Gathering system information: completed 5 minutes ago (events: 274, time: 00:05:29)

2012-10-26 13:48:40 Task started Gathering system information
2012-10-26 13:48:42 Main script of analysis
2012-10-26 13:48:42 Windows version: Microsoft Windows XP, Build=2600, SP="Dodatek Service Pack 3"
2012-10-26 13:48:42 System Restore: enabled
2012-10-26 13:48:44 1.1 Searching for user-mode API hooks
2012-10-26 13:48:44 Analysis: kernel32.dll, export table found in section .text
2012-10-26 13:48:44 IAT modification detected: CreateProcessA - 00B80010<>7C80236B
2012-10-26 13:48:44 IAT modification detected: GetModuleFileNameA - 00B80080<>7C80B56F
2012-10-26 13:48:44 IAT modification detected: FreeLibrary - 00B800F0<>7C80AC7E
2012-10-26 13:48:44 IAT modification detected: GetModuleFileNameW - 00B80160<>7C80B475
2012-10-26 13:48:44 IAT modification detected: CreateProcessW - 00B801D0<>7C802336
2012-10-26 13:48:44 IAT modification detected: LoadLibraryW - 00B802B0<>7C80AEEB
2012-10-26 13:48:44 IAT modification detected: LoadLibraryA - 00B80320<>7C801D7B
2012-10-26 13:48:44 IAT modification detected: GetProcAddress - 00B80390<>7C80AE40
2012-10-26 13:48:44 Analysis: ntdll.dll, export table found in section .text
2012-10-26 13:48:44 Analysis: user32.dll, export table found in section .text
2012-10-26 13:48:44 Analysis: advapi32.dll, export table found in section .text
2012-10-26 13:48:44 Analysis: ws2_32.dll, export table found in section .text
2012-10-26 13:48:44 Analysis: wininet.dll, export table found in section .text
2012-10-26 13:48:44 Analysis: rasapi32.dll, export table found in section .text
2012-10-26 13:48:44 Analysis: urlmon.dll, export table found in section .text
2012-10-26 13:48:44 Analysis: netapi32.dll, export table found in section .text
2012-10-26 13:48:46 1.2 Searching for kernel-mode API hooks
2012-10-26 13:48:46 Driver loaded successfully
2012-10-26 13:48:46 SDT found (RVA=07C020)
2012-10-26 13:48:46 Kernel ntkrnlpa.exe found in memory at address 804D7000
2012-10-26 13:48:46 SDT = 80553020
2012-10-26 13:48:46 KiST = 80501B9C (284)
2012-10-26 13:48:46 Function NtAdjustPrivilegesToken (0B) intercepted (805E1ECA->BA51D690), hook C:\WINDOWS\system32\DRIVERS\1294984drv.sys, driver recognized as trusted
2012-10-26 13:48:46 >>> Function restored successfully !
2012-10-26 13:48:46 >>> Hook code blocked
2012-10-26 13:48:46 Function NtClose (19) intercepted (805B1CF4->BA51DF94), hook C:\WINDOWS\system32\DRIVERS\1294984drv.sys, driver recognized as trusted
2012-10-26 13:48:46 >>> Function restored successfully !
2012-10-26 13:48:46 >>> Hook code blocked
2012-10-26 13:48:46 Function NtConnectPort (1F) intercepted (80599994->BA51EDC8), hook C:\WINDOWS\system32\DRIVERS\1294984drv.sys, driver recognized as trusted
2012-10-26 13:48:46 >>> Function restored successfully !
2012-10-26 13:48:46 >>> Hook code blocked
2012-10-26 13:48:46 Function NtCreateEvent (23) intercepted (80605200->BA51F312), hook C:\WINDOWS\system32\DRIVERS\1294984drv.sys, driver recognized as trusted
2012-10-26 13:48:46 >>> Function restored successfully !
2012-10-26 13:48:46 >>> Hook code blocked
2012-10-26 13:48:46 Function NtCreateFile (25) intercepted (8056E2FC->BA51E270), hook C:\WINDOWS\system32\DRIVERS\1294984drv.sys, driver recognized as trusted
2012-10-26 13:48:46 >>> Function restored successfully !
