Code:
2009-10-30 23:11:18 Windows version: Microsoft Windows XP, Build=2600, SP="Dodatek Service Pack 3"
2009-10-30 23:11:18 System Restore: enabled
2009-10-30 23:11:20 1.1 Searching for user-mode API hooks
2009-10-30 23:11:20 Analysis: kernel32.dll, export table found in section .text
2009-10-30 23:11:20 Function kernel32.dll:CreateProcessA (99) intercepted, method ProcAddressHijack.GetProcAddress ->7C80236B->61F03F42
2009-10-30 23:11:20 Hook kernel32.dll:CreateProcessA (99) blocked
2009-10-30 23:11:20 Function kernel32.dll:CreateProcessW (103) intercepted, method ProcAddressHijack.GetProcAddress ->7C802336->61F04040
2009-10-30 23:11:20 Hook kernel32.dll:CreateProcessW (103) blocked
2009-10-30 23:11:20 Function kernel32.dll:FreeLibrary (241) intercepted, method ProcAddressHijack.GetProcAddress ->7C80AC7E->61F041FC
2009-10-30 23:11:20 Hook kernel32.dll:FreeLibrary (241) blocked
2009-10-30 23:11:20 Function kernel32.dll:GetModuleFileNameA (373) intercepted, method ProcAddressHijack.GetProcAddress ->7C80B56F->61F040FB
2009-10-30 23:11:20 Hook kernel32.dll:GetModuleFileNameA (373) blocked
2009-10-30 23:11:20 Function kernel32.dll:GetModuleFileNameW (374) intercepted, method ProcAddressHijack.GetProcAddress ->7C80B475->61F041A0
2009-10-30 23:11:20 Hook kernel32.dll:GetModuleFileNameW (374) blocked
2009-10-30 23:11:20 Function kernel32.dll:GetProcAddress (409) intercepted, method ProcAddressHijack.GetProcAddress ->7C80AE40->61F04648
2009-10-30 23:11:20 Hook kernel32.dll:GetProcAddress (409) blocked
2009-10-30 23:11:20 Function kernel32.dll:LoadLibraryA (581) intercepted, method ProcAddressHijack.GetProcAddress ->7C801D7B->61F03C6F
2009-10-30 23:11:20 Hook kernel32.dll:LoadLibraryA (581) blocked
2009-10-30 23:11:20 >>> Functions LoadLibraryA - preventing AVZ process from being intercepted by address replacement !!)
2009-10-30 23:11:20 Function kernel32.dll:LoadLibraryExA (582) intercepted, method ProcAddressHijack.GetProcAddress ->7C801D53->61F03DAF
2009-10-30 23:11:20 Hook kernel32.dll:LoadLibraryExA (582) blocked
2009-10-30 23:11:20 >>> Functions LoadLibraryExA - preventing AVZ process from being intercepted by address replacement !!)
2009-10-30 23:11:20 Function kernel32.dll:LoadLibraryExW (583) intercepted, method ProcAddressHijack.GetProcAddress ->7C801AF5->61F03E5A
2009-10-30 23:11:20 Hook kernel32.dll:LoadLibraryExW (583) blocked
2009-10-30 23:11:20 Function kernel32.dll:LoadLibraryW (584) intercepted, method ProcAddressHijack.GetProcAddress ->7C80AEEB->61F03D0C
2009-10-30 23:11:20 Hook kernel32.dll:LoadLibraryW (584) blocked
2009-10-30 23:11:20 IAT modification detected: LoadLibraryW - 00C50010<>7C80AEEB
2009-10-30 23:11:20 Analysis: ntdll.dll, export table found in section .text
2009-10-30 23:11:20 Analysis: user32.dll, export table found in section .text
2009-10-30 23:11:20 Analysis: advapi32.dll, export table found in section .text
2009-10-30 23:11:20 Analysis: ws2_32.dll, export table found in section .text
2009-10-30 23:11:20 Analysis: wininet.dll, export table found in section .text
2009-10-30 23:11:20 Analysis: rasapi32.dll, export table found in section .text
2009-10-30 23:11:20 Analysis: urlmon.dll, export table found in section .text
2009-10-30 23:11:20 Analysis: netapi32.dll, export table found in section .text
2009-10-30 23:11:22 1.2 Searching for kernel-mode API hooks
2009-10-30 23:11:22 Driver loaded successfully
2009-10-30 23:11:22 SDT found (RVA=083220)
2009-10-30 23:11:22 Kernel ntoskrnl.exe found in memory at address 804D7000
2009-10-30 23:11:22 SDT = 8055A220
2009-10-30 23:11:22 KiST = 804E26A8 (284)
2009-10-30 23:11:24 Function NtAdjustPrivilegesToken (0B) intercepted (8058E481->F6A915EE), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
2009-10-30 23:11:24 >>> Function restored successfully !
