20/01/2009 10:14:37 Windows version: Microsoft Windows XP, Build=2600, SP="Service Pack 3"
20/01/2009 10:14:37 System Restore: enabled
20/01/2009 10:14:40 1.1 Searching for user-mode API hooks
20/01/2009 10:14:40 Analysis: kernel32.dll, export table found in section .text
20/01/2009 10:14:40 Function kernel32.dll:CreateProcessA (99) intercepted, method ProcAddressHijack.GetProcAddress ->7C80236B->61F03F42
20/01/2009 10:14:40 Hook kernel32.dll:CreateProcessA (99) blocked
20/01/2009 10:14:40 Function kernel32.dll:CreateProcessW (103) intercepted, method ProcAddressHijack.GetProcAddress ->7C802336->61F04040
20/01/2009 10:14:40 Hook kernel32.dll:CreateProcessW (103) blocked
20/01/2009 10:14:40 Function kernel32.dll:FreeLibrary (241) intercepted, method ProcAddressHijack.GetProcAddress ->7C80AC6E->61F041FC
20/01/2009 10:14:40 Hook kernel32.dll:FreeLibrary (241) blocked
20/01/2009 10:14:40 Function kernel32.dll:GetModuleFileNameA (373) intercepted, method ProcAddressHijack.GetProcAddress ->7C80B55F->61F040FB
20/01/2009 10:14:40 Hook kernel32.dll:GetModuleFileNameA (373) blocked
20/01/2009 10:14:40 Function kernel32.dll:GetModuleFileNameW (374) intercepted, method ProcAddressHijack.GetProcAddress ->7C80B465->61F041A0
20/01/2009 10:14:40 Hook kernel32.dll:GetModuleFileNameW (374) blocked
20/01/2009 10:14:40 Function kernel32.dll:GetProcAddress (409) intercepted, method ProcAddressHijack.GetProcAddress ->7C80AE30->61F04648
20/01/2009 10:14:40 Hook kernel32.dll:GetProcAddress (409) blocked
20/01/2009 10:14:40 Function kernel32.dll:LoadLibraryA (581) intercepted, method ProcAddressHijack.GetProcAddress ->7C801D7B->61F03C6F
20/01/2009 10:14:40 Hook kernel32.dll:LoadLibraryA (581) blocked
20/01/2009 10:14:40 >>> Functions LoadLibraryA - preventing AVZ process from being intercepted by address replacement !!)
20/01/2009 10:14:40 Function kernel32.dll:LoadLibraryExA (582) intercepted, method ProcAddressHijack.GetProcAddress ->7C801D53->61F03DAF
20/01/2009 10:14:40 Hook kernel32.dll:LoadLibraryExA (582) blocked
20/01/2009 10:14:40 >>> Functions LoadLibraryExA - preventing AVZ process from being intercepted by address replacement !!)
20/01/2009 10:14:40 Function kernel32.dll:LoadLibraryExW (583) intercepted, method ProcAddressHijack.GetProcAddress ->7C801AF5->61F03E5A
20/01/2009 10:14:40 Hook kernel32.dll:LoadLibraryExW (583) blocked
20/01/2009 10:14:40 Function kernel32.dll:LoadLibraryW (584) intercepted, method ProcAddressHijack.GetProcAddress ->7C80AEDB->61F03D0C
20/01/2009 10:14:40 Hook kernel32.dll:LoadLibraryW (584) blocked
20/01/2009 10:14:40 IAT modification detected: LoadLibraryW - 00F40010<>7C80AEDB
20/01/2009 10:14:40 Analysis: ntdll.dll, export table found in section .text
20/01/2009 10:14:41 Analysis: user32.dll, export table found in section .text
20/01/2009 10:14:41 Analysis: advapi32.dll, export table found in section .text
20/01/2009 10:14:41 Analysis: ws2_32.dll, export table found in section .text
20/01/2009 10:14:42 Analysis: wininet.dll, export table found in section .text
20/01/2009 10:14:42 Analysis: rasapi32.dll, export table found in section .text
20/01/2009 10:14:42 Analysis: urlmon.dll, export table found in section .text
20/01/2009 10:14:42 Analysis: netapi32.dll, export table found in section .text
20/01/2009 10:14:44 >> Danger ! Process masking detected
20/01/2009 10:14:51 1.2 Searching for kernel-mode API hooks
20/01/2009 10:14:51 Driver loaded successfully
20/01/2009 10:14:51 SDT found (RVA=083220)
20/01/2009 10:14:51 Kernel ntoskrnl.exe found in memory at address 804D7000
20/01/2009 10:14:51 SDT = 8055A220
20/01/2009 10:14:51 KiST = 804E26A8 (284)
20/01/2009 10:14:51 Function NtAdjustPrivilegesToken (0B) intercepted (8058D0AD->F2887224), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
20/01/2009 10:14:52 >>> Function restored successfully !
