<AVZ_CollectSysInfo>
--------------------
Start time: 30/06/2009 08:04:31 م
Duration: 00:03:10
Finish time: 30/06/2009 08:07:41 م
<AVZ_CollectSysInfo>
--------------------
Time Event
---- -----
30/06/2009 08:04:33 م Windows version: Microsoft Windows XP, Build=2600, SP="Service Pack 3"
30/06/2009 08:04:33 م System Restore: Disabled
30/06/2009 08:04:35 م 1.1 Searching for user-mode API hooks
30/06/2009 08:04:35 م Analysis: kernel32.dll, export table found in section .text
30/06/2009 08:04:35 م Function kernel32.dll:CreateProcessA (99) intercepted, method ProcAddressHijack.GetProcAddress ->7C80236B->61F03F42
30/06/2009 08:04:35 م Hook kernel32.dll:CreateProcessA (99) blocked
30/06/2009 08:04:35 م Function kernel32.dll:CreateProcessW (103) intercepted, method ProcAddressHijack.GetProcAddress ->7C802336->61F04040
30/06/2009 08:04:35 م Hook kernel32.dll:CreateProcessW (103) blocked
30/06/2009 08:04:35 م Function kernel32.dll:FreeLibrary (241) intercepted, method ProcAddressHijack.GetProcAddress ->7C80AC6E->61F041FC
30/06/2009 08:04:35 م Hook kernel32.dll:FreeLibrary (241) blocked
30/06/2009 08:04:35 م Function kernel32.dll:GetModuleFileNameA (373) intercepted, method ProcAddressHijack.GetProcAddress ->7C80B55F->61F040FB
30/06/2009 08:04:35 م Hook kernel32.dll:GetModuleFileNameA (373) blocked
30/06/2009 08:04:35 م Function kernel32.dll:GetModuleFileNameW (374) intercepted, method ProcAddressHijack.GetProcAddress ->7C80B465->61F041A0
30/06/2009 08:04:35 م Hook kernel32.dll:GetModuleFileNameW (374) blocked
30/06/2009 08:04:35 م Function kernel32.dll:GetProcAddress (409) intercepted, method ProcAddressHijack.GetProcAddress ->7C80AE30->61F04648
30/06/2009 08:04:35 م Hook kernel32.dll:GetProcAddress (409) blocked
30/06/2009 08:04:35 م Function kernel32.dll:LoadLibraryA (581) intercepted, method ProcAddressHijack.GetProcAddress ->7C801D7B->61F03C6F
30/06/2009 08:04:35 م Hook kernel32.dll:LoadLibraryA (581) blocked
30/06/2009 08:04:35 م >>> Functions LoadLibraryA - preventing AVZ process from being intercepted by address replacement !!)
30/06/2009 08:04:35 م Function kernel32.dll:LoadLibraryExA (582) intercepted, method ProcAddressHijack.GetProcAddress ->7C801D53->61F03DAF
30/06/2009 08:04:35 م Hook kernel32.dll:LoadLibraryExA (582) blocked
30/06/2009 08:04:35 م >>> Functions LoadLibraryExA - preventing AVZ process from being intercepted by address replacement !!)
30/06/2009 08:04:35 م Function kernel32.dll:LoadLibraryExW (583) intercepted, method ProcAddressHijack.GetProcAddress ->7C801AF5->61F03E5A
30/06/2009 08:04:35 م Hook kernel32.dll:LoadLibraryExW (583) blocked
30/06/2009 08:04:35 م Function kernel32.dll:LoadLibraryW (584) intercepted, method ProcAddressHijack.GetProcAddress ->7C80AEDB->61F03D0C
30/06/2009 08:04:35 م Hook kernel32.dll:LoadLibraryW (584) blocked
30/06/2009 08:04:35 م IAT modification detected: LoadLibraryW - 01360010<>7C80AEDB
30/06/2009 08:04:35 م Analysis: ntdll.dll, export table found in section .text
30/06/2009 08:04:35 م Analysis: user32.dll, export table found in section .text
30/06/2009 08:04:35 م Analysis: advapi32.dll, export table found in section .text
30/06/2009 08:04:35 م Analysis: ws2_32.dll, export table found in section .text
30/06/2009 08:04:35 م Analysis: wininet.dll, export table found in section .text
30/06/2009 08:04:35 م Analysis: rasapi32.dll, export table found in section .text
30/06/2009 08:04:35 م Analysis: urlmon.dll, export table found in section .text
30/06/2009 08:04:35 م Analysis: netapi32.dll, export table found in section .text
30/06/2009 08:04:37 م 1.2 Searching for kernel-mode API hooks
30/06/2009 08:04:42 م Driver loaded successfully
30/06/2009 08:04:42 م SDT found (RVA=085700)
30/06/2009 08:04:42 م Kernel ntkrnlpa.exe found in memory at address 804D7000
30/06/2009 08:04:42 م SDT = 8055C700
30/06/2009 08:04:42 م KiST = 80504450 (284)
30/06/2009 08:04:43 م Function NtAdjustPrivilegesToken (0B) intercepted (805EBB32->F3ADF35A), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
30/06/2009 08:04:43 م >>> Function restored successfully !
