<AVZ_CollectSysInfo>
--------------------
Start time: 03/10/2009 09:19:14
Duration: 00:06:19
Finish time: 03/10/2009 09:25:33
<AVZ_CollectSysInfo>
--------------------
Time Event
---- -----
03/10/2009 09:19:24 Windows version: Microsoft Windows XP, Build=2600, SP="Service Pack 3"
03/10/2009 09:19:24 System Restore: enabled
03/10/2009 09:19:28 1.1 Searching for user-mode API hooks
03/10/2009 09:19:29 Analysis: kernel32.dll, export table found in section .text
03/10/2009 09:19:29 Function kernel32.dll:CreateProcessA (99) intercepted, method ProcAddressHijack.GetProcAddress ->7C80236B->61F03F42
03/10/2009 09:19:29 Hook kernel32.dll:CreateProcessA (99) blocked
03/10/2009 09:19:29 Function kernel32.dll:CreateProcessW (103) intercepted, method ProcAddressHijack.GetProcAddress ->7C802336->61F04040
03/10/2009 09:19:29 Hook kernel32.dll:CreateProcessW (103) blocked
03/10/2009 09:19:29 Function kernel32.dll:FreeLibrary (241) intercepted, method ProcAddressHijack.GetProcAddress ->7C80AC7E->61F041FC
03/10/2009 09:19:29 Hook kernel32.dll:FreeLibrary (241) blocked
03/10/2009 09:19:29 Function kernel32.dll:GetModuleFileNameA (373) intercepted, method ProcAddressHijack.GetProcAddress ->7C80B56F->61F040FB
03/10/2009 09:19:29 Hook kernel32.dll:GetModuleFileNameA (373) blocked
03/10/2009 09:19:29 Function kernel32.dll:GetModuleFileNameW (374) intercepted, method ProcAddressHijack.GetProcAddress ->7C80B475->61F041A0
03/10/2009 09:19:29 Hook kernel32.dll:GetModuleFileNameW (374) blocked
03/10/2009 09:19:29 Function kernel32.dll:GetProcAddress (409) intercepted, method ProcAddressHijack.GetProcAddress ->7C80AE40->61F04648
03/10/2009 09:19:29 Hook kernel32.dll:GetProcAddress (409) blocked
03/10/2009 09:19:29 Function kernel32.dll:LoadLibraryA (581) intercepted, method ProcAddressHijack.GetProcAddress ->7C801D7B->61F03C6F
03/10/2009 09:19:29 Hook kernel32.dll:LoadLibraryA (581) blocked
03/10/2009 09:19:29 >>> Functions LoadLibraryA - preventing AVZ process from being intercepted by address replacement !!)
03/10/2009 09:19:29 Function kernel32.dll:LoadLibraryExA (582) intercepted, method ProcAddressHijack.GetProcAddress ->7C801D53->61F03DAF
03/10/2009 09:19:29 Hook kernel32.dll:LoadLibraryExA (582) blocked
03/10/2009 09:19:29 >>> Functions LoadLibraryExA - preventing AVZ process from being intercepted by address replacement !!)
03/10/2009 09:19:29 Function kernel32.dll:LoadLibraryExW (583) intercepted, method ProcAddressHijack.GetProcAddress ->7C801AF5->61F03E5A
03/10/2009 09:19:29 Hook kernel32.dll:LoadLibraryExW (583) blocked
03/10/2009 09:19:29 Function kernel32.dll:LoadLibraryW (584) intercepted, method ProcAddressHijack.GetProcAddress ->7C80AEEB->61F03D0C
03/10/2009 09:19:29 Hook kernel32.dll:LoadLibraryW (584) blocked
03/10/2009 09:19:29 IAT modification detected: LoadLibraryW - 00380010<>7C80AEEB
03/10/2009 09:19:29 Analysis: ntdll.dll, export table found in section .text
03/10/2009 09:19:29 Analysis: user32.dll, export table found in section .text
03/10/2009 09:19:29 Analysis: advapi32.dll, export table found in section .text
03/10/2009 09:19:29 Analysis: ws2_32.dll, export table found in section .text
03/10/2009 09:19:29 Analysis: wininet.dll, export table found in section .text
03/10/2009 09:19:30 Analysis: rasapi32.dll, export table found in section .text
03/10/2009 09:19:30 Analysis: urlmon.dll, export table found in section .text
03/10/2009 09:19:30 Analysis: netapi32.dll, export table found in section .text
03/10/2009 09:19:32 1.2 Searching for kernel-mode API hooks
03/10/2009 09:19:43 Driver loaded successfully
03/10/2009 09:19:43 SDT found (RVA=083220)
03/10/2009 09:19:43 Kernel ntoskrnl.exe found in memory at address 804D7000
03/10/2009 09:19:43 SDT = 8055A220
03/10/2009 09:19:43 KiST = 804E26A8 (284)
03/10/2009 09:19:47 Function NtAdjustPrivilegesToken (0B) intercepted (8058D0AD->F66DE36E), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
03/10/2009 09:19:47 >>> Function restored successfully !
