SOL - Do I have a Virus ?

Hello anyone,

Malwarebytes will not run. I have tried safe mode; what is the way out?

P.S. The IE and Firefox explorers will not allow me to connect to any anti-malware sites.

I hope this can be resolved quickly?

LOG -----------

AVZ Antiviral Toolkit log; AVZ version is 4.30

Scanning started at 2009-03-10 12:13:24 AM

Database loaded: signatures - 213646, NN profile(s) - 2, microprograms of healing - 56, signature database released 09.03.2009 22:51

Heuristic microprograms loaded: 372

SPV microprograms loaded: 9

Digital signatures of system files loaded: 100531

Heuristic analyzer mode: Medium heuristics level

Healing mode: enabled

Windows version: 5.1.2600, Service Pack 2 ; AVZ is launched with administrator rights

System Restore: enabled

1. Searching for Rootkits and programs intercepting API functions

1.1 Searching for user-mode API hooks

Analysis: kernel32.dll, export table found in section .text

Analysis: ntdll.dll, export table found in section .text

Function ntdll.dll:LdrGetProcedureAddress (65) intercepted, method ProcAddressHijack.GetProcAddress ->7C919B88->144ECF

Function ntdll.dll:LdrLoadDll (70) intercepted, method ProcAddressHijack.GetProcAddress ->7C9161CA->144F34

Function ntdll.dll:LdrUnloadDll (80) intercepted, method APICodeHijack.JmpTo[00E40000]

Function ntdll.dll:NtCreateThread (140) intercepted, method ProcAddressHijack.GetProcAddress ->7C90D7D2->144E9D

Function ntdll.dll:NtQueryDirectoryFile (234) intercepted, method ProcAddressHijack.GetProcAddress ->7C90DF5E->144FE8

Analysis: user32.dll, export table found in section .text

Function user32.dll:GetClipboardData (258) intercepted, method ProcAddressHijack.GetProcAddress ->7E430D7A->1452A1

Function user32.dll:TranslateMessage (683) intercepted, method ProcAddressHijack.GetProcAddress ->7E418BF6->145556

Analysis: advapi32.dll, export table found in section .text

Analysis: ws2_32.dll, export table found in section .text

Function ws2_32.dll:WSASend (76) intercepted, method ProcAddressHijack.GetProcAddress ->71AB6233->14C998

Function ws2_32.dll:WSASendTo (78) intercepted, method ProcAddressHijack.GetProcAddress ->71AC0A95->14C980

Function ws2_32.dll:closesocket (3) intercepted, method ProcAddressHijack.GetProcAddress ->71AB9639->14C971

Function ws2_32.dll:send (19) intercepted, method ProcAddressHijack.GetProcAddress ->71AB428A->14C9F8

Function ws2_32.dll:sendto (20) intercepted, method ProcAddressHijack.GetProcAddress ->71AB2C69->14C9C8

Analysis: wininet.dll, export table found in section .text

Function wininet.dll:HttpQueryInfoA (206) intercepted, method ProcAddressHijack.GetProcAddress ->78060C6D->14B804

Function wininet.dll:HttpQueryInfoW (207) intercepted, method ProcAddressHijack.GetProcAddress ->78067E4E->14B854

Function wininet.dll:HttpSendRequestA (208) intercepted, method ProcAddressHijack.GetProcAddress ->7806CD40->14C39C

Function wininet.dll:HttpSendRequestExA (209) intercepted, method ProcAddressHijack.GetProcAddress ->780CD3CE->14C47A

Function wininet.dll:HttpSendRequestExW (210) intercepted, method ProcAddressHijack.GetProcAddress ->78073532->14C45D

Function wininet.dll:HttpSendRequestW (211) intercepted, method ProcAddressHijack.GetProcAddress ->78080825->14C37F

Function wininet.dll:InternetCloseHandle (224) intercepted, method ProcAddressHijack.GetProcAddress ->7805DA59->14BC76

Function wininet.dll:InternetQueryDataAvailable (272) intercepted, method ProcAddressHijack.GetProcAddress ->7806ADF5->14BE0F

Function wininet.dll:InternetReadFile (276) intercepted, method ProcAddressHijack.GetProcAddress ->7806ABB4->14BDB6

Function wininet.dll:InternetReadFileExA (277) intercepted, method ProcAddressHijack.GetProcAddress ->78082AE2->14BDF1

Function wininet.dll:InternetReadFileExW (278) intercepted, method ProcAddressHijack.GetProcAddress ->78082AAA->14BDD3

Analysis: rasapi32.dll, export table found in section .text

Analysis: urlmon.dll, export table found in section .text

Analysis: netapi32.dll, export table found in section .text

1.4 Searching for masking processes and drivers

Searching for masking processes and drivers - complete

Driver loaded successfully

1.5 Checking of IRP handlers

Checking - complete

2. Scanning memory

Number of processes found: 29

Number of modules loaded: 288

Scanning memory - complete

3. Scanning disks

4. Checking Winsock Layered Service Provider (SPI/LSP)

LSP settings checked. No errors detected

5. Searching for keyboard/mouse/windows events hooks (Keyloggers, Trojan DLLs)

\\?\globalroot\systemroot\system32\UACqquxiuxn.dll --> Suspicion for Keylogger or Trojan DLL

\\?\globalroot\systemroot\system32\UACqquxiuxn.dll>>> Behavioural analysis

Behaviour typical for keyloggers not detected

Quarantine file: failed (error), attempt of direct disk reading (\\?\globalroot\systemroot\system32\UACqquxiuxn.dll)

Note: Do NOT delete suspicious files, send them for analysis (see FAQ for more details), because there are lots of useful hooking DLLs

6. Searching for opened TCP/UDP ports used by malicious programs

Checking disabled by user

7. Heuristic system check

Latent loading of libraries through AppInit_DLLs suspected: "c:\windows\system32\yiyidaju.dll c:\windows\system32\goveyudi.dll njkjft.dll"

Checking - complete

8. Searching for vulnerabilities

>> Services: potentially dangerous service allowed: TermService (Terminal Services)

>> Services: potentially dangerous service allowed: SSDPSRV (SSDP Discovery Service)

>> Services: potentially dangerous service allowed: TlntSvr (Telnet)

>> Services: potentially dangerous service allowed: Schedule (Task Scheduler)

>> Services: potentially dangerous service allowed: mnmsrvc (NetMeeting Remote Desktop Sharing)

>> Services: potentially dangerous service allowed: RDSessMgr (Remote Desktop Help Session Manager)

> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!

>> Security: disk drives' autorun is enabled

>> Security: administrative shares (C$, D$ ...) are enabled

>> Security: anonymous user access is enabled

Checking - complete

9. Troubleshooting wizard

Checking - complete

Files scanned: 317, extracted from archives: 0, malicious software found 0, suspicions - 0

Scanning finished at 2009-03-10 12:13:43 AM

Time of scanning: 00:00:20

If you have a suspicion on presence of viruses or questions on the suspected objects,

you can address http://virusinfo.info conference

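Added example, not part of the original post and not AVZ's own code: a small triage helper that reads the "1.1 Searching for user-mode API hooks" lines from the log above and applies the two checks a responder would otherwise do by eye. Every hook target AVZ reports (144ECF, 14C998, ...) sits far below the exporting DLL's own addresses (7C9xxxxx for ntdll, 7806xxxx for wininet), and all of them fall into one or two small windows, which is the footprint of a single injected module rather than a set of legitimate shims. The function names, the "foreign target" distance heuristic and the 64 KiB clustering granularity are this example's own choices; the embedded log excerpt is a constructed subset of the lines posted above.

```python
"""Triage the 'user-mode API hooks' section of an AVZ 4.30 log (added example)."""
import re
from collections import defaultdict

# Constructed excerpt: a subset of section 1.1 plus the section 5 and 7 findings
# from the log posted above. Raw string, because the paths contain backslashes.
SAMPLE_LOG = r"""
Function ntdll.dll:LdrGetProcedureAddress (65) intercepted, method ProcAddressHijack.GetProcAddress ->7C919B88->144ECF
Function ntdll.dll:LdrLoadDll (70) intercepted, method ProcAddressHijack.GetProcAddress ->7C9161CA->144F34
Function ntdll.dll:LdrUnloadDll (80) intercepted, method APICodeHijack.JmpTo[00E40000]
Function ntdll.dll:NtCreateThread (140) intercepted, method ProcAddressHijack.GetProcAddress ->7C90D7D2->144E9D
Function ntdll.dll:NtQueryDirectoryFile (234) intercepted, method ProcAddressHijack.GetProcAddress ->7C90DF5E->144FE8
Function user32.dll:GetClipboardData (258) intercepted, method ProcAddressHijack.GetProcAddress ->7E430D7A->1452A1
Function user32.dll:TranslateMessage (683) intercepted, method ProcAddressHijack.GetProcAddress ->7E418BF6->145556
Function ws2_32.dll:WSASend (76) intercepted, method ProcAddressHijack.GetProcAddress ->71AB6233->14C998
Function ws2_32.dll:send (19) intercepted, method ProcAddressHijack.GetProcAddress ->71AB428A->14C9F8
Function wininet.dll:HttpSendRequestA (208) intercepted, method ProcAddressHijack.GetProcAddress ->7806CD40->14C39C
Function wininet.dll:InternetCloseHandle (224) intercepted, method ProcAddressHijack.GetProcAddress ->7805DA59->14BC76
Function wininet.dll:InternetReadFile (276) intercepted, method ProcAddressHijack.GetProcAddress ->7806ABB4->14BDB6
\\?\globalroot\systemroot\system32\UACqquxiuxn.dll --> Suspicion for Keylogger or Trojan DLL
Latent loading of libraries through AppInit_DLLs suspected: "c:\windows\system32\yiyidaju.dll c:\windows\system32\goveyudi.dll njkjft.dll"
"""

# "Function <dll>:<export> (<ordinal>) intercepted, method <name>[ -><orig>-><target>]"
HOOK_RE = re.compile(
    r"^Function (?P<module>[\w.]+):(?P<func>\w+) \((?P<ordinal>\d+)\) intercepted, "
    r"method (?P<method>\S+)(?: ->(?P<orig>[0-9A-Fa-f]+)->(?P<target>[0-9A-Fa-f]+))?$"
)
JMPTO_RE = re.compile(r"JmpTo\[(?P<target>[0-9A-Fa-f]+)\]")  # inline-patch hooks carry the target here
APPINIT_RE = re.compile(r'AppInit_DLLs suspected: "(?P<dlls>[^"]*)"')
GLOBALROOT_RE = re.compile(r"^(?P<path>\\\\\?\\globalroot\S+) --> Suspicion")


def parse_hooks(log_text):
    """One dict per intercepted export: module, func, ordinal, method, orig, target (ints or None)."""
    hooks = []
    for line in log_text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue
        h = m.groupdict()
        h["ordinal"] = int(h["ordinal"])
        h["orig"] = int(h["orig"], 16) if h["orig"] else None
        if h["target"] is not None:
            h["target"] = int(h["target"], 16)
        else:
            j = JMPTO_RE.search(h["method"])
            h["target"] = int(j.group("target"), 16) if j else None
        hooks.append(h)
    return hooks


def hooked_modules(hooks):
    """Exporting DLL -> its intercepted exports, in log order."""
    by_module = defaultdict(list)
    for h in hooks:
        by_module[h["module"]].append(h["func"])
    return dict(by_module)


def foreign_targets(hooks, slack=0x100000):
    """Hooks whose target lies more than `slack` bytes outside the exporting DLL.

    The DLL's extent is estimated from the original (pre-hook) addresses AVZ
    reports for it, so a hook that stays inside the DLL is not flagged.
    Heuristic only: it assumes a DLL image is no larger than `slack`."""
    extent = {}
    for h in hooks:
        if h["orig"] is not None:
            lo, hi = extent.get(h["module"], (h["orig"], h["orig"]))
            extent[h["module"]] = (min(lo, h["orig"]), max(hi, h["orig"]))
    foreign = []
    for h in hooks:
        if h["target"] is None or h["module"] not in extent:
            continue  # nothing to compare against
        lo, hi = extent[h["module"]]
        if h["target"] < lo - slack or h["target"] > hi + slack:
            foreign.append(h)
    return foreign


def injected_regions(hooks, granularity=0x10000):
    """Foreign hook targets clustered into aligned windows, as sorted (start, end) tuples.
    Many hooks landing in one or two windows is the footprint of one injected module."""
    starts = {(h["target"] // granularity) * granularity for h in foreign_targets(hooks)}
    return [(s, s + granularity - 1) for s in sorted(starts)]


def appinit_dlls(log_text):
    """DLLs AVZ saw in AppInit_DLLs (the registry value is space-separated)."""
    m = APPINIT_RE.search(log_text)
    return m.group("dlls").split() if m else []


def globalroot_paths(log_text):
    """Files AVZ could only name through the globalroot device path: hidden from the normal namespace."""
    found = []
    for line in log_text.splitlines():
        m = GLOBALROOT_RE.match(line.strip())
        if m:
            found.append(m.group("path"))
    return found


if __name__ == "__main__":
    hooks = parse_hooks(SAMPLE_LOG)
    for module, funcs in hooked_modules(hooks).items():
        print(f"{module}: {', '.join(funcs)}")
    print(f"{len(foreign_targets(hooks))} of {len(hooks)} hooks point outside their own DLL")
    for start, end in injected_regions(hooks):
        print(f"  suspected injected region 0x{start:08X}-0x{end:08X}")
    print("AppInit_DLLs:", appinit_dlls(SAMPLE_LOG))
    print("globalroot-only files:", globalroot_paths(SAMPLE_LOG))
```

On the excerpt every one of the twelve hooks is foreign and they collapse into two windows, 0x00140000-0x0014FFFF for the GetProcAddress-style hooks and 0x00E40000-0x00E4FFFF for the inline jump in LdrUnloadDll. Read together with the globalroot-only UAC*.dll that AVZ could not quarantine and the three unknown DLLs in AppInit_DLLs, that is a consistent picture of injected code hooking loader, network and HTTP APIs in every process; the poster's inability to reach anti-malware sites fits the hooked wininet and ws2_32 send paths. The script triages the log; it does not replace the forum's removal procedure.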

Please follow these instructions (skipping any steps you are unable to complete) for posting in our Malware Removal - HijackThis Logs forum. If you cannot follow any of those steps, then please create a new topic in that forum explaining what happened when you tried to run each of the tools in the instructions, and the expert who helps you will be able to suggest steps to take to get the tools working.


thanks
