21/02/2009 04:56:57 p.m. Windows version: Microsoft Windows XP, Build=2600, SP="Service Pack 3"
21/02/2009 04:56:57 p.m. System Restore: enabled
21/02/2009 04:56:57 p.m. 1.1 Searching for user-mode API hooks
21/02/2009 04:56:57 p.m. Analysis: kernel32.dll, export table found in section .text
21/02/2009 04:56:57 p.m. Function kernel32.dll:CreateProcessA (99) intercepted, method ProcAddressHijack.GetProcAddress ->7C80236B->61F03F42
21/02/2009 04:56:57 p.m. Hook kernel32.dll:CreateProcessA (99) blocked
21/02/2009 04:56:57 p.m. Function kernel32.dll:CreateProcessW (103) intercepted, method ProcAddressHijack.GetProcAddress ->7C802336->61F04040
21/02/2009 04:56:57 p.m. Hook kernel32.dll:CreateProcessW (103) blocked
21/02/2009 04:56:57 p.m. Function kernel32.dll:FreeLibrary (241) intercepted, method ProcAddressHijack.GetProcAddress ->7C80AC6E->61F041FC
21/02/2009 04:56:57 p.m. Hook kernel32.dll:FreeLibrary (241) blocked
21/02/2009 04:56:57 p.m. Function kernel32.dll:GetModuleFileNameA (373) intercepted, method ProcAddressHijack.GetProcAddress ->7C80B55F->61F040FB
21/02/2009 04:56:57 p.m. Hook kernel32.dll:GetModuleFileNameA (373) blocked
21/02/2009 04:56:57 p.m. Function kernel32.dll:GetModuleFileNameW (374) intercepted, method ProcAddressHijack.GetProcAddress ->7C80B465->61F041A0
21/02/2009 04:56:57 p.m. Hook kernel32.dll:GetModuleFileNameW (374) blocked
21/02/2009 04:56:57 p.m. Function kernel32.dll:GetProcAddress (409) intercepted, method ProcAddressHijack.GetProcAddress ->7C80AE30->61F04648
21/02/2009 04:56:57 p.m. Hook kernel32.dll:GetProcAddress (409) blocked
21/02/2009 04:56:57 p.m. Function kernel32.dll:LoadLibraryA (581) intercepted, method ProcAddressHijack.GetProcAddress ->7C801D7B->61F03C6F
21/02/2009 04:56:57 p.m. Hook kernel32.dll:LoadLibraryA (581) blocked
21/02/2009 04:56:57 p.m. >>> Functions LoadLibraryA - preventing AVZ process from being intercepted by address replacement !!)
21/02/2009 04:56:57 p.m. Function kernel32.dll:LoadLibraryExA (582) intercepted, method ProcAddressHijack.GetProcAddress ->7C801D53->61F03DAF
21/02/2009 04:56:57 p.m. Hook kernel32.dll:LoadLibraryExA (582) blocked
21/02/2009 04:56:57 p.m. >>> Functions LoadLibraryExA - preventing AVZ process from being intercepted by address replacement !!)
21/02/2009 04:56:57 p.m. Function kernel32.dll:LoadLibraryExW (583) intercepted, method ProcAddressHijack.GetProcAddress ->7C801AF5->61F03E5A
21/02/2009 04:56:57 p.m. Hook kernel32.dll:LoadLibraryExW (583) blocked
21/02/2009 04:56:57 p.m. Function kernel32.dll:LoadLibraryW (584) intercepted, method ProcAddressHijack.GetProcAddress ->7C80AEDB->61F03D0C
21/02/2009 04:56:57 p.m. Hook kernel32.dll:LoadLibraryW (584) blocked
21/02/2009 04:56:57 p.m. IAT modification detected: LoadLibraryW - 00C80010<>7C80AEDB
21/02/2009 04:56:57 p.m. Analysis: ntdll.dll, export table found in section .text
21/02/2009 04:56:57 p.m. Analysis: user32.dll, export table found in section .text
21/02/2009 04:56:57 p.m. Analysis: advapi32.dll, export table found in section .text
21/02/2009 04:56:57 p.m. Analysis: ws2_32.dll, export table found in section .text
21/02/2009 04:56:57 p.m. Analysis: wininet.dll, export table found in section .text
21/02/2009 04:56:57 p.m. Analysis: rasapi32.dll, export table found in section .text
21/02/2009 04:56:57 p.m. Analysis: urlmon.dll, export table found in section .text
21/02/2009 04:56:57 p.m. Analysis: netapi32.dll, export table found in section .text
