# Forum in English  > Internet security for beginners  > Viruses, Adware, Spyware, Hijackers  >  Results of my Scan

## titusferguson

Hello

I have recently been having trouble with my PC. Firewall is repeatedly turned off when I reboot - webpages don't load - AVG will not update - and all new links in firefox open in a new tab.

I ran Kapersky and this is the resulting log:



```
<AVZ_CollectSysInfo>
--------------------
Start time:    4/6/2009 1:20:06 PM
Duration:    00:02:26
Finish time:    4/6/2009 1:22:32 PM


<AVZ_CollectSysInfo>
--------------------
Time    Event
----    -----
4/6/2009 1:20:08 PM    Windows version: Microsoft Windows XP, Build=2600, SP="Service Pack 3"
4/6/2009 1:20:08 PM    System Restore: enabled
4/6/2009 1:20:09 PM    1.1 Searching for user-mode API hooks
4/6/2009 1:20:09 PM     Analysis: kernel32.dll, export table found in section .text
4/6/2009 1:20:09 PM    Function kernel32.dll:CreateProcessA (99) intercepted, method ProcAddressHijack.GetProcAddress ->7C80236B->61F03F42
4/6/2009 1:20:09 PM    Hook kernel32.dll:CreateProcessA (99) blocked
4/6/2009 1:20:09 PM    Function kernel32.dll:CreateProcessW (103) intercepted, method ProcAddressHijack.GetProcAddress ->7C802336->61F04040
4/6/2009 1:20:09 PM    Hook kernel32.dll:CreateProcessW (103) blocked
4/6/2009 1:20:09 PM    Function kernel32.dll:FreeLibrary (241) intercepted, method ProcAddressHijack.GetProcAddress ->7C80AC6E->61F041FC
4/6/2009 1:20:09 PM    Hook kernel32.dll:FreeLibrary (241) blocked
4/6/2009 1:20:09 PM    Function kernel32.dll:GetModuleFileNameA (373) intercepted, method ProcAddressHijack.GetProcAddress ->7C80B55F->61F040FB
4/6/2009 1:20:09 PM    Hook kernel32.dll:GetModuleFileNameA (373) blocked
4/6/2009 1:20:09 PM    Function kernel32.dll:GetModuleFileNameW (374) intercepted, method ProcAddressHijack.GetProcAddress ->7C80B465->61F041A0
4/6/2009 1:20:09 PM    Hook kernel32.dll:GetModuleFileNameW (374) blocked
4/6/2009 1:20:09 PM    Function kernel32.dll:GetProcAddress (409) intercepted, method ProcAddressHijack.GetProcAddress ->7C80AE30->61F04648
4/6/2009 1:20:09 PM    Hook kernel32.dll:GetProcAddress (409) blocked
4/6/2009 1:20:09 PM    Function kernel32.dll:LoadLibraryA (581) intercepted, method ProcAddressHijack.GetProcAddress ->7C801D7B->61F03C6F
4/6/2009 1:20:09 PM    Hook kernel32.dll:LoadLibraryA (581) blocked
4/6/2009 1:20:09 PM     >>> Functions LoadLibraryA - preventing AVZ process from being intercepted by address replacement  !!)
4/6/2009 1:20:09 PM    Function kernel32.dll:LoadLibraryExA (582) intercepted, method ProcAddressHijack.GetProcAddress ->7C801D53->61F03DAF
4/6/2009 1:20:09 PM    Hook kernel32.dll:LoadLibraryExA (582) blocked
4/6/2009 1:20:09 PM     >>> Functions LoadLibraryExA - preventing AVZ process from being intercepted by address replacement !!)
4/6/2009 1:20:09 PM    Function kernel32.dll:LoadLibraryExW (583) intercepted, method ProcAddressHijack.GetProcAddress ->7C801AF5->61F03E5A
4/6/2009 1:20:09 PM    Hook kernel32.dll:LoadLibraryExW (583) blocked
4/6/2009 1:20:09 PM    Function kernel32.dll:LoadLibraryW (584) intercepted, method ProcAddressHijack.GetProcAddress ->7C80AEDB->61F03D0C
4/6/2009 1:20:09 PM    Hook kernel32.dll:LoadLibraryW (584) blocked
4/6/2009 1:20:09 PM    IAT modification detected: LoadLibraryW - 00C00010<>7C80AEDB
4/6/2009 1:20:09 PM     Analysis: ntdll.dll, export table found in section .text
4/6/2009 1:20:09 PM     Analysis: user32.dll, export table found in section .text
4/6/2009 1:20:09 PM     Analysis: advapi32.dll, export table found in section .text
4/6/2009 1:20:09 PM     Analysis: ws2_32.dll, export table found in section .text
4/6/2009 1:20:09 PM     Analysis: wininet.dll, export table found in section .text
4/6/2009 1:20:10 PM     Analysis: rasapi32.dll, export table found in section .text
4/6/2009 1:20:10 PM     Analysis: urlmon.dll, export table found in section .text
4/6/2009 1:20:10 PM     Analysis: netapi32.dll, export table found in section .text
4/6/2009 1:20:11 PM    1.2 Searching for kernel-mode API hooks
4/6/2009 1:20:11 PM     Driver loaded successfully
4/6/2009 1:20:11 PM     SDT found (RVA=085700)
4/6/2009 1:20:11 PM     Kernel ntkrnlpa.exe found in memory at address 804D7000
4/6/2009 1:20:11 PM       SDT = 8055C700
4/6/2009 1:20:11 PM       KiST = 80504460 (284)
