Results of system analysis

Kaspersky Virus Removal Tool 11.0.0.1245 (database released 07/09/2011; 16:08)

List of processes

File name | PID | Description | Copyright | MD5 | Information
c:\windows\system32\hasplms.exe | 2396 | Sentinel HASP License Manager Service | (c) 2009 SafeNet, Inc., and/or Aladdin Knowledge Systems Ltd. All rights reserved. | ?? | 3662.50 kb, rsah, created: 29.08.2010 18:48:29, modified: 16.12.2009 15:44:36
Command line: C:\Windows\system32\hasplms.exe -run
Detected: 66, recognized as trusted 66
Module name | Handle | Description | Copyright | MD5 | Used by processes
C:\Program Files\Common Files\Aladdin Shared\HASP\haspvlib_89149.dll | 268435456 | Aladdin HASP Vendor Library | Copyright (c) 2009 SafeNet, Inc., and/or Aladdin Knowledge Systems Ltd. | -- | 2396
Modules detected: 655, recognized as trusted 654

Kernel Space Modules Viewer

Module | Base address | Size in memory | Description | Manufacturer
C:\Windows\system32\DRIVERS\11640154.sys | 86A03000 | 522000 (5382144) | |
C:\Windows\System32\Drivers\dump_dumpata.sys | 99EA7000 | 00B000 (45056) | |
C:\Windows\System32\Drivers\dump_msahci.sys | 99EB2000 | 00A000 (40960) | |
C:\Windows\System32\Drivers\sptd.sys | 8320C000 | 110000 (1114112) | |
Modules detected - 160, recognized as trusted - 156

Services

Service | Description | Status | File | Group | Dependencies
RoxLiveShare9 | LiveShare P2P Server 9 | Not started | C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe | | RPCSS
Detected - 149, recognized as trusted - 148

Drivers

Service | Description | Status | File | Group | Dependencies
sptd | sptd | Running | C:\Windows\SystemRoot\System32\Drivers\sptd.sys | Boot Bus Extender |
blbdrive | blbdrive | Not started | C:\Windows\system32\drivers\blbdrive.sys | |
catchme | catchme | Not started | C:\ComboFix\catchme.sys | Base |
IpInIp | IP in IP Tunnel Driver | Not started | C:\Windows\system32\DRIVERS\ipinip.sys | | Tcpip
NwlnkFlt | IPX Traffic Filter Driver | Not started | C:\Windows\system32\DRIVERS\nwlnkflt.sys | | NwlnkFwd
NwlnkFwd | IPX Traffic Forwarder Driver | Not started | C:\Windows\system32\DRIVERS\nwlnkfwd.sys | |
RimUsb | BlackBerry Smartphone | Not started | C:\Windows\system32\Drivers\RimUsb.sys | Base |
Detected - 254, recognized as trusted - 247

Autoruns

File name | Status | Startup method | Description
C:\Program Files\Common Files\McAfee\SystemCore\mfehidk_messages.dll | -- | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\mfehidk, EventMessageFile
C:\Users\Devonasa\AppData\Local\temp\_uninst_93523497.bat | Active | Shortcut in Autoruns folder | C:\Users\Devonasa\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\, C:\Users\Devonasa\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_uninst_93523497.lnk,
C:\Users\Devonasa\Desktop\dds.scr | Active | Registry key | HKEY_USERS, S-1-5-21-1663229470-2338449591-2720500769-1000\Control Panel\Desktop, scrnsave.exe
C:\Users\Devonasa\Desktop\dds.scr | Active | File system.ini | C:\Windows\system.ini, boot, SCRNSAVE.EXE
C:\WindowsSystem32\IoLogMsg.dll | -- | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\vsmraid, EventMessageFile
C:\Windows\System32\appmgmts.dll | Active | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\AppMgmt\Parameters, ServiceDll
C:\Windows\System32\igmpv2.dll | -- | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\IGMPv2, EventMessageFile
C:\Windows\System32\ipbootp.dll | -- | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\IPBOOTP, EventMessageFile
C:\Windows\System32\iprip2.dll | -- | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\IPRIP2, EventMessageFile
C:\Windows\System32\ws03res.dll | -- | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\IPNATHLP, EventMessageFile
C:\Windows\System\LVMaLogD.DLL | -- | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\LOGITECH, EventMessageFile
C:\Windows\system32\psxss.exe | -- | Registry key | HKEY_LOCAL_MACHINE, System\CurrentControlSet\Control\Session Manager\SubSystems, Posix
ResLuComServer_3_3.DLL | -- | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\LiveUpdate, EventMessageFile
progman.exe | Active | Registry key | HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\WOW\boot, shell
rdpclip | Active | Registry key | HKEY_LOCAL_MACHINE, System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd, StartupPrograms
vgafix.fon | Active | Registry key | HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\WOW\boot, fixedfon.fon
vgaoem.fon | Active | Registry key | HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\WOW\boot, oemfonts.fon
vgasys.fon | Active | Registry key | HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\WOW\boot, fonts.fon
Autoruns items detected - 727, recognized as trusted - 709

