   AVZ  4.32
   01.11.2009 16:53:28
 :  - 247554,  - 2,   - 56,   31.10.2009 09:42
  : 374
  : 9
    : 151774
  :   
 : 
 Windows: 5.1.2600, Service Pack 2 ; AVZ    
 : 
1.  RootKit  ,   API
1.1   API,   UserMode
  kernel32.dll,      .text
  ntdll.dll,      .text
  user32.dll,      .text
  advapi32.dll,      .text
  ws2_32.dll,      .text
  wininet.dll,      .text
  rasapi32.dll,      .text
  urlmon.dll,      .text
  netapi32.dll,      .text
1.2   API,   KernelMode
   
 SDT  (RVA=082480)
  ntoskrnl.exe      804D7000
   SDT = 80559480
   KiST = 804E26A8 (284)
 NtConnectPort (1F)  (805894AD->BA7430D2),  C:\WINDOWS\System32\DRIVERS\cmdmon.sys,    
 NtCreateFile (25)  (80570D48->BA745302),  C:\WINDOWS\System32\DRIVERS\cmdmon.sys,    
 NtCreateKey (29)  (8056E761->F7C39CB6),   
 NtCreatePort (2E)  (805963A9->BA74302C),  C:\WINDOWS\System32\DRIVERS\cmdmon.sys,    
 NtCreateSection (32)  (8056441B->BA743AAE),  C:\WINDOWS\System32\DRIVERS\cmdmon.sys,    
 NtCreateThread (35)  (8057B1C5->F7C39CAC),   
 NtDeleteFile (3E)  (805D3C07->BA744CB0),  C:\WINDOWS\System32\DRIVERS\cmdmon.sys,    
 NtDeleteKey (3F)  (80590F78->F7C39CBB),   
 NtDeleteValueKey (41)  (8058E9FA->F7C39CC5),   
 NtEnumerateKey (47)  (8056EE68->F742ECA2),  spoy.sys
 NtEnumerateValueKey (49)  (8057EB28->F742F030),  spoy.sys
 NtLoadKey (62)  (805AACF0->F7C39CCA),   
 NtOpenKey (77)  (80567AFB->F74110C0),  spoy.sys
 NtOpenProcess (7A)  (80573C96->F7C39C98),   
 NtOpenSection (7D)  (8057769B->BA7439E0),  C:\WINDOWS\System32\DRIVERS\cmdmon.sys,    
 NtOpenThread (80)  (80588974->F7C39C9D),   
 NtQueryKey (A0)  (8056EB71->F742F108),  spoy.sys
 NtQueryValueKey (B1)  (8056B0BB->F742EF88),  spoy.sys
 NtReplaceKey (C1)  (8064D232->F7C39CD4),   
 NtRestoreKey (CC)  (8064BD56->F7C39CCF),   
 NtSetContextThread (D5)  (8062C143->BA742BB4),  C:\WINDOWS\System32\DRIVERS\cmdmon.sys,    
 NtSetInformationFile (E0)  (80577E2C->BA744DE0),  C:\WINDOWS\System32\DRIVERS\cmdmon.sys,    
 NtSetValueKey (F7)  (80574C1D->F7C39CC0),   
 NtShutdownSystem (F9)  (80645557->BA743FA0),  C:\WINDOWS\System32\DRIVERS\cmdmon.sys,    
 NtTerminateProcess (101)  (80582C2B->F7C39CA7),   
 NtWriteFile (112)  (805780D5->BA74514A),  C:\WINDOWS\System32\DRIVERS\cmdmon.sys,    
 NtWriteFileGather (113)  (805D62EE->BA744FB4),  C:\WINDOWS\System32\DRIVERS\cmdmon.sys,    
 : 284, : 27, : 0
1.3  IDT  SYSENTER
    1
  IDT  SYSENTER 
1.4     
   ,       AVZPM
   