03/10/2009 09:19:47 >>> Hook code blocked
03/10/2009 09:19:47 Function NtClose (19) intercepted (805678DD->F66DEA86), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
03/10/2009 09:19:47 >>> Function restored successfully !
03/10/2009 09:19:47 >>> Hook code blocked
03/10/2009 09:19:47 Function NtConnectPort (1F) intercepted (805879F7->F66DF60C), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
03/10/2009 09:19:47 >>> Function restored successfully !
03/10/2009 09:19:47 >>> Hook code blocked
03/10/2009 09:19:47 Function NtCreateEvent (23) intercepted (8056D57A->F66DFB40), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
03/10/2009 09:19:47 >>> Function restored successfully !
03/10/2009 09:19:47 >>> Hook code blocked
03/10/2009 09:19:47 Function NtCreateFile (25) intercepted (8056CDC0->F66DED78), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
03/10/2009 09:19:47 >>> Function restored successfully !
03/10/2009 09:19:47 >>> Hook code blocked
03/10/2009 09:19:47 Function NtCreateKey (29) intercepted (8057065D->F66DD460), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
03/10/2009 09:19:48 >>> Function restored successfully !
03/10/2009 09:19:48 >>> Hook code blocked
03/10/2009 09:19:48 Function NtCreateMutant (2B) intercepted (80578037->F66DFA18), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
03/10/2009 09:19:48 >>> Function restored successfully !
03/10/2009 09:19:48 >>> Hook code blocked
03/10/2009 09:19:48 Function NtCreateNamedPipeFile (2C) intercepted (80583F4B->F66DCD0A), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
03/10/2009 09:19:48 >>> Function restored successfully !
03/10/2009 09:19:48 >>> Hook code blocked
03/10/2009 09:19:48 Function NtCreatePort (2E) intercepted (805975C1->F66DF8D4), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
03/10/2009 09:19:48 >>> Function restored successfully !
03/10/2009 09:19:48 >>> Hook code blocked
03/10/2009 09:19:48 Function NtCreateSection (32) intercepted (805652B3->F66DE102), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
03/10/2009 09:19:48 >>> Function restored successfully !
03/10/2009 09:19:48 >>> Hook code blocked
03/10/2009 09:19:48 Function NtCreateSemaphore (33) intercepted (8057243B->F66DFC72), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
03/10/2009 09:19:48 >>> Function restored successfully !
03/10/2009 09:19:48 >>> Hook code blocked
03/10/2009 09:19:48 Function NtCreateSymbolicLinkObject (34) intercepted (8059F519->F66E140E), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
03/10/2009 09:19:48 >>> Function restored successfully !
03/10/2009 09:19:48 >>> Hook code blocked
03/10/2009 09:19:48 Function NtCreateThread (35) intercepted (8058E64B->F66DE886), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
03/10/2009 09:19:48 >>> Function restored successfully !
03/10/2009 09:19:48 >>> Hook code blocked
03/10/2009 09:19:48 Function NtCreateWaitablePort (38) intercepted (805DB134->F66DF976), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
03/10/2009 09:19:48 >>> Function restored successfully !