2012-10-26 13:48:46 >>> Hook code blocked
2012-10-26 13:48:46 Function NtCreateKey (29) intercepted (8061A362->BA51C500), hook C:\WINDOWS\system32\DRIVERS\1294984drv.sys, driver recognized as trusted
2012-10-26 13:48:46 >>> Function restored successfully !
2012-10-26 13:48:46 >>> Hook code blocked
2012-10-26 13:48:46 Function NtCreateMutant (2B) intercepted (8060D89A->BA51F1F8), hook C:\WINDOWS\system32\DRIVERS\1294984drv.sys, driver recognized as trusted
2012-10-26 13:48:46 >>> Function restored successfully !
2012-10-26 13:48:46 >>> Hook code blocked
2012-10-26 13:48:46 Function NtCreateNamedPipeFile (2C) intercepted (8056E336->BA51D27E), hook C:\WINDOWS\system32\DRIVERS\1294984drv.sys, driver recognized as trusted
2012-10-26 13:48:46 >>> Function restored successfully !
2012-10-26 13:48:46 >>> Hook code blocked
2012-10-26 13:48:46 Function NtCreatePort (2E) intercepted (8059A4B0->BA51F0CC), hook C:\WINDOWS\system32\DRIVERS\1294984drv.sys, driver recognized as trusted
2012-10-26 13:48:46 >>> Function restored successfully !
2012-10-26 13:48:46 >>> Hook code blocked
2012-10-26 13:48:46 Function NtCreateSection (32) intercepted (805A0796->BA51D426), hook C:\WINDOWS\system32\DRIVERS\1294984drv.sys, driver recognized as trusted
2012-10-26 13:48:46 >>> Function restored successfully !
2012-10-26 13:48:46 >>> Hook code blocked
2012-10-26 13:48:46 Function NtCreateSemaphore (33) intercepted (8060B236->BA51F432), hook C:\WINDOWS\system32\DRIVERS\1294984drv.sys, driver recognized as trusted
2012-10-26 13:48:46 >>> Function restored successfully !
2012-10-26 13:48:46 >>> Hook code blocked
2012-10-26 13:48:46 Function NtCreateThread (35) intercepted (805C72C6->BA51DC1C), hook C:\WINDOWS\system32\DRIVERS\1294984drv.sys, driver recognized as trusted
2012-10-26 13:48:46 >>> Function restored successfully !
2012-10-26 13:48:46 >>> Hook code blocked
2012-10-26 13:48:46 Function NtCreateWaitablePort (38) intercepted (8059A4D4->BA51F162), hook C:\WINDOWS\system32\DRIVERS\1294984drv.sys, driver recognized as trusted
2012-10-26 13:48:46 >>> Function restored successfully !
2012-10-26 13:48:46 >>> Hook code blocked
2012-10-26 13:48:46 Function NtDebugActiveProcess (39) intercepted (80639B62->BA520B1A), hook C:\WINDOWS\system32\DRIVERS\1294984drv.sys, driver recognized as trusted
2012-10-26 13:48:46 >>> Function restored successfully !
2012-10-26 13:48:46 >>> Hook code blocked
2012-10-26 13:48:46 Function NtDeleteKey (3F) intercepted (8061A7F2->BA51CB0A), hook C:\WINDOWS\system32\DRIVERS\1294984drv.sys, driver recognized as trusted
2012-10-26 13:48:46 >>> Function restored successfully !
2012-10-26 13:48:46 >>> Hook code blocked
2012-10-26 13:48:46 Function NtDeleteValueKey (41) intercepted (8061A9C2->BA51CEBE), hook C:\WINDOWS\system32\DRIVERS\1294984drv.sys, driver recognized as trusted
2012-10-26 13:48:46 >>> Function restored successfully !
2012-10-26 13:48:46 >>> Hook code blocked
2012-10-26 13:48:46 Function NtDeviceIoControlFile (42) intercepted (8056E4C2->BA51E6F2), hook C:\WINDOWS\system32\DRIVERS\1294984drv.sys, driver recognized as trusted
2012-10-26 13:48:46 >>> Function restored successfully !
