Pomoc oko brisanja virusa

Code:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:00:18 PM, on 10/22/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20772)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\SOUNDMAN.EXE
C:\Programi\Hard Disk Sentinel\HDSentinel.exe
F:\Program Files\WinFast\WFDTV\DTVSchdl.exe
F:\Program Files\NetWorx\networx.exe
F:\Program Files\ASUS\GamerOSD\GamerOSD.exe
F:\WINDOWS\system32\RUNDLL32.EXE
C:\Programi\Internet Download Manager\IDMan.exe
F:\Program Files\WinFast\WFDTV\WFWIZ.exe
F:\WINDOWS\system32\ctfmon.exe
C:\hardware\tv-karta\WF_RemCtrl_1.058\WF_RemCtrl.exe
F:\WINDOWS\ATKKBService.exe
F:\WINDOWS\system32\nvsvc32.exe
F:\WINDOWS\system32\oodag.exe
c:\Programs\Parallels Workstation\PRLDHCP.exe
F:\WINDOWS\System32\TUProgSt.exe
F:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Programi\Internet Download Manager\IEMonitor.exe
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Programi\Internet Download Manager\IDMIECC.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PK IE Plugin - {1E1B2879-88FF-11D3-8D96-D7ACAC95951A} - F:\Program Files\BPK\bpkwb.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - F:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\ievkbd.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {80F1B0D1-9425-4197-8B12-3FA84C28F7F7} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - F:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: link filter bho - {E33CF602-D945-461A-83F0-819F76A199F8} - F:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
O2 - BHO: (no name) - {F60E0A4F-7DDD-4345-A0F3-29FC1F088D6D} - (no file)
O3 - Toolbar: &NetWorx Desk Band - {FEEA54B4-D80F-41C7-87B9-DC08E6D3255F} - F:\PROGRA~1\NetWorx\deskband.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Hard Disk Sentinel] "C:\Programi\Hard Disk Sentinel\HDSentinel.exe" /AUTORUN
O4 - HKLM\..\Run: [WinFastDTV] F:\Program Files\WinFast\WFDTV\DTVSchdl.exe
O4 - HKLM\..\Run: [NetWorx] "F:\Program Files\NetWorx\networx.exe" /auto
O4 - HKLM\..\Run: [ASUSGamerOSD] F:\Program Files\ASUS\GamerOSD\GamerOSD.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE F:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVP] "F:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe"
O4 - HKCU\..\Run: [WinFast Schedule] F:\Program Files\WinFast\WFDTV\WFWIZ.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
O4 - Startup: Shortcut to WF_RemCtrl.exe.lnk = C:\hardware\tv-karta\WF_RemCtrl_1.058\WF_RemCtrl.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://F:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Download all links with IDM - C:\Programi\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Programi\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Programi\Internet Download Manager\IEExt.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: &Virtual keyboard - {4248FE82-7FCB-46AC-B270-339F08212110} - F:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
O9 - Extra button: URLs c&heck - {CCF151D8-D089-449F-A5A4-D9909053F20F} - F:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O20 - AppInit_DLLs:  ,F:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll,F:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll,F:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll
O20 - Winlogon Notify: khfEUoOi - khfEUoOi.dll (file missing)
O22 - SharedTaskScheduler: Deskscapes - {EC654325-1273-C2A9-2B7C-45D29BCE68FB} - F:\Program Files\Stardock\Object Desktop\DeskScapes\deskscapes.dll
O22 - SharedTaskScheduler: Stardock Vista ControlPanel Extension - {EC654325-1273-C2A9-2B7C-45D29BCE68FD} - F:\Program Files\Stardock\Object Desktop\DeskScapes\DesktopControlPanel.dll
O22 - SharedTaskScheduler: StardockDreamController - {EC654325-1273-C2A9-2B7C-45D29BCE68FF} - F:\Program Files\Stardock\Object Desktop\DeskScapes\DreamControl.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - F:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: AST Service (astcc) - Nalpeiron Ltd. - F:\WINDOWS\system32\ASTSRV.EXE
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - F:\WINDOWS\ATKKBService.exe
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - F:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
O23 - Service: Google Updater Service (gusvc) - Google - F:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - F:\WINDOWS\system32\oodag.exe
O23 - Service: Parallels DHCP Service for Virtual NIC (PRLDHCP) - Parallels Software International, Inc. - c:\Programs\Parallels Workstation\PRLDHCP.exe
O23 - Service: SiSoftware Deployment Agent Service (SandraAgentSrv) - SiSoftware - c:\Programi\SiSoftware Sandra Professional Business 2009.SP3c\RpcAgentSrv.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - F:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - F:\WINDOWS\System32\TUProgSt.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - F:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 8166 bytes

Code:


Description
Win32/Sality.AA is a polymorphic virus that infects Win32 PE executable files.

