AVZ Antiviral Toolkit log; AVZ version is 4.41
Scanning started at 28.09.2013 20:16:21
Database loaded: signatures - 297614, NN profile(s) - 2, malware removal microprograms - 56, signature database released 28.09.2013 16:00
Heuristic microprograms loaded: 405
PVS microprograms loaded: 9
Digital signatures of system files loaded: 592220
Heuristic analyzer mode: Medium heuristics mode
Malware removal mode: enabled
Windows version is: 5.1.2600, Service Pack 3 ; AVZ is run with administrator rights
System Restore: enabled
1. Searching for Rootkits and other software intercepting API functions
1.1 Searching for user-mode API hooks
Analysis: kernel32.dll, export table found in section .text
Analysis: ntdll.dll, export table found in section .text
Analysis: user32.dll, export table found in section .text
Analysis: advapi32.dll, export table found in section .text
Analysis: ws2_32.dll, export table found in section .text
Analysis: wininet.dll, export table found in section .text
Analysis: rasapi32.dll, export table found in section .text
Analysis: urlmon.dll, export table found in section .text
Analysis: netapi32.dll, export table found in section .text
1.2 Searching for kernel-mode API hooks
Driver loaded successfully
SDT found (RVA=085700)
Kernel ntkrnlpa.exe found in memory at address 804D7000
SDT = 8055C700
KiST = 80504570 (284)
Function NtAdjustPrivilegesToken (0B) intercepted (805EC440->B8EA09E4), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtClose (19) intercepted (805BC564->B8E3C410), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtConnectPort (1F) intercepted (805A4604->B8E53588), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtCreateEvent (23) intercepted (8060F0E0->B8E3C988), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtCreateKey (29) intercepted (8062426A->B9EB50E0), hook spvb.sys
Function NtCreateMutant (2B) intercepted (80617822->B8E3C86E), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtCreatePort (2E) intercepted (805A5120->B8E538AE), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtCreateProcess (2F) intercepted (805D1280->B8EA295E), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtCreateProcessEx (30) intercepted (805D11CA->B8EA2B7A), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtCreateSection (32) intercepted (805AB3FC->B8EA3A3E), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtCreateSemaphore (33) intercepted (806151E0->B8E3CAA8), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtCreateThread (35) intercepted (805D1068->B8EA303E), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtCreateWaitablePort (38) intercepted (805A5144->B8E5397C), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtDebugActiveProcess (39) intercepted (80643CB2->B8EA2804), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtDeleteKey (3F) intercepted (80624706->B8E4D60E), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtDeleteValueKey (41) intercepted (806248D6->B8E4EDF6), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtDeviceIoControlFile (42) intercepted (80579268->B8E3C454), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtDuplicateObject (44) intercepted (805BE03C->B8EA0B26), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtEnumerateKey (47) intercepted (80624AB6->B8E4E602), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtEnumerateValueKey (49) intercepted (80624D20->B8E4EF96), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtLoadDriver (61) intercepted (80584172->B8EA078E), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtLoadKey (62) intercepted (8062648E->B8E4E146), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtLoadKey2 (63) intercepted (8062609A->B8E4E39E), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtMapViewOfSection (6C) intercepted (805B206E->B8EA3836), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtNotifyChangeKey (6F) intercepted (80626458->B8E51D4A), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtOpenEvent (72) intercepted (8060F1E0->B8E3CA1E), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtOpenKey (77) intercepted (80625648->B9EB50C0), hook spvb.sys
Function NtOpenMutant (78) intercepted (806178FA->B8E3C8FE), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtOpenProcess (7A) intercepted (805CB486->B8EA23AC), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtOpenSection (7D) intercepted (805AA420->B8EA3CEA), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtOpenSemaphore (7E) intercepted (806152DA->B8E3CB3E), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtOpenThread (80) intercepted (805CB712->B8EA2D9A), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtQueryKey (A0) intercepted (8062598A->B8E4D442), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtQueryMultipleValueKey (A1) intercepted (806233B8->B8E4EC04), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtQueryObject (A3) intercepted (805C5300->B8E51F58), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtQueryValueKey (B1) intercepted (8062248E->B8E4E9F8), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtQueueApcThread (B4) intercepted (805D2786->B8EA36EA), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtRenameKey (C0) intercepted (80623C8C->B8E4D722), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtReplaceKey (C1) intercepted (8062633E->B8E4DD94), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtReplyPort (C2) intercepted (805A5520->B8E53BBC), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtReplyWaitReceivePort (C3) intercepted (805A64E8->B8E53A4A), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtReplyWaitReceivePortEx (C4) intercepted (805A5EF0->B8E53B00), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtRequestWaitReplyPort (C8) intercepted (805A2DAA->B8E53C2C), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtRestoreKey (CC) intercepted (80625C4A->B8E4DF9A), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtResumeThread (CE) intercepted (805D4A48->B8EA3414), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtSaveKey (CF) intercepted (80625D46->B8E4D8C6), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtSaveKeyEx (D0) intercepted (80625E2C->B8E4DA5C), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtSaveMergedKeys (D1) intercepted (80625F54->B8E4DBF8), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtSecureConnectPort (D2) intercepted (805A3D98->B8E53716), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtSetContextThread (D5) intercepted (805D2C4A->B8EA3572), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtSetInformationToken (E6) intercepted (805FA790->B8E3CBC8), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtSetSystemInformation (F0) intercepted (8060FE98->B8EA0898), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtSetValueKey (F7) intercepted (806227DC->B8E4E7C2), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtSuspendProcess (FD) intercepted (805D4B10->B8EA254C), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtSuspendThread (FE) intercepted (805D4982->B8EA32BC), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtSystemDebugControl (FF) intercepted (8061823E->B8E3CBDA), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtTerminateProcess (101) intercepted (805D2308->B8EA26AC), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtTerminateThread (102) intercepted (805D2502->B8EA2F3A), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtUnmapViewOfSection (10B) intercepted (805B2E7C->B8EA3E52), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Function NtWriteVirtualMemory (115) intercepted (805B4400->B8EA3B7C), hook C:\WINDOWS\system32\DRIVERS\klif.sys, driver recognized as trusted
Functions checked: 284, intercepted: 60, restored: 0
1.3 Checking IDT and SYSENTER
Analyzing CPU 1
Analyzing CPU 2
Analyzing CPU 3
Analyzing CPU 4
Checking IDT and SYSENTER - complete
1.4 Searching for masking processes and drivers
Checking not performed: extended monitoring driver (AVZPM) is not installed
1.5 Checking IRP handlers
Driver loaded successfully
\FileSystem\ntfs[IRP_MJ_CREATE] = 8AECA1F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_CLOSE] = 8AECA1F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_WRITE] = 8AECA1F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_QUERY_INFORMATION] = 8AECA1F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_SET_INFORMATION] = 8AECA1F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_QUERY_EA] = 8AECA1F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_SET_EA] = 8AECA1F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_QUERY_VOLUME_INFORMATION] = 8AECA1F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_SET_VOLUME_INFORMATION] = 8AECA1F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_DIRECTORY_CONTROL] = 8AECA1F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_FILE_SYSTEM_CONTROL] = 8AECA1F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_DEVICE_CONTROL] = 8AECA1F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_LOCK_CONTROL] = 8AECA1F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_QUERY_SECURITY] = 8AECA1F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_SET_SECURITY] = 8AECA1F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_PNP] = 8AECA1F8 -> hook not defined
Checking - complete
2. Scanning RAM
Number of processes found: 20
Number of modules loaded: 262
Scanning RAM - complete
3. Scanning disks
Direct reading: C:\cmdcons\SYSTEM32\NTDLL.DLL
Direct reading: C:\cmdcons\SYSTEM32\SMSS.EXE
Direct reading: C:\WINDOWS\system32\drivers\sptd.sys
Direct reading: C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdrv.dll
Direct reading: C:\WINDOWS\system32\spool\drivers\w32x86\3\mxdwdui.dll
Direct reading: C:\WINDOWS\system32\spool\drivers\w32x86\3\PCL5ERES.DLL
Direct reading: C:\WINDOWS\system32\spool\drivers\w32x86\3\UNIDRV.DLL
Direct reading: C:\WINDOWS\system32\spool\drivers\w32x86\3\UNIDRVUI.DLL
Direct reading: C:\WINDOWS\system32\spool\drivers\w32x86\3\unires.dll
Direct reading: C:\WINDOWS\system32\spool\drivers\w32x86\3\vpr_drv.dll
Direct reading: C:\WINDOWS\system32\spool\drivers\w32x86\3\vpr_ui.dll
Direct reading: C:\WINDOWS\system32\spool\drivers\w32x86\3\XpsSvcs.dll
Direct reading: C:\WINDOWS\system32\spool\drivers\w32x86\mdigraph.dll
Direct reading: C:\WINDOWS\system32\spool\drivers\w32x86\mdiui.dll
4. Checking Winsock Layered Service Provider (SPI/LSP)
LSP settings checked. No errors detected
5. Searching for keyboard/mouse/windows events hooks (Keyloggers, Trojan DLLs)
6. Searching for opened TCP/UDP ports used by malicious software
Checking - disabled by user
7. Heuristic system check
Checking - complete
8. Searching for vulnerabilities
>> Services: potentially dangerous service allowed: TermService (Terminal Services)
>> Services: potentially dangerous service allowed: SSDPSRV (SSDP Discovery Service)
>> Services: potentially dangerous service allowed: Alerter (Alerter)
>> Services: potentially dangerous service allowed: Schedule (Task Scheduler)
> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
>> Security: anonymous user access is enabled
Checking - complete
9. Troubleshooting wizard
>> Service termination timeout is out of admissible values
Checking - complete
Files scanned: 112696, extracted from archives: 93171, malicious software found 0, suspicions - 0
Scanning finished at 28.09.2013 20:20:12
Time of scanning: 00:03:52
If you suspect the presence of viruses or have questions about the suspected objects, you can post at http://forum.kaspersky.com/index.php?showforum=19
For automatic scanning of files from the AVZ quarantine you can use the service http://virusdetector.ru/
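The kernel-mode hook table (section 1.2) is the part of this log worth triaging by hand: 60 of the 284 SSDT services are hooked, 58 of them by klif.sys (Kaspersky's filter driver, which AVZ recognises as trusted) and two, NtCreateKey and NtOpenKey, by a driver AVZ reports only as spvb.sys, with no path and no trust verdict. The script below is an added example, not part of AVZ or of the original log page. It parses AVZ's "Function ... intercepted" lines, groups them per hooking driver, reconciles the parsed count against the "Functions checked" summary line, and lists the drivers AVZ did not recognise as trusted first. The embedded SAMPLE_LOG is a constructed excerpt of eight lines from this log with a summary line adjusted to the excerpt; the category() grouping of Nt* names is my own heuristic, not something AVZ reports.

```python
"""Triage the SSDT hook list from an AVZ 4.x log (added example, not AVZ code)."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: eight hook lines in the format of the log above, plus a
# summary line adjusted to the excerpt (the real log lists 60 intercepted services).
SAMPLE_LOG = """\
Function NtAdjustPrivilegesToken (0B) intercepted (805EC440->B8EA09E4), hook C:\\WINDOWS\\system32\\DRIVERS\\klif.sys, driver recognized as trusted
Function NtCreateKey (29) intercepted (8062426A->B9EB50E0), hook spvb.sys
Function NtCreateProcess (2F) intercepted (805D1280->B8EA295E), hook C:\\WINDOWS\\system32\\DRIVERS\\klif.sys, driver recognized as trusted
Function NtLoadDriver (61) intercepted (80584172->B8EA078E), hook C:\\WINDOWS\\system32\\DRIVERS\\klif.sys, driver recognized as trusted
Function NtOpenKey (77) intercepted (80625648->B9EB50C0), hook spvb.sys
Function NtOpenProcess (7A) intercepted (805CB486->B8EA23AC), hook C:\\WINDOWS\\system32\\DRIVERS\\klif.sys, driver recognized as trusted
Function NtSetValueKey (F7) intercepted (806227DC->B8E4E7C2), hook C:\\WINDOWS\\system32\\DRIVERS\\klif.sys, driver recognized as trusted
Function NtWriteVirtualMemory (115) intercepted (805B4400->B8EA3B7C), hook C:\\WINDOWS\\system32\\DRIVERS\\klif.sys, driver recognized as trusted
Functions checked: 284, intercepted: 8, restored: 0
"""

# One AVZ hook line: name, SSDT index (hex), original->hook address, driver, optional verdict.
HOOK_RE = re.compile(
    r"^Function (?P<func>\w+) \((?P<index>[0-9A-F]+)\) intercepted "
    r"\((?P<orig>[0-9A-F]+)->(?P<hook>[0-9A-F]+)\), hook (?P<driver>[^,\s]+)"
    r"(?P<trusted>, driver recognized as trusted)?\s*$",
    re.MULTILINE,
)
SUMMARY_RE = re.compile(r"Functions checked: (\d+), intercepted: (\d+), restored: (\d+)")


@dataclass(frozen=True)
class Hook:
    func: str
    index: int      # SSDT service index
    orig: int       # address AVZ expected (inside ntkrnlpa.exe)
    hook: int       # address the table entry now points to
    driver: str     # path or bare name AVZ attributed the hook to
    trusted: bool   # True only if AVZ printed "driver recognized as trusted"

    @property
    def name(self) -> str:
        return self.driver.rsplit("\\", 1)[-1].lower()


def category(func: str) -> str:
    """Coarse grouping of Nt* services by the object they act on (own heuristic)."""
    for needle, cat in (("Key", "registry"), ("Port", "lpc"), ("Process", "process"),
                        ("Thread", "process"), ("Section", "memory"),
                        ("VirtualMemory", "memory"), ("Driver", "driver"), ("Token", "token")):
        if needle in func:
            return cat
    return "other"


def parse_hooks(text: str) -> list:
    return [Hook(m["func"], int(m["index"], 16), int(m["orig"], 16), int(m["hook"], 16),
                 m["driver"], m["trusted"] is not None)
            for m in HOOK_RE.finditer(text)]


def triage(text: str):
    """Return (hooks, per-driver report, whether the summary line reconciles)."""
    hooks = parse_hooks(text)
    by_driver = defaultdict(list)
    for h in hooks:
        by_driver[h.name].append(h)
    report = {}
    for name, hs in by_driver.items():
        addrs = [h.hook for h in hs]
        report[name] = {
            "count": len(hs),
            "trusted": all(h.trusted for h in hs),
            "categories": sorted({category(h.func) for h in hs}),
            "hook_range": (min(addrs), max(addrs)),   # where that driver's handlers live
            "functions": [h.func for h in hs],
        }
    m = SUMMARY_RE.search(text)
    summary_ok = m is not None and int(m.group(2)) == len(hooks)
    return hooks, report, summary_ok


def findings(report: dict) -> list:
    """Human-readable notes, drivers without a trust verdict first."""
    notes = []
    for name, r in sorted(report.items(), key=lambda kv: kv[1]["trusted"]):
        lo, hi = r["hook_range"]
        tag = "trusted" if r["trusted"] else "NOT RECOGNIZED AS TRUSTED"
        notes.append(f"{tag} {name}: {r['count']} hook(s) on {r['categories']} "
                     f"({', '.join(r['functions'])}); handlers at {lo:08X}-{hi:08X}")
    return notes


if __name__ == "__main__":
    hooks, report, ok = triage(SAMPLE_LOG)
    for line in findings(report):
        print(line)
    print("summary line reconciles with parsed hooks:", ok)
```

Run against the full section 1.2 above, the parsed count is 60 and reconciles with AVZ's own summary line, and the only driver without a trust verdict is spvb.sys, hooking exactly the two registry-open/create services with handlers at B9EB50C0 and B9EB50E0, well away from klif.sys's handlers. A short, path-less driver name that hooks only NtCreateKey/NtOpenKey is the pattern both registry-hiding rootkits and some copy-protection drivers produce; since sptd.sys shows up under "Direct reading" in section 3, and Daemon Tools' SPTD is known to register a companion driver with a random sp??.sys name that hooks these services, that is the first hypothesis to test here, by locating the file on disk, checking its digital signature and its service entry, rather than something to assume from the log alone.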