Results of system analysis

Kaspersky Virus Removal Tool 11.0.0.1245 (database released 28/11/2011; 07:04)

List of processes

Kernel Space Modules Viewer

Services

Drivers

Autoruns

Microsoft Internet Explorer extension modules (BHOs, Toolbars ...)

Windows Explorer extension modules

Printing system extensions (print monitors, providers)

Task Scheduler jobs

SPI/LSP settings

LSP settings checked. No errors detected

яю#

Main script of analysis
Windows version: Windows 7 Enterprise, Build=7601, SP="Service Pack 1"
System Restore: enabled
1.1 Searching for user-mode API hooks
 Analysis: kernel32.dll, export table found in section .text
IAT modification detected: CreateProcessA - 003C0010<>76102082
IAT modification detected: GetModuleFileNameA - 003C0080<>7614D75A
IAT modification detected: FreeLibrary - 003C00F0<>7614EF67
IAT modification detected: GetModuleFileNameW - 003C0160<>7614EF35
IAT modification detected: CreateProcessW - 003C01D0<>7610204D
IAT modification detected: LoadLibraryW - 003C02B0<>7614EF42
IAT modification detected: LoadLibraryA - 003C0320<>7614DC65
IAT modification detected: GetProcAddress - 003C0390<>7614CC94
 Analysis: ntdll.dll, export table found in section .text
 Analysis: user32.dll, export table found in section .text
 Analysis: advapi32.dll, export table found in section .text
 Analysis: ws2_32.dll, export table found in section .text
 Analysis: wininet.dll, export table found in section .text
 Analysis: rasapi32.dll, export table found in section .text
 Analysis: urlmon.dll, export table found in section .text
 Analysis: netapi32.dll, export table found in section .text
1.2 Searching for kernel-mode API hooks
 Driver loaded successfully
 SDT found (RVA=15FA80)
 Kernel ntoskrnl.exe found in memory at address 8284C000
   SDT = 829ABA80
   KiST = 828A870C (401)
Function NtOpenProcess (BE) intercepted (82A64E27->92E31F3C), hook C:\Windows\system32\DRIVERS\AVGIDSShim.Sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtTerminateProcess (172) intercepted (82A65306->92E31FE4), hook C:\Windows\system32\DRIVERS\AVGIDSShim.Sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtTerminateThread (173) intercepted (82A7C7C4->92E32080), hook C:\Windows\system32\DRIVERS\AVGIDSShim.Sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtWriteVirtualMemory (18F) intercepted (82A95123->92E3211C), hook C:\Windows\system32\DRIVERS\AVGIDSShim.Sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Functions checked: 401, intercepted: 4, restored: 4
1.3 Checking IDT and SYSENTER
 Analysis for CPU 1
 Analysis for CPU 2
CmpCallCallBacks = 00000000
 Checking IDT and SYSENTER - complete
1.4 Searching for masking processes and drivers
 Checking not performed: extended monitoring driver (AVZPM) is not installed
1.5 Checking of IRP handlers
 Driver loaded successfully
 Checking - complete
>> Services: potentially dangerous service allowed: TermService (Remote Desktop Services)
>> Services: potentially dangerous service allowed: SSDPSRV (SSDP Discovery)
>> Services: potentially dangerous service allowed: Schedule (Task Scheduler)
> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
>> Security: disk drives' autorun is enabled
>> Security: administrative shares (C$, D$ ...) are enabled
>> Security: anonymous user access is enabled
>> Security: sending Remote Assistant queries is enabled
>> Security: automatic logon is enabled
 >>  Disable HDD autorun
 >>  Disable autorun from network drives
 >>  Disable CD/DVD autorun
 >>  Disable removable media autorun
 >>  Windows Explorer - show extensions of known file types
System Analysis in progress

 System Analysis - complete


Script commands
 
Add commands to script:
Blocking hooks using Anti-Rootkit
Enable AVZGuard
Operations with AVZPM (true=enable,false=disable)
BootCleaner - import list of deleted files
BootCleaner - import all
Registry cleanup after deleting files
ExecuteWizard ('TSW',2,3,true) - Running Troubleshooting wizard
BootCleaner - activate
Reboot
Insert template for QuarantineFile() - quarantining file
Insert template for BC_QrFile() - quarantining file via BootCleaner
Insert template for DeleteFile() - deleting file
Insert template for DelCLSID() - deleting CLSID item from registry
Additional operations:
Performance tweaking: disable service TermService (Remote Desktop Services)
Performance tweaking: disable service SSDPSRV (SSDP Discovery)
Performance tweaking: disable service Schedule (Task Scheduler)
Security tweaking: disable CD autorun
Security tweaking: disable administrative shares
Security tweaking: disable anonymous user access
Security: disable sending Remote Assistant queries
Security tweaking: disable automatic logon

File list