2012-10-26 13:48:46 >>> Hook code blocked
2012-10-26 13:48:46 Function NtDuplicateObject (44) intercepted (805B3908->BA521D26), hook C:\WINDOWS\system32\DRIVERS\1294984drv.sys, driver recognized as trusted
2012-10-26 13:48:46 >>> Function restored successfully !
2012-10-26 13:48:46 >>> Hook code blocked
2012-10-26 13:48:46 Function NtEnumerateKey (47) intercepted (8061ABA2->BA51D00A), hook C:\WINDOWS\system32\DRIVERS\1294984drv.sys, driver recognized as trusted
2012-10-26 13:48:46 >>> Function restored successfully !
2012-10-26 13:48:46 >>> Hook code blocked
2012-10-26 13:48:47 Function NtEnumerateValueKey (49) intercepted (8061AE0C->BA51D0A2), hook C:\WINDOWS\system32\DRIVERS\1294984drv.sys, driver recognized as trusted
2012-10-26 13:48:47 >>> Function restored successfully !
2012-10-26 13:48:47 >>> Hook code blocked
2012-10-26 13:48:47 Function NtFsControlFile (54) intercepted (8056E4F6->BA51E500), hook C:\WINDOWS\system32\DRIVERS\1294984drv.sys, driver recognized as trusted
2012-10-26 13:48:47 >>> Function restored successfully !
2012-10-26 13:48:47 >>> Hook code blocked
2012-10-26 13:48:47 Function NtLoadDriver (61) intercepted (80579608->BA520C0C), hook C:\WINDOWS\system32\DRIVERS\1294984drv.sys, driver recognized as trusted
2012-10-26 13:48:47 >>> Function restored successfully !
2012-10-26 13:48:47 >>> Hook code blocked
2012-10-26 13:48:47 Function NtLoadKey (62) intercepted (8061C55E->BA51C4DC), hook C:\WINDOWS\system32\DRIVERS\1294984drv.sys, driver recognized as trusted
2012-10-26 13:48:47 >>> Function restored successfully !
2012-10-26 13:48:47 >>> Hook code blocked
2012-10-26 13:48:47 Function NtLoadKey2 (63) intercepted (8061C16A->BA51C4EE), hook C:\WINDOWS\system32\DRIVERS\1294984drv.sys, driver recognized as trusted
2012-10-26 13:48:47 >>> Function restored successfully !
2012-10-26 13:48:47 >>> Hook code blocked
2012-10-26 13:48:47 Function NtMapViewOfSection (6C) intercepted (805A752A->BA521374), hook C:\WINDOWS\system32\DRIVERS\1294984drv.sys, driver recognized as trusted
2012-10-26 13:48:47 >>> Function restored successfully !
2012-10-26 13:48:47 >>> Hook code blocked
2012-10-26 13:48:47 Function NtNotifyChangeKey (6F) intercepted (8061C528->BA51D1CE), hook C:\WINDOWS\system32\DRIVERS\1294984drv.sys, driver recognized as trusted
2012-10-26 13:48:47 >>> Function restored successfully !
2012-10-26 13:48:47 >>> Hook code blocked
2012-10-26 13:48:50 Function NtNotifyChangeMultipleKeys (70) intercepted (8061B178->F712121A), hook C:\WINDOWS\system32\DRIVERS\avgidsshimx.sys, driver recognized as trusted
2012-10-26 13:48:50 >>> Function restored successfully !
2012-10-26 13:48:50 >>> Hook code blocked
2012-10-26 13:48:50 Function NtOpenEvent (72) intercepted (80605300->BA51F3A8), hook C:\WINDOWS\system32\DRIVERS\1294984drv.sys, driver recognized as trusted
2012-10-26 13:48:50 >>> Function restored successfully !
2012-10-26 13:48:50 >>> Hook code blocked
2012-10-26 13:48:50 Function NtOpenFile (74) intercepted (8056F41A->BA51E016), hook C:\WINDOWS\system32\DRIVERS\1294984drv.sys, driver recognized as trusted
2012-10-26 13:48:50 >>> Function restored successfully !
2012-10-26 13:48:50 >>> Hook code blocked
2012-10-26 13:48:50 Function NtOpenKey (77) intercepted (8061B734->BA51C6C0), hook C:\WINDOWS\system32\DRIVERS\1294984drv.sys, driver recognized as trusted
2012-10-26 13:48:50 >>> Function restored successfully !
