Results of system analysis

Kaspersky Virus Removal Tool 2010 9.0.0.722 (database released 03/05/2011; 21:35)

List of processes

File name | PID | Description | Copyright | MD5 | Information
c:\program files\flip video\flipshare\flipshareservice.exe | 300 | FlipShare Service | Copyright 2002-2010 Cisco Systems, Inc. and/or its affiliated entities | ?? | 445.26 kb, rsAh, created: 5/14/2010 1:59:44 PM, modified: 5/14/2010 1:59:44 PM
  Command line: "C:\Program Files\Flip Video\FlipShare\FlipShareService.exe"
c:\windows\system32\spoolsv.exe | 1260 | Spooler SubSystem App | © Microsoft Corporation. All rights reserved. | ?? | 57.50 kb, rsAh, created: 3/9/2009 8:39:15 PM, modified: 8/17/2010 6:17:06 AM
  Command line: C:\WINDOWS\system32\spoolsv.exe
Detected: 41, recognized as trusted: 41
Module name | Handle | Description | Copyright | MD5 | Used by processes
C:\Program Files\Flip Video\FlipShare\Core.dll | 268435456 | Core Dynamic Link Library | Copyright 2002-2010 Cisco Systems, Inc. and/or its affiliated entities | -- | 300
C:\Program Files\Flip Video\FlipShare\qca2.dll | 4653056 |  |  | -- | 300
C:\WINDOWS\System32\spool\PRTPROCS\W32X86\hpzppc00.dll | 21168128 |  | Copyright (C) Hewlett-Packard Corp. 1997-2002 | -- | 1260
Modules detected: 391, recognized as trusted: 388

Kernel Space Modules Viewer

Module | Base address | Size in memory | Description | Manufacturer
C:\WINDOWS\System32\Drivers\dump_atapi.sys | EF00F000 | 018000 (98304) |  | 
C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS | F8A87000 | 002000 (8192) |  | 
Modules detected - 126, recognized as trusted - 124

Services

Service | Description | Status | File | Group | Dependencies
Detected - 91, recognized as trusted - 91

Drivers

Service | Description | Status | File | Group | Dependencies
Abiosdsk | Abiosdsk | Not started | Abiosdsk.sys | Primary disk | 
Atdisk | Atdisk | Not started | Atdisk.sys | Primary disk | 
bvrp_pci | bvrp_pci | Not started | bvrp_pci.sys |  | 
Changer | Changer | Not started | Changer.sys | Filter | 
iAimTV2 | iAimTV2 | Not started | C:\WINDOWS\system32\DRIVERS\wATV03nt.sys |  | 
lbrtfdc | lbrtfdc | Not started | lbrtfdc.sys | System Bus Extender | 
MpKsl038d792c | MpKsl038d792c | Not started | C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DB592FE3-C184-4B4D-B905-A9D66DE8BAA9}\MpKsl038d792c.sys |  | 
MpKsl117020bb | MpKsl117020bb | Not started | c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{27CF1C9F-E459-4965-8675-52CED00C5192}\MpKsl117020bb.sys |  | 
MpKsl20b0e284 | MpKsl20b0e284 | Not started | C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B48D4D73-8A57-4EB1-8999-C0BF8AFBA83D}\MpKsl20b0e284.sys |  | 
MpKsl5bf7e0ab | MpKsl5bf7e0ab | Not started | c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4688F051-1D96-47B1-B55E-1B0569F46529}\MpKsl5bf7e0ab.sys |  | 
MpKsl5ed032d0 | MpKsl5ed032d0 | Not started | c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{40A82DC3-9EB6-4B78-B5AC-DABC628D99BF}\MpKsl5ed032d0.sys |  | 
MpKsl66f8d53a | MpKsl66f8d53a | Not started | c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D6BF2015-11DD-41EE-8211-4663D05B7047}\MpKsl66f8d53a.sys |  | 
MpKsl8519000f | MpKsl8519000f | Not started | c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{9195D7E8-8789-4159-AE28-B8B8658B9766}\MpKsl8519000f.sys |  | 
MpKslbce10372 | MpKslbce10372 | Not started | c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F233C158-32C1-41E1-813F-44947382A43D}\MpKslbce10372.sys |  | 
MpKslddc63e5d | MpKslddc63e5d | Not started | C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B48D4D73-8A57-4EB1-8999-C0BF8AFBA83D}\MpKslddc63e5d.sys |  | 
MpKslec5ac98c | MpKslec5ac98c | Not started | c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{92BEEF95-E094-4791-969E-B9284DBDFBA2}\MpKslec5ac98c.sys |  | 
PCIDump | PCIDump | Not started | PCIDump.sys | PCI Configuration | 
PDCOMP | PDCOMP | Not started | PDCOMP.sys |  | 
PDFRAME | PDFRAME | Not started | PDFRAME.sys |  | 
PDRELI | PDRELI | Not started | PDRELI.sys |  | 
PDRFRAME | PDRFRAME | Not started | PDRFRAME.sys |  | 
Simbad | Simbad | Not started | Simbad.sys | Filter | 
WDICA | WDICA | Not started | WDICA.sys |  | 
Detected - 220, recognized as trusted - 197

