Kaspersky Virus Removal Tool 11.0.0.1245 (database released 11/04/2012; 12:17)
| File name | PID | Description | Copyright | MD5 | Information
| AESTSr64.exe | Script: Quarantine, Delete, BC delete, Terminate 2428 | | | ?? | error getting file info | Command line: ApMsgFwd.exe | Script: Quarantine, Delete, BC delete, Terminate 4884 | | | ?? | error getting file info | Command line: ApntEx.exe | Script: Quarantine, Delete, BC delete, Terminate 5112 | | | ?? | error getting file info | Command line: Apoint.exe | Script: Quarantine, Delete, BC delete, Terminate 1928 | | | ?? | error getting file info | Command line: c:\program files\avast software\avast\avastsvc.exe | Script: Quarantine, Delete, BC delete, Terminate 1684 | avast! Service | Copyright (c) 2012 AVAST Software | ?? | 43.72 kb, rsAh, | created: 19.03.2012 15:54:39, modified: 07.03.2012 01:15:14 Command line: "C:\Program Files\AVAST Software\Avast\AvastSvc.exe" hidfind.exe | Script: Quarantine, Delete, BC delete, Terminate 3884 | | | ?? | error getting file info | Command line: HWDeviceService64.exe | Script: Quarantine, Delete, BC delete, Terminate 2592 | | | ?? | error getting file info | Command line: LVPrcSrv.exe | Script: Quarantine, Delete, BC delete, Terminate 2636 | | | ?? | error getting file info | Command line: mscorsvw.exe | Script: Quarantine, Delete, BC delete, Terminate 5780 | | | ?? | error getting file info | Command line: PresentationFontCache.exe | Script: Quarantine, Delete, BC delete, Terminate 4148 | | | ?? | error getting file info | Command line: quickset.exe | Script: Quarantine, Delete, BC delete, Terminate 3568 | | | ?? | error getting file info | Command line: sidebar.exe | Script: Quarantine, Delete, BC delete, Terminate 3916 | | | ?? | error getting file info | Command line: c:\program files (x86)\openoffice.org 3\program\soffice.bin | Script: Quarantine, Delete, BC delete, Terminate 4684 | OpenOffice.org 3.3 | Copyright © 2000-2010 by Oracle, Inc. | ?? | 11049.50 kb, rsAh, | created: 17.01.2011 19:08:58, modified: 17.01.2011 19:08:58 Command line: "C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe" "-quickstart" "-env:OOO_CWD=2C:\\Program Files (x86)\\OpenOffice.org 3\\program" stacsv64.exe | Script: Quarantine, Delete, BC delete, Terminate 1064 | | | ?? | error getting file info | Command line: sttray64.exe | Script: Quarantine, Delete, BC delete, Terminate 3988 | | | ?? | error getting file info | Command line: TrustedInstaller.exe | Script: Quarantine, Delete, BC delete, Terminate 5368 | | | ?? | error getting file info | Command line: wmpnetwk.exe | Script: Quarantine, Delete, BC delete, Terminate 5264 | | | ?? | error getting file info | Command line: Detected:91, recognized as trusted 76
| | |||||
| Module | Base address | Size in memory | Description | Manufacturer
| C:\Windows\system32\DRIVERS\31448338.sys | Script: Quarantine, Delete, BC delete C040000 | 75F000 (7729152) |
| C:\Windows\System32\Drivers\dump_dumpfve.sys | Script: Quarantine, Delete, BC delete 4961000 | 013000 (77824) |
| C:\Windows\System32\Drivers\dump_iaStor.sys | Script: Quarantine, Delete, BC delete 402A000 | 39A000 (3776512) |
| Modules detected - 198, recognized as trusted - 195
| | |||||||
| Service | Description | Status | File | Group | Dependencies
| Detected - 168, recognized as trusted - 168
| | ||||||
| Service | Description | Status | File | Group | Dependencies
| 31448338 | Driver: Unload, Delete, Disable, BC delete 31448338 | Running | 31448338.sys | Script: Quarantine, Delete, BC delete |
| Detected - 269, recognized as trusted - 268
| | ||||||
| File name | Status | Startup method | Description
| C:\6a11f58902b819a419e567\DW\DW20.exe | Script: Quarantine, Delete, BC delete -- | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\VSSetup, EventMessageFile
| C:\Program Files\Bonjour\mDNSResponder.exe | Script: Quarantine, Delete, BC delete -- | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Bonjour Service, EventMessageFile
| C:\Program Files\Common Files\McAfee\SystemCore\mfehidk_messages.dll | Script: Quarantine, Delete, BC delete -- | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\mfehidk, EventMessageFile
| C:\Program Files\Dell\Dell Wir | Script: Quarantine, Delete, BC delete -- | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\wltrysvc, EventMessageFile
| C:\Users\Lewis\AppData\Local\Temp\_uninst_99642562.bat | Script: Quarantine, Delete, BC delete Active | Shortcut in Autoruns folder | C:\Users\Lewis\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\, C:\Users\Lewis\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_uninst_99642562.lnk,
| C:\Windows\system32\psxss.exe | Script: Quarantine, Delete, BC delete -- | Registry key | HKEY_LOCAL_MACHINE, System\CurrentControlSet\Control\Session Manager\SubSystems, Posix