2012-10-26 13:48:50 >>> Hook code blocked
2012-10-26 13:48:50 Function NtOpenMutant (78) intercepted (8060D972->BA51F288), hook C:\WINDOWS\system32\DRIVERS\1294984drv.sys, driver recognized as trusted
2012-10-26 13:48:50 >>> Function restored successfully !
2012-10-26 13:48:50 >>> Hook code blocked
2012-10-26 13:48:50 Function NtOpenProcess (7A) intercepted (805C1354->BA51D8CC), hook C:\WINDOWS\system32\DRIVERS\1294984drv.sys, driver recognized as trusted
2012-10-26 13:48:50 >>> Function restored successfully !
2012-10-26 13:48:50 >>> Hook code blocked
2012-10-26 13:48:50 Function NtOpenSection (7D) intercepted (8059F7CC->BA52110E), hook C:\WINDOWS\system32\DRIVERS\1294984drv.sys, driver recognized as trusted
2012-10-26 13:48:50 >>> Function restored successfully !
2012-10-26 13:48:50 >>> Hook code blocked
2012-10-26 13:48:50 Function NtOpenSemaphore (7E) intercepted (8060B330->BA51F4C8), hook C:\WINDOWS\system32\DRIVERS\1294984drv.sys, driver recognized as trusted
2012-10-26 13:48:50 >>> Function restored successfully !
2012-10-26 13:48:50 >>> Hook code blocked
2012-10-26 13:48:50 Function NtOpenThread (80) intercepted (805C15E0->BA51D7BE), hook C:\WINDOWS\system32\DRIVERS\1294984drv.sys, driver recognized as trusted
2012-10-26 13:48:50 >>> Function restored successfully !
2012-10-26 13:48:50 >>> Hook code blocked
2012-10-26 13:48:50 Function NtQueryKey (A0) intercepted (8061BA5A->BA51D13A), hook C:\WINDOWS\system32\DRIVERS\1294984drv.sys, driver recognized as trusted
2012-10-26 13:48:50 >>> Function restored successfully !
2012-10-26 13:48:50 >>> Hook code blocked
2012-10-26 13:48:50 Function NtQueryMultipleValueKey (A1) intercepted (806194B0->BA51CD72), hook C:\WINDOWS\system32\DRIVERS\1294984drv.sys, driver recognized as trusted
2012-10-26 13:48:50 >>> Function restored successfully !
2012-10-26 13:48:50 >>> Hook code blocked
2012-10-26 13:48:50 Function NtQuerySection (A7) intercepted (805ADC84->BA5216AE), hook C:\WINDOWS\system32\DRIVERS\1294984drv.sys, driver recognized as trusted
2012-10-26 13:48:50 >>> Function restored successfully !
2012-10-26 13:48:50 >>> Hook code blocked
2012-10-26 13:48:50 Function NtQueryValueKey (B1) intercepted (8061859A->BA51C99C), hook C:\WINDOWS\system32\DRIVERS\1294984drv.sys, driver recognized as trusted
2012-10-26 13:48:50 >>> Function restored successfully !
2012-10-26 13:48:50 >>> Hook code blocked
2012-10-26 13:48:50 Function NtQueueApcThread (B4) intercepted (805C7524->BA520FA0), hook C:\WINDOWS\system32\DRIVERS\1294984drv.sys, driver recognized as trusted
2012-10-26 13:48:50 >>> Function restored successfully !
2012-10-26 13:48:50 >>> Hook code blocked
2012-10-26 13:48:50 Function NtRenameKey (C0) intercepted (80619D84->BA51CC2C), hook C:\WINDOWS\system32\DRIVERS\1294984drv.sys, driver recognized as trusted
2012-10-26 13:48:50 >>> Function restored successfully !
2012-10-26 13:48:50 >>> Hook code blocked
2012-10-26 13:48:50 Function NtReplaceKey (C1) intercepted (8061C40E->BA51BF16), hook C:\WINDOWS\system32\DRIVERS\1294984drv.sys, driver recognized as trusted
2012-10-26 13:48:50 >>> Function restored successfully !
