AVZ Antiviral Toolkit log; AVZ version is 4.30
Scanning started at 15.07.2008 15:51:56
Database loaded: signatures - 176266, NN profile(s) - 2, microprograms of healing - 56, signature database released 14.07.2008 22:12
Heuristic microprograms loaded: 370
SPV microprograms loaded: 9
Digital signatures of system files loaded: 71502
Heuristic analyzer mode: Medium heuristics level
Healing mode: enabled
Windows version: 5.1.2600, Service Pack 3 ; AVZ is launched with administrator rights
System Restore: enabled
1. Searching for Rootkits and programs intercepting API functions
1.1 Searching for user-mode API hooks
Analysis: kernel32.dll, export table found in section .text
Analysis: ntdll.dll, export table found in section .text
Analysis: user32.dll, export table found in section .text
Analysis: advapi32.dll, export table found in section .text
Analysis: ws2_32.dll, export table found in section .text
Analysis: wininet.dll, export table found in section .text
Analysis: rasapi32.dll, export table found in section .text
Analysis: urlmon.dll, export table found in section .text
Analysis: netapi32.dll, export table found in section .text
1.2 Searching for kernel-mode API hooks
Driver loaded successfully
SDT found (RVA=083220)
Kernel ntoskrnl.exe found in memory at address 804D7000
SDT = 8055A220
KiST = 804E26A8 (284)
Function NtCreateKey (29) intercepted (8057065D->F74D70E0), hook spsp.sys
Function NtCreateThread (35) intercepted (8058E63F->F7AAB1CC), hook not defined
Function NtEnumerateKey (47) intercepted (80570D64->F74F5CA2), hook spsp.sys
Function NtEnumerateValueKey (49) intercepted (8059066B->F74F6030), hook spsp.sys
Function NtOpenKey (77) intercepted (80568D59->F74D70C0), hook spsp.sys
Function NtOpenProcess (7A) intercepted (805717C7->F7AAB1B8), hook not defined
Function NtOpenThread (80) intercepted (8058A1BD->F7AAB1BD), hook not defined
Function NtQueryKey (A0) intercepted (80570A6D->F74F6108), hook spsp.sys
Function NtQueryValueKey (B1) intercepted (8056A1F1->F74F5F88), hook spsp.sys
Function NtSetValueKey (F7) intercepted (80572889->F74F619A), hook spsp.sys
Function NtTerminateProcess (101) intercepted (805822E0->F7AAB1C7), hook not defined
Function NtWriteVirtualMemory (115) intercepted (8057E420->F7AAB1C2), hook not defined
Functions checked: 284, intercepted: 12, restored: 0
1.3 Checking IDT and SYSENTER
Analysis for CPU 1
Checking IDT and SYSENTER - complete
1.4 Searching for masking processes and drivers
Checking not performed: extended monitoring driver (AVZPM) is not installed
Driver loaded successfully
1.5 Checking of IRP handlers
\FileSystem\ntfs[IRP_MJ_CREATE] = 899151F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_CLOSE] = 899151F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_WRITE] = 899151F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_QUERY_INFORMATION] = 899151F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_SET_INFORMATION] = 899151F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_QUERY_EA] = 899151F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_SET_EA] = 899151F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_QUERY_VOLUME_INFORMATION] = 899151F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_SET_VOLUME_INFORMATION] = 899151F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_DIRECTORY_CONTROL] = 899151F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_FILE_SYSTEM_CONTROL] = 899151F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_DEVICE_CONTROL] = 899151F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_LOCK_CONTROL] = 899151F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_QUERY_SECURITY] = 899151F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_SET_SECURITY] = 899151F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_PNP] = 899151F8 -> hook not defined
Checking - complete
2. Scanning memory
Number of processes found: 38
Number of modules loaded: 597
Scanning memory - complete
3. Scanning disks
Direct reading C:\Dokumente und Einstellungen\Admin\Anwendungsdaten\Mozilla\Firefox\Profiles\okl2p37v.default\bookmarkbackups\bookmarks-2008-02-17.html
Direct reading C:\Dokumente und Einstellungen\Admin\Anwendungsdaten\Mozilla\Firefox\Profiles\okl2p37v.default\bookmarkbackups\bookmarks-2008-07-05.html
Direct reading C:\Dokumente und Einstellungen\Admin\Anwendungsdaten\Mozilla\Firefox\Profiles\okl2p37v.default\bookmarks.bak
Direct reading C:\Dokumente und Einstellungen\Admin\Anwendungsdaten\Mozilla\Firefox\Profiles\okl2p37v.default\bookmarks.html
Direct reading C:\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temp\binkw32.dll
Direct reading C:\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temp\d2l_Install.exe
Direct reading C:\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temp\~DF11BA.tmp
Direct reading C:\Dokumente und Einstellungen\Admin\Vorlagen\winword.doc
Direct reading C:\Dokumente und Einstellungen\Frank\Eigene Dateien\Verlauf\Juli 2008\vincent858@msn.com.html
Direct reading C:\Dokumente und Einstellungen\Frank\Lokale Einstellungen\Temp\~DF6196.tmp
Direct reading C:\Dokumente und Einstellungen\Frank\Lokale Einstellungen\Temp\~DF7573.tmp
C:\Programme\Trend Micro\HijackThis\backups\backup-20080714-184554-108.dll >>>>> Trojan.Win32.Monder.gen deleted successfully
C:\System Volume Information\_restore{4A2D5F20-9F00-41E6-915B-322B95830E75}\RP143\A0042053.dll >>> suspicion for Trojan.Win32.Monder.gen ( 0B56EDEF 02E69BD9 00243001 002622FB 80896)
File quarantined successfully (C:\System Volume Information\_restore{4A2D5F20-9F00-41E6-915B-322B95830E75}\RP143\A0042053.dll)
C:\System Volume Information\_restore{4A2D5F20-9F00-41E6-915B-322B95830E75}\RP144\A0043108.dll >>> suspicion for Trojan.Win32.Monder.gen ( 0B7E1913 01DDA690 0025DAEA 00241D42 92160)
File quarantined successfully (C:\System Volume Information\_restore{4A2D5F20-9F00-41E6-915B-322B95830E75}\RP144\A0043108.dll)
C:\System Volume Information\_restore{4A2D5F20-9F00-41E6-915B-322B95830E75}\RP144\A0043115.dll >>>>> Trojan.Win32.Monder.gen deleted successfully
C:\System Volume Information\_restore{4A2D5F20-9F00-41E6-915B-322B95830E75}\RP145\A0043129.dll >>>>> Trojan.Win32.Monder.gen deleted successfully
C:\System Volume Information\_restore{4A2D5F20-9F00-41E6-915B-322B95830E75}\RP145\A0043276.dll >>>>> Trojan.Win32.Monder.gen deleted successfully
Direct reading C:\WINDOWS\$NtUninstallKB828741$\catsrv.dll
Direct reading C:\WINDOWS\$NtUninstallKB828741$\catsrvut.dll
Direct reading C:\WINDOWS\$NtUninstallKB828741$\clbcatex.dll
Direct reading C:\WINDOWS\$NtUninstallKB828741$\clbcatq.dll
Direct reading C:\WINDOWS\$NtUninstallKB828741$\colbact.dll
Direct reading C:\WINDOWS\$NtUninstallKB828741$\comadmin.dll
Direct reading C:\WINDOWS\$NtUninstallKB828741$\comrepl.exe
Direct reading C:\WINDOWS\$NtUninstallKB828741$\comsvcs.dll
Direct reading C:\WINDOWS\$NtUninstallKB828741$\comuid.dll
Direct reading C:\WINDOWS\$NtUninstallKB828741$\es.dll
Direct reading C:\WINDOWS\$NtUninstallKB828741$\migregdb.exe
Direct reading C:\WINDOWS\$NtUninstallKB828741$\msdtcprx.dll
Direct reading C:\WINDOWS\$NtUninstallKB828741$\msdtctm.dll
Direct reading C:\WINDOWS\$NtUninstallKB828741$\msdtcuiu.dll
Direct reading C:\WINDOWS\$NtUninstallKB828741$\mtxclu.dll
Direct reading C:\WINDOWS\$NtUninstallKB828741$\mtxoci.dll
Direct reading C:\WINDOWS\$NtUninstallKB828741$\ole32.dll
Direct reading C:\WINDOWS\$NtUninstallKB828741$\rpcrt4.dll
Direct reading C:\WINDOWS\$NtUninstallKB828741$\rpcss.dll
Direct reading C:\WINDOWS\$NtUninstallKB828741$\txflog.dll
Direct reading C:\WINDOWS\$NtUninstallKB835732$\browser.dll
Direct reading C:\WINDOWS\$NtUninstallKB835732$\callcont.dll
Direct reading C:\WINDOWS\$NtUninstallKB835732$\cmdevtgprov.dll
Direct reading C:\WINDOWS\$NtUninstallKB835732$\evtgprov.dll
Direct reading C:\WINDOWS\$NtUninstallKB835732$\gdi32.dll
Direct reading C:\WINDOWS\$NtUninstallKB835732$\h323msp.dll
Direct reading C:\WINDOWS\$NtUninstallKB835732$\helpctr.exe
Direct reading C:\WINDOWS\$NtUninstallKB835732$\ipnathlp.dll
Direct reading C:\WINDOWS\$NtUninstallKB835732$\lsasrv.dll
Direct reading C:\WINDOWS\$NtUninstallKB835732$\mf3216.dll
Direct reading C:\WINDOWS\$NtUninstallKB835732$\msasn1.dll
Direct reading C:\WINDOWS\$NtUninstallKB835732$\msgina.dll
Direct reading C:\WINDOWS\$NtUninstallKB835732$\mst120.dll
Direct reading C:\WINDOWS\$NtUninstallKB835732$\netapi32.dll
Direct reading C:\WINDOWS\$NtUninstallKB835732$\nmcom.dll
Direct reading C:\WINDOWS\$NtUninstallKB835732$\rtcdll.dll
Direct reading C:\WINDOWS\$NtUninstallKB835732$\schannel.dll
Direct reading C:\WINDOWS\system32\drivers\sptd.sys
Removing traces of deleted files...
4. Checking Winsock Layered Service Provider (SPI/LSP)
LSP settings checked. No errors detected
5. Searching for keyboard/mouse/windows events hooks (Keyloggers, Trojan DLLs)
C:\Programme\SmartFTP Client\sfShellTools.dll --> Suspicion for Keylogger or Trojan DLL
C:\Programme\SmartFTP Client\sfShellTools.dll>>> Behavioural analysis
 Behaviour typical for keyloggers not detected
File quarantined successfully (C:\Programme\SmartFTP Client\sfShellTools.dll)
Note: Do NOT delete suspicious files, send them for analysis (see FAQ for more details), because there are lots of useful hooking DLLs
6. Searching for opened TCP/UDP ports used by malicious programs
Checking disabled by user
7. Heuristic system check
Checking - complete
8. Searching for vulnerabilities
>> Services: potentially dangerous service allowed: RemoteRegistry (Remote-Registrierung)
>> Services: potentially dangerous service allowed: TermService (Terminaldienste)
>> Services: potentially dangerous service allowed: SSDPSRV (SSDP-Suchdienst)
>> Services: potentially dangerous service allowed: TlntSvr (Telnet)
>> Services: potentially dangerous service allowed: Schedule (Taskplaner)
>> Services: potentially dangerous service allowed: mnmsrvc (NetMeeting-Remotedesktop-Freigabe)
>> Services: potentially dangerous service allowed: RDSessMgr (Sitzungs-Manager für Remotedesktophilfe)
> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
>> Security: disk drives' autorun is enabled
>> Security: administrative shares (C$, D$ ...) are enabled
>> Security: anonymous user access is enabled
>> Security: sending Remote Assistant queries is enabled
Checking - complete
9. Troubleshooting wizard
Checking - complete
Files scanned: 116853, extracted from archives: 66624, malicious software found 4, suspicions - 2
Scanning finished at 15.07.2008 17:34:09
Time of scanning: 01:42:14
If you have a suspicion on presence of viruses or questions on the suspected objects, you can address http://virusinfo.info conference
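The two parts of this log that decide whether the machine is still compromised are section 1.2 (which SSDT entries are hooked, and by what) and the detection lines in section 3. Seven of the twelve hooks are attributed to spsp.sys and all of them are registry functions (Nt*Key); the other five are reported as "hook not defined", meaning AVZ could not match the target address to a driver it knows, and they are exactly the process-control set (NtOpenProcess, NtOpenThread, NtCreateThread, NtTerminateProcess, NtWriteVirtualMemory) that both security products and malware install for self-protection. Their targets F7AAB1B8..F7AAB1CC sit 5 bytes apart inside one 20-byte window, so they belong to one small stub table in one module, which is the first thing to identify. On the detection side, every Trojan.Win32.Monder.gen hit is either a System Restore snapshot (\_restore{...}\RPnnn\) or a HijackThis backup, i.e. an inactive copy, and the footer counts (4 malicious, 2 suspicions) should agree with the per-line results. The script below is an added example, not part of AVZ or of this post: it parses those two kinds of lines (sample input copied from the log above and embedded as constructed data), groups hooks by attributed module, clusters the unattributed hook targets by address proximity (the 0x1000-byte window is an assumed threshold, not an AVZ parameter), and reconciles the detection lines with the footer.

```python
"""Triage helper for AVZ 4.x log lines (added example; not AVZ's own code)."""
import re
from collections import defaultdict

# Constructed sample: the section 1.2 hook lines and summary from the log above.
SAMPLE_HOOK_LINES = """\
Function NtCreateKey (29) intercepted (8057065D->F74D70E0), hook spsp.sys
Function NtCreateThread (35) intercepted (8058E63F->F7AAB1CC), hook not defined
Function NtEnumerateKey (47) intercepted (80570D64->F74F5CA2), hook spsp.sys
Function NtEnumerateValueKey (49) intercepted (8059066B->F74F6030), hook spsp.sys
Function NtOpenKey (77) intercepted (80568D59->F74D70C0), hook spsp.sys
Function NtOpenProcess (7A) intercepted (805717C7->F7AAB1B8), hook not defined
Function NtOpenThread (80) intercepted (8058A1BD->F7AAB1BD), hook not defined
Function NtQueryKey (A0) intercepted (80570A6D->F74F6108), hook spsp.sys
Function NtQueryValueKey (B1) intercepted (8056A1F1->F74F5F88), hook spsp.sys
Function NtSetValueKey (F7) intercepted (80572889->F74F619A), hook spsp.sys
Function NtTerminateProcess (101) intercepted (805822E0->F7AAB1C7), hook not defined
Function NtWriteVirtualMemory (115) intercepted (8057E420->F7AAB1C2), hook not defined
Functions checked: 284, intercepted: 12, restored: 0
"""

# Constructed sample: the section 3 result lines from the log above (one
# "Direct reading" line included to show it is ignored).
SAMPLE_SCAN_LINES = r"""
Direct reading C:\Dokumente und Einstellungen\Admin\Vorlagen\winword.doc
C:\Programme\Trend Micro\HijackThis\backups\backup-20080714-184554-108.dll >>>>> Trojan.Win32.Monder.gen deleted successfully
C:\System Volume Information\_restore{4A2D5F20-9F00-41E6-915B-322B95830E75}\RP143\A0042053.dll >>> suspicion for Trojan.Win32.Monder.gen ( 0B56EDEF 02E69BD9 00243001 002622FB 80896)
File quarantined succesfully (C:\System Volume Information\_restore{4A2D5F20-9F00-41E6-915B-322B95830E75}\RP143\A0042053.dll)
C:\System Volume Information\_restore{4A2D5F20-9F00-41E6-915B-322B95830E75}\RP144\A0043108.dll >>> suspicion for Trojan.Win32.Monder.gen ( 0B7E1913 01DDA690 0025DAEA 00241D42 92160)
File quarantined succesfully (C:\System Volume Information\_restore{4A2D5F20-9F00-41E6-915B-322B95830E75}\RP144\A0043108.dll)
C:\System Volume Information\_restore{4A2D5F20-9F00-41E6-915B-322B95830E75}\RP144\A0043115.dll >>>>> Trojan.Win32.Monder.gen deleted successfully
C:\System Volume Information\_restore{4A2D5F20-9F00-41E6-915B-322B95830E75}\RP145\A0043129.dll >>>>> Trojan.Win32.Monder.gen deleted successfully
C:\System Volume Information\_restore{4A2D5F20-9F00-41E6-915B-322B95830E75}\RP145\A0043276.dll >>>>> Trojan.Win32.Monder.gen deleted successfully
"""

HOOK_RE = re.compile(
    r"^Function (?P<name>\w+) \((?P<index>[0-9A-Fa-f]+)\) intercepted "
    r"\((?P<orig>[0-9A-Fa-f]+)->(?P<target>[0-9A-Fa-f]+)\), hook (?P<module>.+)$"
)
DETECT_RE = re.compile(
    r"^(?P<path>.+?) >{3,} (?P<susp>suspicion for )?(?P<name>\S+)\s*(?P<rest>.*)$"
)


def parse_hooks(text):
    """One dict per 'Function ... intercepted' line; module is None when AVZ
    printed 'hook not defined' (target not matched to a known driver)."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if m:
            hooks.append({"name": m["name"], "index": int(m["index"], 16),
                          "orig": int(m["orig"], 16), "target": int(m["target"], 16),
                          "module": None if m["module"] == "not defined" else m["module"]})
    return hooks


def cluster_targets(hooks, span=0x1000):
    """Group hooks whose target addresses lie within `span` bytes of the previous
    one (sorted order). Targets that close together live in one image, so an
    unattributed cluster can be treated as a single unknown module. `span` is an
    assumed threshold chosen for this example."""
    clusters = []
    for h in sorted(hooks, key=lambda h: h["target"]):
        if clusters and h["target"] - clusters[-1][-1]["target"] <= span:
            clusters[-1].append(h)
        else:
            clusters.append([h])
    return clusters


def triage_hooks(text):
    """Hooks by attributed module, unattributed clusters, and a check that the
    number of parsed lines matches AVZ's own 'intercepted: N' summary."""
    hooks = parse_hooks(text)
    by_module = defaultdict(list)
    for h in hooks:
        by_module[h["module"]].append(h["name"])
    clusters = [{"range": (c[0]["target"], c[-1]["target"]),
                 "functions": sorted(h["name"] for h in c)}
                for c in cluster_targets([h for h in hooks if h["module"] is None])]
    reported = re.search(r"intercepted: (\d+)", text)
    return {"total": len(hooks), "by_module": dict(by_module),
            "unattributed_clusters": clusters,
            "matches_summary": bool(reported) and int(reported[1]) == len(hooks)}


def parse_detections(text):
    """Detection lines ('>>>>> name deleted' / '>>> suspicion for name'), with the
    following 'File quarantined' line folded into the preceding suspicion."""
    results = []
    for line in text.splitlines():
        m = DETECT_RE.match(line.strip())
        if m:
            results.append({"path": m["path"], "name": m["name"],
                            "verdict": "suspicion" if m["susp"] else "detected",
                            "action": "deleted" if m["rest"].startswith("deleted") else "pending"})
        elif line.startswith("File quarantined succes"):  # tolerate AVZ's own spelling
            if results and results[-1]["action"] == "pending":
                results[-1]["action"] = "quarantined"
    return results


def summarise_detections(results):
    """Counts to compare against the footer, plus how many hits are only
    System Restore snapshot copies rather than live files."""
    return {"malicious": sum(r["verdict"] == "detected" for r in results),
            "suspicions": sum(r["verdict"] == "suspicion" for r in results),
            "restore_point_copies": sum("\\_restore{" in r["path"] for r in results)}


if __name__ == "__main__":
    print(triage_hooks(SAMPLE_HOOK_LINES))
    print(summarise_detections(parse_detections(SAMPLE_SCAN_LINES)))
```

Run against the lines above, the hook triage reports one unattributed cluster covering F7AAB1B8..F7AAB1CC with the five process-control functions, and the detection summary gives 4 malicious and 2 suspicions, matching the footer, with all six in restore-point or backup locations. The next step a practitioner would take on the live box is to map that F7AAB1xx range to a loaded driver's image base and size (AVZ's own driver list, or any kernel module enumerator) and decide whether it is an installed security product or something that needs removal.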