Results of system analysis

Kaspersky Virus Removal Tool 11.0.0.1245 (database released 19/07/2012; 13:33)

List of processes

File name	PID	Description	Copyright	MD5	Information
Admload.exe Script: Quarantine, Delete, BC delete, Terminate	7092			??	error getting file info Command line:
ApMsgFwd.exe Script: Quarantine, Delete, BC delete, Terminate	1732			??	error getting file info Command line:
ApntEx.exe Script: Quarantine, Delete, BC delete, Terminate	6328			??	error getting file info Command line:
Apoint.exe Script: Quarantine, Delete, BC delete, Terminate	5412			??	error getting file info Command line:
Apvfb.exe Script: Quarantine, Delete, BC delete, Terminate	6596			??	error getting file info Command line:
c:\program files (x86)\sony\smartwi connection utility\ccp.exe Script: Quarantine, Delete, BC delete, Terminate	1920	CCP	Copyright © 2004 - 2009	??	16.00 kb, rsAh, created: 27.08.2010 11:25:27, modified: 19.01.2010 22:58:42 Command line: "C:\Program Files (x86)\Sony\SmartWi Connection Utility\CCP.exe" /LaunchDependencies
Core Temp.exe Script: Quarantine, Delete, BC delete, Terminate	4352			??	error getting file info Command line:
c:\program files (x86)\mozilla firefox\firefox.exe Script: Quarantine, Delete, BC delete, Terminate	8708	Firefox	©Firefox and Mozilla Developers, according to the MPL 1.1/GPL 2.0/LGPL 2.1 licenses, as applicable.	??	892.47 kb, rsAh, created: 04.09.2010 15:33:21, modified: 23.06.2012 22:45:01 Command line: "C:\Program Files (x86)\Mozilla Firefox\firefox.exe"
iPodService.exe Script: Quarantine, Delete, BC delete, Terminate	6908			??	error getting file info Command line:
ipoint.exe Script: Quarantine, Delete, BC delete, Terminate	5456			??	error getting file info Command line:
mDNSResponder.exe Script: Quarantine, Delete, BC delete, Terminate	1704			??	error getting file info Command line:
c:\program files (x86)\sony\smartwi connection utility\powermanager.exe Script: Quarantine, Delete, BC delete, Terminate	2680	PowerManager	Copyright © 2006	??	34.50 kb, rsAh, created: 27.08.2010 11:25:27, modified: 19.01.2010 22:58:42 Command line: "C:\Program Files (x86)\Sony\SmartWi Connection Utility\PowerManager.exe"
RAVBg64.exe Script: Quarantine, Delete, BC delete, Terminate	5288			??	error getting file info Command line:
sidebar.exe Script: Quarantine, Delete, BC delete, Terminate	3880			??	error getting file info Command line:
c:\program files (x86)\sony\smartwi connection utility\smartwi.exe Script: Quarantine, Delete, BC delete, Terminate	7552			??	178.38 kb, rsAh, created: 27.08.2010 11:25:27, modified: 21.01.2010 21:40:10 Command line: "C:\Program Files (x86)\Sony\SmartWi Connection Utility\SmartWi.exe"
SpfService64.exe Script: Quarantine, Delete, BC delete, Terminate	3420			??	error getting file info Command line:
SPMgr.exe Script: Quarantine, Delete, BC delete, Terminate	5840			??	error getting file info Command line:
SPMService.exe Script: Quarantine, Delete, BC delete, Terminate	6448			??	error getting file info Command line:
c:\program files (x86)\sony\smartwi connection utility\thirdpartyappmgr.exe Script: Quarantine, Delete, BC delete, Terminate	6288	ThirdPartyAppMgr	Copyright © 2006	??	17.50 kb, rsAh, created: 27.08.2010 11:25:27, modified: 19.01.2010 22:58:40 Command line: "C:\Program Files (x86)\Sony\SmartWi Connection Utility\ThirdPartyAppMgr.exe"
VAIOUpdt.exe Script: Quarantine, Delete, BC delete, Terminate	6804			??	error getting file info Command line:
VCAgent.exe Script: Quarantine, Delete, BC delete, Terminate	2548			??	error getting file info Command line:
c:\program files (x86)\common files\sony shared\vaio content folder watcher\vcfw.exe Script: Quarantine, Delete, BC delete, Terminate	2220	VAIO Content Folder Watcher	©2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Sony Corp.	??	935.66 kb, rsAh, created: 24.10.2011 14:49:14, modified: 24.10.2011 14:49:14 Command line: "C:\Program Files (x86)\Common Files\Sony Shared\VAIO Content Folder Watcher\VCFw.exe"
VCPerfService.exe Script: Quarantine, Delete, BC delete, Terminate	5764			??	error getting file info Command line:
VCsystray.exe Script: Quarantine, Delete, BC delete, Terminate	2036			??	error getting file info Command line:
VUAgent.exe Script: Quarantine, Delete, BC delete, Terminate	6228			??	error getting file info Command line:
wmpnetwk.exe Script: Quarantine, Delete, BC delete, Terminate	4580			??	error getting file info Command line:
Detected:105, recognized as trusted 85

