new trojan errors
<AVZ_CollectSysInfo>
--------------------
Start time: 07/25/2008 10:29:26 AM
Duration: 00:01:40
Finish time: 07/25/2008 10:31:06 AM
<AVZ_CollectSysInfo>
--------------------
Time Event
---- -----
07/25/2008 10:29:28 AM 1.1 Searching for user-mode API hooks
07/25/2008 10:29:28 AM Analysis: kernel32.dll, export table found in section .text
07/25/2008 10:29:28 AM Function kernel32.dll:CreateProcessA (99) intercepted, method ProcAddressHijack.GetProcAddress ->7C802367->61F03F42
07/25/2008 10:29:28 AM Hook kernel32.dll:CreateProcessA (99) blocked
07/25/2008 10:29:28 AM Function kernel32.dll:CreateProcessW (103) intercepted, method ProcAddressHijack.GetProcAddress ->7C802332->61F04040
07/25/2008 10:29:28 AM Hook kernel32.dll:CreateProcessW (103) blocked
07/25/2008 10:29:28 AM Function kernel32.dll:FreeLibrary (241) intercepted, method ProcAddressHijack.GetProcAddress ->7C80ABDE->61F041FC
07/25/2008 10:29:28 AM Hook kernel32.dll:FreeLibrary (241) blocked
07/25/2008 10:29:28 AM Function kernel32.dll:GetModuleFileNameA (372) intercepted, method ProcAddressHijack.GetProcAddress ->7C80B4CF->61F040FB
07/25/2008 10:29:28 AM Hook kernel32.dll:GetModuleFileNameA (372) blocked
07/25/2008 10:29:28 AM Function kernel32.dll:GetModuleFileNameW (373) intercepted, method ProcAddressHijack.GetProcAddress ->7C80B3D5->61F041A0
07/25/2008 10:29:28 AM Hook kernel32.dll:GetModuleFileNameW (373) blocked
07/25/2008 10:29:28 AM Function kernel32.dll:GetProcAddress (408) intercepted, method ProcAddressHijack.GetProcAddress ->7C80ADA0->61F04648
07/25/2008 10:29:28 AM Hook kernel32.dll:GetProcAddress (408) blocked
07/25/2008 10:29:28 AM Function kernel32.dll:LoadLibraryA (578) intercepted, method ProcAddressHijack.GetProcAddress ->7C801D77->61F03C6F
07/25/2008 10:29:28 AM Hook kernel32.dll:LoadLibraryA (578) blocked
07/25/2008 10:29:28 AM >>> Functions LoadLibraryA - preventing AVZ process from being intercepted by address replacement !!)
07/25/2008 10:29:28 AM Function kernel32.dll:LoadLibraryExA (579) intercepted, method ProcAddressHijack.GetProcAddress ->7C801D4F->61F03DAF
07/25/2008 10:29:28 AM Hook kernel32.dll:LoadLibraryExA (579) blocked
07/25/2008 10:29:28 AM >>> Functions LoadLibraryExA - preventing AVZ process from being intercepted by address replacement !!)