Autoruns

File name | Status | Startup method | Description
C:\Program Files\America Online 8.0\aol.exe | Active | Shortcut in Autoruns folder | C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Internet Explorer\Quick Launch\, C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Internet Explorer\Quick Launch\America Online 8.0.lnk,
C:\WINDOWS\System32\PrintFilterPipelineSvc.exe | Active | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\PrintFilterPipelineSvc, EventMessageFile
C:\WINDOWS\System32\appmgmts.dll | Active | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\AppMgmt\Parameters, ServiceDll
C:\WINDOWS\System32\appmgmts.dll | Active | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Application Management, EventMessageFile
C:\WINDOWS\System32\appmgr.dll | Active | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Software Installation, EventMessageFile
C:\WINDOWS\System32\fdeploy.dll | Active | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\File Deployment, EventMessageFile
C:\WINDOWS\System32\fdeploy.dll | Active | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Folder Redirection, EventMessageFile
C:\WINDOWS\System32\hidserv.dll | Active | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\HidServ\Parameters, ServiceDll
C:\WINDOWS\System32\igmpv2.dll | Active | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\IGMPv2, EventMessageFile
C:\WINDOWS\System32\ipbootp.dll | Active | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\IPBOOTP, EventMessageFile
C:\WINDOWS\System32\iprip2.dll | Active | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\IPRIP2, EventMessageFile
C:\WINDOWS\System32\ntbackup.exe | Active | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\ntbackup, EventMessageFile
C:\WINDOWS\System32\ospf.dll | Active | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\OSPF, EventMessageFile
C:\WINDOWS\System32\ospfmib.dll | Active | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\OSPFMib, EventMessageFile
C:\WINDOWS\System32\polagent.dll | Active | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\PolicyAgent, EventMessageFile
C:\WINDOWS\System32\tssdis.exe | Active | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\TermServSessDir, EventMessageFile
C:\WINDOWS\system32\MsSip1.dll | Active | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\WinTrust\SubjectPackages\MS Subjects 1, $DLL
C:\WINDOWS\system32\MsSip2.dll | Active | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\WinTrust\SubjectPackages\MS Subjects 2, $DLL
C:\WINDOWS\system32\MsSip3.dll | Active | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\WinTrust\SubjectPackages\MS Subjects 3, $DLL
C:\WINDOWS\system32\asr_pfu.exe | Active | Registry key | HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\Asr\Commands, ASR protected file utility
C:\WINDOWS\system32\mspmspsv.dll | Active | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\WmdmPmSp, EventMessageFile
C:\WINDOWS\system32\psxss.exe | -- | Registry key | HKEY_LOCAL_MACHINE, System\CurrentControlSet\Control\Session Manager\SubSystems, Posix
C:\WINDOWS\system32\stisvc.exe | Active | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System, EventMessageFile
appmgmts.dll | Active | Registry key | HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}, DLLName
kbd101.dll | Active | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\i8042prt\Parameters, LayerDriver JPN
kbd101a.dll | Active | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\i8042prt\Parameters, LayerDriver KOR
mvfs32.dll | Active | Registry key | HKEY_USERS, .DEFAULT\Control Panel\IOProcs, MVB
mvfs32.dll | Active | Registry key | HKEY_USERS, S-1-5-19\Control Panel\IOProcs, MVB
mvfs32.dll | Active | Registry key | HKEY_USERS, S-1-5-20\Control Panel\IOProcs, MVB
mvfs32.dll | Active | Registry key | HKEY_USERS, S-1-5-18\Control Panel\IOProcs, MVB
mvfs32.dll | Active | Registry key | HKEY_USERS, S-1-5-21-1539591278-2751312794-419274642-1008\Control Panel\IOProcs, MVB
vgafix.fon | Active | Registry key | HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\WOW\boot, fixedfon.fon
vgaoem.fon | Active | Registry key | HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\WOW\boot, oemfonts.fon
vgasys.fon | Active | Registry key | HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\WOW\boot, fonts.fon
Autoruns items detected - 591, recognized as trusted - 557

Microsoft Internet Explorer extension modules (BHOs, Toolbars ...)