20/01/2009 10:14:52 >>> Hook code blocked
20/01/2009 10:14:52 Function NtClose (19) intercepted (805678DD->F28877F, hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
20/01/2009 10:14:52 >>> Function restored successfully !
20/01/2009 10:14:52 >>> Hook code blocked
20/01/2009 10:14:52 Function NtConnectPort (1F) intercepted (805879F7->F2889234), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
20/01/2009 10:14:52 >>> Function restored successfully !
20/01/2009 10:14:52 >>> Hook code blocked
20/01/2009 10:14:52 Function NtCreateFile (25) intercepted (8056CDC0->F2888BE6), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
20/01/2009 10:14:52 >>> Function restored successfully !
20/01/2009 10:14:52 >>> Hook code blocked
20/01/2009 10:14:52 Function NtCreateKey (29) intercepted (8057065D->F288699A), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
20/01/2009 10:14:52 >>> Function restored successfully !
20/01/2009 10:14:52 >>> Hook code blocked
20/01/2009 10:14:52 Function NtCreateSymbolicLinkObject (34) intercepted (8059F519->F288ABC6), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
20/01/2009 10:14:52 >>> Function restored successfully !
20/01/2009 10:14:52 >>> Hook code blocked
20/01/2009 10:14:52 Function NtCreateThread (35) intercepted (8058E64B->F28875F, hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
20/01/2009 10:14:52 >>> Function restored successfully !
20/01/2009 10:14:52 >>> Hook code blocked
20/01/2009 10:14:52 Function NtDeleteKey (3F) intercepted (805952CA->F2886DDC), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
20/01/2009 10:14:52 >>> Function restored successfully !
20/01/2009 10:14:52 >>> Hook code blocked
20/01/2009 10:14:52 Function NtDeleteValueKey (41) intercepted (80592D5C->F2886FDC), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
20/01/2009 10:14:52 >>> Function restored successfully !
20/01/2009 10:14:52 >>> Hook code blocked
20/01/2009 10:14:52 Function NtDeviceIoControlFile (42) intercepted (8058EFB9->F2888EF6), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
20/01/2009 10:14:52 >>> Function restored successfully !
20/01/2009 10:14:52 >>> Hook code blocked
20/01/2009 10:14:52 Function NtDuplicateObject (44) intercepted (805715E0->F288B0CE), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
20/01/2009 10:14:52 >>> Function restored successfully !
20/01/2009 10:14:52 >>> Hook code blocked
20/01/2009 10:14:52 Function NtEnumerateKey (47) intercepted (80570D64->F28870F2), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
20/01/2009 10:14:52 >>> Function restored successfully !
20/01/2009 10:14:52 >>> Hook code blocked
20/01/2009 10:14:52 Function NtEnumerateValueKey (49) intercepted (80590677->F288715A), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
20/01/2009 10:14:52 >>> Function restored successfully !
