Results of system analysis

Kaspersky Virus Removal Tool 2010 9.0.0.722 (database released 24/06/2011; 18:47)

List of processes

File name	PID	Description	Copyright	MD5	Information
c:\windows\explorer.exe Script: Quarantine, Delete, BC delete, Terminate	360	Windows Explorer	© Microsoft Corporation. All rights reserved.	??	2553.50 kb, rsAh, created: 5/19/2011 4:36:27 PM, modified: 2/26/2011 1:33:07 AM Command line: C:\Windows\Explorer.EXE
c:\program files\htc home 1.10\htchome.exe Script: Quarantine, Delete, BC delete, Terminate	2640	HTC Home	Copyright © Stealth 2010	??	327.50 kb, rsAh, created: 6/10/2011 12:47:50 PM, modified: 10/13/2010 12:43:54 PM Command line: "C:\Program Files\HTC Home 1.10\HTCHome.exe"
c:\program files\internet explorer\iexplore.exe Script: Quarantine, Delete, BC delete, Terminate	5232	Internet Explorer	© Microsoft Corporation. All rights reserved.	??	730.80 kb, rsAh, created: 5/20/2011 11:21:16 PM, modified: 5/20/2011 11:21:16 PM Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
c:\program files\malwarebytes' anti-malware\mbamgui.exe Script: Quarantine, Delete, BC delete, Terminate	2508	Malwarebytes' Anti-Malware	© Malwarebytes Corporation. All rights reserved.	??	439.05 kb, rsAh, created: 6/19/2011 11:14:33 PM, modified: 5/29/2011 9:11:28 AM Command line: "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
c:\program files\windows live\mesh\moe.exe Script: Quarantine, Delete, BC delete, Terminate	2856	Mesh Operating Environment	Copyright (c) Microsoft Corporation. All rights reserved.	??	69.84 kb, rsAh, created: 10/19/2010 5:06:01 PM, modified: 10/19/2010 5:06:01 PM Command line: "C:\Program Files\Windows Live\Mesh\MOE.exe" "Global\MOE_STARTUP_COMPLETE_146d973f-e241-434d-93ae-2bf832cd1640_Manan" "Global\MOE_SHUTDOWN_146d973f-e241-434d-93ae-2bf832cd1640_Manan"
c:\windows\microsoft.net\framework\v3.0\wpf\presentationfontcache.exe Script: Quarantine, Delete, BC delete, Terminate	2712	PresentationFontCache.exe	© Microsoft Corporation. All rights reserved.	??	41.85 kb, rsAh, created: 7/13/2009 8:35:50 PM, modified: 6/10/2009 5:14:51 PM Command line: C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
c:\program files\synaptics\syntp\syntpenh.exe Script: Quarantine, Delete, BC delete, Terminate	2444	Synaptics TouchPad Enhancements	Copyright (C) Synaptics, Inc. 1996-2008	??	1021.29 kb, rsAh, created: 3/28/2008 2:05:00 AM, modified: 3/28/2008 2:05:00 AM Command line: "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
c:\program files\windows live\mesh\wlsync.exe Script: Quarantine, Delete, BC delete, Terminate	2596	Windows Live Mesh	© Microsoft Corporation. All rights reserved.	??	1414.84 kb, rsAh, created: 9/23/2010 1:19:02 AM, modified: 9/23/2010 1:19:02 AM Command line: "C:\Program Files\Windows Live\Mesh\WLSync.exe" /background
Detected:51, recognized as trusted 51

Module name	Handle	Description	Copyright	MD5	Used by processes
C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationCore\e7b5050c2c315562d740c4b9535cf5ce\PresentationCore.ni.dll Script: Quarantine, Delete, BC delete	1706688512	PresentationCore.dll	© Microsoft Corporation. All rights reserved.	--	2640, 2712
C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationFontCac#\29c7c077fc7c8c95e5bef098e1201b10\PresentationFontCache.ni.exe Script: Quarantine, Delete, BC delete	1680408576	PresentationFontCache.exe	© Microsoft Corporation. All rights reserved.	--	2712
C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\7114c629020f6bba198a954e4794c979\PresentationFramework.ni.dll Script: Quarantine, Delete, BC delete	1692336128	PresentationFramework.dll	© Microsoft Corporation. All rights reserved.	--	2640
C:\Windows\system32\certvert.dll Script: Quarantine, Delete, BC delete	268435456		Copyright (C) 2000	--	360, 2640, 5232, 2508, 2856, 2444, 2596
Modules detected:649, recognized as trusted 645

Kernel Space Modules Viewer

Module	Base address	Size in memory	Description	Manufacturer
C:\Windows\System32\Drivers\dump_dumpata.sys Script: Quarantine, Delete, BC delete	94B01000	00B000 (45056)
C:\Windows\System32\Drivers\dump_dumpfve.sys Script: Quarantine, Delete, BC delete	94B16000	011000 (69632)
C:\Windows\System32\Drivers\dump_msahci.sys Script: Quarantine, Delete, BC delete	94B0C000	00A000 (40960)
C:\Windows\System32\Drivers\spoq.sys Script: Quarantine, Delete, BC delete	88894000	0F3000 (995328)
Modules detected - 198, recognized as trusted - 194

Services

Service	Description	Status	File	Group	Dependencies
Detected - 159, recognized as trusted - 159

Drivers

Service	Description	Status	File	Group	Dependencies
sptd Driver: Unload, Delete, Disable	sptd	Running	C:\Windows\System32\Drivers\sptd.sys Script: Quarantine, Delete, BC delete	Boot Bus Extender
catchme Driver: Unload, Delete, Disable	catchme	Not started	C:\Users\Manan\AppData\Local\Temp\catchme.sys Script: Quarantine, Delete, BC delete	Base
nmwcd Driver: Unload, Delete, Disable	Nokia USB Phone Parent	Not started	C:\Windows\system32\drivers\ccdcmb.sys Script: Quarantine, Delete, BC delete	Extended Base
nmwcdc Driver: Unload, Delete, Disable	Nokia USB Generic	Not started	C:\Windows\system32\drivers\ccdcmbo.sys Script: Quarantine, Delete, BC delete
pccsmcfd Driver: Unload, Delete, Disable	PCCS Mode Change Filter Driver	Not started	C:\Windows\system32\DRIVERS\pccsmcfd.sys Script: Quarantine, Delete, BC delete
upperdev Driver: Unload, Delete, Disable	upperdev	Not started	C:\Windows\system32\DRIVERS\usbser_lowerflt.sys Script: Quarantine, Delete, BC delete
UsbserFilt Driver: Unload, Delete, Disable	UsbserFilt	Not started	C:\Windows\system32\DRIVERS\usbser_lowerfltj.sys Script: Quarantine, Delete, BC delete
Detected - 265, recognized as trusted - 258

Autoruns

File name	Status	Startup method	Description
C:\Program Files\Hewlett-Packard\HP-MPI\sbin\HPMPIWin32Service.exe Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\HPMPI, EventMessageFile Delete
C:\Windows\system32\psxss.exe Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, System\CurrentControlSet\Control\Session Manager\SubSystems, Posix
progman.exe Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\WOW\boot, shell Delete
vgafix.fon Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\WOW\boot, fixedfon.fon Delete
vgaoem.fon Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\WOW\boot, oemfonts.fon Delete
vgasys.fon Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\WOW\boot, fonts.fon Delete
Autoruns items detected - 583, recognized as trusted - 577

Microsoft Internet Explorer extension modules (BHOs, Toolbars ...)

File name	Type	Description	Manufacturer	CLSID
	Extension module			{2670000A-7350-4f3c-8081-5663EE0C6C49} Delete
	Extension module			{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} Delete
Elements detected - 11, recognized as trusted - 9

Windows Explorer extension modules

File name	Destination	Description	Manufacturer	CLSID
"C:\Program Files\Windows Live\Photo Gallery\WLXPhotoGallery.exe" /PhotoViewerComServer {2BE99FD4-A181-4996-BFA9-58C5FFD11F6C} Script: Quarantine, Delete, BC delete	Windows Live Photo Gallery Autoplay Drop Target			{2BE99FD4-A181-4996-BFA9-58C5FFD11F6C} Delete
"C:\Program Files\Windows Live\Photo Gallery\WLXPhotoGallery.exe" /PhotoViewerComServer {00F30F64-AC33-42F5-8FD1-5DC2D3FDE06C} Script: Quarantine, Delete, BC delete	Windows Live Photo Gallery Viewer Drop Target			{00F30F64-AC33-42F5-8FD1-5DC2D3FDE06C} Delete
"C:\Program Files\Windows Live\Photo Gallery\WLXPhotoGallery.exe" /PhotoViewerComServer {00F374B7-B390-4884-B372-2FC349F2172B} Script: Quarantine, Delete, BC delete	Windows Live Photo Gallery Editor Drop Target			{00F374B7-B390-4884-B372-2FC349F2172B} Delete
Elements detected - 28, recognized as trusted - 25

Printing system extensions (print monitors, providers)

File name	Type	Name	Description	Manufacturer
Elements detected - 9, recognized as trusted - 9

Task Scheduler jobs

File name	Job name	Job status	Description	Manufacturer
Elements detected - 0, recognized as trusted - 0

SPI/LSP settings

Namespace providers (NSP)

Provider	Status	EXE file	Description	GUID
Detected - 8, recognized as trusted - 8

Transport protocol providers (TSP, LSP)

Provider EXE file Description
Detected - 32, recognized as trusted - 32
Results of automatic SPI settings check
LSP settings checked. No errors detected

