Kaspersky Virus Removal Tool 11.0.0.1245 (database released 27/07/2012; 15:15)
| File name | PID | Description | Copyright | MD5 | Information |
|---|---|---|---|---|---|
| AESTSr64.exe | 1628 | | | ?? | error getting file info; Command line: (empty) |
| BCMWLTRY.EXE | 1752 | | | ?? | error getting file info; Command line: (empty) |
| btwdins.exe | 2240 | | | ?? | error getting file info; Command line: (empty) |
| BullGuard.exe | 4708 | | | ?? | error getting file info; Command line: (empty) |
| BullGuardBhvScanner.exe | 2068 | | | ?? | error getting file info; Command line: (empty) |
| BullGuardScanner.exe | 2144 | | | ?? | error getting file info; Command line: (empty) |
| BullGuardUpdate.exe | 2176 | | | ?? | error getting file info; Command line: (empty) |
| DpHostW.exe | 1912 | | | ?? | error getting file info; Command line: (empty) |
| dpupdchk.exe | 4960 | | | ?? | error getting file info; Command line: (empty) |
| E_S50RPB.EXE | 2400 | | | ?? | error getting file info; Command line: (empty) |
| E_S50STB.EXE | 2336 | | | ?? | error getting file info; Command line: (empty) |
| HPSA_Service.exe | 3536 | | | ?? | error getting file info; Command line: (empty) |
| hrfscore.exe | 6080 | | | ?? | error getting file info; Command line: (empty) |
| itype.exe | 4656 | | | ?? | error getting file info; Command line: (empty) |
| McciCMService.exe | 2292 | | | ?? | error getting file info; Command line: (empty) |
| OSPPSVC.EXE | 7012 | | | ?? | error getting file info; Command line: (empty) |
| PresentationFontCache.exe | 3680 | | | ?? | error getting file info; Command line: (empty) |
| SASCore64.exe | 1408 | | | ?? | error getting file info; Command line: (empty) |
| stacsv64.exe | 592 | | | ?? | error getting file info; Command line: (empty) |
| SUPERANTISPYWARE.EXE | 4740 | | | ?? | error getting file info; Command line: (empty) |
| SynTPEnh.exe | 4612 | | | ?? | error getting file info; Command line: (empty) |
| SynTPHelper.exe | 4848 | | | ?? | error getting file info; Command line: (empty) |
| WLTRAY.EXE | 4620 | | | ?? | error getting file info; Command line: (empty) |
| WLTRYSVC.EXE | 1684 | | | ?? | error getting file info; Command line: (empty) |
| wmpnetwk.exe | 5764 | | | ?? | error getting file info; Command line: (empty) |

Detected: 106, recognized as trusted: 81

| Module name | Handle | Description | Copyright | MD5 | Used by processes |
|---|---|---|---|---|---|

Modules detected: 399, recognized as trusted: 399

| Module | Base address | Size in memory | Description | Manufacturer |
|---|---|---|---|---|
| C:\windows\System32\Drivers\dump_dumpfve.sys | 8DDF000 | 013000 (77824) | | |
| C:\windows\System32\Drivers\dump_iaStor.sys | 4050000 | 154000 (1392640) | | |
| C:\windows\System32\Drivers\dump_MfeEpeHb.sys | 8DDD000 | 002000 (8192) | | |

Modules detected: 242, recognized as trusted: 239

| Service | Description | Status | File | Group | Dependencies |
|---|---|---|---|---|---|
| wltrysvc | Broadcom Wireless LAN Tray Service | Running | C:\Program Files\Broadcom\Broadcom 802.11\WLTRYSVC.EXE | wltrysvc | |

Detected: 206, recognized as trusted: 205

| Service | Description | Status | File | Group | Dependencies |
|---|---|---|---|---|---|
| catchme | catchme | Not started | C:\ComboFix\catchme.sys | Base | |
| MREMP50a64 | MREMP50a64 NDIS Protocol Driver | Not started | C:\PROGRA~1\COMMON~1\Motive\MREMP50a64.SYS | PNP_TDI | |
| MREMPR5 | MREMPR5 NDIS Protocol Driver | Not started | C:\PROGRA~2\COMMON~1\Motive\MREMPR5.SYS | PNP_TDI | |
| MRENDIS5 | MRENDIS5 NDIS Protocol Driver | Not started | C:\PROGRA~2\COMMON~1\Motive\MRENDIS5.SYS | PNP_TDI | |
| MRESP50a64 | MRESP50a64 NDIS Protocol Driver | Not started | C:\PROGRA~1\COMMON~1\Motive\MRESP50a64.SYS | PNP_TDI | |