Method of Infection

When executed, Win32/Sality.AA drops a malicious component file to:

%System%\drivers\<random filename>.sys

This component is a device driver that acts as a 'rootkit' at kernel level; it allows the virus to hide itself in the compromised system by changing data structures in the kernel and hiding its malicious activity. This 'rootkit' method only functions on Windows NT-based operating systems, such as NT/2000/XP/2003.

Sality.AA also adds the following registry entry as a part of the device driver installation routine:

HKLM\SYSTEM\CurrentControlSet\Services\abp470n5  

It adds the following text to the "system.ini" file located in the %Windows% directory:

[MCIDRV_VER]
DEVICEMB=<random number>

It also adds the following registry key with numerous random subkeys and entries needed for its malicious routine:

HKCU\Software\<computer name><3 random numbers>

For example:

HKCU\Software\JohnSmith498

Note: %System% and %Windows% are variable locations. The malware determines the location of these folders by querying the operating system. The default installation location for the System directory for Windows 2000 and NT is C:\Winnt\System32; for 95, 98 and ME is C:\Windows\System; and for XP is C:\Windows\System32.The default installation location for the Windows directory for Windows 2000 and NT is C:\Winnt; for 95,98 and ME is C:\Windows; and for XP and Vista is C:\Windows.

Method of Distribution
Via File Infection

Win32/Sality.AA is a polymorphic virus that attempts to spread by file infection. It looks for Win32 PE executable files with .EXE or .SCR file extensions, and infects any such files found on the system by appending the virus body to the host file.

Via Networks/Removable Drives

The virus also attempts to propagate by copying itself with a random filename to network drives, including all removable disk drives. Sality.AA also creates an "autorun.inf" file in these drives so that the virus executes when it is accessed.

Payload
Downloads Additional Malware

Sality.AA contacts the following domains in order to download additional malware onto the system:

89.119.67.154
bjerm.mass.hc.ru
klkjwre77638dfqwieuoi888.info
kukutrustnet777.info
kukutrustnet777888.info
kukutrustnet888.info
kukutrustnet987.info
lpbmx.ru
mattfoll.eu.interia.pl
st1.dist.su.lt
www.klkjwre9fqwieluoi.info

Deletes Files

Sality.AA may delete files on the system that have either of the following file extensions:

.VDB
.AVC

Deletes Registry Entries

Win32/Sality.AA deletes registry entries found in any of the following registry subkeys:

HKCU\System\CurrentControlSet\Control\SafeBoot
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot
HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList
HKLM\Software\Microsoft\Windows\CurrentVersion\Ext\Stats
HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

Modifies System Settings / Lowers Security Settings

Sality.AA bypasses the system firewall by executing the command:

netsh firewall set opmode disable

and modifying the following registry entries:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\"<infected filename>" = "<infected filename>:*:Enabled:ipsec"
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = 0
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Setting\GlobalUserOffline = 0

It may also disable settings related to system security. It does this by adding the following registry entries:

HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusOverride = dword:00000001
HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify = dword:00000001
HKLM\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify = dword:00000001
HKLM\SOFTWARE\Microsoft\Security Center\FirewallOverride = dword:00000001
HKLM\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify = dword:00000001
HKLM\SOFTWARE\Microsoft\Security Center\UacDisableNotify = dword:00000001
HKLM\SOFTWARE\Microsoft\Security Center\Svc\AntiVirusOverride = dword:00000001
HKLM\SOFTWARE\Microsoft\Security Center\Svc\AntiVirusDisableNotify = dword:00000001
HKLM\SOFTWARE\Microsoft\Security Center\Svc\FirewallDisableNotify = dword:00000001
HKLM\SOFTWARE\Microsoft\Security Center\Svc\FirewallOverride = dword:00000001
HKLM\SOFTWARE\Microsoft\Security Center\Svc\UpdatesDisableNotify = dword:00000001
HKLM\SOFTWARE\Microsoft\Security Center\Svc\UacDisableNotify = dword:00000001

The virus sets the following registry entry so that hidden folders and files are not displayed in Windows Explorer view:
 
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden = 2

It also disables Registry Editor and Task Manager by adding these registry entries:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableTaskMgr = dword:00000001
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = dword:00000001