TCP/UDP ports

Port Status Remote Host Remote Port Application Notes
TCP ports
135 LISTENING 0.0.0.0 0 [764] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
139 LISTENING 0.0.0.0 0 [4] System
Script: Quarantine, Delete, BC delete, Terminate
445 LISTENING 0.0.0.0 0 [4] System
Script: Quarantine, Delete, BC delete, Terminate
2048 LISTENING 0.0.0.0 0 [4] System
Script: Quarantine, Delete, BC delete, Terminate
2869 LISTENING 0.0.0.0 0 [4] System
Script: Quarantine, Delete, BC delete, Terminate
10000 LISTENING 0.0.0.0 0 [3684] c:\program files\utorrent\utorrent.exe
Script: Quarantine, Delete, BC delete, Terminate
18532 LISTENING 0.0.0.0 0 [3684] c:\program files\utorrent\utorrent.exe
Script: Quarantine, Delete, BC delete, Terminate
18532 TIME_WAIT 2.49.68.17 62086 [0]
18532 TIME_WAIT 2.49.113.123 63365 [0]
18532 TIME_WAIT 2.49.138.3 57209 [0]
18532 TIME_WAIT 2.50.141.236 3390 [0]
18532 TIME_WAIT 2.50.141.236 3398 [0]
18532 TIME_WAIT 2.88.116.103 1281 [0]
18532 TIME_WAIT 2.91.24.212 23058 [0]
18532 TIME_WAIT 2.106.239.80 2464 [0]
18532 TIME_WAIT 14.201.194.119 63133 [0]
18532 ESTABLISHED 24.0.35.155 64597 [3684] c:\program files\utorrent\utorrent.exe
Script: Quarantine, Delete, BC delete, Terminate
18532 TIME_WAIT 24.6.159.66 55121 [0]
18532 SYN_RECEIVED 24.6.159.66 55469 [3684] c:\program files\utorrent\utorrent.exe
Script: Quarantine, Delete, BC delete, Terminate
18532 TIME_WAIT 24.57.248.205 61651 [0]
18532 TIME_WAIT 24.80.101.106 27629 [0]
18532 TIME_WAIT 24.80.101.106 27643 [0]
18532 TIME_WAIT 24.108.12.26 62222 [0]
18532 TIME_WAIT 24.109.54.220 54210 [0]
18532 TIME_WAIT 24.138.35.210 63711 [0]
18532 ESTABLISHED 24.141.152.142 52440 [3684] c:\program files\utorrent\utorrent.exe
Script: Quarantine, Delete, BC delete, Terminate
18532 TIME_WAIT 24.142.22.71 55039 [0]
18532 TIME_WAIT 24.143.226.103 4478 [0]
18532 ESTABLISHED 24.184.118.90 57419 [3684] c:\program files\utorrent\utorrent.exe
Script: Quarantine, Delete, BC delete, Terminate
18532 TIME_WAIT 24.188.104.252 55119 [0]
18532 TIME_WAIT 24.188.104.252 55247 [0]
18532 TIME_WAIT 24.200.71.64 61222 [0]
18532 TIME_WAIT 24.213.76.18 64365 [0]
18532 SYN_RECEIVED 24.213.76.18 64425 [3684] c:\program files\utorrent\utorrent.exe
Script: Quarantine, Delete, BC delete, Terminate
18532 TIME_WAIT 24.226.62.255 1380 [0]
18532 TIME_WAIT 27.32.176.138 1448 [0]
18532 TIME_WAIT 41.68.12.54 26824 [0]
18532 TIME_WAIT 41.68.12.54 26922 [0]
18532 FIN_WAIT2 41.132.15.176 53878 [3684] c:\program files\utorrent\utorrent.exe
Script: Quarantine, Delete, BC delete, Terminate
18532 TIME_WAIT 41.218.237.12 20479 [0]
18532 TIME_WAIT 41.242.122.134 27150 [0]
18532 TIME_WAIT 46.40.21.117 50125 [0]
18532 TIME_WAIT 46.184.200.235 64715 [0]
18532 TIME_WAIT 46.184.200.235 64757 [0]
18532 TIME_WAIT 50.36.165.82 50054 [0]
18532 TIME_WAIT 50.36.165.82 50287 [0]
18532 TIME_WAIT 50.36.185.29 50627 [0]
18532 TIME_WAIT 50.88.230.71 55475 [0]
18532 TIME_WAIT 50.98.224.245 38812 [0]
18532 TIME_WAIT 58.96.52.228 62884 [0]
18532 TIME_WAIT 58.182.120.139 49585 [0]
18532 TIME_WAIT 58.182.208.238 1314 [0]
18532 TIME_WAIT 58.182.208.238 1359 [0]
18532 TIME_WAIT 59.189.60.192 52700 [0]
18532 TIME_WAIT 60.240.204.239 64595 [0]
18532 FIN_WAIT 60.240.204.239 64823 [3684] c:\program files\utorrent\utorrent.exe
Script: Quarantine, Delete, BC delete, Terminate
18532 TIME_WAIT 60.241.234.230 54995 [0]
18532 ESTABLISHED 65.52.69.65 61478 [3684] c:\program files\utorrent\utorrent.exe
Script: Quarantine, Delete, BC delete, Terminate
18532 TIME_WAIT 65.94.57.185 1062 [0]
18532 TIME_WAIT 65.94.57.185 1121 [0]
18532 TIME_WAIT 65.94.57.185 4981 [0]
18532 TIME_WAIT 65.94.99.47 63603 [0]
18532 TIME_WAIT 65.94.99.47 63686 [0]
18532 TIME_WAIT 65.198.187.1 16354 [0]
18532 TIME_WAIT 65.198.187.1 16869 [0]
18532 ESTABLISHED 66.44.119.128 56127 [3684] c:\program files\utorrent\utorrent.exe
Script: Quarantine, Delete, BC delete, Terminate
18532 TIME_WAIT 66.66.115.227 62781 [0]
18532 TIME_WAIT 66.66.115.227 62839 [0]
18532 ESTABLISHED 66.183.100.78 57743 [3684] c:\program files\utorrent\utorrent.exe
Script: Quarantine, Delete, BC delete, Terminate
18532 TIME_WAIT 67.149.217.20 50616 [0]
18532 TIME_WAIT 67.149.217.20 50787 [0]
18532 TIME_WAIT 67.171.176.205 35969 [0]
18532 TIME_WAIT 67.171.176.205 60973 [0]
18532 TIME_WAIT 67.180.107.104 35642 [0]
18532 TIME_WAIT 67.180.107.104 35848 [0]
18532 TIME_WAIT 67.181.107.35 54862 [0]
18532 TIME_WAIT 67.190.12.11 51225 [0]
18532 TIME_WAIT 67.202.108.71 42299 [0]
18532 ESTABLISHED 67.219.75.141 27154 [3684] c:\program files\utorrent\utorrent.exe
Script: Quarantine, Delete, BC delete, Terminate
18532 TIME_WAIT 68.39.65.146 54588 [0]
18532 TIME_WAIT 68.45.245.153 61699 [0]
18532 TIME_WAIT 68.52.239.198 61478 [0]
18532 TIME_WAIT 68.62.251.13 50601 [0]
18532 TIME_WAIT 68.62.251.13 50649 [0]
18532 TIME_WAIT 68.144.213.41 61259 [0]
18532 TIME_WAIT 68.149.15.64 61149 [0]
18532 TIME_WAIT 68.151.228.210 3549 [0]
18532 TIME_WAIT 69.80.16.78 62941 [0]
18532 TIME_WAIT 69.80.16.78 62998 [0]
18532 ESTABLISHED 69.138.115.133 4657 [3684] c:\program files\utorrent\utorrent.exe
Script: Quarantine, Delete, BC delete, Terminate
18532 TIME_WAIT 69.158.133.73 4063 [0]
18532 TIME_WAIT 69.178.67.61 63924 [0]
18532 TIME_WAIT 69.204.108.24 50482 [0]
18532 TIME_WAIT 69.255.233.149 61815 [0]
18532 TIME_WAIT 70.20.24.31 59880 [0]
18532 TIME_WAIT 70.27.137.234 51653 [0]
18532 TIME_WAIT 70.29.23.92 61611 [0]
18532 TIME_WAIT 70.29.23.92 61827 [0]
18532 TIME_WAIT 70.77.199.58 59211 [0]
18532 TIME_WAIT 70.77.199.58 59213 [0]
18532 ESTABLISHED 70.111.91.169 50011 [3684] c:\program files\utorrent\utorrent.exe
Script: Quarantine, Delete, BC delete, Terminate
18532 TIME_WAIT 70.112.16.45 60683 [0]
18532 TIME_WAIT 70.116.9.20 54272 [0]
18532 TIME_WAIT 70.117.6.122 56163 [0]
18532 TIME_WAIT 70.117.6.122 56420 [0]
18532 TIME_WAIT 71.7.172.27 59189 [0]
18532 ESTABLISHED 71.22.163.106 51148 [3684] c:\program files\utorrent\utorrent.exe
Script: Quarantine, Delete, BC delete, Terminate
18532 TIME_WAIT 71.54.73.150 18900 [0]
18532 TIME_WAIT 71.93.197.44 52362 [0]
18532 TIME_WAIT 71.93.197.44 52373 [0]
18532 TIME_WAIT 71.104.5.233 50266 [0]
18532 TIME_WAIT 71.142.197.87 52042 [0]
18532 TIME_WAIT 71.180.106.194 53627 [0]
18532 TIME_WAIT 71.224.58.226 1963 [0]
18532 TIME_WAIT 71.238.185.70 65233 [0]
18532 TIME_WAIT 72.12.134.138 60862 [0]
18532 TIME_WAIT 72.39.124.105 57375 [0]
18532 TIME_WAIT 72.94.62.249 58850 [0]
18532 TIME_WAIT 72.94.62.249 58854 [0]
18532 TIME_WAIT 72.200.202.160 54552 [0]
18532 TIME_WAIT 72.200.202.160 54781 [0]
18532 TIME_WAIT 72.225.43.87 4766 [0]
18532 TIME_WAIT 72.227.140.167 60691 [0]
18532 TIME_WAIT 72.252.106.77 63826 [0]
18532 TIME_WAIT 72.252.106.77 64143 [0]
18532 TIME_WAIT 74.15.133.239 49457 [0]
18532 TIME_WAIT 74.46.66.201 61312 [0]
18532 TIME_WAIT 74.66.238.140 33525 [0]
18532 TIME_WAIT 74.66.238.140 41363 [0]
18532 TIME_WAIT 74.78.19.126 58211 [0]
18532 TIME_WAIT 74.102.198.207 64529 [0]
18532 TIME_WAIT 74.102.198.207 64707 [0]
18532 TIME_WAIT 74.247.60.44 59063 [0]
18532 TIME_WAIT 75.74.106.71 58671 [0]
18532 TIME_WAIT 75.82.219.52 56414 [0]
18532 TIME_WAIT 75.111.128.175 43229 [0]
18532 TIME_WAIT 75.143.146.8 2171 [0]
18532 TIME_WAIT 75.146.104.90 54413 [0]
18532 TIME_WAIT 75.155.139.128 55848 [0]
18532 TIME_WAIT 75.155.139.128 55908 [0]
18532 TIME_WAIT 76.11.122.103 1252 [0]
18532 TIME_WAIT 76.11.122.103 1328 [0]
18532 TIME_WAIT 76.20.243.23 57067 [0]
18532 TIME_WAIT 76.64.23.39 61543 [0]
18532 TIME_WAIT 76.69.195.192 51452 [0]
18532 TIME_WAIT 76.124.235.24 54442 [0]
18532 TIME_WAIT 76.170.73.86 55626 [0]
18532 TIME_WAIT 76.192.245.60 62872 [0]
18532 TIME_WAIT 76.192.245.60 63022 [0]
18532 TIME_WAIT 76.211.237.220 53592 [0]
18532 TIME_WAIT 77.99.71.213 65407 [0]
18532 TIME_WAIT 77.215.173.2 16756 [0]
18532 TIME_WAIT 77.215.242.2 28995 [0]
18532 TIME_WAIT 78.101.219.121 52998 [0]
18532 TIME_WAIT 78.129.4.20 57059 [0]
