سماء المحبة

<AVZ_CollectSysInfo>
--------------------
Start time: 06/08/2009 08:12:13 م
Duration: 00:05:13
Finish time: 06/08/2009 08:17:26 م

<AVZ_CollectSysInfo>
--------------------
Time Event
---- -----
06/08/2009 08:12:14 م Windows version: Windows Vista (TM) Home Premium, Build=6002, SP="Service Pack 2"
06/08/2009 08:12:14 م System Restore: enabled
06/08/2009 08:12:17 م 1.1 Searching for user-mode API hooks
06/08/2009 08:12:17 م Analysis: kernel32.dll, export table found in section .text
06/08/2009 08:12:17 م Function kernel32.dll:CreateProcessA (151) intercepted, method ProcAddressHijack.GetProcAddress ->760B1C28->61F03F42
06/08/2009 08:12:17 م Hook kernel32.dll:CreateProcessA (151) blocked
06/08/2009 08:12:17 م Function kernel32.dll:CreateProcessW (154) intercepted, method ProcAddressHijack.GetProcAddress ->760B1BF3->61F04040
06/08/2009 08:12:17 م Hook kernel32.dll:CreateProcessW (154) blocked
06/08/2009 08:12:17 م Function kernel32.dll:FreeLibrary (335) intercepted, method ProcAddressHijack.GetProcAddress ->760F3DB4->61F041FC
06/08/2009 08:12:17 م Hook kernel32.dll:FreeLibrary (335) blocked
06/08/2009 08:12:17 م Function kernel32.dll:GetModuleFileNameA (503) intercepted, method ProcAddressHijack.GetProcAddress ->760FB6BD->61F040FB
06/08/2009 08:12:17 م Hook kernel32.dll:GetModuleFileNameA (503) blocked
06/08/2009 08:12:17 م Function kernel32.dll:GetModuleFileNameW (504) intercepted, method ProcAddressHijack.GetProcAddress ->760FB27E->61F041A0
06/08/2009 08:12:17 م Hook kernel32.dll:GetModuleFileNameW (504) blocked
06/08/2009 08:12:17 م Function kernel32.dll:GetProcAddress (548) intercepted, method ProcAddressHijack.GetProcAddress ->760F903B->61F04648
06/08/2009 08:12:17 م Hook kernel32.dll:GetProcAddress (548) blocked
06/08/2009 08:12:17 م Function kernel32.dll:LoadLibraryA (759) intercepted, method ProcAddressHijack.GetProcAddress ->760D94DC->61F03C6F
06/08/2009 08:12:17 م Hook kernel32.dll:LoadLibraryA (759) blocked
06/08/2009 08:12:17 م >>> Functions LoadLibraryA - preventing AVZ process from being intercepted by address replacement !!)
06/08/2009 08:12:17 م Function kernel32.dll:LoadLibraryExA (760) intercepted, method ProcAddressHijack.GetProcAddress ->760D94B4->61F03DAF
06/08/2009 08:12:17 م Hook kernel32.dll:LoadLibraryExA (760) blocked
06/08/2009 08:12:17 م >>> Functions LoadLibraryExA - preventing AVZ process from being intercepted by address replacement !!)
06/08/2009 08:12:17 م Function kernel32.dll:LoadLibraryExW (761) intercepted, method ProcAddressHijack.GetProcAddress ->760D9109->61F03E5A
06/08/2009 08:12:17 م Hook kernel32.dll:LoadLibraryExW (761) blocked
06/08/2009 08:12:17 م Function kernel32.dll:LoadLibraryW (762) intercepted, method ProcAddressHijack.GetProcAddress ->760D9362->61F03D0C
06/08/2009 08:12:17 م Hook kernel32.dll:LoadLibraryW (762) blocked
06/08/2009 08:12:17 م IAT modification detected: LoadLibraryW - 01A70010<>760D9362
06/08/2009 08:12:17 م Analysis: ntdll.dll, export table found in section .text
06/08/2009 08:12:17 م Analysis: user32.dll, export table found in section .text
06/08/2009 08:12:17 م Analysis: advapi32.dll, export table found in section .text
06/08/2009 08:12:18 م Analysis: ws2_32.dll, export table found in section .text
06/08/2009 08:12:18 م Analysis: wininet.dll, export table found in section .text
06/08/2009 08:12:18 م Analysis: rasapi32.dll, export table found in section .text
06/08/2009 08:12:18 م Analysis: urlmon.dll, export table found in section .text
06/08/2009 08:12:18 م Analysis: netapi32.dll, export table found in section .text
06/08/2009 08:12:21 م 1.2 Searching for kernel-mode API hooks
06/08/2009 08:12:21 م Driver loaded successfully
06/08/2009 08:12:21 م SDT found (RVA=137B00)
06/08/2009 08:12:21 م Kernel ntkrnlpa.exe found in memory at address 8204C000
06/08/2009 08:12:21 م SDT = 82183B00
06/08/2009 08:12:21 م KiST = 820F882C (391)
06/08/2009 08:12:22 م Function NtAlpcCreatePort (16) intercepted (8220691F->8819AF84), hook C:\Windows\system32\DRIVERS\klif.sys
06/08/2009 08:12:22 م >>> Function restored successfully !