21/02/2009 04:56:58 p.m. 1.2 Searching for kernel-mode API hooks
21/02/2009 04:56:58 p.m. Driver loaded successfully
21/02/2009 04:56:58 p.m. SDT found (RVA=085700)
21/02/2009 04:56:58 p.m. Kernel ntkrnlpa.exe found in memory at address 804D7000
21/02/2009 04:56:58 p.m. SDT = 8055C700
21/02/2009 04:56:58 p.m. KiST = 80504460 (284)
21/02/2009 04:56:59 p.m. Functions checked: 284, intercepted: 0, restored: 0
21/02/2009 04:56:59 p.m. 1.3 Checking IDT and SYSENTER
21/02/2009 04:56:59 p.m. Analysis for CPU 1
21/02/2009 04:56:59 p.m. Analysis for CPU 2
21/02/2009 04:56:59 p.m. Checking IDT and SYSENTER - complete
21/02/2009 04:57:00 p.m. 1.4 Searching for masking processes and drivers
21/02/2009 04:57:00 p.m. Checking not performed: extended monitoring driver (AVZPM) is not installed
21/02/2009 04:57:00 p.m. Driver loaded successfully
21/02/2009 04:57:00 p.m. 1.5 Checking of IRP handlers
21/02/2009 04:57:00 p.m. Checking - complete
21/02/2009 04:57:00 p.m. C:\WINDOWS\system32\wdmaud.drv --> Suspicion for Keylogger or Trojan DLL
21/02/2009 04:57:00 p.m. C:\WINDOWS\system32\wdmaud.drv>>> Behavioral analysis
21/02/2009 04:57:00 p.m. Behaviour typical for keyloggers not detected
21/02/2009 04:57:00 p.m. Note: Do NOT delete suspicious files, send them for analysis (see FAQ for more details), because there are lots of useful hooking DLLs
21/02/2009 04:57:07 p.m. Latent loading of libraries through AppInit_DLLs suspected: "C:\ARCHIV~1\KASPER~1\KASPER~1\mzvkbd.dll"
21/02/2009 04:57:08 p.m. >> Services: potentially dangerous service allowed: RemoteRegistry (Registro remoto)
21/02/2009 04:57:08 p.m. >> Services: potentially dangerous service allowed: TermService (Servicios de Terminal Server)
21/02/2009 04:57:08 p.m. >> Services: potentially dangerous service allowed: SSDPSRV (Servicio de descubrimientos SSDP)
21/02/2009 04:57:08 p.m. >> Services: potentially dangerous service allowed: Schedule (Programador de tareas)
21/02/2009 04:57:08 p.m. >> Services: potentially dangerous service allowed: mnmsrvc (Escritorio remoto compartido de NetMeeting)
21/02/2009 04:57:08 p.m. >> Services: potentially dangerous service allowed: RDSessMgr (Administrador de sesión de Ayuda de escritorio remoto)
21/02/2009 04:57:08 p.m. > Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
21/02/2009 04:57:08 p.m. >> Security: disk drives' autorun is enabled
21/02/2009 04:57:08 p.m. >> Security: administrative shares (C$, D$ ...) are enabled
21/02/2009 04:57:08 p.m. >> Security: anonymous user access is enabled
21/02/2009 04:57:08 p.m. >> Security: sending Remote Assistant queries is enabled
21/02/2009 04:57:11 p.m. >> Disable HDD autorun
21/02/2009 04:57:11 p.m. >> Disable autorun from network drives
21/02/2009 04:57:11 p.m. >> Disable CD/DVD autorun
21/02/2009 04:57:11 p.m. >> Disable removable media autorun
21/02/2009 04:57:11 p.m. System Analysis in progress
21/02/2009 04:57:41 p.m. System Analysis - complete
21/02/2009 04:57:41 p.m. Delete file:C:\Documents and Settings\User\Escritorio\Virus Removal Tool\is-RM78S\LOG\avptool_syscheck.htm
21/02/2009 04:57:41 p.m. Delete file:C:\Documents and Settings\User\Escritorio\Virus Removal Tool\is-RM78S\LOG\avptool_syscheck.xml
21/02/2009 04:57:41 p.m. Deleting service/driver: uti3mtk2
21/02/2009 04:57:41 p.m. Delete file:C:\WINDOWS\system32\Drivers\uti3mtk2.sys
21/02/2009 04:57:41 p.m. Deleting service/driver: uji3mtk2
21/02/2009 04:57:41 p.m. Script executed without errors