2012-10-26 13:48:50 >>> Hook code blocked
2012-10-26 13:48:50 Function NtReplyPort (C2) intercepted (8059A8B0->BA51F82C), hook C:\WINDOWS\system32\DRIVERS\1294984drv.sys, driver recognized as trusted
2012-10-26 13:48:50 >>> Function restored successfully !
2012-10-26 13:48:50 >>> Hook code blocked
2012-10-26 13:48:50 Function NtReplyWaitReceivePort (C3) intercepted (8059B878->BA51F6F2), hook C:\WINDOWS\system32\DRIVERS\1294984drv.sys, driver recognized as trusted
2012-10-26 13:48:50 >>> Function restored successfully !
2012-10-26 13:48:50 >>> Hook code blocked
2012-10-26 13:48:50 Function NtRequestWaitReplyPort (C8) intercepted (8059813A->BA5208B4), hook C:\WINDOWS\system32\DRIVERS\1294984drv.sys, driver recognized as trusted
2012-10-26 13:48:50 >>> Function restored successfully !
2012-10-26 13:48:50 >>> Hook code blocked
2012-10-26 13:48:50 Function NtRestoreKey (CC) intercepted (8061BD1A->BA51C28E), hook C:\WINDOWS\system32\DRIVERS\1294984drv.sys, driver recognized as trusted
2012-10-26 13:48:50 >>> Function restored successfully !
2012-10-26 13:48:50 >>> Hook code blocked
2012-10-26 13:48:50 Function NtResumeThread (CE) intercepted (805CACE0->BA521BC8), hook C:\WINDOWS\system32\DRIVERS\1294984drv.sys, driver recognized as trusted
2012-10-26 13:48:50 >>> Function restored successfully !
2012-10-26 13:48:50 >>> Hook code blocked
2012-10-26 13:48:50 Function NtSaveKey (CF) intercepted (8061BE16->BA51BEAE), hook C:\WINDOWS\system32\DRIVERS\1294984drv.sys, driver recognized as trusted
2012-10-26 13:48:50 >>> Function restored successfully !
2012-10-26 13:48:50 >>> Hook code blocked
2012-10-26 13:48:50 Function NtSecureConnectPort (D2) intercepted (80599128->BA51EB0E), hook C:\WINDOWS\system32\DRIVERS\1294984drv.sys, driver recognized as trusted
2012-10-26 13:48:50 >>> Function restored successfully !
2012-10-26 13:48:50 >>> Hook code blocked
2012-10-26 13:48:50 Function NtSetContextThread (D5) intercepted (805C79E8->BA51DE38), hook C:\WINDOWS\system32\DRIVERS\1294984drv.sys, driver recognized as trusted
2012-10-26 13:48:50 >>> Function restored successfully !
2012-10-26 13:48:50 >>> Hook code blocked
2012-10-26 13:48:50 Function NtSetInformationToken (E6) intercepted (805F0226->BA520154), hook C:\WINDOWS\system32\DRIVERS\1294984drv.sys, driver recognized as trusted
2012-10-26 13:48:50 >>> Function restored successfully !
2012-10-26 13:48:50 >>> Hook code blocked
2012-10-26 13:48:50 Function NtSetSecurityObject (ED) intercepted (805B607A->BA520DAA), hook C:\WINDOWS\system32\DRIVERS\1294984drv.sys, driver recognized as trusted
2012-10-26 13:48:50 >>> Function restored successfully !
2012-10-26 13:48:50 >>> Hook code blocked
2012-10-26 13:48:50 Function NtSetSystemInformation (F0) intercepted (80605F52->BA5217FE), hook C:\WINDOWS\system32\DRIVERS\1294984drv.sys, driver recognized as trusted
2012-10-26 13:48:50 >>> Function restored successfully !
2012-10-26 13:48:50 >>> Hook code blocked
2012-10-26 13:48:51 Function NtSetValueKey (F7) intercepted (806188E8->BA51C816), hook C:\WINDOWS\system32\DRIVERS\1294984drv.sys, driver recognized as trusted
2012-10-26 13:48:51 >>> Function restored successfully !