2009-10-30 23:11:24 >>> Hook code blocked
2009-10-30 23:11:24 Function NtClose (19) intercepted (80567A7D->F6A91E6E), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
2009-10-30 23:11:24 >>> Function restored successfully !
2009-10-30 23:11:24 >>> Hook code blocked
2009-10-30 23:11:24 Function NtConnectPort (1F) intercepted (80588DCB->F6A92984), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
2009-10-30 23:11:24 >>> Function restored successfully !
2009-10-30 23:11:24 >>> Hook code blocked
2009-10-30 23:11:24 Function NtCreateEvent (23) intercepted (8056FDCA->F6A92EF6), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
2009-10-30 23:11:24 >>> Function restored successfully !
2009-10-30 23:11:24 >>> Hook code blocked
2009-10-30 23:11:24 Function NtCreateFile (25) intercepted (8056F610->F6A92150), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
2009-10-30 23:11:24 >>> Function restored successfully !
2009-10-30 23:11:24 >>> Hook code blocked
2009-10-30 23:11:24 Function NtCreateKey (29) intercepted (80572EAD->F6A90498), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
2009-10-30 23:11:24 >>> Function restored successfully !
2009-10-30 23:11:24 >>> Hook code blocked
2009-10-30 23:11:24 Function NtCreateMutant (2B) intercepted (8057AB4F->F6A92DCE), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
2009-10-30 23:11:24 >>> Function restored successfully !
2009-10-30 23:11:24 >>> Hook code blocked
2009-10-30 23:11:24 Function NtCreateNamedPipeFile (2C) intercepted (8058531F->F6A911F4), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
2009-10-30 23:11:24 >>> Function restored successfully !
2009-10-30 23:11:24 >>> Hook code blocked
2009-10-30 23:11:24 Function NtCreatePort (2E) intercepted (805975C1->F6A92C8A), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
2009-10-30 23:11:24 >>> Function restored successfully !
2009-10-30 23:11:24 >>> Hook code blocked
2009-10-30 23:11:24 Function NtCreateSection (32) intercepted (805652B3->F6A913B0), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
2009-10-30 23:11:24 >>> Function restored successfully !
2009-10-30 23:11:24 >>> Hook code blocked
2009-10-30 23:11:24 Function NtCreateSemaphore (33) intercepted (80579605->F6A93028), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
2009-10-30 23:11:24 >>> Function restored successfully !
2009-10-30 23:11:24 >>> Hook code blocked
2009-10-30 23:11:24 Function NtCreateSymbolicLinkObject (34) intercepted (8059F519->F6A94C6A), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
2009-10-30 23:11:24 >>> Function restored successfully !
2009-10-30 23:11:24 >>> Hook code blocked
2009-10-30 23:11:25 Function NtCreateThread (35) intercepted (8057BD8A->F6A91B0C), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
2009-10-30 23:11:25 >>> Function restored successfully !