03/10/2009 09:19:48 >>> Hook code blocked
03/10/2009 09:19:48 Function NtDeleteKey (3F) intercepted (805952CA->F66DDA20), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
03/10/2009 09:19:48 >>> Function restored successfully !
03/10/2009 09:19:48 >>> Hook code blocked
03/10/2009 09:19:48 Function NtDeleteValueKey (41) intercepted (80592D5C->F66DDCF8), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
03/10/2009 09:19:48 >>> Function restored successfully !
03/10/2009 09:19:48 >>> Hook code blocked
03/10/2009 09:19:48 Function NtDeviceIoControlFile (42) intercepted (8058EFB9->F66DF21C), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
03/10/2009 09:19:48 >>> Function restored successfully !
03/10/2009 09:19:48 >>> Hook code blocked
03/10/2009 09:19:48 Function NtDuplicateObject (44) intercepted (805715E0->F66E1980), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
03/10/2009 09:19:48 >>> Function restored successfully !
03/10/2009 09:19:48 >>> Hook code blocked
03/10/2009 09:19:48 Function NtEnumerateKey (47) intercepted (80570D64->F66DDE3A), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
03/10/2009 09:19:48 >>> Function restored successfully !
03/10/2009 09:19:48 >>> Hook code blocked
03/10/2009 09:19:48 Function NtEnumerateValueKey (49) intercepted (80590677->F66DDEE4), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
03/10/2009 09:19:48 >>> Function restored successfully !
03/10/2009 09:19:48 >>> Hook code blocked
03/10/2009 09:19:48 Function NtFsControlFile (54) intercepted (8057AAB5->F66DF016), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
03/10/2009 09:19:48 >>> Function restored successfully !
03/10/2009 09:19:48 >>> Hook code blocked
03/10/2009 09:19:48 Function NtLoadDriver (61) intercepted (805A3B01->F66E0EA6), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
03/10/2009 09:19:48 >>> Function restored successfully !
03/10/2009 09:19:48 >>> Hook code blocked
03/10/2009 09:19:48 Function NtLoadKey (62) intercepted (805AED6D->F66DD43C), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
03/10/2009 09:19:48 >>> Function restored successfully !
03/10/2009 09:19:48 >>> Hook code blocked
03/10/2009 09:19:48 Function NtLoadKey2 (63) intercepted (805AEBAA->F66DD44E), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
03/10/2009 09:19:48 >>> Function restored successfully !
03/10/2009 09:19:48 >>> Hook code blocked
03/10/2009 09:19:49 Function NtNotifyChangeKey (6F) intercepted (8058A699->F66DE030), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
03/10/2009 09:19:49 >>> Function restored successfully !
03/10/2009 09:19:49 >>> Hook code blocked
03/10/2009 09:19:49 Function NtOpenEvent (72) intercepted (8057DCE7->F66DFBE2), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
03/10/2009 09:19:49 >>> Function restored successfully !
03/10/2009 09:19:49 >>> Hook code blocked
03/10/2009 09:19:49 Function NtOpenFile (74) intercepted (8056CD5B->F66DEB08), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
03/10/2009 09:19:49 >>> Function restored successfully !
03/10/2009 09:19:49 >>> Hook code blocked
03/10/2009 09:19:49 Function NtOpenKey (77) intercepted (80568D59->F66DD604), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
03/10/2009 09:19:49 >>> Function restored successfully !
03/10/2009 09:19:49 >>> Hook code blocked
03/10/2009 09:19:49 Function NtOpenMutant (78) intercepted (805780E5->F66DFAB0), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
03/10/2009 09:19:49 >>> Function restored successfully !
03/10/2009 09:19:49 >>> Hook code blocked
03/10/2009 09:19:49 Function NtOpenProcess (7A) intercepted (805717C7->F66DE56E), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
03/10/2009 09:19:49 >>> Function restored successfully !
03/10/2009 09:19:49 >>> Hook code blocked
03/10/2009 09:19:49 Function NtOpenSection (7D) intercepted (80570FD7->F66E1438), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
03/10/2009 09:19:49 >>> Function restored successfully !
