Kaspersky Virus Removal Tool 11.0.0.1245 (database released 20/09/2011; 10:23)
| File name | PID | Description | Copyright | MD5 | Information
| AESTSr64.exe | Script: Quarantine, Delete, BC delete, Terminate 1592 | | | ?? | error getting file info | Command line: SASCore64.exe | Script: Quarantine, Delete, BC delete, Terminate 1568 | | | ?? | error getting file info | Command line: stacsv64.exe | Script: Quarantine, Delete, BC delete, Terminate 948 | | | ?? | error getting file info | Command line: sttray64.exe | Script: Quarantine, Delete, BC delete, Terminate 4996 | | | ?? | error getting file info | Command line: SynTPEnh.exe | Script: Quarantine, Delete, BC delete, Terminate 5004 | | | ?? | error getting file info | Command line: SynTPHelper.exe | Script: Quarantine, Delete, BC delete, Terminate 4384 | | | ?? | error getting file info | Command line: wmpnetwk.exe | Script: Quarantine, Delete, BC delete, Terminate 5248 | | | ?? | error getting file info | Command line: Detected:68, recognized as trusted 61
| | |||||
| Module name | Handle | Description | Copyright | MD5 | Used by processes
| Modules detected:443, recognized as trusted 443
| | |||||
| Module | Base address | Size in memory | Description | Manufacturer
| C:\Windows\System32\Drivers\dump_dumpfve.sys | Script: Quarantine, Delete, BC delete 660E000 | 013000 (77824) |
| C:\Windows\System32\Drivers\dump_iaStor.sys | Script: Quarantine, Delete, BC delete 4A21000 | 208000 (2129920) |
| Modules detected - 204, recognized as trusted - 202
| | ||||||
| Service | Description | Status | File | Group | Dependencies
| gupdate | Service: Stop, Delete, Disable, BC delete Google Update Service (gupdate) | Not started | C:\Program Files (x86)\Google\Update\GoogleUpdate.exe | Script: Quarantine, Delete, BC delete | RPCSS
| gupdatem | Service: Stop, Delete, Disable, BC delete Google Update Service (gupdatem) | Not started | C:\Program Files (x86)\Google\Update\GoogleUpdate.exe | Script: Quarantine, Delete, BC delete | RPCSS
| Detected - 172, recognized as trusted - 170
| | ||||||
| Service | Description | Status | File | Group | Dependencies
| Detected - 270, recognized as trusted - 270
| | ||||||
| File name | Status | Startup method | Description
| C:\Program Files (x86)\Citrix\GoToAssist\514\G2AWinLogon_x64.dll | Script: Quarantine, Delete, BC delete Active | Registry key | HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\GoToAssist, DLLName | Delete C:\Program Files (x86)\Dell\DellDock\DellDock.exe | Script: Quarantine, Delete, BC delete Active | Shortcut in Autoruns folder | C:\Users\Regjon Higgins\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\, C:\Users\Regjon Higgins\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock.lnk,
| C:\Users\Regjon Higgins\AppData\Local\Temp\_uninst_88646186.bat | Script: Quarantine, Delete, BC delete Active | Shortcut in Autoruns folder | C:\Users\Regjon Higgins\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\, C:\Users\Regjon Higgins\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_uninst_88646186.lnk,
| C:\Users\Regjon Higgins\AppData\Local\Temp\_uninst_89585899.bat | Script: Quarantine, Delete, BC delete Active | Shortcut in Autoruns folder | C:\Users\Regjon Higgins\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\, C:\Users\Regjon Higgins\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_uninst_89585899.lnk,
| C:\Windows\System32\appmgmts.dll | Script: Quarantine, Delete, BC delete Active | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\AppMgmt\Parameters, ServiceDll | Delete C:\Windows\system32\psxss.exe | Script: Quarantine, Delete, BC delete -- | Registry key | HKEY_LOCAL_MACHINE, System\CurrentControlSet\Control\Session Manager\SubSystems, Posix
| C:\d910ac4ce79853401de3\DW\DW20.exe | Script: Quarantine, Delete, BC delete -- | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\VSSetup, EventMessageFile
| auditcse.dll | Script: Quarantine, Delete, BC delete Active | Registry key | HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{f3ccc681-b74c-4060-9f26-cd84525dca2a}, DLLName | Delete igfxdev.dll | Script: Quarantine, Delete, BC delete Active | Registry key | HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui, DLLName | Delete rdpclip | Script: Quarantine, Delete, BC delete Active | Registry key | HKEY_LOCAL_MACHINE, System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd, StartupPrograms | Delete Autoruns items detected - 605, recognized as trusted - 595
