AVZ Antiviral Toolkit log; AVZ version is 4.30
Scanning started at 15.07.2008 15:51:56
Database loaded: signatures - 176266, NN profile(s) - 2, microprograms of healing - 56, signature database released 14.07.2008 22:12
Heuristic microprograms loaded: 370
SPV microprograms loaded: 9
Digital signatures of system files loaded: 71502
Heuristic analyzer mode: Medium heuristics level
Healing mode: enabled
Windows version: 5.1.2600, Service Pack 3 ; AVZ is launched with administrator rights
System Restore: enabled
1. Searching for Rootkits and programs intercepting API functions
1.1 Searching for user-mode API hooks
 Analysis: kernel32.dll, export table found in section .text
 Analysis: ntdll.dll, export table found in section .text
 Analysis: user32.dll, export table found in section .text
 Analysis: advapi32.dll, export table found in section .text
 Analysis: ws2_32.dll, export table found in section .text
 Analysis: wininet.dll, export table found in section .text
 Analysis: rasapi32.dll, export table found in section .text
 Analysis: urlmon.dll, export table found in section .text
 Analysis: netapi32.dll, export table found in section .text
1.2 Searching for kernel-mode API hooks
 Driver loaded successfully
 SDT found (RVA=083220)
 Kernel ntoskrnl.exe found in memory at address 804D7000
   SDT = 8055A220
   KiST = 804E26A8 (284)
Function NtCreateKey (29) intercepted (8057065D->F74D70E0), hook spsp.sys
Function NtCreateThread (35) intercepted (8058E63F->F7AAB1CC), hook not defined
Function NtEnumerateKey (47) intercepted (80570D64->F74F5CA2), hook spsp.sys
Function NtEnumerateValueKey (49) intercepted (8059066B->F74F6030), hook spsp.sys
Function NtOpenKey (77) intercepted (80568D59->F74D70C0), hook spsp.sys
Function NtOpenProcess (7A) intercepted (805717C7->F7AAB1B8), hook not defined
Function NtOpenThread (80) intercepted (8058A1BD->F7AAB1BD), hook not defined
Function NtQueryKey (A0) intercepted (80570A6D->F74F6108), hook spsp.sys
Function NtQueryValueKey (B1) intercepted (8056A1F1->F74F5F88), hook spsp.sys
Function NtSetValueKey (F7) intercepted (80572889->F74F619A), hook spsp.sys
Function NtTerminateProcess (101) intercepted (805822E0->F7AAB1C7), hook not defined
Function NtWriteVirtualMemory (115) intercepted (8057E420->F7AAB1C2), hook not defined
Functions checked: 284, intercepted: 12, restored: 0
1.3 Checking IDT and SYSENTER
 Analysis for CPU 1
 Checking IDT and SYSENTER - complete
1.4 Searching for masking processes and drivers
 Checking not performed: extended monitoring driver (AVZPM) is not installed
 Driver loaded successfully
1.5 Checking of IRP handlers
\FileSystem\ntfs[IRP_MJ_CREATE] = 899151F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_CLOSE] = 899151F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_WRITE] = 899151F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_QUERY_INFORMATION] = 899151F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_SET_INFORMATION] = 899151F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_QUERY_EA] = 899151F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_SET_EA] = 899151F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_QUERY_VOLUME_INFORMATION] = 899151F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_SET_VOLUME_INFORMATION] = 899151F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_DIRECTORY_CONTROL] = 899151F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_FILE_SYSTEM_CONTROL] = 899151F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_DEVICE_CONTROL] = 899151F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_LOCK_CONTROL] = 899151F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_QUERY_SECURITY] = 899151F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_SET_SECURITY] = 899151F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_PNP] = 899151F8 -> hook not defined