File name | Type | Description | Manufacturer | CLSID
 | BHO |  |  | {02478D38-C3F9-4efb-9B51-7695ECA05670}
 | Toolbar |  |  | {EF99BD32-C1FB-11D2-892F-0090271D4F88}
 | Extension module |  |  | {4528BBE0-4E08-11D5-AD55-00010333D0AD}
 | Extension module |  |  | {92780B25-18CC-41C8-B9BE-3C9C571A8263}
 | Extension module |  |  | {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
 | Explorer Bar |  |  | {4528BBE0-4E08-11D5-AD55-00010333D0AD}
 | Explorer Bar |  |  | {32683183-48a0-441b-a342-7c2a440a9478}
Elements detected - 16, recognized as trusted - 9

Windows Explorer extension modules

File name | Destination | Description | Manufacturer | CLSID
 |  | Display Panning CPL Extension |  | {42071714-76d4-11d1-8b24-00a0c9068ff3}
 |  | Shell extensions for file compression |  | {764BF0E1-F219-11ce-972D-00AA00A14F56}
 |  | Encryption Context Menu |  | {853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}
 |  | Taskbar and Start Menu |  | {0DF44EAA-FF21-4412-828E-260A8728E7F1}
 |  | Media Band |  | {32683183-48a0-441b-a342-7c2a440a9478}
 |  | User Accounts |  | {7A9D77BD-5403-11d2-8785-2E0420524153}
 |  | Shell Extensions for RealOne Player |  | {F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}
 |  | Yahoo! Mail |  | {5464D816-CF16-4784-B9F3-75C0DB52B499}
 |  | IE User Assist |  | {FAC3CBF6-8697-43d0-BAB9-DCD1FCE19D75}
Elements detected - 211, recognized as trusted - 202

Printing system extensions (print monitors, providers)

File name | Type | Name | Description | Manufacturer
Elements detected - 10, recognized as trusted - 10

Task Scheduler jobs

File name | Job name | Job status | Description | Manufacturer
Elements detected - 2, recognized as trusted - 2

SPI/LSP settings

Namespace providers (NSP)
Provider | Status | EXE file | Description | GUID
Detected - 3, recognized as trusted - 3
Transport protocol providers (TSP, LSP)
Provider | EXE file | Description
Detected - 15, recognized as trusted - 15
Results of automatic SPI settings check
LSP settings checked. No errors detected

TCP/UDP ports

Port | Status | Remote Host | Remote Port | Application | Notes
TCP ports
135 | LISTENING | 0.0.0.0 | 6230 | [688] c:\windows\system32\svchost.exe | 
139 | LISTENING | 0.0.0.0 | 2288 | [4] System | 
445 | LISTENING | 0.0.0.0 | 36888 | [4] System | 
1043 | ESTABLISHED | 127.0.0.1 | 1044 | [3424] c:\program files\mozilla firefox\firefox.exe | 
1044 | ESTABLISHED | 127.0.0.1 | 1043 | [3424] c:\program files\mozilla firefox\firefox.exe | 
1045 | ESTABLISHED | 127.0.0.1 | 1046 | [3424] c:\program files\mozilla firefox\firefox.exe | 
1046 | ESTABLISHED | 127.0.0.1 | 1045 | [3424] c:\program files\mozilla firefox\firefox.exe | 
1129 | TIME_WAIT | 74.125.224.79 | 80 | [0] | 
1130 | ESTABLISHED | 74.125.53.139 | 80 | [3424] c:\program files\mozilla firefox\firefox.exe | 
1131 | ESTABLISHED | 74.125.224.41 | 443 | [3424] c:\program files\mozilla firefox\firefox.exe | 
5152 | CLOSE_WAIT | 127.0.0.1 | 1047 | [952] c:\program files\java\jre6\bin\jqs.exe | 
5152 | CLOSE_WAIT | 127.0.0.1 | 1048 | [952] c:\program files\java\jre6\bin\jqs.exe | 
5152 | LISTENING | 0.0.0.0 | 39134 | [952] c:\program files\java\jre6\bin\jqs.exe | 
UDP ports
123 | LISTENING | -- | -- | [792] c:\windows\system32\svchost.exe | 
123 | LISTENING | -- | -- | [792] c:\windows\system32\svchost.exe | 
137 | LISTENING | -- | -- | [4] System | 
138 | LISTENING | -- | -- | [4] System | 
445 | LISTENING | -- | -- | [4] System | 
500 | LISTENING | -- | -- | [480] c:\windows\system32\lsass.exe | 
1900 | LISTENING | -- | -- | [1020] c:\windows\system32\svchost.exe | 
1900 | LISTENING | -- | -- | [1020] c:\windows\system32\svchost.exe | 
4500 | LISTENING | -- | -- | [480] c:\windows\system32\lsass.exe | 

