Status: Deleted (events: 16)
9/8/2011 11:10:35 PM Deleted Trojan program Backdoor.Win32.Poison.crtb C:\games\LazyNewbPack[0.31.25][V9.2]\LazyNewbPack[0.31.25][V9.2]\LNP\Utilities\C-Hacks\DFhack 0.5.15\dfattachtest.exe High
9/8/2011 11:10:43 PM Deleted Trojan program Backdoor.Win32.Poison.crsu C:\games\LazyNewbPack[0.31.25][V9.2]\LazyNewbPack[0.31.25][V9.2]\LNP\Utilities\C-Hacks\DFhack 0.5.15\dfautodump.exe High
9/8/2011 11:10:49 PM Deleted Trojan program Backdoor.Win32.Poison.crsx C:\games\LazyNewbPack[0.31.25][V9.2]\LazyNewbPack[0.31.25][V9.2]\LNP\Utilities\C-Hacks\DFhack 0.5.15\dfcleanmap.exe High
9/8/2011 11:10:54 PM Deleted Trojan program Backdoor.Win32.Poison.crss C:\games\LazyNewbPack[0.31.25][V9.2]\LazyNewbPack[0.31.25][V9.2]\LNP\Utilities\C-Hacks\DFhack 0.5.15\dfderamp.exe High
9/8/2011 11:11:02 PM Deleted Trojan program Backdoor.Win32.Poison.crte C:\games\LazyNewbPack[0.31.25][V9.2]\LazyNewbPack[0.31.25][V9.2]\LNP\Utilities\C-Hacks\DFhack 0.5.15\dfdoffsets.exe High
9/8/2011 11:11:06 PM Deleted Trojan program Backdoor.Win32.Poison.crsz C:\games\LazyNewbPack[0.31.25][V9.2]\LazyNewbPack[0.31.25][V9.2]\LNP\Utilities\C-Hacks\DFhack 0.5.15\dfexpbench.exe High
9/8/2011 11:11:09 PM Deleted Trojan program Backdoor.Win32.Poison.crsw C:\games\LazyNewbPack[0.31.25][V9.2]\LazyNewbPack[0.31.25][V9.2]\LNP\Utilities\C-Hacks\DFhack 0.5.15\dfflows.exe High
9/8/2011 11:11:16 PM Deleted Trojan program Backdoor.Win32.Poison.crga C:\games\LazyNewbPack[0.31.25][V9.2]\LazyNewbPack[0.31.25][V9.2]\LNP\Utilities\C-Hacks\DFhack 0.5.15\dflair.exe High
9/8/2011 11:11:20 PM Deleted Trojan program Backdoor.Win32.Poison.crtd C:\games\LazyNewbPack[0.31.25][V9.2]\LazyNewbPack[0.31.25][V9.2]\LNP\Utilities\C-Hacks\DFhack 0.5.15\dfmode.exe High
9/8/2011 11:11:22 PM Deleted Trojan program Backdoor.Win32.Poison.crst C:\games\LazyNewbPack[0.31.25][V9.2]\LazyNewbPack[0.31.25][V9.2]\LNP\Utilities\C-Hacks\DFhack 0.5.15\dfpause.exe High
9/8/2011 11:11:26 PM Deleted Trojan program Backdoor.Win32.Poison.crtf C:\games\LazyNewbPack[0.31.25][V9.2]\LazyNewbPack[0.31.25][V9.2]\LNP\Utilities\C-Hacks\DFhack 0.5.15\dfposition.exe High
9/8/2011 11:11:32 PM Deleted Trojan program Backdoor.Win32.Poison.crsv C:\games\LazyNewbPack[0.31.25][V9.2]\LazyNewbPack[0.31.25][V9.2]\LNP\Utilities\C-Hacks\DFhack 0.5.15\dfsuspend.exe High
9/8/2011 11:12:30 PM Deleted Trojan program Backdoor.Win32.Poison.crsy C:\games\LazyNewbPack[0.31.25][V9.2]\LazyNewbPack[0.31.25][V9.2]\LNP\Utilities\C-Hacks\DFhack 0.5.15\dftubefill.exe High
9/8/2011 11:12:35 PM Deleted Trojan program Backdoor.Win32.Poison.crta C:\games\LazyNewbPack[0.31.25][V9.2]\LazyNewbPack[0.31.25][V9.2]\LNP\Utilities\C-Hacks\DFhack 0.5.15\dfunstuck.exe High
9/8/2011 11:12:39 PM Deleted Trojan program Backdoor.Win32.Poison.crtc C:\games\LazyNewbPack[0.31.25][V9.2]\LazyNewbPack[0.31.25][V9.2]\LNP\Utilities\C-Hacks\DFhack 0.5.15\dfweather.exe High
9/9/2011 7:51:52 AM Deleted virus HEUR:Exploit.Script.Generic C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\03UA893J\cmuesal7[1].htm High
Results of system analysis
Kaspersky Virus Removal Tool 11.0.0.1245 (database released 08/09/2011; 21:10)
List of processes
File name PID Description Copyright MD5 Information
c:\program files\verizon\iha_messagecenter\bin\verizon_ihamessagecenter.exe
Script: Quarantine, Delete, BC delete, Terminate 4612 ?? 148.00 kb, rsAh,
created: 16.06.2011 13:13:20,
modified: 01.07.2011 15:01:18
Command line:
"C:\Program Files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe"
