Results of system analysis

LSP settings checked. No errors detected

яю1

Attention !!! Database was last updated 21.8.2009 it is necessary to update the database (via File - Database update)
AVZ Antiviral Toolkit log; AVZ version is 4.32
Scanning started at 23.12.2009 21:42:04
Database loaded: signatures - 237871, NN profile(s) - 2, malware removal microprograms - 56, signature database released 21.08.2009 14:23
Heuristic microprograms loaded: 374
PVS microprograms loaded: 9
Digital signatures of system files loaded: 135524
Heuristic analyzer mode: Maximum heuristics mode
Malware removal mode: disabled
Windows version is: 5.1.2600, Service Pack 3 ; AVZ is run with administrator rights
System Restore: enabled
1. Searching for Rootkits and other software intercepting API functions
1.1 Searching for user-mode API hooks
 Analysis: kernel32.dll, export table found in section .text
 Analysis: ntdll.dll, export table found in section .text
 Analysis: user32.dll, export table found in section .text
 Analysis: advapi32.dll, export table found in section .text
 Analysis: ws2_32.dll, export table found in section .text
 Analysis: wininet.dll, export table found in section .text
 Analysis: rasapi32.dll, export table found in section .text
 Analysis: urlmon.dll, export table found in section .text
 Analysis: netapi32.dll, export table found in section .text
1.2 Searching for kernel-mode API hooks
 Driver loaded successfully
 SDT found (RVA=07BFA0)
 Kernel ntkrnlpa.exe found in memory at address 804D7000
   SDT = 80552FA0
   KiST = 80501B8C (284)
Function NtAdjustPrivilegesToken (0B) intercepted (805E1E0C->AA081BCC), hook C:\WINDOWS\System32\DRIVERS\cmdguard.sys
Function NtConnectPort (1F) intercepted (805998E8->AA0811AA), hook C:\WINDOWS\System32\DRIVERS\cmdguard.sys
Function NtCreateFile (25) intercepted (8056E27C->AA081832), hook C:\WINDOWS\System32\DRIVERS\cmdguard.sys
Function NtCreateKey (29) intercepted (8061A286->AA08234C), hook C:\WINDOWS\System32\DRIVERS\cmdguard.sys
Function NtCreatePort (2E) intercepted (8059A404->AA08108C), hook C:\WINDOWS\System32\DRIVERS\cmdguard.sys
Function NtCreateSection (32) intercepted (805A06EC->AA08305C), hook C:\WINDOWS\System32\DRIVERS\cmdguard.sys
Function NtCreateSymbolicLinkObject (34) intercepted (805B9594->AA0832F4), hook C:\WINDOWS\System32\DRIVERS\cmdguard.sys
Function NtCreateThread (35) intercepted (805C7208->AA080C52), hook C:\WINDOWS\System32\DRIVERS\cmdguard.sys
Function NtDeleteKey (3F) intercepted (8061A716->AA081FB6), hook C:\WINDOWS\System32\DRIVERS\cmdguard.sys
Function NtDeleteValueKey (41) intercepted (8061A8E6->AA082166), hook C:\WINDOWS\System32\DRIVERS\cmdguard.sys
Function NtDuplicateObject (44) intercepted (805B384E->AA080A84), hook C:\WINDOWS\System32\DRIVERS\cmdguard.sys
Function NtLoadDriver (61) intercepted (80579588->AA082CDE), hook C:\WINDOWS\System32\DRIVERS\cmdguard.sys
Function NtMakeTemporaryObject (69) intercepted (805B1CDE->AA08142E), hook C:\WINDOWS\System32\DRIVERS\cmdguard.sys
Function NtOpenFile (74) intercepted (8056F39A->AA081A0E), hook C:\WINDOWS\System32\DRIVERS\cmdguard.sys
Function NtOpenProcess (7A) intercepted (805C1296->AA0807B4), hook C:\WINDOWS\System32\DRIVERS\cmdguard.sys
Function NtOpenSection (7D) intercepted (8059F722->AA0816BE), hook C:\WINDOWS\System32\DRIVERS\cmdguard.sys
Function NtOpenThread (80) intercepted (805C1522->AA08092C), hook C:\WINDOWS\System32\DRIVERS\cmdguard.sys
Functions checked: 284, intercepted: 17, restored: 0
1.3 Checking IDT and SYSENTER
 Analyzing CPU 1
 Checking IDT and SYSENTER - complete
1.4 Searching for masking processes and drivers
 Checking not performed: extended monitoring driver (AVZPM) is not installed
 Driver loaded successfully
1.5 Checking IRP handlers
 Checking - complete
2. Scanning RAM
 Number of processes found: 50
Extended process analysis: 1304 C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
[ES]:Program code includes networking-related functionality
[ES]:Application has no visible windows
Extended process analysis: 1364 C:\Program Files\Alwil Software\Avast4\ashServ.exe
[ES]:Program code includes networking-related functionality
[ES]:Application has no visible windows
[ES]:Loads RASAPI DLL - may use dialing ?
Extended process analysis: 384 C:\Program Files\Seznam\Postak\Postak.exe
[ES]:Program code includes networking-related functionality
[ES]:Application has no visible windows
[ES]:Registered for automatic startup !!
[ES]:Loads RASAPI DLL - may use dialing ?
Extended process analysis: 400 C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
[ES]:Application has no visible windows
[ES]:Registered for automatic startup !!
