Results of system analysis

Kaspersky Virus Removal Tool 11.0.0.1245 (database released 10/10/2012; 14:44)

List of processes

File name | PID | Description | Copyright | MD5 | Information | Command line
 | 292 | ??? | | | error getting file info | 
 | 344 | ??? | | | error getting file info | 
 | 392 | ??? | | | error getting file info | 
 | 772 | ??? | | | error getting file info | 
 | 1236 | ??? | | | error getting file info | 
 | 1948 | ??? | | | error getting file info | 
 | 360 | ??? | | | error getting file info | 
 | 308 | ??? | | | error getting file info | 
 | 588 | ??? | | | error getting file info | 
 | 1088 | ??? | | | error getting file info | 
 | 2164 | ??? | | | error getting file info | 
 | 2172 | ??? | | | error getting file info | 
 | 2204 | ??? | | | error getting file info | 
 | 2260 | ??? | | | error getting file info | 
 | 2352 | ??? | | | error getting file info | 
 | 2588 | ??? | | | error getting file info | 
 | 2740 | ??? | | | error getting file info | 
 | 2832 | ??? | | | error getting file info | 
 | 2856 | ??? | | | error getting file info | 
 | 2864 | ??? | | | error getting file info | 
 | 2872 | ??? | | | error getting file info | 
 | 2884 | ??? | | | error getting file info | 
 | 2908 | ??? | | | error getting file info | 
 | 3036 | ??? | | | error getting file info | 
 | 3216 | ??? | | | error getting file info | 
 | 3484 | ??? | | | error getting file info | 
 | 4036 | ??? | | | error getting file info | 
 | 4092 | ??? | | | error getting file info | 
 | 2924 | ??? | | | error getting file info | 
 | 3116 | ??? | | | error getting file info | 
Detected - 70, recognized as trusted - 40
Module name | Handle | Description | Copyright | MD5 | Used by processes
Modules detected - 528, recognized as trusted - 528

Kernel Space Modules Viewer

Module | Base address | Size in memory | Description | Manufacturer
C:\Windows\System32\Drivers\dump_atapi.sys | 95CCE000 | 009000 (36864) | | 
C:\Windows\System32\Drivers\dump_dumpata.sys | 95CC3000 | 00B000 (45056) | | 
C:\Windows\System32\Drivers\dump_dumpfve.sys | 95CD7000 | 011000 (69632) | | 
Modules detected - 168, recognized as trusted - 165

Services

Service | Description | Status | File | Group | Dependencies
Detected - 148, recognized as trusted - 148

Drivers

Service | Description | Status | File | Group | Dependencies
catchme | | Not started | C:\Users\Guy\AppData\Local\Temp\catchme.sys | Base | 
RapportIaso | | Not started | c:\programdata\trusteer\rapport\store\exts\rapportms\39624\rapportiaso.sys | | 
Detected - 267, recognized as trusted - 265

Autoruns

File name | Status | Startup method | Description
C:\Program Files\AVG Secure Search\ROC_ROC_NT.exe | Active | Registry key: HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, ROC_ROC_NT | 
C:\Users\Guy\AppData\Local\temp\_uninst_14440365.bat | Active | Shortcut in Autoruns folder: C:\Users\Guy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\, C:\Users\Guy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_uninst_14440365.lnk | 
C:\Windows\system32\psxss.exe | -- | Registry key: HKEY_LOCAL_MACHINE, System\CurrentControlSet\Control\Session Manager\SubSystems, Posix | 
C:\xampp\mysql\bin\mysqld.exe | -- | Registry key: HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\MySQL, EventMessageFile | 
progman.exe | Active | Registry key: HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\WOW\boot, shell | 
vgafix.fon | Active | Registry key: HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\WOW\boot, fixedfon.fon | 
vgaoem.fon | Active | Registry key: HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\WOW\boot, oemfonts.fon | 
vgasys.fon | Active | Registry key: HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\WOW\boot, fonts.fon | 
Autoruns items detected - 595, recognized as trusted - 587

Microsoft Internet Explorer extension modules (BHOs, Toolbars ...)