20/01/2009 10:14:52 >>> Hook code blocked
20/01/2009 10:14:52 Function NtFsControlFile (54) intercepted (8057AAB5->F2888DA, hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
20/01/2009 10:14:53 >>> Function restored successfully !
20/01/2009 10:14:53 >>> Hook code blocked
20/01/2009 10:14:53 Function NtLoadDriver (61) intercepted (805A3B01->F288A66A), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
20/01/2009 10:14:53 >>> Function restored successfully !
20/01/2009 10:14:53 >>> Hook code blocked
20/01/2009 10:14:53 Function NtOpenFile (74) intercepted (8056CD5B->F2888A42), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
20/01/2009 10:14:53 >>> Function restored successfully !
20/01/2009 10:14:53 >>> Hook code blocked
20/01/2009 10:14:53 Function NtOpenKey (77) intercepted (80568D59->F2886AFC), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
20/01/2009 10:14:53 >>> Function restored successfully !
20/01/2009 10:14:53 >>> Hook code blocked
20/01/2009 10:14:53 Function NtOpenProcess (7A) intercepted (805717C7->F28873FC), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
20/01/2009 10:14:53 >>> Function restored successfully !
20/01/2009 10:14:53 >>> Hook code blocked
20/01/2009 10:14:53 Function NtOpenSection (7D) intercepted (80570FD7->F288ABF0), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
20/01/2009 10:14:53 >>> Function restored successfully !
20/01/2009 10:14:53 >>> Hook code blocked
20/01/2009 10:14:53 Function NtOpenThread (80) intercepted (8058A1C9->F288734, hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
20/01/2009 10:14:53 >>> Function restored successfully !
20/01/2009 10:14:53 >>> Hook code blocked
20/01/2009 10:14:53 Function NtQueryKey (A0) intercepted (80570A6D->F28871C2), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
20/01/2009 10:14:53 >>> Function restored successfully !
20/01/2009 10:14:53 >>> Hook code blocked
20/01/2009 10:14:53 Function NtQueryMultipleValueKey (A1) intercepted (8064E338->F2886EC6), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
20/01/2009 10:14:53 >>> Function restored successfully !
20/01/2009 10:14:53 >>> Hook code blocked
20/01/2009 10:14:54 Function NtQueryValueKey (B1) intercepted (8056A1F2->F2886CA4), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
20/01/2009 10:14:54 >>> Function restored successfully !
20/01/2009 10:14:54 >>> Hook code blocked
20/01/2009 10:14:54 Function NtQueueApcThread (B4) intercepted (80591097->F288A8D2), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
20/01/2009 10:14:54 >>> Function restored successfully !
20/01/2009 10:14:54 >>> Hook code blocked
20/01/2009 10:14:54 Function NtReplaceKey (C1) intercepted (8064F112->F288661C), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
20/01/2009 10:14:54 >>> Function restored successfully !
20/01/2009 10:14:54 >>> Hook code blocked
20/01/2009 10:14:54 Function NtRequestWaitReplyPort (C intercepted (80576CE6->F2889ABE), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
20/01/2009 10:14:54 >>> Function restored successfully !
20/01/2009 10:14:54 >>> Hook code blocked
20/01/2009 10:14:54 Function NtRestoreKey (CC) intercepted (8064ECA9->F288677E), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
20/01/2009 10:14:54 >>> Function restored successfully !
20/01/2009 10:14:54 >>> Hook code blocked
20/01/2009 10:14:54 Function NtResumeThread (CE) intercepted (8058ECBE->F288AFA0), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
20/01/2009 10:14:54 >>> Function restored successfully !
20/01/2009 10:14:54 >>> Hook code blocked
20/01/2009 10:14:54 Function NtSaveKey (CF) intercepted (8064EDAA->F288641A), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
20/01/2009 10:14:54 >>> Function restored successfully !