 Checking - complete
2. Scanning memory
 Number of processes found: 38
 Number of modules loaded: 597
Scanning memory - complete
3. Scanning disks
Direct reading C:\Dokumente und Einstellungen\Admin\Anwendungsdaten\Mozilla\Firefox\Profiles\okl2p37v.default\bookmarkbackups\bookmarks-2008-02-17.html
Direct reading C:\Dokumente und Einstellungen\Admin\Anwendungsdaten\Mozilla\Firefox\Profiles\okl2p37v.default\bookmarkbackups\bookmarks-2008-07-05.html
Direct reading C:\Dokumente und Einstellungen\Admin\Anwendungsdaten\Mozilla\Firefox\Profiles\okl2p37v.default\bookmarks.bak
Direct reading C:\Dokumente und Einstellungen\Admin\Anwendungsdaten\Mozilla\Firefox\Profiles\okl2p37v.default\bookmarks.html
Direct reading C:\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temp\binkw32.dll
Direct reading C:\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temp\d2l_Install.exe
Direct reading C:\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temp\~DF11BA.tmp
Direct reading C:\Dokumente und Einstellungen\Admin\Vorlagen\winword.doc
Direct reading C:\Dokumente und Einstellungen\Frank\Eigene Dateien\Verlauf\Juli 2008\vincent858@msn.com.html
Direct reading C:\Dokumente und Einstellungen\Frank\Lokale Einstellungen\Temp\~DF6196.tmp
Direct reading C:\Dokumente und Einstellungen\Frank\Lokale Einstellungen\Temp\~DF7573.tmp
C:\Programme\Trend Micro\HijackThis\backups\backup-20080714-184554-108.dll >>>>> Trojan.Win32.Monder.gen  deleted successfully
C:\System Volume Information\_restore{4A2D5F20-9F00-41E6-915B-322B95830E75}\RP143\A0042053.dll >>> suspicion for Trojan.Win32.Monder.gen ( 0B56EDEF 02E69BD9 00243001 002622FB 80896)
File quarantined succesfully (C:\System Volume Information\_restore{4A2D5F20-9F00-41E6-915B-322B95830E75}\RP143\A0042053.dll)
C:\System Volume Information\_restore{4A2D5F20-9F00-41E6-915B-322B95830E75}\RP144\A0043108.dll >>> suspicion for Trojan.Win32.Monder.gen ( 0B7E1913 01DDA690 0025DAEA 00241D42 92160)
File quarantined succesfully (C:\System Volume Information\_restore{4A2D5F20-9F00-41E6-915B-322B95830E75}\RP144\A0043108.dll)
C:\System Volume Information\_restore{4A2D5F20-9F00-41E6-915B-322B95830E75}\RP144\A0043115.dll >>>>> Trojan.Win32.Monder.gen  deleted successfully
C:\System Volume Information\_restore{4A2D5F20-9F00-41E6-915B-322B95830E75}\RP145\A0043129.dll >>>>> Trojan.Win32.Monder.gen  deleted successfully
C:\System Volume Information\_restore{4A2D5F20-9F00-41E6-915B-322B95830E75}\RP145\A0043276.dll >>>>> Trojan.Win32.Monder.gen  deleted successfully
Direct reading C:\WINDOWS\$NtUninstallKB828741$\catsrv.dll
Direct reading C:\WINDOWS\$NtUninstallKB828741$\catsrvut.dll
Direct reading C:\WINDOWS\$NtUninstallKB828741$\clbcatex.dll
Direct reading C:\WINDOWS\$NtUninstallKB828741$\clbcatq.dll
Direct reading C:\WINDOWS\$NtUninstallKB828741$\colbact.dll
Direct reading C:\WINDOWS\$NtUninstallKB828741$\comadmin.dll
Direct reading C:\WINDOWS\$NtUninstallKB828741$\comrepl.exe
Direct reading C:\WINDOWS\$NtUninstallKB828741$\comsvcs.dll
Direct reading C:\WINDOWS\$NtUninstallKB828741$\comuid.dll
Direct reading C:\WINDOWS\$NtUninstallKB828741$\es.dll
Direct reading C:\WINDOWS\$NtUninstallKB828741$\migregdb.exe
Direct reading C:\WINDOWS\$NtUninstallKB828741$\msdtcprx.dll
