<AVZ_CollectSysInfo>
--------------------
Start time: 03/01/2010 11:32:39 ص
Duration: 00:02:06
Finish time: 03/01/2010 11:34:45 ص
<AVZ_CollectSysInfo>
--------------------
Time Event
---- -----
03/01/2010 11:32:40 ص Windows version: Windows Vista (TM) Ultimate, Build=6001, SP="Service Pack 1"
03/01/2010 11:32:41 ص System Restore: enabled
03/01/2010 11:32:45 ص 1.1 Searching for user-mode API hooks
03/01/2010 11:32:45 ص Analysis: kernel32.dll, export table found in section .text
03/01/2010 11:32:45 ص Function kernel32.dll:CreateProcessA (151) intercepted, method ProcAddressHijack.GetProcAddress ->76321C36->61F03F42
03/01/2010 11:32:45 ص Hook kernel32.dll:CreateProcessA (151) blocked
03/01/2010 11:32:45 ص Function kernel32.dll:CreateProcessW (154) intercepted, method ProcAddressHijack.GetProcAddress ->76321C01->61F04040
03/01/2010 11:32:45 ص Hook kernel32.dll:CreateProcessW (154) blocked
03/01/2010 11:32:46 ص Function kernel32.dll:FreeLibrary (335) intercepted, method ProcAddressHijack.GetProcAddress ->763608F8->61F041FC
03/01/2010 11:32:46 ص Hook kernel32.dll:FreeLibrary (335) blocked
03/01/2010 11:32:46 ص Function kernel32.dll:GetModuleFileNameA (503) intercepted, method ProcAddressHijack.GetProcAddress ->7636440D->61F040FB
03/01/2010 11:32:46 ص Hook kernel32.dll:GetModuleFileNameA (503) blocked
03/01/2010 11:32:46 ص Function kernel32.dll:GetModuleFileNameW (504) intercepted, method ProcAddressHijack.GetProcAddress ->763658E5->61F041A0
03/01/2010 11:32:46 ص Hook kernel32.dll:GetModuleFileNameW (504) blocked
03/01/2010 11:32:46 ص Function kernel32.dll:GetProcAddress (54 intercepted, method ProcAddressHijack.GetProcAddress ->7636B8B6->61F04648
03/01/2010 11:32:46 ص Hook kernel32.dll:GetProcAddress (54 blocked
03/01/2010 11:32:47 ص Function kernel32.dll:LoadLibraryA (759) intercepted, method ProcAddressHijack.GetProcAddress ->76349491->61F03C6F
03/01/2010 11:32:47 ص Hook kernel32.dll:LoadLibraryA (759) blocked
03/01/2010 11:32:47 ص >>> Functions LoadLibraryA - preventing AVZ process from being intercepted by address replacement !!)
03/01/2010 11:32:47 ص Function kernel32.dll:LoadLibraryExA (760) intercepted, method ProcAddressHijack.GetProcAddress ->76349469->61F03DAF
03/01/2010 11:32:47 ص Hook kernel32.dll:LoadLibraryExA (760) blocked
03/01/2010 11:32:47 ص >>> Functions LoadLibraryExA - preventing AVZ process from being intercepted by address replacement !!)
03/01/2010 11:32:47 ص Function kernel32.dll:LoadLibraryExW (761) intercepted, method ProcAddressHijack.GetProcAddress ->763430C3->61F03E5A
03/01/2010 11:32:47 ص Hook kernel32.dll:LoadLibraryExW (761) blocked
03/01/2010 11:32:47 ص Function kernel32.dll:LoadLibraryW (762) intercepted, method ProcAddressHijack.GetProcAddress ->7634361F->61F03D0C
03/01/2010 11:32:48 ص Hook kernel32.dll:LoadLibraryW (762) blocked
03/01/2010 11:32:48 ص IAT modification detected: LoadLibraryW - 018D0010<>7634361F
03/01/2010 11:32:48 ص Analysis: ntdll.dll, export table found in section .text
03/01/2010 11:32:48 ص Analysis: user32.dll, export table found in section .text
03/01/2010 11:32:48 ص Analysis: advapi32.dll, export table found in section .text
03/01/2010 11:32:48 ص Analysis: ws2_32.dll, export table found in section .text
03/01/2010 11:32:49 ص Analysis: wininet.dll, export table found in section .text