Module name	Handle	Description	Copyright	MD5	Used by processes
c:\Program Files (x86)\Sony\PMB\PMB_SDK.dll Script: Quarantine, Delete, BC delete	1952710656	PMB SDK	Copyright 2010 Sony Corporation	--	2220
C:\Program Files (x86)\Sony\SmartWi Connection Utility\DevicePanel.dll Script: Quarantine, Delete, BC delete	1699282944	DevicePanel	Copyright © 2009	--	7552
C:\Program Files (x86)\Sony\SmartWi Connection Utility\Kinoubi.Plugins.PluginManager.ThirdPartyApp.dll Script: Quarantine, Delete, BC delete	1923284992	Kinoubi.Plugins.PluginManager.ThirdPartyApp	Copyright © 2006	--	2680, 6288
C:\Program Files (x86)\Sony\SmartWi Connection Utility\NativeWifiWrap.dll Script: Quarantine, Delete, BC delete	108920832	TODO:	TODO: (c) . All rights reserved.	--	2680, 6288
C:\Program Files (x86)\Sony\SmartWi Connection Utility\NotifyIconEx.dll Script: Quarantine, Delete, BC delete	1667825664	TODO:	TODO: (c) . All rights reserved.	--	7552
C:\Program Files (x86)\Sony\SmartWi Connection Utility\SonyCommonLib.dll Script: Quarantine, Delete, BC delete	1718550528	Sony Common Library	Copyright © 2006	--	1920, 2680, 7552, 6288
C:\Users\Kenzie\AppData\Roaming\Mozilla\Firefox\Profiles\a7331r4l.default\extensions\adblockvideo@adblockvideo.com\components\ff13\AdBlockVideo.dll Script: Quarantine, Delete, BC delete	1663827968			--	8708
C:\Users\Kenzie\AppData\Roaming\Mozilla\Firefox\Profiles\a7331r4l.default\extensions\zoteroWinWordIntegration@zotero.org\components-13.0\zoteroWinWordIntegration.dll Script: Quarantine, Delete, BC delete	1704394752	TODO:	TODO: (c) . All rights reserved.	--	8708
Modules detected:586, recognized as trusted 578

Kernel Space Modules Viewer

Module	Base address	Size in memory	Description	Manufacturer
C:\Windows\system32\DRIVERS\08859749.sys Script: Quarantine, Delete, BC delete	10004000	75F000 (7729152)
C:\Users\Kenzie\AppData\Local\Temp\ALSysIO64.sys Script: Quarantine, Delete, BC delete	B983000	008000 (32768)
C:\Windows\System32\Drivers\dump_dumpfve.sys Script: Quarantine, Delete, BC delete	9439000	013000 (77824)
C:\Windows\System32\Drivers\dump_iaStor.sys Script: Quarantine, Delete, BC delete	4CD9000	208000 (2129920)
Modules detected - 216, recognized as trusted - 212

Services

Service	Description	Status	File	Group	Dependencies
SampleCollector Service: Stop, Delete, Disable, BC delete	VAIO Care Performance Service	Running	.exe Script: Quarantine, Delete, BC delete
Detected - 192, recognized as trusted - 191

Drivers

Service	Description	Status	File	Group	Dependencies
08859749 Driver: Unload, Delete, Disable, BC delete	08859749	Running	08859749.sys Script: Quarantine, Delete, BC delete
ALSysIO Driver: Unload, Delete, Disable, BC delete	ALSysIO	Running	C:\Users\Kenzie\AppData\Local\Temp\ALSysIO64.sys Script: Quarantine, Delete, BC delete
WinRing0_1_2_0 Driver: Unload, Delete, Disable, BC delete	WinRing0_1_2_0	Not started	C:\Program Files (x86)\BatteryCare\WinRing0x64.sys Script: Quarantine, Delete, BC delete
Detected - 299, recognized as trusted - 296

