Attention !!! Database was last updated 06.04.2008 it is necessary to update the bases using automatic updates (File/Database update)
AVZ Antiviral Toolkit log; AVZ version is 4.30
Scanning started at 27.08.2008 01:06:35
Database loaded: signatures - 157571, NN profile(s) - 2, microprograms of healing - 55, signature database released 06.04.2008 17:09
Heuristic microprograms loaded: 370
SPV microprograms loaded: 9
Digital signatures of system files loaded: 70476
Heuristic analyzer mode: Maximum heuristics level
Healing mode: disabled
Windows version: 5.1.2600, Service Pack 3 ; AVZ is launched with administrator rights
System Restore: Disabled
1. Searching for Rootkits and programs intercepting API functions
1.1 Searching for user-mode API hooks
Analysis: kernel32.dll, export table found in section .text
Analysis: ntdll.dll, export table found in section .text
Function ntdll.dll:NtClose (111) intercepted, method CodeHijack (method not defined)
Function ntdll.dll:NtCreateFile (123) intercepted, method CodeHijack (method not defined)
Function ntdll.dll:NtCreateKey (127) intercepted, method CodeHijack (method not defined)
Function ntdll.dll:NtCreateSection (137) intercepted, method CodeHijack (method not defined)
Function ntdll.dll:NtDeleteKey (151) intercepted, method CodeHijack (method not defined)
Function ntdll.dll:NtDeleteValueKey (153) intercepted, method CodeHijack (method not defined)
Function ntdll.dll:NtRenameKey (283) intercepted, method CodeHijack (method not defined)
Function ntdll.dll:NtSetInformationFile (315) intercepted, method CodeHijack (method not defined)
Function ntdll.dll:NtSetValueKey (338) intercepted, method CodeHijack (method not defined)
Function ntdll.dll:NtTerminateProcess (348) intercepted, method CodeHijack (method not defined)
Function ntdll.dll:NtWriteFile (366) intercepted, method CodeHijack (method not defined)
Function ntdll.dll:NtWriteFileGather (367) intercepted, method CodeHijack (method not defined)
Function ntdll.dll:NtWriteVirtualMemory (369) intercepted, method CodeHijack (method not defined)
Function ntdll.dll:ZwClose (921) intercepted, method CodeHijack (method not defined)
Function ntdll.dll:ZwCreateFile (933) intercepted, method CodeHijack (method not defined)
Function ntdll.dll:ZwCreateKey (937) intercepted, method CodeHijack (method not defined)
Function ntdll.dll:ZwCreateSection (947) intercepted, method CodeHijack (method not defined)
Function ntdll.dll:ZwDeleteKey (960) intercepted, method CodeHijack (method not defined)
Function ntdll.dll:ZwDeleteValueKey (962) intercepted, method CodeHijack (method not defined)
Function ntdll.dll:ZwRenameKey (1092) intercepted, method CodeHijack (method not defined)
Function ntdll.dll:ZwSetInformationFile (1124) intercepted, method CodeHijack (method not defined)
Function ntdll.dll:ZwSetValueKey (1147) intercepted, method CodeHijack (method not defined)
Function ntdll.dll:ZwTerminateProcess (1157) intercepted, method CodeHijack (method not defined)
Function ntdll.dll:ZwWriteFile (1175) intercepted, method CodeHijack (method not defined)
Function ntdll.dll:ZwWriteFileGather (1176) intercepted, method CodeHijack (method not defined)
Function ntdll.dll:ZwWriteVirtualMemory (1178) intercepted, method CodeHijack (method not defined)
Analysis: user32.dll, export table found in section .text
Function user32.dll:SetWindowsHookExA (651) intercepted, method CodeHijack (method not defined)
Function user32.dll:SetWindowsHookExW (652) intercepted, method CodeHijack (method not defined)
Analysis: advapi32.dll, export table found in section .text
Analysis: ws2_32.dll, export table found in section .text
Analysis: wininet.dll, export table found in section .text
Analysis: rasapi32.dll, export table found in section .text
Analysis: urlmon.dll, export table found in section .text
Analysis: netapi32.dll, export table found in section .text
1.2 Searching for kernel-mode API hooks
Driver loaded successfully
SDT found (RVA=08B520)
Kernel ntoskrnl.exe found in memory at address 80800000
SDT = 8088B520
KiST = 8080D8A0 (284)
Function NtCreateKey (29) intercepted (808A0925->ACFA57A6), hook C:\WINDOWS\system32\drivers\iksysflt.sys