Downloaded Program Files (DPF)

File name | Description | Manufacturer | CLSID | Source URL
 | DirectAnimation Java Classes |  |  | file://C:\WINDOWS\Java\classes\dajava.cab
 | Microsoft XML Parser for Java |  |  | file://C:\WINDOWS\Java\classes\xmldso.cab
 |  |  | {33564D57-0000-0010-8000-00AA00389B71} | http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
 |  |  | {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} | http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,81/mcinsctl.cab
Elements detected - 8, recognized as trusted - 4

Control Panel Applets (CPL)

File name | Description | Manufacturer
Elements detected - 26, recognized as trusted - 26

Active Setup

File name | Description | Manufacturer | CLSID
Elements detected - 15, recognized as trusted - 15

HOSTS file

Hosts file record
ÿþ1

Protocols and handlers

File name | Type | Description | Manufacturer | CLSID
mscoree.dll | Protocol | Microsoft .NET Runtime Execution Engine () | © Microsoft Corporation. All rights reserved. | {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
mscoree.dll | Protocol | Microsoft .NET Runtime Execution Engine () | © Microsoft Corporation. All rights reserved. | {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
mscoree.dll | Protocol | Microsoft .NET Runtime Execution Engine () | © Microsoft Corporation. All rights reserved. | {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
Elements detected - 31, recognized as trusted - 28

Suspicious objects

File | Description | Type
C:\WINDOWS\system32\drivers\OADriver.sys | Suspicion for Rootkit | Kernel-mode hook
C:\WINDOWS\system32\drivers\OAmon.sys | Suspicion for Rootkit | Kernel-mode hook