Autoruns

File name	Status	Startup method	Description
C:\Program Files (x86)\Core Temp\Core Temp.exe Script: Quarantine, Delete, BC delete	Active	Shortcut in Autoruns folder	C:\Users\Kenzie\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\, C:\Users\Kenzie\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Core Temp.lnk,
C:\Program Files\Sony\VAIO Power Management\SPMPanel.dll Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved, {ED58A35B-B554-42AF-A26C-6F3D424200D3} Delete
C:\Program Files\Tablet\Pen\Consumer_CPL.exe Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cpls, Bamboo Delete
C:\Users\Kenzie\AppData\Local\Temp\_uninst_30714152.bat Script: Quarantine, Delete, BC delete	Active	Shortcut in Autoruns folder	C:\Users\Kenzie\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\, C:\Users\Kenzie\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_uninst_30714152.lnk,
C:\Users\Kenzie\AppData\Local\Temp\_uninst_47838258.bat Script: Quarantine, Delete, BC delete	Active	Shortcut in Autoruns folder	C:\Users\Kenzie\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\, C:\Users\Kenzie\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_uninst_47838258.lnk,
C:\Windows\W7FBC\dll.dll Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler, {73526E5A-FD53-4BE7-B5E2-D3C89D7413DC} Delete
C:\Windows\W7FBC\dll.dll Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved, {73526E5A-FD53-4BE7-B5E2-D3C89D7413DC} Delete
C:\Windows\system32\psxss.exe Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, System\CurrentControlSet\Control\Session Manager\SubSystems, Posix
auditcse.dll Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{f3ccc681-b74c-4060-9f26-cd84525dca2a}, DLLName Delete
igfxdev.dll Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui, DLLName Delete
rdpclip Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd, StartupPrograms Delete
Autoruns items detected - 673, recognized as trusted - 662

Microsoft Internet Explorer extension modules (BHOs, Toolbars ...)

File name	Type	Description	Manufacturer	CLSID
	Extension module			{2670000A-7350-4f3c-8081-5663EE0C6C49} Delete
	Extension module			{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} Delete
	Explorer Bar			{555D4D79-4BD2-4094-A395-CFC534424A05} Delete
Elements detected - 9, recognized as trusted - 6

Windows Explorer extension modules

File name	Destination	Description	Manufacturer	CLSID
C:\Program Files\Sony\VAIO Power Management\SPMPanel.dll Script: Quarantine, Delete, BC delete	Sony Power Management Extensiond	SPM Module	Copyright 2003, 2004, 2005, 2006, 2007, 2008, 2009 Sony Corporation	{ED58A35B-B554-42AF-A26C-6F3D424200D3} Delete
	WinRAR shell extension			{B41DB860-8EE4-11D2-9906-E49FADC173CA} Delete
C:\Windows\W7FBC\dll.dll Script: Quarantine, Delete, BC delete	Ave's FolderBg			{73526E5A-FD53-4BE7-B5E2-D3C89D7413DC} Delete
	Auto Update Property Sheet Extension			{5F327514-6C5E-4d60-8F16-D07FA08A78ED} Delete
	WebCheck			{E6FB5E20-DE35-11CF-9C87-00AA005127ED} Delete
	ColumnHandler			{F9DB5320-233E-11D1-9F84-707F02C10627} Delete
Elements detected - 49, recognized as trusted - 43

Printing system extensions (print monitors, providers)

File name	Type	Name	Description	Manufacturer
AdobePDF.dll Script: Quarantine, Delete, BC delete	Monitor	Adobe PDF Port Monitor
hpinksts8811LM.dll Script: Quarantine, Delete, BC delete	Monitor	HP 8811 Status Monitor
hpf3l70v.dll Script: Quarantine, Delete, BC delete	Monitor	hpf3l70v.dll
hppmopjl.dll Script: Quarantine, Delete, BC delete	Monitor	HPPMOPJL
localspl.dll Script: Quarantine, Delete, BC delete	Monitor	Local Port
FXSMON.DLL Script: Quarantine, Delete, BC delete	Monitor	Microsoft Shared Fax Monitor
hpz3llhn.dll Script: Quarantine, Delete, BC delete	Monitor	PCL hpz3llhn
PJLMON.DLL Script: Quarantine, Delete, BC delete	Monitor	PJL Language Monitor
tcpmon.dll Script: Quarantine, Delete, BC delete	Monitor	Standard TCP/IP Port
usbmon.dll Script: Quarantine, Delete, BC delete	Monitor	USB Monitor
WSDMon.dll Script: Quarantine, Delete, BC delete	Monitor	WSD Port
inetpp.dll Script: Quarantine, Delete, BC delete	Provider	HTTP Print Services
Elements detected - 13, recognized as trusted - 1