Detected:77, recognized as trusted 77
Module name Handle Description Copyright MD5 Used by processes
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\cfb60f99da570cc494e27e0e8ee747e2\System.Xml.ni.dll
Script: Quarantine, Delete, BC delete 1639776256 .NET Framework © Microsoft Corporation. All rights reserved. -- 4612
C:\Windows\assembly\NativeImages_v2.0.50727_32\System\9dff86a62a525ec8dc827fe9f50298b7\System.ni.dll
Script: Quarantine, Delete, BC delete 1797128192 .NET Framework © Microsoft Corporation. All rights reserved. -- 4612
Modules detected:639, recognized as trusted 637
Kernel Space Modules Viewer
Module Base address Size in memory Description Manufacturer
C:\Windows\System32\Drivers\dump_atapi.sys
Script: Quarantine, Delete, BC delete 9278F000 008000 (32768)
C:\Windows\System32\Drivers\dump_dumpata.sys
Script: Quarantine, Delete, BC delete 92784000 00B000 (45056)
Modules detected - 150, recognized as trusted - 148
Services
Service Description Status File Group Dependencies
msiserver
Service: Stop, Delete, Disable, BC delete Windows Installer Not started C:\Windows\system32\msiexec
Script: Quarantine, Delete, BC delete rpcss
Detected - 146, recognized as trusted - 145
Drivers
Service Description Status File Group Dependencies
blbdrive
Driver: Unload, Delete, Disable, BC delete blbdrive Not started C:\Windows\system32\drivers\blbdrive.sys
Script: Quarantine, Delete, BC delete
catchme
Driver: Unload, Delete, Disable, BC delete catchme Not started C:\Users\Jeremy\AppData\Local\Temp\catchme.sys
Script: Quarantine, Delete, BC delete Base
IpInIp
Driver: Unload, Delete, Disable, BC delete IP in IP Tunnel Driver Not started C:\Windows\system32\DRIVERS\ipinip.sys
Script: Quarantine, Delete, BC delete Tcpip
MREMP50a64
Driver: Unload, Delete, Disable, BC delete MREMP50a64 NDIS Protocol Driver Not started C:\PROGRA~1\COMMON~1\Motive\MREMP50a64.SYS
Script: Quarantine, Delete, BC delete PNP_TDI
MRESP50a64
Driver: Unload, Delete, Disable, BC delete MRESP50a64 NDIS Protocol Driver Not started C:\PROGRA~1\COMMON~1\Motive\MRESP50a64.SYS
Script: Quarantine, Delete, BC delete PNP_TDI
NwlnkFlt
Driver: Unload, Delete, Disable, BC delete IPX Traffic Filter Driver Not started C:\Windows\system32\DRIVERS\nwlnkflt.sys
Script: Quarantine, Delete, BC delete NwlnkFwd
NwlnkFwd
Driver: Unload, Delete, Disable, BC delete IPX Traffic Forwarder Driver Not started C:\Windows\system32\DRIVERS\nwlnkfwd.sys
Script: Quarantine, Delete, BC delete
Detected - 245, recognized as trusted - 238
Autoruns
File name Status Startup method Description
C:\Users\Jeremy\AppData\Local\Temp\_uninst_46878702.bat
Script: Quarantine, Delete, BC delete Active Shortcut in Autoruns folder C:\Users\Jeremy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\, C:\Users\Jeremy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_uninst_46878702.lnk,
C:\WindowsSystem32\IoLogMsg.dll
Script: Quarantine, Delete, BC delete -- Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\vsmraid, EventMessageFile
C:\Windows\System32\appmgmts.dll
Script: Quarantine, Delete, BC delete Active Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\AppMgmt\Parameters, ServiceDll
C:\Windows\System32\igmpv2.dll
Script: Quarantine, Delete, BC delete -- Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\IGMPv2, EventMessageFile
C:\Windows\System32\ipbootp.dll
Script: Quarantine, Delete, BC delete -- Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\IPBOOTP, EventMessageFile