18532 TIME_WAIT 78.188.10.58 61514 [0]
18532 ESTABLISHED 78.248.125.178 58608 [3684] c:\program files\utorrent\utorrent.exe
Script: Quarantine, Delete, BC delete, Terminate
18532 TIME_WAIT 79.178.9.219 56588 [0]
18532 TIME_WAIT 79.183.199.103 55268 [0]
18532 TIME_WAIT 80.0.154.213 60945 [0]
18532 TIME_WAIT 80.57.129.185 56034 [0]
18532 TIME_WAIT 80.57.129.185 56230 [0]
18532 TIME_WAIT 80.121.44.49 57520 [0]
18532 TIME_WAIT 80.192.154.65 54103 [0]
18532 TIME_WAIT 80.192.154.65 54201 [0]
18532 TIME_WAIT 81.100.26.25 25751 [0]
18532 TIME_WAIT 81.155.28.12 59836 [0]
18532 TIME_WAIT 81.155.28.12 60028 [0]
18532 TIME_WAIT 82.170.37.143 14625 [0]
18532 TIME_WAIT 82.170.37.143 14708 [0]
18532 TIME_WAIT 83.166.208.60 63768 [0]
18532 TIME_WAIT 83.227.200.131 49959 [0]
18532 TIME_WAIT 83.227.200.131 52643 [0]
18532 TIME_WAIT 83.248.164.163 62557 [0]
18532 TIME_WAIT 83.248.164.163 62891 [0]
18532 TIME_WAIT 84.235.73.171 57444 [0]
18532 TIME_WAIT 85.246.197.140 50186 [0]
18532 TIME_WAIT 85.246.197.140 50333 [0]
18532 TIME_WAIT 86.5.60.55 53061 [0]
18532 TIME_WAIT 86.30.142.114 54482 [0]
18532 TIME_WAIT 86.30.142.114 54662 [0]
18532 TIME_WAIT 86.138.129.234 51871 [0]
18532 TIME_WAIT 86.161.169.1 1024 [0]
18532 TIME_WAIT 87.91.112.65 61569 [0]
18532 TIME_WAIT 87.112.119.204 49398 [0]
18532 TIME_WAIT 87.194.34.105 57852 [0]
18532 TIME_WAIT 87.194.34.105 57946 [0]
18532 TIME_WAIT 87.200.42.243 62209 [0]
18532 TIME_WAIT 87.210.160.70 63839 [0]
18532 TIME_WAIT 87.210.160.70 64141 [0]
18532 TIME_WAIT 88.193.171.206 49741 [0]
18532 TIME_WAIT 88.196.233.204 49236 [0]
18532 TIME_WAIT 88.196.233.204 65348 [0]
18532 TIME_WAIT 89.34.46.133 60564 [0]
18532 ESTABLISHED 89.142.31.44 49804 [3684] c:\program files\utorrent\utorrent.exe
Script: Quarantine, Delete, BC delete, Terminate
18532 TIME_WAIT 89.172.202.230 55426 [0]
18532 TIME_WAIT 89.212.43.172 51663 [0]
18532 TIME_WAIT 89.237.130.18 50660 [0]
18532 ESTABLISHED 90.199.34.175 60226 [3684] c:\program files\utorrent\utorrent.exe
Script: Quarantine, Delete, BC delete, Terminate
18532 ESTABLISHED 90.200.103.83 49445 [3684] c:\program files\utorrent\utorrent.exe
Script: Quarantine, Delete, BC delete, Terminate
18532 TIME_WAIT 90.200.161.58 53874 [0]
18532 TIME_WAIT 90.219.238.242 61204 [0]
18532 TIME_WAIT 92.16.6.127 58436 [0]
18532 TIME_WAIT 92.96.222.244 61200 [0]
18532 TIME_WAIT 92.96.222.244 61542 [0]
18532 TIME_WAIT 92.97.154.36 49417 [0]
18532 TIME_WAIT 92.97.154.36 49646 [0]
18532 TIME_WAIT 92.97.244.78 54756 [0]
18532 TIME_WAIT 92.97.244.78 54916 [0]
18532 TIME_WAIT 92.98.92.40 51240 [0]
18532 TIME_WAIT 92.98.92.40 51324 [0]
18532 TIME_WAIT 92.241.90.242 5932 [0]
18532 ESTABLISHED 92.241.90.242 5991 [3684] c:\program files\utorrent\utorrent.exe
Script: Quarantine, Delete, BC delete, Terminate
18532 TIME_WAIT 93.97.29.231 62644 [0]
18532 TIME_WAIT 94.14.254.225 60651 [0]
18532 TIME_WAIT 94.99.3.87 53823 [0]
18532 TIME_WAIT 94.170.143.126 58396 [0]
18532 TIME_WAIT 94.170.143.126 58519 [0]
18532 TIME_WAIT 94.195.191.59 53210 [0]
18532 TIME_WAIT 94.195.191.59 53587 [0]
18532 TIME_WAIT 94.202.191.172 60130 [0]
18532 TIME_WAIT 94.208.24.95 41418 [0]
18532 TIME_WAIT 94.208.24.95 46832 [0]
18532 ESTABLISHED 96.48.8.105 62642 [3684] c:\program files\utorrent\utorrent.exe
Script: Quarantine, Delete, BC delete, Terminate
18532 TIME_WAIT 96.48.77.177 58425 [0]
18532 TIME_WAIT 96.48.77.177 58717 [0]
18532 ESTABLISHED 96.49.37.76 61988 [3684] c:\program files\utorrent\utorrent.exe
Script: Quarantine, Delete, BC delete, Terminate
18532 TIME_WAIT 96.49.187.184 54779 [0]
18532 TIME_WAIT 96.51.216.21 55442 [0]
18532 TIME_WAIT 96.52.228.247 60330 [0]
18532 TIME_WAIT 96.54.14.156 54951 [0]
18532 TIME_WAIT 96.54.14.156 55121 [0]
18532 TIME_WAIT 96.54.102.189 58691 [0]
18532 ESTABLISHED 96.61.169.101 57746 [3684] c:\program files\utorrent\utorrent.exe
Script: Quarantine, Delete, BC delete, Terminate
18532 TIME_WAIT 96.245.61.154 51716 [0]
18532 TIME_WAIT 97.102.30.36 63125 [0]
18532 TIME_WAIT 98.18.46.203 61566 [0]
18532 TIME_WAIT 98.28.232.100 49689 [0]
18532 TIME_WAIT 98.111.164.252 3447 [0]
18532 TIME_WAIT 98.116.76.59 58752 [0]
18532 TIME_WAIT 98.116.76.59 59108 [0]
18532 TIME_WAIT 98.116.175.134 50805 [0]
18532 TIME_WAIT 98.164.254.68 61728 [0]
18532 ESTABLISHED 98.165.132.222 49273 [3684] c:\program files\utorrent\utorrent.exe
Script: Quarantine, Delete, BC delete, Terminate
18532 TIME_WAIT 98.165.248.59 65274 [0]
18532 TIME_WAIT 98.196.16.135 1192 [0]
18532 TIME_WAIT 98.227.95.110 50981 [0]
18532 TIME_WAIT 98.243.71.150 55391 [0]
18532 TIME_WAIT 98.252.207.182 43391 [0]
18532 TIME_WAIT 99.163.95.194 60240 [0]
18532 TIME_WAIT 99.163.95.194 60466 [0]
18532 TIME_WAIT 99.199.50.182 60105 [0]
18532 TIME_WAIT 99.227.252.139 56493 [0]
18532 TIME_WAIT 99.227.252.139 56630 [0]
18532 TIME_WAIT 99.227.252.139 56770 [0]
18532 TIME_WAIT 99.239.181.39 57589 [0]
18532 TIME_WAIT 99.242.90.7 62560 [0]
18532 TIME_WAIT 99.242.165.179 65331 [0]
18532 TIME_WAIT 99.242.165.179 65510 [0]
18532 TIME_WAIT 99.246.60.176 61770 [0]
18532 TIME_WAIT 99.250.11.60 50919 [0]
18532 TIME_WAIT 99.250.11.60 50923 [0]
18532 TIME_WAIT 99.250.39.66 61457 [0]
18532 TIME_WAIT 99.250.39.66 61534 [0]
18532 TIME_WAIT 108.60.168.179 61619 [0]
18532 TIME_WAIT 108.67.53.214 56618 [0]
18532 TIME_WAIT 109.78.3.224 41977 [0]
18532 TIME_WAIT 109.132.229.218 9101 [0]
18532 TIME_WAIT 111.93.213.167 50667 [0]
18532 TIME_WAIT 111.118.150.224 27823 [0]
18532 TIME_WAIT 111.240.52.54 24490 [0]
18532 ESTABLISHED 112.198.64.43 26783 [3684] c:\program files\utorrent\utorrent.exe
Script: Quarantine, Delete, BC delete, Terminate
18532 TIME_WAIT 112.202.179.127 55949 [0]
18532 TIME_WAIT 112.202.179.127 56002 [0]
18532 TIME_WAIT 113.20.19.186 62896 [0]
18532 TIME_WAIT 114.76.140.213 1966 [0]
18532 TIME_WAIT 114.76.140.213 2020 [0]
18532 TIME_WAIT 114.182.157.85 55637 [0]
18532 TIME_WAIT 114.182.157.85 55762 [0]
18532 TIME_WAIT 116.88.209.234 61825 [0]
18532 TIME_WAIT 118.209.184.129 61165 [0]
18532 TIME_WAIT 118.209.184.129 61248 [0]
18532 TIME_WAIT 119.224.218.126 60579 [0]
18532 TIME_WAIT 119.225.8.2 44602 [0]
18532 ESTABLISHED 119.235.54.104 4083 [3684] c:\program files\utorrent\utorrent.exe
Script: Quarantine, Delete, BC delete, Terminate
18532 TIME_WAIT 120.28.190.138 55325 [0]
18532 TIME_WAIT 120.61.2.241 12066 [0]
18532 TIME_WAIT 121.7.60.49 53867 [0]
18532 TIME_WAIT 121.7.60.49 53964 [0]
18532 TIME_WAIT 121.45.159.149 49702 [0]
18532 ESTABLISHED 121.45.222.185 1432 [3684] c:\program files\utorrent\utorrent.exe
Script: Quarantine, Delete, BC delete, Terminate
18532 TIME_WAIT 121.213.160.57 65212 [0]
18532 TIME_WAIT 121.213.160.57 65265 [0]
18532 TIME_WAIT 121.219.154.27 64631 [0]
18532 TIME_WAIT 121.219.154.27 64692 [0]
18532 TIME_WAIT 121.219.154.27 64728 [0]
18532 SYN_RECEIVED 122.109.108.150 56419 [3684] c:\program files\utorrent\utorrent.exe
Script: Quarantine, Delete, BC delete, Terminate
18532 TIME_WAIT 122.174.89.235 58956 [0]
18532 TIME_WAIT 122.174.89.235 59003 [0]
18532 TIME_WAIT 123.236.184.3 56395 [0]
18532 TIME_WAIT 124.43.233.157 64927 [0]
18532 TIME_WAIT 124.148.220.104 39811 [0]
18532 TIME_WAIT 124.168.244.188 59533 [0]
18532 TIME_WAIT 124.168.244.188 59600 [0]
18532 TIME_WAIT 124.169.209.162 2911 [0]
18532 TIME_WAIT 124.169.232.106 2363 [0]
18532 TIME_WAIT 124.176.252.1 49806 [0]
18532 TIME_WAIT 124.176.252.1 50061 [0]
18532 SYN_RECEIVED 124.190.234.51 62603 [3684] c:\program files\utorrent\utorrent.exe
Script: Quarantine, Delete, BC delete, Terminate
18532 TIME_WAIT 131.227.236.123 54987 [0]
18532 TIME_WAIT 137.229.110.24 61347 [0]
18532 TIME_WAIT 137.229.110.24 61771 [0]
18532 TIME_WAIT 142.163.134.149 60085 [0]
18532 TIME_WAIT 145.107.8.102 51032 [0]
18532 TIME_WAIT 145.107.8.102 51214 [0]
18532 TIME_WAIT 151.95.27.20 58964 [0]
18532 TIME_WAIT 151.95.27.20 59216 [0]
18532 TIME_WAIT 168.167.195.208 54744 [0]
18532 TIME_WAIT 168.167.195.208 54877 [0]