| | ||||||
| File name | Type | Description | Manufacturer | CLSID
| Extension module | {2670000A-7350-4f3c-8081-5663EE0C6C49} | Delete Extension module | {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} | Delete Elements detected - 6, recognized as trusted - 4
| | ||||||||||||
| File name | Destination | Description | Manufacturer | CLSID
| ColumnHandler | {F9DB5320-233E-11D1-9F84-707F02C10627} | Delete Elements detected - 14, recognized as trusted - 13
| | |||||||||
| File name | Type | Name | Description | Manufacturer
| hpzllw71.dll | Script: Quarantine, Delete, BC delete Monitor | LIDIL hpzllw71 |
| localspl.dll | Script: Quarantine, Delete, BC delete Monitor | Local Port |
| FXSMON.DLL | Script: Quarantine, Delete, BC delete Monitor | Microsoft Shared Fax Monitor |
| hpz3lw71.dll | Script: Quarantine, Delete, BC delete Monitor | PCL hpz3lw71 |
| PJLMON.DLL | Script: Quarantine, Delete, BC delete Monitor | PJL Language Monitor |
| tcpmon.dll | Script: Quarantine, Delete, BC delete Monitor | Standard TCP/IP Port |
| usbmon.dll | Script: Quarantine, Delete, BC delete Monitor | USB Monitor |
| WSDMon.dll | Script: Quarantine, Delete, BC delete Monitor | WSD Port |
| inetpp.dll | Script: Quarantine, Delete, BC delete Provider | HTTP Print Services |
| Elements detected - 10, recognized as trusted - 1
| | |||||||||||||||
| File name | Job name | Job status | Description | Manufacturer
| Elements detected - 0, recognized as trusted - 0
| | ||||||
| Provider | Status | EXE file | Description | GUID
| Detected - 9, recognized as trusted - 9
| | ||||||
| Provider | EXE file | Description
| Detected - 10, recognized as trusted - 10
| | ||||||
| File name | Description | Manufacturer | CLSID | Source URL
| C:\Program Files\Java\jre6\bin\npjpi160_20.dll | Script: Quarantine, Delete, BC delete {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} | Delete http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
| Elements detected - 3, recognized as trusted - 2
| | ||||||||
| File name | Description | Manufacturer
| Elements detected - 18, recognized as trusted - 18
| | ||||||
| File name | Description | Manufacturer | CLSID
| Elements detected - 9, recognized as trusted - 9
| | ||||||
Hosts file record
|
| File name | Type | Description | Manufacturer | CLSID
| mscoree.dll | Script: Quarantine, Delete, BC delete Protocol | Microsoft .NET Runtime Execution Engine () | © Microsoft Corporation. All rights reserved. | {1E66F26B-79EE-11D2-8710-00C04F79ED0D} | Delete mscoree.dll | Script: Quarantine, Delete, BC delete Protocol | Microsoft .NET Runtime Execution Engine () | © Microsoft Corporation. All rights reserved. | {1E66F26B-79EE-11D2-8710-00C04F79ED0D} | Delete mscoree.dll | Script: Quarantine, Delete, BC delete Protocol | Microsoft .NET Runtime Execution Engine () | © Microsoft Corporation. All rights reserved. | {1E66F26B-79EE-11D2-8710-00C04F79ED0D} | Delete Elements detected - 16, recognized as trusted - 13
| | ||||||
| File | Description | Type |
Main script of analysis Windows version: Windows 7 Home Premium, Build=7600, SP="" System Restore: enabled >> Services: potentially dangerous service allowed: TermService (@%SystemRoot%\System32\termsrv.dll,-268) >> Services: potentially dangerous service allowed: SSDPSRV (@%systemroot%\system32\ssdpsrv.dll,-100) >> Services: potentially dangerous service allowed: Schedule (@%SystemRoot%\system32\schedsvc.dll,-100) > Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)! >> Security: disk drives' autorun is enabled >> Security: administrative shares (C$, D$ ...) are enabled >> Security: anonymous user access is enabled >> Security: sending Remote Assistant queries is enabled >> Disable HDD autorun >> Disable autorun from network drives >> Disable CD/DVD autorun >> Disable removable media autorun >> Windows Explorer - show extensions of known file types System Analysis in progressAdd commands to script:
System Analysis - complete
Script commands