30/06/2009 08:04:43 م >>> Hook code blocked
30/06/2009 08:04:43 م Function NtClose (19) intercepted (805BC4EC->F3ADFA66), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
30/06/2009 08:04:43 م >>> Function restored successfully !
30/06/2009 08:04:43 م >>> Hook code blocked
30/06/2009 08:04:43 م Function NtConnectPort (1F) intercepted (805A45B4->F3AE05EC), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
30/06/2009 08:04:43 م >>> Function restored successfully !
30/06/2009 08:04:43 م >>> Hook code blocked
30/06/2009 08:04:43 م Function NtCreateEvent (23) intercepted (8060E602->F3AE0B20), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
30/06/2009 08:04:43 م >>> Function restored successfully !
30/06/2009 08:04:43 م >>> Hook code blocked
30/06/2009 08:04:43 م Function NtCreateFile (25) intercepted (80579084->F3ADFD58), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
30/06/2009 08:04:43 م >>> Function restored successfully !
30/06/2009 08:04:43 م >>> Hook code blocked
30/06/2009 08:04:43 م Function NtCreateKey (29) intercepted (80623786->F3ADE44C), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
30/06/2009 08:04:43 م >>> Function restored successfully !
30/06/2009 08:04:43 م >>> Hook code blocked
30/06/2009 08:04:43 م Function NtCreateMutant (2B) intercepted (80616D52->F3AE09F8), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
30/06/2009 08:04:43 م >>> Function restored successfully !
30/06/2009 08:04:43 م >>> Hook code blocked
30/06/2009 08:04:43 م Function NtCreateNamedPipeFile (2C) intercepted (805790BE->F3ADDCF6), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
30/06/2009 08:04:43 م >>> Function restored successfully !
30/06/2009 08:04:43 م >>> Hook code blocked
30/06/2009 08:04:43 م Function NtCreatePort (2E) intercepted (805A50D0->F3AE08B4), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
30/06/2009 08:04:43 م >>> Function restored successfully !
30/06/2009 08:04:43 م >>> Hook code blocked
30/06/2009 08:04:43 م Function NtCreateSection (32) intercepted (805AB3AE->F3ADF0EE), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
30/06/2009 08:04:43 م >>> Function restored successfully !
30/06/2009 08:04:43 م >>> Hook code blocked
30/06/2009 08:04:43 م Function NtCreateSemaphore (33) intercepted (80614702->F3AE0C52), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
30/06/2009 08:04:43 م >>> Function restored successfully !
30/06/2009 08:04:43 م >>> Hook code blocked
30/06/2009 08:04:43 م Function NtCreateSymbolicLinkObject (34) intercepted (805C39B6->F3AE23EE), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
30/06/2009 08:04:43 م >>> Function restored successfully !
30/06/2009 08:04:43 م >>> Hook code blocked
30/06/2009 08:04:43 م Function NtCreateThread (35) intercepted (805D0FD4->F3ADF866), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
30/06/2009 08:04:43 م >>> Function restored successfully !
30/06/2009 08:04:43 م >>> Hook code blocked
30/06/2009 08:04:43 م Function NtCreateWaitablePort (38) intercepted (805A50F4->F3AE0956), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
30/06/2009 08:04:43 م >>> Function restored successfully !
30/06/2009 08:04:43 م >>> Hook code blocked
30/06/2009 08:04:43 م Function NtDeleteKey (3F) intercepted (80623C16->F3ADEA0C), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
30/06/2009 08:04:43 م >>> Function restored successfully !
