AVZ Antiviral Toolkit log; AVZ version is 4.39
Scanning started at 16.05.2013 18:23:41
Database loaded: signatures - 297614, NN profile(s) - 2, malware removal microprograms - 56, signature database released 16.05.2013 16:00
Heuristic microprograms loaded: 402
PVS microprograms loaded: 9
Digital signatures of system files loaded: 551869
Heuristic analyzer mode: Medium heuristics mode
Malware removal mode: disabled
Windows version is: 5.1.2600, Dodatek Service Pack 3 ; AVZ is run with administrator rights
System Restore: enabled
1. Searching for Rootkits and other software intercepting API functions
1.1 Searching for user-mode API hooks
 Analysis: kernel32.dll, export table found in section .text
Function kernel32.dll:CreateProcessA (99) intercepted, method - APICodeHijack.JmpTo[7C80236B]
Function kernel32.dll:CreateProcessW (103) intercepted, method - APICodeHijack.JmpTo[7C802336]
 Analysis: ntdll.dll, export table found in section .text
Function ntdll.dll:LdrUnloadDll (80) intercepted, method - APICodeHijack.JmpTo[7C9171CD]
Function ntdll.dll:NtClose (111) intercepted, method - APICodeHijack.JmpTo[7C90CFEE]
Function ntdll.dll:NtReplyWaitReceivePort (286) intercepted, method - APICodeHijack.JmpTo[7C90DA8E]
Function ntdll.dll:NtReplyWaitReceivePortEx (287) intercepted, method - APICodeHijack.JmpTo[7C90DA9E]
Function ntdll.dll:ZwClose (922) intercepted, method - APICodeHijack.JmpTo[7C90CFEE]
Function ntdll.dll:ZwReplyWaitReceivePort (1096) intercepted, method - APICodeHijack.JmpTo[7C90DA8E]
Function ntdll.dll:ZwReplyWaitReceivePortEx (1097) intercepted, method - APICodeHijack.JmpTo[7C90DA9E]
 Analysis: user32.dll, export table found in section .text
Function user32.dll:SetWinEventHook (639) intercepted, method - APICodeHijack.JmpTo[7E3817F7]
Function user32.dll:SetWindowsHookExA (651) intercepted, method - APICodeHijack.JmpTo[7E381211]
Function user32.dll:SetWindowsHookExW (652) intercepted, method - APICodeHijack.JmpTo[7E37820F]
 Analysis: advapi32.dll, export table found in section .text
Function advapi32.dll:CreateProcessAsUserA (97) intercepted, method - APICodeHijack.JmpTo[77E00CE8]
Function advapi32.dll:CreateProcessAsUserW (99) intercepted, method - APICodeHijack.JmpTo[77DDA8A9]
Function advapi32.dll:CreateProcessWithLogonW (100) intercepted, method - APICodeHijack.JmpTo[77E05FFD]
 Analysis: ws2_32.dll, export table found in section .text
 Analysis: wininet.dll, export table found in section .text
 Analysis: rasapi32.dll, export table found in section .text
 Analysis: urlmon.dll, export table found in section .text
 Analysis: netapi32.dll, export table found in section .text
1.2 Searching for kernel-mode API hooks
 Driver loaded successfully
 SDT found (RVA=085700)
 Kernel ntkrnlpa.exe found in memory at address 804D7000
   SDT = 8055C700
   KiST = 805044C4 (284)
Function NtAdjustPrivilegesToken (0B) intercepted (805EC410->B35A64EE), hook C:\WINDOWS\System32\DRIVERS\cmdguard.sys
Function NtClose (19) intercepted (805BC538->B8733E24), hook not defined
Function NtConnectPort (1F) intercepted (805A45D8->B35A579E), hook C:\WINDOWS\System32\DRIVERS\cmdguard.sys
Function NtCreateFile (25) intercepted (805790A2->B35A611C), hook C:\WINDOWS\System32\DRIVERS\cmdguard.sys
Function NtCreateKey (29) intercepted (8062423A->B8733DDE), hook not defined
Function NtCreateSection (32) intercepted (805AB3D0->B8733E2E), hook not defined
Function NtCreateSymbolicLinkObject (34) intercepted (805C3A02->B35A8882), hook C:\WINDOWS\System32\DRIVERS\cmdguard.sys
Function NtCreateThread (35) intercepted (805D1038->B8733DD4), hook not defined
Function NtDeleteKey (3F) intercepted (806246D6->B8733DE3), hook not defined
Function NtDeleteValueKey (41) intercepted (806248A6->B8733DED), hook not defined
Function NtDuplicateObject (44) intercepted (805BE010->B8733E1F), hook not defined
Function NtEnumerateKey (47) intercepted (80624A86->B35A7994), hook C:\WINDOWS\System32\DRIVERS\cmdguard.sys
Function NtEnumerateValueKey (49) intercepted (80624CF0->B35A7BA8), hook C:\WINDOWS\System32\DRIVERS\cmdguard.sys
Function NtLoadDriver (61) intercepted (80584172->B35A8288), hook C:\WINDOWS\System32\DRIVERS\cmdguard.sys
Function NtLoadKey (62) intercepted (8062645E->B8733DF2), hook not defined
Function NtMakeTemporaryObject (69) intercepted (805BC5DC->B35A5A82), hook C:\WINDOWS\System32\DRIVERS\cmdguard.sys
