
[Solved] From Kaspersky: AVZ Antiviral Toolkit

dickenson
Posted 2007-6-22 01:00:31
I haven't fully worked out its features yet. It's portable (no install), can update online, has heuristic scanning, uses few resources, and can serve as a companion to your antivirus. Unfortunately it doesn't support Chinese, so paths are displayed as garbled characters.

It seems able to find problems with Kaspersky's klif.sys, and it also found issues with the anti-spyware software I installed and with QQ.
Here is a scan log:
AVZ Antiviral Toolkit log; AVZ version is 4.25
Scanning started at 2007-6-22 23:11:58
Database loaded: 113518 signatures, 2 NN profile(s), 55 microprograms of healing, signature database released 21.06.2007 13:47
Heuristic microprograms loaded : 370
Digital signatures of system files loaded: 60356
Heuristic analyzer mode: Maximum heuristics level
Healing mode: disabled
Windows version: 5.1.2600, Service Pack 2 ; AVZ is launched with administrator rights
1. Searching for rootkits and programs intercepting API functions
1.1 Searching for user-mode API hooks
Analysis: kernel32.dll, export table found in section: .text
Function kernel32.dll:GetProcAddress (408) intercepted, method ProcAddressHijack.GetProcAddress ->7C80ADA0->7C883FEC
Function kernel32.dll:LoadLibraryA (578) intercepted, method ProcAddressHijack.GetProcAddress ->7C801D77->7C883F9C
Function kernel32.dll:LoadLibraryExA (579) intercepted, method ProcAddressHijack.GetProcAddress ->7C801D4F->7C883FB0
Function kernel32.dll:LoadLibraryExW (580) intercepted, method ProcAddressHijack.GetProcAddress ->7C801AF1->7C883FD8
Function kernel32.dll:LoadLibraryW (581) intercepted, method ProcAddressHijack.GetProcAddress ->7C80AE4B->7C883FC4
IAT modification detected:  LoadLibraryA - 7C883F9C<>7C801D77
IAT modification detected:  GetProcAddress - 7C883FEC<>7C80ADA0
Analysis: ntdll.dll, export table found in section: .text
Analysis: user32.dll, export table found in section: .text
Function user32.dll:RegisterRawInputDevices (546) intercepted, method ProcAddressHijack.GetProcAddress ->77D6CBD4->7DD90080
Analysis: advapi32.dll, export table found in section: .text
Analysis: ws2_32.dll, export table found in section: .text
Analysis: wininet.dll, export table found in section: .text
Analysis: rasapi32.dll, export table found in section: .text
Analysis: urlmon.dll, export table found in section: .text
Analysis: netapi32.dll, export table found in section: .text
1.2 Searching for kernel-mode API hooks
Driver loaded successfully
SDT found (RVA=07B380)
Kernel ntkrnlpa.exe found in the memory at the address 804D8000
   SDT = 80553380
   KiST = 85597728 (297)
>>> Attention, the KiST table is moved ! (805021FC(284)->85597728(297))
Function NtClose (19) intercepted (805B19C0->EEAEAA00), hook C:\WINDOWS\system32\drivers\klif.sys
Function NtCreateKey (29) intercepted (80619E86->EEADD350), hook C:\WINDOWS\system32\drivers\klif.sys
Function NtCreateProcess (2F) intercepted (805C6F8E->EEAEA730), hook C:\WINDOWS\system32\drivers\klif.sys
Function NtCreateProcessEx (30) intercepted (805C6ED8->EEAEA8A0), hook C:\WINDOWS\system32\drivers\klif.sys
Function NtCreateSection (32) intercepted (805A04EA->EEAEB340), hook C:\WINDOWS\system32\drivers\klif.sys
Function NtCreateSymbolicLinkObject (34) intercepted (805BA6C4->EEAEAF90), hook C:\WINDOWS\system32\drivers\klif.sys
Function NtCreateThread (35) intercepted (805C6D76->EEAEBC60), hook C:\WINDOWS\system32\drivers\klif.sys
Function NtDeleteKey (3F) intercepted (8061A316->EEADD450), hook C:\WINDOWS\system32\drivers\klif.sys
Function NtDeleteValueKey (41) intercepted (8061A4E6->EEADD4D0), hook C:\WINDOWS\system32\drivers\klif.sys
Function NtDuplicateObject (44) intercepted (805B349C->EEAEAB60), hook C:\WINDOWS\system32\drivers\klif.sys
Function NtEnumerateKey (47) intercepted (8061A6C6->EEADD580), hook C:\WINDOWS\system32\drivers\klif.sys
Function NtEnumerateValueKey (49) intercepted (8061A930->EEADD630), hook C:\WINDOWS\system32\drivers\klif.sys
Function NtFlushKey (4F) intercepted (8061AB9A->EEADD6E0), hook C:\WINDOWS\system32\drivers\klif.sys
Function NtInitializeRegistry (5C) intercepted (80617E5E->EEADD760), hook C:\WINDOWS\system32\drivers\klif.sys
Function NtLoadDriver (61) intercepted (805795E4->EEAE8F80), hook C:\WINDOWS\system32\drivers\klif.sys
Function NtLoadKey (62) intercepted (8061BBB6->EEADE180), hook C:\WINDOWS\system32\drivers\klif.sys
Function NtLoadKey2 (63) intercepted (8061B800->EEADD780), hook C:\WINDOWS\system32\drivers\klif.sys
Function NtNotifyChangeKey (6F) intercepted (8061BB80->EEADD860), hook C:\WINDOWS\system32\drivers\klif.sys
Function NtOpenFile (74) intercepted (8056F4E8->F7319000), hook C:\WINDOWS\system32\Drivers\kl1.sys
Function NtOpenKey (77) intercepted (8061B21C->EEADD940), hook C:\WINDOWS\system32\drivers\klif.sys
Function NtOpenProcess (7A) intercepted (805C0E1E->F7B507FD), hook F:\Tools\TianWang\SkyProcs.sys
Function NtOpenSection (7D) intercepted (8059F520->EEAEB170), hook C:\WINDOWS\system32\drivers\klif.sys
Function NtQueryKey (A0) intercepted (8061B540->EEADDA20), hook C:\WINDOWS\system32\drivers\klif.sys
Function NtQueryMultipleValueKey (A1) intercepted (80619054->EEADDAD0), hook C:\WINDOWS\system32\drivers\klif.sys
Function NtQuerySystemInformation (AD) intercepted (806075E4->EEAEB910), hook C:\WINDOWS\system32\drivers\klif.sys
Function NtQueryValueKey (B1) intercepted (80617F40->EEADDB80), hook C:\WINDOWS\system32\drivers\klif.sys
Function NtReplaceKey (C1) intercepted (8061BA66->EEADDC60), hook C:\WINDOWS\system32\drivers\klif.sys
Function NtRestoreKey (CC) intercepted (8061828E->EEADDCF0), hook C:\WINDOWS\system32\drivers\klif.sys
Function NtResumeThread (CE) intercepted (805CA764->EEAEBC10), hook C:\WINDOWS\system32\drivers\klif.sys
Function NtSaveKey (CF) intercepted (80618330->EEADDEF0), hook C:\WINDOWS\system32\drivers\klif.sys
Function NtSetContextThread (D5) intercepted (805C74B0->EEAEBF90), hook C:\WINDOWS\system32\drivers\klif.sys
Function NtSetInformationFile (E0) intercepted (80570398->EEAEC560), hook C:\WINDOWS\system32\drivers\klif.sys
Function NtSetInformationKey (E2) intercepted (80618C20->EEADDF80), hook C:\WINDOWS\system32\drivers\klif.sys
Function NtSetSecurityObject (ED) intercepted (805B563C->EEAE7C40), hook C:\WINDOWS\system32\drivers\klif.sys
Function NtSetValueKey (F7) intercepted (80618546->EEADE020), hook C:\WINDOWS\system32\drivers\klif.sys
Function NtSuspendThread (FE) intercepted (805CA69E->EEAEBBC0), hook C:\WINDOWS\system32\drivers\klif.sys
Function NtSystemDebugControl (FF) intercepted (8060DC5C->EEAE92F0), hook C:\WINDOWS\system32\drivers\klif.sys
Function NtTerminateProcess (101) intercepted (805C876C->F7D25812), hook F:\Tools\AVG\guard.sys
Function NtUnloadKey (107) intercepted (8061880E->EEADE140), hook C:\WINDOWS\system32\drivers\klif.sys
Function NtWriteVirtualMemory (115) intercepted (805A95A2->EEAEAA20), hook C:\WINDOWS\system32\drivers\klif.sys
Functions checked: 284, intercepted: 40, restored: 0
1.3 Checking IDT and SYSENTER
Analysis for CPU 1
Checking IDT and SYSENTER - complete
1.4 Searching for masking processes and drivers
The extended monitoring driver (AVZPM) is not installed, examination is not performed
2. Scanning memory
Number of processes found: 19
Number of modules loaded: 288
Memory checking - complete
3. Scanning disks
Direct reading C:\DOCUME~1\DOwaY\LOCALS~1\Temp\avz_2952_2.tmp
4. Checking  Winsock Layered Service Provider (SPI/LSP)
LSP settings checked. No errors detected
5. Searching for keyboard/mouse/windows events hooks (Keyloggers, Trojan DLLs)
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\miscr3.dll --> Suspicion for a Keylogger or Trojan DLL
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\miscr3.dll>>> Behavioral analysis:
Behaviour typical for keyloggers not detected
Note: Do NOT delete suspicious files, send them for analysis  (see FAQ for more details),  because there are lots of useful hooking DLLs
6. Searching for opened TCP/UDP ports used by malicious programs
checking disabled by user
7. Heuristic system check
Checking complete
Files scanned: 354, extracted from archives: 26, malicious programs found 0
Scanning finished at 2007-6-22 23:12:20
Time of scanning: 00:00:23
If you have a suspicion on presence of viruses or questions on the suspected objects,
you can address http://virusinfo.info conference  


Download page: http://www.z-oleg.com/secur/avz/download.php

As shown in the screenshots (attachments 1.JPG to 5.JPG).

[This post was last edited by dickenson on 2007-6-22 23:12]

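The hook sections of the log above are the part of AVZ output worth reading closely, and the same three line shapes appear in every AVZ 4.x log: user-mode export hooks printed as original->hook address, "IAT modification" lines printed as current<>original, and kernel-mode SSDT hooks attributed to the driver that owns the hook address. The Python below is an added example written for this page; it is not part of the original post and not AVZ's own code. It parses those lines, groups each kernel hook by the driver AVZ attributes it to, cross-checks the IAT lines against the Function lines, and lists hooking drivers loaded from outside the usual driver directory for review. The excerpt it runs on is copied from the posted log (a subset, so the "intercepted: 40" summary line does not match the excerpt's own count), and the trusted-directory rule is this example's assumption rather than an AVZ rule.

```python
"""Parse the API-hook sections of an AVZ 4.x log and triage who installed each hook.

Added example, not AVZ's own code. SAMPLE_LOG is an excerpt of the log posted above
(a subset, so its lines do not add up to the "intercepted: 40" summary line) and
TRUSTED_DRIVER_DIRS is this example's assumption, not an AVZ rule.
"""
import re
from collections import defaultdict

SAMPLE_LOG = r"""
1.1 Searching for user-mode API hooks
Function kernel32.dll:GetProcAddress (408) intercepted, method ProcAddressHijack.GetProcAddress ->7C80ADA0->7C883FEC
Function kernel32.dll:LoadLibraryA (578) intercepted, method ProcAddressHijack.GetProcAddress ->7C801D77->7C883F9C
IAT modification detected:  LoadLibraryA - 7C883F9C<>7C801D77
IAT modification detected:  GetProcAddress - 7C883FEC<>7C80ADA0
Function user32.dll:RegisterRawInputDevices (546) intercepted, method ProcAddressHijack.GetProcAddress ->77D6CBD4->7DD90080
1.2 Searching for kernel-mode API hooks
>>> Attention, the KiST table is moved ! (805021FC(284)->85597728(297))
Function NtClose (19) intercepted (805B19C0->EEAEAA00), hook C:\WINDOWS\system32\drivers\klif.sys
Function NtCreateProcess (2F) intercepted (805C6F8E->EEAEA730), hook C:\WINDOWS\system32\drivers\klif.sys
Function NtOpenFile (74) intercepted (8056F4E8->F7319000), hook C:\WINDOWS\system32\Drivers\kl1.sys
Function NtOpenProcess (7A) intercepted (805C0E1E->F7B507FD), hook F:\Tools\TianWang\SkyProcs.sys
Function NtTerminateProcess (101) intercepted (805C876C->F7D25812), hook F:\Tools\AVG\guard.sys
Function NtWriteVirtualMemory (115) intercepted (805A95A2->EEAEAA20), hook C:\WINDOWS\system32\drivers\klif.sys
Functions checked: 284, intercepted: 40, restored: 0
"""

HEX = r"[0-9A-Fa-f]+"
# user-mode export hook: ->original->hook ; IAT line: current<>genuine export
USER_HOOK = re.compile(
    rf"^Function (?P<module>[\w.]+):(?P<func>\w+) \((?P<ordinal>\d+)\) intercepted, "
    rf"method (?P<method>\S+) ->(?P<orig>{HEX})->(?P<hook>{HEX})$")
IAT_MOD = re.compile(rf"^IAT modification detected:\s+(?P<func>\w+) - (?P<current>{HEX})<>(?P<orig>{HEX})$")
# kernel-mode SSDT hook: (original->hook), attributed to the driver owning the hook address
KERNEL_HOOK = re.compile(
    rf"^Function (?P<func>\w+) \((?P<index>{HEX})\) intercepted "
    rf"\((?P<orig>{HEX})->(?P<hook>{HEX})\), hook (?P<path>.+)$")
KIST_MOVED = re.compile(
    rf"^>>> Attention, the KiST table is moved ! "
    rf"\((?P<orig>{HEX})\((?P<n_orig>\d+)\)->(?P<new>{HEX})\((?P<n_new>\d+)\)\)$")
SUMMARY = re.compile(r"^Functions checked: (\d+), intercepted: (\d+), restored: (\d+)$")
# Assumption: an AV's own filter drivers live here; a hook from anywhere else gets a second look.
TRUSTED_DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\",)


def parse_avz_log(text):
    """Collect the hook findings of one AVZ log into a dict."""
    report = {"user_hooks": [], "iat_mods": {}, "kernel_hooks": [],
              "kist_moved": None, "summary": None}
    for line in text.splitlines():
        line = line.strip()
        if m := USER_HOOK.match(line):
            report["user_hooks"].append(m.groupdict())
        elif m := IAT_MOD.match(line):
            report["iat_mods"][m["func"]] = (m["current"], m["orig"])
        elif m := KERNEL_HOOK.match(line):
            report["kernel_hooks"].append(m.groupdict())
        elif m := KIST_MOVED.match(line):
            report["kist_moved"] = (m["orig"], int(m["n_orig"]), m["new"], int(m["n_new"]))
        elif m := SUMMARY.match(line):
            report["summary"] = tuple(int(x) for x in m.groups())
    return report


def hooks_by_driver(report):
    """Kernel-mode hooks grouped by the driver AVZ attributes them to, in log order."""
    by_driver = defaultdict(list)
    for h in report["kernel_hooks"]:
        by_driver[h["path"]].append(h["func"])
    return dict(by_driver)


def drivers_to_review(report, trusted_dirs=TRUSTED_DRIVER_DIRS):
    """Hooking drivers loaded from outside the trusted directories (sorted).

    Heuristic only: as the log's own note says, many hooking modules are
    legitimate, so this is a list to investigate, not a verdict.
    """
    paths = {h["path"] for h in report["kernel_hooks"]}
    return sorted(p for p in paths if not p.lower().startswith(trusted_dirs))


def iat_inconsistencies(report):
    """User-mode functions whose IAT line disagrees with their Function line.

    In a consistent log the IAT's current value is the hook address and its
    second value is the genuine export that the Function line lists as original.
    """
    by_func = {h["func"]: h for h in report["user_hooks"]}
    return [func for func, (current, orig) in report["iat_mods"].items()
            if func not in by_func or (current, orig) != (by_func[func]["hook"], by_func[func]["orig"])]


if __name__ == "__main__":
    rep = parse_avz_log(SAMPLE_LOG)
    if rep["kist_moved"]:
        old, n_old, new, n_new = rep["kist_moved"]
        print(f"KiST relocated {old} ({n_old} entries) -> {new} ({n_new} entries): a driver substituted its own table")
    for drv, funcs in hooks_by_driver(rep).items():
        print(f"{drv}: {', '.join(funcs)}")
    print("review:", drivers_to_review(rep))
    print("IAT inconsistencies:", iat_inconsistencies(rep))
```

On the posted log the review list comes out as F:\Tools\AVG\guard.sys and F:\Tools\TianWang\SkyProcs.sys, the two hooking drivers that live outside the Windows driver directory, while the klif.sys and kl1.sys hooks and the relocated KiST come from the Kaspersky drivers the log itself names. Treat the review list the way AVZ's own note treats suspicious DLLs: a hook from an unexpected path is a reason to identify the file and, if unsure, send it for analysis, not to delete it.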

叮当猫
Posted 2007-6-22 01:25:13
I don't get it. Isn't KIS already fully featured? So what is this one for?

dickenson (original poster)
Posted 2007-6-22 01:33:50
Originally posted by 叮当猫 on 2007-6-22 01:25:
    I don't get it. Isn't KIS already fully featured? So what is this one for?

It's just a small Kaspersky product, but its feature set looks quite complete to me.
yahoo121
Posted 2007-6-22 09:37:37
Probably just a free little tool...

bora2547
Posted 2007-6-22 09:55:48
Downloading it to try it out.

henryronaldo
Posted 2007-6-22 09:57:08
What exactly is so special about it? Could the OP explain more clearly?

huangkun7758
Posted 2007-6-22 09:59:30
What is this, and what does it do?

尝试
Posted 2007-6-22 10:07:06
Never used it...

leeq
Posted 2007-6-22 10:28:53
Switching systems to try something new; thanks for the effort, OP.

Anti@9.cn
Posted 2007-6-22 10:32:54
Could it be a free, portable KAV?
Copyright © KaFan KaFan.cn All Rights Reserved.