Microsoft Internet Explorer extension modules (BHOs, Toolbars ...)

File name | Type | Description | Manufacturer | CLSID
 | Extension module | | | {02E2473F-766B-4ce2-8FD0-C4E8071EF1C4}
 | Extension module | | | {2670000A-7350-4f3c-8081-5663EE0C6C49}
 | Extension module | | | {92780B25-18CC-41C8-B9BE-3C9C571A8263}
Elements detected - 13, recognized as trusted - 10

Windows Explorer extension modules

File name | Destination | Description | Manufacturer | CLSID
 | | IE User Assist | | {FAC3CBF6-8697-43d0-BAB9-DCD1FCE19D75}
 | | Color Control Panel Applet | | {b2c761c6-29bc-4f19-9251-e6195265baf1}
 | | Add New Hardware | | {7A979262-40CE-46ff-AEEE-7884AC3B6136}
 | | Get Programs Online | | {3e7efb4c-faf1-453d-89eb-56026875ef90}
 | | Taskbar and Start Menu | | {0DF44EAA-FF21-4412-828E-260A8728E7F1}
 | | ActiveDirectory Folder | | {1b24a030-9b20-49bc-97ac-1be4426f9e59}
 | | ActiveDirectory Folder | | {34449847-FD14-4fc8-A75A-7432F5181EFB}
 | | Sam Account Folder | | {C8494E42-ACDD-4739-B0FB-217361E4894F}
 | | Sam Account Folder | | {E29F9716-5C08-4FCD-955A-119FDB5A522D}
 | | Control Panel command object for Start menu | | {5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}
 | | Default Programs command object for Start menu | | {E44E5D18-0652-4508-A4E2-8A090067BCB0}
 | | Folder Options | | {6dfd7c5c-2451-11d3-a299-00c04f8ef6af}
 | | Explorer Query Band | | {2C2577C2-63A7-40e3-9B7F-586602617ECB}
 | | View Available Networks | | {38a98528-6cbf-4ca9-8dc0-b1e1d10f7b1b}
 | | Contacts folder | | {0F8604A5-4ECE-4DE1-BA7D-CF10F8AA4F48}
 | | Windows Firewall | | {4026492f-2f69-46b8-b9bf-5654fc07e423}
 | | Problem Reports and Solutions | | {fcfeecae-ee1b-4849-ae50-685dcf7717ec}
 | | iSCSI Initiator | | {a304259d-52b8-4526-8b1a-a1d6cecc8243}
 | | .cab or .zip files | | {911051fa-c21c-4246-b470-070cd8df6dc4}
 | | Windows Search Shell Service | | {da67b8ad-e81b-4c70-9b91-b417b5e33527}
 | | Microsoft.ScannersAndCameras | | {00f2886f-cd64-4fc9-8ec5-30ef6cdbe8c3}
 | | Windows Sidebar Properties | | {37efd44d-ef8d-41b1-940d-96973a50e9e0}
 | | Windows Features | | {67718415-c450-4f3c-bf8a-b487642dc39b}
 | | Windows Defender | | {d8559eb9-20c0-410e-beda-7ed416aecc2a}
 | | Mobility Center Control Panel | | {5ea4f148-308c-46d7-98a9-49041b1dd468}
 | | User Accounts | | {7A9D77BD-5403-11d2-8785-2E0420524153}
Elements detected - 302, recognized as trusted - 276

