Results of system analysis

Kaspersky Virus Removal Tool 11.0.0.1245 (database released 24/08/2012; 04:12)

List of processes

Kernel Space Modules Viewer

Services

Drivers

Autoruns

Microsoft Internet Explorer extension modules (BHOs, Toolbars ...)

Windows Explorer extension modules

Printing system extensions (print monitors, providers)

Task Scheduler jobs

SPI/LSP settings

LSP settings checked. No errors detected

яю1

Main script of analysis
Windows version: Microsoft Windows XP, Build=2600, SP="Service Pack 3"
System Restore: enabled
1.1 Searching for user-mode API hooks
 Analysis: kernel32.dll, export table found in section .text
IAT modification detected: CreateProcessA - 00B40010<>7C80236B
IAT modification detected: GetModuleFileNameA - 00B40080<>7C80B56F
IAT modification detected: FreeLibrary - 00B400F0<>7C80AC7E
IAT modification detected: GetModuleFileNameW - 00B40160<>7C80B475
IAT modification detected: CreateProcessW - 00B401D0<>7C802336
IAT modification detected: LoadLibraryW - 00B402B0<>7C80AEEB
IAT modification detected: LoadLibraryA - 00B40320<>7C801D7B
IAT modification detected: GetProcAddress - 00B40390<>7C80AE40
 Analysis: ntdll.dll, export table found in section .text
 Analysis: user32.dll, export table found in section .text
 Analysis: advapi32.dll, export table found in section .text
 Analysis: ws2_32.dll, export table found in section .text
 Analysis: wininet.dll, export table found in section .text
 Analysis: rasapi32.dll, export table found in section .text
 Analysis: urlmon.dll, export table found in section .text
 Analysis: netapi32.dll, export table found in section .text
1.2 Searching for kernel-mode API hooks
 Driver loaded successfully
 SDT found (RVA=085700)
 Kernel ntkrnlpa.exe found in memory at address 804D7000
   SDT = 8055C700
   KiST = 80504494 (284)
Function NtNotifyChangeKey (6F) intercepted (806261C4->A871F004), hook C:\WINDOWS\system32\DRIVERS\avgidsshimx.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtNotifyChangeMultipleKeys (70) intercepted (80624DF8->A871F0D4), hook C:\WINDOWS\system32\DRIVERS\avgidsshimx.sys, driver recognized as trusted
>>> Function restored successfully !
>>> the hook code is already blocked
Function NtOpenProcess (7A) intercepted (805CB456->A871ED76), hook C:\WINDOWS\system32\DRIVERS\avgidsshimx.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtTerminateProcess (101) intercepted (805D22D8->A871EE1E), hook C:\WINDOWS\system32\DRIVERS\avgidsshimx.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtTerminateThread (102) intercepted (805D24D2->A871EEBA), hook C:\WINDOWS\system32\DRIVERS\avgidsshimx.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtWriteVirtualMemory (115) intercepted (805B43D4->A871EF56), hook C:\WINDOWS\system32\DRIVERS\avgidsshimx.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Functions checked: 284, intercepted: 6, restored: 6
1.3 Checking IDT and SYSENTER
 Analysis for CPU 1
 Analysis for CPU 2
CmpCallCallBacks = 00093D84
Disable callback - уже нейтирализованы
 Checking IDT and SYSENTER - complete
1.4 Searching for masking processes and drivers
 Checking not performed: extended monitoring driver (AVZPM) is not installed
1.5 Checking of IRP handlers
 Driver loaded successfully
 Checking - complete
>> Services: potentially dangerous service allowed: RemoteRegistry (Remote Registry)
>> Services: potentially dangerous service allowed: TermService (Terminal Services)
>> Services: potentially dangerous service allowed: SSDPSRV (SSDP Discovery Service)
>> Services: potentially dangerous service allowed: TlntSvr (Telnet)
>> Services: potentially dangerous service allowed: Schedule (Task Scheduler)
>> Services: potentially dangerous service allowed: mnmsrvc (NetMeeting Remote Desktop Sharing)
>> Services: potentially dangerous service allowed: RDSessMgr (Remote Desktop Help Session Manager)
> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
>> Security: disk drives' autorun is enabled
>> Security: administrative shares (C$, D$ ...) are enabled
>> Security: anonymous user access is enabled
>> Security: terminal connections to the PC are allowed
>> Security: sending Remote Assistant queries is enabled
 >>  Disable HDD autorun
 >>  Disable autorun from network drives
 >>  Disable CD/DVD autorun
 >>  Disable removable media autorun
 >>  Windows Explorer - show extensions of known file types
System Analysis in progress

 System Analysis - complete


Script commands
 
Add commands to script:
Blocking hooks using Anti-Rootkit
Enable AVZGuard
Operations with AVZPM (true=enable,false=disable)
BootCleaner - import list of deleted files
BootCleaner - import all
Registry cleanup after deleting files
ExecuteWizard ('TSW',2,3,true) - Running Troubleshooting wizard
BootCleaner - activate
Reboot
Insert template for QuarantineFile() - quarantining file
Insert template for BC_QrFile() - quarantining file via BootCleaner
Insert template for DeleteFile() - deleting file
Insert template for DelCLSID() - deleting CLSID item from registry
Additional operations:
Performance tweaking: disable service RemoteRegistry (Remote Registry)
Performance tweaking: disable service TermService (Terminal Services)
Performance tweaking: disable service SSDPSRV (SSDP Discovery Service)
Performance tweaking: disable service TlntSvr (Telnet)
Performance tweaking: disable service Schedule (Task Scheduler)
Performance tweaking: disable service mnmsrvc (NetMeeting Remote Desktop Sharing)
Performance tweaking: disable service RDSessMgr (Remote Desktop Help Session Manager)
Security tweaking: disable CD autorun
Security tweaking: disable administrative shares
Security tweaking: disable anonymous user access
Security: prevent terminal connections to the PC
Security: disable sending Remote Assistant queries

File list