C:\Windows\System32\iprip2.dll
Script: Quarantine, Delete, BC delete -- Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\IPRIP2, EventMessageFile
C:\Windows\System32\ws03res.dll
Script: Quarantine, Delete, BC delete -- Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\IPNATHLP, EventMessageFile
C:\Windows\system32\psxss.exe
Script: Quarantine, Delete, BC delete -- Registry key HKEY_LOCAL_MACHINE, System\CurrentControlSet\Control\Session Manager\SubSystems, Posix
C:\f0c44b52cae3eef4cd\DW\DW20.exe
Script: Quarantine, Delete, BC delete -- Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\VSSetup, EventMessageFile
SDEvents.dll
Script: Quarantine, Delete, BC delete -- Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Spybot - Search & Destroy 2, EventMessageFile
progman.exe
Script: Quarantine, Delete, BC delete Active Registry key HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\WOW\boot, shell
rdpclip
Script: Quarantine, Delete, BC delete Active Registry key HKEY_LOCAL_MACHINE, System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd, StartupPrograms
vgafix.fon
Script: Quarantine, Delete, BC delete Active Registry key HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\WOW\boot, fixedfon.fon
vgaoem.fon
Script: Quarantine, Delete, BC delete Active Registry key HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\WOW\boot, oemfonts.fon
vgasys.fon
Script: Quarantine, Delete, BC delete Active Registry key HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\WOW\boot, fonts.fon
Autoruns items detected - 707, recognized as trusted - 692
Microsoft Internet Explorer extension modules (BHOs, Toolbars ...)
File name Type Description Manufacturer CLSID
Extension module {2670000A-7350-4f3c-8081-5663EE0C6C49}
Extension module {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}
Extension module {DFB852A3-47F8-48C4-A200-58CAB36FD2A2}
Elements detected - 14, recognized as trusted - 11
Windows Explorer extension modules
File name Destination Description Manufacturer CLSID
IE User Assist {FAC3CBF6-8697-43d0-BAB9-DCD1FCE19D75}
Color Control Panel Applet {b2c761c6-29bc-4f19-9251-e6195265baf1}
Add New Hardware {7A979262-40CE-46ff-AEEE-7884AC3B6136}
Get Programs Online {3e7efb4c-faf1-453d-89eb-56026875ef90}
Taskbar and Start Menu {0DF44EAA-FF21-4412-828E-260A8728E7F1}
ActiveDirectory Folder {1b24a030-9b20-49bc-97ac-1be4426f9e59}
ActiveDirectory Folder {34449847-FD14-4fc8-A75A-7432F5181EFB}
Sam Account Folder {C8494E42-ACDD-4739-B0FB-217361E4894F}
Sam Account Folder {E29F9716-5C08-4FCD-955A-119FDB5A522D}
Control Panel command object for Start menu {5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}
Default Programs command object for Start menu {E44E5D18-0652-4508-A4E2-8A090067BCB0}
Folder Options {6dfd7c5c-2451-11d3-a299-00c04f8ef6af}
Explorer Query Band {2C2577C2-63A7-40e3-9B7F-586602617ECB}
View Available Networks {38a98528-6cbf-4ca9-8dc0-b1e1d10f7b1b}
Contacts folder {0F8604A5-4ECE-4DE1-BA7D-CF10F8AA4F48}
Windows Firewall {4026492f-2f69-46b8-b9bf-5654fc07e423}
Problem Reports and Solutions {fcfeecae-ee1b-4849-ae50-685dcf7717ec}
iSCSI Initiator {a304259d-52b8-4526-8b1a-a1d6cecc8243}
.cab or .zip files {911051fa-c21c-4246-b470-070cd8df6dc4}
Windows Search Shell Service {da67b8ad-e81b-4c70-9b91-b417b5e33527}
Microsoft.ScannersAndCameras {00f2886f-cd64-4fc9-8ec5-30ef6cdbe8c3}
Windows Sidebar Properties {37efd44d-ef8d-41b1-940d-96973a50e9e0}
Windows Features {67718415-c450-4f3c-bf8a-b487642dc39b}