Main script of analysis
Windows version: Microsoft Windows XP, Build=2600, SP="Service Pack 3"
System Restore: enabled
1.1 Searching for user-mode API hooks
 Analysis: kernel32.dll, export table found in section .text
Function kernel32.dll:CreateFileW (83) intercepted, method CodeHijack (method not defined)
IAT modification detected: CreateProcessA - 00CC0010<>7C80236B
IAT modification detected: GetModuleFileNameA - 00CC0080<>7C80B56F
IAT modification detected: GetModuleFileNameW - 00CC00F0<>7C80B475
IAT modification detected: CreateProcessW - 00CC0160<>7C802336
IAT modification detected: LoadLibraryW - 00CC0240<>7C80AEEB
IAT modification detected: LoadLibraryA - 00CC0320<>7C801D7B
IAT modification detected: GetProcAddress - 00CC0390<>7C80AE40
IAT modification detected: FreeLibrary - 00CC0400<>7C80AC7E
 Analysis: ntdll.dll, export table found in section .text
Function ntdll.dll:NtCreateSymbolicLinkObject (139) intercepted, method CodeHijack (method not defined)
Function ntdll.dll:ZwCreateSymbolicLinkObject (950) intercepted, method CodeHijack (method not defined)
 Analysis: user32.dll, export table found in section .text
Function user32.dll:DdeClientTransaction (106) intercepted, method CodeHijack (method not defined)
Function user32.dll:ExitWindowsEx (226) intercepted, method CodeHijack (method not defined)
Function user32.dll:RegisterHotKey (543) intercepted, method CodeHijack (method not defined)
 Analysis: advapi32.dll, export table found in section .text
Function advapi32.dll:CreateServiceA (102) intercepted, method CodeHijack (method not defined)
Function advapi32.dll:CreateServiceW (103) intercepted, method CodeHijack (method not defined)
Function advapi32.dll:InitiateSystemShutdownA (309) intercepted, method CodeHijack (method not defined)
Function advapi32.dll:InitiateSystemShutdownExA (310) intercepted, method CodeHijack (method not defined)
Function advapi32.dll:InitiateSystemShutdownExW (311) intercepted, method CodeHijack (method not defined)
Function advapi32.dll:InitiateSystemShutdownW (312) intercepted, method CodeHijack (method not defined)
 Analysis: ws2_32.dll, export table found in section .text
Function ws2_32.dll:WSAAsyncSelect (101) intercepted, method CodeHijack (method not defined)
Function ws2_32.dll:WSAGetOverlappedResult (43) intercepted, method CodeHijack (method not defined)
Function ws2_32.dll:WSARecv (71) intercepted, method CodeHijack (method not defined)
Function ws2_32.dll:WSASend (76) intercepted, method CodeHijack (method not defined)
Function ws2_32.dll:closesocket (3) intercepted, method CodeHijack (method not defined)
Function ws2_32.dll:connect (4) intercepted, method CodeHijack (method not defined)
Function ws2_32.dll:ioctlsocket (10) intercepted, method CodeHijack (method not defined)
Function ws2_32.dll:recv (16) intercepted, method CodeHijack (method not defined)
Function ws2_32.dll:select (18) intercepted, method CodeHijack (method not defined)
Function ws2_32.dll:send (19) intercepted, method CodeHijack (method not defined)
Function ws2_32.dll:sendto (20) intercepted, method CodeHijack (method not defined)
Function ws2_32.dll:socket (23) intercepted, method CodeHijack (method not defined)
 Analysis: wininet.dll, export table found in section .text
 Analysis: rasapi32.dll, export table found in section .text
 Analysis: urlmon.dll, export table found in section .text
 Analysis: netapi32.dll, export table found in section .text
Function netapi32.dll:NetScheduleJobAdd (204) intercepted, method CodeHijack (method not defined)
1.2 Searching for kernel-mode API hooks
 Driver loaded successfully
 SDT found (RVA=083220)
 Kernel ntoskrnl.exe found in memory at address 804D7000
   SDT = 8055A220
   KiST = 804E26B8 (284)
Function NtAllocateVirtualMemory (11) intercepted (80568FCA->EF68342C), hook C:\WINDOWS\system32\drivers\OADriver.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtAssignProcessToJobObject (13) intercepted (805A253D->EF682928), hook C:\WINDOWS\system32\drivers\OADriver.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtConnectPort (1F) intercepted (8058C63A->EF68164C), hook C:\WINDOWS\system32\drivers\OADriver.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateFile (25) intercepted (8056CF98->EF688316), hook C:\WINDOWS\system32\drivers\OADriver.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateKey (29) intercepted (80570833->EF68A242), hook C:\WINDOWS\system32\drivers\OADriver.