1.5   IRP
\FileSystem\ntfs[IRP_MJ_CREATE] = 82F6E1F8 ->   
\FileSystem\ntfs[IRP_MJ_CLOSE] = 82F6E1F8 ->   
\FileSystem\ntfs[IRP_MJ_WRITE] = 82F6E1F8 ->   
\FileSystem\ntfs[IRP_MJ_QUERY_INFORMATION] = 82F6E1F8 ->   
\FileSystem\ntfs[IRP_MJ_SET_INFORMATION] = 82F6E1F8 ->   
\FileSystem\ntfs[IRP_MJ_QUERY_EA] = 82F6E1F8 ->   
\FileSystem\ntfs[IRP_MJ_SET_EA] = 82F6E1F8 ->   
\FileSystem\ntfs[IRP_MJ_QUERY_VOLUME_INFORMATION] = 82F6E1F8 ->   
\FileSystem\ntfs[IRP_MJ_SET_VOLUME_INFORMATION] = 82F6E1F8 ->   
\FileSystem\ntfs[IRP_MJ_DIRECTORY_CONTROL] = 82F6E1F8 ->   
\FileSystem\ntfs[IRP_MJ_FILE_SYSTEM_CONTROL] = 82F6E1F8 ->   
\FileSystem\ntfs[IRP_MJ_DEVICE_CONTROL] = 82F6E1F8 ->   
\FileSystem\ntfs[IRP_MJ_LOCK_CONTROL] = 82F6E1F8 ->   
\FileSystem\ntfs[IRP_MJ_QUERY_SECURITY] = 82F6E1F8 ->   
\FileSystem\ntfs[IRP_MJ_SET_SECURITY] = 82F6E1F8 ->   
\FileSystem\ntfs[IRP_MJ_PNP] = 82F6E1F8 ->   
  
2.  
   : 31
   : 266
  
3.  
  C:\Documents and Settings\King Maxim\Local Settings\Application Data\Opera\Opera\vps\0000\wb.vx
  C:\Documents and Settings\King Maxim\Local Settings\Application Data\Opera\Opera\vps\0001\wb.vx
  C:\Documents and Settings\King Maxim\Local Settings\Application Data\Opera\Opera\vps\0002\wb.vx
  C:\Documents and Settings\King Maxim\Local Settings\Application Data\Opera\Opera\vps\0003\wb.vx
  C:\Documents and Settings\King Maxim\Local Settings\Application Data\Opera\Opera\vps\0004\wb.vx
  C:\Documents and Settings\King Maxim\Local Settings\Application Data\Opera\Opera\vps\0005\wb.vx
  C:\Documents and Settings\King Maxim\Local Settings\Application Data\Opera\Opera\vps\0006\wb.vx
  C:\Documents and Settings\King Maxim\Local Settings\Application Data\Opera\Opera\vps\0007\wb.vx
  C:\Documents and Settings\King Maxim\Local Settings\Application Data\Opera\Opera\vps\0008\wb.vx
  C:\Documents and Settings\King Maxim\Local Settings\Application Data\Opera\Opera\vps\0009\wb.vx
  C:\Documents and Settings\King Maxim\Local Settings\Temp\~DF4169.tmp
  C:\Program Files\Opera\skin\standard_skin.zip
  C:\Program Files\Total Commander\Plugins\wlx\Imagine\Imagine.dll
  C:\Program Files\uTorrent Extreme Leecher Edition\Azureus 2504\uTorrent Extreme LE (Original).exe
  C:\WINDOWS\system32\drivers\sptd.sys
D:\PDA\\FAQ_sgh_i710.chm/{CHM}//Tip & Tweak (настройка и твики системы)/Убираем выскакивающее сообщение о переадресации.files/dci710notify.exe >>>  -    CHM  - ,    
D:\PDA\\spb.mobile.shell.3.kg.rar/{RAR}/cr-keymaker.exe >>>>> Trojan-Downloader.Win32.Agent.bzoe 
4.  Winsock Layered Service Provider (SPI/LSP)
 LSP NameSpace: "mdnsNSP" -->   C:\Program Files\Bonjour\mdnsNSP.dll
  !    SPI/LSP.   - 1
5.    // (Keylogger,  DLL)
6.    TCP/UDP,   
   
7. c  
  Winlogon\Shell,     "explorer.exe rundll32.exe dckp.suo printer"
 
8.   
>> :     SSDPSRV (  SSDP)
>> :     Alerter ()
> :   -           (,     ...)!
>> :     CDROM
>> :      
 
9.     
 >>     
 >>     HDD
 >>      
 >>      
 
 : 85370,   : 59260,    1,  - 0
   01.11.2009 17:46:51
  00:53:25
            ,
      - http://virusinfo.info