File name | Type | Description | Manufacturer | CLSID
Elements detected - 5, recognized as trusted - 5

Windows Explorer extension modules

File name | Destination | Description | Manufacturer | CLSID
Elements detected - 8, recognized as trusted - 8

Printing system extensions (print monitors, providers)

File name | Type | Name | Description | Manufacturer
Elements detected - 7, recognized as trusted - 7

Task Scheduler jobs

File name | Job name | Job status | Description | Manufacturer
Elements detected - 1, recognized as trusted - 1

SPI/LSP settings

Namespace providers (NSP)
Provider | Status | EXE file | Description | GUID
Detected - 6, recognized as trusted - 6
Transport protocol providers (TSP, LSP)
Provider | EXE file | Description
Detected - 22, recognized as trusted - 22
Results of automatic SPI settings check
LSP settings checked. No errors detected

TCP/UDP ports

Port | Status | Remote Host | Remote Port | Application | Notes
TCP ports
135 | LISTENING | 0.0.0.0 | 0 | [696] c:\windows\system32\svchost.exe | 
139 | LISTENING | 0.0.0.0 | 0 | [4] System | 
445 | LISTENING | 0.0.0.0 | 0 | [4] System | 
554 | LISTENING | 0.0.0.0 | 0 | [3304] c:\program files\windows media player\wmpnetwk.exe | 
2869 | LISTENING | 0.0.0.0 | 0 | [4] System | 
5357 | LISTENING | 0.0.0.0 | 0 | [4] System | 
10243 | LISTENING | 0.0.0.0 | 0 | [4] System | 
49152 | LISTENING | 0.0.0.0 | 0 | [400] c:\windows\system32\wininit.exe | 
49153 | LISTENING | 0.0.0.0 | 0 | [816] c:\windows\system32\svchost.exe | 
49154 | LISTENING | 0.0.0.0 | 0 | [888] c:\windows\system32\svchost.exe | 
49155 | LISTENING | 0.0.0.0 | 0 | [468] c:\windows\system32\lsass.exe | 
49156 | LISTENING | 0.0.0.0 | 0 | [452] c:\windows\system32\services.exe | 
UDP ports
137 | LISTENING | -- | -- | [4] System | 
138 | LISTENING | -- | -- | [4] System | 
500 | LISTENING | -- | -- | [888] c:\windows\system32\svchost.exe | 
1900 | LISTENING | -- | -- | [1456] c:\windows\system32\svchost.exe | 
1900 | LISTENING | -- | -- | [1456] c:\windows\system32\svchost.exe | 
3544 | LISTENING | -- | -- | [888] c:\windows\system32\svchost.exe | 
3702 | LISTENING | -- | -- | [1456] c:\windows\system32\svchost.exe | 
3702 | LISTENING | -- | -- | [1456] c:\windows\system32\svchost.exe | 
3702 | LISTENING | -- | -- | [1020] c:\windows\system32\svchost.exe | 
3702 | LISTENING | -- | -- | [1020] c:\windows\system32\svchost.exe | 
4500 | LISTENING | -- | -- | [888] c:\windows\system32\svchost.exe | 
5004 | LISTENING | -- | -- | [3304] c:\program files\windows media player\wmpnetwk.exe | 
5005 | LISTENING | -- | -- | [3304] c:\program files\windows media player\wmpnetwk.exe | 
5355 | LISTENING | -- | -- | [1148] c:\windows\system32\svchost.exe | 
49152 | LISTENING | -- | -- | [1456] c:\windows\system32\svchost.exe | 
54153 | LISTENING | -- | -- | [1456] c:\windows\system32\svchost.exe | 
54154 | LISTENING | -- | -- | [1456] c:\windows\system32\svchost.exe | 
54155 | LISTENING | -- | -- | [1020] c:\windows\system32\svchost.exe | 
59966 | LISTENING | -- | -- | [888] c:\windows\system32\svchost.exe | 
64531 | LISTENING | -- | -- | [1020] c:\windows\system32\svchost.exe | 

Downloaded Program Files (DPF)

File name | Description | Manufacturer | CLSID | Source URL
Elements detected - 2, recognized as trusted - 2

Control Panel Applets (CPL)

File name | Description | Manufacturer
Elements detected - 21, recognized as trusted - 21

Active Setup

File name | Description | Manufacturer | CLSID
Elements detected - 9, recognized as trusted - 9