Terminates Services

Sality.AA terminates services running on the system that have the following names:

acssrv
Agnitum Client Security Service
Amon monitor
aswFsBlk
aswMon2
aswRdr
aswSP
aswTdi
aswUpdSv
AV Engine
avast! Antivirus
avast! Asynchronous Virus Monitor
avast! iAVS4 Control Service
avast! Mail Scanner
avast! Self Protection
avast! Web Scanner
AVG E-mail Scanner
Avira AntiVir Premium Guard
Avira AntiVir Premium MailGuard
Avira AntiVir Premium WebGuard
BackWeb Plug-in - 4476822
BGLiveSvc
BlackICE
CAISafe
ccEvtMgr
ccProxy
ccSetMgr
Eset HTTP Server
Eset Personal Firewall
Eset Service
F-Prot Antivirus Update Monitor
F-Secure Gatekeeper Handler Starter
fsbwsys
FSDFWD
Google Online Services
InoRPC
InoRT
InoTask
ISSVC
LavasoftFirewall
LIVESRV
McAfeeFramework
McShield
McTaskManager
navapsvc
NOD32krn
NPFMntor
NSCService
Outpost Firewall main module
OutpostFirewall
PAVFIRES
PAVFNSVR
PavProt
PavPrSrv
PAVSRV
PcCtlCom
PersonalFirewal
PREVSRV
ProtoPort Firewall service
PSIMSVC
RapApp
SavRoam
SmcService
SNDSrvc
SPBBCSvc
SpIDer FS Monitor for Windows NT
SpIDer Guard File System Monitor
SPIDERNT
Symantec AntiVirus
Symantec AntiVirus Definition Watcher
Symantec Core LC
Symantec Password Validation
tcpsr
Tmntsrv
TmPfw
tmproxy
UmxAgent
UmxCfg
UmxLU
UmxPol
vsmon
VSSERV
WebrootDesktopFirewallDataService
WebrootFirewall
XCOMM

Terminates Processes / Deletes Files

Win32/Sality.AA terminates any process and/or deletes files with filenames that contain any of the following strings.