18532 TIME_WAIT 173.33.90.63 1326 [0]
18532 TIME_WAIT 173.34.56.108 60951 [0]
18532 FIN_WAIT 173.35.92.196 56705 [3684] c:\program files\utorrent\utorrent.exe
Script: Quarantine, Delete, BC delete, Terminate
18532 TIME_WAIT 173.35.115.25 60857 [0]
18532 TIME_WAIT 173.35.168.209 4309 [0]
18532 TIME_WAIT 173.52.78.122 63230 [0]
18532 TIME_WAIT 173.52.78.122 63334 [0]
18532 TIME_WAIT 173.56.112.217 57115 [0]
18532 ESTABLISHED 173.75.190.226 64955 [3684] c:\program files\utorrent\utorrent.exe
Script: Quarantine, Delete, BC delete, Terminate
18532 TIME_WAIT 173.163.192.58 60794 [0]
18532 TIME_WAIT 173.163.192.58 60901 [0]
18532 TIME_WAIT 173.179.168.94 62681 [0]
18532 TIME_WAIT 173.179.168.94 62894 [0]
18532 TIME_WAIT 173.183.37.192 60685 [0]
18532 TIME_WAIT 173.183.37.192 61604 [0]
18532 TIME_WAIT 173.206.249.186 63126 [0]
18532 TIME_WAIT 173.206.249.186 63198 [0]
18532 TIME_WAIT 173.212.96.120 2562 [0]
18532 TIME_WAIT 173.212.96.120 2627 [0]
18532 TIME_WAIT 173.217.70.99 55989 [0]
18532 TIME_WAIT 174.1.105.59 57493 [0]
18532 TIME_WAIT 174.3.215.184 3109 [0]
18532 TIME_WAIT 174.3.215.184 3216 [0]
18532 TIME_WAIT 174.5.77.211 64065 [0]
18532 TIME_WAIT 174.5.105.33 58806 [0]
18532 TIME_WAIT 174.5.105.33 59062 [0]
18532 TIME_WAIT 174.89.26.20 54240 [0]
18532 TIME_WAIT 174.102.66.231 59051 [0]
18532 TIME_WAIT 174.102.66.231 59221 [0]
18532 TIME_WAIT 174.106.20.67 64359 [0]
18532 TIME_WAIT 174.106.20.67 64548 [0]
18532 TIME_WAIT 174.108.4.68 58475 [0]
18532 TIME_WAIT 174.108.4.68 58486 [0]
18532 TIME_WAIT 174.112.2.48 64094 [0]
18532 TIME_WAIT 174.112.2.48 64095 [0]
18532 TIME_WAIT 174.113.18.113 50569 [0]
18532 TIME_WAIT 174.115.45.94 63197 [0]
18532 TIME_WAIT 174.117.251.141 56265 [0]
18532 TIME_WAIT 174.117.251.141 56389 [0]
18532 TIME_WAIT 174.155.88.19 63080 [0]
18532 TIME_WAIT 175.136.60.9 60898 [0]
18532 TIME_WAIT 175.136.174.188 39437 [0]
18532 TIME_WAIT 175.145.215.67 3910 [0]
18532 TIME_WAIT 176.44.95.83 40754 [0]
18532 TIME_WAIT 177.40.149.15 52157 [0]
18532 TIME_WAIT 177.40.149.15 52844 [0]
18532 TIME_WAIT 178.77.152.19 52657 [0]
18532 TIME_WAIT 178.131.159.198 56616 [0]
18532 ESTABLISHED 178.253.210.201 11154 [3684] c:\program files\utorrent\utorrent.exe
Script: Quarantine, Delete, BC delete, Terminate
18532 TIME_WAIT 180.148.38.175 3927 [0]
18532 TIME_WAIT 180.188.237.227 55779 [0]
18532 TIME_WAIT 180.188.237.227 55795 [0]
18532 TIME_WAIT 180.191.34.86 60738 [0]
18532 TIME_WAIT 180.215.1.241 50896 [0]
18532 TIME_WAIT 180.215.185.246 52363 [0]
18532 TIME_WAIT 184.65.11.31 4427 [0]
18532 TIME_WAIT 184.65.11.31 4515 [0]
18532 TIME_WAIT 187.53.29.11 52329 [0]
18532 TIME_WAIT 187.53.29.11 52425 [0]
18532 TIME_WAIT 189.13.198.200 59757 [0]
18532 TIME_WAIT 192.194.227.18 24023 [0]
18532 TIME_WAIT 194.144.99.4 52707 [0]
18532 TIME_WAIT 195.42.128.66 61848 [0]
18532 TIME_WAIT 195.42.128.66 62143 [0]
18532 TIME_WAIT 195.150.86.75 64967 [0]
18532 TIME_WAIT 196.209.225.186 58347 [0]
18532 TIME_WAIT 201.78.253.37 12173 [0]
18532 ESTABLISHED 201.79.104.6 52449 [3684] c:\program files\utorrent\utorrent.exe
Script: Quarantine, Delete, BC delete, Terminate
18532 TIME_WAIT 203.129.46.57 56343 [0]
18532 TIME_WAIT 203.218.68.138 49630 [0]
18532 TIME_WAIT 203.218.68.138 49758 [0]
18532 TIME_WAIT 204.83.50.5 56197 [0]
18532 TIME_WAIT 206.45.54.243 58898 [0]
18532 TIME_WAIT 206.223.181.9 3587 [0]
18532 TIME_WAIT 206.223.181.9 3588 [0]
18532 TIME_WAIT 206.223.181.9 3650 [0]
18532 TIME_WAIT 206.223.181.9 3652 [0]
18532 TIME_WAIT 207.6.147.218 61734 [0]
18532 TIME_WAIT 207.47.211.236 60603 [0]
18532 TIME_WAIT 207.255.176.194 32800 [0]
18532 TIME_WAIT 207.255.176.194 45873 [0]
18532 TIME_WAIT 208.96.95.93 56060 [0]
18532 TIME_WAIT 208.96.95.93 56102 [0]
18532 TIME_WAIT 208.101.112.152 51854 [0]
18532 TIME_WAIT 208.127.69.105 63031 [0]
18532 TIME_WAIT 209.6.66.156 59470 [0]
18532 TIME_WAIT 209.6.66.156 59574 [0]
18532 TIME_WAIT 209.59.76.180 63920 [0]
18532 TIME_WAIT 209.115.246.230 40153 [0]
18532 TIME_WAIT 209.115.246.230 47969 [0]
18532 TIME_WAIT 209.121.151.230 53707 [0]
18532 TIME_WAIT 209.195.80.51 51009 [0]
18532 TIME_WAIT 210.49.68.98 59331 [0]
18532 TIME_WAIT 212.116.206.100 24591 [0]
18532 TIME_WAIT 212.116.206.100 24813 [0]
18532 TIME_WAIT 213.55.108.113 46736 [0]
18532 ESTABLISHED 213.101.236.162 62717 [3684] c:\program files\utorrent\utorrent.exe
Script: Quarantine, Delete, BC delete, Terminate
18532 TIME_WAIT 216.8.181.186 58186 [0]
18532 TIME_WAIT 220.157.134.4 59164 [0]
18532 TIME_WAIT 220.233.18.33 17569 [0]
18532 TIME_WAIT 220.233.18.33 17589 [0]
49152 LISTENING 0.0.0.0 0 [444] c:\windows\system32\wininit.exe
Script: Quarantine, Delete, BC delete, Terminate
49153 LISTENING 0.0.0.0 0 [824] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
49154 LISTENING 0.0.0.0 0 [928] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
49155 LISTENING 0.0.0.0 0 [1344] c:\windows\system32\spoolsv.exe
Script: Quarantine, Delete, BC delete, Terminate
49156 LISTENING 0.0.0.0 0 [500] c:\windows\system32\services.exe
Script: Quarantine, Delete, BC delete, Terminate
49157 LISTENING 0.0.0.0 0 [516] c:\windows\system32\lsass.exe
Script: Quarantine, Delete, BC delete, Terminate
53140 ESTABLISHED 64.4.61.128 1863 [3576] c:\program files\windows live\contacts\wlcomm.exe
Script: Quarantine, Delete, BC delete, Terminate
53163 ESTABLISHED 65.54.77.72 443 [1768] c:\program files\windows live\mesh\wlcrasvc.exe
Script: Quarantine, Delete, BC delete, Terminate
53164 ESTABLISHED 65.55.202.197 443 [2856] c:\program files\windows live\mesh\moe.exe
Script: Quarantine, Delete, BC delete, Terminate
53169 ESTABLISHED 65.55.17.39 80 [2640] c:\program files\htc home 1.10\htchome.exe
Script: Quarantine, Delete, BC delete, Terminate
53967 ESTABLISHED 38.117.98.204 80 [5092] c:\program files\internet explorer\iexplore.exe
Script: Quarantine, Delete, BC delete, Terminate
53968 ESTABLISHED 38.117.98.204 80 [5092] c:\program files\internet explorer\iexplore.exe
Script: Quarantine, Delete, BC delete, Terminate
56030 ESTABLISHED 76.125.37.249 57021 [3684] c:\program files\utorrent\utorrent.exe
Script: Quarantine, Delete, BC delete, Terminate
UDP ports
9 LISTENING -- -- [2856] c:\program files\windows live\mesh\moe.exe
Script: Quarantine, Delete, BC delete, Terminate
137 LISTENING -- -- [4] System
Script: Quarantine, Delete, BC delete, Terminate
138 LISTENING -- -- [4] System
Script: Quarantine, Delete, BC delete, Terminate
1900 LISTENING -- -- [3664] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
1900 LISTENING -- -- [3684] c:\program files\utorrent\utorrent.exe
Script: Quarantine, Delete, BC delete, Terminate
1900 LISTENING -- -- [3664] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
5355 LISTENING -- -- [1204] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
6771 LISTENING -- -- [3684] c:\program files\utorrent\utorrent.exe
Script: Quarantine, Delete, BC delete, Terminate
18532 LISTENING -- -- [3684] c:\program files\utorrent\utorrent.exe
Script: Quarantine, Delete, BC delete, Terminate
50651 LISTENING -- -- [3684] c:\program files\utorrent\utorrent.exe
Script: Quarantine, Delete, BC delete, Terminate
52132 LISTENING -- -- [5684] c:\program files\internet explorer\iexplore.exe
Script: Quarantine, Delete, BC delete, Terminate
52623 LISTENING -- -- [5280] c:\program files\internet explorer\iexplore.exe
Script: Quarantine, Delete, BC delete, Terminate
54608 LISTENING -- -- [5092] c:\program files\internet explorer\iexplore.exe
Script: Quarantine, Delete, BC delete, Terminate
54683 LISTENING -- -- [3664] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
54684 LISTENING -- -- [3664] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
59426 LISTENING -- -- [3576] c:\program files\windows live\contacts\wlcomm.exe
Script: Quarantine, Delete, BC delete, Terminate
59898 LISTENING -- -- [2856] c:\program files\windows live\mesh\moe.exe
Script: Quarantine, Delete, BC delete, Terminate