Printing system extensions (print monitors, providers)

File name | Type | Name | Description | Manufacturer
Elements detected - 8, recognized as trusted - 8

Task Scheduler jobs

File name | Job name | Job status | Description | Manufacturer
Elements detected - 4, recognized as trusted - 4

SPI/LSP settings

Namespace providers (NSP)
Provider | Status | EXE file | Description | GUID
Detected - 7, recognized as trusted - 7
Transport protocol providers (TSP, LSP)
Provider | EXE file | Description
Detected - 24, recognized as trusted - 24
Results of automatic SPI settings check
LSP settings checked. No errors detected

TCP/UDP ports

Port | Status | Remote host | Remote port | Application | Notes
TCP ports
135 | LISTENING | 0.0.0.0 | 0 | [880] c:\windows\system32\svchost.exe |
139 | LISTENING | 0.0.0.0 | 0 | [4] System |
445 | LISTENING | 0.0.0.0 | 0 | [4] System |
1947 | LISTENING | 0.0.0.0 | 0 | [2396] c:\windows\system32\hasplms.exe |
5354 | LISTENING | 0.0.0.0 | 0 | [2060] c:\program files\bonjour\mdnsresponder.exe |
5357 | LISTENING | 0.0.0.0 | 0 | [4] System |
8585 | TIME_WAIT | 127.0.0.1 | 50132 | [0] |
8585 | TIME_WAIT | 127.0.0.1 | 50134 | [0] |
8585 | TIME_WAIT | 127.0.0.1 | 50135 | [0] |
8585 | TIME_WAIT | 127.0.0.1 | 50136 | [0] |
8585 | TIME_WAIT | 127.0.0.1 | 50137 | [0] |
8585 | TIME_WAIT | 127.0.0.1 | 50138 | [0] |
8585 | TIME_WAIT | 127.0.0.1 | 50140 | [0] |
8585 | TIME_WAIT | 127.0.0.1 | 50141 | [0] |
8585 | TIME_WAIT | 127.0.0.1 | 50142 | [0] |
8585 | TIME_WAIT | 127.0.0.1 | 50143 | [0] |
8585 | TIME_WAIT | 127.0.0.1 | 50145 | [0] |
8585 | TIME_WAIT | 127.0.0.1 | 50146 | [0] |
8585 | TIME_WAIT | 127.0.0.1 | 50147 | [0] |
8585 | TIME_WAIT | 127.0.0.1 | 50148 | [0] |
8585 | TIME_WAIT | 127.0.0.1 | 50149 | [0] |
8585 | TIME_WAIT | 127.0.0.1 | 50150 | [0] |
8585 | TIME_WAIT | 127.0.0.1 | 50151 | [0] |
8585 | TIME_WAIT | 127.0.0.1 | 50152 | [0] |
8585 | TIME_WAIT | 127.0.0.1 | 50153 | [0] |
8585 | TIME_WAIT | 127.0.0.1 | 50154 | [0] |
8585 | TIME_WAIT | 127.0.0.1 | 50155 | [0] |
8585 | TIME_WAIT | 127.0.0.1 | 50156 | [0] |
8585 | TIME_WAIT | 127.0.0.1 | 50157 | [0] |
8585 | TIME_WAIT | 127.0.0.1 | 50158 | [0] |
8585 | TIME_WAIT | 127.0.0.1 | 50159 | [0] |
8585 | TIME_WAIT | 127.0.0.1 | 50160 | [0] |
8585 | TIME_WAIT | 127.0.0.1 | 50161 | [0] |
8585 | TIME_WAIT | 127.0.0.1 | 50162 | [0] |
8585 | TIME_WAIT | 127.0.0.1 | 50163 | [0] |
8585 | TIME_WAIT | 127.0.0.1 | 50164 | [0] |
8585 | TIME_WAIT | 127.0.0.1 | 50165 | [0] |
8585 | TIME_WAIT | 127.0.0.1 | 50166 | [0] |
8585 | TIME_WAIT | 127.0.0.1 | 50167 | [0] |
8585 | TIME_WAIT | 127.0.0.1 | 50168 | [0] |
8585 | TIME_WAIT | 127.0.0.1 | 50169 | [0] |
8585 | TIME_WAIT | 127.0.0.1 | 50171 | [0] |
8585 | TIME_WAIT | 127.0.0.1 | 50172 | [0] |
8585 | TIME_WAIT | 127.0.0.1 | 50173 | [0] |
8585 | TIME_WAIT | 127.0.0.1 | 50174 | [0] |
8585 | ESTABLISHED | 127.0.0.1 | 50175 | [2492] c:\program files\safeconnect\scmanager.sys |
8585 | LISTENING | 0.0.0.0 | 0 | [2492] c:\program files\safeconnect\scmanager.sys |
27015 | ESTABLISHED | 127.0.0.1 | 49225 | [1284] c:\program files\common files\apple\mobile device support\applemobiledeviceservice.exe |
