
AVZ - Danger ! Process masking detected - Windows 10


#1 markreflex



Posted 06 September 2015 - 02:26 PM

I installed AVZ on upgrade of Windows 10.0.10240 from 7, and AVZ is coming up with "Process masking detected" on default settings (medium heuristics) on Windows files and others.

Do I have a rootkit, or is it a false positive because AVZ is not compatible with Windows 10 yet? I have HitmanPro.Alert installed, which detects nothing. Some of the newer third-party programs are not in the AVZ database; could it be that Windows 10 files are not in the database yet too?

Could you try AVZ with Windows 10 to see if you get similar results?

I include the log.

AVZ Antiviral Toolkit log; AVZ version is 4.45
Scanning started at 06.09.2015 20:05:20
Database loaded: signatures - 297570, NN profile(s) - 2, malware removal microprograms - 56, signature database released 06.09.2015 16:00
Heuristic microprograms loaded: 394
PVS microprograms loaded: 9
Digital signatures of system files loaded: 759075
Heuristic analyzer mode: Medium heuristics mode
Malware removal mode: enabled
Windows version is: 10.0.10240,  "Windows 10 Pro", install date 01.09.2015 02:17:48; AVZ is run with administrator rights (+)
System Restore: enabled
1. Searching for Rootkits and other software intercepting API functions
 >> Danger ! Process masking detected
1.1 Searching for user-mode API hooks
 Analysis: kernel32.dll, export table found in section .rdata
Function kernel32.dll:ReadConsoleInputExA (1103) intercepted, method - ProcAddressHijack.GetProcAddress ->746BA136->74F62210
Function kernel32.dll:ReadConsoleInputExW (1104) intercepted, method - ProcAddressHijack.GetProcAddress ->746BA169->74F62240
 Analysis: ntdll.dll, export table found in section .text
Function ntdll.dll:KiUserExceptionDispatcher (114) intercepted, method - APICodeHijack.JmpTo[70575DA6]
Function ntdll.dll:LdrLoadDll (145) intercepted, method - APICodeHijack.JmpTo[7052A996]
Function ntdll.dll:NtAllocateVirtualMemory (218) intercepted, method - APICodeHijack.JmpTo[70529A06]
Function ntdll.dll:NtCreateFile (272) intercepted, method - ProcAddressHijack.GetProcAddress ->77359130->70683340
Function ntdll.dll:NtFreeVirtualMemory (350) intercepted, method - APICodeHijack.JmpTo[70529D86]
Function ntdll.dll:NtMapViewOfSection (391) intercepted, method - APICodeHijack.JmpTo[7052A4D6]
Function ntdll.dll:NtProtectVirtualMemory (439) intercepted, method - APICodeHijack.JmpTo[70529E96]
Function ntdll.dll:NtSetInformationFile (558) intercepted, method - ProcAddressHijack.GetProcAddress ->77358E50->70683230
Function ntdll.dll:NtSetValueKey (590) intercepted, method - ProcAddressHijack.GetProcAddress ->773591E0->706B71D0
Function ntdll.dll:NtUnmapViewOfSection (619) intercepted, method - APICodeHijack.JmpTo[7052A8A6]
Function ntdll.dll:NtWaitForDebugEvent (625) intercepted, method - APICodeHijack.JmpTo[7053C0E6]
Function ntdll.dll:ZwAllocateVirtualMemory (1632) intercepted, method - APICodeHijack.JmpTo[70529A06]
Function ntdll.dll:ZwCreateFile (1686) intercepted, method - ProcAddressHijack.GetProcAddress ->77359130->70683340
Function ntdll.dll:ZwFreeVirtualMemory (1763) intercepted, method - APICodeHijack.JmpTo[70529D86]
Function ntdll.dll:ZwMapViewOfSection (1803) intercepted, method - APICodeHijack.JmpTo[7052A4D6]
Function ntdll.dll:ZwProtectVirtualMemory (1851) intercepted, method - APICodeHijack.JmpTo[70529E96]
Function ntdll.dll:ZwSetInformationFile (1970) intercepted, method - ProcAddressHijack.GetProcAddress ->77358E50->70683230
Function ntdll.dll:ZwSetValueKey (2002) intercepted, method - ProcAddressHijack.GetProcAddress ->773591E0->706B71D0
Function ntdll.dll:ZwUnmapViewOfSection (2031) intercepted, method - APICodeHijack.JmpTo[7052A8A6]
Function ntdll.dll:ZwWaitForDebugEvent (2037) intercepted, method - APICodeHijack.JmpTo[7053C0E6]
 Analysis: user32.dll, export table found in section .text
Function user32.dll:CallNextHookEx (1531) intercepted, method - ProcAddressHijack.GetProcAddress ->74431600->706821D0
Function user32.dll:GetMessageA (1878) intercepted, method - APICodeHijack.JmpTo[7053AAE6]
Function user32.dll:GetMessageW (1882) intercepted, method - APICodeHijack.JmpTo[7053AB46]
Function user32.dll:PeekMessageA (2145) intercepted, method - APICodeHijack.JmpTo[7053AA06]
Function user32.dll:PeekMessageW (2146) intercepted, method - APICodeHijack.JmpTo[7053AA76]
Function user32.dll:SetWindowsHookExW (2339) intercepted, method - ProcAddressHijack.GetProcAddress ->7443D910->706B7250
Function user32.dll:gSharedInfo (2433) intercepted, method - CodeHijack (not defined)
 Analysis: advapi32.dll, export table found in section .text
 Analysis: ws2_32.dll, export table found in section .text
 Analysis: wininet.dll, export table found in section .text
 Analysis: rasapi32.dll, export table found in section .text
 Analysis: urlmon.dll, export table found in section .text
 Analysis: netapi32.dll, export table found in section .text
Function netapi32.dll:NetFreeAadJoinInformation (139) intercepted, method - ProcAddressHijack.GetProcAddress ->7187C11E->71848C40
Function netapi32.dll:NetGetAadJoinInformation (140) intercepted, method - ProcAddressHijack.GetProcAddress ->7187C14D->71848D40
1.2 Searching for kernel-mode API hooks
 Error - file not found (C:\SystemRoot\system32\ntoskrnl.exe)
 >>>> Process masking detected 1772 c:\program files (x86)\msi\super charger\chargeservice.exe
 >>>> Process masking detected 1900 c:\program files (x86)\msi\live update\msi_liveupdate_service.exe
 >>>> Process masking detected 2416 c:\program files (x86)\msi\super charger\super charger.exe
 >>>> Process masking detected 3008 c:\program files (x86)\hitmanpro.alert\hmpalert.exe
 >>>> Process masking detected 1984 c:\program files (x86)\hitmanpro.alert\hmpalert.exe
 >>>> Process masking detected 616 c:\program files (x86)\intel\intel(r) management engine components\dal\jhi_service.exe
 >>>> Process masking detected 4800 c:\program files (x86)\intel\intel(r) security assist\isa.exe
 >>>> Process masking detected 188 c:\users\user\downloads\avz4 (1)\avz4\avz.exe
 >>>> Process masking detected 2788 c:\users\user\downloads\avz4 (1)\avz4\avz.exe
1.4 Searching for masking processes and drivers
 Checking not performed: extended monitoring driver (AVZPM) is not installed
1.5 Checking IRP handlers
 Error loading driver - operation interrupted [C000036B]
2. Scanning RAM
 Number of processes found: 9
 Number of modules loaded: 141
Scanning RAM - complete
3. Scanning disks
4. Checking  Winsock Layered Service Provider (SPI/LSP)
 LSP settings checked. No errors detected
5. Searching for keyboard/mouse/windows events hooks (Keyloggers, Trojan DLLs)
6. Searching for opened TCP/UDP ports used by malicious software
 Checking - disabled by user
7. Heuristic system check
Checking - complete
8. Searching for vulnerabilities
>> Services: potentially dangerous service allowed: TermService (Remote Desktop Services)
>> Services: potentially dangerous service allowed: Schedule (Task Scheduler)
> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
>> Security: disk drives' autorun is enabled
>> Security: administrative shares (C$, D$ ...) are enabled
>> Security: anonymous user access is enabled
>> Security: sending Remote Assistant queries is enabled
Checking - complete
9. Troubleshooting wizard
 >>  HDD autorun is allowed
 >>  Network drives autorun is allowed
 >>  Removable media autorun is allowed
Checking - complete
Files scanned: 154, extracted from archives: 0, malicious software found 0, suspicions - 0
Scanning finished at 06.09.2015 20:05:41
Time of scanning: 00:00:22
If you have a suspicion on presence of viruses or questions on the suspected objects,
you can address http://forum.kaspersky.com/index.php?showforum=19
For automatic scanning of files from the AVZ quarantine you can use the service http://virusdetector.ru/

Edited by markreflex, 06 September 2015 - 02:40 PM.
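As an added illustration (not part of the original thread and not AVZ's own code): a small Python parser for the "intercepted" and "Process masking detected" lines in the log format above. It pulls out the facts an analyst weighs before reading such a report as a rootkit: how many distinct addresses the hooks actually land at (the Nt*/Zw* pairs are aliases), which hooks AVZ could not resolve, and whether the scanner lists its own process as masked. The sample log is a constructed excerpt in the same format; `scanner_exe` is an assumed parameter.

```python
import re
# Constructed excerpt, re-typed in the exact line format of the AVZ 4.45 log quoted above.
SAMPLE_LOG = r"""
Function ntdll.dll:LdrLoadDll (145) intercepted, method - APICodeHijack.JmpTo[7052A996]
Function ntdll.dll:NtCreateFile (272) intercepted, method - ProcAddressHijack.GetProcAddress ->77359130->70683340
Function ntdll.dll:ZwCreateFile (1686) intercepted, method - ProcAddressHijack.GetProcAddress ->77359130->70683340
Function user32.dll:gSharedInfo (2433) intercepted, method - CodeHijack (not defined)
 >>>> Process masking detected 3008 c:\program files (x86)\hitmanpro.alert\hmpalert.exe
 >>>> Process masking detected 188 c:\users\user\downloads\avz4 (1)\avz4\avz.exe
"""

HOOK_RE = re.compile(
    r"^Function (?P<dll>[\w.]+):(?P<func>\w+) \(\d+\) intercepted, method - (?P<method>\w+)"
    r"(?:\.JmpTo\[(?P<jmp>[0-9A-Fa-f]+)\]|\.GetProcAddress ->[0-9A-Fa-f]+->(?P<new>[0-9A-Fa-f]+))?"
)
MASK_RE = re.compile(r"^\s*>>>> Process masking detected (?P<pid>\d+) (?P<path>.+?)\s*$")

def parse_avz_log(text):
    """Return (hooks, masked): one record per intercepted export, with the address
    the hook lands at (None when AVZ printed no address), plus (pid, path) pairs
    from the 'Process masking detected' lines."""
    hooks, masked = [], []
    for line in text.splitlines():
        m = HOOK_RE.match(line)
        if m:
            addr = m.group("jmp") or m.group("new")
            hooks.append({"dll": m.group("dll"), "func": m.group("func"),
                          "method": m.group("method"),
                          "target": int(addr, 16) if addr else None})
            continue
        m = MASK_RE.match(line)
        if m:
            masked.append((int(m.group("pid")), m.group("path").lower()))
    return hooks, masked

def summarize(hooks, masked, scanner_exe="avz.exe"):
    """Facts an analyst weighs before reading such a report as a rootkit."""
    targets = sorted({h["target"] for h in hooks if h["target"] is not None})
    return {
        "hook_count": len(hooks),
        # Nt*/Zw* exports alias one routine: distinct landing addresses, not line count, matter.
        "distinct_targets": len(targets),
        "target_span": (min(targets), max(targets)) if targets else None,
        "unresolved": [h["func"] for h in hooks if h["target"] is None],
        "masked_pids": [pid for pid, _ in masked],
        # The scanner listing itself as 'masked' suggests its enumeration disagrees with this OS build.
        "scanner_self_reported": any(p.endswith("\\" + scanner_exe) for _, p in masked),
    }
```

A narrow target span across many hooked exports is what a single injected user-mode module looks like; which product owns that module is something the analyst confirms by checking the loaded-module list, not something this script decides.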

#2 markreflex


Posted 07 September 2015 - 08:19 AM

It is an incompatibility of AVZ with Windows 10. I installed an official Windows 10 from DVD and it comes up with the same detections.