06/08/2009 08:12:22 م >>> Hook code blocked
06/08/2009 08:12:22 م Function NtAlpcSendWaitReceivePort (26) intercepted (822893D9->8819B014), hook C:\Windows\system32\DRIVERS\klif.sys
06/08/2009 08:12:22 م >>> Function restored successfully !
06/08/2009 08:12:22 م >>> Hook code blocked
06/08/2009 08:12:22 م Function NtClose (30) intercepted (8228672F->88199DF8), hook C:\Windows\system32\DRIVERS\klif.sys
06/08/2009 08:12:22 م >>> Function restored successfully !
06/08/2009 08:12:22 م >>> Hook code blocked
06/08/2009 08:12:22 م Function NtConnectPort (36) intercepted (82219AA7->8819A4EA), hook C:\Windows\system32\DRIVERS\klif.sys
06/08/2009 08:12:22 م >>> Function restored successfully !
06/08/2009 08:12:22 م >>> Hook code blocked
06/08/2009 08:12:22 م Function NtCreateEvent (3A) intercepted (8225E953->8819A816), hook C:\Windows\system32\DRIVERS\klif.sys
06/08/2009 08:12:22 م >>> Function restored successfully !
06/08/2009 08:12:22 م >>> Hook code blocked
06/08/2009 08:12:22 م Function NtCreateFile (3C) intercepted (8228DD59->88199F66), hook C:\Windows\system32\DRIVERS\klif.sys
06/08/2009 08:12:22 م >>> Function restored successfully !
06/08/2009 08:12:22 م >>> Hook code blocked
06/08/2009 08:12:22 م Function NtCreateMutant (43) intercepted (8226C3AC->8819A6EE), hook C:\Windows\system32\DRIVERS\klif.sys
06/08/2009 08:12:22 م >>> Function restored successfully !
06/08/2009 08:12:22 م >>> Hook code blocked
06/08/2009 08:12:22 م Function NtCreateNamedPipeFile (44) intercepted (8221A6F4->881999D2), hook C:\Windows\system32\DRIVERS\klif.sys
06/08/2009 08:12:22 م >>> Function restored successfully !
06/08/2009 08:12:22 م >>> Hook code blocked
06/08/2009 08:12:22 م Function NtCreatePort (47) intercepted (821D1A40->8819A5AA), hook C:\Windows\system32\DRIVERS\klif.sys
06/08/2009 08:12:22 م >>> Function restored successfully !
06/08/2009 08:12:22 م >>> Hook code blocked
06/08/2009 08:12:22 م Function NtCreateSection (4B) intercepted (8227D803->88199B8C), hook C:\Windows\system32\DRIVERS\klif.sys
06/08/2009 08:12:22 م >>> Function restored successfully !
06/08/2009 08:12:22 م >>> Hook code blocked
06/08/2009 08:12:22 م Function NtCreateSemaphore (4C) intercepted (8222398B->8819A948), hook C:\Windows\system32\DRIVERS\klif.sys
06/08/2009 08:12:22 م >>> Function restored successfully !
06/08/2009 08:12:22 م >>> Hook code blocked
06/08/2009 08:12:22 م Function NtCreateWaitablePort (73) intercepted (821C6D04->8819A64C), hook C:\Windows\system32\DRIVERS\klif.sys
06/08/2009 08:12:22 م >>> Function restored successfully !