27015 | LISTENING | 0.0.0.0 | 0 | [1284] c:\program files\common files\apple\mobile device support\applemobiledeviceservice.exe |
49152 | LISTENING | 0.0.0.0 | 0 | [576] c:\windows\system32\wininit.exe |
49153 | LISTENING | 0.0.0.0 | 0 | [968] c:\windows\system32\svchost.exe |
49154 | LISTENING | 0.0.0.0 | 0 | [676] c:\windows\system32\lsass.exe |
49155 | LISTENING | 0.0.0.0 | 0 | [1052] c:\windows\system32\svchost.exe |
49156 | LISTENING | 0.0.0.0 | 0 | [664] c:\windows\system32\services.exe |
49190 | CLOSE_WAIT | 74.125.159.139 | 80 | [1296] c:\program files\google\googletoolbarnotifier\googletoolbarnotifier.exe |
49225 | ESTABLISHED | 127.0.0.1 | 27015 | [2552] c:\program files\itunes\ituneshelper.exe |
49466 | ESTABLISHED | 127.0.0.1 | 49467 | [5988] c:\program files\mozilla firefox\firefox.exe |
49467 | ESTABLISHED | 127.0.0.1 | 49466 | [5988] c:\program files\mozilla firefox\firefox.exe |
49476 | ESTABLISHED | 127.0.0.1 | 49477 | [5988] c:\program files\mozilla firefox\firefox.exe |
49477 | ESTABLISHED | 127.0.0.1 | 49476 | [5988] c:\program files\mozilla firefox\firefox.exe |
50170 | SYN_SENT | 198.31.193.211 | 8443 | [2492] c:\program files\safeconnect\scmanager.sys |
50175 | ESTABLISHED | 127.0.0.1 | 8585 | [3776] c:\program files\safeconnect\scclient.exe |
UDP ports
123 | LISTENING | -- | -- | [1208] c:\windows\system32\svchost.exe |
137 | LISTENING | -- | -- | [4] System |
138 | LISTENING | -- | -- | [4] System |
500 | LISTENING | -- | -- | [1052] c:\windows\system32\svchost.exe |
1900 | LISTENING | -- | -- | [1208] c:\windows\system32\svchost.exe |
1900 | LISTENING | -- | -- | [1208] c:\windows\system32\svchost.exe |
1947 | LISTENING | -- | -- | [2396] c:\windows\system32\hasplms.exe |
3702 | LISTENING | -- | -- | [1208] c:\windows\system32\svchost.exe |
3702 | LISTENING | -- | -- | [1208] c:\windows\system32\svchost.exe |
4500 | LISTENING | -- | -- | [1052] c:\windows\system32\svchost.exe |
5353 | LISTENING | -- | -- | [2060] c:\program files\bonjour\mdnsresponder.exe |
5355 | LISTENING | -- | -- | [1456] c:\windows\system32\svchost.exe |
49546 | LISTENING | -- | -- | [1052] c:\windows\system32\svchost.exe |
51934 | LISTENING | -- | -- | [2908] c:\program files\divx\divx update\divxupdate.exe |
55778 | LISTENING | -- | -- | [1908] c:\windows\system32\spoolsv.exe |
55779 | LISTENING | -- | -- | [1284] c:\program files\common files\apple\mobile device support\applemobiledeviceservice.exe |
55780 | LISTENING | -- | -- | [1284] c:\program files\common files\apple\mobile device support\applemobiledeviceservice.exe |
55781 | LISTENING | -- | -- | [2060] c:\program files\bonjour\mdnsresponder.exe |
55783 | LISTENING | -- | -- | [1208] c:\windows\system32\svchost.exe |
58039 | LISTENING | -- | -- | [2396] c:\windows\system32\hasplms.exe |
58298 | LISTENING | -- | -- | [1208] c:\windows\system32\svchost.exe |
58299 | LISTENING | -- | -- | [1208] c:\windows\system32\svchost.exe |
62573 | LISTENING | -- | -- | [4004] c:\program files\somud\somud.exe |
63241 | LISTENING | -- | -- | [2552] c:\program files\itunes\ituneshelper.exe |
63242 | LISTENING | -- | -- | [2552] c:\program files\itunes\ituneshelper.exe |
65148 | LISTENING | -- | -- | [1004] c:\windows\system32\svchost.exe |