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreatePort (2E) intercepted (80597609->EF68146A), hook C:\WINDOWS\system32\drivers\OADriver.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateProcess (2F) intercepted (805B14AC->EF682EE8), hook C:\WINDOWS\system32\drivers\OADriver.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateProcessEx (30) intercepted (8057FE4C->EF67F978), hook C:\WINDOWS\system32\drivers\OADriver.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateSection (32) intercepted (805652B3->EF67F4F2), hook C:\WINDOWS\system32\drivers\OADriver.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateThread (35) intercepted (80587A3C->EF680634), hook C:\WINDOWS\system32\drivers\OADriver.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtDebugActiveProcess (39) intercepted (8065B541->EF680D22), hook C:\WINDOWS\system32\drivers\OADriver.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtDuplicateObject (44) intercepted (805717C5->EF68132C), hook C:\WINDOWS\system32\drivers\OADriver.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtLoadDriver (61) intercepted (805A3B73->EF682350), hook C:\WINDOWS\system32\drivers\OADriver.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtOpenFile (74) intercepted (8056CF33->EF688694), hook C:\WINDOWS\system32\drivers\OADriver.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtOpenProcess (7A) intercepted (805719AC->EF680308), hook C:\WINDOWS\system32\drivers\OADriver.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtOpenSection (7D) intercepted (805711B4->EF67F7B4), hook C:\WINDOWS\system32\drivers\OADriver.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtOpenThread (80) intercepted (8058E5C4->EF6808B0), hook C:\WINDOWS\system32\drivers\OADriver.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtProtectVirtualMemory (89) intercepted (80571E96->EF6826DA), hook C:\WINDOWS\system32\drivers\OADriver.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtQueueApcThread (B4) intercepted (8058A487->EF682A44), hook C:\WINDOWS\system32\drivers\OADriver.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtRequestPort (C7) intercepted (805DD6A4->EF681CB0), hook C:\WINDOWS\system32\drivers\OADriver.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtRequestWaitReplyPort (C8) intercepted (80576EC6->EF682018), hook C:\WINDOWS\system32\drivers\OADriver.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtRestoreKey (CC) intercepted (8064EFDD->EF68810E), hook C:\WINDOWS\system32\drivers\OADriver.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtResumeThread (CE) intercepted (805880AF->EF6810CE), hook C:\WINDOWS\system32\drivers\OADriver.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtSecureConnectPort (D2) intercepted (805888DA->EF68186E), hook C:\WINDOWS\system32\drivers\OADriver.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtSetContextThread (D5) intercepted (8062E057->EF680BCC), hook C:\WINDOWS\system32\drivers\OADriver.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtSetSystemInformation (F0) intercepted (805A7C5F->EF6830E0), hook C:\WINDOWS\system32\drivers\OADriver.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtShutdownSystem (F9) intercepted (806474BB->EF68228A), hook C:\WINDOWS\system32\drivers\OADriver.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtSuspendProcess (FD) intercepted (8062FC39->EF6811FE), hook C:\WINDOWS\system32\drivers\OADriver.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtSuspendThread (FE) intercepted (805E053E->EF680F7A), hook C:\WINDOWS\system32\drivers\OADriver.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtSystemDebugControl (FF) intercepted (8064A01B->EF680E40), hook C:\WINDOWS\system32\drivers\OADriver.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtTerminateProcess (101) intercepted (805824CC->EF680472), hook C:\WINDOWS\system32\drivers\OADriver.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtTerminateThread (102) intercepted (8057BA6F->EF680A66), hook C:\WINDOWS\system32\drivers\OADriver.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtUnloadDriver (106) intercepted (80619F32->EF682518), hook C:\WINDOWS\system32\drivers\OADriver.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtWriteVirtualMemory (115) intercepted (8057E60A->EF682804), hook C:\WINDOWS\system32\drivers\OADriver.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Functions checked: 284, intercepted: 34, restored: 34
