Kaspersky Virus Removal Tool 11.0.0.1245 (database released 19/04/2012; 10:47)
File name | PID | Description | Copyright | MD5 | Information
c:\program files\system security guard\systemsecurityguardtray.exe | 780 | System Security Guard tray file | SystemSecurityGuard.com | ?? | 1076.50 kb, rsAh, created: 06.04.2012 16:31:00, modified: 28.03.2012 09:37:30, Command line: "C:\Program Files\System Security Guard\SystemSecurityGuardTray.exe" /TRAY
Detected: 68, recognized as trusted 67
Module name | Handle | Description | Copyright | MD5 | Used by processes
Modules detected:639, recognized as trusted 639
Module | Base address | Size in memory | Description | Manufacturer
C:\Windows\System32\Drivers\dump_dumpfve.sys | 93C00000 | 011000 (69632) | |
C:\Windows\System32\Drivers\dump_iaStorV.sys | 93D22000 | 0DB000 (897024) | |
Modules detected - 191, recognized as trusted - 189
Service | Description | Status | File | Group | Dependencies
Detected - 169, recognized as trusted - 169
Service | Description | Status | File | Group | Dependencies
catchme | catchme | Not started | C:\Users\Thom\AppData\Local\Temp\catchme.sys | Base |
EagleXNt | EagleXNt | Not started | C:\Windows\system32\drivers\EagleXNt.sys | |
Synth3dVsc | Synth3dVsc | Not started | C:\Windows\system32\drivers\synth3dvsc.sys | |
tsusbhub | tsusbhub | Not started | C:\Windows\system32\drivers\tsusbhub.sys | |
VGPU | VGPU | Not started | C:\Windows\system32\drivers\rdvgkmd.sys | |
Detected - 267, recognized as trusted - 262
File name | Status | Startup method | Description
C:\Program Files\System Security Guard\SystemSecurityGuardTray.exe | Active | Registry key | HKEY_USERS, S-1-5-21-2243041973-16635593-2241794628-1000\Software\Microsoft\Windows\CurrentVersion\Run, SystemSecurityGuardAutoStart
C:\Users\Thom\AppData\Local\Temp\_uninst_17185863.bat | Active | Shortcut in Autoruns folder | C:\Users\Thom\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\, C:\Users\Thom\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_uninst_17185863.lnk
C:\Windows\system32\psxss.exe | -- | Registry key | HKEY_LOCAL_MACHINE, System\CurrentControlSet\Control\Session Manager\SubSystems, Posix
C:\Windows\system32\wuaucpl.cpl | Active | Registry key | HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved, {5F327514-6C5E-4d60-8F16-D07FA08A78ED}
progman.exe | Active | Registry key | HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\WOW\boot, shell
vgafix.fon | Active | Registry key | HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\WOW\boot, fixedfon.fon
vgaoem.fon | Active | Registry key | HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\WOW\boot, oemfonts.fon
vgasys.fon | Active | Registry key | HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\WOW\boot, fonts.fon
Autoruns items detected - 746, recognized as trusted - 738
File name | Type | Description | Manufacturer | CLSID
 | BHO | | | {5C255C8A-E604-49b4-9D64-90988571CECB}
Elements detected - 26, recognized as trusted - 25
File name | Destination | Description | Manufacturer | CLSID
 | AVG Find Extension | {9F97547E-460A-42C5-AE0C-81C61FFAEBC3}
C:\Windows\system32\wuaucpl.cpl | Auto Update Property Sheet Extension | {5F327514-6C5E-4d60-8F16-D07FA08A78ED}
Elements detected - 29, recognized as trusted - 27
File name | Type | Name | Description | Manufacturer
Elements detected - 7, recognized as trusted - 7
File name | Job name | Job status | Description | Manufacturer
Elements detected - 1, recognized as trusted - 1
Provider | Status | EXE file | Description | GUID
Detected - 10, recognized as trusted - 10
Provider | EXE file | Description
Detected - 27, recognized as trusted - 27
File name | Description | Manufacturer | CLSID | Source URL
{67DABFBF-D0AB-41FA-9C46-CC0F21721616} | http://download.divx.com/player/DivXBrowserPlugin.cab
{E2883E8F-472F-4FB0-9522-AC9BF37916A7} | http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Elements detected - 7, recognized as trusted - 5
File name | Description | Manufacturer
Elements detected - 22, recognized as trusted - 22
File name | Description | Manufacturer | CLSID
Elements detected - 10, recognized as trusted - 10
Hosts file record
File name | Type | Description | Manufacturer | CLSID
mscoree.dll | Protocol | Microsoft .NET Runtime Execution Engine () | © Microsoft Corporation. All rights reserved. | {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
mscoree.dll | Protocol | Microsoft .NET Runtime Execution Engine () | © Microsoft Corporation. All rights reserved. | {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
mscoree.dll | Protocol | Microsoft .NET Runtime Execution Engine () | © Microsoft Corporation. All rights reserved. | {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
Elements detected - 25, recognized as trusted - 22
File | Description | Type
C:\Windows\system32\DRIVERS\5786307drv.sys | Suspicion for Rootkit | Kernel-mode hook
Main script of analysis
Windows version: Windows 7 Ultimate, Build=7601, SP="Service Pack 1"
System Restore: enabled
1.1 Searching for user-mode API hooks
Analysis: kernel32.dll, export table found in section .text