30/06/2009 08:04:43 م >>> Hook code blocked
30/06/2009 08:04:43 م Function NtDeleteValueKey (41) intercepted (80623DE6->F3ADECE4), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
30/06/2009 08:04:43 م >>> Function restored successfully !
30/06/2009 08:04:43 م >>> Hook code blocked
30/06/2009 08:04:43 م Function NtDeviceIoControlFile (42) intercepted (8057924A->F3AE01FC), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
30/06/2009 08:04:43 م >>> Function restored successfully !
30/06/2009 08:04:43 م >>> Hook code blocked
30/06/2009 08:04:43 م Function NtDuplicateObject (44) intercepted (805BDFC4->F3AE2960), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
30/06/2009 08:04:43 م >>> Function restored successfully !
30/06/2009 08:04:43 م >>> Hook code blocked
30/06/2009 08:04:43 م Function NtEnumerateKey (47) intercepted (80623FC6->F3ADEE26), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
30/06/2009 08:04:43 م >>> Function restored successfully !
30/06/2009 08:04:43 م >>> Hook code blocked
30/06/2009 08:04:43 م Function NtEnumerateValueKey (49) intercepted (80624230->F3ADEED0), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
30/06/2009 08:04:43 م >>> Function restored successfully !
30/06/2009 08:04:43 م >>> Hook code blocked
30/06/2009 08:04:43 م Function NtFsControlFile (54) intercepted (8057927E->F3ADFFF6), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
30/06/2009 08:04:43 م >>> Function restored successfully !
30/06/2009 08:04:43 م >>> Hook code blocked
30/06/2009 08:04:43 م Function NtLoadDriver (61) intercepted (8058413A->F3AE1E86), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
30/06/2009 08:04:43 م >>> Function restored successfully !
30/06/2009 08:04:43 م >>> Hook code blocked
30/06/2009 08:04:43 م Function NtLoadKey (62) intercepted (80625982->F3ADE428), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
30/06/2009 08:04:43 م >>> Function restored successfully !
30/06/2009 08:04:43 م >>> Hook code blocked
30/06/2009 08:04:43 م Function NtLoadKey2 (63) intercepted (8062558E->F3ADE43A), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
30/06/2009 08:04:43 م >>> Function restored successfully !
30/06/2009 08:04:43 م >>> Hook code blocked
30/06/2009 08:04:43 م Function NtNotifyChangeKey (6F) intercepted (8062594C->F3ADF01C), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
30/06/2009 08:04:43 م >>> Function restored successfully !
30/06/2009 08:04:43 م >>> Hook code blocked
30/06/2009 08:04:43 م Function NtOpenEvent (72) intercepted (8060E702->F3AE0BC2), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
30/06/2009 08:04:43 م >>> Function restored successfully !
30/06/2009 08:04:43 م >>> Hook code blocked
30/06/2009 08:04:43 م Function NtOpenFile (74) intercepted (8057A182->F3ADFAE8), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
30/06/2009 08:04:43 م >>> Function restored successfully !
30/06/2009 08:04:43 م >>> Hook code blocked
30/06/2009 08:04:43 م Function NtOpenKey (77) intercepted (80624B58->F3ADE5F0), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
30/06/2009 08:04:43 م >>> Function restored successfully !
30/06/2009 08:04:43 م >>> Hook code blocked
30/06/2009 08:04:43 م Function NtOpenMutant (78) intercepted (80616E2A->F3AE0A90), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
30/06/2009 08:04:43 م >>> Function restored successfully !
30/06/2009 08:04:43 م >>> Hook code blocked
30/06/2009 08:04:43 م Function NtOpenProcess (7A) intercepted (805CB3FC->F3ADF55A), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
30/06/2009 08:04:43 م >>> Function restored successfully !
30/06/2009 08:04:43 م >>> Hook code blocked
30/06/2009 08:04:43 م Function NtOpenSection (7D) intercepted (805AA3D2->F3AE2418), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
30/06/2009 08:04:43 م >>> Function restored successfully !
30/06/2009 08:04:43 م >>> Hook code blocked
30/06/2009 08:04:43 م Function NtOpenSemaphore (7E) intercepted (806147FC->F3AE0CF4), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
30/06/2009 08:04:43 م >>> Function restored successfully !