Downloaded Program Files (DPF)

File name | Description | Manufacturer | CLSID | Source URL
C:\Program Files\Java\jre7\bin\npjpi160_30.dll | | | {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} | http://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
 | | | {E2883E8F-472F-4FB0-9522-AC9BF37916A7} | http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Elements detected - 5, recognized as trusted - 3

Control Panel Applets (CPL)

File name | Description | Manufacturer
Elements detected - 23, recognized as trusted - 23

Active Setup

File name | Description | Manufacturer | CLSID
Elements detected - 9, recognized as trusted - 9

HOSTS file

Hosts file record
127.0.0.1       localhost

Protocols and handlers

File name | Type | Description | Manufacturer | CLSID
mscoree.dll | Protocol | Microsoft .NET Runtime Execution Engine () | © Microsoft Corporation. All rights reserved. | {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
mscoree.dll | Protocol | Microsoft .NET Runtime Execution Engine () | © Microsoft Corporation. All rights reserved. | {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
mscoree.dll | Protocol | Microsoft .NET Runtime Execution Engine () | © Microsoft Corporation. All rights reserved. | {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
Elements detected - 17, recognized as trusted - 14

Suspicious objects

File | Description | Type
C:\Windows\system32\DRIVERS\3462167drv.sys | Suspicion for Rootkit | Kernel-mode hook
C:\Windows\system32\ntkrnlpa.exe | Suspicion for Rootkit | Kernel-mode hook
C:\Windows\system32\drivers\wpsdrvnt.sys | Suspicion for Rootkit | Kernel-mode hook