Function NtCreateProcess (2F) intercepted (808D9470->ACFA2794), hook C:\WINDOWS\system32\drivers\iksysflt.sys
Function NtCreateProcessEx (30) intercepted (808B47CD->ACFA2F1E), hook C:\WINDOWS\system32\drivers\iksysflt.sys
Function NtDeleteKey (3F) intercepted (808BC334->ACFA61F0), hook C:\WINDOWS\system32\drivers\iksysflt.sys
Function NtDeleteValueKey (41) intercepted (808BAF8B->ACFA642A), hook C:\WINDOWS\system32\drivers\iksysflt.sys
Function NtRenameKey (C0) intercepted (8097EB50->ACFA712A), hook C:\WINDOWS\system32\drivers\iksysflt.sys
Function NtSetValueKey (F7) intercepted (808AB294->ACFA683C), hook C:\WINDOWS\system32\drivers\iksysflt.sys
Function NtTerminateProcess (101) intercepted (808B7695->ACFA1D0A), hook C:\WINDOWS\system32\drivers\iksysflt.sys
Function NtWriteVirtualMemory (115) intercepted (808B15C2->ACFA1384), hook C:\WINDOWS\system32\drivers\iksysflt.sys
Functions checked: 284, intercepted: 9, restored: 0
1.3 Checking IDT and SYSENTER
Analysis for CPU 1
Analysis for CPU 2
Checking IDT and SYSENTER - complete
1.4 Searching for masking processes and drivers
Searching for masking processes and drivers - complete
Driver loaded successfully
1.5 Checking of IRP handlers
Checking - complete
2. Scanning memory
Number of processes found: 25
Analyzer: process under analysis is 1952 C:\Programme\Spyware Doctor\pctsAuxs.exe
[ES]:Contains network functionality
[ES]:Application has no visible windows
Process c:\programme\spyware doctor\pctssvc.exe Contains network functionality (wininet.dll)
Analyzer: process under analysis is 1124 C:\Programme\Logitech\iTouch\iTouch.exe
[ES]:Application has no visible windows
[ES]:Registered in autoruns !!
Analyzer: process under analysis is 1352 C:\Programme\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
[ES]:Contains network functionality
[ES]:Application has no visible windows
Process c:\programme\ati technologies\ati.ace\core-static\mom.exe Contains network functionality (urlmon.dll)
Analyzer: process under analysis is 552 C:\Programme\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
Analyzer: process under analysis is 620 C:\Programme\Internet Explorer\IEXPLORE.EXE
[ES]:Contains network functionality
[ES]:Loads RASAPI DLL - may use dialing ?
Process c:\programme\internet explorer\iexplore.exe Contains network functionality (urlmon.dll,wininet.dll)
Number of modules loaded: 456
Scanning memory - complete
3. Scanning disks
4. Checking Winsock Layered Service Provider (SPI/LSP)
LSP settings checked. No errors detected
5. Searching for keyboard/mouse/windows events hooks (Keyloggers, Trojan DLLs)
C:\Programme\Spyware Doctor\smumhook.dll --> Suspicion for Keylogger or Trojan DLL
C:\Programme\Spyware Doctor\smumhook.dll>>> Behavioural analysis
Behaviour typical for keyloggers not detected
C:\Programme\Spyware Doctor\klg.dat --> Suspicion for Keylogger or Trojan DLL
C:\Programme\Spyware Doctor\klg.dat>>> Behavioural analysis
Behaviour typical for keyloggers not detected
Note: Do NOT delete suspicious files, send them for analysis (see FAQ for more details), because there are lots of useful hooking DLLs
6. Searching for opened TCP/UDP ports used by malicious programs
Checking disabled by user
7. Heuristic system check
Checking - complete
8. Searching for vulnerabilities
>> Services: potentially dangerous service allowed: Schedule (Taskplaner)
>> Services: potentially dangerous service allowed: RDSessMgr (Sitzungs-Manager für Remotedesktophilfe)
> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
>> Security: anonymous user access is enabled
Checking - complete
9. Troubleshooting wizard
>> HDD autorun are allowed
>> Autorun from network drives are allowed
>> Removable media autorun are allowed
Checking - complete
Files scanned: 481, extracted from archives: 0, malicious software found 0, suspicions - 0
Scanning finished at 27.08.2008 01:07:12
Time of scanning: 00:00:38
If you have a suspicion on presence of viruses or questions on the suspected objects, you can address http://virusinfo.info conference
System Analysis in progress
System Analysis - complete