Windows Defender {d8559eb9-20c0-410e-beda-7ed416aecc2a}
Mobility Center Control Panel {5ea4f148-308c-46d7-98a9-49041b1dd468}
User Accounts {7A9D77BD-5403-11d2-8785-2E0420524153}
AVG Find Extension {9F97547E-460A-42C5-AE0C-81C61FFAEBC3}
Elements detected - 307, recognized as trusted - 280
Printing system extensions (print monitors, providers)
File name Type Name Description Manufacturer
Elements detected - 7, recognized as trusted - 7
Task Scheduler jobs
File name Job name Job status Description Manufacturer
Elements detected - 4, recognized as trusted - 4
SPI/LSP settings
Namespace providers (NSP)
Provider Status EXE file Description GUID
Detected - 6, recognized as trusted - 6
Transport protocol providers (TSP, LSP)
Provider EXE file Description
Detected - 18, recognized as trusted - 18
Results of automatic SPI settings check
LSP settings checked. No errors detected
TCP/UDP ports
Port Status Remote Host Remote Port Application Notes
TCP ports
80 LISTENING 0.0.0.0 0 [12] c:\program files\skype\phone\skype.exe
135 LISTENING 0.0.0.0 0 [1136] c:\windows\system32\svchost.exe
139 LISTENING 0.0.0.0 0 [4] System
443 LISTENING 0.0.0.0 0 [12] c:\program files\skype\phone\skype.exe
445 LISTENING 0.0.0.0 0 [4] System
4165 LISTENING 0.0.0.0 0 [12] c:\program files\skype\phone\skype.exe
5357 LISTENING 0.0.0.0 0 [4] System
10000 LISTENING 0.0.0.0 0 [2432] c:\program files\utorrent\utorrent.exe
49152 LISTENING 0.0.0.0 0 [800] c:\windows\system32\wininit.exe
49153 LISTENING 0.0.0.0 0 [1272] c:\windows\system32\svchost.exe
49154 LISTENING 0.0.0.0 0 [1312] c:\windows\system32\svchost.exe
49155 LISTENING 0.0.0.0 0 [864] c:\windows\system32\lsass.exe
49183 LISTENING 0.0.0.0 0 [848] c:\windows\system32\services.exe
53091 LISTENING 0.0.0.0 0 [2432] c:\program files\utorrent\utorrent.exe
55183 CLOSE_WAIT 204.9.163.166 80 [4528] c:\program files\google\chrome\application\chrome.exe
55418 ESTABLISHED 127.0.0.1 55419 [5332] c:\program files\mozilla firefox\firefox.exe
55419 ESTABLISHED 127.0.0.1 55418 [5332] c:\program files\mozilla firefox\firefox.exe
55420 ESTABLISHED 127.0.0.1 55421 [5332] c:\program files\mozilla firefox\firefox.exe
55421 ESTABLISHED 127.0.0.1 55420 [5332] c:\program files\mozilla firefox\firefox.exe
55479 ESTABLISHED 69.171.224.12 80 [5332] c:\program files\mozilla firefox\firefox.exe
55482 TIME_WAIT 64.211.203.98 80 [0]
55485 TIME_WAIT 64.211.203.75 80 [0]
55486 TIME_WAIT 64.211.203.123 80 [0]
55487 TIME_WAIT 69.171.229.39 80 [0]
55488 TIME_WAIT 69.171.224.12 80 [0]
55489 ESTABLISHED 66.220.145.39 80 [5332] c:\program files\mozilla firefox\firefox.exe
55492 TIME_WAIT 204.0.1.64 80 [0]
55493 TIME_WAIT 204.0.1.64 80 [0]
55494 TIME_WAIT 204.0.1.64 80 [0]
55495 TIME_WAIT 204.0.1.40 80 [0]
55496 TIME_WAIT 204.0.1.64 80 [0]
55497 TIME_WAIT 204.0.1.40 80 [0]
55498 TIME_WAIT 204.0.1.64 80 [0]
55499 TIME_WAIT 204.0.1.64 80 [0]
55500 TIME_WAIT 204.0.1.64 80 [0]
55501 TIME_WAIT 204.0.1.40 80 [0]
55502 TIME_WAIT 204.0.1.64 80 [0]
55503 TIME_WAIT 204.0.1.40 80 [0]
55504 TIME_WAIT 204.0.1.64 80 [0]
55505 TIME_WAIT 204.0.1.64 80 [0]
55506 TIME_WAIT 204.0.1.64 80 [0]
55507 TIME_WAIT 74.125.227.69 80 [0]
55510 TIME_WAIT 204.0.1.64 80 [0]
55511 TIME_WAIT 204.0.1.64 80 [0]
55512 TIME_WAIT 204.0.1.64 80 [0]
55559 TIME_WAIT 66.59.66.6 80 [0]
55560 TIME_WAIT 74.125.227.70 80 [0]
55561 TIME_WAIT 74.125.45.100 80 [0]
55566 TIME_WAIT 38.110.160.113 24383 [0]
55569 TIME_WAIT 66.59.66.6 80 [0]
55571 TIME_WAIT 131.247.9.134 49883 [0]
55573 TIME_WAIT 213.146.189.206 12350 [0]
