Results of system analysis

Kaspersky Virus Removal Tool 11.0.0.1245 (database released 19/11/2011; 17:50)

List of processes

File name	PID	Description	Copyright	MD5	Information
BcmDeviceAndTaskStatusService.exe Script: Quarantine, Delete, BC delete, Terminate	4628			??	error getting file info Command line:
DCPButtonSvc.exe Script: Quarantine, Delete, BC delete, Terminate	2252			??	error getting file info Command line:
DCPSysMgr.exe Script: Quarantine, Delete, BC delete, Terminate	4884			??	error getting file info Command line:
DCPSysMgrSvc.exe Script: Quarantine, Delete, BC delete, Terminate	2316			??	error getting file info Command line:
Dell.ControlPoint.exe Script: Quarantine, Delete, BC delete, Terminate	4592			??	error getting file info Command line:
c:\program files\dell\dell controlpoint\connection manager\dell.ucm.exe Script: Quarantine, Delete, BC delete, Terminate	4612	Dell.UCM	Copyright © 2008-2009 by Smith Micro Software, Inc.	??	1784.00 kb, rsAh, created: 05.10.2009 20:54:30, modified: 05.10.2009 20:54:30 Command line: "C:\Program Files\Dell\Dell ControlPoint\Connection Manager\Dell.UCM.exe"
HostControlService.exe Script: Quarantine, Delete, BC delete, Terminate	1836			??	error getting file info Command line:
HostStorageService.exe Script: Quarantine, Delete, BC delete, Terminate	1860			??	error getting file info Command line:
iPodService.exe Script: Quarantine, Delete, BC delete, Terminate	5824			??	error getting file info Command line:
nvPDsvc.exe Script: Quarantine, Delete, BC delete, Terminate	2396			??	error getting file info Command line:
SetPoint.exe Script: Quarantine, Delete, BC delete, Terminate	4924			??	error getting file info Command line:
sidebar.exe Script: Quarantine, Delete, BC delete, Terminate	4740			??	error getting file info Command line:
Smc.exe Script: Quarantine, Delete, BC delete, Terminate	1336			??	error getting file info Command line:
SmcGui.exe Script: Quarantine, Delete, BC delete, Terminate	4196			??	error getting file info Command line:
c:\program files\dell\dell controlpoint\connection manager\smmanager.exe Script: Quarantine, Delete, BC delete, Terminate	2072	SMManager Application	Copyright (C) 2008	??	74.50 kb, rsAh, created: 05.10.2009 20:54:10, modified: 05.10.2009 20:54:10 Command line: "C:\Program Files\Dell\Dell ControlPoint\Connection Manager\SMManager.exe"
sqlwriter.exe Script: Quarantine, Delete, BC delete, Terminate	2672			??	error getting file info Command line:
stacsv64.exe Script: Quarantine, Delete, BC delete, Terminate	368			??	error getting file info Command line:
sttray64.exe Script: Quarantine, Delete, BC delete, Terminate	4516			??	error getting file info Command line:
SynTPEnh.exe Script: Quarantine, Delete, BC delete, Terminate	4504			??	error getting file info Command line:
SynTPHelper.exe Script: Quarantine, Delete, BC delete, Terminate	4860			??	error getting file info Command line:
TdmService.exe Script: Quarantine, Delete, BC delete, Terminate	2788			??	error getting file info Command line:
wmdc.exe Script: Quarantine, Delete, BC delete, Terminate	4676			??	error getting file info Command line:
wmpnetwk.exe Script: Quarantine, Delete, BC delete, Terminate	4856			??	error getting file info Command line:
Detected:96, recognized as trusted 75