Downloaded Program Files (DPF)

File name Description Manufacturer CLSID Source URL
{E6F480FC-BD44-4CBA-B74A-89AF7842937D}
Delete http://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.4.21.0.cab
Elements detected - 6, recognized as trusted - 5

Control Panel Applets (CPL)

File name Description Manufacturer
Elements detected - 21, recognized as trusted - 21

Active Setup

File name Description Manufacturer CLSID
Elements detected - 9, recognized as trusted - 9

HOSTS file

Hosts file record
127.0.0.1 localhost

Protocols and handlers

File name Type Description Manufacturer CLSID
mscoree.dll
Script: Quarantine, Delete, BC delete Protocol Microsoft .NET Runtime Execution Engine () © Microsoft Corporation. All rights reserved. {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
mscoree.dll
Script: Quarantine, Delete, BC delete Protocol Microsoft .NET Runtime Execution Engine () © Microsoft Corporation. All rights reserved. {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
mscoree.dll
Script: Quarantine, Delete, BC delete Protocol Microsoft .NET Runtime Execution Engine () © Microsoft Corporation. All rights reserved. {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
Elements detected - 17, recognized as trusted - 14

Suspicious objects

File Description Type
C:\Windows\system32\certvert.dll
Script: Quarantine, Delete, BC delete Suspicion by Heuristic analysis HSC: suspicion for hidden autorun AppCertDlls (high degree of probability)

