AVZ Antiviral Toolkit log; AVZ version is 4.39
Scanning started at 16.05.2013 18:23:41
Database loaded: signatures - 297614, NN profile(s) - 2, malware removal microprograms - 56, signature database released 16.05.2013 16:00
Heuristic microprograms loaded: 402
PVS microprograms loaded: 9
Digital signatures of system files loaded: 551869
Heuristic analyzer mode: Medium heuristics mode
Malware removal mode: disabled
Windows version is: 5.1.2600, Dodatek Service Pack 3 ; AVZ is run with administrator rights
System Restore: enabled
1. Searching for Rootkits and other software intercepting API functions
1.1 Searching for user-mode API hooks
Analysis: kernel32.dll, export table found in section .text
Function kernel32.dll:CreateProcessA (99) intercepted, method - APICodeHijack.JmpTo[7C80236B]
Function kernel32.dll:CreateProcessW (103) intercepted, method - APICodeHijack.JmpTo[7C802336]
Analysis: ntdll.dll, export table found in section .text
Function ntdll.dll:LdrUnloadDll (80) intercepted, method - APICodeHijack.JmpTo[7C9171CD]
Function ntdll.dll:NtClose (111) intercepted, method - APICodeHijack.JmpTo[7C90CFEE]
Function ntdll.dll:NtReplyWaitReceivePort (286) intercepted, method - APICodeHijack.JmpTo[7C90DA8E]
Function ntdll.dll:NtReplyWaitReceivePortEx (287) intercepted, method - APICodeHijack.JmpTo[7C90DA9E]
Function ntdll.dll:ZwClose (922) intercepted, method - APICodeHijack.JmpTo[7C90CFEE]
Function ntdll.dll:ZwReplyWaitReceivePort (1096) intercepted, method - APICodeHijack.JmpTo[7C90DA8E]
Function ntdll.dll:ZwReplyWaitReceivePortEx (1097) intercepted, method - APICodeHijack.JmpTo[7C90DA9E]
Analysis: user32.dll, export table found in section .text
Function user32.dll:SetWinEventHook (639) intercepted, method - APICodeHijack.JmpTo[7E3817F7]
Function user32.dll:SetWindowsHookExA (651) intercepted, method - APICodeHijack.JmpTo[7E381211]
Function user32.dll:SetWindowsHookExW (652) intercepted, method - APICodeHijack.JmpTo[7E37820F]
Analysis: advapi32.dll, export table found in section .text
Function advapi32.dll:CreateProcessAsUserA (97) intercepted, method - APICodeHijack.JmpTo[77E00CE8]
Function advapi32.dll:CreateProcessAsUserW (99) intercepted, method - APICodeHijack.JmpTo[77DDA8A9]
Function advapi32.dll:CreateProcessWithLogonW (100) intercepted, method - APICodeHijack.JmpTo[77E05FFD]
Analysis: ws2_32.dll, export table found in section .text
Analysis: wininet.dll, export table found in section .text
Analysis: rasapi32.dll, export table found in section .text
Analysis: urlmon.dll, export table found in section .text
Analysis: netapi32.dll, export table found in section .text
1.2 Searching for kernel-mode API hooks
Driver loaded successfully
SDT found (RVA=085700)
Kernel ntkrnlpa.exe found in memory at address 804D7000
SDT = 8055C700
KiST = 805044C4 (284)
Function NtAdjustPrivilegesToken (0B) intercepted (805EC410->B35A64EE), hook C:\WINDOWS\System32\DRIVERS\cmdguard.sys
Function NtClose (19) intercepted (805BC538->B8733E24), hook not defined
Function NtConnectPort (1F) intercepted (805A45D8->B35A579E), hook C:\WINDOWS\System32\DRIVERS\cmdguard.sys
Function NtCreateFile (25) intercepted (805790A2->B35A611C), hook C:\WINDOWS\System32\DRIVERS\cmdguard.sys
Function NtCreateKey (29) intercepted (8062423A->B8733DDE), hook not defined
Function NtCreateSection (32) intercepted (805AB3D0->B8733E2E), hook not defined
Function NtCreateSymbolicLinkObject (34) intercepted (805C3A02->B35A8882), hook C:\WINDOWS\System32\DRIVERS\cmdguard.sys
Function NtCreateThread (35) intercepted (805D1038->B8733DD4), hook not defined
Function NtDeleteKey (3F) intercepted (806246D6->B8733DE3), hook not defined
Function NtDeleteValueKey (41) intercepted (806248A6->B8733DED), hook not defined
Function NtDuplicateObject (44) intercepted (805BE010->B8733E1F), hook not defined
Function NtEnumerateKey (47) intercepted (80624A86->B35A7994), hook C:\WINDOWS\System32\DRIVERS\cmdguard.sys
Function NtEnumerateValueKey (49) intercepted (80624CF0->B35A7BA8), hook C:\WINDOWS\System32\DRIVERS\cmdguard.sys
Function NtLoadDriver (61) intercepted (80584172->B35A8288), hook C:\WINDOWS\System32\DRIVERS\cmdguard.sys
Function NtLoadKey (62) intercepted (8062645E->B8733DF2), hook not defined
Function NtMakeTemporaryObject (69) intercepted (805BC5DC->B35A5A82), hook C:\WINDOWS\System32\DRIVERS\cmdguard.sys