Module name	Handle	Description	Copyright	MD5	Used by processes
C:\Program Files\Dell\Dell ControlPoint\Connection Manager\Dell.SharedUI.dll Script: Quarantine, Delete, BC delete	1843134464	Dell.SharedUI	Copyright © 2008-2009 by Smith Micro Software, Inc.	--	4612
C:\Program Files\Dell\Dell ControlPoint\Connection Manager\SMApplication.dll Script: Quarantine, Delete, BC delete	1611661312	SMApplication Dynamic Link Library	Copyright (C) 2008	--	2072
C:\Program Files\Dell\Dell ControlPoint\Connection Manager\SMBIOSController.dll Script: Quarantine, Delete, BC delete	27852800			--	2072
C:\Program Files\Dell\Dell ControlPoint\Connection Manager\SMCommon.dll Script: Quarantine, Delete, BC delete	1614807040	SMCommon Dynamic Link Library	Copyright (C) 2008	--	2072
C:\Program Files\Dell\Dell ControlPoint\Connection Manager\SMConfiguration.dll Script: Quarantine, Delete, BC delete	1613758464	SMConfig Dynamic Link Library	Copyright (C) 2008	--	2072
C:\Program Files\Dell\Dell ControlPoint\Connection Manager\SMDEVICES.dll Script: Quarantine, Delete, BC delete	1627389952	SMDevice Dynamic Link Library	Copyright (C) 2008	--	2072
C:\Program Files\Dell\Dell ControlPoint\Connection Manager\SmithMicro.Application.dll Script: Quarantine, Delete, BC delete	1890189312	SmithMicro.Application	Copyright © 2008-2009 by Smith Micro Software, Inc.	--	4612
C:\Program Files\Dell\Dell ControlPoint\Connection Manager\SmithMicro.AsyncOperations.dll Script: Quarantine, Delete, BC delete	1763508224	SmithMicro.AsyncOperations	Copyright © 2008-2009 by Smith Micro Software, Inc.	--	4612
C:\Program Files\Dell\Dell ControlPoint\Connection Manager\SmithMicro.Common.dll Script: Quarantine, Delete, BC delete	1897988096	SmithMicro.Common	Copyright © 2008-2009 by Smith Micro Software, Inc.	--	4612
C:\Program Files\Dell\Dell ControlPoint\Connection Manager\SmithMicro.Controls.dll Script: Quarantine, Delete, BC delete	1892155392	SmithMicro.Controls	Copyright © 2008-2009 by Smith Micro Software, Inc.	--	4612
C:\Program Files\Dell\Dell ControlPoint\Connection Manager\SmithMicro.Message.dll Script: Quarantine, Delete, BC delete	1889730560	SmithMicro.Message	Copyright © 2008-2009 by Smith Micro Software, Inc.	--	4612
C:\Program Files\Dell\Dell ControlPoint\Connection Manager\SmithMicro.VpnController.dll Script: Quarantine, Delete, BC delete	1795620864	SmithMicro.VpnController	Copyright © 2008-2009 by Smith Micro Software, Inc.	--	4612
C:\Program Files\Dell\Dell ControlPoint\Connection Manager\SMMessages.dll Script: Quarantine, Delete, BC delete	1677721600	SMMessag Dynamic Link Library	Copyright (C) 2008	--	2072
C:\Program Files\Dell\Dell ControlPoint\Connection Manager\SMPROFILEMANAGER.dll Script: Quarantine, Delete, BC delete	1694498816	SMManager Profile Manager	Copyright (C) 2008	--	2072
C:\Program Files\Dell\Dell ControlPoint\Connection Manager\SMUtilities.dll Script: Quarantine, Delete, BC delete	1711276032	SMUtilities Dynamic Link Library	Copyright (C) 2008	--	4612, 2072
C:\Program Files\Dell\Dell ControlPoint\Connection Manager\SMWAN.dll Script: Quarantine, Delete, BC delete	268435456	SMWAN DLL	Copyright (c) 2000-2009	--	2072
C:\Program Files\Dell\Dell ControlPoint\Connection Manager\SMWifiVista.dll Script: Quarantine, Delete, BC delete	1728053248	SMWiFiVi Dynamic Link Library	Copyright (C) 2008	--	2072
C:\Program Files\Dell\Dell ControlPoint\Connection Manager\VpnWrapper.dll Script: Quarantine, Delete, BC delete	268435456	VpnWrapp Dynamic Link Library	Copyright (C) 2008	--	4612
C:\Windows\system32\bcmwlapi.dll Script: Quarantine, Delete, BC delete	27590656	WlAdapterAPI	Copyright (c) 2007 Broadcom Corp. All rights reserved.	--	2072
Modules detected:504, recognized as trusted 485