20/01/2009 10:14:54 >>> Hook code blocked
20/01/2009 10:14:54 Function NtSecureConnectPort (D2) intercepted (8058F4EA->F28890D6), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
20/01/2009 10:14:54 >>> Function restored successfully !
20/01/2009 10:14:54 >>> Hook code blocked
20/01/2009 10:14:55 Function NtSetContextThread (D5) intercepted (8062DCF7->F28876F6), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
20/01/2009 10:14:55 >>> Function restored successfully !
20/01/2009 10:14:55 >>> Hook code blocked
20/01/2009 10:14:55 Function NtSetSecurityObject (ED) intercepted (8059B1AB->F288A764), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
20/01/2009 10:14:55 >>> Function restored successfully !
20/01/2009 10:14:55 >>> Hook code blocked
20/01/2009 10:14:55 Function NtSetSystemInformation (F0) intercepted (805A7BED->F288AC1A), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
20/01/2009 10:14:55 >>> Function restored successfully !
20/01/2009 10:14:55 >>> Hook code blocked
20/01/2009 10:14:55 Function NtSetValueKey (F7) intercepted (80572889->F2886B52), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
20/01/2009 10:14:55 >>> Function restored successfully !
20/01/2009 10:14:55 >>> Hook code blocked
20/01/2009 10:14:55 Function NtSuspendProcess (FD) intercepted (8062F8D9->F288ACFE), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
20/01/2009 10:14:55 >>> Function restored successfully !
20/01/2009 10:14:55 >>> Hook code blocked
20/01/2009 10:14:55 Function NtSuspendThread (FE) intercepted (805E046E->F288AE2A), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
20/01/2009 10:14:55 >>> Function restored successfully !
20/01/2009 10:14:55 >>> Hook code blocked
20/01/2009 10:14:55 Function NtSystemDebugControl (FF) intercepted (80649CFB->F288A596), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
20/01/2009 10:14:55 >>> Function restored successfully !
20/01/2009 10:14:55 >>> Hook code blocked
20/01/2009 10:14:55 Function NtTerminateProcess (101) intercepted (805822EC->F28874C, hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
20/01/2009 10:14:55 >>> Function restored successfully !
20/01/2009 10:14:55 >>> Hook code blocked
20/01/2009 10:14:55 Function NtWriteVirtualMemory (115) intercepted (8057E42A->F288753A), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
20/01/2009 10:14:55 >>> Function restored successfully !
20/01/2009 10:14:55 >>> Hook code blocked
20/01/2009 10:14:55 Function FsRtlCheckLockForReadAccess (80512919) - machine code modification Method of JmpTo. jmp F289E874 \SystemRoot\system32\DRIVERS\klif.sys, driver recognized as trusted
20/01/2009 10:14:55 >>> Function restored successfully !
20/01/2009 10:14:55 Function IoIsOperationSynchronous (804E875A) - machine code modification Method of JmpTo. jmp F289EC2E \SystemRoot\system32\DRIVERS\klif.sys, driver recognized as trusted
20/01/2009 10:14:55 >>> Function restored successfully !