30/06/2009 08:04:43 م >>> Hook code blocked
30/06/2009 08:04:43 م Function NtOpenThread (80) intercepted (805CB688->F3ADF47E), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
30/06/2009 08:04:44 م >>> Function restored successfully !
30/06/2009 08:04:44 م >>> Hook code blocked
30/06/2009 08:04:44 م Function NtQueryKey (A0) intercepted (80624E7E->F3ADEF7A), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
30/06/2009 08:04:44 م >>> Function restored successfully !
30/06/2009 08:04:44 م >>> Hook code blocked
30/06/2009 08:04:44 م Function NtQueryMultipleValueKey (A1) intercepted (806228D4->F3ADEBA2), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
30/06/2009 08:04:44 م >>> Function restored successfully !
30/06/2009 08:04:44 م >>> Hook code blocked
30/06/2009 08:04:44 م Function NtQueryValueKey (B1) intercepted (806219BE->F3ADE8A8), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
30/06/2009 08:04:44 م >>> Function restored successfully !
30/06/2009 08:04:44 م >>> Hook code blocked
30/06/2009 08:04:44 م Function NtQueueApcThread (B4) intercepted (805D1232->F3AE2108), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
30/06/2009 08:04:44 م >>> Function restored successfully !
30/06/2009 08:04:44 م >>> Hook code blocked
30/06/2009 08:04:44 م Function NtRenameKey (C0) intercepted (806231A8->F3ADEB20), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
30/06/2009 08:04:44 م >>> Function restored successfully !
30/06/2009 08:04:44 م >>> Hook code blocked
30/06/2009 08:04:44 م Function NtReplaceKey (C1) intercepted (80625832->F3ADE0AE), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
30/06/2009 08:04:44 م >>> Function restored successfully !
30/06/2009 08:04:44 م >>> Hook code blocked
30/06/2009 08:04:44 م Function NtReplyPort (C2) intercepted (805A54D0->F3AE107E), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
30/06/2009 08:04:44 م >>> Function restored successfully !
30/06/2009 08:04:44 م >>> Hook code blocked
30/06/2009 08:04:44 م Function NtReplyWaitReceivePort (C3) intercepted (805A6498->F3AE0F44), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
30/06/2009 08:04:44 م >>> Function restored successfully !
30/06/2009 08:04:44 م >>> Hook code blocked
30/06/2009 08:04:44 م Function NtRequestWaitReplyPort (C8) intercepted (805A2D5A->F3AE1C10), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
30/06/2009 08:04:44 م >>> Function restored successfully !
30/06/2009 08:04:44 م >>> Hook code blocked
30/06/2009 08:04:44 م Function NtRestoreKey (CC) intercepted (8062513E->F3ADE210), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
30/06/2009 08:04:44 م >>> Function restored successfully !
30/06/2009 08:04:44 م >>> Hook code blocked
30/06/2009 08:04:44 م Function NtResumeThread (CE) intercepted (805D4976->F3AE2840), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
30/06/2009 08:04:44 م >>> Function restored successfully !
30/06/2009 08:04:44 م >>> Hook code blocked
30/06/2009 08:04:44 م Function NtSaveKey (CF) intercepted (8062523A->F3ADDEB0), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
30/06/2009 08:04:44 م >>> Function restored successfully !
30/06/2009 08:04:44 م >>> Hook code blocked
30/06/2009 08:04:44 م Function NtSecureConnectPort (D2) intercepted (805A3D48->F3AE02F2), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
30/06/2009 08:04:44 م >>> Function restored successfully !
30/06/2009 08:04:44 م >>> Hook code blocked
30/06/2009 08:04:44 م Function NtSetContextThread (D5) intercepted (805D16F6->F3ADF964), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
30/06/2009 08:04:44 م >>> Function restored successfully !
30/06/2009 08:04:44 م >>> Hook code blocked
30/06/2009 08:04:44 م Function NtSetInformationToken (E6) intercepted (805F9E60->F3AE15D2), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
30/06/2009 08:04:44 م >>> Function restored successfully !
30/06/2009 08:04:44 م >>> Hook code blocked
30/06/2009 08:04:44 م Function NtSetSecurityObject (ED) intercepted (805C05EA->F3AE1F80), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
30/06/2009 08:04:44 م >>> Function restored successfully !
30/06/2009 08:04:44 م >>> Hook code blocked
30/06/2009 08:04:44 م Function NtSetSystemInformation (F0) intercepted (8060F3BA->F3AE24A2), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
30/06/2009 08:04:44 م >>> Function restored successfully !