2009-10-30 23:11:25 >>> Hook code blocked
2009-10-30 23:11:25 Function NtCreateWaitablePort (38) intercepted (805DB12C->F6A92D2C), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
2009-10-30 23:11:25 >>> Function restored successfully !
2009-10-30 23:11:25 >>> Hook code blocked
2009-10-30 23:11:25 Function NtDebugActiveProcess (39) intercepted (8065B1F5->F6A9465C), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
2009-10-30 23:11:25 >>> Function restored successfully !
2009-10-30 23:11:25 >>> Hook code blocked
2009-10-30 23:11:25 Function NtDeleteKey (3F) intercepted (805952CE->F6A90A5C), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
2009-10-30 23:11:25 >>> Function restored successfully !
2009-10-30 23:11:25 >>> Hook code blocked
2009-10-30 23:11:25 Function NtDeleteValueKey (41) intercepted (80592D60->F6A90DEA), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
2009-10-30 23:11:25 >>> Function restored successfully !
2009-10-30 23:11:25 >>> Hook code blocked
2009-10-30 23:11:25 Function NtDeviceIoControlFile (42) intercepted (8057CB40->F6A925D8), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
2009-10-30 23:11:25 >>> Function restored successfully !
2009-10-30 23:11:25 >>> Hook code blocked
2009-10-30 23:11:25 Function NtDuplicateObject (44) intercepted (80573FF9->F6A9562C), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
2009-10-30 23:11:25 >>> Function restored successfully !
2009-10-30 23:11:25 >>> Hook code blocked
2009-10-30 23:11:25 Function NtEnumerateKey (47) intercepted (805735B4->F6A90F2C), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
2009-10-30 23:11:25 >>> Function restored successfully !
2009-10-30 23:11:25 >>> Hook code blocked
2009-10-30 23:11:25 Function NtEnumerateValueKey (49) intercepted (80590679->F6A90FD6), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
2009-10-30 23:11:25 >>> Function restored successfully !
2009-10-30 23:11:25 >>> Hook code blocked
2009-10-30 23:11:25 Function NtFsControlFile (54) intercepted (8057A667->F6A923E4), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
2009-10-30 23:11:25 >>> Function restored successfully !
2009-10-30 23:11:25 >>> Hook code blocked
2009-10-30 23:11:25 Function NtLoadDriver (61) intercepted (805A3B11->F6A946EE), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
2009-10-30 23:11:25 >>> Function restored successfully !
2009-10-30 23:11:25 >>> Hook code blocked
2009-10-30 23:11:25 Function NtLoadKey (62) intercepted (805AED7D->F6A90474), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
2009-10-30 23:11:25 >>> Function restored successfully !
2009-10-30 23:11:25 >>> Hook code blocked
2009-10-30 23:11:25 Function NtLoadKey2 (63) intercepted (805AEBBA->F6A90486), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
2009-10-30 23:11:25 >>> Function restored successfully !
2009-10-30 23:11:25 >>> Hook code blocked
2009-10-30 23:11:25 Function NtMapViewOfSection (6C) intercepted (80578A91->F6A94D1E), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
2009-10-30 23:11:25 >>> Function restored successfully !
2009-10-30 23:11:25 >>> Hook code blocked
2009-10-30 23:11:25 Function NtNotifyChangeKey (6F) intercepted (8058BA6D->F6A91122), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
2009-10-30 23:11:25 >>> Function restored successfully !
2009-10-30 23:11:25 >>> Hook code blocked
2009-10-30 23:11:25 Function NtOpenEvent (72) intercepted (8057F73C->F6A92F98), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
2009-10-30 23:11:25 >>> Function restored successfully !
2009-10-30 23:11:25 >>> Hook code blocked
2009-10-30 23:11:25 Function NtOpenFile (74) intercepted (8056F5AB->F6A91EF0), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
2009-10-30 23:11:25 >>> Function restored successfully !