2012-10-26 13:48:51 >>> Hook code blocked
2012-10-26 13:48:51 Function NtSuspendProcess (FD) intercepted (805CADA8->BA5218F0), hook C:\WINDOWS\system32\DRIVERS\1294984drv.sys, driver recognized as trusted
2012-10-26 13:48:51 >>> Function restored successfully !
2012-10-26 13:48:51 >>> Hook code blocked
2012-10-26 13:48:51 Function NtSuspendThread (FE) intercepted (805CAC1A->BA521A2A), hook C:\WINDOWS\system32\DRIVERS\1294984drv.sys, driver recognized as trusted
2012-10-26 13:48:51 >>> Function restored successfully !
2012-10-26 13:48:51 >>> Hook code blocked
2012-10-26 13:48:51 Function NtSystemDebugControl (FF) intercepted (8060E2B6->BA520A3E), hook C:\WINDOWS\system32\DRIVERS\1294984drv.sys, driver recognized as trusted
2012-10-26 13:48:51 >>> Function restored successfully !
2012-10-26 13:48:51 >>> Hook code blocked
2012-10-26 13:48:51 Function NtTerminateProcess (101) intercepted (805C8CE8->BA51DA68), hook C:\WINDOWS\system32\DRIVERS\1294984drv.sys, driver recognized as trusted
2012-10-26 13:48:51 >>> Function restored successfully !
2012-10-26 13:48:51 >>> Hook code blocked
2012-10-26 13:48:51 Function NtTerminateThread (102) intercepted (805C8EE2->BA51D9C8), hook C:\WINDOWS\system32\DRIVERS\1294984drv.sys, driver recognized as trusted
2012-10-26 13:48:51 >>> Function restored successfully !
2012-10-26 13:48:51 >>> Hook code blocked
2012-10-26 13:48:51 Function NtUnmapViewOfSection (10B) intercepted (805A8340->BA521552), hook C:\WINDOWS\system32\DRIVERS\1294984drv.sys, driver recognized as trusted
2012-10-26 13:48:51 >>> Function restored successfully !
2012-10-26 13:48:51 >>> Hook code blocked
2012-10-26 13:48:51 Function NtWriteVirtualMemory (115) intercepted (805A98CA->BA51DB52), hook C:\WINDOWS\system32\DRIVERS\1294984drv.sys, driver recognized as trusted
2012-10-26 13:48:51 >>> Function restored successfully !
2012-10-26 13:48:51 >>> Hook code blocked
2012-10-26 13:48:51 Function FsRtlCheckLockForReadAccess (804E9FA0) - machine code modification Method of JmpTo. jmp BA50FFD0 \SystemRoot\system32\DRIVERS\1294984drv.sys, driver recognized as trusted
2012-10-26 13:48:51 >>> Function restored successfully !
2012-10-26 13:48:51 Function IoIsOperationSynchronous (804EE87E) - machine code modification Method of JmpTo. jmp BA5103AC \SystemRoot\system32\DRIVERS\1294984drv.sys, driver recognized as trusted
2012-10-26 13:48:51 >>> Function restored successfully !