IAT modification detected: CreateProcessA - 00390010<>75F12082
IAT modification detected: GetModuleFileNameA - 00390080<>75F5D75A
IAT modification detected: FreeLibrary - 003900F0<>75F5EF67
IAT modification detected: GetModuleFileNameW - 00390160<>75F5EF35
IAT modification detected: CreateProcessW - 003901D0<>75F1204D
IAT modification detected: LoadLibraryW - 003902B0<>75F5EF42
IAT modification detected: LoadLibraryA - 00390320<>75F5DC65
IAT modification detected: GetProcAddress - 00390390<>75F5CC94
Analysis: ntdll.dll, export table found in section .text
Analysis: user32.dll, export table found in section .text
Analysis: advapi32.dll, export table found in section .text
Analysis: ws2_32.dll, export table found in section .text
Analysis: wininet.dll, export table found in section .text
Analysis: rasapi32.dll, export table found in section .text
Analysis: urlmon.dll, export table found in section .text
Analysis: netapi32.dll, export table found in section .text
1.2 Searching for kernel-mode API hooks
Driver loaded successfully
SDT found (RVA=169B00)
Kernel ntkrnlpa.exe found in memory at address 82A51000
SDT = 82BBAB00
KiST = 82ACFD5C (401)
Function NtAdjustPrivilegesToken (0C) intercepted (82CD6BFD->BAC48E36), hook C:\Windows\system32\DRIVERS\5786307drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtAlpcConnectPort (16) intercepted (82CC72BE->BAC4B074), hook C:\Windows\system32\DRIVERS\5786307drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtAlpcCreatePort (17) intercepted (82C46C82->BAC4B2EE), hook C:\Windows\system32\DRIVERS\5786307drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtAlpcSendWaitReceivePort (27) intercepted (82CA3FC7->BAC4B564), hook C:\Windows\system32\DRIVERS\5786307drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtClose (32) intercepted (82C96438->BAC4974A), hook C:\Windows\system32\DRIVERS\5786307drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtConnectPort (3B) intercepted (82CC9DC9->BAC4A57E), hook C:\Windows\system32\DRIVERS\5786307drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateEvent (40) intercepted (82C9272F->BAC4AAC8), hook C:\Windows\system32\DRIVERS\5786307drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateFile (42) intercepted (82CA12A2->BAC49A26), hook C:\Windows\system32\DRIVERS\5786307drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateMutant (4A) intercepted (82C62212->BAC4A9AE), hook C:\Windows\system32\DRIVERS\5786307drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateNamedPipeFile (4B) intercepted (82CD25B9->BAC48A24), hook C:\Windows\system32\DRIVERS\5786307drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreatePort (4D) intercepted (82C437D5->BAC4A882), hook C:\Windows\system32\DRIVERS\5786307drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateSection (54) intercepted (82C74F8D->BAC48BCC), hook C:\Windows\system32\DRIVERS\5786307drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateSemaphore (55) intercepted (82C57A09->BAC4ABE8), hook C:\Windows\system32\DRIVERS\5786307drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateThread (57) intercepted (82D2DCEE->BAC493D0), hook C:\Windows\system32\DRIVERS\5786307drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateThreadEx (58) intercepted (82CC21E4->BAC494CE), hook C:\Windows\system32\DRIVERS\5786307drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateUserProcess (5D) intercepted (82CC0116->BAC4B7AE), hook C:\Windows\system32\DRIVERS\5786307drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateWaitablePort (5E) intercepted (82BF613C->BAC4A918), hook C:\Windows\system32\DRIVERS\5786307drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtDebugActiveProcess (60) intercepted (82CFFC00->BAC4C2D6), hook C:\Windows\system32\DRIVERS\5786307drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtDeviceIoControlFile (6B) intercepted (82CC548A->BAC49EA8), hook C:\Windows\system32\DRIVERS\5786307drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtDuplicateObject (6F) intercepted (82C8359A->BAC4D4E4), hook C:\Windows\system32\DRIVERS\5786307drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtFsControlFile (86) intercepted (82CA7760->BAC49CB6), hook C:\Windows\system32\DRIVERS\5786307drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtLoadDriver (9B) intercepted (82C17B80->BAC4C3C8), hook C:\Windows\system32\DRIVERS\5786307drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtMapViewOfSection (A8) intercepted (82C98452->BAC4CB30), hook C:\Windows\system32\DRIVERS\5786307drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtOpenEvent (B1) intercepted (82C61C0E->BAC4AB5E), hook C:\Windows\system32\DRIVERS\5786307drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtOpenFile (B3) intercepted (82C83BBA->BAC497CC), hook C:\Windows\system32\DRIVERS\5786307drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtOpenMutant (BB) intercepted (82CB31A0->BAC4AA3E), hook C:\Windows\system32\DRIVERS\5786307drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtOpenProcess (BE) intercepted (82C63A58->BAC49074), hook