55575 TIME_WAIT 213.146.189.206 12350 [0]
55584 TIME_WAIT 78.141.177.111 12350 [0]
55598 ESTABLISHED 204.0.87.97 80 [1724] c:\windows\system32\svchost.exe
55599 TIME_WAIT 96.41.53.214 43686 [0]
55601 ESTABLISHED 63.97.123.73 80 [12] c:\program files\skype\phone\skype.exe
55602 TIME_WAIT 212.161.8.3 12350 [0]
55604 ESTABLISHED 184.25.210.161 443 [12] c:\program files\skype\phone\skype.exe
55605 ESTABLISHED 184.30.15.139 443 [12] c:\program files\skype\phone\skype.exe
55606 ESTABLISHED 74.125.47.95 443 [12] c:\program files\skype\phone\skype.exe
55607 TIME_WAIT 212.161.8.3 12350 [0]
55615 TIME_WAIT 78.141.181.220 34002 [0]
55617 ESTABLISHED 213.166.51.4 33033 [12] c:\program files\skype\phone\skype.exe
55619 ESTABLISHED 66.59.66.6 80 [5332] c:\program files\mozilla firefox\firefox.exe
55620 ESTABLISHED 66.59.66.6 80 [5332] c:\program files\mozilla firefox\firefox.exe
55621 ESTABLISHED 169.229.97.131 56068 [12] c:\program files\skype\phone\skype.exe
55622 TIME_WAIT 213.146.189.204 12350 [0]
55624 CLOSE_WAIT 204.9.163.156 443 [12] c:\program files\skype\phone\skype.exe
55626 ESTABLISHED 213.146.189.204 12350 [12] c:\program files\skype\phone\skype.exe
55627 ESTABLISHED 69.171.228.20 443 [12] c:\program files\skype\phone\skype.exe
55628 ESTABLISHED 74.125.227.91 443 [12] c:\program files\skype\phone\skype.exe
55630 ESTABLISHED 184.51.37.195 443 [12] c:\program files\skype\phone\skype.exe
UDP ports
123 LISTENING -- -- [1532] c:\windows\system32\svchost.exe
137 LISTENING -- -- [4] System
138 LISTENING -- -- [4] System
443 LISTENING -- -- [12] c:\program files\skype\phone\skype.exe
500 LISTENING -- -- [1312] c:\windows\system32\svchost.exe
1900 LISTENING -- -- [1532] c:\windows\system32\svchost.exe
1900 LISTENING -- -- [2432] c:\program files\utorrent\utorrent.exe
1900 LISTENING -- -- [1532] c:\windows\system32\svchost.exe
3702 LISTENING -- -- [1532] c:\windows\system32\svchost.exe
3702 LISTENING -- -- [1532] c:\windows\system32\svchost.exe
4165 LISTENING -- -- [12] c:\program files\skype\phone\skype.exe
4500 LISTENING -- -- [1312] c:\windows\system32\svchost.exe
5355 LISTENING -- -- [1724] c:\windows\system32\svchost.exe
44301 LISTENING -- -- [3376] c:\windows\system32\pnkbstra.exe
50000 LISTENING -- -- [4612] c:\program files\verizon\iha_messagecenter\bin\verizon_ihamessagecenter.exe
50049 LISTENING -- -- [1532] c:\windows\system32\svchost.exe
50796 LISTENING -- -- [1312] c:\windows\system32\svchost.exe
53091 LISTENING -- -- [2432] c:\program files\utorrent\utorrent.exe
54637 LISTENING -- -- [2432] c:\program files\utorrent\utorrent.exe
54638 LISTENING -- -- [2432] c:\program files\utorrent\utorrent.exe
54835 LISTENING -- -- [1532] c:\windows\system32\svchost.exe
54836 LISTENING -- -- [1532] c:\windows\system32\svchost.exe
56257 LISTENING -- -- [12] c:\program files\skype\phone\skype.exe
62193 LISTENING -- -- [12] c:\program files\skype\phone\skype.exe
Downloaded Program Files (DPF)
File name Description Manufacturer CLSID Source URL
Elements detected - 3, recognized as trusted - 3
Control Panel Applets (CPL)
File name Description Manufacturer
Elements detected - 22, recognized as trusted - 22
Active Setup
File name Description Manufacturer CLSID
Elements detected - 9, recognized as trusted - 9
HOSTS file
Hosts file record
Protocols and handlers
File name Type Description Manufacturer CLSID
mscoree.dll
Script: Quarantine, Delete, BC delete Protocol Microsoft .NET Runtime Execution Engine () © Microsoft Corporation. All rights reserved. {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