Extended process analysis: 884 C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
[ES]:Program code includes networking-related functionality
[ES]:Application has no visible windows
[ES]:Registered for automatic startup !!
Extended process analysis: 1216 C:\PROGRA~1\MICROS~3\rapimgr.exe
[ES]:Program code includes networking-related functionality
[ES]:Listens on TCP ports !
[ES]:Application has no visible windows
Extended process analysis: 2420 C:\Program Files\Razer\razertra.exe
[ES]:Application has no visible windows
Extended process analysis: 2576 C:\Program Files\Razer\razerofa.exe
[ES]:Application has no visible windows
Extended process analysis: 2936 C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
[ES]:Program code includes networking-related functionality
[ES]:Capable of sending mail ?!
[ES]:Listens on TCP ports !
[ES]:Application has no visible windows
[ES]:Loads RASAPI DLL - may use dialing ?
Extended process analysis: 2964 C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
[ES]:Program code includes networking-related functionality
[ES]:Listens on TCP ports !
[ES]:Listens on HTTP ports !
[ES]:Application has no visible windows
Extended process analysis: 2820 C:\Program Files\Mozilla Firefox\firefox.exe
[ES]:Program code includes networking-related functionality
[ES]:Registered for automatic startup !!
[ES]:Loads RASAPI DLL - may use dialing ?
 Number of modules loaded: 543
Scanning RAM - complete
3. Scanning disks
4. Checking  Winsock Layered Service Provider (SPI/LSP)
 LSP settings checked. No errors detected
5. Searching for keyboard/mouse/windows events hooks (Keyloggers, Trojan DLLs)
C:\WINDOWS\system32\guard32.dll --> Suspicion for Keylogger or Trojan DLL
C:\WINDOWS\system32\guard32.dll>>> Behaviour analysis 
 Behaviour typical for keyloggers was not detected
Note: Do NOT delete suspicious files, send them for analysis  (see FAQ for more details),  because there are lots of useful hooking DLLs
6. Searching for opened TCP/UDP ports used by malicious software
 Checking - disabled by user
7. Heuristic system check
Latent DLL loading through AppInit_DLLs suspected: "C:\WINDOWS\system32\guard32.dll"
Checking - complete
8. Searching for vulnerabilities
>> Services: potentially dangerous service allowed: RemoteRegistry (Vzd?len? registr)
>> Services: potentially dangerous service allowed: TermService (Termin?lov? slu?ba)
>> Services: potentially dangerous service allowed: SSDPSRV (Slu?ba rozpozn?v?n? pomoc? protokolu SSDP)
>> Services: potentially dangerous service allowed: Schedule (Pl?nova? ?loh)
>> Services: potentially dangerous service allowed: mnmsrvc (NetMeeting - Vzd?len? sd?len? plochy)
>> Services: potentially dangerous service allowed: RDSessMgr (Spr?vce relac? n?pov?dy ke vzd?len? plo?e)
> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
>> Security: disk drives' autorun is enabled
>> Security: administrative shares (C$, D$ ...) are enabled
>> Security: anonymous user access is enabled
>> Security: sending Remote Assistant queries is enabled
Checking - complete
9. Troubleshooting wizard
 >>  HDD autorun is allowed
 >>  Network drives autorun is allowed
 >>  Removable media autorun is allowed
Checking - complete
Files scanned: 593, extracted from archives: 0, malicious software found 0, suspicions - 0
Scanning finished at 23.12.2009 21:42:34
Time of scanning: 00:00:31
If you have a suspicion on presence of viruses or questions on the suspected objects,
you can address http://virusinfo.info conference
System Analysis in progress


Script commands
 
Add commands to script:
Blocking hooks using Anti-Rootkit
Enable AVZGuard
Operations with AVZPM (true=enable,false=disable)
BootCleaner - import list of deleted files
Remove traces of deleted files
BootCleaner - activate
Reboot
Insert template for QuarantineFile() - quarantining a file
Insert template for BC_QrFile() - quarantining file via BootCleaner
Insert template for DeleteFile() - deleting a file
Insert template for DelCLSID() - removing a CLSID item from registry
Additional operations:
Performance tweaking: disable service RemoteRegistry (Vzdбlenэ registr)
Performance tweaking: disable service TermService (Terminбlovб sluћba)
Performance tweaking: disable service SSDPSRV (Sluћba rozpoznбvбnн pomocн protokolu SSDP)
Performance tweaking: disable service Schedule (Plбnovaи ъloh)
Performance tweaking: disable service mnmsrvc (NetMeeting - Vzdбlenй sdнlenн plochy)
Performance tweaking: disable service RDSessMgr (Sprбvce relacн nбpovмdy ke vzdбlenй ploљe)
Security tweaking: disable CD autorun
Security tweaking: disable administrative shares
Security tweaking: disable anonymous user access
Security: disable sending Remote Assistant queries

File list