03/10/2009 09:19:49 >>> Hook code blocked
03/10/2009 09:19:49 Function NtOpenSemaphore (7E) intercepted (8059EFD5->F66DFD14), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
03/10/2009 09:19:49 >>> Function restored successfully !
03/10/2009 09:19:49 >>> Hook code blocked
03/10/2009 09:19:49 Function NtOpenThread (80) intercepted (8058A1C9->F66DE492), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
03/10/2009 09:19:49 >>> Function restored successfully !
03/10/2009 09:19:49 >>> Hook code blocked
03/10/2009 09:19:49 Function NtQueryKey (A0) intercepted (80570A6D->F66DDF8E), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
03/10/2009 09:19:49 >>> Function restored successfully !
03/10/2009 09:19:49 >>> Hook code blocked
03/10/2009 09:19:49 Function NtQueryMultipleValueKey (A1) intercepted (8064E300->F66DDBB6), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
03/10/2009 09:19:49 >>> Function restored successfully !
03/10/2009 09:19:49 >>> Hook code blocked
03/10/2009 09:19:49 Function NtQueryValueKey (B1) intercepted (8056A1F2->F66DD8BC), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
03/10/2009 09:19:49 >>> Function restored successfully !
03/10/2009 09:19:49 >>> Hook code blocked
03/10/2009 09:19:49 Function NtQueueApcThread (B4) intercepted (80591097->F66E1128), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
03/10/2009 09:19:49 >>> Function restored successfully !
03/10/2009 09:19:49 >>> Hook code blocked
03/10/2009 09:19:50 Function NtRenameKey (C0) intercepted (8064E77C->F66DDB34), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
03/10/2009 09:19:50 >>> Function restored successfully !
03/10/2009 09:19:50 >>> Hook code blocked
03/10/2009 09:19:50 Function NtReplaceKey (C1) intercepted (8064F0DC->F66DD0C2), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
03/10/2009 09:19:50 >>> Function restored successfully !
03/10/2009 09:19:50 >>> Hook code blocked
03/10/2009 09:19:50 Function NtReplyPort (C2) intercepted (8057CCE4->F66E009E), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
03/10/2009 09:19:50 >>> Function restored successfully !
03/10/2009 09:19:50 >>> Hook code blocked
03/10/2009 09:19:50 Function NtReplyWaitReceivePort (C3) intercepted (8056B82E->F66DFF64), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
03/10/2009 09:19:50 >>> Function restored successfully !
03/10/2009 09:19:50 >>> Hook code blocked
03/10/2009 09:19:50 Function NtRequestWaitReplyPort (C8) intercepted (80576CE6->F66E0C30), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
03/10/2009 09:19:50 >>> Function restored successfully !
03/10/2009 09:19:50 >>> Hook code blocked
03/10/2009 09:19:50 Function NtRestoreKey (CC) intercepted (8064EC71->F66DD224), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
03/10/2009 09:19:50 >>> Function restored successfully !
03/10/2009 09:19:50 >>> Hook code blocked
03/10/2009 09:19:50 Function NtResumeThread (CE) intercepted (8058ECBE->F66E1860), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
03/10/2009 09:19:50 >>> Function restored successfully !
03/10/2009 09:19:50 >>> Hook code blocked
03/10/2009 09:19:50 Function NtSaveKey (CF) intercepted (8064ED72->F66DCEC4), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
03/10/2009 09:19:50 >>> Function restored successfully !
03/10/2009 09:19:50 >>> Hook code blocked
03/10/2009 09:19:50 Function NtSecureConnectPort (D2) intercepted (8058F4EA->F66DF312), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
03/10/2009 09:19:50 >>> Function restored successfully !
03/10/2009 09:19:50 >>> Hook code blocked
03/10/2009 09:19:50 Function NtSetContextThread (D5) intercepted (8062DD17->F66DE984), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
03/10/2009 09:19:50 >>> Function restored successfully !
03/10/2009 09:19:50 >>> Hook code blocked
03/10/2009 09:19:50 Function NtSetInformationToken (E6) intercepted (805A8700->F66E05F2), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
03/10/2009 09:19:50 >>> Function restored successfully !
