titusferguson
06.04.2009, 21:30
Hello
I have recently been having trouble with my PC. Firewall is repeatedly turned off when I reboot - webpages don't load - AVG will not update - and all new links in Firefox open in a new tab.
I ran Kaspersky and this is the resulting log:
<AVZ_CollectSysInfo>
--------------------
Start time: 4/6/2009 1:20:06 PM
Duration: 00:02:26
Finish time: 4/6/2009 1:22:32 PM
<AVZ_CollectSysInfo>
--------------------
Time Event
---- -----
4/6/2009 1:20:08 PM Windows version: Microsoft Windows XP, Build=2600, SP="Service Pack 3"
4/6/2009 1:20:08 PM System Restore: enabled
4/6/2009 1:20:09 PM 1.1 Searching for user-mode API hooks
4/6/2009 1:20:09 PM Analysis: kernel32.dll, export table found in section .text
4/6/2009 1:20:09 PM Function kernel32.dll:CreateProcessA (99) intercepted, method ProcAddressHijack.GetProcAddress ->7C80236B->61F03F42
4/6/2009 1:20:09 PM Hook kernel32.dll:CreateProcessA (99) blocked
4/6/2009 1:20:09 PM Function kernel32.dll:CreateProcessW (103) intercepted, method ProcAddressHijack.GetProcAddress ->7C802336->61F04040
4/6/2009 1:20:09 PM Hook kernel32.dll:CreateProcessW (103) blocked
4/6/2009 1:20:09 PM Function kernel32.dll:FreeLibrary (241) intercepted, method ProcAddressHijack.GetProcAddress ->7C80AC6E->61F041FC
4/6/2009 1:20:09 PM Hook kernel32.dll:FreeLibrary (241) blocked
4/6/2009 1:20:09 PM Function kernel32.dll:GetModuleFileNameA (373) intercepted, method ProcAddressHijack.GetProcAddress ->7C80B55F->61F040FB
4/6/2009 1:20:09 PM Hook kernel32.dll:GetModuleFileNameA (373) blocked
4/6/2009 1:20:09 PM Function kernel32.dll:GetModuleFileNameW (374) intercepted, method ProcAddressHijack.GetProcAddress ->7C80B465->61F041A0
4/6/2009 1:20:09 PM Hook kernel32.dll:GetModuleFileNameW (374) blocked
4/6/2009 1:20:09 PM Function kernel32.dll:GetProcAddress (409) intercepted, method ProcAddressHijack.GetProcAddress ->7C80AE30->61F04648
4/6/2009 1:20:09 PM Hook kernel32.dll:GetProcAddress (409) blocked
4/6/2009 1:20:09 PM Function kernel32.dll:LoadLibraryA (581) intercepted, method ProcAddressHijack.GetProcAddress ->7C801D7B->61F03C6F
4/6/2009 1:20:09 PM Hook kernel32.dll:LoadLibraryA (581) blocked
4/6/2009 1:20:09 PM >>> Functions LoadLibraryA - preventing AVZ process from being intercepted by address replacement !!)
4/6/2009 1:20:09 PM Function kernel32.dll:LoadLibraryExA (582) intercepted, method ProcAddressHijack.GetProcAddress ->7C801D53->61F03DAF
4/6/2009 1:20:09 PM Hook kernel32.dll:LoadLibraryExA (582) blocked
4/6/2009 1:20:09 PM >>> Functions LoadLibraryExA - preventing AVZ process from being intercepted by address replacement !!)
4/6/2009 1:20:09 PM Function kernel32.dll:LoadLibraryExW (583) intercepted, method ProcAddressHijack.GetProcAddress ->7C801AF5->61F03E5A
4/6/2009 1:20:09 PM Hook kernel32.dll:LoadLibraryExW (583) blocked
4/6/2009 1:20:09 PM Function kernel32.dll:LoadLibraryW (584) intercepted, method ProcAddressHijack.GetProcAddress ->7C80AEDB->61F03D0C
4/6/2009 1:20:09 PM Hook kernel32.dll:LoadLibraryW (584) blocked
4/6/2009 1:20:09 PM IAT modification detected: LoadLibraryW - 00C00010<>7C80AEDB
4/6/2009 1:20:09 PM Analysis: ntdll.dll, export table found in section .text
4/6/2009 1:20:09 PM Analysis: user32.dll, export table found in section .text
4/6/2009 1:20:09 PM Analysis: advapi32.dll, export table found in section .text
4/6/2009 1:20:09 PM Analysis: ws2_32.dll, export table found in section .text
4/6/2009 1:20:09 PM Analysis: wininet.dll, export table found in section .text
4/6/2009 1:20:10 PM Analysis: rasapi32.dll, export table found in section .text
4/6/2009 1:20:10 PM Analysis: urlmon.dll, export table found in section .text
4/6/2009 1:20:10 PM Analysis: netapi32.dll, export table found in section .text
4/6/2009 1:20:11 PM 1.2 Searching for kernel-mode API hooks
4/6/2009 1:20:11 PM Driver loaded successfully
4/6/2009 1:20:11 PM SDT found (RVA=085700)
4/6/2009 1:20:11 PM Kernel ntkrnlpa.exe found in memory at address 804D7000
4/6/2009 1:20:11 PM SDT = 8055C700
4/6/2009 1:20:11 PM KiST = 80504460 (284)
4/6/2009 1:20:12 PM Function NtCreateKey (29) intercepted (80623792->BA0F887E), hook C:\WINDOWS\system32\Drivers\Lbd.sys
4/6/2009 1:20:12 PM >>> Function restored successfully !
4/6/2009 1:20:12 PM >>> Hook code blocked
4/6/2009 1:20:12 PM Function NtEnumerateKey (47) - machine code modification Method of JmpTo. jmp 89AD966C
4/6/2009 1:20:12 PM >>> Function restored successfully !
4/6/2009 1:20:12 PM Function NtFlushInstructionCache (4E) - machine code modification Method of JmpTo. jmp 89AD84D4
4/6/2009 1:20:12 PM >>> Function restored successfully !
4/6/2009 1:20:12 PM Function NtSetValueKey (F7) intercepted (80621D18->BA0F8C10), hook C:\WINDOWS\system32\Drivers\Lbd.sys
4/6/2009 1:20:12 PM >>> Function restored successfully !
4/6/2009 1:20:12 PM >>> Hook code blocked
4/6/2009 1:20:12 PM Function IofCallDriver (804EF1A6) - machine code modification Method of JmpTo. jmp 89BA4A63
4/6/2009 1:20:12 PM >>> Function restored successfully !
4/6/2009 1:20:12 PM Function IofCompleteRequest (804EF236) - machine code modification Method of JmpTo. jmp 89BA4ACB
4/6/2009 1:20:12 PM >>> Function restored successfully !
4/6/2009 1:20:12 PM Functions checked: 284, intercepted: 2, restored: 6
4/6/2009 1:20:12 PM 1.3 Checking IDT and SYSENTER
4/6/2009 1:20:12 PM Analysis for CPU 1
4/6/2009 1:20:12 PM Analysis for CPU 2
4/6/2009 1:20:12 PM Checking IDT and SYSENTER - complete
4/6/2009 1:20:13 PM 1.4 Searching for masking processes and drivers
4/6/2009 1:20:13 PM Checking not performed: extended monitoring driver (AVZPM) is not installed
4/6/2009 1:20:13 PM Driver loaded successfully
4/6/2009 1:20:13 PM 1.5 Checking of IRP handlers
4/6/2009 1:20:13 PM Checking - complete
4/6/2009 1:20:13 PM C:\Program Files\BillP Studios\WinPatrol\PATROLPRO.DLL --> Suspicion for Keylogger or Trojan DLL
4/6/2009 1:20:13 PM C:\Program Files\BillP Studios\WinPatrol\PATROLPRO.DLL>>> Behavioral analysis
4/6/2009 1:20:13 PM 1. Reacts to events: keyboard, mouse
4/6/2009 1:20:13 PM C:\Program Files\BillP Studios\WinPatrol\PATROLPRO.DLL>>> Neural net: file with probability 0.00% like a typical keyboard/mouse events interceptor
4/6/2009 1:20:21 PM Note: Do NOT delete suspicious files, send them for analysis (see FAQ for more details), because there are lots of useful hooking DLLs
4/6/2009 1:20:29 PM >>> C:\autorun.inf HSC: suspicion for hidden autorun (high degree of probability)
4/6/2009 1:20:29 PM >> Services: potentially dangerous service allowed: RemoteRegistry (Remote Registry)
4/6/2009 1:20:29 PM >> Services: potentially dangerous service allowed: TermService (Terminal Services)
4/6/2009 1:20:29 PM >> Services: potentially dangerous service allowed: SSDPSRV (SSDP Discovery Service)
4/6/2009 1:20:29 PM >> Services: potentially dangerous service allowed: Schedule (Task Scheduler)
4/6/2009 1:20:29 PM >> Services: potentially dangerous service allowed: mnmsrvc (NetMeeting Remote Desktop Sharing)
4/6/2009 1:20:29 PM >> Services: potentially dangerous service allowed: RDSessMgr (Remote Desktop Help Session Manager)
4/6/2009 1:20:29 PM > Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
4/6/2009 1:20:29 PM >> Security: disk drives' autorun is enabled
4/6/2009 1:20:29 PM >> Security: administrative shares (C$, D$ ...) are enabled
4/6/2009 1:20:29 PM >> Security: anonymous user access is enabled
4/6/2009 1:20:29 PM >> Security: terminal connections to the PC are allowed
4/6/2009 1:20:29 PM >> Security: sending Remote Assistant queries is enabled
4/6/2009 1:20:32 PM >> Disable CD/DVD autorun
4/6/2009 1:20:33 PM System Analysis in progress
4/6/2009 1:22:32 PM System Analysis - complete
4/6/2009 1:22:32 PM Delete file:C:\Documents and Settings\Administrator\Desktop\Virus Removal Tool\is-F8L9H\LOG\avptool_syscheck.htm
4/6/2009 1:22:32 PM Delete file:C:\Documents and Settings\Administrator\Desktop\Virus Removal Tool\is-F8L9H\LOG\avptool_syscheck.xml
4/6/2009 1:22:32 PM Deleting service/driver: uti3otqy
4/6/2009 1:22:32 PM Delete file:C:\WINDOWS\system32\Drivers\uti3otqy.sys
4/6/2009 1:22:32 PM Deleting service/driver: uji3otqy
4/6/2009 1:22:32 PM Script executed without errors
---------
Thanks in advance for your help!
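The hook lines in that AVZ log are the part worth reading closely: the user-mode "ProcAddressHijack" and "IAT modification" entries, the kernel SDT hooks AVZ tied to a driver file, and the inline "JmpTo" patches it could not tie to anything. As an added example (not from the original post, not AVZ's own code), here is a small Python triage script that parses lines in that format, separates kernel hooks with a named owning driver from unattributed inline patches, and cross-checks the tool's "Functions checked / intercepted / restored" summary. The sample text is constructed to match the shape of the log above; the classification rules, and the reading that "intercepted" counts only hooks attributed to a driver file while "restored" counts every kernel hook undone, are this example's own interpretation of the numbers, not documented AVZ behaviour.

```python
"""Triage of AVZ API-hook log lines: parse each hook, bucket it, and
cross-check the tool's own summary line.  Sample lines below are constructed
to match the shape of the posted AVZ output; the bucketing rules are this
example's own, not AVZ's."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample (same line format as the posted AVZ output).
SAMPLE_LOG = """\
4/6/2009 1:20:09 PM Function kernel32.dll:CreateProcessA (99) intercepted, method ProcAddressHijack.GetProcAddress ->7C80236B->61F03F42
4/6/2009 1:20:09 PM Hook kernel32.dll:CreateProcessA (99) blocked
4/6/2009 1:20:09 PM Function kernel32.dll:LoadLibraryW (584) intercepted, method ProcAddressHijack.GetProcAddress ->7C80AEDB->61F03D0C
4/6/2009 1:20:09 PM IAT modification detected: LoadLibraryW - 00C00010<>7C80AEDB
4/6/2009 1:20:12 PM Function NtCreateKey (29) intercepted (80623792->BA0F887E), hook C:\\WINDOWS\\system32\\Drivers\\Lbd.sys
4/6/2009 1:20:12 PM Function NtEnumerateKey (47) - machine code modification Method of JmpTo. jmp 89AD966C
4/6/2009 1:20:12 PM Function NtFlushInstructionCache (4E) - machine code modification Method of JmpTo. jmp 89AD84D4
4/6/2009 1:20:12 PM Function NtSetValueKey (F7) intercepted (80621D18->BA0F8C10), hook C:\\WINDOWS\\system32\\Drivers\\Lbd.sys
4/6/2009 1:20:12 PM Function IofCallDriver (804EF1A6) - machine code modification Method of JmpTo. jmp 89BA4A63
4/6/2009 1:20:12 PM Function IofCompleteRequest (804EF236) - machine code modification Method of JmpTo. jmp 89BA4ACB
4/6/2009 1:20:12 PM Functions checked: 284, intercepted: 2, restored: 6
"""

TIMESTAMP = re.compile(r"^\d+/\d+/\d+ \d+:\d+:\d+ [AP]M ")
# The four hook shapes that appear in the log, plus the summary line.
USER_EAT = re.compile(r"Function (\S+?):(\w+) \((\w+)\) intercepted, method (\S+) ->([0-9A-F]+)->([0-9A-F]+)")
USER_IAT = re.compile(r"IAT modification detected: (\w+) - ([0-9A-F]+)<>([0-9A-F]+)")
KERN_SDT = re.compile(r"Function (\w+) \((\w+)\) intercepted \(([0-9A-F]+)->([0-9A-F]+)\), hook (.+)$")
KERN_INLINE = re.compile(r"Function (\w+) \(([0-9A-F]+)\) - machine code modification Method of JmpTo\. jmp ([0-9A-F]+)")
SUMMARY = re.compile(r"Functions checked: (\d+), intercepted: (\d+), restored: (\d+)")


@dataclass
class Hook:
    kind: str             # "user-eat", "user-iat", "kernel-sdt" or "kernel-inline"
    function: str
    target: int           # address control is diverted to
    owner: Optional[str]  # driver path AVZ attributed the hook to, if any

    @property
    def attributed(self) -> bool:
        return self.owner is not None

    @property
    def target_is_kernel(self) -> bool:
        # x86 Windows with the default 2 GB / 2 GB split: >= 0x80000000 is kernel space.
        return self.target >= 0x80000000


def parse_hooks(log: str) -> Tuple[List[Hook], Optional[Dict[str, int]]]:
    hooks: List[Hook] = []
    summary: Optional[Dict[str, int]] = None
    for raw in log.splitlines():
        line = TIMESTAMP.sub("", raw.strip())
        if m := USER_EAT.search(line):
            hooks.append(Hook("user-eat", f"{m[1]}:{m[2]}", int(m[6], 16), None))
        elif m := USER_IAT.search(line):
            # group 2 is the value now sitting in the IAT slot, i.e. the hook target
            hooks.append(Hook("user-iat", m[1], int(m[2], 16), None))
        elif m := KERN_SDT.search(line):
            hooks.append(Hook("kernel-sdt", m[1], int(m[4], 16), m[5]))
        elif m := KERN_INLINE.search(line):
            hooks.append(Hook("kernel-inline", m[1], int(m[3], 16), None))
        elif m := SUMMARY.search(line):
            summary = {"checked": int(m[1]), "intercepted": int(m[2]), "restored": int(m[3])}
    return hooks, summary


def triage(hooks: List[Hook]) -> Dict[str, List[str]]:
    """Bucket hooks in the order a responder would look at them: kernel hooks
    with no owning module first, kernel hooks tied to a driver file second,
    user-mode redirections last."""
    out: Dict[str, List[str]] = {"unattributed_kernel": [], "attributed_kernel": [], "user_mode": []}
    for h in hooks:
        if h.kind == "kernel-inline" or (h.kind == "kernel-sdt" and not h.attributed):
            out["unattributed_kernel"].append(h.function)
        elif h.kind == "kernel-sdt":
            out["attributed_kernel"].append(f"{h.function} <- {h.owner}")
        else:
            out["user_mode"].append(h.function)
    return out


def check_summary(hooks: List[Hook], summary: Dict[str, int]) -> Dict[str, bool]:
    """Interpretation (this example's, not AVZ's documentation): 'intercepted'
    counts only kernel hooks attributed to a driver file, 'restored' counts
    every kernel hook that was undone.  Verify the summary against the parse."""
    kernel = [h for h in hooks if h.kind.startswith("kernel")]
    return {
        "intercepted_matches": summary["intercepted"] == sum(h.attributed for h in kernel),
        "restored_matches": summary["restored"] == len(kernel),
    }


if __name__ == "__main__":
    parsed, summ = parse_hooks(SAMPLE_LOG)
    for bucket, items in triage(parsed).items():
        print(f"{bucket}: {items}")
    print(check_summary(parsed, summ))
```

Run against the sample, the four inline JmpTo patches (NtEnumerateKey, NtFlushInstructionCache, IofCallDriver, IofCompleteRequest) land in the unattributed bucket, the two Lbd.sys hooks in the attributed one, and the summary line reconciles (2 attributed, 6 kernel hooks total). The unattributed bucket is the one to chase: a jmp into kernel memory that no driver file claims needs its owning module resolved from a loaded-module list before anyone decides it is benign.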