06/08/2009 08:12:22 م >>> Hook code blocked
06/08/2009 08:12:22 م Function NtFsControlFile (96) intercepted (82291B02->8819A0C4), hook C:\Windows\system32\DRIVERS\klif.sys
06/08/2009 08:12:22 م >>> Function restored successfully !
06/08/2009 08:12:22 م >>> Hook code blocked
06/08/2009 08:12:22 م Function NtOpenEvent (B8) intercepted (822459E7->8819A8B8), hook C:\Windows\system32\DRIVERS\klif.sys
06/08/2009 08:12:22 م >>> Function restored successfully !
06/08/2009 08:12:22 م >>> Hook code blocked
06/08/2009 08:12:22 م Function NtOpenFile (BA) intercepted (82251F99->88199E34), hook C:\Windows\system32\DRIVERS\klif.sys
06/08/2009 08:12:22 م >>> Function restored successfully !
06/08/2009 08:12:22 م >>> Hook code blocked
06/08/2009 08:12:22 م Function NtOpenMutant (BF) intercepted (8225D70D->8819A786), hook C:\Windows\system32\DRIVERS\klif.sys
06/08/2009 08:12:22 م >>> Function restored successfully !
06/08/2009 08:12:22 م >>> Hook code blocked
06/08/2009 08:12:22 م Function NtOpenSection (C5) intercepted (8225D219->8819B45C), hook C:\Windows\system32\DRIVERS\klif.sys
06/08/2009 08:12:22 م >>> Function restored successfully !
06/08/2009 08:12:22 م >>> Hook code blocked
06/08/2009 08:12:22 م Function NtOpenSemaphore (C6) intercepted (821F1EC2->8819A9EA), hook C:\Windows\system32\DRIVERS\klif.sys
06/08/2009 08:12:22 م >>> Function restored successfully !
06/08/2009 08:12:22 م >>> Hook code blocked
06/08/2009 08:12:22 م Function NtQueryDirectoryObject (DB) intercepted (8225D2DA->8819B214), hook C:\Windows\system32\DRIVERS\klif.sys
06/08/2009 08:12:22 م >>> Function restored successfully !
06/08/2009 08:12:22 م >>> Hook code blocked
06/08/2009 08:12:22 م Function NtReplyPort (10E) intercepted (8222D372->8819AD74), hook C:\Windows\system32\DRIVERS\klif.sys
06/08/2009 08:12:22 م >>> Function restored successfully !
06/08/2009 08:12:22 م >>> Hook code blocked
06/08/2009 08:12:22 م Function NtReplyWaitReceivePort (10F) intercepted (822858C7->8819AC3A), hook C:\Windows\system32\DRIVERS\klif.sys
06/08/2009 08:12:22 م >>> Function restored successfully !
06/08/2009 08:12:22 م >>> Hook code blocked
06/08/2009 08:12:22 م Function NtSecureConnectPort (11E) intercepted (82219680->8819A1F0), hook C:\Windows\system32\DRIVERS\klif.sys
06/08/2009 08:12:22 م >>> Function restored successfully !
06/08/2009 08:12:22 م >>> Hook code blocked
06/08/2009 08:12:22 م Function NtSetInformationToken (133) intercepted (82211C0A->8819B2C8), hook C:\Windows\system32\DRIVERS\klif.sys
06/08/2009 08:12:22 م >>> Function restored successfully !