03/10/2009 09:19:50 >>> Hook code blocked
03/10/2009 09:19:50 Function NtSetSecurityObject (ED) intercepted (8059B1AB->F66E0FA0), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
03/10/2009 09:19:50 >>> Function restored successfully !
03/10/2009 09:19:50 >>> Hook code blocked
03/10/2009 09:19:50 Function NtSetSystemInformation (F0) intercepted (805A7BED->F66E14C2), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
03/10/2009 09:19:50 >>> Function restored successfully !
03/10/2009 09:19:50 >>> Hook code blocked
03/10/2009 09:19:50 Function NtSetValueKey (F7) intercepted (80572889->F66DD744), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
03/10/2009 09:19:50 >>> Function restored successfully !
03/10/2009 09:19:50 >>> Hook code blocked
03/10/2009 09:19:50 Function NtSuspendProcess (FD) intercepted (8062F8F9->F66E15A6), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
03/10/2009 09:19:51 >>> Function restored successfully !
03/10/2009 09:19:51 >>> Hook code blocked
03/10/2009 09:19:51 Function NtSuspendThread (FE) intercepted (805E046E->F66E16D2), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
03/10/2009 09:19:51 >>> Function restored successfully !
03/10/2009 09:19:51 >>> Hook code blocked
03/10/2009 09:19:51 Function NtSystemDebugControl (FF) intercepted (80649CD9->F66E0DD2), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
03/10/2009 09:19:51 >>> Function restored successfully !
03/10/2009 09:19:51 >>> Hook code blocked
03/10/2009 09:19:51 Function NtTerminateProcess (101) intercepted (805822EC->F66DE6EA), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
03/10/2009 09:19:51 >>> Function restored successfully !
03/10/2009 09:19:51 >>> Hook code blocked
03/10/2009 09:19:51 Function NtTerminateThread (102) intercepted (8057B88F->F66DE63C), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
03/10/2009 09:19:51 >>> Function restored successfully !
03/10/2009 09:19:51 >>> Hook code blocked
03/10/2009 09:19:51 Function NtWriteVirtualMemory (115) intercepted (8057E42A->F66DE7C8), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
03/10/2009 09:19:51 >>> Function restored successfully !
03/10/2009 09:19:51 >>> Hook code blocked
03/10/2009 09:19:51 Function FsRtlCheckLockForReadAccess (80512919) - machine code modification Method of JmpTo. jmp F66D3424 \SystemRoot\system32\DRIVERS\klif.sys, driver recognized as trusted
03/10/2009 09:19:51 >>> Function restored successfully !
03/10/2009 09:19:52 Function IoIsOperationSynchronous (804E875A) - machine code modification Method of JmpTo. jmp F66D37DE \SystemRoot\system32\DRIVERS\klif.sys, driver recognized as trusted
03/10/2009 09:19:52 >>> Function restored successfully !
03/10/2009 09:19:55 Functions checked: 284, intercepted: 57, restored: 59
03/10/2009 09:19:55 1.3 Checking IDT and SYSENTER
03/10/2009 09:19:55 Analysis for CPU 1
03/10/2009 09:19:55 Checking IDT and SYSENTER - complete
03/10/2009 09:19:57 1.4 Searching for masking processes and drivers
03/10/2009 09:19:57 Checking not performed: extended monitoring driver (AVZPM) is not installed
03/10/2009 09:19:57 Driver loaded successfully
03/10/2009 09:19:57 1.5 Checking of IRP handlers
03/10/2009 09:19:57 Checking - complete
03/10/2009 09:19:59 C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCP80.dll --> Suspicion for Keylogger or Trojan DLL
03/10/2009 09:19:59 C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCP80.dll>>> Behavioral analysis
03/10/2009 09:19:59 Behaviour typical for keyloggers not detected
03/10/2009 09:19:59 C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll --> Suspicion for Keylogger or Trojan DLL
03/10/2009 09:19:59 C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll>>> Behavioral analysis
