Suspicious objectsFile Description Type
Main script of analysis
Windows version: Microsoft Windows XP, Build=2600, SP="Service Pack 2"
System Restore: enabled
1.1 Searching for user-mode API hooks
Analysis: kernel32.dll, export table found in section .text
IAT modification detected: CreateProcessA - 00B80010<>7C802367
IAT modification detected: GetModuleFileNameA - 00B80080<>7C80B4DF
IAT modification detected: GetModuleFileNameW - 00B800F0<>7C80B3E5
IAT modification detected: CreateProcessW - 00B80160<>7C802332
IAT modification detected: LoadLibraryW - 00B80240<>7C80AE5B
IAT modification detected: LoadLibraryA - 00B80320<>7C801D77
IAT modification detected: GetProcAddress - 00B80390<>7C80ADB0
IAT modification detected: FreeLibrary - 00B80400<>7C80ABEE
Analysis: ntdll.dll, export table found in section .text
Analysis: user32.dll, export table found in section .text
Analysis: advapi32.dll, export table found in section .text
Analysis: ws2_32.dll, export table found in section .text
Analysis: wininet.dll, export table found in section .text
Analysis: rasapi32.dll, export table found in section .text
Analysis: urlmon.dll, export table found in section .text
Analysis: netapi32.dll, export table found in section .text
1.2 Searching for kernel-mode API hooks
Driver loaded successfully
SDT found (RVA=082700)
Kernel ntoskrnl.exe found in memory at address 804D7000
SDT = 80559700
KiST = 804E26B8 (284)
Functions checked: 284, intercepted: 0, restored: 0
1.3 Checking IDT and SYSENTER
Analysis for CPU 1
Checking IDT and SYSENTER - complete
1.4 Searching for masking processes and drivers
Searching for masking processes and drivers - complete
Driver loaded successfully
1.5 Checking of IRP handlers
Checking - complete
>> Services: potentially dangerous service allowed: TermService (Terminal Services)
>> Services: potentially dangerous service allowed: SSDPSRV (SSDP Discovery Service)
>> Services: potentially dangerous service allowed: Schedule (Task Scheduler)
>> Services: potentially dangerous service allowed: RDSessMgr (Remote Desktop Help Session Manager)
> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
>> Security: disk drives' autorun is enabled
>> Security: administrative shares (C$, D$ ...) are enabled
>> Security: anonymous user access is enabled
>> Process termination timeout is out of admissible values
>> Service termination timeout is out of admissible values
>> Disable HDD autorun
>> Disable autorun from network drives
>> Disable CD/DVD autorun
>> Disable removable media autorun
>> Windows Update is disabled
System Analysis in progress
System Analysis - complete
Script commands
Add commands to script:
Blocking hooks using Anti-Rootkit
Enable AVZGuard
Operations with AVZPM (true=enable,false=disable)
BootCleaner - import list of deleted files
Registry cleanup after deleting files
BootCleaner - activate
Reboot
Insert template for QuarantineFile() - quarantining file
Insert template for BC_QrFile() - quarantining file via BootCleaner
Insert template for DeleteFile() - deleting file
Insert template for DelCLSID() - deleting CLSID item from registry
Additional operations:
Performance tweaking: disable service TermService (Terminal Services)
Performance tweaking: disable service SSDPSRV (SSDP Discovery Service)
Performance tweaking: disable service Schedule (Task Scheduler)
Performance tweaking: disable service RDSessMgr (Remote Desktop Help Session Manager)
Security tweaking: disable CD autorun
Security tweaking: disable administrative shares
Security tweaking: disable anonymous user access