4/6/2009 1:20:12 PM    Function NtCreateKey (29) intercepted (80623792->BA0F887E), hook C:\WINDOWS\system32\Drivers\Lbd.sys
4/6/2009 1:20:12 PM    >>> Function restored successfully !
4/6/2009 1:20:12 PM    >>> Hook code blocked
4/6/2009 1:20:12 PM    Function NtEnumerateKey (47) - machine code modification Method of JmpTo. jmp 89AD966C
4/6/2009 1:20:12 PM    >>> Function restored successfully !
4/6/2009 1:20:12 PM    Function NtFlushInstructionCache (4E) - machine code modification Method of JmpTo. jmp 89AD84D4
4/6/2009 1:20:12 PM    >>> Function restored successfully !
4/6/2009 1:20:12 PM    Function NtSetValueKey (F7) intercepted (80621D18->BA0F8C10), hook C:\WINDOWS\system32\Drivers\Lbd.sys
4/6/2009 1:20:12 PM    >>> Function restored successfully !
4/6/2009 1:20:12 PM    >>> Hook code blocked
4/6/2009 1:20:12 PM    Function IofCallDriver (804EF1A6) - machine code modification Method of JmpTo. jmp 89BA4A63 
4/6/2009 1:20:12 PM    >>> Function restored successfully !
4/6/2009 1:20:12 PM    Function IofCompleteRequest (804EF236) - machine code modification Method of JmpTo. jmp 89BA4ACB 
4/6/2009 1:20:12 PM    >>> Function restored successfully !
4/6/2009 1:20:12 PM    Functions checked: 284, intercepted: 2, restored: 6
4/6/2009 1:20:12 PM    1.3 Checking IDT and SYSENTER
4/6/2009 1:20:12 PM     Analysis for CPU 1
4/6/2009 1:20:12 PM     Analysis for CPU 2
4/6/2009 1:20:12 PM     Checking IDT and SYSENTER - complete
4/6/2009 1:20:13 PM    1.4 Searching for masking processes and drivers
4/6/2009 1:20:13 PM     Checking not performed: extended monitoring driver (AVZPM) is not installed
4/6/2009 1:20:13 PM     Driver loaded successfully
4/6/2009 1:20:13 PM    1.5 Checking of IRP handlers
4/6/2009 1:20:13 PM     Checking - complete
4/6/2009 1:20:13 PM    C:\Program Files\BillP Studios\WinPatrol\PATROLPRO.DLL --> Suspicion for Keylogger or Trojan DLL
4/6/2009 1:20:13 PM    C:\Program Files\BillP Studios\WinPatrol\PATROLPRO.DLL>>> Behavioral analysis 
4/6/2009 1:20:13 PM      1. Reacts to events: keyboard, mouse
4/6/2009 1:20:13 PM    C:\Program Files\BillP Studios\WinPatrol\PATROLPRO.DLL>>> Neural net: file with probability 0.00% like a typical keyboard/mouse events interceptor
4/6/2009 1:20:21 PM    Note: Do NOT delete suspicious files, send them for analysis  (see FAQ for more details),  because there are lots of useful hooking DLLs
4/6/2009 1:20:29 PM    >>> C:\autorun.inf HSC: suspicion for  hidden autorun (high degree of probability)
4/6/2009 1:20:29 PM    >> Services: potentially dangerous service allowed: RemoteRegistry (Remote Registry)
4/6/2009 1:20:29 PM    >> Services: potentially dangerous service allowed: TermService (Terminal Services)
4/6/2009 1:20:29 PM    >> Services: potentially dangerous service allowed: SSDPSRV (SSDP Discovery Service)
4/6/2009 1:20:29 PM    >> Services: potentially dangerous service allowed: Schedule (Task Scheduler)
4/6/2009 1:20:29 PM    >> Services: potentially dangerous service allowed: mnmsrvc (NetMeeting Remote Desktop Sharing)
4/6/2009 1:20:29 PM    >> Services: potentially dangerous service allowed: RDSessMgr (Remote Desktop Help Session Manager)
4/6/2009 1:20:29 PM    > Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
4/6/2009 1:20:29 PM    >> Security: disk drives' autorun is enabled
4/6/2009 1:20:29 PM    >> Security: administrative shares (C$, D$ ...) are enabled
4/6/2009 1:20:29 PM    >> Security: anonymous user access is enabled
4/6/2009 1:20:29 PM    >> Security: terminal connections to the PC are allowed
4/6/2009 1:20:29 PM    >> Security: sending Remote Assistant queries is enabled
4/6/2009 1:20:32 PM     >>  Disable CD/DVD autorun
4/6/2009 1:20:33 PM    System Analysis in progress
4/6/2009 1:22:32 PM    System Analysis - complete
4/6/2009 1:22:32 PM    Delete file:C:\Documents and Settings\Administrator\Desktop\Virus Removal Tool\is-F8L9H\LOG\avptool_syscheck.htm
4/6/2009 1:22:32 PM    Delete file:C:\Documents and Settings\Administrator\Desktop\Virus Removal Tool\is-F8L9H\LOG\avptool_syscheck.xml
4/6/2009 1:22:32 PM    Deleting service/driver: uti3otqy
4/6/2009 1:22:32 PM    Delete file:C:\WINDOWS\system32\Drivers\uti3otqy.sys
4/6/2009 1:22:32 PM    Deleting service/driver: uji3otqy
4/6/2009 1:22:32 PM    Script executed without errors
```

---------

Thanks in advance for your help!

----------


## Rene-gad

http://virusinfo.info/showthread.php?t=9184

----------

