file of system analysis

  1. #1
    Junior Member
    Registered: 15.01.2009
    Posts: 1

    Help on this?

    <AVZ_CollectSysInfo>
    --------------------
    Start time: 1/15/2009 11:36:35 AM
    Duration: 00:03:28
    Finish time: 1/15/2009 11:40:03 AM


    <AVZ_CollectSysInfo>
    --------------------
    Time Event
    ---- -----
    1/15/2009 11:36:37 AM Windows version: Microsoft Windows XP, Build=2600, SP="Service Pack 2"
    1/15/2009 11:36:37 AM System Restore: enabled
    1/15/2009 11:36:38 AM 1.1 Searching for user-mode API hooks
    1/15/2009 11:36:39 AM Analysis: kernel32.dll, export table found in section .text
    1/15/2009 11:36:39 AM Function kernel32.dll:CreateProcessA (99) intercepted, method ProcAddressHijack.GetProcAddress ->7C802367->61F03F42
    1/15/2009 11:36:39 AM Hook kernel32.dll:CreateProcessA (99) blocked
    1/15/2009 11:36:39 AM Function kernel32.dll:CreateProcessW (103) intercepted, method ProcAddressHijack.GetProcAddress ->7C802332->61F04040
    1/15/2009 11:36:39 AM Hook kernel32.dll:CreateProcessW (103) blocked
    1/15/2009 11:36:39 AM Function kernel32.dll:FreeLibrary (241) intercepted, method ProcAddressHijack.GetProcAddress ->7C80AA66->61F041FC
    1/15/2009 11:36:39 AM Hook kernel32.dll:FreeLibrary (241) blocked
    1/15/2009 11:36:39 AM Function kernel32.dll:GetModuleFileNameA (372) intercepted, method ProcAddressHijack.GetProcAddress ->7C80B357->61F040FB
    1/15/2009 11:36:39 AM Hook kernel32.dll:GetModuleFileNameA (372) blocked
    1/15/2009 11:36:39 AM Function kernel32.dll:GetModuleFileNameW (373) intercepted, method ProcAddressHijack.GetProcAddress ->7C80B25D->61F041A0
    1/15/2009 11:36:39 AM Hook kernel32.dll:GetModuleFileNameW (373) blocked
    1/15/2009 11:36:39 AM Function kernel32.dll:GetProcAddress (40 intercepted, method ProcAddressHijack.GetProcAddress ->7C80AC28->61F04648
    1/15/2009 11:36:39 AM Hook kernel32.dll:GetProcAddress (40 blocked
    1/15/2009 11:36:39 AM Function kernel32.dll:LoadLibraryA (57 intercepted, method ProcAddressHijack.GetProcAddress ->7C801D77->61F03C6F
    1/15/2009 11:36:39 AM Hook kernel32.dll:LoadLibraryA (57 blocked
    1/15/2009 11:36:39 AM >>> Functions LoadLibraryA - preventing AVZ process from being intercepted by address replacement !!)
    1/15/2009 11:36:39 AM Function kernel32.dll:LoadLibraryExA (579) intercepted, method ProcAddressHijack.GetProcAddress ->7C801D4F->61F03DAF
    1/15/2009 11:36:39 AM Hook kernel32.dll:LoadLibraryExA (579) blocked
    1/15/2009 11:36:39 AM >>> Functions LoadLibraryExA - preventing AVZ process from being intercepted by address replacement !!)
    1/15/2009 11:36:39 AM Function kernel32.dll:LoadLibraryExW (580) intercepted, method ProcAddressHijack.GetProcAddress ->7C801AF1->61F03E5A
    1/15/2009 11:36:39 AM Hook kernel32.dll:LoadLibraryExW (580) blocked
    1/15/2009 11:36:39 AM Function kernel32.dll:LoadLibraryW (581) intercepted, method ProcAddressHijack.GetProcAddress ->7C80ACD3->61F03D0C
    1/15/2009 11:36:39 AM Hook kernel32.dll:LoadLibraryW (581) blocked
    1/15/2009 11:36:39 AM IAT modification detected: LoadLibraryW - 00BE0010<>7C80ACD3
    1/15/2009 11:36:39 AM Analysis: ntdll.dll, export table found in section .text
    1/15/2009 11:36:39 AM Analysis: user32.dll, export table found in section .text
    1/15/2009 11:36:39 AM Analysis: advapi32.dll, export table found in section .text
    1/15/2009 11:36:39 AM Analysis: ws2_32.dll, export table found in section .text
    1/15/2009 11:36:39 AM Analysis: wininet.dll, export table found in section .text
    1/15/2009 11:36:40 AM Analysis: rasapi32.dll, export table found in section .text