Main script of analysis Windows version: Windows 7 Professional, Build=7600, SP="" System Restore: enabled 1.1 Searching for user-mode API hooks Analysis: kernel32.dll, export table found in section .text IAT modification detected: CreateProcessA - 003B0010<>774E2062 IAT modification detected: GetModuleFileNameA - 003B0080<>77531094 IAT modification detected: GetModuleFileNameW - 003B00F0<>77532A14 IAT modification detected: CreateProcessW - 003B0160<>774E202D IAT modification detected: LoadLibraryW - 003B0240<>775328D2 IAT modification detected: LoadLibraryA - 003B0320<>77532884 IAT modification detected: GetProcAddress - 003B0390<>77531857 IAT modification detected: FreeLibrary - 003B0400<>77531A09 Analysis: ntdll.dll, export table found in section .text Analysis: user32.dll, export table found in section .text Analysis: advapi32.dll, export table found in section .text Function advapi32.dll:AddMandatoryAce (1029) intercepted, method ProcAddressHijack.GetProcAddress ->764024B5->75F8193A Function advapi32.dll:I_QueryTagInformation (1361) intercepted, method ProcAddressHijack.GetProcAddress ->76402655->77D172D8 Function advapi32.dll:I_ScIsSecurityProcess (1362) intercepted, method ProcAddressHijack.GetProcAddress ->7640268C->77D1733F Function advapi32.dll:I_ScPnPGetServiceName (1363) intercepted, method ProcAddressHijack.GetProcAddress ->764026C3->77D17C40 Function advapi32.dll:I_ScQueryServiceConfig (1364) intercepted, method ProcAddressHijack.GetProcAddress ->764026FA->77D15F8A Function advapi32.dll:I_ScSendPnPMessage (1365) intercepted, method ProcAddressHijack.GetProcAddress ->76402732->77D15E7D Function advapi32.dll:I_ScSendTSMessage (1366) intercepted, method ProcAddressHijack.GetProcAddress ->76402766->77D171C5 Function advapi32.dll:I_ScValidatePnPService (1369) intercepted, method ProcAddressHijack.GetProcAddress ->76402799->77D16B9D Function advapi32.dll:IsValidRelativeSecurityDescriptor (1389) intercepted, method ProcAddressHijack.GetProcAddress ->764027D1->75F7977E Function advapi32.dll:PerfCreateInstance (1515) intercepted, method ProcAddressHijack.GetProcAddress ->76402858->752A2187 Function advapi32.dll:PerfDecrementULongCounterValue (1516) intercepted, method ProcAddressHijack.GetProcAddress ->76402871->752A2A1D Function advapi32.dll:PerfDecrementULongLongCounterValue (1517) intercepted, method ProcAddressHijack.GetProcAddress ->76402896->752A2B3C Function advapi32.dll:PerfDeleteInstance (1519) intercepted, method ProcAddressHijack.GetProcAddress ->764028BF->752A2259 Function advapi32.dll:PerfIncrementULongCounterValue (1522) intercepted, method ProcAddressHijack.GetProcAddress ->764028D8->752A27B9 Function advapi32.dll:PerfIncrementULongLongCounterValue (1523) intercepted, method ProcAddressHijack.GetProcAddress ->764028FD->752A28D6 Function advapi32.dll:PerfQueryInstance (1528) intercepted, method ProcAddressHijack.GetProcAddress ->76402926->752A2373 Function advapi32.dll:PerfSetCounterRefValue (1529) intercepted, method ProcAddressHijack.GetProcAddress ->7640293E->752A2447 Function advapi32.dll:PerfSetCounterSetInfo (1530) intercepted, method ProcAddressHijack.GetProcAddress ->7640295B->752A20B0 Function advapi32.dll:PerfSetULongCounterValue (1531) intercepted, method ProcAddressHijack.GetProcAddress ->76402977->752A2565 Function advapi32.dll:PerfSetULongLongCounterValue (1532) intercepted, method ProcAddressHijack.GetProcAddress ->76402996->752A2680 Function advapi32.dll:PerfStartProvider (1533) intercepted, method ProcAddressHijack.GetProcAddress ->764029B9->752A1FED Function advapi32.dll:PerfStartProviderEx (1534) intercepted, method ProcAddressHijack.GetProcAddress ->764029D1->752A1F34 Function advapi32.dll:PerfStopProvider (1535) intercepted, method ProcAddressHijack.GetProcAddress ->764029EB->752A2026 Function advapi32.dll:SystemFunction035 (1753) intercepted, method ProcAddressHijack.GetProcAddress ->76402A3C->75783EA8 Analysis: ws2_32.dll, export table found in section .text Analysis: wininet.dll, export table found in section .text Analysis: rasapi32.dll, export table found in section .text Analysis: urlmon.dll, export table found in section .text Analysis: netapi32.dll, export table found in section .text Function netapi32.dll:DavAddConnection (1) intercepted, method ProcAddressHijack.GetProcAddress ->74163B10->693029DD Function netapi32.dll:DavDeleteConnection (2) intercepted, method ProcAddressHijack.GetProcAddress ->74163B29->6930181B Function netapi32.dll:DavFlushFile (3) intercepted, method ProcAddressHijack.GetProcAddress ->74163B45->69301713 Function netapi32.dll:DavGetExtendedError (4) intercepted, method ProcAddressHijack.GetProcAddress ->74163B5A->69302347 Function netapi32.dll:DavGetHTTPFromUNCPath (5) intercepted, method ProcAddressHijack.GetProcAddress ->74163B76->6930275B Function netapi32.dll:DavGetUNCFromHTTPPath (6) intercepted, method ProcAddressHijack.GetProcAddress ->74163B94->6930257D Function netapi32.dll:DsAddressToSiteNamesA (7) intercepted, method ProcAddressHijack.GetProcAddress ->74163BB2->755E4A4D Function netapi32.dll:DsAddressToSiteNamesExA (8) intercepted, method ProcAddressHijack.GetProcAddress ->74163BD1->755E4D79 Function netapi32.dll:DsAddressToSiteNamesExW (9) intercepted, method ProcAddressHijack.GetProcAddress ->74163BF2->755E5049 Function netapi32.dll:DsAddressToSiteNamesW (10) intercepted, method ProcAddressHijack.GetProcAddress ->74163C13->755E4C29 Function netapi32.dll:DsDeregisterDnsHostRecordsA (11) intercepted, method ProcAddressHijack.GetProcAddress ->74163C32->755E6DD9 Function netapi32.dll:DsDeregisterDnsHostRecordsW (12) intercepted, method ProcAddressHijack.GetProcAddress ->74163C57->755E6D59 Function netapi32.dll:DsEnumerateDomainTrustsA (13) intercepted, method ProcAddressHijack.GetProcAddress ->74163C7C->755E6771 Function netapi32.dll:DsEnumerateDomainTrustsW (14) intercepted, method ProcAddressHijack.GetProcAddress ->74163C9E->755D60BC Function netapi32.dll:DsGetDcCloseW (15) intercepted, method ProcAddressHijack.GetProcAddress ->74163CC0->755E495D Function netapi32.dll:DsGetDcNameA (16) intercepted, method ProcAddressHijack.GetProcAddress ->74163CD7->755E5BB2 Function netapi32.dll:DsGetDcNameW (17) intercepted, method ProcAddressHijack.GetProcAddress ->74163CED->755D4CA8 Function netapi32.dll:DsGetDcNameWithAccountA (18) intercepted, method ProcAddressHijack.GetProcAddress ->74163D03->755E55E9 Function netapi32.dll:DsGetDcNameWithAccountW (19) intercepted, method ProcAddressHijack.GetProcAddress ->74163D24->755D4CD1 Function netapi32.dll:DsGetDcNextA (20) intercepted, method ProcAddressHijack.GetProcAddress ->74163D45->755E4896 Function netapi32.dll:DsGetDcNextW (21) intercepted, method ProcAddressHijack.GetProcAddress ->74163D5B->755E47ED Function netapi32.dll:DsGetDcOpenA (22) intercepted, method ProcAddressHijack.GetProcAddress ->74163D71->755E473D Function netapi32.dll:DsGetDcOpenW (23) intercepted, method ProcAddressHijack.GetProcAddress ->74163D87->755E46AB Function netapi32.dll:DsGetDcSiteCoverageA (24) intercepted, method ProcAddressHijack.GetProcAddress ->74163D9D->755E5239 Function netapi32.dll:DsGetDcSiteCoverageW (25) intercepted, method ProcAddressHijack.GetProcAddress ->74163DBB->755E5409 Function netapi32.dll:DsGetForestTrustInformationW (26) intercepted, method ProcAddressHijack.GetProcAddress ->74163DD9->755E6E6F Function netapi32.dll:DsGetSiteNameA (27) intercepted, method ProcAddressHijack.GetProcAddress ->74163DFF->755E5B39 Function netapi32.dll:DsGetSiteNameW (28) intercepted, method ProcAddressHijack.GetProcAddress ->74163E17->755D5F24 Function netapi32.dll:DsMergeForestTrustInformationW (29) intercepted, method ProcAddressHijack.GetProcAddress ->74163E2F->755E6F71 Function netapi32.dll:DsRoleAbortDownlevelServerUpgrade (30) intercepted, method ProcAddressHijack.GetProcAddress ->74163E57->74194339 Function netapi32.dll:DsRoleCancel (31) intercepted, method ProcAddressHijack.GetProcAddress ->74163E80->741934A9 Function netapi32.dll:DsRoleDcAsDc (32) intercepted, method ProcAddressHijack.GetProcAddress ->74163E94->74193EAD Function netapi32.dll:DsRoleDcAsReplica (33) intercepted, method ProcAddressHijack.GetProcAddress ->74163EA8->74193F99 Function netapi32.dll:DsRoleDemoteDc (34) intercepted, method ProcAddressHijack.GetProcAddress ->74163EC1->74194189 Function netapi32.dll:DsRoleDnsNameToFlatName (35) intercepted, method ProcAddressHijack.GetProcAddress ->74163ED7->741932B5 Function netapi32.dll:DsRoleFreeMemory (36) intercepted, method ProcAddressHijack.GetProcAddress ->74163EF6->741919A9 Function netapi32.dll:DsRoleGetDatabaseFacts (37) intercepted, method ProcAddressHijack.GetProcAddress ->74163F0E->74193651 Function netapi32.dll:DsRoleGetDcOperationProgress (38) intercepted, method ProcAddressHijack.GetProcAddress ->74163F2C->74193351 Function netapi32.dll:DsRoleGetDcOperationResults (39) intercepted, method ProcAddressHijack.GetProcAddress ->74163F50->74193401 Function netapi32.dll:DsRoleGetPrimaryDomainInformation (40) intercepted, method ProcAddressHijack.GetProcAddress ->74163F73->74191F3D Function netapi32.dll:DsRoleIfmHandleFree (41) intercepted, method ProcAddressHijack.GetProcAddress ->74163F9C->74193539 Function netapi32.dll:DsRoleServerSaveStateForUpgrade (42) intercepted, method ProcAddressHijack.GetProcAddress ->74163FB7->741935C9 Function netapi32.dll:DsRoleUpgradeDownlevelServer (43) intercepted, method ProcAddressHijack.GetProcAddress ->74163FDE->74194261 Function netapi32.dll:DsValidateSubnetNameA (44) intercepted, method ProcAddressHijack.GetProcAddress ->74164002->755E5AF9 Function netapi32.dll:DsValidateSubnetNameW (45) intercepted, method ProcAddressHijack.GetProcAddress ->74164021->755E49E1 Function netapi32.dll:I_BrowserDebugCall (46) intercepted, method ProcAddressHijack.GetProcAddress ->74164040->5BC124A9 Function netapi32.dll:I_BrowserDebugTrace (47) intercepted, method ProcAddressHijack.GetProcAddress ->7416405B->5BC12581 Function netapi32.dll:I_BrowserQueryEmulatedDomains (48) intercepted, method ProcAddressHijack.GetProcAddress ->74164077->5BC129F9 Function netapi32.dll:I_BrowserQueryOtherDomains (49) intercepted, method ProcAddressHijack.GetProcAddress ->7416409D->5BC122C1 Function netapi32.dll:I_BrowserQueryStatistics (50) intercepted, method ProcAddressHijack.GetProcAddress ->741640C0->5BC12651 Function netapi32.dll:I_BrowserResetNetlogonState (51) intercepted, method ProcAddressHijack.GetProcAddress ->741640E1->5BC123D1 Function netapi32.dll:I_BrowserResetStatistics (52) intercepted, method ProcAddressHijack.GetProcAddress ->74164105->5BC12729 Function netapi32.dll:I_BrowserServerEnum (53) intercepted, method ProcAddressHijack.GetProcAddress ->74164126->5BC120BF Function netapi32.dll:I_BrowserSetNetlogonState (54) intercepted, method ProcAddressHijack.GetProcAddress ->74164142->5BC12919 Function netapi32.dll:I_DsUpdateReadOnlyServerDnsRecords (55) intercepted, method ProcAddressHijack.GetProcAddress ->74164164->755E5569 Function netapi32.dll:I_NetAccountDeltas (56) intercepted, method ProcAddressHijack.GetProcAddress ->74164190->755E63AB Function netapi32.dll:I_NetAccountSync (57) intercepted, method ProcAddressHijack.GetProcAddress ->741641AC->755E63AB Function netapi32.dll:I_NetChainSetClientAttributes (59) intercepted, method ProcAddressHijack.GetProcAddress ->741641C6->755E6FA6 Function netapi32.dll:I_NetChainSetClientAttributes2 (58) intercepted, method ProcAddressHijack.GetProcAddress ->741641ED->755E7029 Function netapi32.dll:I_NetDatabaseDeltas (60) intercepted, method ProcAddressHijack.GetProcAddress ->74164215->755E6391 Function netapi32.dll:I_NetDatabaseRedo (61) intercepted, method ProcAddressHijack.GetProcAddress ->74164232->755E6521 Function netapi32.dll:I_NetDatabaseSync (63) intercepted, method ProcAddressHijack.GetProcAddress ->7416424D->755E6391 Function netapi32.dll:I_NetDatabaseSync2 (62) intercepted, method ProcAddressHijack.GetProcAddress ->74164268->755E639E Function netapi32.dll:I_NetDfsGetVersion (64) intercepted, method ProcAddressHijack.GetProcAddress ->74164284->75B57CA1 Function netapi32.dll:I_NetDfsIsThisADomainName (65) intercepted, method ProcAddressHijack.GetProcAddress ->7416429E->622E4E39 Function netapi32.dll:I_NetGetDCList (66) intercepted, method ProcAddressHijack.GetProcAddress ->741642BF->755E5D9C Function netapi32.dll:I_NetGetForestTrustInformation (67) intercepted, method ProcAddressHijack.GetProcAddress ->741642D7->755E6EF1 Function netapi32.dll:I_NetLogonControl (69) intercepted, method ProcAddressHijack.GetProcAddress ->741642FF->755E63B8 Function netapi32.dll:I_NetLogonControl2 (68) intercepted, method ProcAddressHijack.GetProcAddress ->7416431A->755E6439 Function netapi32.dll:I_NetLogonGetDomainInfo (70) intercepted, method ProcAddressHijack.GetProcAddress ->74164336->755D64A4 Function netapi32.dll:I_NetLogonSamLogoff (71) intercepted, method ProcAddressHijack.GetProcAddress ->74164357->755E6091 Function netapi32.dll:I_NetLogonSamLogon (72) intercepted, method ProcAddressHijack.GetProcAddress ->74164374->755E5F39 Function netapi32.dll:I_NetLogonSamLogonEx (73) intercepted, method ProcAddressHijack.GetProcAddress ->74164390->755E5FE1 Function netapi32.dll:I_NetLogonSamLogonWithFlags (74) intercepted, method ProcAddressHijack.GetProcAddress ->741643AE->755DB22A Function netapi32.dll:I_NetLogonSendToSam (75) intercepted, method ProcAddressHijack.GetProcAddress ->741643D3->755E6111 Function netapi32.dll:I_NetLogonUasLogoff (76) intercepted, method ProcAddressHijack.GetProcAddress ->741643F0->755E5EC9 Function netapi32.dll:I_NetLogonUasLogon (77) intercepted, method ProcAddressHijack.GetProcAddress ->7416440D->755E5E53 Function netapi32.dll:I_NetServerAuthenticate (80) intercepted, method ProcAddressHijack.GetProcAddress ->74164429->755E6191 Function netapi32.dll:I_NetServerAuthenticate2 (78) intercepted, method ProcAddressHijack.GetProcAddress ->7416444A->755E6211 Function netapi32.dll:I_NetServerAuthenticate3 (79) intercepted, method ProcAddressHijack.GetProcAddress ->7416446C->755D6393 Function netapi32.dll:I_NetServerGetTrustInfo (81) intercepted, method ProcAddressHijack.GetProcAddress ->7416448E->755E6C61 Function netapi32.dll:I_NetServerPasswordGet (82) intercepted, method ProcAddressHijack.GetProcAddress ->741644AF->755E6B61 Function netapi32.dll:I_NetServerPasswordSet (84) intercepted, method ProcAddressHijack.GetProcAddress ->741644CF->755E6291 Function netapi32.dll:I_NetServerPasswordSet2 (83) intercepted, method ProcAddressHijack.GetProcAddress ->741644EF->755E6311 Function netapi32.dll:I_NetServerReqChallenge (85) intercepted, method ProcAddressHijack.GetProcAddress ->74164510->755D6424 Function netapi32.dll:I_NetServerSetServiceBits (86) intercepted, method ProcAddressHijack.GetProcAddress ->74164531->75B5426D Function netapi32.dll:I_NetServerSetServiceBitsEx (87) intercepted, method ProcAddressHijack.GetProcAddress ->74164552->75B56D11 Function netapi32.dll:I_NetServerTrustPasswordsGet (88) intercepted, method ProcAddressHijack.GetProcAddress ->74164575->755E6BE1 Function netapi32.dll:I_NetlogonComputeClientDigest (89) intercepted, method ProcAddressHijack.GetProcAddress ->7416459B->755D5C20 Function netapi32.dll:I_NetlogonComputeServerDigest (90) intercepted, method ProcAddressHijack.GetProcAddress ->741645C2->755E6AEC Function netapi32.dll:NetAddAlternateComputerName (97) intercepted, method ProcAddressHijack.GetProcAddress ->741645E9->74135B21 Function netapi32.dll:NetAddServiceAccount (98) intercepted, method ProcAddressHijack.GetProcAddress ->7416460C->755E70B1 Function netapi32.dll:NetApiBufferAllocate (101) intercepted, method ProcAddressHijack.GetProcAddress ->7416462A->74151415 Function netapi32.dll:NetApiBufferFree (102) intercepted, method ProcAddressHijack.GetProcAddress ->74164648->741513D2 Function netapi32.dll:NetApiBufferReallocate (103) intercepted, method ProcAddressHijack.GetProcAddress ->74164662->74153729 Function netapi32.dll:NetApiBufferSize (104) intercepted, method ProcAddressHijack.GetProcAddress ->74164682->74153771 Function netapi32.dll:NetBrowserStatisticsGet (108) intercepted, method ProcAddressHijack.GetProcAddress ->7416469C->5BC12801 Function netapi32.dll:NetConnectionEnum (112) intercepted, method ProcAddressHijack.GetProcAddress ->741646BC->75B55521 Function netapi32.dll:NetDfsAdd (113) intercepted, method ProcAddressHijack.GetProcAddress ->741646D5->622E78FD Function netapi32.dll:NetDfsAddFtRoot (114) intercepted, method ProcAddressHijack.GetProcAddress ->741646E6->622E6859 Function netapi32.dll:NetDfsAddRootTarget (115) intercepted, method ProcAddressHijack.GetProcAddress ->741646FD->622E7401 Function netapi32.dll:NetDfsAddStdRoot (116) intercepted, method ProcAddressHijack.GetProcAddress ->74164718->622E2B1E Function netapi32.dll:NetDfsAddStdRootForced (117) intercepted, method ProcAddressHijack.GetProcAddress ->74164730->622E2BB1 Function netapi32.dll:NetDfsEnum (118) intercepted, method ProcAddressHijack.GetProcAddress ->7416474E->622E70F9 Function netapi32.dll:NetDfsGetClientInfo (119) intercepted, method ProcAddressHijack.GetProcAddress ->74164760->622E3F25 Function netapi32.dll:NetDfsGetDcAddress (120) intercepted, method ProcAddressHijack.GetProcAddress ->7416477B->622E2C51 Function netapi32.dll:NetDfsGetFtContainerSecurity (121) intercepted, method ProcAddressHijack.GetProcAddress ->74164795->622E5363 Function netapi32.dll:NetDfsGetInfo (122) intercepted, method ProcAddressHijack.GetProcAddress ->741647B9->622E2D69 Function netapi32.dll:NetDfsGetSecurity (123) intercepted, method ProcAddressHijack.GetProcAddress ->741647CE->622E7741 Function netapi32.dll:NetDfsGetStdContainerSecurity (124) intercepted, method ProcAddressHijack.GetProcAddress ->741647E7->622E3AD5 Function netapi32.dll:NetDfsGetSupportedNamespaceVersion (125) intercepted, method ProcAddressHijack.GetProcAddress ->7416480C->622E5C19 Function netapi32.dll:NetDfsManagerGetConfigInfo (126) intercepted, method ProcAddressHijack.GetProcAddress ->74164836->622E2E9C Function netapi32.dll:NetDfsManagerInitialize (127) intercepted, method ProcAddressHijack.GetProcAddress ->74164858->622E2F91 Function netapi32.dll:NetDfsManagerSendSiteInfo (128) intercepted, method ProcAddressHijack.GetProcAddress ->74164877->622E72C5 Function netapi32.dll:NetDfsMove (129) intercepted, method ProcAddressHijack.GetProcAddress ->74164898->622E5651 Function netapi32.dll:NetDfsRemove (130) intercepted, method ProcAddressHijack.GetProcAddress ->741648AA->622E7A19 Function netapi32.dll:NetDfsRemoveFtRoot (131) intercepted, method ProcAddressHijack.GetProcAddress ->741648BE->622E6A99 Function netapi32.dll:NetDfsRemoveFtRootForced (132) intercepted, method ProcAddressHijack.GetProcAddress ->741648D8->622E6BE5 Function netapi32.dll:NetDfsRemoveRootTarget (133) intercepted, method ProcAddressHijack.GetProcAddress ->741648F8->622E5879 Function netapi32.dll:NetDfsRemoveStdRoot (134) intercepted, method ProcAddressHijack.GetProcAddress ->74164916->622E2CE1 Function netapi32.dll:NetDfsRename (135) intercepted, method ProcAddressHijack.GetProcAddress ->74164931->622E2E91 Function netapi32.dll:NetDfsSetClientInfo (136) intercepted, method ProcAddressHijack.GetProcAddress ->74164945->622E4301 Function netapi32.dll:NetDfsSetFtContainerSecurity (137) intercepted, method ProcAddressHijack.GetProcAddress ->74164960->622E53AF Function netapi32.dll:NetDfsSetInfo (138) intercepted, method ProcAddressHijack.GetProcAddress ->74164984->622E6D8B Function netapi32.dll:NetDfsSetSecurity (139) intercepted, method ProcAddressHijack.GetProcAddress ->74164999->622E7822 Function netapi32.dll:NetDfsSetStdContainerSecurity (140) intercepted, method ProcAddressHijack.GetProcAddress ->741649B2->622E3B24 Function netapi32.dll:NetEnumerateComputerNames (141) intercepted, method ProcAddressHijack.GetProcAddress ->741649D7->74135E39 Function netapi32.dll:NetEnumerateServiceAccounts (142) intercepted, method ProcAddressHijack.GetProcAddress ->741649F8->755E7199 Function netapi32.dll:NetEnumerateTrustedDomains (143) intercepted, method ProcAddressHijack.GetProcAddress ->74164A1D->755E652E Function netapi32.dll:NetFileClose (147) intercepted, method ProcAddressHijack.GetProcAddress ->74164A41->75B55659 Function netapi32.dll:NetFileEnum (148) intercepted, method ProcAddressHijack.GetProcAddress ->74164A55->75B55729 Function netapi32.dll:NetFileGetInfo (149) intercepted, method ProcAddressHijack.GetProcAddress ->74164A68->75B55859 Function netapi32.dll:NetGetAnyDCName (150) intercepted, method ProcAddressHijack.GetProcAddress ->74164A7E->755E496D Function netapi32.dll:NetGetDCName (151) intercepted, method ProcAddressHijack.GetProcAddress ->74164A97->755E5913 Function netapi32.dll:NetGetDisplayInformationIndex (152) intercepted, method ProcAddressHijack.GetProcAddress ->74164AAD->74124117 Function netapi32.dll:NetGetJoinInformation (153) intercepted, method ProcAddressHijack.GetProcAddress ->74164AD2->74132DC7 Function netapi32.dll:NetGetJoinableOUs (154) intercepted, method ProcAddressHijack.GetProcAddress ->74164AEF->741359D1 Function netapi32.dll:NetGroupAdd (155) intercepted, method ProcAddressHijack.GetProcAddress ->74164B08->741271C3 Function netapi32.dll:NetGroupAddUser (156) intercepted, method ProcAddressHijack.GetProcAddress ->74164B1B->741273AD Function netapi32.dll:NetGroupDel (157) intercepted, method ProcAddressHijack.GetProcAddress ->74164B32->741273CB Function netapi32.dll:NetGroupDelUser (158) intercepted, method ProcAddressHijack.GetProcAddress ->74164B45->741273EB Function netapi32.dll:NetGroupEnum (159) intercepted, method ProcAddressHijack.GetProcAddress ->74164B5C->74127409 Function netapi32.dll:NetGroupGetInfo (160) intercepted, method ProcAddressHijack.GetProcAddress ->74164B70->741278C8 Function netapi32.dll:NetGroupGetUsers (161) intercepted, method ProcAddressHijack.GetProcAddress ->74164B87->74127952 Function netapi32.dll:NetGroupSetInfo (162) intercepted, method ProcAddressHijack.GetProcAddress ->74164B9F->74127C02 Function netapi32.dll:NetGroupSetUsers (163) intercepted, method ProcAddressHijack.GetProcAddress ->74164BB6->74127DAE Function netapi32.dll:NetIsServiceAccount (164) intercepted, method ProcAddressHijack.GetProcAddress ->74164BCE->755E72D9 Function netapi32.dll:NetJoinDomain (165) intercepted, method ProcAddressHijack.GetProcAddress ->74164BEB->741354B9 Function netapi32.dll:NetLocalGroupAdd (166) intercepted, method ProcAddressHijack.GetProcAddress ->74164C00->7412875A Function netapi32.dll:NetLocalGroupAddMember (167) intercepted, method ProcAddressHijack.GetProcAddress ->74164C18->74128886 Function netapi32.dll:NetLocalGroupAddMembers (168) intercepted, method ProcAddressHijack.GetProcAddress ->74164C36->74128E99 Function netapi32.dll:NetLocalGroupDel (169) intercepted, method ProcAddressHijack.GetProcAddress ->74164C55->741288A4 Function netapi32.dll:NetLocalGroupDelMember (170) intercepted, method ProcAddressHijack.GetProcAddress ->74164C6D->74128928 Function netapi32.dll:NetLocalGroupDelMembers (171) intercepted, method ProcAddressHijack.GetProcAddress ->74164C8B->74128EBD Function netapi32.dll:NetLocalGroupEnum (172) intercepted, method ProcAddressHijack.GetProcAddress ->74164CAA->74128946 Function netapi32.dll:NetLocalGroupGetInfo (173) intercepted, method ProcAddressHijack.GetProcAddress ->74164CC3->74128CE4 Function netapi32.dll:NetLocalGroupGetMembers (174) intercepted, method ProcAddressHijack.GetProcAddress ->74164CDF->74122265 Function netapi32.dll:NetLocalGroupSetInfo (175) intercepted, method ProcAddressHijack.GetProcAddress ->74164CFE->74128D57 Function netapi32.dll:NetLocalGroupSetMembers (176) intercepted, method ProcAddressHijack.GetProcAddress ->74164D1A->74128E75 Function netapi32.dll:NetLogonGetTimeServiceParentDomain (177) intercepted, method ProcAddressHijack.GetProcAddress ->74164D39->755E6CE9 Function netapi32.dll:NetLogonSetServiceBits (178) intercepted, method ProcAddressHijack.GetProcAddress ->74164D65->755D603C Function netapi32.dll:NetProvisionComputerAccount (184) intercepted, method ProcAddressHijack.GetProcAddress ->74164D85->7586F2D3 Function netapi32.dll:NetQueryDisplayInformation (185) intercepted, method ProcAddressHijack.GetProcAddress ->74164DA9->74123D87 Function netapi32.dll:NetQueryServiceAccount (186) intercepted, method ProcAddressHijack.GetProcAddress ->74164DCB->755E7249 Function netapi32.dll:NetRemoteComputerSupports (188) intercepted, method ProcAddressHijack.GetProcAddress ->74164DEB->74152160 Function netapi32.dll:NetRemoteTOD (189) intercepted, method ProcAddressHijack.GetProcAddress ->74164E0E->75B56C11 