2009-10-30 23:11:25 >>> Hook code blocked
2009-10-30 23:11:25 Function NtOpenKey (77) intercepted (80568EF9->F6A9063E), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
2009-10-30 23:11:26 >>> Function restored successfully !
2009-10-30 23:11:26 >>> Hook code blocked
2009-10-30 23:11:26 Function NtOpenMutant (78) intercepted (8057ABFD->F6A92E66), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
2009-10-30 23:11:26 >>> Function restored successfully !
2009-10-30 23:11:26 >>> Hook code blocked
2009-10-30 23:11:26 Function NtOpenProcess (7A) intercepted (805741E0->F6A917F4), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
2009-10-30 23:11:26 >>> Function restored successfully !
2009-10-30 23:11:26 >>> Hook code blocked
2009-10-30 23:11:26 Function NtOpenSection (7D) intercepted (8056E213->F6A94C94), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
2009-10-30 23:11:26 >>> Function restored successfully !
2009-10-30 23:11:26 >>> Hook code blocked
2009-10-30 23:11:26 Function NtOpenSemaphore (7E) intercepted (8059EFD5->F6A930CA), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
2009-10-30 23:11:26 >>> Function restored successfully !
2009-10-30 23:11:26 >>> Hook code blocked
2009-10-30 23:11:26 Function NtOpenThread (80) intercepted (8058B59D->F6A91718), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
2009-10-30 23:11:26 >>> Function restored successfully !
2009-10-30 23:11:26 >>> Hook code blocked
2009-10-30 23:11:26 Function NtQueryKey (A0) intercepted (805732BD->F6A91080), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
2009-10-30 23:11:26 >>> Function restored successfully !
2009-10-30 23:11:26 >>> Hook code blocked
2009-10-30 23:11:26 Function NtQueryMultipleValueKey (A1) intercepted (8064E33C->F6A90CA8), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
2009-10-30 23:11:26 >>> Function restored successfully !
2009-10-30 23:11:26 >>> Hook code blocked
2009-10-30 23:11:26 Function NtQuerySection (A7) intercepted (8057E904->F6A95036), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
2009-10-30 23:11:26 >>> Function restored successfully !
2009-10-30 23:11:26 >>> Hook code blocked
2009-10-30 23:11:26 Function NtQueryValueKey (B1) intercepted (8056A392->F6A908F8), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
2009-10-30 23:11:26 >>> Function restored successfully !
2009-10-30 23:11:26 >>> Hook code blocked
2009-10-30 23:11:26 Function NtQueueApcThread (B4) intercepted (80591099->F6A94984), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
2009-10-30 23:11:26 >>> Function restored successfully !
2009-10-30 23:11:26 >>> Hook code blocked
2009-10-30 23:11:26 Function NtRenameKey (C0) intercepted (8064E7B8->F6A90B70), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
2009-10-30 23:11:26 >>> Function restored successfully !
2009-10-30 23:11:26 >>> Hook code blocked
2009-10-30 23:11:26 Function NtReplaceKey (C1) intercepted (8064F118->F6A90312), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
2009-10-30 23:11:26 >>> Function restored successfully !
2009-10-30 23:11:26 >>> Hook code blocked
2009-10-30 23:11:26 Function NtReplyPort (C2) intercepted (8057E113->F6A93454), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
2009-10-30 23:11:26 >>> Function restored successfully !
2009-10-30 23:11:26 >>> Hook code blocked
2009-10-30 23:11:26 Function NtReplyWaitReceivePort (C3) intercepted (8056B9CE->F6A9331A), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
2009-10-30 23:11:26 >>> Function restored successfully !
2009-10-30 23:11:26 >>> Hook code blocked
2009-10-30 23:11:26 Function NtRequestWaitReplyPort (C8) intercepted (8056DA30->F6A943FC), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
2009-10-30 23:11:26 >>> Function restored successfully !