30/06/2009 08:04:44 م >>> Hook code blocked
30/06/2009 08:04:44 م Function NtSetValueKey (F7) intercepted (80621D0C->F3ADE730), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
30/06/2009 08:04:44 م >>> Function restored successfully !
30/06/2009 08:04:44 م >>> Hook code blocked
30/06/2009 08:04:44 م Function NtSuspendProcess (FD) intercepted (805D4A3E->F3AE2586), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
30/06/2009 08:04:44 م >>> Function restored successfully !
30/06/2009 08:04:44 م >>> Hook code blocked
30/06/2009 08:04:44 م Function NtSuspendThread (FE) intercepted (805D48B0->F3AE26B2), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
30/06/2009 08:04:44 م >>> Function restored successfully !
30/06/2009 08:04:44 م >>> Hook code blocked
30/06/2009 08:04:44 م Function NtSystemDebugControl (FF) intercepted (8061776E->F3AE1DB2), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
30/06/2009 08:04:44 م >>> Function restored successfully !
30/06/2009 08:04:44 م >>> Hook code blocked
30/06/2009 08:04:44 م Function NtTerminateProcess (101) intercepted (805D299E->F3ADF6CA), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
30/06/2009 08:04:44 م >>> Function restored successfully !
30/06/2009 08:04:44 م >>> Hook code blocked
30/06/2009 08:04:44 م Function NtTerminateThread (102) intercepted (805D2B98->F3ADF628), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
30/06/2009 08:04:44 م >>> Function restored successfully !
30/06/2009 08:04:44 م >>> Hook code blocked
30/06/2009 08:04:44 م Function NtWriteVirtualMemory (115) intercepted (805B4394->F3ADF7A8), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
30/06/2009 08:04:44 م >>> Function restored successfully !
30/06/2009 08:04:44 م >>> Hook code blocked
30/06/2009 08:04:44 م Function FsRtlCheckLockForReadAccess (804EAF74) - machine code modification Method of JmpTo. jmp F3AD4410 \SystemRoot\system32\DRIVERS\klif.sys, driver recognized as trusted
30/06/2009 08:04:44 م >>> Function restored successfully !
30/06/2009 08:04:44 م Function IoIsOperationSynchronous (804EF902) - machine code modification Method of JmpTo. jmp F3AD47CA \SystemRoot\system32\DRIVERS\klif.sys, driver recognized as trusted
30/06/2009 08:04:44 م >>> Function restored successfully !
30/06/2009 08:04:45 م Functions checked: 284, intercepted: 57, restored: 59
30/06/2009 08:04:45 م 1.3 Checking IDT and SYSENTER
30/06/2009 08:04:45 م Analysis for CPU 1
30/06/2009 08:04:45 م Analysis for CPU 2
30/06/2009 08:04:45 م Checking IDT and SYSENTER - complete
30/06/2009 08:04:47 م 1.4 Searching for masking processes and drivers
30/06/2009 08:04:47 م Checking not performed: extended monitoring driver (AVZPM) is not installed
30/06/2009 08:04:47 م Driver loaded successfully
30/06/2009 08:04:47 م 1.5 Checking of IRP handlers
30/06/2009 08:04:47 م \FileSystem\ntfs[IRP_MJ_CREATE] = 86A22EB0 -> hook not defined
30/06/2009 08:04:47 م \FileSystem\ntfs[IRP_MJ_CLOSE] = 86A22EB0 -> hook not defined
30/06/2009 08:04:47 م \FileSystem\ntfs[IRP_MJ_WRITE] = 86A22EB0 -> hook not defined
30/06/2009 08:04:47 م \FileSystem\ntfs[IRP_MJ_QUERY_INFORMATION] = 86A22EB0 -> hook not defined
30/06/2009 08:04:47 م \FileSystem\ntfs[IRP_MJ_SET_INFORMATION] = 86A22EB0 -> hook not defined