Main script of analysis
Windows version: Windows Vista (TM) Home Premium, Build=6002, SP="Service Pack 2"
System Restore: enabled
1.1 Searching for user-mode API hooks
 Analysis: kernel32.dll, export table found in section .text
IAT modification detected: CreateProcessA - 008E0010<>75AB1C28
IAT modification detected: GetModuleFileNameA - 008E0080<>75AFB8DD
IAT modification detected: FreeLibrary - 008E00F0<>75AF3FA4
IAT modification detected: GetModuleFileNameW - 008E0160<>75AFB49E
IAT modification detected: CreateProcessW - 008E01D0<>75AB1BF3
IAT modification detected: LoadLibraryW - 008E02B0<>75AD9400
IAT modification detected: LoadLibraryA - 008E0320<>75AD957C
IAT modification detected: GetProcAddress - 008E0390<>75AF925B
 Analysis: ntdll.dll, export table found in section .text
 Analysis: user32.dll, export table found in section .text
 Analysis: advapi32.dll, export table found in section .text
 Analysis: ws2_32.dll, export table found in section .text
 Analysis: wininet.dll, export table found in section .text
 Analysis: rasapi32.dll, export table found in section .text
 Analysis: urlmon.dll, export table found in section .text
 Analysis: netapi32.dll, export table found in section .text
 >> Danger ! Process masking detected
1.2 Searching for kernel-mode API hooks
 Driver loaded successfully
 SDT found (RVA=137B00)
 Kernel ntkrnlpa.exe found in memory at address 8221E000
   SDT = 82355B00
   KiST = 822CA86C (391)
Function NtAdjustPrivilegesToken (0C) intercepted (8240E652->C4638E36), hook C:\Windows\system32\DRIVERS\3462167drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtAlertResumeThread (0D) intercepted (824B153D->8673FF10), hook not defined
>>> Function restored successfully !
>>> Hook code blocked
Function NtAlertThread (0E) intercepted (8242A255->8673FFD0), hook not defined
>>> Function restored successfully !
>>> Hook code blocked
Function NtAllocateVirtualMemory (12) intercepted (824664FB->8673BDE8), hook not defined
>>> Function restored successfully !
>>> Hook code blocked
Function NtAlpcConnectPort (15) intercepted (82408887->C463B074), hook C:\Windows\system32\DRIVERS\3462167drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtAlpcCreatePort (16) intercepted (823D8973->C463B2EE), hook C:\Windows\system32\DRIVERS\3462167drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtAlpcSendWaitReceivePort (26) intercepted (8245B9BB->C463B564), hook C:\Windows\system32\DRIVERS\3462167drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtClose (30) intercepted (82458D11->C463974A), hook C:\Windows\system32\DRIVERS\3462167drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtConnectPort (36) intercepted (823EBB36->C463A57E), hook C:\Windows\system32\DRIVERS\3462167drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateEvent (3A) intercepted (82430DA7->C463AAC8), hook C:\Windows\system32\DRIVERS\3462167drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateFile (3C) intercepted (8246033B->C4639A26), hook C:\Windows\system32\DRIVERS\3462167drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateKey (40) intercepted (8240D140->8221EFEC), hook C:\Windows\system32\ntkrnlpa.exe, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateMutant (43) intercepted (8243E80C->C463A9AE), hook C:\Windows\system32\DRIVERS\3462167drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateNamedPipeFile (44) intercepted (823EC783->C4638A24), hook C:\Windows\system32\DRIVERS\3462167drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreatePort (47) intercepted (823A3A40->C463A882), hook C:\Windows\system32\DRIVERS\3462167drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateSection (4B) intercepted (8244FDE5->C4638BCC), hook C:\Windows\system32\DRIVERS\3462167drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateSemaphore (4C) intercepted (823F5D2B->C463ABE8), hook C:\Windows\system32\DRIVERS\3462167drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateThread (4E) intercepted (824AFBB4->C46393D0), hook C:\Windows\system32\DRIVERS\3462167drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateWaitablePort (73) intercepted (82398D02->C463A918), hook C:\Windows\system32\DRIVERS\3462167drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtDebugActiveProcess (74) intercepted (82482D22->C463C2D6), hook C:\Windows\system32\DRIVERS\3462167drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtDeviceIoControlFile (7F) intercepted (824664C8->C4639EA8), hook C:\Windows\system32\DRIVERS\3462167drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtDuplicateObject (81) intercepted (82416551->C463D4E4), hook C:\Windows\system32\DRIVERS\3462167drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtFreeVirtualMemory (93) intercepted (822A2F5D->86739DB8), hook not defined
>>> Function restored successfully !
>>> Hook code blocked