Kernel Space Modules Viewer

Module	Base address	Size in memory	Description	Manufacturer
C:\Windows\System32\Drivers\dump_dumpfve.sys Script: Quarantine, Delete, BC delete	6636000	013000 (77824)
C:\Windows\System32\Drivers\dump_iaStor.sys Script: Quarantine, Delete, BC delete	42DC000	20A000 (2138112)
Modules detected - 226, recognized as trusted - 224

Services

Service	Description	Status	File	Group	Dependencies
Detected - 185, recognized as trusted - 185

Drivers

Service	Description	Status	File	Group	Dependencies
NvtSp50 Driver: Unload, Delete, Disable, BC delete	NvtSp50 NDIS Protocol Driver	Not started	C:\Windows\system32\Drivers\NvtSp50.sys Script: Quarantine, Delete, BC delete	PNP_TDI
Detected - 283, recognized as trusted - 282

Autoruns

File name	Status	Startup method	Description
C:\Program Files (x86)\Common Files\InstallShield\UpdateService\ISUSPM.exe Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_USERS, S-1-5-21-962395197-4016970835-1205081151-1159\Software\Microsoft\Windows\CurrentVersion\Run, ISUSPM Delete
C:\Program Files (x86)\Dell\Dell ControlPoint\System Manager\DCPSysMgr.exe Script: Quarantine, Delete, BC delete	Active	Shortcut in Autoruns folder	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Dell ControlPoint System Manager.lnk,
C:\Program Files (x86)\WIDCOMM\Bluetooth Software\BTTray.exe Script: Quarantine, Delete, BC delete	Active	Shortcut in Autoruns folder	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk,
C:\Users\dtreese\AppData\Local\Temp\_uninst_44027730.bat Script: Quarantine, Delete, BC delete	Active	Shortcut in Autoruns folder	C:\Users\dtreese\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\, C:\Users\dtreese\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_uninst_44027730.lnk,
C:\Users\dtreese\AppData\Roaming\13DFA\lvvm.exe Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_USERS, S-1-5-21-962395197-4016970835-1205081151-1159\Software\Microsoft\Windows NT\CurrentVersion\Windows, Load
C:\Users\dtreese\AppData\Roaming\13DFA\lvvm.exe Script: Quarantine, Delete, BC delete	Active	File win.ini	C:\Windows\win.ini, windows, load
C:\Windows\system32\psxss.exe Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, System\CurrentControlSet\Control\Session Manager\SubSystems, Posix
auditcse.dll Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{f3ccc681-b74c-4060-9f26-cd84525dca2a}, DLLName Delete
nwiz.exe Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, nwiz Delete
rdpclip Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd, StartupPrograms Delete
tcgcsp.dll Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Wave TCG Enabled CSP, Image Path Delete
tcgcsp.dll Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Wave TCG Enabled SChannel CSP, Image Path Delete
tcgcsp.dll Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Wave TCG-Enabled Strong Authentication CSP, Image Path Delete
wvauth.dll Script: Quarantine, Delete, BC delete	--	?	HKEY_LOCAL_MACHINE, System\CurrentControlSet\Control\Lsa, Authentication Packages
Autoruns items detected - 689, recognized as trusted - 675

Microsoft Internet Explorer extension modules (BHOs, Toolbars ...)

File name	Type	Description	Manufacturer	CLSID
C:\Program Files\Java\jre6\bin\jp2ssv.dll Script: Quarantine, Delete, BC delete	BHO			{DBC80044-A445-435b-BC74-9C25C1C588A9} Delete
Elements detected - 4, recognized as trusted - 3

Windows Explorer extension modules

File name	Destination	Description	Manufacturer	CLSID
	WebCheck			{E6FB5E20-DE35-11CF-9C87-00AA005127ED} Delete
	ColumnHandler			{F9DB5320-233E-11D1-9F84-707F02C10627} Delete
Elements detected - 26, recognized as trusted - 24

Printing system extensions (print monitors, providers)

File name	Type	Name	Description	Manufacturer
AdobePDF.dll Script: Quarantine, Delete, BC delete	Monitor	Adobe PDF Port Monitor
localspl.dll Script: Quarantine, Delete, BC delete	Monitor	Local Port
FXSMON.DLL Script: Quarantine, Delete, BC delete	Monitor	Microsoft Shared Fax Monitor
rc4mon64.dll Script: Quarantine, Delete, BC delete	Monitor	RICOH Language Monitor2
tcpmon.dll Script: Quarantine, Delete, BC delete	Monitor	Standard TCP/IP Port
usbmon.dll Script: Quarantine, Delete, BC delete	Monitor	USB Monitor
WSDMon.dll Script: Quarantine, Delete, BC delete	Monitor	WSD Port
inetpp.dll Script: Quarantine, Delete, BC delete	Provider	HTTP Print Services
Elements detected - 9, recognized as trusted - 1