Detected: 294, recognized as trusted: 289

| File name | Status | Startup method | Description |
|---|---|---|---|
| C:\010f1e96896450667a05\DW\DW20.exe | -- | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\VSSetup, EventMessageFile |
| C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\DWA\resources\libraries\EventMessages.dll | -- | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Adobe Setup, EventMessageFile |
| C:\Program Files (x86)\Kineti | -- | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Online Backup Service, EventMessageFile |
| C:\Program Files\Broadcom\Broadcom 802.11\WLTRAY.exe | Active | Registry key | HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, Broadcom Wireless Manager UI |
| C:\Program Files\Broadcom\Broadcom 802.11\bcmwltry.exe | -- | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\wltrysvc, EventMessageFile |
| C:\Sfax\SfaxDriverUpdate.exe | Active | Shortcut in Autoruns folder | C:\Users\Peter\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\, C:\Users\Peter\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sfax Printer Driver - Auto Update.lnk |
| C:\Users\Peter\AppData\Local\Temp\_uninst_96513819.bat | Active | Shortcut in Autoruns folder | C:\Users\Peter\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\, C:\Users\Peter\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_uninst_96513819.lnk |
| C:\windows\System32\BCMLogon.dll | Active | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\BCMLogon\NetworkProvider, ProviderPath |
| C:\windows\System32\bcmwlcpl.cpl | Active | Registry key | HKEY_LOCAL_MACHINE, SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cpls, bcmwlcpl.cpl |
| C:\windows\system32\psxss.exe | -- | Registry key | HKEY_LOCAL_MACHINE, System\CurrentControlSet\Control\Session Manager\SubSystems, Posix |
| SDEvents.dll | -- | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Spybot - Search & Destroy 2, EventMessageFile |
| auditcse.dll | Active | Registry key | HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{f3ccc681-b74c-4060-9f26-cd84525dca2a}, DLLName |
| c:\Program Files\Microsoft IntelliType Pro\dw15.exe | -- | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\IntelliType Pro, EventMessageFile |
| rdpclip | Active | Registry key | HKEY_LOCAL_MACHINE, System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd, StartupPrograms |

Autoruns items detected: 754, recognized as trusted: 740

| File name | Type | Description | Manufacturer | CLSID |
|---|---|---|---|---|
| | Extension module | | | {2670000A-7350-4f3c-8081-5663EE0C6C49} |
| | Extension module | | | {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} |

Elements detected: 8, recognized as trusted: 6

| File name | Destination | Description | Manufacturer | CLSID |
|---|---|---|---|---|
| | ColumnHandler | | | {F9DB5320-233E-11D1-9F84-707F02C10627} |

Elements detected: 48, recognized as trusted: 47

| File name | Type | Name | Description | Manufacturer |
|---|---|---|---|---|
| AdobePDF.dll | Monitor | Adobe PDF Port Monitor | | |
| E_ILMGBA.DLL | Monitor | EPSON WorkForce 630 Series 64MonitorBA | | |
| localspl.dll | Monitor | Local Port | | |
| FXSMON.DLL | Monitor | Microsoft Shared Fax Monitor | | |
| tcpmon.dll | Monitor | Standard TCP/IP Port | | |
| usbmon.dll | Monitor | USB Monitor | | |
| WSDMon.dll | Monitor | WSD Port | | |
| inetpp.dll | Provider | HTTP Print Services | | |

Elements detected: 9, recognized as trusted: 1

| File name | Job name | Job status | Description | Manufacturer |
|---|---|---|---|---|

Elements detected: 4, recognized as trusted: 4

| Provider | Status | EXE file | Description | GUID |
|---|---|---|---|---|

Detected: 9, recognized as trusted: 9

| Provider | EXE file | Description |
|---|---|---|

Detected: 23, recognized as trusted: 23

| Port | Status | Remote Host | Remote Port | Application | Notes |
|---|---|---|---|---|---|

TCP ports: none listed
UDP ports: none listed

| File name | Description | Manufacturer | CLSID | Source URL |
|---|---|---|---|---|

Elements detected: 0, recognized as trusted: 0

| File name | Description | Manufacturer |
|---|---|---|
| C:\windows\system32\FlashPlayerCPLApp.cpl | Adobe Flash Player Control Panel Applet | Copyright © 1996 Adobe Systems Incorporated. All Rights Reserved. Adobe and Flash are either trademarks or registered trademarks in the United States and/or other countries. |

Elements detected: 19, recognized as trusted: 18

| File name | Description | Manufacturer | CLSID |
|---|---|---|---|

Elements detected: 9, recognized as trusted: 9

Hosts file record: none listed

| File name | Type | Description | Manufacturer | CLSID |
|---|---|---|---|---|
| mscoree.dll | Protocol | Microsoft .NET Runtime Execution Engine () | © Microsoft Corporation. All rights reserved. | {1E66F26B-79EE-11D2-8710-00C04F79ED0D} |
| mscoree.dll | Protocol | Microsoft .NET Runtime Execution Engine () | © Microsoft Corporation. All rights reserved. | {1E66F26B-79EE-11D2-8710-00C04F79ED0D} |
| mscoree.dll | Protocol | Microsoft .NET Runtime Execution Engine () | © Microsoft Corporation. All rights reserved. | {1E66F26B-79EE-11D2-8710-00C04F79ED0D} |

Elements detected: 14, recognized as trusted: 11

| File | Description | Type |
|---|---|---|

Main script of analysis
Windows version: Windows 7 Professional, Build=7601, SP="Service Pack 1"
System Restore: enabled
>> Services: potentially dangerous service allowed: TermService (@%SystemRoot%\System32\termsrv.dll,-268)
>> Services: potentially dangerous service allowed: SSDPSRV (@%systemroot%\system32\ssdpsrv.dll,-100)
>> Services: potentially dangerous service allowed: Schedule (@%SystemRoot%\system32\schedsvc.dll,-100)
> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc.)!
>> Security: disk drives' autorun is enabled
>> Security: administrative shares (C$, D$ ...) are enabled
>> Security: anonymous user access is enabled
>> Security: sending Remote Assistant queries is enabled
>> Disable HDD autorun
>> Disable autorun from network drives
>> Disable CD/DVD autorun
>> Disable removable media autorun
>> Windows Explorer - show extensions of known file types
System Analysis - complete