Attention !!! Database was last updated 06.04.2008 it is necessary to update the bases using automatic updates (File/Database update)
AVZ Antiviral Toolkit log; AVZ version is 4.30
Scanning started at 19.06.2008 09:53:22
Database loaded: signatures - 157571, NN profile(s) - 2, microprograms of healing - 55, signature database released 06.04.2008 17:09
Heuristic microprograms loaded: 370
SPV microprograms loaded: 9
Digital signatures of system files loaded: 70476
Heuristic analyzer mode: Medium heuristics level
Healing mode: enabled
Windows version: 5.1.2600, Service Pack 2 ; AVZ is launched with administrator rights
System Restore: enabled
1. Searching for Rootkits and programs intercepting API functions
1.1 Searching for user-mode API hooks
Analysis: kernel32.dll, export table found in section .text
Analysis: ntdll.dll, export table found in section .text
Analysis: user32.dll, export table found in section .text
Analysis: advapi32.dll, export table found in section .text
Analysis: ws2_32.dll, export table found in section .text
Analysis: wininet.dll, export table found in section .text
Analysis: rasapi32.dll, export table found in section .text
Analysis: urlmon.dll, export table found in section .text
Analysis: netapi32.dll, export table found in section .text
1.2 Searching for kernel-mode API hooks
Driver loaded successfully
SDT found (RVA=0846E0)
Kernel ntkrnlpa.exe found in memory at address 804D7000
SDT = 8055B6E0
KiST = 80503940 (284)
Function NtOpenFile (74) intercepted (80578FD0->A3A5B000), hook C:\WINDOWS\system32\DRIVERS\kl1.sys, driver recognized as trusted
Functions checked: 284, intercepted: 1, restored: 0
1.3 Checking IDT and SYSENTER
Analysis for CPU 1
Analysis for CPU 2
Checking IDT and SYSENTER - complete
1.4 Searching for masking processes and drivers
Checking not performed: extended monitoring driver (AVZPM) is not installed
Driver loaded successfully
1.5 Checking of IRP handlers
Checking - complete
2. Scanning memory
Number of processes found: 85
Number of modules loaded: 759
Scanning memory - complete
3. Scanning disks
C:\Dokumente und Einstellungen\olegt\Anwendungsdaten\Mozilla\Firefox\Profiles\h490gbmy.default\extensions\firebit@firebit\components\firebit.dll >>> suspicion for AdvWare.Win32.Kitsune.a ( 007A8187 00000000 001CAECF 0025441E 319488)
C:\Programme\Akademische Arbeitsgemeinschaft\Steuertipps\2008\Steuerprogramm\usc.exe >>> suspicion for Trojan-PSW.Win32.OnLineGames.htm ( 00715354 08CD8ABD 0019EAC2 001FBCB2 53248)
C:\Programme\BitAccelerator\BitAccelerator.dll >>> suspicion for AdvWare.Win32.BHO.xq ( 006D821F 00000000 0020B407 0021BE56 77824)
C:\Programme\SAP\FrontEnd\Controls\CrossSection.dll >>> suspicion for AdvWare.Win32.Boran.bs ( 00818663 00000000 001E546E 003DF1D0 499712)
File quarantined succesfully (C:\Programme\SAP\FrontEnd\Controls\CrossSection.dll)
C:\Programme\Visio\Hilfe\Vis_NDA.chm/{CHM}//Assistant.ocx >>> Danger - executable file in CHM file - executable file masking is possible
File quarantined succesfully (C:\DOKUME~1\olegt\LOKALE~1\Temp\avz_4832_1.tmp)
C:\WINDOWS\Installer\1a69bb.msi/{MS-OLE}/\107 >>> suspicion for Trojan-PSW.Win32.OnLineGames.htm ( 00511EC1 08CD8ABD 001C13F0 001FD6D9 53248)
File quarantined succesfully (C:\WINDOWS\Installer\1a69bb.msi)
C:\WINDOWS\Installer\{F705E3E1-A471-426B-9A09-73429F3418EE}\NewShortcut1_778BE0ABA7934F848CC8783177877802.exe >>> suspicion for Trojan-PSW.Win32.OnLineGames.htm ( 00511EC1 08CD8ABD 001C13F0 001FD6D9 53248)
File quarantined succesfully (C:\WINDOWS\Installer\{F705E3E1-A471-426B-9A09-73429F3418EE}\NewShortcut1_778BE0ABA7934F848CC8783177877802.exe)
4. Checking Winsock Layered Service Provider (SPI/LSP)
LSP settings checked. No errors detected
5. Searching for keyboard/mouse/windows events hooks (Keyloggers, Trojan DLLs)
C:\WINDOWS\system32\winspool.drv --> Suspicion for Keylogger or Trojan DLL
C:\WINDOWS\system32\winspool.drv>>> Behavioural analysis
 Behaviour typical for keyloggers not detected
File quarantined succesfully (C:\WINDOWS\system32\winspool.drv)
C:\WINDOWS\system32\SynTPFcs.dll --> Suspicion for Keylogger or Trojan DLL
C:\WINDOWS\system32\SynTPFcs.dll>>> Behavioural analysis
 Behaviour typical for keyloggers not detected
File quarantined succesfully (C:\WINDOWS\system32\SynTPFcs.dll)
C:\WINDOWS\system32\PROCHLP.DLL --> Suspicion for Keylogger or Trojan DLL
C:\WINDOWS\system32\PROCHLP.DLL>>> Behavioural analysis
 Behaviour typical for keyloggers not detected
File quarantined succesfully (C:\WINDOWS\system32\PROCHLP.DLL)
C:\WINDOWS\system32\RICHED32.DLL --> Suspicion for Keylogger or Trojan DLL
C:\WINDOWS\system32\RICHED32.DLL>>> Behavioural analysis
 Behaviour typical for keyloggers not detected
File quarantined succesfully (C:\WINDOWS\system32\RICHED32.DLL)
Note: Do NOT delete suspicious files, send them for analysis (see FAQ for more details), because there are lots of useful hooking DLLs
6. Searching for opened TCP/UDP ports used by malicious programs
Checking disabled by user
7. Heuristic system check
Checking - complete
8. Searching for vulnerabilities
>> Services: potentially dangerous service allowed: RemoteRegistry (Remote-Registrierung)
>> Services: potentially dangerous service allowed: TermService (Terminaldienste)
>> Services: potentially dangerous service allowed: Schedule (Taskplaner)
>> Services: potentially dangerous service allowed: mnmsrvc (NetMeeting-Remotedesktop-Freigabe)
>> Services: potentially dangerous service allowed: RDSessMgr (Sitzungs-Manager für Remotedesktophilfe)
> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
>> Security: disk drives' autorun is enabled
>> Security: administrative shares (C$, D$ ...) are enabled
>> Security: anonymous user access is enabled
>> Security: sending Remote Assistant queries is enabled
Checking - complete
9. Troubleshooting wizard
>> Service termination timeout is out of admissible values
Checking - complete
Files scanned: 175910, extracted from archives: 137634, malicious software found 0, suspicions - 6
Scanning finished at 19.06.2008 10:51:51
Time of scanning: 00:58:30
If you have a suspicion on presence of viruses or questions on the suspected objects, you can address http://virusinfo.info conference