Function NtNotifyChangeKey (6F) intercepted (80626428->B35A8B54), hook C:\WINDOWS\System32\DRIVERS\cmdguard.sys
Function NtNotifyChangeMultipleKeys (70) intercepted (8062505C->B35A7752), hook C:\WINDOWS\System32\DRIVERS\cmdguard.sys
Function NtOpenFile (74) intercepted (8057A1A0->B35A6314), hook C:\WINDOWS\System32\DRIVERS\cmdguard.sys
Function NtOpenKey (77) intercepted (80625618->B35A6DB0), hook C:\WINDOWS\System32\DRIVERS\cmdguard.sys
Function NtOpenProcess (7A) intercepted (805CB456->B8733DC0), hook not defined
Function NtOpenSection (7D) intercepted (805AA3F4->B35A5D36), hook C:\WINDOWS\System32\DRIVERS\cmdguard.sys
Function NtOpenThread (80) intercepted (805CB6E2->B8733DC5), hook not defined
Function NtQueryKey (A0) intercepted (8062595A->B35A7D1A), hook C:\WINDOWS\System32\DRIVERS\cmdguard.sys
Function NtQueryMultipleValueKey (A1) intercepted (80623388->B35A7FCE), hook C:\WINDOWS\System32\DRIVERS\cmdguard.sys
Function NtQueryValueKey (B1) intercepted (8062245E->B8733E47), hook not defined
Function NtRenameKey (C0) intercepted (80623C5C->B35A74A8), hook C:\WINDOWS\System32\DRIVERS\cmdguard.sys
Function NtReplaceKey (C1) intercepted (8062630E->B8733DFC), hook not defined
Function NtRequestWaitReplyPort (C8) intercepted (805A2D7E->B8733E38), hook not defined
Function NtRestoreKey (CC) intercepted (80625C1A->B8733DF7), hook not defined
Function NtSetContextThread (D5) intercepted (805D2C1A->B8733E33), hook not defined
Function NtSetSecurityObject (ED) intercepted (805C0636->B8733E3D), hook not defined
Function NtSetSystemInformation (F0) intercepted (8060FE68->B35A8588), hook C:\WINDOWS\System32\DRIVERS\cmdguard.sys
Function NtSetValueKey (F7) intercepted (806227AC->B8733DE8), hook not defined
Function NtShutdownSystem (F9) intercepted (806130F2->B35A59EC), hook C:\WINDOWS\System32\DRIVERS\cmdguard.sys
Function NtSystemDebugControl (FF) intercepted (8061820E->B8733E42), hook not defined
Function NtTerminateProcess (101) intercepted (805D22D8->B8733DCF), hook not defined
Function NtTerminateThread (102) intercepted (805D24D2->B35A534C), hook C:\WINDOWS\System32\DRIVERS\cmdguard.sys
Functions checked: 284, intercepted: 38, restored: 0
1.3 Checking IDT and SYSENTER
Analyzing CPU 1
Analyzing CPU 2
Checking IDT and SYSENTER - complete
1.4 Searching for masking processes and drivers
Checking not performed: extended monitoring driver (AVZPM) is not installed
1.5 Checking IRP handlers
Driver loaded successfully
Checking - complete
2. Scanning RAM
Number of processes found: 30
Number of modules loaded: 362
Scanning RAM - complete
3. Scanning disks
4. Checking Winsock Layered Service Provider (SPI/LSP)
LSP settings checked. No errors detected
5. Searching for keyboard/mouse/windows events hooks (Keyloggers, Trojan DLLs)
C:\WINDOWS\system32\msv1_0.dll --> Suspicion for Keylogger or Trojan DLL
C:\WINDOWS\system32\msv1_0.dll>>> Behaviour analysis
Behaviour typical for keyloggers was not detected
Note: Do NOT delete suspicious files, send them for analysis (see FAQ for more details), because there are lots of useful hooking DLLs
6. Searching for opened TCP/UDP ports used by malicious software
In the database 317 port descriptions
Opened at this PC: 33 TCP ports and 7 UDP ports
Checking - complete; no suspicious ports detected
7. Heuristic system check
>>> Suspicion for service/driver reg key masking "RealNetworks Downloader Resolver Servic"
Checking - complete
8. Searching for vulnerabilities
>> Services: potentially dangerous service allowed: TermService (Usługi terminalowe)
>> Services: potentially dangerous service allowed: Schedule (Harmonogram zadań)
>> Services: potentially dangerous service allowed: mnmsrvc (NetMeeting Remote Desktop Sharing)
>> Services: potentially dangerous service allowed: RDSessMgr (Menedżer sesji pomocy pulpitu zdalnego)
> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
>> Security: disk drives' autorun is enabled
>> Security: administrative shares (C$, D$ ...) are enabled
>> Security: anonymous user access is enabled
Checking - complete
9. Troubleshooting wizard
Checking - complete
Files scanned: 392, extracted from archives: 0, malicious software found 0, suspicions - 0
Scanning finished at 16.05.2013 18:24:46
Time of scanning: 00:01:06
If you have a suspicion on presence of viruses or questions on the suspected objects, you can address http://forum.kaspersky.com/index.php?showforum=19