    1/15/2009 11:36:40 AM Analysis: urlmon.dll, export table found in section .text
    1/15/2009 11:36:40 AM Analysis: netapi32.dll, export table found in section .text
    1/15/2009 11:36:40 AM 1.2 Searching for kernel-mode API hooks
    1/15/2009 11:36:41 AM Driver loaded successfully
    1/15/2009 11:36:41 AM SDT found (RVA=0846E0)
    1/15/2009 11:36:41 AM Kernel ntkrnlpa.exe found in memory at address 804D7000
    1/15/2009 11:36:41 AM SDT = 8055B6E0
    1/15/2009 11:36:41 AM KiST = 80503734 (284)
    1/15/2009 11:36:42 AM Functions checked: 284, intercepted: 0, restored: 0
    1/15/2009 11:36:42 AM 1.3 Checking IDT and SYSENTER
    1/15/2009 11:36:42 AM Analysis for CPU 1
    1/15/2009 11:36:42 AM Analysis for CPU 2
    1/15/2009 11:36:42 AM Checking IDT and SYSENTER - complete
    1/15/2009 11:36:42 AM 1.4 Searching for masking processes and drivers
    1/15/2009 11:36:42 AM Checking not performed: extended monitoring driver (AVZPM) is not installed
    1/15/2009 11:36:42 AM Driver loaded successfully
    1/15/2009 11:36:42 AM 1.5 Checking of IRP handlers
    1/15/2009 11:36:42 AM Checking - complete
    1/15/2009 11:36:44 AM C:\WINDOWS\system32\avgrsstx.dll --> Suspicion for Keylogger or Trojan DLL
    1/15/2009 11:36:44 AM C:\WINDOWS\system32\avgrsstx.dll>>> Behavioral analysis
    1/15/2009 11:36:44 AM Behaviour typical for keyloggers not detected
    1/15/2009 11:36:46 AM Note: Do NOT delete suspicious files, send them for analysis (see FAQ for more details), because there are lots of useful hooking DLLs
    1/15/2009 11:36:54 AM Latent loading of libraries through AppInit_DLLs suspected: "avgrsstx.dll acaptuser32.dll"
    1/15/2009 11:36:55 AM >> Services: potentially dangerous service allowed: TermService (Terminal Services)
    1/15/2009 11:36:55 AM >> Services: potentially dangerous service allowed: SSDPSRV (SSDP Discovery Service)
    1/15/2009 11:36:55 AM >> Services: potentially dangerous service allowed: Schedule (Task Scheduler)
    1/15/2009 11:36:55 AM >> Services: potentially dangerous service allowed: mnmsrvc (NetMeeting Remote Desktop Sharing)
    1/15/2009 11:36:55 AM >> Services: potentially dangerous service allowed: RDSessMgr (Remote Desktop Help Session Manager)
    1/15/2009 11:36:55 AM > Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
    1/15/2009 11:36:55 AM >> Security: disk drives' autorun is enabled
    1/15/2009 11:36:55 AM >> Security: administrative shares (C$, D$ ...) are enabled
    1/15/2009 11:36:55 AM >> Security: anonymous user access is enabled
    1/15/2009 11:36:55 AM >> Security: sending Remote Assistant queries is enabled
    1/15/2009 11:36:58 AM >> Disable HDD autorun
    1/15/2009 11:36:58 AM >> Disable autorun from network drives
    1/15/2009 11:36:59 AM >> Disable CD/DVD autorun
    1/15/2009 11:36:59 AM >> Disable removable media autorun
    1/15/2009 11:36:59 AM >> Windows Update is disabled
    1/15/2009 11:36:59 AM System Analysis in progress
    1/15/2009 11:40:03 AM System Analysis - complete
    1/15/2009 11:40:03 AM Delete file:C:\Documents and Settings\It support\Desktop\Virus Removal Tool\is-LNJ84\LOG\avptool_syscheck.htm
    1/15/2009 11:40:03 AM Delete file:C:\Documents and Settings\It support\Desktop\Virus Removal Tool\is-LNJ84\LOG\avptool_syscheck.xml
    1/15/2009 11:40:03 AM Deleting service/driver: utm4ntmw
    1/15/2009 11:40:03 AM Delete file:C:\WINDOWS\system32\Drivers\utm4ntmw.sys
    1/15/2009 11:40:03 AM Deleting service/driver: ujm4ntmw
    1/15/2009 11:40:03 AM Script executed without errors

  2. #2
    RiC, Senior Member
    Registered: 22.04.2005
    Posts: 1,988
    Welcome.
    Full logfile inside avptool_syscheck.zip in Avptools folder, attach this file to your post.