03/01/2010 11:32:54 ص Analysis: rasapi32.dll, export table found in section .text
03/01/2010 11:32:55 ص Analysis: urlmon.dll, export table found in section .text
03/01/2010 11:32:55 ص Analysis: netapi32.dll, export table found in section .text
03/01/2010 11:32:59 ص 1.2 Searching for kernel-mode API hooks
03/01/2010 11:33:00 ص Driver loaded successfully
03/01/2010 11:33:00 ص SDT found (RVA=137B00)
03/01/2010 11:33:00 ص Kernel ntkrnlpa.exe found in memory at address 81C04000
03/01/2010 11:33:00 ص SDT = 81D3BB00
03/01/2010 11:33:00 ص KiST = 81CBC8E0 (391)
03/01/2010 11:33:01 ص Functions checked: 391, intercepted: 0, restored: 0
03/01/2010 11:33:01 ص 1.3 Checking IDT and SYSENTER
03/01/2010 11:33:01 ص Analysis for CPU 1
03/01/2010 11:33:01 ص Analysis for CPU 2
03/01/2010 11:33:01 ص Checking IDT and SYSENTER - complete
03/01/2010 11:33:04 ص 1.4 Searching for masking processes and drivers
03/01/2010 11:33:04 ص Checking not performed: extended monitoring driver (AVZPM) is not installed
03/01/2010 11:33:04 ص Driver loaded successfully
03/01/2010 11:33:04 ص 1.5 Checking of IRP handlers
03/01/2010 11:33:04 ص \driver\tcpip[IRP_MJ_CREATE_NAMED_PIPE] = 81C29FDF -> C:\Windows\system32\ntkrnlpa.exe, driver recognized as trusted
03/01/2010 11:33:04 ص \driver\tcpip[IRP_MJ_READ] = 81C29FDF -> C:\Windows\system32\ntkrnlpa.exe, driver recognized as trusted
03/01/2010 11:33:05 ص \driver\tcpip[IRP_MJ_WRITE] = 81C29FDF -> C:\Windows\system32\ntkrnlpa.exe, driver recognized as trusted
03/01/2010 11:33:05 ص \driver\tcpip[IRP_MJ_QUERY_INFORMATION] = 81C29FDF -> C:\Windows\system32\ntkrnlpa.exe, driver recognized as trusted
03/01/2010 11:33:05 ص \driver\tcpip[IRP_MJ_SET_INFORMATION] = 81C29FDF -> C:\Windows\system32\ntkrnlpa.exe, driver recognized as trusted
03/01/2010 11:33:05 ص \driver\tcpip[IRP_MJ_QUERY_EA] = 81C29FDF -> C:\Windows\system32\ntkrnlpa.exe, driver recognized as trusted
03/01/2010 11:33:05 ص \driver\tcpip[IRP_MJ_SET_EA] = 81C29FDF -> C:\Windows\system32\ntkrnlpa.exe, driver recognized as trusted
03/01/2010 11:33:06 ص \driver\tcpip[IRP_MJ_FLUSH_BUFFERS] = 81C29FDF -> C:\Windows\system32\ntkrnlpa.exe, driver recognized as trusted
03/01/2010 11:33:06 ص \driver\tcpip[IRP_MJ_QUERY_VOLUME_INFORMATION] = 81C29FDF -> C:\Windows\system32\ntkrnlpa.exe, driver recognized as trusted
03/01/2010 11:33:06 ص \driver\tcpip[IRP_MJ_SET_VOLUME_INFORMATION] = 81C29FDF -> C:\Windows\system32\ntkrnlpa.exe, driver recognized as trusted
03/01/2010 11:33:06 ص \driver\tcpip[IRP_MJ_DIRECTORY_CONTROL] = 81C29FDF -> C:\Windows\system32\ntkrnlpa.exe, driver recognized as trusted
03/01/2010 11:33:06 ص \driver\tcpip[IRP_MJ_FILE_SYSTEM_CONTROL] = 81C29FDF -> C:\Windows\system32\ntkrnlpa.exe, driver recognized as trusted
03/01/2010 11:33:07 ص \driver\tcpip[IRP_MJ_SHUTDOWN] = 81C29FDF -> C:\Windows\system32\ntkrnlpa.exe, driver recognized as trusted
03/01/2010 11:33:07 ص \driver\tcpip[IRP_MJ_LOCK_CONTROL] = 81C29FDF -> C:\Windows\system32\ntkrnlpa.exe, driver recognized as trusted
03/01/2010 11:33:07 ص \driver\tcpip[IRP_MJ_CREATE_MAILSLOT] = 81C29FDF -> C:\Windows\system32\ntkrnlpa.exe, driver recognized as trusted
03/01/2010 11:33:07 ص \driver\tcpip[IRP_MJ_QUERY_SECURITY] = 81C29FDF -> C:\Windows\system32\ntkrnlpa.exe, driver recognized as trusted