2012-10-26 13:48:53 Functions checked: 284, intercepted: 61, restored: 63
2012-10-26 13:48:53 1.3 Checking IDT and SYSENTER
2012-10-26 13:48:53 Analysis for CPU 1
2012-10-26 13:48:53 CmpCallCallBacks = 00088FF6
2012-10-26 13:48:53 Disable callback OK
2012-10-26 13:48:53 Checking IDT and SYSENTER - complete
2012-10-26 13:48:56 1.4 Searching for masking processes and drivers
2012-10-26 13:48:56 Checking not performed: extended monitoring driver (AVZPM) is not installed
2012-10-26 13:48:56 1.5 Checking of IRP handlers
2012-10-26 13:48:56 Driver loaded successfully
2012-10-26 13:48:56 Checking - complete
2012-10-26 13:48:58 C:\WINDOWS\system32\msi.dll --> Suspicion for Keylogger or Trojan DLL
2012-10-26 13:48:58 C:\WINDOWS\system32\msi.dll>>> Behavioral analysis
2012-10-26 13:48:58 Behavior typical for keyloggers not detected
2012-10-26 13:49:02 C:\WINDOWS\system32\netshell.dll --> Suspicion for Keylogger or Trojan DLL
2012-10-26 13:49:02 C:\WINDOWS\system32\netshell.dll>>> Behavioral analysis
2012-10-26 13:49:02 Behavior typical for keyloggers not detected
2012-10-26 13:49:02 C:\WINDOWS\system32\credui.dll --> Suspicion for Keylogger or Trojan DLL
2012-10-26 13:49:02 C:\WINDOWS\system32\credui.dll>>> Behavioral analysis
2012-10-26 13:49:02 Behavior typical for keyloggers not detected
2012-10-26 13:49:06 Note: Do NOT delete suspicious files, send them for analysis (see FAQ for more details), because there are lots of useful hooking DLLs
2012-10-26 13:49:16 Latent loading of libraries through AppInit_DLLs suspected: "prio.dll"
2012-10-26 13:49:18 >>> G:\autorun.inf HSC: suspicion for hidden autorun (high degree of probability)
2012-10-26 13:50:02 >> Services: potentially dangerous service allowed: TermService (Usługi terminalowe)
2012-10-26 13:50:02 >> Services: potentially dangerous service allowed: SSDPSRV (Usługa odnajdywania SSDP)
2012-10-26 13:50:02 >> Services: potentially dangerous service allowed: Schedule (Harmonogram zadań)
2012-10-26 13:50:02 > Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
2012-10-26 13:50:02 >> Security: disk drives' autorun is enabled
2012-10-26 13:50:02 >> Security: administrative shares (C$, D$ ...) are enabled
2012-10-26 13:50:02 >> Security: anonymous user access is enabled
2012-10-26 13:50:02 >>> Security: Internet Explorer allows ActiveX, not marked as safe
2012-10-26 13:50:02 >>> Security: block ActiveX not marked as safe in Internet Explorer
2012-10-26 13:50:02 >>> Security: Internet Explorer allows unsigned ActiveX elements
2012-10-26 13:50:02 >>> Security: Internet Explorer allows automatic queries of ActiveX administrative elements
2012-10-26 13:50:02 >>> Security: Internet Explorer allows running files and applications in IFRAME window without asking user
2012-10-26 13:50:02 >> Security: sending Remote Assistant queries is enabled
2012-10-26 13:50:03 >> Microsoft Internet Explorer - ActiveX, not marked as safe, are allowed
2012-10-26 13:50:03 >> Microsoft Internet Explorer - allow signed ActiveX elements download without prompting user
2012-10-26 13:50:03 >> Microsoft Internet Explorer - unsigned ActiveX elements are allowed
2012-10-26 13:50:04 >> Microsoft Internet Explorer - automatic queries of ActiveX operating elements are allowed
2012-10-26 13:50:04 >> Microsoft Internet Explorer - running programs and files in IFRAME window is allowed
2012-10-26 13:50:06 >> Elements of Start menu blocked
2012-10-26 13:50:06 >> Process termination timeout is out of admissible values
2012-10-26 13:50:06 >> Service termination timeout is out of admissible values
2012-10-26 13:50:06 >> Timeout of "Not Responding" verdict for processes is out of admissible values
2012-10-26 13:50:06 >> Help and Support menu item blocked
2012-10-26 13:50:07 >> Disable HDD autorun
2012-10-26 13:50:07 >> Disable autorun from network drives
2012-10-26 13:50:07 >> Disable CD/DVD autorun
2012-10-26 13:50:07 >> Disable removable media autorun
2012-10-26 13:50:07 >> Dangerous extensions detected in the list of file types that pose no threat
2012-10-26 13:50:11 System Analysis in progress
2012-10-26 13:54:09 System Analysis - complete
2012-10-26 13:54:09 Deleting service/driver: utmymjk3
2012-10-26 13:54:09 [microprogram of healing]> registry key deleted HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\utmymjk3
2012-10-26 13:54:09 Delete file:C:\WINDOWS\system32\Drivers\utmymjk3.sys
2012-10-26 13:54:09 Deleting service/driver: ujmymjk3
2012-10-26 13:54:09 Main script of analysis
2012-10-26 13:54:09 Task completed Gathering system information