_AVPM.
A2GUARD.
AAVSHIELD.
AVAST
ADVCHK.
AHNSD.
AIRDEFENSE
ALERTSVC
ALOGSERV
ALSVC.
AMON.
ANTI-TROJAN.
ANTIVIR
APVXDWIN.
ARMOR2NET.
ASHAVAST.
ASHDISP.
ASHENHCD.
ASHMAISV.
ASHPOPWZ.
ASHSERV.
ASHSIMPL.
ASHSKPCK.
ASHWEBSV.
ASWUPDSV.
ATCON.
ATUPDATER.
ATWATCH.
AVCIMAN.
AVCONSOL.
AVENGINE.
AVESVC.
AVGAMSVR.
AVGCC.
AVGCC32.
AVGCTRL.
AVGEMC.
AVGFWSRV.
AVGNT.
AVGNTDD
AVGNTMGR
AVGSERV.
AVGUARD.
AVGUPSVC.
AVINITNT.
AVKSERV.
AVKSERVICE.
AVKWCTL.
AVP32.
AVPCC.
AVPM.
AVAST
AVSERVER.
AVSCHED32.
AVSYNMGR.
AVWUPD32.
AVWUPSRV.
AVXMONITOR9X.
AVXMONITORNT.
AVXQUAR.
BDMCON.
BDNEWS.
BDSUBMIT.
BDSWITCH.
BLACKD.
BLACKICE.
CAFIX.
CCAPP.
CCEVTMGR.
CCPROXY.
CCSETMGR.
CFIAUDIT.
CLAMTRAY.
CLAMWIN.
CLAW95.
CUREIT
DEFWATCH.
DRVIRUS.
DRWADINS.
DRWEB32W.
DRWEBSCD.
DRWEBUPW.
DWEBLLIO
DWEBIO
ESCANH95.
ESCANHNT.
EWIDOCTRL.
EZANTIVIRUSREGISTRATIONCHECK.
F-AGNT95.
FAMEH32.
FILEMON
FIRESVC.
FIRETRAY.
FIREWALL.
FPAVUPDM.
F-PROT95.
FRESHCLAM.
EKRN.
FSAV32.
FSAVGUI.
FSBWSYS.
F-SCHED.
FSDFWD.
FSGK32.
FSGK32ST.
FSGUIEXE.
FSMA32.
FSMB32.
FSPEX.
FSSM32.
F-STOPW.
GCASDTSERV.
GCASSERV.
GIANTANTISPYWAREMAIN.
GIANTANTISPYWAREUPDATER.
GUARDGUI.
GUARDNT.
HREGMON.
HRRES.
HSOCKPE.
HUPDATE.
IAMAPP.
IAMSERV.
ICLOAD95.
ICLOADNT.
ICMON.
ICSSUPPNT.
ICSUPP95.
ICSUPPNT.
IFACE.
INETUPD.
INOCIT.
INORPC.
INORT.
INOTASK.
INOUPTNG.
IOMON98.
ISAFE.
ISATRAY.
ISRV95.
ISSVC.
KAVMM.
KAVPF.
KAVPFW.
KAVSTART.
KAVSVC.
KAVSVCUI.
KMAILMON.
KPFWSVC.
MCAGENT.
MCMNHDLR.
MCREGWIZ.
MCUPDATE.
MCVSSHLD.
MINILOG.
MYAGTSVC.
MYAGTTRY.
NAVAPSVC.
NAVAPW32.
NAVLU32.
NAVW32.
NOD32
NEOWATCHLOG.
NEOWATCHTRAY.
NISSERV
NISUM.
NMAIN.
NOD32
NORMIST.
NOTSTART.
NPAVTRAY.
NPFMNTOR.
NPFMSG.
NPROTECT.
NSCHED32.
NSMDTR.
NSSSERV.
NSSTRAY.
NTRTSCAN.
NTOS.
NTXCONFIG.
NUPGRADE.
NVCOD.
NVCTE.
NVCUT.
NWSERVICE.
OFCPFWSVC.
OUTPOST
OP_MON.
PAVFIRES.
PAVFNSVR.
PAVKRE.
PAVPROT.
PAVPROXY.
PAVPRSRV.
PAVSRV51.
PAVSS.
PCCGUIDE.
PCCIOMON.
PCCNTMON.
PCCPFW.
PCCTLCOM.
PCTAV.
PERSFW.
PERTSK.
PERVAC.
PNMSRV.
POP3TRAP.
POPROXY.
PREVSRV.
PSIMSVC.
QHM32.
QHONLINE.
QHONSVC.
QHPF.
QHWSCSVC.
RAVMON.
RAVTIMER.
AVGNT
AVCENTER.
RFWMAIN.
RTVSCAN.
RTVSCN95.
RULAUNCH.
SAVADMINSERVICE.
SAVMAIN.
SAVPROGRESS.
SAVSCAN.
SCANNINGPROCESS.
CUREIT
SDHELP.
SHSTAT.
SITECLI.
SPBBCSVC.
SPHINX.
SPIDERCPL.
SPIDERML.
SPIDERNT.
SPIDERUI.
SPYBOTSD.
SPYXX.
SS3EDIT.
STOPSIGNAV.
SWAGENT.
SWDOCTOR.
SWNETSUP.
SYMLCSVC.
SYMPROXYSVC.
SYMSPORT.
SYMWSC.
SYNMGR.
TAUMON.
TBMON.
AVAST
TFAK.
THAV.
THSM.
TMAS.
TMLISTEN.
TMNTSRV.
TMPFW.
TMPROXY.
TNBUTIL.
TRJSCAN.
UP2DATE.
VBA32ECM.
VBA32IFS.
VBA32LDR.
VBA32PP3.
VBSNTW.
VCHK.
VCRMON.
VETTRAY.
VIRUSKEEPER.
VPTRAY.
VRFWSVC.
VRMONNT.
VRMONSVC.
VRRW32.
VSECOMR.
VSHWIN32.
VSMON.
VSSERV.
VSSTAT.
WATCHDOG.
WEBPROXY.
WEBSCANX.
WEBTRAP.
WGFE95.
WINAW32.
WINROUTE.
WINSS.
WINSSNOTIFY.
WRCTRL.
XCOMMSVR.
ZAUINST
ZLCLIENT
ZONEALARM

Prevents Access to Websites

The dropped .SYS file also acts as an "IP Traffic Filter Device Driver" that has the capability to block access to any domains or websites that contain the following strings in their names:

upload_virus
sality-remov
virusinfo.
cureit.
drweb.
onlinescan.
spywareinfo.
ewido.
virusscan.
windowsecurity.
spywareguide.
bitdefender.
pandasoftware.
agnmitum.
virustotal.
sophos.
trendmicro.
etrust.com
symantec.
mcafee.
f-secure.
eset.com
kaspersky

For additional information:

The device driver is not dropped and installed onto the system unless there is an active internet connection.

The virus may prevent execution of applications that perform an integrity self-check as a result of them being infected.