06/08/2009 08:12:22 م >>> Hook code blocked
06/08/2009 08:12:23 م Functions checked: 391, intercepted: 23, restored: 23
06/08/2009 08:12:23 م 1.3 Checking IDT and SYSENTER
06/08/2009 08:12:23 م Analysis for CPU 1
06/08/2009 08:12:24 م Analysis for CPU 2
06/08/2009 08:12:24 م Checking IDT and SYSENTER - complete
06/08/2009 08:12:29 م 1.4 Searching for masking processes and drivers
06/08/2009 08:12:29 م Checking not performed: extended monitoring driver (AVZPM) is not installed
06/08/2009 08:12:29 م Driver loaded successfully
06/08/2009 08:12:29 م 1.5 Checking of IRP handlers
06/08/2009 08:12:30 م \driver\tcpip[IRP_MJ_CREATE_NAMED_PIPE] = 820749D2 -> C:\Windows\system32\ntkrnlpa.exe, driver recognized as trusted
06/08/2009 08:12:30 م \driver\tcpip[IRP_MJ_READ] = 820749D2 -> C:\Windows\system32\ntkrnlpa.exe, driver recognized as trusted
06/08/2009 08:12:30 م \driver\tcpip[IRP_MJ_WRITE] = 820749D2 -> C:\Windows\system32\ntkrnlpa.exe, driver recognized as trusted
06/08/2009 08:12:30 م \driver\tcpip[IRP_MJ_QUERY_INFORMATION] = 820749D2 -> C:\Windows\system32\ntkrnlpa.exe, driver recognized as trusted
06/08/2009 08:12:31 م \driver\tcpip[IRP_MJ_SET_INFORMATION] = 820749D2 -> C:\Windows\system32\ntkrnlpa.exe, driver recognized as trusted
06/08/2009 08:12:31 م \driver\tcpip[IRP_MJ_QUERY_EA] = 820749D2 -> C:\Windows\system32\ntkrnlpa.exe, driver recognized as trusted
06/08/2009 08:12:31 م \driver\tcpip[IRP_MJ_SET_EA] = 820749D2 -> C:\Windows\system32\ntkrnlpa.exe, driver recognized as trusted
06/08/2009 08:12:31 م \driver\tcpip[IRP_MJ_FLUSH_BUFFERS] = 820749D2 -> C:\Windows\system32\ntkrnlpa.exe, driver recognized as trusted
06/08/2009 08:12:31 م \driver\tcpip[IRP_MJ_QUERY_VOLUME_INFORMATION] = 820749D2 -> C:\Windows\system32\ntkrnlpa.exe, driver recognized as trusted
06/08/2009 08:12:32 م \driver\tcpip[IRP_MJ_SET_VOLUME_INFORMATION] = 820749D2 -> C:\Windows\system32\ntkrnlpa.exe, driver recognized as trusted
06/08/2009 08:12:32 م \driver\tcpip[IRP_MJ_DIRECTORY_CONTROL] = 820749D2 -> C:\Windows\system32\ntkrnlpa.exe, driver recognized as trusted
06/08/2009 08:12:32 م \driver\tcpip[IRP_MJ_FILE_SYSTEM_CONTROL] = 820749D2 -> C:\Windows\system32\ntkrnlpa.exe, driver recognized as trusted
06/08/2009 08:12:33 م \driver\tcpip[IRP_MJ_SHUTDOWN] = 820749D2 -> C:\Windows\system32\ntkrnlpa.exe, driver recognized as trusted
06/08/2009 08:12:33 م \driver\tcpip[IRP_MJ_LOCK_CONTROL] = 820749D2 -> C:\Windows\system32\ntkrnlpa.exe, driver recognized as trusted
06/08/2009 08:12:33 م \driver\tcpip[IRP_MJ_CREATE_MAILSLOT] = 820749D2 -> C:\Windows\system32\ntkrnlpa.exe, driver recognized as trusted
06/08/2009 08:12:33 م \driver\tcpip[IRP_MJ_QUERY_SECURITY] = 820749D2 -> C:\Windows\system32\ntkrnlpa.exe, driver recognized as trusted
06/08/2009 08:12:34 م \driver\tcpip[IRP_MJ_SET_SECURITY] = 820749D2 -> C:\Windows\system32\ntkrnlpa.exe, driver recognized as trusted
06/08/2009 08:12:34 م \driver\tcpip[IRP_MJ_POWER] = 820749D2 -> C:\Windows\system32\ntkrnlpa.exe, driver recognized as trusted
06/08/2009 08:12:34 م \driver\tcpip[IRP_MJ_SYSTEM_CONTROL] = 820749D2 -> C:\Windows\system32\ntkrnlpa.exe, driver recognized as trusted
06/08/2009 08:12:34 م \driver\tcpip[IRP_MJ_DEVICE_CHANGE] = 820749D2 -> C:\Windows\system32\ntkrnlpa.exe, driver recognized as trusted
06/08/2009 08:12:35 م \driver\tcpip[IRP_MJ_QUERY_QUOTA] = 820749D2 -> C:\Windows\system32\ntkrnlpa.exe, driver recognized as trusted