Function NtNotifyChangeKey (6F) intercepted (80626428->B35A8B54), hook C:\WINDOWS\System32\DRIVERS\cmdguard.sys
Function NtNotifyChangeMultipleKeys (70) intercepted (8062505C->B35A7752), hook C:\WINDOWS\System32\DRIVERS\cmdguard.sys
Function NtOpenFile (74) intercepted (8057A1A0->B35A6314), hook C:\WINDOWS\System32\DRIVERS\cmdguard.sys
Function NtOpenKey (77) intercepted (80625618->B35A6DB0), hook C:\WINDOWS\System32\DRIVERS\cmdguard.sys
Function NtOpenProcess (7A) intercepted (805CB456->B8733DC0), hook not defined
Function NtOpenSection (7D) intercepted (805AA3F4->B35A5D36), hook C:\WINDOWS\System32\DRIVERS\cmdguard.sys
Function NtOpenThread (80) intercepted (805CB6E2->B8733DC5), hook not defined
Function NtQueryKey (A0) intercepted (8062595A->B35A7D1A), hook C:\WINDOWS\System32\DRIVERS\cmdguard.sys
Function NtQueryMultipleValueKey (A1) intercepted (80623388->B35A7FCE), hook C:\WINDOWS\System32\DRIVERS\cmdguard.sys
Function NtQueryValueKey (B1) intercepted (8062245E->B8733E47), hook not defined
Function NtRenameKey (C0) intercepted (80623C5C->B35A74A8), hook C:\WINDOWS\System32\DRIVERS\cmdguard.sys
Function NtReplaceKey (C1) intercepted (8062630E->B8733DFC), hook not defined
Function NtRequestWaitReplyPort (C8) intercepted (805A2D7E->B8733E38), hook not defined
Function NtRestoreKey (CC) intercepted (80625C1A->B8733DF7), hook not defined
Function NtSetContextThread (D5) intercepted (805D2C1A->B8733E33), hook not defined
Function NtSetSecurityObject (ED) intercepted (805C0636->B8733E3D), hook not defined
Function NtSetSystemInformation (F0) intercepted (8060FE68->B35A8588), hook C:\WINDOWS\System32\DRIVERS\cmdguard.sys
Function NtSetValueKey (F7) intercepted (806227AC->B8733DE8), hook not defined
Function NtShutdownSystem (F9) intercepted (806130F2->B35A59EC), hook C:\WINDOWS\System32\DRIVERS\cmdguard.sys
Function NtSystemDebugControl (FF) intercepted (8061820E->B8733E42), hook not defined
Function NtTerminateProcess (101) intercepted (805D22D8->B8733DCF), hook not defined
Function NtTerminateThread (102) intercepted (805D24D2->B35A534C), hook C:\WINDOWS\System32\DRIVERS\cmdguard.sys
Functions checked: 284, intercepted: 38, restored: 0
1.3 Checking IDT and SYSENTER
 Analyzing CPU 1
 Analyzing CPU 2
 Checking IDT and SYSENTER - complete
1.4 Searching for masking processes and drivers
 Checking not performed: extended monitoring driver (AVZPM) is not installed
1.5 Checking IRP handlers
 Driver loaded successfully
 Checking - complete
2. Scanning RAM
 Number of processes found: 30
 Number of modules loaded: 362
Scanning RAM - complete
3. Scanning disks
4. Checking  Winsock Layered Service Provider (SPI/LSP)
 LSP settings checked. No errors detected
5. Searching for keyboard/mouse/windows events hooks (Keyloggers, Trojan DLLs)
C:\WINDOWS\system32\msv1_0.dll --> Suspicion for Keylogger or Trojan DLL
C:\WINDOWS\system32\msv1_0.dll>>> Behaviour analysis 
 Behaviour typical for keyloggers was not detected
Note: Do NOT delete suspicious files, send them for analysis  (see FAQ for more details),  because there are lots of useful hooking DLLs
6. Searching for opened TCP/UDP ports used by malicious software
 In the database 317 port descriptions
 Opened at this PC: 33 TCP ports and 7 UDP ports
 Checking - complete; no suspicious ports detected
7. Heuristic system check
>>> Suspicion for service/driver reg key masking "RealNetworks Downloader Resolver Servic"
Checking - complete
8. Searching for vulnerabilities
>> Services: potentially dangerous service allowed: TermService (Usługi terminalowe)
>> Services: potentially dangerous service allowed: Schedule (Harmonogram zadań)
>> Services: potentially dangerous service allowed: mnmsrvc (NetMeeting Remote Desktop Sharing)
>> Services: potentially dangerous service allowed: RDSessMgr (Menedżer sesji pomocy pulpitu zdalnego)
> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
>> Security: disk drives' autorun is enabled
>> Security: administrative shares (C$, D$ ...) are enabled
>> Security: anonymous user access is enabled
Checking - complete
9. Troubleshooting wizard
Checking - complete
Files scanned: 392, extracted from archives: 0, malicious software found 0, suspicions - 0
Scanning finished at 16.05.2013 18:24:46
Time of scanning: 00:01:06
If you have a suspicion on presence of viruses or questions on the suspected objects,
you can address http://forum.kaspersky.com/index.php?showforum=19