30/06/2009 08:04:47 م \FileSystem\ntfs[IRP_MJ_QUERY_EA] = 86A22EB0 -> hook not defined
30/06/2009 08:04:47 م \FileSystem\ntfs[IRP_MJ_SET_EA] = 86A22EB0 -> hook not defined
30/06/2009 08:04:47 م \FileSystem\ntfs[IRP_MJ_QUERY_VOLUME_INFORMATION] = 86A22EB0 -> hook not defined
30/06/2009 08:04:47 م \FileSystem\ntfs[IRP_MJ_SET_VOLUME_INFORMATION] = 86A22EB0 -> hook not defined
30/06/2009 08:04:47 م \FileSystem\ntfs[IRP_MJ_DIRECTORY_CONTROL] = 86A22EB0 -> hook not defined
30/06/2009 08:04:47 م \FileSystem\ntfs[IRP_MJ_FILE_SYSTEM_CONTROL] = 86A22EB0 -> hook not defined
30/06/2009 08:04:47 م \FileSystem\ntfs[IRP_MJ_DEVICE_CONTROL] = 86A22EB0 -> hook not defined
30/06/2009 08:04:47 م \FileSystem\ntfs[IRP_MJ_LOCK_CONTROL] = 86A22EB0 -> hook not defined
30/06/2009 08:04:47 م \FileSystem\ntfs[IRP_MJ_QUERY_SECURITY] = 86A22EB0 -> hook not defined
30/06/2009 08:04:47 م \FileSystem\ntfs[IRP_MJ_SET_SECURITY] = 86A22EB0 -> hook not defined
30/06/2009 08:04:47 م \FileSystem\ntfs[IRP_MJ_PNP] = 86A22EB0 -> hook not defined
30/06/2009 08:04:47 م \FileSystem\FastFat[IRP_MJ_CREATE] = 86DC8C78 -> hook not defined
30/06/2009 08:04:47 م \FileSystem\FastFat[IRP_MJ_CLOSE] = 86DC8C78 -> hook not defined
30/06/2009 08:04:47 م \FileSystem\FastFat[IRP_MJ_WRITE] = 86DC8C78 -> hook not defined
30/06/2009 08:04:47 م \FileSystem\FastFat[IRP_MJ_QUERY_INFORMATION] = 86DC8C78 -> hook not defined
30/06/2009 08:04:47 م \FileSystem\FastFat[IRP_MJ_SET_INFORMATION] = 86DC8C78 -> hook not defined
30/06/2009 08:04:47 م \FileSystem\FastFat[IRP_MJ_QUERY_EA] = 86DC8C78 -> hook not defined
30/06/2009 08:04:47 م \FileSystem\FastFat[IRP_MJ_SET_EA] = 86DC8C78 -> hook not defined
30/06/2009 08:04:47 م \FileSystem\FastFat[IRP_MJ_QUERY_VOLUME_INFORMATION] = 86DC8C78 -> hook not defined
30/06/2009 08:04:47 م \FileSystem\FastFat[IRP_MJ_SET_VOLUME_INFORMATION] = 86DC8C78 -> hook not defined
30/06/2009 08:04:47 م \FileSystem\FastFat[IRP_MJ_DIRECTORY_CONTROL] = 86DC8C78 -> hook not defined
30/06/2009 08:04:47 م \FileSystem\FastFat[IRP_MJ_FILE_SYSTEM_CONTROL] = 86DC8C78 -> hook not defined
30/06/2009 08:04:47 م \FileSystem\FastFat[IRP_MJ_DEVICE_CONTROL] = 86DC8C78 -> hook not defined
30/06/2009 08:04:47 م \FileSystem\FastFat[IRP_MJ_LOCK_CONTROL] = 86DC8C78 -> hook not defined
30/06/2009 08:04:47 م \FileSystem\FastFat[IRP_MJ_PNP] = 86DC8C78 -> hook not defined
30/06/2009 08:04:47 م \driver\disk[IRP_MJ_CREATE] = 86DC8EB0 -> hook not defined
30/06/2009 08:04:47 م \driver\disk[IRP_MJ_CLOSE] = 86DC8EB0 -> hook not defined
30/06/2009 08:04:47 م \driver\disk[IRP_MJ_READ] = 86DC8EB0 -> hook not defined
30/06/2009 08:04:47 م \driver\disk[IRP_MJ_WRITE] = 86DC8EB0 -> hook not defined
30/06/2009 08:04:47 م \driver\disk[IRP_MJ_PNP] = 86DC8EB0 -> hook not defined
30/06/2009 08:04:47 م Checking - complete
30/06/2009 08:04:49 م C:\Program Files\Stardock\Object Desktop\WindowBlinds\wblind.dll --> Suspicion for Keylogger or Trojan DLL
30/06/2009 08:04:49 م C:\Program Files\Stardock\Object Desktop\WindowBlinds\wblind.dll>>> Behavioral analysis
30/06/2009 08:04:49 م 1. Reacts to events: keyboard
30/06/2009 08:04:49 م 2. Sends data to process: 2804 C:\Documents and Settings\Administrator\Desktop\Virus Removal Tool\is-LIV6G\is-LIV6G.exe (window = "13% - <AVZ_CollectSysInfo>")