Function netapi32.dll:NetRemoveAlternateComputerName (190) intercepted, method ProcAddressHijack.GetProcAddress ->74164E22->74135C29 Function netapi32.dll:NetRemoveServiceAccount (191) intercepted, method ProcAddressHijack.GetProcAddress ->74164E48->755E7129 Function netapi32.dll:NetRenameMachineInDomain (192) intercepted, method ProcAddressHijack.GetProcAddress ->74164E69->74135751 Function netapi32.dll:NetRequestOfflineDomainJoin (208) intercepted, method ProcAddressHijack.GetProcAddress ->74164E89->7586B52F Function netapi32.dll:NetScheduleJobAdd (209) intercepted, method ProcAddressHijack.GetProcAddress ->74164EAD->73C819D1 Function netapi32.dll:NetScheduleJobDel (210) intercepted, method ProcAddressHijack.GetProcAddress ->74164EC8->73C81AC9 Function netapi32.dll:NetScheduleJobEnum (211) intercepted, method ProcAddressHijack.GetProcAddress ->74164EE3->73C81BC1 Function netapi32.dll:NetScheduleJobGetInfo (212) intercepted, method ProcAddressHijack.GetProcAddress ->74164EFF->73C81CE1 Function netapi32.dll:NetServerAliasAdd (213) intercepted, method ProcAddressHijack.GetProcAddress ->74164F1E->75B57843 Function netapi32.dll:NetServerAliasDel (214) intercepted, method ProcAddressHijack.GetProcAddress ->74164F37->75B57A79 Function netapi32.dll:NetServerAliasEnum (215) intercepted, method ProcAddressHijack.GetProcAddress ->74164F50->75B57931 Function netapi32.dll:NetServerComputerNameAdd (216) intercepted, method ProcAddressHijack.GetProcAddress ->74164F6A->75B57411 Function netapi32.dll:NetServerComputerNameDel (217) intercepted, method ProcAddressHijack.GetProcAddress ->74164F8A->75B576FB Function netapi32.dll:NetServerDiskEnum (218) intercepted, method ProcAddressHijack.GetProcAddress ->74164FAA->75B56559 Function netapi32.dll:NetServerEnum (219) intercepted, method ProcAddressHijack.GetProcAddress ->74164FC3->5BC12F61 Function netapi32.dll:NetServerEnumEx (220) intercepted, method ProcAddressHijack.GetProcAddress ->74164FD9->5BC12C5F Function netapi32.dll:NetServerGetInfo (221) intercepted, method ProcAddressHijack.GetProcAddress ->74164FF1->75B53CFA Function netapi32.dll:NetServerSetInfo (222) intercepted, method ProcAddressHijack.GetProcAddress ->74165009->75B56681 Function netapi32.dll:NetServerTransportAdd (223) intercepted, method ProcAddressHijack.GetProcAddress ->74165021->75B56851 Function netapi32.dll:NetServerTransportAddEx (224) intercepted, method ProcAddressHijack.GetProcAddress ->7416503E->75B57329 Function netapi32.dll:NetServerTransportDel (225) intercepted, method ProcAddressHijack.GetProcAddress ->7416505D->75B56A01 Function netapi32.dll:NetServerTransportEnum (226) intercepted, method ProcAddressHijack.GetProcAddress ->7416507A->75B56AD9 Function netapi32.dll:NetSessionDel (231) intercepted, method ProcAddressHijack.GetProcAddress ->74165098->75B55941 Function netapi32.dll:NetSessionEnum (232) intercepted, method ProcAddressHijack.GetProcAddress ->741650AD->75B55A11 Function netapi32.dll:NetSessionGetInfo (233) intercepted, method ProcAddressHijack.GetProcAddress ->741650C3->75B55B41 Function netapi32.dll:NetSetPrimaryComputerName (234) intercepted, method ProcAddressHijack.GetProcAddress ->741650DC->74135D31 Function netapi32.dll:NetShareAdd (235) intercepted, method ProcAddressHijack.GetProcAddress ->741650FD->75B55C81 Function netapi32.dll:NetShareCheck (236) intercepted, method ProcAddressHijack.GetProcAddress ->74165110->75B55E91 Function netapi32.dll:NetShareDel (237) intercepted, method ProcAddressHijack.GetProcAddress ->74165125->75B55F81 Function netapi32.dll:NetShareDelEx (238) intercepted, method ProcAddressHijack.GetProcAddress ->74165138->75B57B61 Function netapi32.dll:NetShareDelSticky (239) intercepted, method ProcAddressHijack.GetProcAddress ->7416514D->75B560D1 Function netapi32.dll:NetShareEnum (240) intercepted, method ProcAddressHijack.GetProcAddress ->74165166->75B53F91 Function netapi32.dll:NetShareEnumSticky (241) intercepted, method ProcAddressHijack.GetProcAddress ->7416517A->75B561C9 Function netapi32.dll:NetShareGetInfo (242) intercepted, method ProcAddressHijack.GetProcAddress ->74165194->75B5433F Function netapi32.dll:NetShareSetInfo (243) intercepted, method ProcAddressHijack.GetProcAddress ->741651AB->75B56341 Function netapi32.dll:NetUnjoinDomain (245) intercepted, method ProcAddressHijack.GetProcAddress ->741651C2->74135641 Function netapi32.dll:NetUseAdd (247) intercepted, method ProcAddressHijack.GetProcAddress ->741651D9->74133693 Function netapi32.dll:NetUseDel (248) intercepted, method ProcAddressHijack.GetProcAddress ->741651EA->74135FA9 Function netapi32.dll:NetUseEnum (249) intercepted, method ProcAddressHijack.GetProcAddress ->741651FB->74133184 Function netapi32.dll:NetUseGetInfo (250) intercepted, method ProcAddressHijack.GetProcAddress ->7416520D->74136039 Function netapi32.dll:NetUserAdd (251) intercepted, method ProcAddressHijack.GetProcAddress ->74165222->7412464F Function netapi32.dll:NetUserChangePassword (252) intercepted, method ProcAddressHijack.GetProcAddress ->74165234->74125A06 Function netapi32.dll:NetUserDel (253) intercepted, method ProcAddressHijack.GetProcAddress ->74165251->74124826 Function netapi32.dll:NetUserEnum (254) intercepted, method ProcAddressHijack.GetProcAddress ->74165263->741249D6 Function netapi32.dll:NetUserGetGroups (255) intercepted, method ProcAddressHijack.GetProcAddress ->74165276->74124E01 Function netapi32.dll:NetUserGetInfo (256) intercepted, method ProcAddressHijack.GetProcAddress ->7416528E->74121C60 Function netapi32.dll:NetUserGetLocalGroups (257) intercepted, method ProcAddressHijack.GetProcAddress ->741652A4->74122875 Function netapi32.dll:NetUserModalsGet (258) intercepted, method ProcAddressHijack.GetProcAddress ->741652C1->7412206B Function netapi32.dll:NetUserModalsSet (259) intercepted, method ProcAddressHijack.GetProcAddress ->741652D9->741254AA Function netapi32.dll:NetUserSetGroups (260) intercepted, method ProcAddressHijack.GetProcAddress ->741652F1->74125095 Function netapi32.dll:NetUserSetInfo (261) intercepted, method ProcAddressHijack.GetProcAddress ->74165309->74124D1D Function netapi32.dll:NetValidateName (262) intercepted, method ProcAddressHijack.GetProcAddress ->7416531F->74135859 Function netapi32.dll:NetValidatePasswordPolicy (263) intercepted, method ProcAddressHijack.GetProcAddress ->74165336->74129967 Function netapi32.dll:NetValidatePasswordPolicyFree (264) intercepted, method ProcAddressHijack.GetProcAddress ->74165357->74129B6B Function netapi32.dll:NetWkstaTransportAdd (267) intercepted, method ProcAddressHijack.GetProcAddress ->7416537C->74134E45 Function netapi32.dll:NetWkstaTransportDel (268) intercepted, method ProcAddressHijack.GetProcAddress ->74165398->74134F21 Function netapi32.dll:NetWkstaTransportEnum (269) intercepted, method ProcAddressHijack.GetProcAddress ->741653B4->74134CF9 Function netapi32.dll:NetWkstaUserEnum (270) intercepted, method ProcAddressHijack.GetProcAddress ->741653D1->74134AD1 Function netapi32.dll:NetWkstaUserGetInfo (271) intercepted, method ProcAddressHijack.GetProcAddress ->741653E9->74133280 Function netapi32.dll:NetWkstaUserSetInfo (272) intercepted, method ProcAddressHijack.GetProcAddress ->74165404->74134C15 Function netapi32.dll:NetapipBufferAllocate (273) intercepted, method ProcAddressHijack.GetProcAddress ->7416541F->741537AA Function netapi32.dll:NetpIsRemote (289) intercepted, method ProcAddressHijack.GetProcAddress ->7416543E->7415382D Function netapi32.dll:NetpwNameCanonicalize (296) intercepted, method ProcAddressHijack.GetProcAddress ->74165454->74151C30 Function netapi32.dll:NetpwNameCompare (297) intercepted, method ProcAddressHijack.GetProcAddress ->74165473->74151F2E Function netapi32.dll:NetpwNameValidate (298) intercepted, method ProcAddressHijack.GetProcAddress ->7416548D->74151990 Function netapi32.dll:NetpwPathCanonicalize (299) intercepted, method ProcAddressHijack.GetProcAddress ->741654A8->7415275D Function netapi32.dll:NetpwPathCompare (300) intercepted, method ProcAddressHijack.GetProcAddress ->741654C7->74154086 Function netapi32.dll:NetpwPathType (301) intercepted, method ProcAddressHijack.GetProcAddress ->741654E1->74152533 Function netapi32.dll:NlBindingAddServerToCache (302) intercepted, method ProcAddressHijack.GetProcAddress ->741654F8->755D61F8 Function netapi32.dll:NlBindingRemoveServerFromCache (303) intercepted, method ProcAddressHijack.GetProcAddress ->7416551B->755D5D67 Function netapi32.dll:NlBindingSetAuthInfo (304) intercepted, method ProcAddressHijack.GetProcAddress ->74165543->755D6198 1.2 Searching for kernel-mode API hooks Driver loaded successfully SDT found (RVA=1689C0) Kernel ntkrnlpa.exe found in memory at address 82A50000 SDT = 82BB89C0 KiST = 82ABF800 (401) Functions checked: 401, intercepted: 0, restored: 0 1.3 Checking IDT and SYSENTER Analysis for CPU 1 Analysis for CPU 2 CmpCallCallBacks = 00000000 Checking IDT and SYSENTER - complete 1.4 Searching for masking processes and drivers Checking not performed: extended monitoring driver (AVZPM) is not installed Driver loaded successfully 1.5 Checking of IRP handlers \FileSystem\ntfs[IRP_MJ_CREATE] = 84A861F8 -> hook not defined \FileSystem\ntfs[IRP_MJ_CLOSE] = 84A861F8 -> hook not defined \FileSystem\ntfs[IRP_MJ_WRITE] = 84A861F8 -> hook not defined \FileSystem\ntfs[IRP_MJ_QUERY_INFORMATION] = 84A861F8 -> hook not defined \FileSystem\ntfs[IRP_MJ_SET_INFORMATION] = 84A861F8 -> hook not defined \FileSystem\ntfs[IRP_MJ_QUERY_EA] = 84A861F8 -> hook not defined \FileSystem\ntfs[IRP_MJ_SET_EA] = 84A861F8 -> hook not defined \FileSystem\ntfs[IRP_MJ_QUERY_VOLUME_INFORMATION] = 84A861F8 -> hook not defined \FileSystem\ntfs[IRP_MJ_SET_VOLUME_INFORMATION] = 84A861F8 -> hook not defined \FileSystem\ntfs[IRP_MJ_DIRECTORY_CONTROL] = 84A861F8 -> hook not defined \FileSystem\ntfs[IRP_MJ_FILE_SYSTEM_CONTROL] = 84A861F8 -> hook not defined \FileSystem\ntfs[IRP_MJ_DEVICE_CONTROL] = 84A861F8 -> hook not defined \FileSystem\ntfs[IRP_MJ_LOCK_CONTROL] = 84A861F8 -> hook not defined \FileSystem\ntfs[IRP_MJ_QUERY_SECURITY] = 84A861F8 -> hook not defined \FileSystem\ntfs[IRP_MJ_SET_SECURITY] = 84A861F8 -> hook not defined \FileSystem\ntfs[IRP_MJ_PNP] = 84A861F8 -> hook not defined Checking - complete >>> C:\Windows\system32\certvert.dll HSC: suspicion for hidden autorun AppCertDlls (high degree of probability) >> Services: potentially dangerous service allowed: TermService (@%SystemRoot%\System32\termsrv.dll,-268) Error [2, SC_EXT_ADDITEMST] >> Services: potentially dangerous service allowed: SSDPSRV (@%systemroot%\system32\ssdpsrv.dll,-100) Error [2, SC_EXT_ADDITEMST] >> Services: potentially dangerous service allowed: Schedule (@%SystemRoot%\system32\schedsvc.dll,-100) Error [2, SC_EXT_ADDITEMST] > Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)! >> Security: disk drives' autorun is enabled Error [2, SC_EXT_ADDITEMST] >> Security: administrative shares (C$, D$ ...) are enabled Error [2, SC_EXT_ADDITEMST] >> Security: anonymous user access is enabled Error [2, SC_EXT_ADDITEMST] Error [2, SC_EXT_ADDITEMST] >> Security: sending Remote Assistant queries is enabled >> Disable HDD autorun >> Disable autorun from network drives >> Disable CD/DVD autorun >> Disable removable media autorun System Analysis in progress
System Analysis - complete
Script commands

Add commands to script:
Blocking hooks using Anti-Rootkit
Enable AVZGuard
Operations with AVZPM (true=enable,false=disable)
BootCleaner - import list of deleted files
Registry cleanup after deleting files
BootCleaner - activate
Reboot
Insert template for QuarantineFile() - quarantining file
Insert template for BC_QrFile() - quarantining file via BootCleaner
Insert template for DeleteFile() - deleting file
Insert template for DelCLSID() - deleting CLSID item from registry
Additional operations:
Performance tweaking: disable service TermService (@%SystemRoot%\System32\termsrv.dll,-268)
Performance tweaking: disable service SSDPSRV (@%systemroot%\system32\ssdpsrv.dll,-100)
Performance tweaking: disable service Schedule (@%SystemRoot%\system32\schedsvc.dll,-100)
Security tweaking: disable CD autorun
Security tweaking: disable administrative shares
Security tweaking: disable anonymous user access
Security: disable sending Remote Assistant queries
File list