Function NtFsControlFile (96) intercepted (824640E4->C4639CB6), hook C:\Windows\system32\DRIVERS\3462167drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtImpersonateAnonymousToken (9C) intercepted (823D8F12->8673FD50), hook not defined
>>> Function restored successfully !
>>> Hook code blocked
Function NtImpersonateThread (9E) intercepted (823EE54F->8673FE30), hook not defined
>>> Function restored successfully !
>>> Hook code blocked
Function NtLoadDriver (A5) intercepted (82389DEE->C463C3C8), hook C:\Windows\system32\DRIVERS\3462167drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtMapViewOfSection (B1) intercepted (8242E89A->C463CB30), hook C:\Windows\system32\DRIVERS\3462167drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtOpenEvent (B8) intercepted (82417DCF->C463AB5E), hook C:\Windows\system32\DRIVERS\3462167drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtOpenFile (BA) intercepted (824243ED->C46397CC), hook C:\Windows\system32\DRIVERS\3462167drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtOpenKey (BD) intercepted (82426696->8221EFF1), hook C:\Windows\system32\ntkrnlpa.exe, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtOpenMutant (BF) intercepted (8242FB61->C463AA3E), hook C:\Windows\system32\DRIVERS\3462167drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtOpenProcess (C2) intercepted (8243EFA8->C4639074), hook C:\Windows\system32\DRIVERS\3462167drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtOpenProcessToken (C3) intercepted (8241FA2E->86726DF0), hook not defined
>>> Function restored successfully !
>>> Hook code blocked
Function NtOpenSection (C5) intercepted (8242F66D->C463C8CA), hook C:\Windows\system32\DRIVERS\3462167drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtOpenSemaphore (C6) intercepted (823C3EEE->C463AC7E), hook C:\Windows\system32\DRIVERS\3462167drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtOpenThread (C9) intercepted (8243A4FA->C4638F64), hook C:\Windows\system32\DRIVERS\3462167drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtOpenThreadToken (CA) intercepted (8243A2A8->8673DF80), hook not defined
>>> Function restored successfully !
>>> Hook code blocked
Function NtProtectVirtualMemory (D2) intercepted (824382DD->9743A880), hook C:\Windows\system32\drivers\wpsdrvnt.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtQueryDirectoryObject (DB) intercepted (8242F72E->C463B868), hook C:\Windows\system32\DRIVERS\3462167drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtQuerySection (F2) intercepted (8243E6DB->C463CE6A), hook C:\Windows\system32\DRIVERS\3462167drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtQueueApcThread (FF) intercepted (823CF867->C463C75C), hook C:\Windows\system32\DRIVERS\3462167drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtReplaceKey (10C) intercepted (82471FB6->C46376DE), hook C:\Windows\system32\DRIVERS\3462167drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtReplyPort (10E) intercepted (823FF747->C463AFE2), hook C:\Windows\system32\DRIVERS\3462167drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtReplyWaitReceivePort (10F) intercepted (82457EA9->C463AEA8), hook C:\Windows\system32\DRIVERS\3462167drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtRequestWaitReplyPort (114) intercepted (82461F90->C463C070), hook C:\Windows\system32\DRIVERS\3462167drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtRestoreKey (118) intercepted (82470DB2->C4637A56), hook C:\Windows\system32\DRIVERS\3462167drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtResumeThread (11A) intercepted (82439B45->C463D386), hook C:\Windows\system32\DRIVERS\3462167drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtSaveKey (11B) intercepted (82470F69->C4637676), hook C:\Windows\system32\DRIVERS\3462167drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtSecureConnectPort (11E) intercepted (823EB70F->C463A2C4), hook C:\Windows\system32\DRIVERS\3462167drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtSetContextThread (121) intercepted (824B0883->C46395EC), hook C:\Windows\system32\DRIVERS\3462167drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtSetInformationProcess (131) intercepted (824328C8->8673CDC0), hook not defined
>>> Function restored successfully !
>>> Hook code blocked
Function NtSetInformationThread (132) intercepted (824172AD->8673DDB0), hook not defined
>>> Function restored successfully !
>>> Hook code blocked
