AVZ Antiviral Toolkit log; AVZ version is 4.30
Scanning started at 18.05.2008 10:40:00
Database loaded: signatures - 164764, NN profile(s) - 2, microprograms of healing - 55, signature database released 17.05.2008 22:37
Heuristic microprograms loaded: 370
SPV microprograms loaded: 9
Digital signatures of system files loaded: 71143
Heuristic analyzer mode: Medium heuristics level
Healing mode: enabled
Windows version: 5.1.2600, Service Pack 3 ; AVZ is launched with administrator rights
System Restore: enabled
1. Searching for Rootkits and programs intercepting API functions
1.1 Searching for user-mode API hooks
Analysis: kernel32.dll, export table found in section .text
Analysis: ntdll.dll, export table found in section .text
Analysis: user32.dll, export table found in section .text
Analysis: advapi32.dll, export table found in section .text
Analysis: ws2_32.dll, export table found in section .text
Analysis: wininet.dll, export table found in section .text
Analysis: rasapi32.dll, export table found in section .text
Analysis: urlmon.dll, export table found in section .text
Analysis: netapi32.dll, export table found in section .text
1.2 Searching for kernel-mode API hooks
Driver loaded successfully
SDT found (RVA=083220)
Kernel ntoskrnl.exe found in memory at address 804D7000
SDT = 8055A220
KiST = 804E26A8 (284)
Function NtCreateKey (29) intercepted (8057065D->F73E90D0), hook C:\WINDOWS\system32\Drivers\sptd.sys
Function NtEnumerateKey (47) intercepted (80570D64->F73EEFB2), hook C:\WINDOWS\system32\Drivers\sptd.sys
Function NtEnumerateValueKey (49) intercepted (8059066B->F73EF340), hook C:\WINDOWS\system32\Drivers\sptd.sys
Function NtOpenKey (77) intercepted (80568D59->F73E90B0), hook C:\WINDOWS\system32\Drivers\sptd.sys
Function NtQueryKey (A0) intercepted (80570A6D->F73EF418), hook C:\WINDOWS\system32\Drivers\sptd.sys
Function NtQueryValueKey (B1) intercepted (8056A1F1->F73EF298), hook C:\WINDOWS\system32\Drivers\sptd.sys
Function NtSetValueKey (F7) intercepted (80572889->F73EF4AA), hook C:\WINDOWS\system32\Drivers\sptd.sys
Functions checked: 284, intercepted: 7, restored: 0
1.3 Checking IDT and SYSENTER
Analysis for CPU 1
Checking IDT and SYSENTER - complete
1.4 Searching for masking processes and drivers
Checking not performed: extended monitoring driver (AVZPM) is not installed
Driver loaded successfully
1.5 Checking of IRP handlers
\FileSystem\ntfs[IRP_MJ_CREATE] = 86B621E8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_CLOSE] = 86B621E8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_WRITE] = 86B621E8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_QUERY_INFORMATION] = 86B621E8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_SET_INFORMATION] = 86B621E8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_QUERY_EA] = 86B621E8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_SET_EA] = 86B621E8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_QUERY_VOLUME_INFORMATION] = 86B621E8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_SET_VOLUME_INFORMATION] = 86B621E8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_DIRECTORY_CONTROL] = 86B621E8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_FILE_SYSTEM_CONTROL] = 86B621E8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_DEVICE_CONTROL] = 86B621E8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_LOCK_CONTROL] = 86B621E8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_QUERY_SECURITY] = 86B621E8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_SET_SECURITY] = 86B621E8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_PNP] = 86B621E8 -> hook not defined
\driver\disk[IRP_MJ_CREATE] = 85BFFC86 -> hook not defined
\driver\disk[IRP_MJ_CLOSE] = 85BFFC86 -> hook not defined
\driver\disk[IRP_MJ_READ] = 85BFB486 -> hook not defined
\driver\disk[IRP_MJ_WRITE] = 85BFB486 -> hook not defined
\driver\disk[IRP_MJ_PNP] = 85BFFC9E -> hook not defined
Checking - complete
2. Scanning memory
Number of processes found: 47
Number of modules loaded: 403
Scanning memory - complete
3. Scanning disks
C:\Projekte\SAP-Doku\(sap) - BC411 - Advanced ABAP Programming.rar/{RAR}/Bc411.zip/{ZIP}/PRINT1.DOC >>> suspicion for Trojan-Proxy.Win32.Small.du ( 033C6E39 0BCAAF76 00254F6B 0028C1EE 37888)
C:\Projekte\SAP-Doku\SAP.BC411.Advanced.ABAP.Programming.45A.rar/{RAR}/SAP.BC411.Advanced.ABAP.Programming.45A\PRINT1.DOC >>> suspicion for Trojan-Proxy.Win32.Small.du ( 033C6E39 0BCAAF76 00254F6B 0028C1EE 37888)
Direct reading C:\System Volume Information\_restore{235B13B4-E30F-4BE4-A30C-623D10D2BA51}\RP29\A0003457.dll
Direct reading C:\WINDOWS\system32\drivers\sptd.sys
4. Checking Winsock Layered Service Provider (SPI/LSP)
LSP settings checked. No errors detected
5. Searching for keyboard/mouse/windows events hooks (Keyloggers, Trojan DLLs)
C:\Programme\Hardcopy\HcDLL2_F_Win32.dll --> Suspicion for Keylogger or Trojan DLL
C:\Programme\Hardcopy\HcDLL2_F_Win32.dll>>> Behavioural analysis
 1. Reacts to events: keyboard, all events
 2. Determines the window which has input focus
C:\Programme\Hardcopy\HcDLL2_F_Win32.dll>>> Neural net: file with probability 91.59% like a typical keyboard/mouse events interceptor
C:\Programme\Hardcopy\hardcopy.dll --> Suspicion for Keylogger or Trojan DLL
C:\Programme\Hardcopy\hardcopy.dll>>> Behavioural analysis
 Behaviour typical for keyloggers not detected
Note: Do NOT delete suspicious files, send them for analysis (see FAQ for more details), because there are lots of useful hooking DLLs
6. Searching for opened TCP/UDP ports used by malicious programs
Checking disabled by user
7. Heuristic system check
Checking - complete
8. Searching for vulnerabilities
>> Services: potentially dangerous service allowed: RemoteRegistry (Remote-Registrierung / Remote Registry)
>> Services: potentially dangerous service allowed: TermService (Terminaldienste / Terminal Services)
>> Services: potentially dangerous service allowed: SSDPSRV (SSDP-Suchdienst / SSDP Discovery Service)
>> Services: potentially dangerous service allowed: Schedule (Taskplaner / Task Scheduler)
>> Services: potentially dangerous service allowed: mnmsrvc (NetMeeting-Remotedesktop-Freigabe / NetMeeting Remote Desktop Sharing)
>> Services: potentially dangerous service allowed: RDSessMgr (Sitzungs-Manager für Remotedesktophilfe / Remote Desktop Help Session Manager)
> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
>> Security: disk drives' autorun is enabled
>> Security: administrative shares (C$, D$ ...) are enabled
>> Security: anonymous user access is enabled
>> Security: sending Remote Assistant queries is enabled
Checking - complete
9. Troubleshooting wizard
Checking - complete
Files scanned: 241197, extracted from archives: 176702, malicious software found 0, suspicions - 2
Scanning finished at 18.05.2008 12:06:37
Time of scanning: 01:26:39
If you suspect the presence of viruses or have questions about the suspected objects, you can contact the http://virusinfo.info conference
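The only finding in section 1.2 worth reasoning about is the set of SSDT hooks: all seven come from one driver and all seven are registry functions (Nt*Key). That pattern is characteristic of sptd.sys, the SCSI Pass Through Direct driver installed by DAEMON Tools and Alcohol 120%, which hooks registry access to cloak its own configuration; it is the reason AVZ lists the hooks rather than "healing" them, and also why it had to fall back to "Direct reading" of the file in section 3. A hook on NtQuerySystemInformation or NtQueryDirectoryFile from a driver you cannot account for would be a different matter. The Python below is an added example, not part of the log or of AVZ: it parses the section 1.2 lines, cross-checks the per-function lines against the summary line (a mismatch means a truncated or edited log), groups hooks by driver and triages them. The sample input is the log's own lines plus one constructed line for a made-up driver, evil.sys, with invented addresses, so that the escalation path is exercised; the allowlist EXPECTED_REGISTRY_HOOKERS is an assumption of the example.

```python
import re
from collections import defaultdict

# Constructed sample: the section 1.2 lines from the log above, plus one invented
# line (evil.sys, made-up addresses) and an adjusted summary line (8 instead of 7)
# so the example can show an unexpected hooker being escalated.
SAMPLE_LOG = r"""
1.2 Searching for kernel-mode API hooks
Kernel ntoskrnl.exe found in memory at address 804D7000
SDT = 8055A220
KiST = 804E26A8 (284)
Function NtCreateKey (29) intercepted (8057065D->F73E90D0), hook C:\WINDOWS\system32\Drivers\sptd.sys
Function NtEnumerateKey (47) intercepted (80570D64->F73EEFB2), hook C:\WINDOWS\system32\Drivers\sptd.sys
Function NtEnumerateValueKey (49) intercepted (8059066B->F73EF340), hook C:\WINDOWS\system32\Drivers\sptd.sys
Function NtOpenKey (77) intercepted (80568D59->F73E90B0), hook C:\WINDOWS\system32\Drivers\sptd.sys
Function NtQueryKey (A0) intercepted (80570A6D->F73EF418), hook C:\WINDOWS\system32\Drivers\sptd.sys
Function NtQueryValueKey (B1) intercepted (8056A1F1->F73EF298), hook C:\WINDOWS\system32\Drivers\sptd.sys
Function NtSetValueKey (F7) intercepted (80572889->F73EF4AA), hook C:\WINDOWS\system32\Drivers\sptd.sys
Function NtQuerySystemInformation (AD) intercepted (8057A2B0->F8C01234), hook C:\WINDOWS\system32\Drivers\evil.sys
Functions checked: 284, intercepted: 8, restored: 0
"""

HOOK_RE = re.compile(
    r"^Function (?P<func>\w+) \((?P<idx>[0-9A-F]+)\) intercepted "
    r"\((?P<orig>[0-9A-F]+)->(?P<new>[0-9A-F]+)\), hook (?P<path>.+)$"
)
KIST_RE = re.compile(r"^KiST = (?P<addr>[0-9A-F]+) \((?P<count>\d+)\)$")
TOTALS_RE = re.compile(
    r"^Functions checked: (?P<checked>\d+), intercepted: (?P<hooked>\d+), restored: (?P<restored>\d+)$"
)

# Assumption of this example: drivers whose registry-only hooking is a known,
# expected behaviour of a legitimately installed product (SPTD of DAEMON Tools).
EXPECTED_REGISTRY_HOOKERS = {"sptd.sys"}

# Hooks on these services are what process/file-hiding rootkits need.
STEALTH_FUNCS = {
    "NtQuerySystemInformation", "NtQueryDirectoryFile", "NtOpenProcess",
    "NtCreateFile", "NtOpenFile", "NtDeviceIoControlFile",
}


def parse_ssdt_section(text):
    """Return (hooks, kist_size, totals) from the AVZ section 1.2 lines."""
    hooks, kist_size, totals = [], None, None
    for line in text.splitlines():
        line = line.strip()
        if m := HOOK_RE.match(line):
            hooks.append({
                "func": m["func"], "index": int(m["idx"], 16),
                "orig": int(m["orig"], 16), "new": int(m["new"], 16),
                "path": m["path"],
                "module": m["path"].rsplit("\\", 1)[-1].lower(),
            })
        elif m := KIST_RE.match(line):
            kist_size = int(m["count"])
        elif m := TOTALS_RE.match(line):
            totals = {k: int(v) for k, v in m.groupdict().items()}
    return hooks, kist_size, totals


def triage(hooks, kist_size, totals):
    """Return (level, message) findings: error, escalate, review or info."""
    findings = []
    # The per-function lines must add up to the summary line; otherwise the
    # log was cut or edited before posting and cannot be trusted as complete.
    if totals is None or kist_size is None:
        findings.append(("error", "KiST or summary line missing; log incomplete"))
    else:
        if totals["checked"] != kist_size:
            findings.append(("error", f"checked {totals['checked']} != KiST size {kist_size}"))
        if totals["hooked"] != len(hooks):
            findings.append(("error", f"summary says {totals['hooked']} hooks, parsed {len(hooks)}"))
    by_module = defaultdict(list)
    for h in hooks:
        by_module[h["module"]].append(h)
    for module, hs in sorted(by_module.items()):
        funcs = {h["func"] for h in hs}
        registry_only = all(f.startswith("Nt") and f.endswith("Key") for f in funcs)
        if module in EXPECTED_REGISTRY_HOOKERS and registry_only:
            findings.append(("info", f"{module}: {len(hs)} registry hooks, consistent with a "
                                     "known product; still verify the file's signature and version"))
        elif funcs & STEALTH_FUNCS:
            findings.append(("escalate", f"{module}: hooks stealth-relevant {sorted(funcs & STEALTH_FUNCS)}"))
        else:
            findings.append(("review", f"{module}: hooks {sorted(funcs)}"))
    return findings


if __name__ == "__main__":
    for level, msg in triage(*parse_ssdt_section(SAMPLE_LOG)):
        print(f"[{level}] {msg}")
```

On the real log (drop the constructed evil.sys and summary lines) the only output is the "info" line for sptd.sys; the escalation path fires only for the invented driver. The allowlist is deliberately narrow: a driver that hooks Nt*Key functions and anything else is sent to "review" or "escalate" even if its name is on the list.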
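Section 8 is a configuration audit, not a malware finding: six services that expose the machine remotely are not disabled, AutoRun is on, the C$/D$ administrative shares exist, anonymous enumeration is allowed and Remote Assistance is switched on. AVZ's own caveat applies (on a domain-joined office PC several of these are required), so the fix is a decision, not a click. The Python below is an added example, not AVZ code: it reads the HKLM registry values that back each of these findings into a snapshot, evaluates them with the same rules, and prints the `sc config` / `reg add` command that would close each one. The constructed LOGGED_STATE snapshot models the state this log reports (Start=3 for the services and the 0x91 NoDriveTypeAutoRun value are assumptions of the example, not values shown in the log); HARDENED_STATE is the same snapshot after applying the fixes. On Windows, `read_live_snapshot()` uses the standard library `winreg` module to audit the running machine instead.

```python
import sys

# HKLM-relative registry locations that back the section 8 findings.
SERVICES = "SYSTEM\\CurrentControlSet\\Services\\"
LSA = "SYSTEM\\CurrentControlSet\\Control\\Lsa"
TS = "SYSTEM\\CurrentControlSet\\Control\\Terminal Server"
LANMAN = SERVICES + "LanmanServer\\Parameters"
EXPLORER_POL = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"

# The services AVZ flagged, with their English display names.
RISKY_SERVICES = {
    "RemoteRegistry": "Remote Registry",
    "TermService": "Terminal Services / Remote Desktop",
    "SSDPSRV": "SSDP Discovery (UPnP)",
    "Schedule": "Task Scheduler",
    "mnmsrvc": "NetMeeting Remote Desktop Sharing",
    "RDSessMgr": "Remote Desktop Help Session Manager",
}
SERVICE_DISABLED = 4  # Start DWORD value of a disabled service (2 auto, 3 manual)

# Bits of NoDriveTypeAutoRun; a SET bit disables AutoRun for that drive type.
AUTORUN_BITS = {0x04: "removable", 0x08: "fixed", 0x10: "network", 0x20: "CD-ROM"}

WANTED = [(SERVICES + s, "Start") for s in RISKY_SERVICES] + [
    (EXPLORER_POL, "NoDriveTypeAutoRun"), (LANMAN, "AutoShareWks"),
    (LSA, "RestrictAnonymous"), (TS, "fAllowToGetHelp"),
]


def evaluate(snapshot):
    """snapshot maps (key, value_name) -> value, or None when absent.
    Returns (setting, observed, fix_command) triples, one per open finding."""
    findings = []
    for svc, desc in RISKY_SERVICES.items():
        start = snapshot.get((SERVICES + svc, "Start"))
        if start is not None and start != SERVICE_DISABLED:   # absent = not installed
            findings.append((f"service {svc} ({desc})", f"Start={start}",
                             f"sc config {svc} start= disabled"))
    autorun = snapshot.get((EXPLORER_POL, "NoDriveTypeAutoRun")) or 0
    still_on = [name for bit, name in AUTORUN_BITS.items() if not autorun & bit]
    if still_on:
        findings.append(("disk autorun", f"still enabled for {still_on}",
                         f'reg add "HKLM\\{EXPLORER_POL}" /v NoDriveTypeAutoRun /t REG_DWORD /d 255 /f'))
    if snapshot.get((LANMAN, "AutoShareWks")) != 0:            # absent = shares created
        findings.append(("administrative shares (C$, D$, ADMIN$)", "AutoShareWks missing or non-zero",
                         f'reg add "HKLM\\{LANMAN}" /v AutoShareWks /t REG_DWORD /d 0 /f'))
    if (snapshot.get((LSA, "RestrictAnonymous")) or 0) == 0:    # absent = 0 = allowed
        findings.append(("anonymous access", "RestrictAnonymous=0",
                         f'reg add "HKLM\\{LSA}" /v RestrictAnonymous /t REG_DWORD /d 1 /f'))
    if snapshot.get((TS, "fAllowToGetHelp")) == 1:
        findings.append(("Remote Assistance", "fAllowToGetHelp=1",
                         f'reg add "HKLM\\{TS}" /v fAllowToGetHelp /t REG_DWORD /d 0 /f'))
    return findings


def read_live_snapshot():
    """Windows only: read the wanted values from HKLM via the winreg module."""
    import winreg
    snap = {}
    for key, name in WANTED:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as k:
                snap[(key, name)] = winreg.QueryValueEx(k, name)[0]
        except OSError:          # key or value absent
            snap[(key, name)] = None
    return snap


# Constructed snapshot modelling what this log reports (assumed values).
LOGGED_STATE = {
    **{(SERVICES + s, "Start"): 3 for s in RISKY_SERVICES},   # manual start = allowed
    (EXPLORER_POL, "NoDriveTypeAutoRun"): 0x91,                 # network off, the rest on
    (LANMAN, "AutoShareWks"): None,
    (LSA, "RestrictAnonymous"): 0,
    (TS, "fAllowToGetHelp"): 1,
}
# The same machine after every fix command above has been applied.
HARDENED_STATE = {
    **{(SERVICES + s, "Start"): SERVICE_DISABLED for s in RISKY_SERVICES},
    (EXPLORER_POL, "NoDriveTypeAutoRun"): 0xFF,
    (LANMAN, "AutoShareWks"): 0,
    (LSA, "RestrictAnonymous"): 1,
    (TS, "fAllowToGetHelp"): 0,
}

if __name__ == "__main__":
    snap = read_live_snapshot() if sys.platform == "win32" else LOGGED_STATE
    for setting, observed, fix in evaluate(snap):
        print(f"{setting}: {observed}\n    fix: {fix}")
```

Two design notes. RestrictAnonymous is set to 1 rather than 2 on purpose: 2 blocks all anonymous SMB access and breaks domain browsing and some trust scenarios on XP, whereas 1 stops the null-session enumeration the finding is about. And the service check treats a missing Start value as "not installed" rather than as a finding, so the audit does not complain about mnmsrvc on a machine without NetMeeting.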