HOSTS file

Hosts file record

Protocols and handlers

File name | Type | Description | Manufacturer | CLSID
mscoree.dll | Protocol | Microsoft .NET Runtime Execution Engine () | © Microsoft Corporation. All rights reserved. | {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
mscoree.dll | Protocol | Microsoft .NET Runtime Execution Engine () | © Microsoft Corporation. All rights reserved. | {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
mscoree.dll | Protocol | Microsoft .NET Runtime Execution Engine () | © Microsoft Corporation. All rights reserved. | {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
Elements detected - 13, recognized as trusted - 10

Suspicious objects

File | Description | Type
C:\Windows\system32\DRIVERS\5857757drv.sys | Suspicion for Rootkit | Kernel-mode hook


Main script of analysis
Windows version: Windows 7 Professional, Build=7601, SP="Service Pack 1"
System Restore: enabled
1.1 Searching for user-mode API hooks
 Analysis: kernel32.dll, export table found in section .text
IAT modification detected: CreateProcessA - 013E0010<>76EC2082
IAT modification detected: GetModuleFileNameA - 013E0080<>76F0D75A
IAT modification detected: FreeLibrary - 013E00F0<>76F0EF67
IAT modification detected: GetModuleFileNameW - 013E0160<>76F0EF35
IAT modification detected: CreateProcessW - 013E01D0<>76EC204D
IAT modification detected: LoadLibraryW - 013E02B0<>76F0EF42
IAT modification detected: LoadLibraryA - 013E0320<>76F0DC65
IAT modification detected: GetProcAddress - 013E0390<>76F0CC94
 Analysis: ntdll.dll, export table found in section .text
 Analysis: user32.dll, export table found in section .text
 Analysis: advapi32.dll, export table found in section .text
 Analysis: ws2_32.dll, export table found in section .text
 Analysis: wininet.dll, export table found in section .text
 Analysis: rasapi32.dll, export table found in section .text
 Analysis: urlmon.dll, export table found in section .text
 Analysis: netapi32.dll, export table found in section .text
1.2 Searching for kernel-mode API hooks
 Driver loaded successfully
 SDT found (RVA=169B00)
 Kernel ntkrnlpa.exe found in memory at address 82A17000
   SDT = 82B80B00
   KiST = 82A95D5C (401)
Function NtAdjustPrivilegesToken (0C) intercepted (82C9CD8D->9EA56E36), hook C:\Windows\system32\DRIVERS\5857757drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtAlpcConnectPort (16) intercepted (82C8D44E->9EA59074), hook C:\Windows\system32\DRIVERS\5857757drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtAlpcCreatePort (17) intercepted (82C0CCFE->9EA592EE), hook C:\Windows\system32\DRIVERS\5857757drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtAlpcSendWaitReceivePort (27) intercepted (82C6A0BE->9EA59564), hook C:\Windows\system32\DRIVERS\5857757drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtClose (32) intercepted (82C5C4F8->9EA5774A), hook C:\Windows\system32\DRIVERS\5857757drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtConnectPort (3B) intercepted (82C8FF59->9EA5857E), hook C:\Windows\system32\DRIVERS\5857757drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateEvent (40) intercepted (82C587EF->9EA58AC8), hook C:\Windows\system32\DRIVERS\5857757drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateFile (42) intercepted (82C67362->9EA57A26), hook C:\Windows\system32\DRIVERS\5857757drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateMutant (4A) intercepted (82C2828E->9EA589AE), hook C:\Windows\system32\DRIVERS\5857757drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateNamedPipeFile (4B) intercepted (82C98749->9EA56A24), hook C:\Windows\system32\DRIVERS\5857757drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreatePort (4D) intercepted (82C09851->9EA58882), hook C:\Windows\system32\DRIVERS\5857757drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateSection (54) intercepted (82C3B04D->9EA56BCC), hook C:\Windows\system32\DRIVERS\5857757drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateSemaphore (55) intercepted (82C1DA85->9EA58BE8), hook C:\Windows\system32\DRIVERS\5857757drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateThread (57) intercepted (82CF3ED6->9EA573D0), hook C:\Windows\system32\DRIVERS\5857757drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateThreadEx (58) intercepted (82C8834B->9EA574CE), hook C:\Windows\system32\DRIVERS\5857757drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateUserProcess (5D) intercepted (82C8627D->9EA597AE), hook C:\Windows\system32\DRIVERS\5857757drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateWaitablePort (5E) intercepted (82BBC1B8->9EA58918), hook C:\Windows\system32\DRIVERS\5857757drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtDebugActiveProcess (60) intercepted (82CC5DB0->9EA5A2D6), hook C:\Windows\system32\DRIVERS\5857757drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtDeviceIoControlFile (6B) intercepted (82C8B5F1->9EA57EA8), hook C:\Windows\system32\DRIVERS\5857757drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtDuplicateObject (6F) intercepted (82C4965A->9EA5B4E4), hook C:\Windows\system32\DRIVERS\5857757drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtFsControlFile (86) intercepted (82C6D8B0->9EA57CB6), hook C:\Windows\system32\DRIVERS\5857757drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtLoadDriver (9B) intercepted (82BDDBFC->9EA5A3C8), hook C:\Windows\system32\DRIVERS\5857757drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtMapViewOfSection (A8) intercepted (82C5E512->9EA5AB30), hook C:\Windows\system32\DRIVERS\5857757drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtOpenEvent (B1) intercepted (82C27C8A->9EA58B5E), hook C:\Windows\system32\DRIVERS\5857757drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtOpenFile (B3) intercepted (82C49C7A->9EA577CC), hook C:\Windows\system32\DRIVERS\5857757drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtOpenMutant (BB) intercepted (82C792F0->9EA58A3E), hook C:\Windows\system32\DRIVERS\5857757drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtOpenProcess (BE) intercepted (82C29AD4->9EA57074), hook C:\Windows\system32\DRIVERS\5857757drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtOpenSection (C2) intercepted (82C8189B->9EA5A8CA), hook C:\Windows\system32\DRIVERS\5857757drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtOpenSemaphore (C3) intercepted (82BFD1B8->9EA58C7E), hook C:\Windows\system32\DRIVERS\5857757drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtOpenThread (C6) intercepted (82C75F95->9EA56F64), hook C:\Windows\system32\DRIVERS\5857757drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtQueryDirectoryObject (E0) intercepted (82C70BFE->9EA59868), hook C:\Windows\system32\DRIVERS\5857757drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtQuerySection (FE) intercepted (82C8EC36->9EA5AE6A), hook C:\Windows\system32\DRIVERS\5857757drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtQueueApcThread (10D) intercepted (82C13D9C->9EA5A75C), hook C:\Windows\system32\DRIVERS\5857757drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtReplaceKey (124) intercepted (82CB3B18->9EA556DE), hook C:\Windows\system32\DRIVERS\5857757drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtReplyPort (126) intercepted (82C08B2F->9EA58FE2), hook C:\Windows\system32\DRIVERS\5857757drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtReplyWaitReceivePort (127) intercepted (82C5074C->9EA58EA8), hook C:\Windows\system32\DRIVERS\5857757drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtRequestWaitReplyPort (12B) intercepted (82C55A43->9EA5A070), hook C:\Windows\system32\DRIVERS\5857757drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtRestoreKey (12E) intercepted (82CA9B5C->9EA55A56), hook C:\Windows\system32\DRIVERS\5857757drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtResumeThread (130) intercepted (82C88572->9EA5B386), hook C:\Windows\system32\DRIVERS\5857757drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtSaveKey (135) intercepted (82CAB3CE->9EA55676), hook C:\Windows\system32\DRIVERS\5857757drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtSecureConnectPort (138) intercepted (82C75FCA->9EA582C4), hook C:\Windows\system32\DRIVERS\5857757drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtSetContextThread (13C) intercepted (82CF5755->9EA575EC), hook C:\Windows\system32\DRIVERS\5857757drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtSetInformationToken (150) intercepted (82C1B878->9EA5990A), hook C:\Windows\system32\DRIVERS\5857757drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtSetSecurityObject (15B) intercepted (82C1971E->9EA5A566), hook C:\Windows\system32\DRIVERS\5857757drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtSetSystemInformation (15E) intercepted (82C6626C->9EA5AFBA), hook C:\Windows\system32\DRIVERS\5857757drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtSuspendProcess (16E) intercepted (82CF5BE3->9EA5B0AC), hook C:\Windows\system32\DRIVERS\5857757drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtSuspendThread (16F) intercepted (82CAD085->9EA5B1E6), hook C:\Windows\system32\DRIVERS\5857757drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtSystemDebugControl (170) intercepted (82C9D6BC->9EA5A1FA), hook C:\Windows\system32\DRIVERS\5857757drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtTerminateProcess (172) intercepted (82C72BCD->9EA5721A), hook C:\Windows\system32\DRIVERS\5857757drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtTerminateThread (173) intercepted (82C90584->9EA57170), hook C:\Windows\system32\DRIVERS\5857757drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtUnmapViewOfSection (181) intercepted (82C7C85A->9EA5AD0E), hook C:\Windows\system32\DRIVERS\5857757drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtWriteVirtualMemory (18F) intercepted (82C7792A->9EA57306), hook C:\Windows\system32\DRIVERS\5857757drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Functions checked: 401, intercepted: 52, restored: 52
1.3 Checking IDT and SYSENTER
 Analysis for CPU 1
 Analysis for CPU 2
CmpCallCallBacks = 00000000
 Checking IDT and SYSENTER - complete
1.4 Searching for masking processes and drivers
Masking process with PID=292, name = ""
 >> PID substitution detected (current PID=0, real = 292)
Masking process with PID=344, name = ""
 >> PID substitution detected (current PID=0, real = 344)
Masking process with PID=392, name = ""
 >> PID substitution detected (current PID=0, real = 392)
Masking process with PID=772, name = ""
 >> PID substitution detected (current PID=0, real = 772)
Masking process with PID=1236, name = ""
 >> PID substitution detected (current PID=0, real = 1236)
Masking process with PID=1948, name = ""
 >> PID substitution detected (current PID=0, real = 1948)
Masking process with PID=360, name = ""
 >> PID substitution detected (current PID=0, real = 360)
Masking process with PID=308, name = ""
 >> PID substitution detected (current PID=0, real = 308)
Masking process with PID=588, name = ""
 >> PID substitution detected (current PID=0, real = 588)
Masking process with PID=2164, name = ""
 >> PID substitution detected (current PID=0, real = 2164)
Masking process with PID=2172, name = ""
 >> PID substitution detected (current PID=0, real = 2172)
Masking process with PID=2204, name = ""
 >> PID substitution detected (current PID=0, real = 2204)
Masking process with PID=2260, name = ""
 >> PID substitution detected (current PID=0, real = 2260)
Masking process with PID=2352, name = ""
 >> PID substitution detected (current PID=0, real = 2352)
Masking process with PID=2588, name = ""
 >> PID substitution detected (current PID=0, real = 2588)
Masking process with PID=2740, name = ""
 >> PID substitution detected (current PID=0, real = 2740)
Masking process with PID=2832, name = ""
 >> PID substitution detected (current PID=0, real = 2832)
Masking process with PID=2856, name = ""
 >> PID substitution detected (current PID=0, real = 2856)
Masking process with PID=2864, name = ""
 >> PID substitution detected (current PID=0, real = 2864)
Masking process with PID=2872, name = ""
 >> PID substitution detected (current PID=0, real = 2872)
Masking process with PID=2884, name = ""
 >> PID substitution detected (current PID=0, real = 2884)
Masking process with PID=2908, name = ""
 >> PID substitution detected (current PID=0, real = 2908)
Masking process with PID=2932, name = ""
 >> PID substitution detected (current PID=0, real = 2932)
Masking process with PID=3036, name = ""
 >> PID substitution detected (current PID=0, real = 3036)
Masking process with PID=3216, name = ""
 >> PID substitution detected (current PID=0, real = 3216)
Masking process with PID=3484, name = ""
 >> PID substitution detected (current PID=0, real = 3484)
Masking process with PID=4092, name = ""
 >> PID substitution detected (current PID=0, real = 4092)
 Searching for masking processes and drivers - complete
1.5 Checking of IRP handlers
 Driver loaded successfully
 Checking - complete
>> Services: potentially dangerous service allowed: TermService (Remote Desktop Services)
>> Services: potentially dangerous service allowed: SSDPSRV (SSDP Discovery)
>> Services: potentially dangerous service allowed: Schedule (Task Scheduler)
> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
>> Security: disk drives' autorun is enabled
>> Security: administrative shares (C$, D$ ...) are enabled
>> Security: anonymous user access is enabled
>> Security: sending Remote Assistant queries is enabled
 >>  Windows Explorer startup key is modified
 >>  Disable HDD autorun
 >>  Disable autorun from network drives
 >>  Disable CD/DVD autorun
 >>  Disable removable media autorun
System Analysis in progress

System Analysis - complete