03/01/2010 11:33:07 ص \driver\tcpip[IRP_MJ_SET_SECURITY] = 81C29FDF -> C:\Windows\system32\ntkrnlpa.exe, driver recognized as trusted
03/01/2010 11:33:08 ص \driver\tcpip[IRP_MJ_POWER] = 81C29FDF -> C:\Windows\system32\ntkrnlpa.exe, driver recognized as trusted
03/01/2010 11:33:08 ص \driver\tcpip[IRP_MJ_SYSTEM_CONTROL] = 81C29FDF -> C:\Windows\system32\ntkrnlpa.exe, driver recognized as trusted
03/01/2010 11:33:08 ص \driver\tcpip[IRP_MJ_DEVICE_CHANGE] = 81C29FDF -> C:\Windows\system32\ntkrnlpa.exe, driver recognized as trusted
03/01/2010 11:33:08 ص \driver\tcpip[IRP_MJ_QUERY_QUOTA] = 81C29FDF -> C:\Windows\system32\ntkrnlpa.exe, driver recognized as trusted
03/01/2010 11:33:08 ص \driver\tcpip[IRP_MJ_SET_QUOTA] = 81C29FDF -> C:\Windows\system32\ntkrnlpa.exe, driver recognized as trusted
03/01/2010 11:33:09 ص \driver\tcpip[IRP_MJ_PNP] = 81C29FDF -> C:\Windows\system32\ntkrnlpa.exe, driver recognized as trusted
03/01/2010 11:33:09 ص Checking - complete
03/01/2010 11:33:11 ص C:\Program Files\VerbAce Research\VerbAce-Pro\HookDll.dll --> Suspicion for Keylogger or Trojan DLL
03/01/2010 11:33:11 ص C:\Program Files\VerbAce Research\VerbAce-Pro\HookDll.dll>>> Behavioral analysis
03/01/2010 11:33:11 ص Behaviour typical for keyloggers not detected
03/01/2010 11:33:12 ص Note: Do NOT delete suspicious files, send them for analysis (see FAQ for more details), because there are lots of useful hooking DLLs
03/01/2010 11:33:23 ص >>> C:\Program Files\DAP\DAPNS.DLL HSC: suspicion for Adware.SpeedBit
03/01/2010 11:33:23 ص >>> C:\PROGRA~1\DAP\dapie.dll HSC: suspicion for Adware.SpeedBit
03/01/2010 11:33:23 ص >>> C:\PROGRA~1\DAP\dapie.dll HSC: suspicion for Adware.SpeedBit
03/01/2010 11:33:25 ص >> Services: potentially dangerous service allowed: TermService (@%SystemRoot%\System32\termsrv.dll,-26
03/01/2010 11:33:25 ص >> Services: potentially dangerous service allowed: SSDPSRV (@%systemroot%\system32\ssdpsrv.dll,-100)
03/01/2010 11:33:25 ص >> Services: potentially dangerous service allowed: Schedule (@%SystemRoot%\system32\schedsvc.dll,-100)
03/01/2010 11:33:25 ص > Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
03/01/2010 11:33:25 ص >> Security: disk drives' autorun is enabled
03/01/2010 11:33:25 ص >> Security: administrative shares (C$, D$ ...) are enabled
03/01/2010 11:33:25 ص >> Security: anonymous user access is enabled
03/01/2010 11:33:25 ص >> Security: sending Remote Assistant queries is enabled
03/01/2010 11:33:29 ص >> Disable HDD autorun
03/01/2010 11:33:29 ص >> Disable autorun from network drives
03/01/2010 11:33:29 ص >> Disable CD/DVD autorun
03/01/2010 11:33:29 ص >> Disable removable media autorun
03/01/2010 11:33:29 ص >> Windows Update is disabled
03/01/2010 11:33:30 ص System Analysis in progress
03/01/2010 11:34:45 ص System Analysis - complete
03/01/2010 11:34:45 ص Delete file:C:\Users\Smile\Desktop\Virus Removal Tool\is-ET86U\LOG\avptool_syscheck.htm
03/01/2010 11:34:45 ص Delete file:C:\Users\Smile\Desktop\Virus Removal Tool\is-ET86U\LOG\avptool_syscheck.xml
03/01/2010 11:34:45 ص Deleting service/driver: utezmtaz
03/01/2010 11:34:45 ص Delete file:C:\Windows\system32\Drivers\utezmtaz.sys
03/01/2010 11:34:45 ص Deleting service/driver: ujezmtaz
03/01/2010 11:34:45 ص Script executed without errors