mscoree.dll
Script: Quarantine, Delete, BC delete Protocol Microsoft .NET Runtime Execution Engine () © Microsoft Corporation. All rights reserved. {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
mscoree.dll
Script: Quarantine, Delete, BC delete Protocol Microsoft .NET Runtime Execution Engine () © Microsoft Corporation. All rights reserved. {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
Elements detected - 20, recognized as trusted - 17
Suspicious objects
File Description Type
Main script of analysis
Windows version: Windows Vista Home Basic, Build=6001, SP="Service Pack 1"
System Restore: enabled
1.1 Searching for user-mode API hooks
Analysis: kernel32.dll, export table found in section .text
IAT modification detected: CreateProcessA - 00C90010<>75DC1C36
IAT modification detected: GetModuleFileNameA - 00C90080<>75E04625
IAT modification detected: FreeLibrary - 00C900F0<>75E00B10
IAT modification detected: GetModuleFileNameW - 00C90160<>75E05AF5
IAT modification detected: CreateProcessW - 00C901D0<>75DC1C01
IAT modification detected: LoadLibraryW - 00C902B0<>75DE382D
IAT modification detected: LoadLibraryA - 00C90320<>75DE9671
IAT modification detected: GetProcAddress - 00C90390<>75E0BAC6
Analysis: ntdll.dll, export table found in section .text
Analysis: user32.dll, export table found in section .text
Analysis: advapi32.dll, export table found in section .text
Analysis: ws2_32.dll, export table found in section .text
Analysis: wininet.dll, export table found in section .text
Analysis: rasapi32.dll, export table found in section .text
Analysis: urlmon.dll, export table found in section .text
Analysis: netapi32.dll, export table found in section .text
1.2 Searching for kernel-mode API hooks
Driver loaded successfully
SDT found (RVA=137B00)
Kernel ntkrnlpa.exe found in memory at address 82233000
SDT = 8236AB00
KiST = 822EB940 (391)
Functions checked: 391, intercepted: 0, restored: 0
1.3 Checking IDT and SYSENTER
Analysis for CPU 1
Analysis for CPU 2
CmpCallCallBacks = 00000000
Checking IDT and SYSENTER - complete
1.4 Searching for masking processes and drivers
Checking not performed: extended monitoring driver (AVZPM) is not installed
1.5 Checking of IRP handlers
Driver loaded successfully
Checking - complete
>> Services: potentially dangerous service allowed: TermService (Terminal Services)
>> Services: potentially dangerous service allowed: SSDPSRV (SSDP Discovery)
>> Services: potentially dangerous service allowed: Schedule (Task Scheduler)
> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
>> Security: disk drives' autorun is enabled
>> Security: administrative shares (C$, D$ ...) are enabled
>> Security: anonymous user access is enabled
>> Security: sending Remote Assistant queries is enabled
>> Disable HDD autorun
>> Disable autorun from network drives
>> Disable CD/DVD autorun
>> Disable removable media autorun
>> Windows Explorer - show extensions of known file types
System Analysis in progress
System Analysis - complete
Additional operations:
Performance tweaking: disable service TermService (Terminal Services)
Performance tweaking: disable service SSDPSRV (SSDP Discovery)
Performance tweaking: disable service Schedule (Task Scheduler)
Security tweaking: disable CD autorun
Security tweaking: disable administrative shares
Security tweaking: disable anonymous user access
Security: disable sending Remote Assistant queries
File list