07/25/2008 10:29:28 AM Function kernel32.dll:LoadLibraryExW (580) intercepted, method ProcAddressHijack.GetProcAddress ->7C801AF1->61F03E5A
07/25/2008 10:29:28 AM Hook kernel32.dll:LoadLibraryExW (580) blocked
07/25/2008 10:29:28 AM Function kernel32.dll:LoadLibraryW (581) intercepted, method ProcAddressHijack.GetProcAddress ->7C80AE4B->61F03D0C
07/25/2008 10:29:28 AM Hook kernel32.dll:LoadLibraryW (581) blocked
07/25/2008 10:29:28 AM IAT modification detected: GetModuleFileNameW - 00AA0010<>7C80B3D5
07/25/2008 10:29:28 AM Analysis: ntdll.dll, export table found in section .text
07/25/2008 10:29:28 AM Function ntdll.dll:LdrGetProcedureAddress (65) intercepted, method ProcAddressHijack.GetProcAddress ->7C919B88->2F7467A
07/25/2008 10:29:28 AM Hook ntdll.dll:LdrGetProcedureAddress (65) blocked
07/25/2008 10:29:28 AM Analysis: user32.dll, export table found in section .text
07/25/2008 10:29:28 AM IAT modification detected: TranslateMessage - 02F7392E<>7E418BF6
07/25/2008 10:29:28 AM Analysis: advapi32.dll, export table found in section .text
07/25/2008 10:29:28 AM Analysis: ws2_32.dll, export table found in section .text
07/25/2008 10:29:28 AM Analysis: wininet.dll, export table found in section .text
07/25/2008 10:29:28 AM Analysis: rasapi32.dll, export table found in section .text
07/25/2008 10:29:29 AM Analysis: urlmon.dll, export table found in section .text
07/25/2008 10:29:29 AM Analysis: netapi32.dll, export table found in section .text
07/25/2008 10:29:29 AM 1.2 Searching for kernel-mode API hooks
07/25/2008 10:29:30 AM Driver loaded successfully
07/25/2008 10:29:30 AM SDT found (RVA=0846E0)
07/25/2008 10:29:30 AM Kernel ntkrnlpa.exe found in memory at address 804D7000
07/25/2008 10:29:30 AM SDT = 8055B6E0
07/25/2008 10:29:30 AM KiST = 80503940 (284)
07/25/2008 10:29:31 AM Functions checked: 284, intercepted: 0, restored: 0
07/25/2008 10:29:31 AM 1.3 Checking IDT and SYSENTER
07/25/2008 10:29:31 AM Analysis for CPU 1
07/25/2008 10:29:31 AM Analysis for CPU 2
07/25/2008 10:29:31 AM Checking IDT and SYSENTER - complete
07/25/2008 10:29:32 AM >>>> Suspicion for Rootkit utk0mtm2 C:\WINDOWS\system32\Drivers\utk0mtm2.sys
07/25/2008 10:29:32 AM 1.4 Searching for masking processes and drivers
07/25/2008 10:29:32 AM Checking not performed: extended monitoring driver (AVZPM) is not installed
07/25/2008 10:29:32 AM Driver loaded successfully
07/25/2008 10:29:32 AM 1.5 Checking of IRP handlers
07/25/2008 10:29:32 AM Checking - complete
07/25/2008 10:29:33 AM C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\MSVCP80.dll --> Suspicion for Keylogger or Trojan DLL
07/25/2008 10:29:33 AM C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\MSVCP80.dll>>> Behavioral analysis
07/25/2008 10:29:33 AM Behaviour typical for keyloggers not detected
07/25/2008 10:29:33 AM C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\MSVCR80.dll --> Suspicion for Keylogger or Trojan DLL
07/25/2008 10:29:33 AM C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\MSVCR80.dll>>> Behavioral analysis
07/25/2008 10:29:33 AM Behaviour typical for keyloggers not detected
07/25/2008 10:29:34 AM C:\Documents and Settings\All Users\Desktop\Kaspersky Lab Tool\is-F3TUN\avzkrnl.dll --> Suspicion for Keylogger/Trojan DLL, being masked as system file
07/25/2008 10:29:34 AM C:\Documents and Settings\All Users\Desktop\Kaspersky Lab Tool\is-F3TUN\avzkrnl.dll>>> Behavioral analysis
07/25/2008 10:29:34 AM 1. Reacts to events: keyboard, all events
07/25/2008 10:29:34 AM C:\Documents and Settings\All Users\Desktop\Kaspersky Lab Tool\is-F3TUN\avzkrnl.dll>>> Neural net: file with probability 0.00% like a typical keyboard/mouse events interceptor
07/25/2008 10:29:34 AM Note: Do NOT delete suspicious files, send them for analysis (see FAQ for more details), because there are lots of useful hooking DLLs
07/25/2008 10:29:51 AM Latent loading of libraries through AppInit_DLLs suspected: "C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL"
07/25/2008 10:29:52 AM >> Services: potentially dangerous service allowed: RemoteRegistry (Remote Registry)
07/25/2008 10:29:52 AM >> Services: potentially dangerous service allowed: TermService (Terminal Services)
07/25/2008 10:29:52 AM >> Services: potentially dangerous service allowed: SSDPSRV (SSDP Discovery Service)