I have analyzed the anubis report: http://anubis.iseclab.org/?action=result&task_id=166b5eb9b4df7ec54a15da70bdf780736&format=html

Load-time DLLs:
DLL" at address 0x7C900000 by thread 1. Successfully hooked module. … DllMain(0x7C900000, DLL_PROCESS_ATTACH, 0x00000000) in ntdll.dll, flagged as a security risk file since 2003, also User Mode rootkits exploit the slightly lower-level Native API, which invokes functions provided by the operating system’s ntdll.dll.
Kernel32.dll is the Windows base API DLL, which means it’s the dynamic load library (DLL) that handles memory,
This malware has the ability of effective camouflage. It disguises itself as msvcrt.dll, process infection at Base Address: [0x77C10000 ], Users that want to look up a process infection or mutex list themselves for analyzing anubis reports etc. see here:

Now the run time dynamic linking tries to load DLL at run time:
BHO object 425718.OCX at Visual Studio default base address at 0x10000000;
Netapi32.dll is a module that contains the Windows NET API used by applications to access a Microsoft network, in malware it could cause you to lose your network connection.
Run-time comctl32.dll errors will interrupt programs, it is a stealthy malware file programmed to appear as a legitimate file and execute different harmful actions on your compromised computer.
When hnetcfg.dll is loaded, the above files are automatically loaded too, else this dll won’t load.
Cloaked malware file, see: http://www.prevx.com/filenames/156583519112018831-X1/HNETCFG.DLL.html
The most interesting part of the executable is the “IP-stealer” tool … 0x71a50000,
mswsock.dll, is also found in Rootkit: Possibly Infostealer.Banker.C and Gampass malware.

UPX V2.9-3.X SN: 1730 is used in trojan worm constructors.

Registry connection info: Connections info SavedLegacySettings 0x3c0000001600000001000000000000000000000000000000040000000000
changes the default connection settings, several malware species that change this value have been reported for: e.g. W32.MyDoom.AB, VP Killer trojan;
Monitored Registry Keys will change settings for Internet Explorer,
HEOIFZ.PIF is Trojan/Backdoor.
Kill the process HEOIFZ.PIF and remove HEOIFZ.PIF from the Windows startup.
HEOIFZ.PIF is known as: packed with UPX [Kaspersky Lab].
MD5 of HEOIFZ.PIF = 51EA6A72E85FCB31C08139BAC0C30E50
HEOIFZ.PIF size is 32852 bytes.
Full path on a computer: %PROGRAMFILES%\COMMON FILES\REALTECK\HEOIFZ.PIF
OCB.ini is a very malicious threat found in various keyloggers.
Settings in a device control preset are used during logging, capturing, and output
Device\KsecDD 0x00390008 8 - Memory Mapped Files for setting handle control.
The following files have been added to the system: %TEMP%\ECj1.tmp exploiting a JAVA degression bug.
Windows Sockets Helper DLL. wshtcpip.dll normally is found as:
MD5: 08b3a60a4dd7fae800b552f8f8d5deb0
Category: Process Monitor / Processes
ID / Size / Date: #115841 / 19.5 KB / 2006-05-08
Version / Publisher: 5.1.2600.2180(xpsp_sp2_rtm.040803-2158) / Microsoft Corporation
This bug is being exploited: http://www.mail-archive.com/debian-bugs-rc@lists.debian.org/msg110099.html
The malware at hand tries to connect out to China: China Unicom Shandong province network
and to CNCGROUP-SZ China Unicom Shenzhen network, both known as trojan Pepatch sites.
The explorer.exe infection is hard to detect, see: http://virscan.org/report/bc10cdd8fc1b56e4518b094b5da3a210.html
but it will considerably slow down the infected computer.
Buffered RPC data in rpcrt4.dll is a Remote Procedure Call Runtime.
Also, Windows programs usually do not need to monitor the status of the Shift, Ctrl, or Alt keys, but here this is being performed,
Imagehlp.dll runtime dll could lead to a BSOD: got the BSOD with the following message:
"Stop: c0000221 {Bad Image Checksum} The image imagehlp.dll is possibly corrupt.
norman, sandbox: generic trojan w32/malware found as %TEMP%\ECj1.tmp.
Creating website blocks through …MountPoints2\{a1094da8-30a0-11dd-817b-806d6172696f}\
This is found in Neosploit hack code: HKU\S-1-5-21-842925246-1425521274-308236825-500
\XID.hta deploy toolkit
Furthermore there is shut-downer code: IDE#CdRomQEMU_QEMU_CD-ROM________________________0.9.____
#4d51303030302033202020202020202020202020#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
On mshta.exe read http://www.backgroundtask.eu/Systeemtaken/taakinfo/3708/mshta.exe/
As a result of the malware, when the user opens infected partitions using Explorer,
mshta.exe will be launched from the opened partition, see:
http://cn2010-6-294www.virscan.org/report/d777d1b00bffea87f88d34d505817391.html
mshta.exe, not a malcoded executable, is required to access user accounts from the Control Panel,
also Advapi32.dll is required to run.
C:\Windows\AppPatch\AcGenral.DLL (trojan related)- not a valid Windows image…creating control panel issues - this is tracker code: Control Code 0x00090028
Access violation bug is exploited through Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll.
The library file, psapi.dll, contains program code used by Windows applications
to retrieve information about processes and/or device drivers running on the system,
and it is not known to be malicious, also here.
cmd.exe Started by ecj1.tmp delivers a generic flag for malware that abuses Java.lang.ArrayIndexOutOfBoundsException exploit and is detected by norman’s.
system32\ntdll.dll (0x7C900000) C is a malicious process running under explorer.exe

polonus
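
Added example, not part of the post above: a triage check for the HEOIFZ.PIF indicators the post quotes (file name, size of 32852 bytes, MD5), which separates a hash-confirmed file from one that merely shares the name and also catches a renamed copy. The names `FileIoc`, `classify` and `scan` are hypothetical, and the directory scanned in the usage section is an assumption based on the path given in the post.

```python
import hashlib
import os
from dataclasses import dataclass

@dataclass(frozen=True)
class FileIoc:                 # hypothetical helper type for one file indicator
    name: str                  # compared case-insensitively (Windows semantics)
    size: int                  # bytes
    md5: str                   # hex digest

# Indicator values exactly as stated in the post.
HEOIFZ = FileIoc("HEOIFZ.PIF", 32852, "51EA6A72E85FCB31C08139BAC0C30E50")

def md5_of(path, chunk=1 << 16):
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def classify(path, ioc):
    """'confirmed' = size and MD5 match (any file name); 'name-only' = same
    name, different content; 'unreadable' = same name but could not be read."""
    name_hit = os.path.basename(path).lower() == ioc.name.lower()
    try:
        # Hash only when the size already matches, to keep the walk cheap.
        hash_hit = (os.path.getsize(path) == ioc.size
                    and md5_of(path).lower() == ioc.md5.lower())
    except OSError:
        return "unreadable" if name_hit else None
    if hash_hit:
        return "confirmed"
    return "name-only" if name_hit else None

def scan(root, ioc):
    """Walk root and return sorted (path, verdict) pairs for every hit."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            verdict = classify(full, ioc)
            if verdict:
                hits.append((full, verdict))
    return sorted(hits)

if __name__ == "__main__":
    # Assumed scan root: the parent of the folder named in the post.
    root = os.path.expandvars(r"%PROGRAMFILES%\Common Files")
    for path, verdict in scan(root, HEOIFZ):
        print(verdict, path)
```

A "name-only" result means the file should be examined further rather than treated as the sample from the report.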