Direct reading C:\WINDOWS\$NtUninstallKB828741$\msdtctm.dll
Direct reading C:\WINDOWS\$NtUninstallKB828741$\msdtcuiu.dll
Direct reading C:\WINDOWS\$NtUninstallKB828741$\mtxclu.dll
Direct reading C:\WINDOWS\$NtUninstallKB828741$\mtxoci.dll
Direct reading C:\WINDOWS\$NtUninstallKB828741$\ole32.dll
Direct reading C:\WINDOWS\$NtUninstallKB828741$\rpcrt4.dll
Direct reading C:\WINDOWS\$NtUninstallKB828741$\rpcss.dll
Direct reading C:\WINDOWS\$NtUninstallKB828741$\txflog.dll
Direct reading C:\WINDOWS\$NtUninstallKB835732$\browser.dll
Direct reading C:\WINDOWS\$NtUninstallKB835732$\callcont.dll
Direct reading C:\WINDOWS\$NtUninstallKB835732$\cmdevtgprov.dll
Direct reading C:\WINDOWS\$NtUninstallKB835732$\evtgprov.dll
Direct reading C:\WINDOWS\$NtUninstallKB835732$\gdi32.dll
Direct reading C:\WINDOWS\$NtUninstallKB835732$\h323msp.dll
Direct reading C:\WINDOWS\$NtUninstallKB835732$\helpctr.exe
Direct reading C:\WINDOWS\$NtUninstallKB835732$\ipnathlp.dll
Direct reading C:\WINDOWS\$NtUninstallKB835732$\lsasrv.dll
Direct reading C:\WINDOWS\$NtUninstallKB835732$\mf3216.dll
Direct reading C:\WINDOWS\$NtUninstallKB835732$\msasn1.dll
Direct reading C:\WINDOWS\$NtUninstallKB835732$\msgina.dll
Direct reading C:\WINDOWS\$NtUninstallKB835732$\mst120.dll
Direct reading C:\WINDOWS\$NtUninstallKB835732$\netapi32.dll
Direct reading C:\WINDOWS\$NtUninstallKB835732$\nmcom.dll
Direct reading C:\WINDOWS\$NtUninstallKB835732$\rtcdll.dll
Direct reading C:\WINDOWS\$NtUninstallKB835732$\schannel.dll
Direct reading C:\WINDOWS\system32\drivers\sptd.sys
Removing traces of deleted files...
4. Checking  Winsock Layered Service Provider (SPI/LSP)
 LSP settings checked. No errors detected
5. Searching for keyboard/mouse/windows events hooks (Keyloggers, Trojan DLLs)
C:\Programme\SmartFTP Client\sfShellTools.dll --> Suspicion for Keylogger or Trojan DLL
C:\Programme\SmartFTP Client\sfShellTools.dll>>> Behavioural analysis 
 Behaviour typical for keyloggers not detected
File quarantined succesfully (C:\Programme\SmartFTP Client\sfShellTools.dll)
Note: Do NOT delete suspicious files, send them for analysis  (see FAQ for more details),  because there are lots of useful hooking DLLs
6. Searching for opened TCP/UDP ports used by malicious programs
 Checking disabled by user
7. Heuristic system check
Checking - complete
8. Searching for vulnerabilities
>> Services: potentially dangerous service allowed: RemoteRegistry (Remote-Registrierung)
>> Services: potentially dangerous service allowed: TermService (Terminaldienste)
>> Services: potentially dangerous service allowed: SSDPSRV (SSDP-Suchdienst)
>> Services: potentially dangerous service allowed: TlntSvr (Telnet)
>> Services: potentially dangerous service allowed: Schedule (Taskplaner)
>> Services: potentially dangerous service allowed: mnmsrvc (NetMeeting-Remotedesktop-Freigabe)
>> Services: potentially dangerous service allowed: RDSessMgr (Sitzungs-Manager für Remotedesktophilfe)
> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
>> Security: disk drives' autorun is enabled
>> Security: administrative shares (C$, D$ ...) are enabled
>> Security: anonymous user access is enabled
>> Security: sending Remote Assistant queries is enabled
Checking - complete
9. Troubleshooting wizard
Checking - complete
Files scanned: 116853, extracted from archives: 66624, malicious software found 4, suspicions - 2
Scanning finished at 15.07.2008 17:34:09
Time of scanning: 01:42:14
If you have a suspicion on presence of viruses or questions on the suspected objects,
you can address http://virusinfo.info conference