Kaspersky Virus Removal Tool 11.0.0.1245 (database released 25/08/2011; 13:26)
File name | PID | Description | Copyright | MD5 | Information
AESTSr64.exe | 1492 | | | ?? | error getting file info; Command line:
agr64svc.exe | 1516 | | | ?? | error getting file info; Command line:
EKIJ5000MUI.exe | 1080 | | | ?? | error getting file info; Command line:
hpCaslNotification.exe | 4924 | | | ?? | error getting file info; Command line:
HPHC_Service.exe | 2640 | | | ?? | error getting file info; Command line:
HPWAMain.exe | 536 | | | ?? | error getting file info; Command line:
iPodService.exe | 4696 | | | ?? | error getting file info; Command line:
jucheck.exe | 4324 | | | ?? | error getting file info; Command line:
jusched.exe | 3652 | | | ?? | error getting file info; Command line:
PresentationFontCache.exe | 4132 | | | ?? | error getting file info; Command line:
sidebar.exe | 2652 | | | ?? | error getting file info; Command line:
SmartMenu.exe | 408 | | | ?? | error getting file info; Command line:
stacsv64.exe | 484 | | | ?? | error getting file info; Command line:
SynTPEnh.exe | 980 | | | ?? | error getting file info; Command line:
SynTPHelper.exe | 3692 | | | ?? | error getting file info; Command line:
wmpnetwk.exe | 2860 | | | ?? | error getting file info; Command line:
Detected: 89, recognized as trusted: 73

Module name | Handle | Description | Copyright | MD5 | Used by processes
Modules detected: 485, recognized as trusted: 485

Module | Base address | Size in memory | Description | Manufacturer
C:\Users\hallo\AppData\Local\Temp\aswMBR.sys | D110000 | 00E000 (57344) | |
C:\Windows\System32\Drivers\dump_dumpfve.sys | 8A1A000 | 013000 (77824) | |
C:\Windows\System32\Drivers\dump_iaStor.sys | 20A2000 | 11C000 (1163264) | |
Modules detected - 242, recognized as trusted - 239

Service | Description | Status | File | Group | Dependencies
Detected - 170, recognized as trusted - 170

Service | Description | Status | File | Group | Dependencies
RtsUIR | Realtek IR Driver | Not started | C:\Windows\system32\DRIVERS\Rts516xIR.sys | |
USBCCID | Realtek Smartcard Reader Driver | Not started | C:\Windows\system32\DRIVERS\RtsUCcid.sys | |
Detected - 262, recognized as trusted - 260

File name | Status | Startup method | Description
C:\Program Files (x86)\Common Files\Microsoft Shared\DW\DW.EXE | -- | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Microsoft Visual Studio Tools for Applications, EventMessageFile
C:\ProgramData\Verizon\UA_ar\UtilityApplication.exe | Active | Shortcut in Autoruns folder | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Launch Utility Application.lnk
C:\Users\hallo\AppData\Local\Temp\_uninst_52024155.bat | Active | Shortcut in Autoruns folder | C:\Users\hallo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\, C:\Users\hallo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_uninst_52024155.lnk
C:\Users\hallo\AppData\Roaming\Verizon\UA_ar\UtilityApplication.exe | Active | Shortcut in Autoruns folder | C:\Users\hallo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\, C:\Users\hallo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Launch Utility Application.lnk
C:\Windows\system32\psxss.exe | -- | Registry key | HKEY_LOCAL_MACHINE, System\CurrentControlSet\Control\Session Manager\SubSystems, Posix
auditcse.dll | Active | Registry key | HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{f3ccc681-b74c-4060-9f26-cd84525dca2a}, DLLName
igfxdev.dll | Active | Registry key | HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui, DLLName
rdpclip | Active | Registry key | HKEY_LOCAL_MACHINE, System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd, StartupPrograms
Autoruns items detected - 608, recognized as trusted - 600

