Results of system analysis

Kaspersky Virus Removal Tool 11.0.0.1245 (database released 29/12/2011; 19:39)

List of processes

Kernel Space Modules Viewer

Services

Drivers

Autoruns

Microsoft Internet Explorer extension modules (BHOs, Toolbars ...)

Windows Explorer extension modules

Printing system extensions (print monitors, providers)

Task Scheduler jobs

SPI/LSP settings

LSP settings checked. No errors detected

яю1

Main script of analysis
Windows version: Windows 7 Home Premium, Build=7600, SP=""
System Restore: enabled
1.1 Searching for user-mode API hooks
 Analysis: kernel32.dll, export table found in section .text
IAT modification detected: CreateProcessA - 00610010<>76EF2062
IAT modification detected: GetModuleFileNameA - 00610080<>76F41014
IAT modification detected: FreeLibrary - 006100F0<>76F41989
IAT modification detected: GetModuleFileNameW - 00610160<>76F42994
IAT modification detected: CreateProcessW - 006101D0<>76EF202D
IAT modification detected: LoadLibraryW - 006102B0<>76F42852
IAT modification detected: LoadLibraryA - 00610320<>76F42804
IAT modification detected: GetProcAddress - 00610390<>76F417D7
 Analysis: ntdll.dll, export table found in section .text
 Analysis: user32.dll, export table found in section .text
 Analysis: advapi32.dll, export table found in section .text
 Analysis: ws2_32.dll, export table found in section .text
 Analysis: wininet.dll, export table found in section .text
 Analysis: rasapi32.dll, export table found in section .text
 Analysis: urlmon.dll, export table found in section .text
 Analysis: netapi32.dll, export table found in section .text
1.2 Searching for kernel-mode API hooks
 Driver loaded successfully
 SDT found (RVA=1689C0)
 Kernel ntkrnlpa.exe found in memory at address 83407000
   SDT = 8356F9C0
   KiST = 83476860 (401)
Function NtAdjustPrivilegesToken (0C) intercepted (83614C5D->829A9E36), hook C:\Windows\system32\DRIVERS\0460089drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtAlpcConnectPort (16) intercepted (8365AD8D->829AC074), hook C:\Windows\system32\DRIVERS\0460089drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtAlpcCreatePort (17) intercepted (835F5480->829AC2EE), hook C:\Windows\system32\DRIVERS\0460089drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtAlpcSendWaitReceivePort (27) intercepted (8367C612->829AC564), hook C:\Windows\system32\DRIVERS\0460089drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtClose (32) intercepted (8364E5FC->829AA74A), hook C:\Windows\system32\DRIVERS\0460089drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtConnectPort (3B) intercepted (8367FE03->829AB57E), hook C:\Windows\system32\DRIVERS\0460089drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateEvent (40) intercepted (83668B49->829ABAC8), hook C:\Windows\system32\DRIVERS\0460089drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateFile (42) intercepted (836523EE->829AAA26), hook C:\Windows\system32\DRIVERS\0460089drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateMutant (4A) intercepted (83686184->829AB9AE), hook C:\Windows\system32\DRIVERS\0460089drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateNamedPipeFile (4B) intercepted (836915F6->829A9A24), hook C:\Windows\system32\DRIVERS\0460089drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreatePort (4D) intercepted (835FC1E2->829AB882), hook C:\Windows\system32\DRIVERS\0460089drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateSection (54) intercepted (83638243->829A9BCC), hook C:\Windows\system32\DRIVERS\0460089drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateSemaphore (55) intercepted (83688578->829ABBE8), hook C:\Windows\system32\DRIVERS\0460089drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateThread (57) intercepted (836E2186->829AA3D0), hook C:\Windows\system32\DRIVERS\0460089drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateThreadEx (58) intercepted (836402B1->829AA4CE), hook C:\Windows\system32\DRIVERS\0460089drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateUserProcess (5D) intercepted (8365D34C->829AC7AE), hook C:\Windows\system32\DRIVERS\0460089drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateWaitablePort (5E) intercepted (835A73A7->829AB918), hook C:\Windows\system32\DRIVERS\0460089drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtDebugActiveProcess (60) intercepted (836B771C->829AD2D6), hook C:\Windows\system32\DRIVERS\0460089drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtDeviceIoControlFile (6B) intercepted (836649F0->829AAEA8), hook C:\Windows\system32\DRIVERS\0460089drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtDuplicateObject (6F) intercepted (83683631->829AE4E4), hook C:\Windows\system32\DRIVERS\0460089drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtFsControlFile (86) intercepted (8366B24E->829AACB6), hook C:\Windows\system32\DRIVERS\0460089drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtLoadDriver (9B) intercepted (835A8295->829AD3C8), hook C:\Windows\system32\DRIVERS\0460089drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtMapViewOfSection (A8) intercepted (83686446->829ADB30), hook C:\Windows\system32\DRIVERS\0460089drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtOpenEvent (B1) intercepted (83688AD6->829ABB5E), hook C:\Windows\system32\DRIVERS\0460089drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtOpenFile (B3) intercepted (83681B33->829AA7CC), hook C:\Windows\system32\DRIVERS\0460089drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtOpenMutant (BB) intercepted (83623AC9->829ABA3E), hook C:\Windows\system32\DRIVERS\0460089drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtOpenProcess (BE) intercepted (83688AA0->829AA074), hook C:\Windows\system32\DRIVERS\0460089drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtOpenSection (C2) intercepted (83686729->829AD8CA), hook C:\Windows\system32\DRIVERS\0460089drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtOpenSemaphore (C3) intercepted (835EB459->829ABC7E), hook C:\Windows\system32\DRIVERS\0460089drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtOpenThread (C6) intercepted (836873F7->829A9F64), hook C:\Windows\system32\DRIVERS\0460089drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtQueryDirectoryObject (E0) intercepted (8368FDEA->829AC868), hook C:\Windows\system32\DRIVERS\0460089drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtQuerySection (FE) intercepted (83673474->829ADE6A), hook C:\Windows\system32\DRIVERS\0460089drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtQueueApcThread (10D) intercepted (835F3BB3->829AD75C), hook C:\Windows\system32\DRIVERS\0460089drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtReplaceKey (124) intercepted (836A4632->829A86DE), hook C:\Windows\system32\DRIVERS\0460089drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtReplyPort (126) intercepted (835F83C4->829ABFE2), hook C:\Windows\system32\DRIVERS\0460089drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtReplyWaitReceivePort (127) intercepted (8367E09C->829ABEA8), hook C:\Windows\system32\DRIVERS\0460089drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtRequestWaitReplyPort (12B) intercepted (8367E03A->829AD070), hook C:\Windows\system32\DRIVERS\0460089drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtRestoreKey (12E) intercepted (8369D4C5->829A8A56), hook C:\Windows\system32\DRIVERS\0460089drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtResumeThread (130) intercepted (8367953E->829AE386), hook C:\Windows\system32\DRIVERS\0460089drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtSaveKey (135) intercepted (8369B5D6->829A8676), hook C:\Windows\system32\DRIVERS\0460089drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtSecureConnectPort (138) intercepted (83666F6F->829AB2C4), hook C:\Windows\system32\DRIVERS\0460089drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtSetContextThread (13C) intercepted (836E328B->829AA5EC), hook C:\Windows\system32\DRIVERS\0460089drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtSetInformationToken (150) intercepted (8362132A->829AC90A), hook C:\Windows\system32\DRIVERS\0460089drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtSetSecurityObject (15B) intercepted (8361D40D->829AD566), hook C:\Windows\system32\DRIVERS\0460089drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtSetSystemInformation (15E) intercepted (83692365->829ADFBA), hook C:\Windows\system32\DRIVERS\0460089drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtSuspendProcess (16E) intercepted (836E3E2B->829AE0AC), hook C:\Windows\system32\DRIVERS\0460089drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtSuspendThread (16F) intercepted (836A0BC6->829AE1E6), hook C:\Windows\system32\DRIVERS\0460089drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtSystemDebugControl (170) intercepted (836106E5->829AD1FA), hook C:\Windows\system32\DRIVERS\0460089drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtTerminateProcess (172) intercepted (836690AD->829AA21A), hook C:\Windows\system32\DRIVERS\0460089drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtTerminateThread (173) intercepted (8367BE53->829AA170), hook C:\Windows\system32\DRIVERS\0460089drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtUnmapViewOfSection (181) intercepted (8368324B->829ADD0E), hook C:\Windows\system32\DRIVERS\0460089drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtWriteVirtualMemory (18F) intercepted (8368EB25->829AA306), hook C:\Windows\system32\DRIVERS\0460089drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Functions checked: 401, intercepted: 52, restored: 52
1.3 Checking IDT and SYSENTER
 Analysis for CPU 1
 Analysis for CPU 2
CmpCallCallBacks = 00000000
 Checking IDT and SYSENTER - complete
1.4 Searching for masking processes and drivers
 Checking not performed: extended monitoring driver (AVZPM) is not installed
1.5 Checking of IRP handlers
 Driver loaded successfully
\FileSystem\ntfs[IRP_MJ_CREATE] = 85D521F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_CLOSE] = 85D521F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_WRITE] = 85D521F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_QUERY_INFORMATION] = 85D521F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_SET_INFORMATION] = 85D521F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_QUERY_EA] = 85D521F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_SET_EA] = 85D521F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_QUERY_VOLUME_INFORMATION] = 85D521F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_SET_VOLUME_INFORMATION] = 85D521F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_DIRECTORY_CONTROL] = 85D521F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_FILE_SYSTEM_CONTROL] = 85D521F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_DEVICE_CONTROL] = 85D521F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_LOCK_CONTROL] = 85D521F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_QUERY_SECURITY] = 85D521F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_SET_SECURITY] = 85D521F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_PNP] = 85D521F8 -> hook not defined
 Checking - complete
>> Services: potentially dangerous service allowed: TermService (Servicios de Escritorio remoto)
>> Services: potentially dangerous service allowed: SSDPSRV (Detecciуn SSDP)
>> Services: potentially dangerous service allowed: Schedule (Programador de tareas)
> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
>> Security: disk drives' autorun is enabled
>> Security: administrative shares (C$, D$ ...) are enabled
>> Security: anonymous user access is enabled
>> Security: sending Remote Assistant queries is enabled
 >>  Disable HDD autorun
 >>  Disable autorun from network drives
 >>  Disable CD/DVD autorun
 >>  Disable removable media autorun
 >>  Windows Explorer - show extensions of known file types
System Analysis in progress

 System Analysis - complete


Script commands
 
Add commands to script:
Blocking hooks using Anti-Rootkit
Enable AVZGuard
Operations with AVZPM (true=enable,false=disable)
BootCleaner - import list of deleted files
BootCleaner - import all
Registry cleanup after deleting files
ExecuteWizard ('TSW',2,3,true) - Running Troubleshooting wizard
BootCleaner - activate
Reboot
Insert template for QuarantineFile() - quarantining file
Insert template for BC_QrFile() - quarantining file via BootCleaner
Insert template for DeleteFile() - deleting file
Insert template for DelCLSID() - deleting CLSID item from registry
Additional operations:
Performance tweaking: disable service TermService (Servicios de Escritorio remoto)
Performance tweaking: disable service SSDPSRV (Detecciуn SSDP)
Performance tweaking: disable service Schedule (Programador de tareas)
Security tweaking: disable CD autorun
Security tweaking: disable administrative shares
Security tweaking: disable anonymous user access
Security: disable sending Remote Assistant queries

File list