03/10/2009 09:19:59 Behaviour typical for keyloggers not detected
03/10/2009 0905 C:\PROGRA~1\MYWEBS~1\bar\1.bin\f3hkstub.dll --> Suspicion for Keylogger or Trojan DLL
03/10/2009 0905 C:\PROGRA~1\MYWEBS~1\bar\1.bin\f3hkstub.dll>>> Behavioral analysis
03/10/2009 0905 1. Reacts to events: keyboard
03/10/2009 0905 C:\PROGRA~1\MYWEBS~1\bar\1.bin\f3hkstub.dll>>> Neural net: file with probability 0.00% like a typical keyboard/mouse events interceptor
03/10/2009 0905 C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoestb.dll --> Suspicion for Keylogger or Trojan DLL
03/10/2009 0905 C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoestb.dll>>> Behavioral analysis
03/10/2009 0905 Behaviour typical for keyloggers not detected
03/10/2009 0908 Note: Do NOT delete suspicious files, send them for analysis (see FAQ for more details), because there are lots of useful hooking DLLs
03/10/2009 0919 >>> C:\Program Files\MyWebSearch\bar\1.bin\MWSSRCAS.DLL HSC: suspicion for Spy.MyWay, AdvWare.GoWebSite (high degree of probability)
03/10/2009 0919 >>> C:\Program Files\MyWebSearch\bar\1.bin\M3OUTLCN.DLL HSC: suspicion for Spy.MyWebSearch (high degree of probability)
03/10/2009 0919 >>> C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL HSC: suspicion for Spy.MyWebSearch
03/10/2009 0920 >>> C:\Program Files\MyWebSearch\bar\1.bin\MWSSRCAS.DLL HSC: suspicion for Spy.MyWebSearch
03/10/2009 0935 Latent loading of libraries through AppInit_DLLs suspected: "C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll"
03/10/2009 0937 >>> C:\autorun.inf HSC: suspicion for hidden autorun (high degree of probability)
03/10/2009 0937 >>> D:\autorun.inf HSC: suspicion for hidden autorun (high degree of probability)
03/10/2009 0937 >> Services: potentially dangerous service allowed: RemoteRegistry (Accès à distance au Registre)
03/10/2009 0937 >> Services: potentially dangerous service allowed: TermService (Services Terminal Server)
03/10/2009 0937 >> Services: potentially dangerous service allowed: SSDPSRV (Service de découvertes SSDP)
03/10/2009 0937 >> Services: potentially dangerous service allowed: Schedule (Planificateur de tâches)
03/10/2009 0937 >> Services: potentially dangerous service allowed: mnmsrvc (Partage de Bureau à distance NetMeeting)
03/10/2009 0937 >> Services: potentially dangerous service allowed: RDSessMgr (Gestionnaire de session d'aide sur le Bureau à distance)
03/10/2009 0937 > Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
03/10/2009 0937 >> Security: disk drives' autorun is enabled
03/10/2009 0938 >> Security: anonymous user access is enabled
03/10/2009 0938 >> Security: terminal connections to the PC are allowed
03/10/2009 0938 >> Security: sending Remote Assistant queries is enabled
03/10/2009 0938 >> Security: automatic logon is enabled
03/10/2009 0947 >> Explorer - folder properties access blocked
03/10/2009 0948 >> Disable HDD autorun
03/10/2009 0948 >> Disable autorun from network drives
03/10/2009 0948 >> Disable CD/DVD autorun
03/10/2009 0948 >> Disable removable media autorun
03/10/2009 0948 System Analysis in progress
03/10/2009 09:25:32 System Analysis - complete
03/10/2009 09:25:32 Delete file:C:\Documents and Settings\Administrateur\Bureau\Virus Removal Tool\is-QRJVT\LOG\avptool_syscheck.htm
03/10/2009 09:25:32 Delete file:C:\Documents and Settings\Administrateur\Bureau\Virus Removal Tool\is-QRJVT\LOG\avptool_syscheck.xml
03/10/2009 09:25:33 Deleting service/driver: ute4ndyy
03/10/2009 09:25:33 Delete file:C:\WINDOWS\system32\Drivers\ute4ndyy.sys
03/10/2009 09:25:33 Deleting service/driver: uje4ndyy
03/10/2009 09:25:33 Script executed without errors