07/12/2008 09:28:15 г Windows version: Microsoft Windows XP, Build=2600, SP="Service Pack 2"
07/12/2008 09:28:15 г System Restore: Disabled
07/12/2008 09:28:15 г >> Danger ! Process masking detected
07/12/2008 09:28:15 г >>>> Process masking detected 436 MPK.exe
07/12/2008 09:28:16 г 1.1 Searching for user-mode API hooks
07/12/2008 09:28:17 г Analysis: kernel32.dll, export table found in section .text
07/12/2008 09:28:17 г Function kernel32.dll:CreateProcessA (99) intercepted, method ProcAddressHijack.GetProcAddress ->7C802367->61F03F42
07/12/2008 09:28:17 г Hook kernel32.dll:CreateProcessA (99) blocked
07/12/2008 09:28:17 г Function kernel32.dll:CreateProcessW (103) intercepted, method ProcAddressHijack.GetProcAddress ->7C802332->61F04040
07/12/2008 09:28:17 г Hook kernel32.dll:CreateProcessW (103) blocked
07/12/2008 09:28:17 г Function kernel32.dll:FreeLibrary (241) intercepted, method ProcAddressHijack.GetProcAddress ->7C80ABDE->61F041FC
07/12/2008 09:28:17 г Hook kernel32.dll:FreeLibrary (241) blocked
07/12/2008 09:28:17 г Function kernel32.dll:GetModuleFileNameA (372) intercepted, method ProcAddressHijack.GetProcAddress ->7C80B4CF->61F040FB
07/12/2008 09:28:17 г Hook kernel32.dll:GetModuleFileNameA (372) blocked
07/12/2008 09:28:17 г Function kernel32.dll:GetModuleFileNameW (373) intercepted, method ProcAddressHijack.GetProcAddress ->7C80B3D5->61F041A0
07/12/2008 09:28:17 г Hook kernel32.dll:GetModuleFileNameW (373) blocked
07/12/2008 09:28:17 г Function kernel32.dll:GetProcAddress (408) intercepted, method ProcAddressHijack.GetProcAddress ->7C80ADA0->61F04648
07/12/2008 09:28:17 г Hook kernel32.dll:GetProcAddress (408) blocked
07/12/2008 09:28:17 г Function kernel32.dll:LoadLibraryA (578) intercepted, method ProcAddressHijack.GetProcAddress ->7C801D77->61F03C6F
07/12/2008 09:28:17 г Hook kernel32.dll:LoadLibraryA (578) blocked
07/12/2008 09:28:17 г >>> Functions LoadLibraryA - preventing AVZ process from being intercepted by address replacement !!
07/12/2008 09:28:17 г Function kernel32.dll:LoadLibraryExA (579) intercepted, method ProcAddressHijack.GetProcAddress ->7C801D4F->61F03DAF
07/12/2008 09:28:17 г Hook kernel32.dll:LoadLibraryExA (579) blocked
07/12/2008 09:28:17 г >>> Functions LoadLibraryExA - preventing AVZ process from being intercepted by address replacement !!
07/12/2008 09:28:17 г Function kernel32.dll:LoadLibraryExW (580) intercepted, method ProcAddressHijack.GetProcAddress ->7C801AF1->61F03E5A
07/12/2008 09:28:17 г Hook kernel32.dll:LoadLibraryExW (580) blocked
07/12/2008 09:28:17 г Function kernel32.dll:LoadLibraryW (581) intercepted, method ProcAddressHijack.GetProcAddress ->7C80AE4B->61F03D0C
07/12/2008 09:28:17 г Hook kernel32.dll:LoadLibraryW (581) blocked
07/12/2008 09:28:17 г IAT modification detected: LoadLibraryW - 01160010<>7C80AE4B
07/12/2008 09:28:17 г Analysis: ntdll.dll, export table found in section .text
07/12/2008 09:28:17 г Function ntdll.dll:NtQuerySystemInformation (263) intercepted, method APICodeHijack.JmpTo[00EE0002]
07/12/2008 09:28:17 г >>> Rootkit code in function NtQuerySystemInformation blocked
07/12/2008 09:28:17 г Analysis: user32.dll, export table found in section .text
07/12/2008 09:28:17 г Analysis: advapi32.dll, export table found in section .text
07/12/2008 09:28:17 г Analysis: ws2_32.dll, export table found in section .text
07/12/2008 09:28:17 г Analysis: wininet.dll, export table found in section .text
07/12/2008 09:28:17 г Analysis: rasapi32.dll, export table found in section .text
07/12/2008 09:28:17 г Analysis: urlmon.dll, export table found in section .text
07/12/2008 09:28:17 г Analysis: netapi32.dll, export table found in section .text
07/12/2008 09:28:18 г >> Danger ! Process masking detected
07/12/2008 09:28:32 г >>>> Suspicion for process masking 436 c:\windows\system32\mpk\mpk.exe
07/12/2008 09:28:32 г 1.2 Searching for kernel-mode API hooks
07/12/2008 09:28:32 г Driver loaded successfully
07/12/2008 09:28:32 г SDT found (RVA=0846E0)
07/12/2008 09:28:32 г Kernel ntkrnlpa.exe found in memory at address 804D7000
07/12/2008 09:28:32 г SDT = 8055B6E0
07/12/2008 09:28:32 г KiST = 80503960 (284)
07/12/2008 09:28:32 г Function NtCreateKey (29) intercepted (80622110->F73BF0B0), hook C:\WINDOWS\system32\Drivers\sptd.sys
07/12/2008 09:28:32 г >>> Function restored successfully !
07/12/2008 09:28:32 г >>> Hook code blocked
07/12/2008 09:28:32 г Function NtEnumerateKey (47) intercepted (80622950->F73C3D1C), hook C:\WINDOWS\system32\Drivers\sptd.sys
07/12/2008 09:28:32 г >>> Function restored successfully !
07/12/2008 09:28:32 г >>> Hook code blocked
07/12/2008 09:28:32 г Function NtEnumerateValueKey (49) intercepted (80622BBA->F73C40BC), hook C:\WINDOWS\system32\Drivers\sptd.sys
07/12/2008 09:28:32 г >>> Function restored successfully !
07/12/2008 09:28:32 г >>> Hook code blocked
07/12/2008 09:28:32 г Function NtOpenKey (77) intercepted (806234A6->F73BF090), hook C:\WINDOWS\system32\Drivers\sptd.sys
07/12/2008 09:28:32 г >>> Function restored successfully !
07/12/2008 09:28:32 г >>> Hook code blocked
07/12/2008 09:28:32 г Function NtQueryKey (A0) intercepted (806237CA->F73C4194), hook C:\WINDOWS\system32\Drivers\sptd.sys
07/12/2008 09:28:32 г >>> Function restored successfully !
07/12/2008 09:28:32 г >>> Hook code blocked
07/12/2008 09:28:32 г Function NtQueryValueKey (B1) intercepted (806201CA->F73C4014), hook C:\WINDOWS\system32\Drivers\sptd.sys
07/12/2008 09:28:32 г >>> Function restored successfully !
07/12/2008 09:28:32 г >>> Hook code blocked
07/12/2008 09:28:32 г Function NtSetValueKey (F7) intercepted (806207D0->F73C4226), hook C:\WINDOWS\system32\Drivers\sptd.sys
07/12/2008 09:28:32 г >>> Function restored successfully !
07/12/2008 09:28:32 г >>> Hook code blocked
07/12/2008 09:28:33 г Functions checked: 284, intercepted: 7, restored: 7
07/12/2008 09:28:33 г 1.3 Checking IDT and SYSENTER
07/12/2008 09:28:33 г Analysis for CPU 1
07/12/2008 09:28:34 г >>> Danger - possible CPU address substitution[1].IDT[06] = [F65B316D] C:\WINDOWS\system32\drivers\Haspnt.sys, driver recognized as trusted
07/12/2008 09:28:34 г >>> Danger - possible CPU address substitution[1].IDT[0E] = [F65B2FC2] C:\WINDOWS\system32\drivers\Haspnt.sys, driver recognized as trusted
07/12/2008 09:28:34 г Analysis for CPU 2
07/12/2008 09:28:34 г >>> Danger - possible CPU address substitution[2].IDT[06] = [F65B316D] C:\WINDOWS\system32\drivers\Haspnt.sys, driver recognized as trusted
07/12/2008 09:28:34 г >>> Danger - possible CPU address substitution[2].IDT[0E] = [F65B2FC2] C:\WINDOWS\system32\drivers\Haspnt.sys, driver recognized as trusted
07/12/2008 09:28:34 г Checking IDT and SYSENTER - complete
07/12/2008 09:28:35 г 1.4 Searching for masking processes and drivers
07/12/2008 09:28:35 г Checking not performed: extended monitoring driver (AVZPM) is not installed
07/12/2008 09:28:35 г Driver loaded successfully
07/12/2008 09:28:35 г 1.5 Checking of IRP handlers
07/12/2008 09:28:35 г \FileSystem\ntfs[IRP_MJ_CREATE] = 865761D8 -> hook not defined
07/12/2008 09:28:35 г \FileSystem\ntfs[IRP_MJ_CLOSE] = 865761D8 -> hook not defined
07/12/2008 09:28:35 г \FileSystem\ntfs[IRP_MJ_WRITE] = 865761D8 -> hook not defined
07/12/2008 09:28:35 г \FileSystem\ntfs[IRP_MJ_QUERY_INFORMATION] = 865761D8 -> hook not defined
07/12/2008 09:28:35 г \FileSystem\ntfs[IRP_MJ_SET_INFORMATION] = 865761D8 -> hook not defined
07/12/2008 09:28:35 г \FileSystem\ntfs[IRP_MJ_QUERY_EA] = 865761D8 -> hook not defined
07/12/2008 09:28:35 г \FileSystem\ntfs[IRP_MJ_SET_EA] = 865761D8 -> hook not defined
07/12/2008 09:28:35 г \FileSystem\ntfs[IRP_MJ_QUERY_VOLUME_INFORMATION] = 865761D8 -> hook not defined
07/12/2008 09:28:35 г \FileSystem\ntfs[IRP_MJ_SET_VOLUME_INFORMATION] = 865761D8 -> hook not defined
07/12/2008 09:28:35 г \FileSystem\ntfs[IRP_MJ_DIRECTORY_CONTROL] = 865761D8 -> hook not defined
07/12/2008 09:28:35 г \FileSystem\ntfs[IRP_MJ_FILE_SYSTEM_CONTROL] = 865761D8 -> hook not defined
07/12/2008 09:28:35 г \FileSystem\ntfs[IRP_MJ_DEVICE_CONTROL] = 865761D8 -> hook not defined
07/12/2008 09:28:35 г \FileSystem\ntfs[IRP_MJ_LOCK_CONTROL] = 865761D8 -> hook not defined
07/12/2008 09:28:35 г \FileSystem\ntfs[IRP_MJ_QUERY_SECURITY] = 865761D8 -> hook not defined
07/12/2008 09:28:35 г \FileSystem\ntfs[IRP_MJ_SET_SECURITY] = 865761D8 -> hook not defined
07/12/2008 09:28:35 г \FileSystem\ntfs[IRP_MJ_PNP] = 865761D8 -> hook not defined
07/12/2008 09:28:35 г \FileSystem\FastFat[IRP_MJ_CREATE] = 85DA4990 -> hook not defined
07/12/2008 09:28:35 г \FileSystem\FastFat[IRP_MJ_CLOSE] = 85DA4990 -> hook not defined
07/12/2008 09:28:35 г \FileSystem\FastFat[IRP_MJ_WRITE] = 85DA4990 -> hook not defined
07/12/2008 09:28:35 г \FileSystem\FastFat[IRP_MJ_QUERY_INFORMATION] = 85DA4990 -> hook not defined
07/12/2008 09:28:35 г \FileSystem\FastFat[IRP_MJ_SET_INFORMATION] = 85DA4990 -> hook not defined
07/12/2008 09:28:35 г \FileSystem\FastFat[IRP_MJ_QUERY_EA] = 85DA4990 -> hook not defined
07/12/2008 09:28:35 г \FileSystem\FastFat[IRP_MJ_SET_EA] = 85DA4990 -> hook not defined
07/12/2008 09:28:35 г \FileSystem\FastFat[IRP_MJ_QUERY_VOLUME_INFORMATION] = 85DA4990 -> hook not defined
07/12/2008 09:28:35 г \FileSystem\FastFat[IRP_MJ_SET_VOLUME_INFORMATION] = 85DA4990 -> hook not defined
07/12/2008 09:28:35 г \FileSystem\FastFat[IRP_MJ_DIRECTORY_CONTROL] = 85DA4990 -> hook not defined
07/12/2008 09:28:35 г \FileSystem\FastFat[IRP_MJ_FILE_SYSTEM_CONTROL] = 85DA4990 -> hook not defined
07/12/2008 09:28:35 г \FileSystem\FastFat[IRP_MJ_DEVICE_CONTROL] = 85DA4990 -> hook not defined
07/12/2008 09:28:35 г \FileSystem\FastFat[IRP_MJ_LOCK_CONTROL] = 85DA4990 -> hook not defined
07/12/2008 09:28:35 г \FileSystem\FastFat[IRP_MJ_PNP] = 85DA4990 -> hook not defined
07/12/2008 09:28:35 г Checking - complete
07/12/2008 09:28:36 г C:\WINDOWS\system32\MPK\MPK.dll --> Suspicion for Keylogger or Trojan DLL
07/12/2008 09:28:36 г C:\WINDOWS\system32\MPK\MPK.dll>>> Behavioral analysis
07/12/2008 09:28:36 г 1. Reacts to events: keyboard
07/12/2008 09:28:36 г 2. Sends data to process: 436 C:\WINDOWS\system32\MPK\MPK.exe (window = "101")
07/12/2008 09:28:36 г 3. Sends data to process: 436 C:\WINDOWS\system32\MPK\MPK.exe (window = "106")
07/12/2008 09:28:36 г C:\WINDOWS\system32\MPK\MPK.dll>>> Neural net: file with probability 0.00% like a typical keyboard/mouse events interceptor
07/12/2008 09:28:41 г Note: Do NOT delete suspicious files, send them for analysis (see FAQ for more details), because there are lots of useful hooking DLLs
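Reading the anti-rootkit section above as an analyst: the ten kernel32 exports are redirected by "ProcAddressHijack", meaning the address the export table hands back from GetProcAddress was replaced rather than the code patched, and every replacement lands in one small range (61F03C6F..61F04648), so one injected DLL owns all of them. ntdll NtQuerySystemInformation is patched inline instead ("APICodeHijack.JmpTo"), which is the standard user-mode way to filter the process list and matches the masking of PID 436 (MPK.exe); the MPK.dll behavioural block then ties a keyboard hook to that same process. The seven SSDT hooks are all registry Nt*Key services and all belong to sptd.sys, the SCSI Pass Through Direct driver shipped with disc-emulation software (DAEMON Tools, Alcohol 120%), which hooks these to protect its own registry keys and is a well-known anti-rootkit false positive. IDT vectors 06 (#UD, invalid opcode) and 0E (#PF, page fault) on both CPUs point into Haspnt.sys, the HASP dongle driver, which AVZ itself marks as trusted. The script below is an added example, not AVZ code and not from the original page: it parses those message formats (assumed from the log above) and groups the findings by hooking module so the "how many actors?" question is answered mechanically. SAMPLE is a verbatim subset of the log's own lines.

```python
"""Triage an AVZ anti-rootkit log: who hooks what.

Added example; not part of AVZ or of the original log page.  Parses the
hook-detection messages (user-mode export/IAT hijacks, kernel SSDT hooks, IDT
entries, process masking, keylogger behavioural block) and groups them.
Message formats are assumed from the log above; SAMPLE is a subset of it.
"""
import re
from collections import defaultdict

SAMPLE = r"""07/12/2008 09:28:15 г >>>> Process masking detected 436 MPK.exe
07/12/2008 09:28:17 г Function kernel32.dll:CreateProcessA (99) intercepted, method ProcAddressHijack.GetProcAddress ->7C802367->61F03F42
07/12/2008 09:28:17 г Function kernel32.dll:GetModuleFileNameW (373) intercepted, method ProcAddressHijack.GetProcAddress ->7C80B3D5->61F041A0
07/12/2008 09:28:17 г Function kernel32.dll:GetProcAddress (408) intercepted, method ProcAddressHijack.GetProcAddress ->7C80ADA0->61F04648
07/12/2008 09:28:17 г Function kernel32.dll:LoadLibraryA (578) intercepted, method ProcAddressHijack.GetProcAddress ->7C801D77->61F03C6F
07/12/2008 09:28:17 г Function kernel32.dll:LoadLibraryW (581) intercepted, method ProcAddressHijack.GetProcAddress ->7C80AE4B->61F03D0C
07/12/2008 09:28:17 г IAT modification detected: LoadLibraryW - 01160010<>7C80AE4B
07/12/2008 09:28:17 г Function ntdll.dll:NtQuerySystemInformation (263) intercepted, method APICodeHijack.JmpTo[00EE0002]
07/12/2008 09:28:32 г Function NtCreateKey (29) intercepted (80622110->F73BF0B0), hook C:\WINDOWS\system32\Drivers\sptd.sys
07/12/2008 09:28:32 г Function NtEnumerateKey (47) intercepted (80622950->F73C3D1C), hook C:\WINDOWS\system32\Drivers\sptd.sys
07/12/2008 09:28:32 г Function NtQueryValueKey (B1) intercepted (806201CA->F73C4014), hook C:\WINDOWS\system32\Drivers\sptd.sys
07/12/2008 09:28:32 г Function NtSetValueKey (F7) intercepted (806207D0->F73C4226), hook C:\WINDOWS\system32\Drivers\sptd.sys
07/12/2008 09:28:34 г >>> Danger - possible CPU address substitution[1].IDT[06] = [F65B316D] C:\WINDOWS\system32\drivers\Haspnt.sys, driver recognized as trusted
07/12/2008 09:28:34 г >>> Danger - possible CPU address substitution[1].IDT[0E] = [F65B2FC2] C:\WINDOWS\system32\drivers\Haspnt.sys, driver recognized as trusted
07/12/2008 09:28:36 г C:\WINDOWS\system32\MPK\MPK.dll --> Suspicion for Keylogger or Trojan DLL
07/12/2008 09:28:36 г 1. Reacts to events: keyboard
07/12/2008 09:28:36 г 2. Sends data to process: 436 C:\WINDOWS\system32\MPK\MPK.exe (window = "101")
"""

# "dd/mm/yyyy hh:mm:ss г " prefix; the "г" is the Russian year abbreviation AVZ prints.
_TS = re.compile(r"^\d\d/\d\d/\d{4} \d\d:\d\d:\d\d (?:г )?")
_USER = re.compile(r"^Function (?P<module>[\w.]+):(?P<func>\w+) \((?P<ordinal>\d+)\) intercepted, "
                   r"method (?P<method>[\w.]+)(?:\[(?P<target>[0-9A-F]+)\])?"
                   r"(?: ->(?P<orig>[0-9A-F]+)->(?P<hook>[0-9A-F]+))?")
_IAT = re.compile(r"^IAT modification detected: (?P<func>\w+) - (?P<iat>[0-9A-F]+)<>(?P<export>[0-9A-F]+)")
_KERNEL = re.compile(r"^Function (?P<func>\w+) \((?P<index>[0-9A-F]+)\) intercepted "
                     r"\((?P<orig>[0-9A-F]+)->(?P<hook>[0-9A-F]+)\), hook (?P<driver>.+)$")
_IDT = re.compile(r"substitution\[(?P<cpu>\d+)\]\.IDT\[(?P<vector>[0-9A-F]+)\] = \[(?P<addr>[0-9A-F]+)\] "
                  r"(?P<driver>.+?)(?P<trusted>, driver recognized as trusted)?$")
_MASK = re.compile(r"Process masking detected (?P<pid>\d+) (?P<image>\S+)$")
_KL = re.compile(r"^(?P<dll>\S+) --> Suspicion for Keylogger")
_EVT = re.compile(r"Reacts to events: (?P<events>.+)$")
_SEND = re.compile(r"Sends data to process: (?P<pid>\d+) (?P<image>\S+)")
_VECTOR = {"06": "#UD invalid opcode", "0E": "#PF page fault"}   # x86 exception vectors

def triage(text):
    t = {"user_hooks": [], "iat": [], "kernel_hooks": defaultdict(list),
         "idt": [], "masked": {}, "keylogger": []}
    kl = None                                   # behavioural block being filled
    for raw in text.splitlines():
        msg = _TS.sub("", raw.rstrip())
        if m := _USER.match(msg):
            d = m.groupdict()
            # where control goes now: JmpTo[target] for an inline patch,
            # the replacement address for an export-table (GetProcAddress) hijack
            d["hook"] = int(d["hook"] or d["target"], 16)
            t["user_hooks"].append(d)
        elif m := _IAT.match(msg):
            t["iat"].append((m["func"], int(m["iat"], 16), int(m["export"], 16)))
        elif m := _KERNEL.match(msg):
            t["kernel_hooks"][m["driver"]].append(m["func"])
        elif m := _IDT.search(msg):
            t["idt"].append({"cpu": int(m["cpu"]), "vector": m["vector"],
                             "name": _VECTOR.get(m["vector"], "vector " + m["vector"]),
                             "driver": m["driver"], "trusted": m["trusted"] is not None})
        elif m := _MASK.search(msg):
            t["masked"][int(m["pid"])] = m["image"]
        elif m := _KL.match(msg):
            kl = {"dll": m["dll"], "events": [], "targets": []}
            t["keylogger"].append(kl)
        elif kl and (m := _EVT.search(msg)):
            kl["events"] += [e.strip() for e in m["events"].split(",")]
        elif kl and (m := _SEND.search(msg)):
            kl["targets"].append(int(m["pid"]))
    return t

def summarize(t):
    """Turn raw findings into the questions an analyst actually asks."""
    s = {}
    pa = [h["hook"] for h in t["user_hooks"] if h["method"].startswith("ProcAddressHijack")]
    # all export hijacks inside one small range => a single injected DLL owns them
    s["usermode_hook_span"] = max(pa) - min(pa) if pa else 0
    s["kernel_hooks_by_driver"] = {d: sorted(f) for d, f in t["kernel_hooks"].items()}
    # a driver whose whole hook set is Nt*Key services filters the registry
    # (hides or protects keys), not files or processes
    s["registry_filtering_drivers"] = sorted(
        d for d, f in t["kernel_hooks"].items() if f and all("Key" in fn for fn in f))
    s["idt_untrusted"] = [e for e in t["idt"] if not e["trusted"]]
    # keylogger DLL reporting to a process that is also hidden from the process list
    targets = {pid for k in t["keylogger"] for pid in k["targets"]}
    s["keylogger_to_masked_process"] = sorted(targets & set(t["masked"]))
    return s

if __name__ == "__main__":
    for key, val in summarize(triage(SAMPLE)).items():
        print(f"{key}: {val}")
```

To use it on a saved log, pass the decoded file contents to `triage()`; the codepage AVZ wrote the file in is whatever the system locale was (an assumption to check per machine, since the "г" marker shows a Russian locale here). The span check is deliberately coarse: a small span only says the hooks share one module, it does not identify the module, which is what the behavioural block (MPK.dll -> PID 436) supplies.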
07/12/2008 09:29:01 г Latent loading of libraries through AppInit_DLLs suspected: "wbsys.dll"
07/12/2008 09:29:02 г >> Services: potentially dangerous service allowed: RemoteRegistry (Remote Registry)
07/12/2008 09:29:02 г >> Services: potentially dangerous service allowed: TermService (Terminal Services)
07/12/2008 09:29:02 г >> Services: potentially dangerous service allowed: SSDPSRV (SSDP Discovery Service)
07/12/2008 09:29:02 г >> Services: potentially dangerous service allowed: Schedule (Task Scheduler)
07/12/2008 09:29:02 г >> Services: potentially dangerous service allowed: mnmsrvc (NetMeeting Remote Desktop Sharing)
07/12/2008 09:29:02 г >> Services: potentially dangerous service allowed: RDSessMgr (Remote Desktop Help Session Manager)
07/12/2008 09:29:02 г > Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
07/12/2008 09:29:02 г >> Security: disk drives' autorun is enabled
07/12/2008 09:29:02 г >> Security: administrative shares (C$, D$ ...) are enabled
07/12/2008 09:29:02 г >> Security: anonymous user access is enabled
07/12/2008 09:29:03 г >> Security: sending Remote Assistant queries is enabled
07/12/2008 09:29:04 г >> Abnormal SCR files association
07/12/2008 09:29:10 г >> Service termination timeout is out of admissible values
07/12/2008 09:29:10 г >> Disable HDD autorun
07/12/2008 09:29:10 г >> Disable autorun from network drives
07/12/2008 09:29:11 г >> Disable CD/DVD autorun
07/12/2008 09:29:11 г >> Disable removable media autorun
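The service, autorun, share, anonymous-access and Remote Assistance findings above each correspond to one registry value, and the four "Disable ... autorun" lines are four bits of a single value: NoDriveTypeAutoRun under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer is a bitmask indexed by drive type (removable 0x04, fixed 0x08, network 0x10, CD-ROM 0x20; 0xFF disables all of them). Administrative shares are governed by AutoShareWks under LanmanServer\Parameters (AutoShareServer on server SKUs), anonymous enumeration by RestrictAnonymous under Control\Lsa (XP additionally has RestrictAnonymousSAM and EveryoneIncludesAnonymous), and Remote Assistance requests by fAllowToGetHelp under Control\Terminal Server; a service's Start value of 4 means disabled. The checker below is an added example, not AVZ code and not from the original page; the registry paths are the documented XP ones, the service list is the one the log flags, and two points are assumptions: like AVZ, a service counts as "allowed" unless it is disabled, and an absent value counts as not hardened. `audit()` is a pure function over a dict so it runs anywhere and is what the test exercises; `read_registry()` fills that dict on Windows.

```python
"""Map AVZ's hardening findings (services, autorun, admin shares, anonymous
access, Remote Assistance) to the registry values behind them.

Added example, not AVZ code and not from the original page.  Assumptions: a
service is "allowed" unless Start == 4, and a missing value is not hardened.
"""
EXPLORER_POLICY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
SERVICE_DISABLED = 4        # Start: 2 = automatic, 3 = manual, 4 = disabled
RISKY_SERVICES = ["RemoteRegistry", "TermService", "SSDPSRV", "Schedule", "mnmsrvc", "RDSessMgr"]

# NoDriveTypeAutoRun bit = 1 << DRIVE_TYPE: removable=2, fixed=3, network=4, CD-ROM=5.
# 0xFF disables autorun for every drive type.  Labels follow AVZ's wording.
AUTORUN_BITS = {"removable media autorun": 0x04, "HDD autorun": 0x08,
                "autorun from network drives": 0x10, "CD/DVD autorun": 0x20}

# (HKLM subkey, value name, hardened value, AVZ's wording for the weak state)
VALUE_CHECKS = [
    (r"SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters", "AutoShareWks", 0,
     "Security: administrative shares (C$, D$ ...) are enabled"),
    (r"SYSTEM\CurrentControlSet\Control\Lsa", "RestrictAnonymous", 1,
     "Security: anonymous user access is enabled"),
    (r"SYSTEM\CurrentControlSet\Control\Terminal Server", "fAllowToGetHelp", 0,
     "Security: sending Remote Assistant queries is enabled"),
]

def service_key(name):
    return r"SYSTEM\CurrentControlSet\Services" + "\\" + name

def audit(reg):
    """reg: {(HKLM subkey, value name): value}.  Returns [(finding, fix)] in AVZ's order."""
    findings = []
    for svc in RISKY_SERVICES:
        start = reg.get((service_key(svc), "Start"))
        if start is not None and start != SERVICE_DISABLED:      # absent = not installed
            findings.append((f"Services: potentially dangerous service allowed: {svc}",
                             f"HKLM\\{service_key(svc)}\\Start = 4 (stop the service first)"))
    for path, name, hardened, text in VALUE_CHECKS:
        if reg.get((path, name)) != hardened:
            findings.append((text, f"HKLM\\{path}\\{name} = {hardened}"))
    mask = reg.get((EXPLORER_POLICY, "NoDriveTypeAutoRun"), 0)   # absent = autorun on
    for text, bit in AUTORUN_BITS.items():
        if not mask & bit:
            findings.append((f"Disable {text}",
                             f"HKLM\\{EXPLORER_POLICY}\\NoDriveTypeAutoRun |= 0x{bit:02X} (0xFF = all)"))
    return findings

def hardened_values():
    """The registry state under which audit() reports nothing."""
    reg = {(service_key(s), "Start"): SERVICE_DISABLED for s in RISKY_SERVICES}
    reg[(EXPLORER_POLICY, "NoDriveTypeAutoRun")] = 0xFF
    for path, name, hardened, _ in VALUE_CHECKS:
        reg[(path, name)] = hardened
    return reg

def read_registry():
    """Windows only: collect the audited values from HKLM with winreg."""
    import winreg
    wanted = [(EXPLORER_POLICY, "NoDriveTypeAutoRun")]
    wanted += [(p, n) for p, n, _, _ in VALUE_CHECKS]
    wanted += [(service_key(s), "Start") for s in RISKY_SERVICES]
    reg = {}
    for path, name in wanted:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
                reg[(path, name)] = winreg.QueryValueEx(key, name)[0]
        except OSError:
            pass            # absent key or value: audit() treats it as not hardened
    return reg

# Constructed sample mirroring what the log above reports: every risky service on
# manual start, no autorun policy, shares auto-created, anonymous and RA allowed.
SAMPLE_REG = {(service_key(s), "Start"): 3 for s in RISKY_SERVICES}
SAMPLE_REG[(r"SYSTEM\CurrentControlSet\Control\Lsa", "RestrictAnonymous")] = 0
SAMPLE_REG[(r"SYSTEM\CurrentControlSet\Control\Terminal Server", "fAllowToGetHelp")] = 1

if __name__ == "__main__":
    import sys
    reg = read_registry() if sys.platform == "win32" else SAMPLE_REG
    for finding, fix in audit(reg):
        print(f">> {finding}\n   fix: {fix}")
```

Treat the output as a review list, not a script to apply blindly: the log's own note applies, since TermService, Schedule and RemoteRegistry are exactly what an office PC on a managed network relies on, and RestrictAnonymous=1 can break legacy browsing and trust enumeration in old domains.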
07/12/2008 09:29:11 г System Analysis in progress
07/12/2008 09:30:26 г System Analysis - complete
07/12/2008 09:30:26 г Delete file:C:\Documents and Settings\s\Desktop\Virus Removal Tool\is-8LPGP\LOG\avptool_syscheck.htm
07/12/2008 09:30:26 г Delete file:C:\Documents and Settings\s\Desktop\Virus Removal Tool\is-8LPGP\LOG\avptool_syscheck.xml
07/12/2008 09:30:26 г Deleting service/driver: utm3mtq4
07/12/2008 09:30:26 г Delete file:C:\WINDOWS\system32\Drivers\utm3mtq4.sys
07/12/2008 09:30:26 г Deleting service/driver: ujm3mtq4
07/12/2008 09:30:26 г Script executed without errors