is=0, real = 2460) |
| Masking process with PID=1376, name = "" |
| >> PID substitution detected (current PID is=0, real = 1376) |
| Masking process with PID=872, name = "" |
| >> PID substitution detected (current PID is=0, real = 872) |
| Masking process with PID=2872, name = "" |
| >> PID substitution detected (current PID is=0, real = 2872) |
| Masking process with PID=820, name = "" |
| >> PID substitution detected (current PID is=0, real = 820) |
| Masking process with PID=2864, name = "" |
| >> PID substitution detected (current PID is=0, real = 2864) |
| Masking process with PID=3708, name = "" |
| >> PID substitution detected (current PID is=0, real = 3708) |
| Masking process with PID=1840, name = "" |
| >> PID substitution detected (current PID is=0, real = 1840) |
| Masking process with PID=1856, name = "" |
| >> PID substitution detected (current PID is=0, real = 1856) |
| Masking process with PID=3532, name = "" |
| >> PID substitution detected (current PID is=0, real = 3532) |
| Searching for masking processes and drivers - complete |
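Section 1.4 above lists 35 processes with an empty name and "current PID is=0", which is what AVZ's driver reports when its kernel-side view of a process disagrees with the user-mode one. The first thing a practitioner does with such a list is compare several independent process enumerations on the same host. The following is an added example, not part of the AVZ log or of AVZ itself: Windows PowerShell (2.0 or later, run elevated) that walks three enumeration paths and reports any PID that one path sees and another does not. The three views are named by the cmdlet or tool used; nothing else is assumed.

```powershell
# Added example, not part of the AVZ log: cross-view process enumeration on
# the host that produced the log (Windows PowerShell 2.0 or later, run elevated
# so that every process is visible to each view).
# AVZ section 1.4 uses its own kernel driver; here three user-mode paths are
# compared. A PID that one view reports and another does not is the classic
# sign of a process hidden from a hooked API, and is what to look at first.

$viaProcess = @{}                      # System.Diagnostics.Process (NtQuerySystemInformation)
foreach ($p in Get-Process) { $viaProcess[[int]$p.Id] = $p.ProcessName }

$viaWmi = @{}                          # WMI Win32_Process provider
foreach ($w in Get-WmiObject -Class Win32_Process) { $viaWmi[[int]$w.ProcessId] = $w.Name }

$viaTasklist = @{}                     # tasklist.exe, parsed from its CSV output
$cols = 'Image', 'PID', 'Session', 'SessionNum', 'Mem'
foreach ($t in (tasklist /FO CSV /NH | ConvertFrom-Csv -Header $cols)) {
    $viaTasklist[[int]$t.PID] = $t.Image
}

# Union of every PID seen in any view, then flag the disagreements.
$allIds = @(@($viaProcess.Keys) + @($viaWmi.Keys) + @($viaTasklist.Keys) | Sort-Object -Unique)
$findings = @()
foreach ($id in $allIds) {
    if ($id -eq 0) { continue }        # System Idle Process; not meaningful here
    $inP = $viaProcess.ContainsKey($id)
    $inW = $viaWmi.ContainsKey($id)
    $inT = $viaTasklist.ContainsKey($id)
    if ($inP -and $inW -and $inT) { continue }
    $name = @($viaProcess[$id], $viaWmi[$id], $viaTasklist[$id]) | Where-Object { $_ } | Select-Object -First 1
    $findings += New-Object PSObject -Property @{
        PID = $id; Name = $name; GetProcess = $inP; WMI = $inW; Tasklist = $inT
    }
}

if ($findings.Count -eq 0) {
    "All $($allIds.Count) PIDs are reported identically by Get-Process, WMI and tasklist."
} else {
    # The three snapshots are not atomic: a process that started or exited
    # between them shows up here once. Re-run; only a PID that is missing
    # from the same view every time deserves a kernel-level look.
    $findings | Format-Table PID, Name, GetProcess, WMI, Tasklist -AutoSize
}
```

Read the result together with the log: a PID that AVZ lists with an empty name but that all three views show under a normal image name is much less alarming than one that is absent from Get-Process and tasklist yet present in WMI, which is the pattern a user-mode API hook produces.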
| 1.5 Checking IRP handlers |
| Driver loaded successfully |
| Checking - complete |
| 2. Scanning RAM |
| Number of processes found: 61 |
| Number of modules loaded: 521 |
| Scanning RAM - complete |
| 3. Scanning disks |
| 4. Checking Winsock Layered Service Provider (SPI/LSP) |
| LSP settings checked. No errors detected |
| 5. Searching for keyboard/mouse/windows events hooks (Keyloggers, Trojan DLLs) |
| 6. Searching for opened TCP/UDP ports used by malicious software |
| Checking - disabled by user |
| 7. Heuristic system check |
| Latent DLL loading through AppInit_DLLs suspected: "C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL" |
| Checking - complete |
| 8. Searching for vulnerabilities |
| >> Services: potentially dangerous service allowed: TermService (Terminal Services) |
| >> Services: potentially dangerous service allowed: SSDPSRV (SSDP Discovery) |
| >> Services: potentially dangerous service allowed: Schedule (Task Scheduler) |
| > Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)! |
| >> Security: disk drives' autorun is enabled |
| >> Security: administrative shares (C$, D$ ...) are enabled |
| >> Security: anonymous user access is enabled |
| >> Security: sending Remote Assistance requests is enabled |
| Checking - complete |
| 9. Troubleshooting wizard |
| >> HDD autorun is allowed |
| >> Network drives autorun is allowed |
| >> Removable media autorun is allowed |
| Checking - complete |
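Sections 7, 8 and 9 above are configuration findings rather than malware detections, and each maps to a registry value or service start mode that can be read and corrected directly. The following is an added example, not part of the AVZ log or of AVZ itself: Windows PowerShell (2.0 or later, run elevated) that re-checks the same items with plain registry and service queries and prints the setting that closes each one. The registry locations are the documented Vista/Windows 7 ones; Get-RegValue and Add-Finding are helpers written for this example. The script only reads; the fixes are printed as text for the operator to apply.

```powershell
# Added example, not part of the AVZ log: re-check the section 7-9 findings with
# plain registry and service queries and show the setting that closes each one.
# Run elevated in Windows PowerShell (2.0+). Registry locations are the
# documented Vista/Windows 7 ones; Get-RegValue and Add-Finding are helpers
# written for this example. The script only reads; fixes are printed as text.

function Get-RegValue([string]$Path, [string]$Name) {
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}
$findings = @()
function Add-Finding([string]$Area, [string]$Text, [string]$Fix) {
    $script:findings += New-Object PSObject -Property @{ Area = $Area; Finding = $Text; Fix = $Fix }
}

# 7. AppInit_DLLs: every DLL listed here is mapped into every process that loads
#    user32.dll. LoadAppInit_DLLs=0 turns the mechanism off; when that value is
#    absent the mechanism is treated as on, which is the conservative reading.
$winKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$appInit = Get-RegValue $winKey 'AppInit_DLLs'
if ($appInit -and ((Get-RegValue $winKey 'LoadAppInit_DLLs') -ne 0)) {
    Add-Finding 'AppInit_DLLs' "Injected into every GUI process: $appInit" `
        "Check the DLL's signature and publisher; if not wanted, clear AppInit_DLLs and set LoadAppInit_DLLs=0"
}

# 8. Services the log calls potentially dangerous: report those not disabled.
#    Windows itself depends on Task Scheduler on Vista and later, so in
#    practice only TermService and SSDPSRV are candidates for disabling.
foreach ($name in 'TermService', 'SSDPSRV', 'Schedule') {
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
    if ($svc -and $svc.StartMode -ne 'Disabled') {
        Add-Finding 'Services' "$name ($($svc.DisplayName)) start mode $($svc.StartMode), state $($svc.State)" `
            "If unused: Set-Service -Name $name -StartupType Disabled"
    }
}

# 8/9. Autorun: NoDriveTypeAutoRun is a bit mask of drive types for which
#      autorun is DISABLED (0x04 removable, 0x08 fixed, 0x10 network, 0xFF all).
#      Machine policy wins over user policy when both are set.
$polKey = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$mask = Get-RegValue "HKLM:\$polKey" 'NoDriveTypeAutoRun'
if ($mask -eq $null) { $mask = Get-RegValue "HKCU:\$polKey" 'NoDriveTypeAutoRun' }
if ($mask -eq $null) { $mask = 0 }      # not set at all: treat every drive type as allowed
foreach ($pair in @(@('Removable media', 0x04), @('HDD', 0x08), @('Network drives', 0x10))) {
    if (($mask -band $pair[1]) -eq 0) {
        Add-Finding 'Autorun' "$($pair[0]) autorun is allowed (NoDriveTypeAutoRun=0x$('{0:X2}' -f $mask))" `
            "Set-ItemProperty HKLM:\$polKey NoDriveTypeAutoRun 0xFF -Type DWord"
    }
}

# 8. Administrative shares: AutoShareWks=0 (AutoShareServer on server SKUs)
#    stops the Server service from recreating C$, D$, ADMIN$ at start-up.
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$adminShares = @(Get-WmiObject -Class Win32_Share -Filter 'Type=2147483648' | ForEach-Object { $_.Name })
if (((Get-RegValue $lanman 'AutoShareWks') -ne 0) -or ($adminShares.Count -gt 0)) {
    Add-Finding 'Shares' "Administrative shares present: $($adminShares -join ', ')" `
        "Set-ItemProperty $lanman AutoShareWks 0 -Type DWord; Restart-Service LanmanServer"
}

# 8. Anonymous access: RestrictAnonymous=0 lets null sessions enumerate shares
#    and, with EveryoneIncludesAnonymous=1, act as a member of Everyone.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$restrictAnon = Get-RegValue $lsa 'RestrictAnonymous'
$everyoneAnon = Get-RegValue $lsa 'EveryoneIncludesAnonymous'
if (($restrictAnon -eq $null) -or ($restrictAnon -eq 0) -or ($everyoneAnon -eq 1)) {
    Add-Finding 'Anonymous' "RestrictAnonymous=$restrictAnon EveryoneIncludesAnonymous=$everyoneAnon" `
        "Set-ItemProperty $lsa RestrictAnonymous 1 -Type DWord; Set-ItemProperty $lsa EveryoneIncludesAnonymous 0 -Type DWord"
}

# 8. Remote Assistance: fAllowToGetHelp=1 allows requests to be sent and accepted.
$raKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance'
if ((Get-RegValue $raKey 'fAllowToGetHelp') -eq 1) {
    Add-Finding 'Remote Assistance' 'Sending Remote Assistance requests is enabled' `
        "Set-ItemProperty '$raKey' fAllowToGetHelp 0 -Type DWord"
}

if ($findings.Count -eq 0) { 'No findings.' }
else { $findings | Format-Table Area, Finding, Fix -AutoSize -Wrap }
```

The log's own caveat on services applies to every item here: on a domain-joined office machine Terminal Services, administrative shares and Remote Assistance are often required by the people who manage it, so confirm with whoever owns the host before applying the printed fixes. The AppInit_DLLs entry is the one to resolve first, because a DLL in that value runs inside every GUI process regardless of the other settings.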
| Files scanned: 582, extracted from archives: 0, malicious software found 0, suspicions - 0 |
| Scanning finished at 04.05.2011 16:24:32 |
| Time of scanning: 00:00:40 |
| If you suspect the presence of viruses or have questions about the suspected objects, |
| you can contact hxxp://project911.kaspersky-labs.com/ |