AVZ Antiviral Toolkit log; AVZ version is 4.43
Scanning started at 03.08.2015 19:09:42
Database loaded: signatures - 297605, NN profile(s) - 2, malware removal microprograms - 56, signature database released 03.08.2015 16:00
Heuristic microprograms loaded: 394
PVS microprograms loaded: 9
Digital signatures of system files loaded: 749467
Heuristic analyzer mode: Medium heuristics mode
Malware removal mode: enabled
Windows version is: 6.1.7601, Service Pack 1 "Windows 7 Ultimate" ; AVZ is run with administrator rights
System Restore: enabled
1. Searching for Rootkits and other software intercepting API functions
1.1 Searching for user-mode API hooks
Analysis: kernel32.dll, export table found in section .text
Analysis: ntdll.dll, export table found in section .text
Analysis: user32.dll, export table found in section .text
Analysis: advapi32.dll, export table found in section .text
Analysis: ws2_32.dll, export table found in section .text
Analysis: wininet.dll, export table found in section .text
Analysis: rasapi32.dll, export table found in section .text
Analysis: urlmon.dll, export table found in section .text
Analysis: netapi32.dll, export table found in section .text
1.2 Searching for kernel-mode API hooks
Driver loaded successfully
SDT found (RVA=16CB00)
Kernel ntkrnlpa.exe found in memory at address E3255000
SDT = E33C1B00
KiST = E32D3F6C (401)
Function NtAlpcSendWaitReceivePort (27) intercepted (E34AB887->B65F3CA0), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtAssignProcessToJobObject (2B) intercepted (E3458064->B65F4DB0), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtCreateFile (42) intercepted (E34A8ABE->B65F3310), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtCreateKey (46) intercepted (E3459FAF->B65F2DC0), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtCreateProcess (4F) intercepted (E353651B->B65F4770), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtCreateProcessEx (50) intercepted (E3536566->B65F4670), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtCreateSection (54) intercepted (E347C66B->B65F3FF0), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtCreateSymbolicLinkObject (56) intercepted (E345A97A->B65F4420), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtCreateThread (57) intercepted (E3536322->B65F3900), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtCreateThreadEx (58) intercepted (E34CA157->B65F4B00), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtCreateUserProcess (5D) intercepted (E34C7FEE->B65F4E70), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtDeleteFile (66) intercepted (E33F15E4->B65F3E60), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtDeleteKey (67) intercepted (E34449C5->B65F34F0), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtDeleteValueKey (6A) intercepted (E3436368->B65F35B0), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtDeviceIoControlFile (6B) intercepted (E34CD3FB->B65F3BA0), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtDuplicateObject (6F) intercepted (E348ACA3->B65F39F0), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtEnumerateValueKey (77) intercepted (E34C2916->B65F3820), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtGetNextProcess (8B) intercepted (E35382DC->B65F4C10), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtGetNextThread (8C) intercepted (E34E6D66->B65F4930), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtLoadDriver (9B) intercepted (E341EAF1->B65F3AE0), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtOpenKeyEx (B7) intercepted (E3469193->BC1EA620), hook C:\Windows\system32\drivers\qutmipc.sys
Function NtOpenProcess (BE) intercepted (E346B093->BC12838A), hook C:\Windows\System32\drivers\zamguard32.sys
Function NtOpenSection (C2) intercepted (E34C30CB->B65F3F20), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtOpenThread (C6) intercepted (E34B7791->B65F4860), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtProtectVirtualMemory (D7) intercepted (E349BC79->B65F4340), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtQueryValueKey (10A) intercepted (E34A3CE3->B65F3740), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtQueueApcThread (10D) intercepted (E3454DE8->B65F4F80), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtRenameKey (122) intercepted (E34F5E4B->B65F45B0), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtRequestWaitReplyPort (12B) intercepted (E349714A->B65F3670), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtRestoreKey (12E) intercepted (E34EBA5D->B65F5060), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtSetContextThread (13C) intercepted (E3537B8D->B65F44F0), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtSetInformationFile (149) intercepted (E34B018F->B65F2F70), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtSetSecurityObject (15B) intercepted (E345A7AB->B65F5130), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtSetSystemInformation (15E) intercepted (E34A79C8->B65F3D90), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtSetValueKey (166) intercepted (E34635AC->B65F3150), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtSuspendThread (16F) intercepted (E34EEF23->B65F40E0), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtSystemDebugControl (170) intercepted (E34DF5B6->B65F4260), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtTerminateProcess (172) intercepted (E34B4429->BC128444), hook C:\Windows\System32\drivers\zamguard32.sys
Function NtTerminateThread (173) intercepted (E34D237A->B65F41A0), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtUnmapViewOfSection (181) intercepted (E34BE04A->B65F4CF0), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtWriteFile (18C) intercepted (E34C8ED2->B65F3050), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtWriteVirtualMemory (18F) intercepted (E34B9126->B65F3230), hook C:\Windows\System32\drivers\Bhbase.sys
Functions checked: 401, intercepted: 42, restored: 0
1.3 Checking IDT and SYSENTER
Analyzing CPU 1
Analyzing CPU 2
Analyzing CPU 3
Analyzing CPU 4
Checking IDT and SYSENTER - complete
1.4 Searching for masking processes and drivers
Checking not performed: extended monitoring driver (AVZPM) is not installed
1.5 Checking IRP handlers
Driver loaded successfully
Checking - complete
2. Scanning RAM
Number of processes found: 51
Number of modules loaded: 583
Scanning RAM - complete
3. Scanning disks
C:\Users\b\AppData\Local\Epic Privacy Browser\Application\40.0.2214.91\libegl.dll >>> suspicion for Trojan-PSW.Win32.Sinowal.n ( 0B505210 07CFC386 001CF588 00234CCC 73728)
File quarantined succesfully (C:\Users\b\AppData\Local\Epic Privacy Browser\Application\40.0.2214.91\libegl.dll)
4. Checking Winsock Layered Service Provider (SPI/LSP)
LSP settings checked. No errors detected
5. Searching for keyboard/mouse/windows events hooks (Keyloggers, Trojan DLLs)
C:\Program Files\360\360Safe\safemon\360UDiskGuard.dll --> Suspicion for Keylogger or Trojan DLL
C:\Program Files\360\360Safe\safemon\360UDiskGuard.dll>>> Behaviour analysis
Behaviour typical for keyloggers was not detected
File quarantined succesfully (C:\Program Files\360\360Safe\safemon\360UDiskGuard.dll)
Note: Do NOT delete suspicious files, send them for analysis (see FAQ for more details), because there are lots of useful hooking DLLs
6. Searching for opened TCP/UDP ports used by malicious software
Checking - disabled by user
7. Heuristic system check
Checking - complete
8. Searching for vulnerabilities
>> Services: potentially dangerous service allowed: TermService (Remote Desktop Services)
>> Services: potentially dangerous service allowed: SSDPSRV (SSDP Discovery)
>> Services: potentially dangerous service allowed: Schedule (Task Scheduler)
> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
>> Security: disk drives' autorun is enabled
>> Security: administrative shares (C$, D$ ...) are enabled
>> Security: anonymous user access is enabled
Checking - complete
9. Troubleshooting wizard
Checking - complete
Files scanned: 66026, extracted from archives: 31852, malicious software found 0, suspicions - 1
Scanning finished at 03.08.2015 19:24:22
Time of scanning: 00:14:41
If you have a suspicion on presence of viruses or questions on the suspected objects,
you can address
http://forum.kaspersky.com/index.php?showforum=19
For automatic scanning of files from the AVZ quarantine you can use the service
http://virusdetector.ru/