I still have this strange account left over (USER-6C9AD9881C\JA); it has the same contents in C:\Documents and Settings as the Administrator account I actually use. How do I delete it!?
Screenshot: http://www.fotosik.pl/pokaz_obrazek/99e … 1a0f2.html
LOG from KVR AVZ CollectSysInfo:
[code]
--------------------
Start time: 2009-02-14 18:24:08
Duration: 00:01:36
Finish time: 2009-02-14 18:25:44
--------------------
Time Event
---- -----
2009-02-14 18:24:09 Windows version: Microsoft Windows XP, Build=2600, SP="Dodatek Service Pack 3"
2009-02-14 18:24:09 System Restore: enabled
2009-02-14 18:24:09 1.1 Searching for user-mode API hooks
2009-02-14 18:24:10 Analysis: kernel32.dll, export table found in section .text
2009-02-14 18:24:10 Function kernel32.dll:CreateProcessA (99) intercepted, method ProcAddressHijack.GetProcAddress ->7C80236B->61F03F42
2009-02-14 18:24:10 Hook kernel32.dll:CreateProcessA (99) blocked
2009-02-14 18:24:10 Function kernel32.dll:CreateProcessW (103) intercepted, method ProcAddressHijack.GetProcAddress ->7C802336->61F04040
2009-02-14 18:24:10 Hook kernel32.dll:CreateProcessW (103) blocked
2009-02-14 18:24:10 Function kernel32.dll:FreeLibrary (241) intercepted, method ProcAddressHijack.GetProcAddress ->7C80AC6E->61F041FC
2009-02-14 18:24:10 Hook kernel32.dll:FreeLibrary (241) blocked
2009-02-14 18:24:10 Function kernel32.dll:GetModuleFileNameA (373) intercepted, method ProcAddressHijack.GetProcAddress ->7C80B55F->61F040FB
2009-02-14 18:24:10 Hook kernel32.dll:GetModuleFileNameA (373) blocked
2009-02-14 18:24:10 Function kernel32.dll:GetModuleFileNameW (374) intercepted, method ProcAddressHijack.GetProcAddress ->7C80B465->61F041A0
2009-02-14 18:24:10 Hook kernel32.dll:GetModuleFileNameW (374) blocked
2009-02-14 18:24:10 Function kernel32.dll:GetProcAddress (409) intercepted, method ProcAddressHijack.GetProcAddress ->7C80AE30->61F04648
2009-02-14 18:24:10 Hook kernel32.dll:GetProcAddress (409) blocked
2009-02-14 18:24:10 Function kernel32.dll:LoadLibraryA (581) intercepted, method ProcAddressHijack.GetProcAddress ->7C801D7B->61F03C6F
2009-02-14 18:24:10 Hook kernel32.dll:LoadLibraryA (581) blocked
2009-02-14 18:24:10 >>> Functions LoadLibraryA - preventing AVZ process from being intercepted by address replacement )
2009-02-14 18:24:10 Function kernel32.dll:LoadLibraryExA (582) intercepted, method ProcAddressHijack.GetProcAddress ->7C801D53->61F03DAF
2009-02-14 18:24:10 Hook kernel32.dll:LoadLibraryExA (582) blocked
2009-02-14 18:24:10 >>> Functions LoadLibraryExA - preventing AVZ process from being intercepted by address replacement )
2009-02-14 18:24:10 Function kernel32.dll:LoadLibraryExW (583) intercepted, method ProcAddressHijack.GetProcAddress ->7C801AF5->61F03E5A
2009-02-14 18:24:10 Hook kernel32.dll:LoadLibraryExW (583) blocked
2009-02-14 18:24:10 Function kernel32.dll:LoadLibraryW (584) intercepted, method ProcAddressHijack.GetProcAddress ->7C80AEDB->61F03D0C
2009-02-14 18:24:10 Hook kernel32.dll:LoadLibraryW (584) blocked
2009-02-14 18:24:10 IAT modification detected: LoadLibraryW - 00C40010<>7C80AEDB
2009-02-14 18:24:10 Analysis: ntdll.dll, export table found in section .text
2009-02-14 18:24:10 Analysis: user32.dll, export table found in section .text
2009-02-14 18:24:10 Analysis: advapi32.dll, export table found in section .text
2009-02-14 18:24:10 Analysis: ws2_32.dll, export table found in section .text
2009-02-14 18:24:10 Analysis: wininet.dll, export table found in section .text
2009-02-14 18:24:10 Analysis: rasapi32.dll, export table found in section .text
2009-02-14 18:24:10 Analysis: urlmon.dll, export table found in section .text
2009-02-14 18:24:10 Analysis: netapi32.dll, export table found in section .text
2009-02-14 18:24:10 1.2 Searching for kernel-mode API hooks
2009-02-14 18:24:11 Driver loaded successfully
2009-02-14 18:24:11 SDT found (RVA=083220)
2009-02-14 18:24:11 Kernel ntoskrnl.exe found in memory at address 804D7000
2009-02-14 18:24:11 SDT = 8055A220
2009-02-14 18:24:11 KiST = 804E26A8 (284)
2009-02-14 18:24:11 Function NtConnectPort (1F) intercepted (805879F7->81C35830), hook not defined
2009-02-14 18:24:11 >>> Function restored successfully !