30/06/2009 08:04:49 م 3. Determines the window which has input focus
30/06/2009 08:04:49 م C:\Program Files\Stardock\Object Desktop\WindowBlinds\wblind.dll>>> Neural net: file with probability 0.00% like a typical keyboard/mouse events interceptor
30/06/2009 08:04:49 م C:\Program Files\Unlocker\UnlockerHook.dll --> Suspicion for Keylogger or Trojan DLL
30/06/2009 08:04:49 م C:\Program Files\Unlocker\UnlockerHook.dll>>> Behavioral analysis
30/06/2009 08:04:49 م 1. Reacts to events: keyboard, mouse
30/06/2009 08:04:49 م C:\Program Files\Unlocker\UnlockerHook.dll>>> Neural net: file with probability 0.00% like a typical keyboard/mouse events interceptor
30/06/2009 08:04:52 م Note: Do NOT delete suspicious files, send them for analysis (see FAQ for more details), because there are lots of useful hooking DLLs
30/06/2009 08:05:07 م Latent loading of libraries through AppInit_DLLs suspected: "c:\progra~1\bandoo\bndhook.dll ,C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll,C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll"
30/06/2009 08:05:08 م Danger - process debugger "notepad.exe" = "C:\WINDOWS\system32\Notepad2.exe"
30/06/2009 08:05:08 م >>> C:\WINDOWS\system32\Notepad2.exe HSC: suspicion for Danger - process debugger "notepad.exe" (high degree of probability)
30/06/2009 08:05:09 م >> Services: potentially dangerous service allowed: RemoteRegistry (Remote Registry)
30/06/2009 08:05:09 م >> Services: potentially dangerous service allowed: TermService (Terminal Services)
30/06/2009 08:05:09 م >> Services: potentially dangerous service allowed: SSDPSRV (SSDP Discovery Service)
30/06/2009 08:05:09 م >> Services: potentially dangerous service allowed: Schedule (Task Scheduler)
30/06/2009 08:05:09 م >> Services: potentially dangerous service allowed: mnmsrvc (NetMeeting Remote Desktop Sharing)
30/06/2009 08:05:09 م >> Services: potentially dangerous service allowed: RDSessMgr (Remote Desktop Help Session Manager)
30/06/2009 08:05:09 م > Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
30/06/2009 08:05:09 م >> Security: disk drives' autorun is enabled
30/06/2009 08:05:09 م >> Security: administrative shares (C$, D$ ...) are enabled
30/06/2009 08:05:09 م >> Security: sending Remote Assistant queries is enabled
30/06/2009 08:05:09 م >> Security: automatic logon is enabled
30/06/2009 08:05:11 م >> Abnormal REG files association
30/06/2009 08:05:13 م >> System process debugger detected
30/06/2009 08:05:16 م >> Disable HDD autorun
30/06/2009 08:05:16 م >> Disable autorun from network drives
30/06/2009 08:05:16 م >> Disable CD/DVD autorun
30/06/2009 08:05:16 م >> Disable removable media autorun
30/06/2009 08:05:16 م System Analysis in progress
30/06/2009 08:07:41 م System Analysis - complete
30/06/2009 08:07:41 م Delete file:C:\Documents and Settings\Administrator\Desktop\Virus Removal Tool\is-LIV6G\LOG\avptool_syscheck.htm
30/06/2009 08:07:41 م Delete file:C:\Documents and Settings\Administrator\Desktop\Virus Removal Tool\is-LIV6G\LOG\avptool_syscheck.xml
30/06/2009 08:07:41 م Deleting service/driver: utixnjc5
30/06/2009 08:07:41 م Delete file:C:\WINDOWS\system32\Drivers\utixnjc5.sys
30/06/2009 08:07:41 م Deleting service/driver: ujixnjc5
30/06/2009 08:07:41 م Script executed without errors