Attention !!! Database was last updated 08/02/2009 it is necessary to update the bases using automatic updates (File/Database update)
AVZ Antiviral Toolkit log; AVZ version is 4.30
Scanning started at 30/06/2009 10:06:11
Database loaded: signatures - 209302, NN profile(s) - 2, microprograms of healing - 56, signature database released 08.02.2009 18:56
Heuristic microprograms loaded: 372
SPV microprograms loaded: 9
Digital signatures of system files loaded: 91560
Heuristic analyzer mode: Medium heuristics level
Healing mode: disabled
Windows version: 5.1.2600, Service Pack 3 ; AVZ is launched with administrator rights
System Restore: enabled
1. Searching for Rootkits and programs intercepting API functions
 1.1 Searching for user-mode API hooks
Analysis: kernel32.dll, export table found in section .text
Analysis: ntdll.dll, export table found in section .text
Analysis: user32.dll, export table found in section .text
Analysis: advapi32.dll, export table found in section .text
Analysis: ws2_32.dll, export table found in section .text
Analysis: wininet.dll, export table found in section .text
Analysis: rasapi32.dll, export table found in section .text
Analysis: urlmon.dll, export table found in section .text
Analysis: netapi32.dll, export table found in section .text
 1.2 Searching for kernel-mode API hooks
Driver loaded successfully
SDT found (RVA=083220)
Kernel ntoskrnl.exe found in memory at address 804D7000
SDT = 8055A220 KiST = 804E26A8 (284)
Function NtClose (19) intercepted (805678DD->F7C543AA), hook C:\WINDOWS\system32\drivers\HookCentre.sys
Function NtCreateKey (29) intercepted (8057065D->F7C55078), hook C:\WINDOWS\system32\drivers\HookCentre.sys
Function NtDeleteKey (3F) intercepted (805952CA->F7C5519C), hook C:\WINDOWS\system32\drivers\HookCentre.sys
Function NtDeleteValueKey (41) intercepted (80592D5C->F7C551BE), hook C:\WINDOWS\system32\drivers\HookCentre.sys
Function NtOpenKey (77) intercepted (80568D59->F7C55100), hook C:\WINDOWS\system32\drivers\HookCentre.sys
Function NtOpenProcess (7A) intercepted (805717C7->F7C542D0), hook C:\WINDOWS\system32\drivers\HookCentre.sys
Function NtSetValueKey (F7) intercepted (80572889->F7C5516E), hook C:\WINDOWS\system32\drivers\HookCentre.sys
Functions checked: 284, intercepted: 7, restored: 0
 1.3 Checking IDT and SYSENTER
Analysis for CPU 1
Checking IDT and SYSENTER - complete
 1.4 Searching for masking processes and drivers
Checking not performed: extended monitoring driver (AVZPM) is not installed
Driver loaded successfully
 1.5 Checking of IRP handlers
Checking - complete
2. Scanning memory
Number of processes found: 48
Number of modules loaded: 624
Scanning memory - complete
3. Scanning disks
Direct reading C:\Documents and Settings\Accueil\Local Settings\Temp\~DF54A4.tmp
C:\Program Files\Fichiers communs\Windows Live\.cache\16e2b9d81c9aa5e\fssclient_x86.msi/{MS-OLE}/\8 >>>>> Trojan.Kyjak
C:\Program Files\OpenOffice.org 2.2\program\invocation.uno.dll >>> suspicion for Backdoor.Win32.UltimateDefender.grg ( 09E25293 05903389 00213166 002769BD 44544)
C:\WINDOWS\Installer\15e417.msi/{MS-OLE}/\7 >>>>> Trojan.Kyjak
4. Checking Winsock Layered Service Provider (SPI/LSP)
LSP settings checked. No errors detected
5. Searching for keyboard/mouse/windows events hooks (Keyloggers, Trojan DLLs)
6. Searching for opened TCP/UDP ports used by malicious programs
Checking disabled by user
7. Heuristic system check
Checking - complete
8. Searching for vulnerabilities
>> Services: potentially dangerous service allowed: TermService (Services Terminal Server)
>> Services: potentially dangerous service allowed: SSDPSRV (Service de découvertes SSDP)
>> Services: potentially dangerous service allowed: Schedule (Planificateur de tâches)
>> Services: potentially dangerous service allowed: mnmsrvc (Partage de Bureau à distance NetMeeting)
>> Services: potentially dangerous service allowed: RDSessMgr (Gestionnaire de session d'aide sur le Bureau à distance)
> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
>> Security: disk drives' autorun is enabled
>> Security: administrative shares (C$, D$ ...) are enabled
>> Security: anonymous user access is enabled
>> Security: sending Remote Assistant queries is enabled
Checking - complete
9. Troubleshooting wizard
>> HDD autorun are allowed
>> Autorun from network drives are allowed
>> Removable media autorun are allowed
Checking - complete
Files scanned: 74699, extracted from archives: 55945, malicious software found 2, suspicions - 1
Scanning finished at 30/06/2009 11:01:24
Time of scanning: 00:55:21
If you have a suspicion on presence of viruses or questions on the suspected objects, you can address http://virusinfo.info conference