Task Scheduler jobs

File name	Job name	Job status	Description	Manufacturer
Elements detected - 3, recognized as trusted - 3

SPI/LSP settings

Namespace providers (NSP)

Provider	Status	EXE file	Description	GUID
Detected - 10, recognized as trusted - 10

Transport protocol providers (TSP, LSP)

Provider EXE file Description
Detected - 11, recognized as trusted - 11
Results of automatic SPI settings check
LSP settings checked. No errors detected

TCP/UDP ports

Port Status Remote Host Remote Port Application Notes
TCP ports
UDP ports

Downloaded Program Files (DPF)

File name Description Manufacturer CLSID Source URL
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}
Delete http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
Elements detected - 2, recognized as trusted - 1

Control Panel Applets (CPL)

File name Description Manufacturer
C:\Windows\system32\FlashPlayerCPLApp.cpl
Script: Quarantine, Delete, BC delete Adobe Flash Player Control Panel Applet Copyright © 1996 Adobe Systems Incorporated. All Rights Reserved. Adobe and Flash are either trademarks or registered trademarks in the United States and/or other countries.
Elements detected - 19, recognized as trusted - 18

Active Setup

File name Description Manufacturer CLSID
Elements detected - 9, recognized as trusted - 9

HOSTS file

Hosts file record

Protocols and handlers

File name Type Description Manufacturer CLSID
mscoree.dll
Script: Quarantine, Delete, BC delete Protocol Microsoft .NET Runtime Execution Engine () © Microsoft Corporation. All rights reserved. {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
Delete
mscoree.dll
Script: Quarantine, Delete, BC delete Protocol Microsoft .NET Runtime Execution Engine () © Microsoft Corporation. All rights reserved. {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
Delete
mscoree.dll
Script: Quarantine, Delete, BC delete Protocol Microsoft .NET Runtime Execution Engine () © Microsoft Corporation. All rights reserved. {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
Delete
Elements detected - 15, recognized as trusted - 12

Suspicious objects

File Description Type

Main script of analysis
Windows version: Windows 7 Home Premium, Build=7601, SP="Service Pack 1"
System Restore: enabled
>> Services: potentially dangerous service allowed: TermService (@%SystemRoot%\System32\termsrv.dll,-268)
>> Services: potentially dangerous service allowed: SSDPSRV (@%systemroot%\system32\ssdpsrv.dll,-100)
>> Services: potentially dangerous service allowed: Schedule (@%SystemRoot%\system32\schedsvc.dll,-100)
> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
>> Security: disk drives' autorun is enabled
>> Security: administrative shares (C$, D$ ...) are enabled
>> Security: anonymous user access is enabled
>> Security: sending Remote Assistant queries is enabled
 >>  Disable HDD autorun
 >>  Disable autorun from network drives
 >>  Disable CD/DVD autorun
 >>  Disable removable media autorun
System Analysis in progress

 System Analysis - complete


Script commands 
Add commands to script:
Blocking hooks using Anti-Rootkit
Enable AVZGuard
Operations with AVZPM (true=enable,false=disable)
BootCleaner - import list of deleted files
BootCleaner - import all
Registry cleanup after deleting files
ExecuteWizard ('TSW',2,3,true) - Running Troubleshooting wizard
BootCleaner - activate
Reboot
Insert template for QuarantineFile() - quarantining file
Insert template for BC_QrFile() - quarantining file via BootCleaner
Insert template for DeleteFile() - deleting file
Insert template for DelCLSID() - deleting CLSID item from registry
Additional operations:Performance tweaking: disable service TermService (@%SystemRoot%\System32\termsrv.dll,-268)
Performance tweaking: disable service SSDPSRV (@%systemroot%\system32\ssdpsrv.dll,-100)
Performance tweaking: disable service Schedule (@%SystemRoot%\system32\schedsvc.dll,-100)
Security tweaking: disable CD autorun
Security tweaking: disable administrative shares
Security tweaking: disable anonymous user access
Security: disable sending Remote Assistant queries

File list

Port	Status	Remote Host	Remote Port	Application	Notes
TCP ports
UDP ports