2009-02-14 18:24:11 >>> Hook code blocked
2009-02-14 18:24:11 Function NtCreateThread (35) intercepted (8058E64B->81C13E78), hook not defined
2009-02-14 18:24:11 >>> Function restored successfully !
2009-02-14 18:24:11 >>> Hook code blocked
2009-02-14 18:24:11 Function NtDeleteKey (3F) intercepted (805952CA->BA5AA2A0), hook C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
2009-02-14 18:24:11 >>> Function restored successfully !
2009-02-14 18:24:11 >>> Hook code blocked
2009-02-14 18:24:11 Function NtLoadDriver (61) intercepted (805A3B01->81B61928), hook not defined
2009-02-14 18:24:11 >>> Function restored successfully !
2009-02-14 18:24:11 >>> Hook code blocked
2009-02-14 18:24:11 Function NtResumeThread (CE) intercepted (8058ECBE->81C5F358), hook not defined
2009-02-14 18:24:11 >>> Function restored successfully !
2009-02-14 18:24:11 >>> Hook code blocked
2009-02-14 18:24:11 Function NtSetValueKey (F7) intercepted (80572889->BA5AAA50), hook C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
2009-02-14 18:24:11 >>> Function restored successfully !
2009-02-14 18:24:11 >>> Hook code blocked
2009-02-14 18:24:14 Functions checked: 284, intercepted: 6, restored: 6
2009-02-14 18:24:14 1.3 Checking IDT and SYSENTER
2009-02-14 18:24:14 Analysis for CPU 1
2009-02-14 18:24:14 Checking IDT and SYSENTER - complete
2009-02-14 18:24:15 1.4 Searching for masking processes and drivers
2009-02-14 18:24:15 Checking not performed: extended monitoring driver (AVZPM) is not installed
2009-02-14 18:24:15 Driver loaded successfully
2009-02-14 18:24:15 1.5 Checking of IRP handlers
2009-02-14 18:24:15 Checking - complete
2009-02-14 18:24:29 >> Services: potentially dangerous service allowed: TermService (Usługi terminalowe)
2009-02-14 18:24:29 >> Services: potentially dangerous service allowed: SSDPSRV (Usługa odnajdywania SSDP)
2009-02-14 18:24:29 >> Services: potentially dangerous service allowed: Schedule (Harmonogram zadań)
2009-02-14 18:24:29 >> Services: potentially dangerous service allowed: RDSessMgr (Menedżer sesji pomocy pulpitu zdalnego)
2009-02-14 18:24:29 > Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
2009-02-14 18:24:29 >> Security: disk drives' autorun is enabled
2009-02-14 18:24:29 >> Security: administrative shares (C$, D$ ...) are enabled
2009-02-14 18:24:29 >> Security: anonymous user access is enabled
2009-02-14 18:24:33 >> Service termination timeout is out of admissible values
2009-02-14 18:24:33 >> Disable HDD autorun
2009-02-14 18:24:33 >> Disable autorun from network drives
2009-02-14 18:24:33 >> Disable CD/DVD autorun
2009-02-14 18:24:33 >> Disable removable media autorun
2009-02-14 18:24:33 System Analysis in progress
2009-02-14 18:25:44 System Analysis - complete
2009-02-14 18:25:44 Delete file:C:\Documents and Settings\JA\Pulpit\Virus Removal Tool\is-NUJT2\LOG\avptool_syscheck.htm
2009-02-14 18:25:44 Delete file:C:\Documents and Settings\JA\Pulpit\Virus Removal Tool\is-NUJT2\LOG\avptool_syscheck.xml
2009-02-14 18:25:44 Deleting service/driver: utqwndey
2009-02-14 18:25:44 Delete file:C:\WINDOWS\system32\Drivers\utqwndey.sys
2009-02-14 18:25:44 Deleting service/driver: ujqwndey
2009-02-14 18:25:44 Script executed without errors
[/code]
What puzzles me most, and really annoys me, is why I can't run any downloaded AV-type program on this PC.
I downloaded NSecurity Scan, unpacked it, clicked the .exe … it starts, and nothing. The message "Error:nie można pobrać wymaganego update'u" (error: the required update cannot be downloaded) appears and the program closes.
And it's the same with every one of them, no matter what it's called or what it's for. Does anyone have a solution???