Task Scheduler jobs

File name	Job name	Job status	Description	Manufacturer
Elements detected - 0, recognized as trusted - 0

SPI/LSP settings

Namespace providers (NSP)

Provider	Status	EXE file	Description	GUID
Detected - 9, recognized as trusted - 9

Transport protocol providers (TSP, LSP)

Provider EXE file Description
Detected - 11, recognized as trusted - 11
Results of automatic SPI settings check
LSP settings checked. No errors detected

TCP/UDP ports

Port Status Remote Host Remote Port Application Notes
TCP ports
UDP ports

Downloaded Program Files (DPF)

File name Description Manufacturer CLSID Source URL
Elements detected - 0, recognized as trusted - 0

Control Panel Applets (CPL)

File name Description Manufacturer
Elements detected - 19, recognized as trusted - 19

Active Setup

File name Description Manufacturer CLSID
Elements detected - 9, recognized as trusted - 9

HOSTS file

Hosts file record
яю1
Clear Hosts file

Protocols and handlers

File name Type Description Manufacturer CLSID
mscoree.dll
Script: Quarantine, Delete, BC delete Protocol Microsoft .NET Runtime Execution Engine () © Microsoft Corporation. All rights reserved. {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
Delete
mscoree.dll
Script: Quarantine, Delete, BC delete Protocol Microsoft .NET Runtime Execution Engine () © Microsoft Corporation. All rights reserved. {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
Delete
mscoree.dll
Script: Quarantine, Delete, BC delete Protocol Microsoft .NET Runtime Execution Engine () © Microsoft Corporation. All rights reserved. {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
Delete
Elements detected - 14, recognized as trusted - 11

Suspicious objects

File Description Type

Main script of analysis
Windows version: Windows 7 Professional, Build=7601, SP="Service Pack 1"
System Restore: enabled
>> Services: potentially dangerous service allowed: TermService (@%SystemRoot%\System32\termsrv.dll,-268)
>> Services: potentially dangerous service allowed: SSDPSRV (@%systemroot%\system32\ssdpsrv.dll,-100)
>> Services: potentially dangerous service allowed: Schedule (@%SystemRoot%\system32\schedsvc.dll,-100)
> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
>> Security: disk drives' autorun is enabled
>> Security: administrative shares (C$, D$ ...) are enabled
>> Security: anonymous user access is enabled
>> Security: sending Remote Assistant queries is enabled
 >>  Disable HDD autorun
 >>  Disable autorun from network drives
 >>  Disable CD/DVD autorun
 >>  Disable removable media autorun
 >>  Invalid autorun item
 >>  Windows Explorer - show extensions of known file types
System Analysis in progress

 System Analysis - complete


Script commands 
Add commands to script:
Blocking hooks using Anti-Rootkit
Enable AVZGuard
Operations with AVZPM (true=enable,false=disable)
BootCleaner - import list of deleted files
BootCleaner - import all
Registry cleanup after deleting files
ExecuteWizard ('TSW',2,3,true) - Running Troubleshooting wizard
BootCleaner - activate
Reboot
Insert template for QuarantineFile() - quarantining file
Insert template for BC_QrFile() - quarantining file via BootCleaner
Insert template for DeleteFile() - deleting file
Insert template for DelCLSID() - deleting CLSID item from registry
Additional operations:Performance tweaking: disable service TermService (@%SystemRoot%\System32\termsrv.dll,-268)
Performance tweaking: disable service SSDPSRV (@%systemroot%\system32\ssdpsrv.dll,-100)
Performance tweaking: disable service Schedule (@%SystemRoot%\system32\schedsvc.dll,-100)
Security tweaking: disable CD autorun
Security tweaking: disable administrative shares
Security tweaking: disable anonymous user access
Security: disable sending Remote Assistant queries

File list

Port	Status	Remote Host	Remote Port	Application	Notes
TCP ports
UDP ports