File name | Type | Description | Manufacturer | CLSID
Explorer Bar | | | | {555D4D79-4BD2-4094-A395-CFC534424A05}
Elements detected - 8, recognized as trusted - 7

File name | Destination | Description | Manufacturer | CLSID
WinRAR shell extension | | | | {B41DB860-8EE4-11D2-9906-E49FADC173CA}
ColumnHandler | | | | {F9DB5320-233E-11D1-9F84-707F02C10627}
Elements detected - 12, recognized as trusted - 10

File name | Type | Name | Description | Manufacturer
cpwmon64.dll | Monitor | CutePDF Writer Monitor | |
EKIJ5000MON.dll | Monitor | KODAK EASYSHARE All-in-One Printer | |
localspl.dll | Monitor | Local Port | |
FXSMON.DLL | Monitor | Microsoft Shared Fax Monitor | |
hpf3lw73.dll | Monitor | PCL hpf3lw73 | |
hpz3lw71.dll | Monitor | PCL hpz3lw71 | |
tcpmon.dll | Monitor | Standard TCP/IP Port | |
usbmon.dll | Monitor | USB Monitor | |
WSDMon.dll | Monitor | WSD Port | |
inetpp.dll | Provider | HTTP Print Services | |
Elements detected - 11, recognized as trusted - 1

File name | Job name | Job status | Description | Manufacturer
Elements detected - 5, recognized as trusted - 5

Provider | Status | EXE file | Description | GUID
Detected - 9, recognized as trusted - 9

Provider | EXE file | Description
Detected - 10, recognized as trusted - 10

Port | Status | Remote Host | Remote Port | Application | Notes
TCP ports
UDP ports

File name | Description | Manufacturer | CLSID | Source URL
| | | {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} | http://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
Elements detected - 3, recognized as trusted - 2

File name | Description | Manufacturer
C:\Windows\system32\FlashPlayerCPLApp.cpl | Adobe Flash Player Control Panel Applet | Copyright © 1996-2010 Adobe Systems Incorporated. All Rights Reserved. Adobe and Flash are either trademarks or registered trademarks in the United States and/or other countries.
Elements detected - 19, recognized as trusted - 18

File name | Description | Manufacturer | CLSID
Elements detected - 9, recognized as trusted - 9

Hosts file record

File name | Type | Description | Manufacturer | CLSID
mscoree.dll | Protocol | Microsoft .NET Runtime Execution Engine () | © Microsoft Corporation. All rights reserved. | {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
mscoree.dll | Protocol | Microsoft .NET Runtime Execution Engine () | © Microsoft Corporation. All rights reserved. | {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
mscoree.dll | Protocol | Microsoft .NET Runtime Execution Engine () | © Microsoft Corporation. All rights reserved. | {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
Elements detected - 16, recognized as trusted - 13

File | Description | Type

Main script of analysis
Windows version: Windows 7 Home Premium, Build=7601, SP="Service Pack 1"
System Restore: enabled
Latent loading of libraries through AppInit_DLLs suspected: "C:\PROGRA~2\KASPER~1\KASPER~1\x64\kloehk.dll,C:\PROGRA~2\KASPER~1\KASPER~1\x64\sbhook64.dll"
>> Services: potentially dangerous service allowed: TermService (@%SystemRoot%\System32\termsrv.dll,-268)
>> Services: potentially dangerous service allowed: SSDPSRV (@%systemroot%\system32\ssdpsrv.dll,-100)
>> Services: potentially dangerous service allowed: Schedule (@%SystemRoot%\system32\schedsvc.dll,-100)
> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to a corporate network, etc.)!
>> Security: disk drives' autorun is enabled
>> Security: administrative shares (C$, D$ ...) are enabled
>> Security: anonymous user access is enabled
>> Security: sending Remote Assistant queries is enabled
>> Disable HDD autorun
>> Disable autorun from network drives
>> Disable CD/DVD autorun
>> Disable removable media autorun
>> Windows Explorer - show extensions of known file types
System Analysis - complete