2009-10-30 23:11:26 >>> Hook code blocked
2009-10-30 23:11:26 Function NtRestoreKey (CC) intercepted (8064ECAD->F6A97E8E), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
2009-10-30 23:11:26 >>> Function restored successfully !
2009-10-30 23:11:26 >>> Hook code blocked
2009-10-30 23:11:26 Function NtResumeThread (CE) intercepted (8057C3FD->F6A9550E), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
2009-10-30 23:11:27 >>> Function restored successfully !
2009-10-30 23:11:27 >>> Hook code blocked
2009-10-30 23:11:27 Function NtSaveKey (CF) intercepted (8064EDAE->F6A902AA), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
2009-10-30 23:11:27 >>> Function restored successfully !
2009-10-30 23:11:27 >>> Hook code blocked
2009-10-30 23:11:27 Function NtSecureConnectPort (D2) intercepted (8058F4EC->F6A926BE), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
2009-10-30 23:11:27 >>> Function restored successfully !
2009-10-30 23:11:27 >>> Hook code blocked
2009-10-30 23:11:27 Function NtSetContextThread (D5) intercepted (8062DD53->F6A91D2A), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
2009-10-30 23:11:27 >>> Function restored successfully !
2009-10-30 23:11:27 >>> Hook code blocked
2009-10-30 23:11:27 Function NtSetInformationToken (E6) intercepted (805A8710->F6A93CAC), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
2009-10-30 23:11:27 >>> Function restored successfully !
2009-10-30 23:11:27 >>> Hook code blocked
2009-10-30 23:11:27 Function NtSetSecurityObject (ED) intercepted (8059B1AB->F6A947E8), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
2009-10-30 23:11:27 >>> Function restored successfully !
2009-10-30 23:11:27 >>> Hook code blocked
2009-10-30 23:11:27 Function NtSetSystemInformation (F0) intercepted (805A7BFD->F6A95176), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
2009-10-30 23:11:27 >>> Function restored successfully !
2009-10-30 23:11:27 >>> Hook code blocked
2009-10-30 23:11:27 Function NtSetValueKey (F7) intercepted (80579A53->F6A90780), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
2009-10-30 23:11:27 >>> Function restored successfully !
2009-10-30 23:11:27 >>> Hook code blocked
2009-10-30 23:11:27 Function NtSuspendProcess (FD) intercepted (8062F935->F6A9525A), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
2009-10-30 23:11:27 >>> Function restored successfully !
2009-10-30 23:11:27 >>> Hook code blocked
2009-10-30 23:11:27 Function NtSuspendThread (FE) intercepted (805E0466->F6A95382), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
2009-10-30 23:11:27 >>> Function restored successfully !
2009-10-30 23:11:27 >>> Hook code blocked
2009-10-30 23:11:27 Function NtSystemDebugControl (FF) intercepted (80649D15->F6A94588), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
2009-10-30 23:11:27 >>> Function restored successfully !
2009-10-30 23:11:27 >>> Hook code blocked
2009-10-30 23:11:27 Function NtTerminateProcess (101) intercepted (805836C0->F6A9196C), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
2009-10-30 23:11:27 >>> Function restored successfully !
2009-10-30 23:11:27 >>> Hook code blocked
2009-10-30 23:11:27 Function NtTerminateThread (102) intercepted (8057B4A6->F6A918C2), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
2009-10-30 23:11:27 >>> Function restored successfully !
2009-10-30 23:11:27 >>> Hook code blocked
2009-10-30 23:11:27 Function NtUnmapViewOfSection (10B) intercepted (80578616->F6A94EEC), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
2009-10-30 23:11:27 >>> Function restored successfully !
2009-10-30 23:11:27 >>> Hook code blocked
2009-10-30 23:11:27 Function NtWriteVirtualMemory (115) intercepted (8057F1A8->F6A91A4C), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
2009-10-30 23:11:27 >>> Function restored successfully !