06/08/2009 08:12:35 م \driver\tcpip[IRP_MJ_SET_QUOTA] = 820749D2 -> C:\Windows\system32\ntkrnlpa.exe, driver recognized as trusted
06/08/2009 08:12:35 م \driver\tcpip[IRP_MJ_PNP] = 820749D2 -> C:\Windows\system32\ntkrnlpa.exe, driver recognized as trusted
06/08/2009 08:12:35 م Checking - complete
06/08/2009 08:12:37 م C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll --> Suspicion for Keylogger or Trojan DLL
06/08/2009 08:12:37 م C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll>>> Behavioral analysis
06/08/2009 08:12:37 م Behaviour typical for keyloggers not detected
06/08/2009 08:12:37 م C:\Program Files\Microsoft Office\Office12\GrooveUtil.DLL --> Suspicion for Keylogger or Trojan DLL
06/08/2009 08:12:37 م C:\Program Files\Microsoft Office\Office12\GrooveUtil.DLL>>> Behavioral analysis
06/08/2009 08:12:37 م Behaviour typical for keyloggers not detected
06/08/2009 08:12:37 م C:\Program Files\Microsoft Office\Office12\GrooveNew.DLL --> Suspicion for Keylogger or Trojan DLL
06/08/2009 08:12:37 م C:\Program Files\Microsoft Office\Office12\GrooveNew.DLL>>> Behavioral analysis
06/08/2009 08:12:37 م Behaviour typical for keyloggers not detected
06/08/2009 08:12:38 م C:\Windows\WinSxS\x86_microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.4053_none_d1c738ec43578ea1\ATL80.DLL --> Suspicion for Keylogger or Trojan DLL
06/08/2009 08:12:38 م C:\Windows\WinSxS\x86_microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.4053_none_d1c738ec43578ea1\ATL80.DLL>>> Behavioral analysis
06/08/2009 08:12:38 م Behaviour typical for keyloggers not detected
06/08/2009 08:12:38 م Note: Do NOT delete suspicious files, send them for analysis (see FAQ for more details), because there are lots of useful hooking DLLs
06/08/2009 08:12:56 م Latent loading of libraries through AppInit_DLLs suspected: "C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll C:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll"
06/08/2009 08:12:57 م >> Services: potentially dangerous service allowed: TermService (@%SystemRoot%\System32\termsrv.dll,-268)
06/08/2009 08:12:57 م >> Services: potentially dangerous service allowed: SSDPSRV (@%systemroot%\system32\ssdpsrv.dll,-100)
06/08/2009 08:12:57 م >> Services: potentially dangerous service allowed: Schedule (@%SystemRoot%\system32\schedsvc.dll,-100)
06/08/2009 08:12:57 م > Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
06/08/2009 08:12:57 م >> Security: disk drives' autorun is enabled
06/08/2009 08:12:57 م >> Security: administrative shares (C$, D$ ...) are enabled
06/08/2009 08:12:57 م >> Security: anonymous user access is enabled
06/08/2009 08:12:57 م >> Security: sending Remote Assistant queries is enabled
06/08/2009 08:13:03 م >> Disable HDD autorun
06/08/2009 08:13:03 م >> Disable autorun from network drives
06/08/2009 08:13:03 م >> Disable CD/DVD autorun
06/08/2009 08:13:04 م >> Disable removable media autorun
06/08/2009 08:13:04 م System Analysis in progress
06/08/2009 08:17:26 م System Analysis - complete
06/08/2009 08:17:26 م Delete file:C:\Users\Noor\Desktop\Virus Removal Tool1\is-JQ8V9\LOG\avptool_syscheck.htm
06/08/2009 08:17:26 م Delete file:C:\Users\Noor\Desktop\Virus Removal Tool1\is-JQ8V9\LOG\avptool_syscheck.xml
06/08/2009 08:17:26 م Deleting service/driver: uti0odm2
06/08/2009 08:17:26 م Delete file:C:\Windows\system32\Drivers\uti0odm2.sys
06/08/2009 08:17:26 م Deleting service/driver: uji0odm2
06/08/2009 08:17:26 م Script executed without errors
 

Signature: سماء المحبة
Bump???
 