20/01/2009 10:14:56 Functions checked: 284, intercepted: 39, restored: 41
20/01/2009 10:14:56 1.3 Checking IDT and SYSENTER
20/01/2009 10:14:56 Analysis for CPU 1
20/01/2009 10:14:56 Checking IDT and SYSENTER - complete
20/01/2009 10:14:58 1.4 Searching for masking processes and drivers
20/01/2009 10:14:58 Checking not performed: extended monitoring driver (AVZPM) is not installed
20/01/2009 10:14:58 Driver loaded successfully
20/01/2009 10:14:58 1.5 Checking of IRP handlers
20/01/2009 10:14:58 Checking - complete
20/01/2009 10:14:59 C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll --> Suspicion for Keylogger or Trojan DLL
20/01/2009 10:14:59 C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll>>> Behavioral analysis
20/01/2009 10:14:59 Behaviour typical for keyloggers not detected
20/01/2009 10:14:59 C:\PROGRA~1\KASPER~1\KASPER~1\adialhk.dll --> Suspicion for Keylogger or Trojan DLL
20/01/2009 10:14:59 C:\PROGRA~1\KASPER~1\KASPER~1\adialhk.dll>>> Behavioral analysis
20/01/2009 10:14:59 Behaviour typical for keyloggers not detected
20/01/2009 10:14:59 C:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll --> Suspicion for Keylogger or Trojan DLL
20/01/2009 10:14:59 C:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll>>> Behavioral analysis
20/01/2009 10:14:59 Behaviour typical for keyloggers not detected
20/01/2009 10:14:59 C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll --> Suspicion for Keylogger or Trojan DLL
20/01/2009 10:14:59 C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll>>> Behavioral analysis
20/01/2009 10:14:59 Behaviour typical for keyloggers not detected
20/01/2009 10:14:59 C:\Program Files\O2\bin\sprthook.dll --> Suspicion for Keylogger or Trojan DLL
20/01/2009 10:14:59 C:\Program Files\O2\bin\sprthook.dll>>> Behavioral analysis
20/01/2009 10:14:59 1. Reacts to events: keyboard, mouse
20/01/2009 10:14:59 C:\Program Files\O2\bin\sprthook.dll>>> Neural net: file with probability 0.00% like a typical keyboard/mouse events interceptor
20/01/2009 10:15:01 Note: Do NOT delete suspicious files, send them for analysis (see FAQ for more details), because there are lots of useful hooking DLLs
20/01/2009 10:15:18 Latent loading of libraries through AppInit_DLLs suspected: "C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll,C:\PROGRA~1\KASPER~1\KASPER~1\adialhk.dll,C:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll,C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll"
20/01/2009 10:15:19 >> Services: potentially dangerous service allowed: RemoteRegistry (Remote Registry)
20/01/2009 10:15:19 >> Services: potentially dangerous service allowed: TermService (Terminal Services)
20/01/2009 10:15:19 >> Services: potentially dangerous service allowed: SSDPSRV (SSDP Discovery Service)
20/01/2009 10:15:19 >> Services: potentially dangerous service allowed: Schedule (Task Scheduler)
20/01/2009 10:15:19 >> Services: potentially dangerous service allowed: mnmsrvc (NetMeeting Remote Desktop Sharing)
20/01/2009 10:15:19 >> Services: potentially dangerous service allowed: RDSessMgr (Remote Desktop Help Session Manager)
20/01/2009 10:15:19 > Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
20/01/2009 10:15:19 >> Security: disk drives' autorun is enabled
20/01/2009 10:15:19 >> Security: administrative shares (C$, D$ ...) are enabled
20/01/2009 10:15:19 >> Security: anonymous user access is enabled
20/01/2009 10:15:20 >> Security: sending Remote Assistant queries is enabled
20/01/2009 10:15:26 >> Disable HDD autorun
20/01/2009 10:15:26 >> Disable autorun from network drives
20/01/2009 10:15:26 >> Disable CD/DVD autorun
20/01/2009 10:15:26 >> Disable removable media autorun
20/01/2009 10:15:26 System Analysis in progress
20/01/2009 10:22:24 System Analysis - complete
20/01/2009 10:22:25 Delete file:C:\Documents and Settings\xp\Desktop\Virus Removal Tool\is-GBQHG\LOG\avptool_syscheck.htm
20/01/2009 10:22:25 Delete file:C:\Documents and Settings\xp\Desktop\Virus Removal Tool\is-GBQHG\LOG\avptool_syscheck.xml
20/01/2009 10:22:25 Deleting service/driver: utqxmji2
20/01/2009 10:22:25 Delete file:C:\WINDOWS\system32\Drivers\utqxmji2.sys
20/01/2009 10:22:25 Deleting service/driver: ujqxmji2
20/01/2009 10:22:25 Script executed without errors