2009-10-30 23:11:27 >>> Hook code blocked
2009-10-30 23:11:28 Function FsRtlCheckLockForReadAccess (80512919) - machine code modification Method of JmpTo. jmp F6A86572 \SystemRoot\system32\DRIVERS\klif.sys, driver recognized as trusted
2009-10-30 23:11:28 >>> Function restored successfully !
2009-10-30 23:11:28 Function IoIsOperationSynchronous (804E875A) - machine code modification Method of JmpTo. jmp F6A8694C \SystemRoot\system32\DRIVERS\klif.sys, driver recognized as trusted
2009-10-30 23:11:28 >>> Function restored successfully !
2009-10-30 23:11:31 Functions checked: 284, intercepted: 61, restored: 63
2009-10-30 23:11:31 1.3 Checking IDT and SYSENTER
2009-10-30 23:11:31 Analysis for CPU 1
2009-10-30 23:11:31 Checking IDT and SYSENTER - complete
2009-10-30 23:11:33 1.4 Searching for masking processes and drivers
2009-10-30 23:11:33 Checking not performed: extended monitoring driver (AVZPM) is not installed
2009-10-30 23:11:33 Driver loaded successfully
2009-10-30 23:11:33 1.5 Checking of IRP handlers
2009-10-30 23:11:33 Checking - complete
2009-10-30 23:11:34 C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCP80.dll --> Suspicion for Keylogger or Trojan DLL
2009-10-30 23:11:34 C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCP80.dll>>> Behavioral analysis
2009-10-30 23:11:34 Behaviour typical for keyloggers not detected
2009-10-30 23:11:34 C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll --> Suspicion for Keylogger or Trojan DLL
2009-10-30 23:11:34 C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll>>> Behavioral analysis
2009-10-30 23:11:34 Behaviour typical for keyloggers not detected
2009-10-30 23:11:34 C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll --> Suspicion for Keylogger or Trojan DLL
2009-10-30 23:11:34 C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll>>> Behavioral analysis
2009-10-30 23:11:34 Behaviour typical for keyloggers not detected
2009-10-30 23:11:35 Note: Do NOT delete suspicious files, send them for analysis (see FAQ for more details), because there are lots of useful hooking DLLs
2009-10-30 23:11:47 Latent loading of libraries through AppInit_DLLs suspected: "C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll"
2009-10-30 23:11:48 >> Services: potentially dangerous service allowed: RemoteRegistry (Rejestr zdalny)
2009-10-30 23:11:48 >> Services: potentially dangerous service allowed: TermService (Usługi terminalowe)
2009-10-30 23:11:48 >> Services: potentially dangerous service allowed: SSDPSRV (Usługa odnajdywania SSDP)
2009-10-30 23:11:48 >> Services: potentially dangerous service allowed: Schedule (Harmonogram zadań)
2009-10-30 23:11:48 >> Services: potentially dangerous service allowed: RDSessMgr (Menedżer sesji pomocy pulpitu zdalnego)
2009-10-30 23:11:48 > Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
2009-10-30 23:11:48 >> Security: administrative shares (C$, D$ ...) are enabled
2009-10-30 23:11:48 >> Security: anonymous user access is enabled
2009-10-30 23:11:53 System Analysis in progress
2009-10-30 23:13:11 System Analysis - complete
2009-10-30 23:13:11 Delete file:C:\Documents and Settings\Rusher\Pulpit\Virus Removal Tool\is-3G43G\LOG\avptool_syscheck.htm
2009-10-30 23:13:11 Delete file:C:\Documents and Settings\Rusher\Pulpit\Virus Removal Tool\is-3G43G\LOG\avptool_syscheck.xml
2009-10-30 23:13:11 Deleting service/driver: ute4mzu2
2009-10-30 23:13:11 Delete file:C:\WINDOWS\system32\Drivers\ute4mzu2.sys
2009-10-30 23:13:11 Deleting service/driver: uje4mzu2
2009-10-30 23:13:11 Script executed without errors