C:\Windows\system32\DRIVERS\5786307drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtOpenSection (C2) intercepted (82CBB734->BAC4C8CA), hook C:\Windows\system32\DRIVERS\5786307drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtOpenSemaphore (C3) intercepted (82C3713C->BAC4AC7E), hook C:\Windows\system32\DRIVERS\5786307drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtOpenThread (C6) intercepted (82CAFE45->BAC48F64), hook C:\Windows\system32\DRIVERS\5786307drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtQueryDirectoryObject (E0) intercepted (82CAAAAE->BAC4B868), hook C:\Windows\system32\DRIVERS\5786307drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtQuerySection (FE) intercepted (82CC8AA6->BAC4CE6A), hook C:\Windows\system32\DRIVERS\5786307drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtQueueApcThread (10D) intercepted (82C4DD20->BAC4C75C), hook C:\Windows\system32\DRIVERS\5786307drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtReplaceKey (124) intercepted (82CED968->BAC476DE), hook C:\Windows\system32\DRIVERS\5786307drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtReplyPort (126) intercepted (82C42AB3->BAC4AFE2), hook C:\Windows\system32\DRIVERS\5786307drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtReplyWaitReceivePort (127) intercepted (82C8A68C->BAC4AEA8), hook C:\Windows\system32\DRIVERS\5786307drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtRequestWaitReplyPort (12B) intercepted (82C8F983->BAC4C070), hook C:\Windows\system32\DRIVERS\5786307drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtRestoreKey (12E) intercepted (82CE39CC->BAC47A56), hook C:\Windows\system32\DRIVERS\5786307drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtResumeThread (130) intercepted (82CC240B->BAC4D386), hook C:\Windows\system32\DRIVERS\5786307drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtSaveKey (135) intercepted (82CE523E->BAC47676), hook C:\Windows\system32\DRIVERS\5786307drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtSecureConnectPort (138) intercepted (82CAFE7A->BAC4A2C4), hook C:\Windows\system32\DRIVERS\5786307drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtSetContextThread (13C) intercepted (82D2EDEF->BAC495EC), hook C:\Windows\system32\DRIVERS\5786307drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtSetInformationToken (150) intercepted (82C557FC->BAC4B90A), hook C:\Windows\system32\DRIVERS\5786307drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtSetSecurityObject (15B) intercepted (82C536A2->BAC4C566), hook C:\Windows\system32\DRIVERS\5786307drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtSetSystemInformation (15E) intercepted (82CA01AC->BAC4CFBA), hook C:\Windows\system32\DRIVERS\5786307drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtSuspendProcess (16E) intercepted (82D2F98F->BAC4D0AC), hook C:\Windows\system32\DRIVERS\5786307drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtSuspendThread (16F) intercepted (82CE6EF5->BAC4D1E6), hook C:\Windows\system32\DRIVERS\5786307drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtSystemDebugControl (170) intercepted (82CD752C->BAC4C1FA), hook C:\Windows\system32\DRIVERS\5786307drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtTerminateProcess (172) intercepted (82CACA7D->BAC4921A), hook C:\Windows\system32\DRIVERS\5786307drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtTerminateThread (173) intercepted (82CCA3F4->BAC49170), hook C:\Windows\system32\DRIVERS\5786307drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtUnmapViewOfSection (181) intercepted (82CB66FA->BAC4CD0E), hook C:\Windows\system32\DRIVERS\5786307drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtWriteVirtualMemory (18F) intercepted (82CB17DA->BAC49306), hook C:\Windows\system32\DRIVERS\5786307drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Functions checked: 401, intercepted: 52, restored: 52
1.3 Checking IDT and SYSENTER
Analysis for CPU 1
Analysis for CPU 2
Analysis for CPU 3
Analysis for CPU 4
CmpCallCallBacks = 00000000
Checking IDT and SYSENTER - complete
1.4 Searching for masking processes and drivers
Checking not performed: extended monitoring driver (AVZPM) is not installed
1.5 Checking of IRP handlers
Driver loaded successfully
Checking - complete
Latent loading of libraries through AppInit_DLLs suspected: "C:\Windows\System32\avgrsstx.dll"
>> Services: potentially dangerous service allowed: TermService (Remote Desktop Services)
>> Services: potentially dangerous service allowed: SSDPSRV (SSDP Discovery)
>> Services: potentially dangerous service allowed: Schedule (Task Scheduler)
> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
>> Security: disk drives' autorun is enabled
>> Security: administrative shares (C$, D$ ...) are enabled
>> Security: anonymous user access is enabled
>> Security: sending Remote Assistant queries is enabled
>> Disable HDD autorun
>> Disable autorun from network drives
>> Disable CD/DVD autorun
>> Disable removable media autorun
System Analysis in progress
System Analysis - complete