| auditcse.dll | Script: Quarantine, Delete, BC delete Active | Registry key | HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{f3ccc681-b74c-4060-9f26-cd84525dca2a}, DLLName | Delete lvcod64.dll | Script: Quarantine, Delete, BC delete Active | Registry key | HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\Drivers32, vidc.i420 | Delete rdpclip | Script: Quarantine, Delete, BC delete Active | Registry key | HKEY_LOCAL_MACHINE, System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd, StartupPrograms | Delete Autoruns items detected - 598, recognized as trusted - 589
| | ||||||
| File name | Type | Description | Manufacturer | CLSID
| C:\Program Files\Java\jre6\bin\jp2ssv.dll | Script: Quarantine, Delete, BC delete BHO | {DBC80044-A445-435b-BC74-9C25C1C588A9} | Delete Elements detected - 7, recognized as trusted - 6
| | ||||||||
| File name | Destination | Description | Manufacturer | CLSID
| WebCheck | {E6FB5E20-DE35-11CF-9C87-00AA005127ED} | Delete ColumnHandler | {F9DB5320-233E-11D1-9F84-707F02C10627} | Delete Elements detected - 16, recognized as trusted - 14
| | ||||||||||||
| File name | Type | Name | Description | Manufacturer
| EP0SLM01.DLL | Script: Quarantine, Delete, BC delete Monitor | Epson Inbox Language Monitor01 |
| localspl.dll | Script: Quarantine, Delete, BC delete Monitor | Local Port |
| FXSMON.DLL | Script: Quarantine, Delete, BC delete Monitor | Microsoft Shared Fax Monitor |
| tcpmon.dll | Script: Quarantine, Delete, BC delete Monitor | Standard TCP/IP Port |
| usbmon.dll | Script: Quarantine, Delete, BC delete Monitor | USB Monitor |
| WSDMon.dll | Script: Quarantine, Delete, BC delete Monitor | WSD Port |
| inetpp.dll | Script: Quarantine, Delete, BC delete Provider | HTTP Print Services |
| Elements detected - 8, recognized as trusted - 1
| | |||||||||||||
| File name | Job name | Job status | Description | Manufacturer
| Elements detected - 5, recognized as trusted - 5
| | ||||||
| Provider | Status | EXE file | Description | GUID
| Detected - 8, recognized as trusted - 8
| | ||||||
| Provider | EXE file | Description
| Detected - 10, recognized as trusted - 10
| | ||||||
| Port | Status | Remote Host | Remote Port | Application | Notes
| TCP ports
| UDP ports
| | ||||||||||||
| File name | Description | Manufacturer | CLSID | Source URL
| Elements detected - 0, recognized as trusted - 0
| | ||||||
| File name | Description | Manufacturer
| C:\Windows\system32\FlashPlayerCPLApp.cpl | Script: Quarantine, Delete, BC delete Adobe Flash Player Control Panel Applet | Copyright © 1996-2012 Adobe Systems Incorporated. All Rights Reserved. Adobe and Flash are either trademarks or registered trademarks in the United States and/or other countries.
| Elements detected - 19, recognized as trusted - 18
| | ||||||
| File name | Description | Manufacturer | CLSID
| Elements detected - 9, recognized as trusted - 9
| | ||||||
| Hosts file record |
| File name | Type | Description | Manufacturer | CLSID
| mscoree.dll | Script: Quarantine, Delete, BC delete Protocol | Microsoft .NET Runtime Execution Engine () | © Microsoft Corporation. All rights reserved. | {1E66F26B-79EE-11D2-8710-00C04F79ED0D} | Delete mscoree.dll | Script: Quarantine, Delete, BC delete Protocol | Microsoft .NET Runtime Execution Engine () | © Microsoft Corporation. All rights reserved. | {1E66F26B-79EE-11D2-8710-00C04F79ED0D} | Delete mscoree.dll | Script: Quarantine, Delete, BC delete Protocol | Microsoft .NET Runtime Execution Engine () | © Microsoft Corporation. All rights reserved. | {1E66F26B-79EE-11D2-8710-00C04F79ED0D} | Delete Elements detected - 13, recognized as trusted - 10
| | ||||||
| File | Description | Type |
Main script of analysis Windows version: Windows 7 Home Premium, Build=7601, SP="Service Pack 1" System Restore: enabled >> Services: potentially dangerous service allowed: TermService (@%SystemRoot%\System32\termsrv.dll,-268) >> Services: potentially dangerous service allowed: SSDPSRV (@%systemroot%\system32\ssdpsrv.dll,-100) >> Services: potentially dangerous service allowed: Schedule (@%SystemRoot%\system32\schedsvc.dll,-100) > Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)! >> Security: disk drives' autorun is enabled >> Security: administrative shares (C$, D$ ...) are enabled >> Security: anonymous user access is enabled >> Security: sending Remote Assistant queries is enabled >> Disable HDD autorun >> Disable autorun from network drives >> Disable CD/DVD autorun >> Disable removable media autorun >> Windows Explorer - show extensions of known file types System Analysis in progressAdd commands to script:
System Analysis - complete
Script commands