Function NtSetInformationToken (133) intercepted (823E3C99->C463B90A), hook C:\Windows\system32\DRIVERS\3462167drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtSetSecurityObject (13A) intercepted (823DE038->C463C566), hook C:\Windows\system32\DRIVERS\3462167drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtSetSystemInformation (13D) intercepted (82404EEB->C463CFBA), hook C:\Windows\system32\DRIVERS\3462167drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtSuspendProcess (14A) intercepted (824B1477->C463D0AC), hook C:\Windows\system32\DRIVERS\3462167drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtSuspendThread (14B) intercepted (823B892B->C463D1E6), hook C:\Windows\system32\DRIVERS\3462167drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtSystemDebugControl (14C) intercepted (82416EC1->C463C1FA), hook C:\Windows\system32\DRIVERS\3462167drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtTerminateProcess (14E) intercepted (8240F143->C463921A), hook C:\Windows\system32\DRIVERS\3462167drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtTerminateThread (14F) intercepted (8243A52F->C4639170), hook C:\Windows\system32\DRIVERS\3462167drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtUnmapViewOfSection (15C) intercepted (8242EB5D->C463CD0E), hook C:\Windows\system32\DRIVERS\3462167drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtWriteVirtualMemory (166) intercepted (8242B92D->C4639306), hook C:\Windows\system32\DRIVERS\3462167drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateThreadEx (17E) intercepted (82439FE4->C46394CE), hook C:\Windows\system32\DRIVERS\3462167drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateUserProcess (17F) intercepted (823E7C11->C463B7AE), hook C:\Windows\system32\DRIVERS\3462167drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Functions checked: 391, intercepted: 65, restored: 65
1.3 Checking IDT and SYSENTER
 Analysis for CPU 1
 Analysis for CPU 2
CmpCallCallBacks = 00000000
 Checking IDT and SYSENTER - complete
1.4 Searching for masking processes and drivers
 Checking not performed: extended monitoring driver (AVZPM) is not installed
1.5 Checking of IRP handlers
 Driver loaded successfully
\FileSystem\ntfs[IRP_MJ_CREATE] = 845611E8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_CLOSE] = 845611E8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_WRITE] = 845611E8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_QUERY_INFORMATION] = 845611E8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_SET_INFORMATION] = 845611E8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_QUERY_EA] = 845611E8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_SET_EA] = 845611E8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_QUERY_VOLUME_INFORMATION] = 845611E8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_SET_VOLUME_INFORMATION] = 845611E8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_DIRECTORY_CONTROL] = 845611E8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_FILE_SYSTEM_CONTROL] = 845611E8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_DEVICE_CONTROL] = 845611E8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_LOCK_CONTROL] = 845611E8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_QUERY_SECURITY] = 845611E8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_SET_SECURITY] = 845611E8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_PNP] = 845611E8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_CREATE] = 85CD3430 -> hook not defined
\FileSystem\FastFat[IRP_MJ_CLOSE] = 85CD3430 -> hook not defined
\FileSystem\FastFat[IRP_MJ_WRITE] = 85CD3430 -> hook not defined
\FileSystem\FastFat[IRP_MJ_QUERY_INFORMATION] = 85CD3430 -> hook not defined
\FileSystem\FastFat[IRP_MJ_SET_INFORMATION] = 85CD3430 -> hook not defined
\FileSystem\FastFat[IRP_MJ_QUERY_EA] = 85CD3430 -> hook not defined
\FileSystem\FastFat[IRP_MJ_SET_EA] = 85CD3430 -> hook not defined
\FileSystem\FastFat[IRP_MJ_QUERY_VOLUME_INFORMATION] = 85CD3430 -> hook not defined
\FileSystem\FastFat[IRP_MJ_SET_VOLUME_INFORMATION] = 85CD3430 -> hook not defined
\FileSystem\FastFat[IRP_MJ_DIRECTORY_CONTROL] = 85CD3430 -> hook not defined
\FileSystem\FastFat[IRP_MJ_FILE_SYSTEM_CONTROL] = 85CD3430 -> hook not defined
\FileSystem\FastFat[IRP_MJ_DEVICE_CONTROL] = 85CD3430 -> hook not defined
\FileSystem\FastFat[IRP_MJ_LOCK_CONTROL] = 85CD3430 -> hook not defined
\FileSystem\FastFat[IRP_MJ_PNP] = 85CD3430 -> hook not defined
 Checking - complete
>> Services: potentially dangerous service allowed: TermService (Terminal Services)
>> Services: potentially dangerous service allowed: SSDPSRV (SSDP Discovery)
>> Services: potentially dangerous service allowed: Schedule (Task Scheduler)
> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
>> Security: disk drives' autorun is enabled
>> Security: administrative shares (C$, D$ ...) are enabled
>> Security: anonymous user access is enabled
>> Security: sending Remote Assistant queries is enabled
 >>  Disable HDD autorun
 >>  Disable autorun from network drives
 >>  Disable CD/DVD autorun
 >>  Disable removable media autorun
 >>  Windows Explorer - show extensions of known file types
System Analysis in progress

System Analysis - complete