1.3 Checking IDT and SYSENTER
 Analysis for CPU 1
CmpCallCallBacks = 0013AA8E
Disable callback OK
 Checking IDT and SYSENTER - complete
1.4 Searching for masking processes and drivers
 Searching for masking processes and drivers - complete
 Driver loaded successfully
1.5 Checking of IRP handlers
\driver\tcpip[IRP_MJ_CREATE] = F8688DF2 -> C:\WINDOWS\system32\drivers\OAmon.sys, driver recognized as trusted
\driver\tcpip[IRP_MJ_CREATE_NAMED_PIPE] = F8688DF2 -> C:\WINDOWS\system32\drivers\OAmon.sys, driver recognized as trusted
\driver\tcpip[IRP_MJ_CLOSE] = F8688DF2 -> C:\WINDOWS\system32\drivers\OAmon.sys, driver recognized as trusted
\driver\tcpip[IRP_MJ_READ] = F8688DF2 -> C:\WINDOWS\system32\drivers\OAmon.sys, driver recognized as trusted
\driver\tcpip[IRP_MJ_WRITE] = F8688DF2 -> C:\WINDOWS\system32\drivers\OAmon.sys, driver recognized as trusted
\driver\tcpip[IRP_MJ_QUERY_INFORMATION] = F8688DF2 -> C:\WINDOWS\system32\drivers\OAmon.sys, driver recognized as trusted
\driver\tcpip[IRP_MJ_SET_INFORMATION] = F8688DF2 -> C:\WINDOWS\system32\drivers\OAmon.sys, driver recognized as trusted
\driver\tcpip[IRP_MJ_QUERY_EA] = F8688DF2 -> C:\WINDOWS\system32\drivers\OAmon.sys, driver recognized as trusted
\driver\tcpip[IRP_MJ_SET_EA] = F8688DF2 -> C:\WINDOWS\system32\drivers\OAmon.sys, driver recognized as trusted
\driver\tcpip[IRP_MJ_FLUSH_BUFFERS] = F8688DF2 -> C:\WINDOWS\system32\drivers\OAmon.sys, driver recognized as trusted
\driver\tcpip[IRP_MJ_QUERY_VOLUME_INFORMATION] = F8688DF2 -> C:\WINDOWS\system32\drivers\OAmon.sys, driver recognized as trusted
\driver\tcpip[IRP_MJ_SET_VOLUME_INFORMATION] = F8688DF2 -> C:\WINDOWS\system32\drivers\OAmon.sys, driver recognized as trusted
\driver\tcpip[IRP_MJ_DIRECTORY_CONTROL] = F8688DF2 -> C:\WINDOWS\system32\drivers\OAmon.sys, driver recognized as trusted
\driver\tcpip[IRP_MJ_FILE_SYSTEM_CONTROL] = F8688DF2 -> C:\WINDOWS\system32\drivers\OAmon.sys, driver recognized as trusted
\driver\tcpip[IRP_MJ_DEVICE_CONTROL] = F8688DF2 -> C:\WINDOWS\system32\drivers\OAmon.sys, driver recognized as trusted
\driver\tcpip[IRP_MJ_INTERNAL_DEVICE_CONTROL] = F8688DF2 -> C:\WINDOWS\system32\drivers\OAmon.sys, driver recognized as trusted
\driver\tcpip[IRP_MJ_SHUTDOWN] = F8688DF2 -> C:\WINDOWS\system32\drivers\OAmon.sys, driver recognized as trusted
\driver\tcpip[IRP_MJ_LOCK_CONTROL] = F8688DF2 -> C:\WINDOWS\system32\drivers\OAmon.sys, driver recognized as trusted
\driver\tcpip[IRP_MJ_CLEANUP] = F8688DF2 -> C:\WINDOWS\system32\drivers\OAmon.sys, driver recognized as trusted
\driver\tcpip[IRP_MJ_CREATE_MAILSLOT] = F8688DF2 -> C:\WINDOWS\system32\drivers\OAmon.sys, driver recognized as trusted
\driver\tcpip[IRP_MJ_QUERY_SECURITY] = F8688DF2 -> C:\WINDOWS\system32\drivers\OAmon.sys, driver recognized as trusted
\driver\tcpip[IRP_MJ_SET_SECURITY] = F8688DF2 -> C:\WINDOWS\system32\drivers\OAmon.sys, driver recognized as trusted
\driver\tcpip[IRP_MJ_POWER] = F8688DF2 -> C:\WINDOWS\system32\drivers\OAmon.sys, driver recognized as trusted
\driver\tcpip[IRP_MJ_SYSTEM_CONTROL] = F8688DF2 -> C:\WINDOWS\system32\drivers\OAmon.sys, driver recognized as trusted
\driver\tcpip[IRP_MJ_DEVICE_CHANGE] = F8688DF2 -> C:\WINDOWS\system32\drivers\OAmon.sys, driver recognized as trusted
\driver\tcpip[IRP_MJ_QUERY_QUOTA] = F8688DF2 -> C:\WINDOWS\system32\drivers\OAmon.sys, driver recognized as trusted
\driver\tcpip[IRP_MJ_SET_QUOTA] = F8688DF2 -> C:\WINDOWS\system32\drivers\OAmon.sys, driver recognized as trusted
 Checking - complete
[?? - AVZ1749]: wuauserv ImagePath=""
>> Services: potentially dangerous service allowed: TermService (Terminal Services)
Error [2, SC_EXT_ADDITEMST]
>> Services: potentially dangerous service allowed: SSDPSRV (SSDP Discovery Service)
Error [2, SC_EXT_ADDITEMST]
>> Services: potentially dangerous service allowed: Schedule (Task Scheduler)
Error [2, SC_EXT_ADDITEMST]
> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
>> Security: disk drives' autorun is enabled
Error [2, SC_EXT_ADDITEMST]
>> Security: administrative shares (C$, D$ ...) are enabled
Error [2, SC_EXT_ADDITEMST]
>> Security: anonymous user access is enabled
Error [2, SC_EXT_ADDITEMST]
Error [2, SC_EXT_ADDITEMST]
>> Security: sending Remote Assistant queries is enabled
 >>  Disable HDD autorun
 >>  Disable autorun from network drives
 >>  Disable CD/DVD autorun
 >>  Disable removable media autorun
System Analysis in progress

System Analysis - complete