Results of system analysis

Kaspersky Virus Removal Tool 11.0.0.1245 (database released 09/10/2012; 03:04)

List of processes

File name	PID	Description	Copyright	MD5	Information
c:\program files\avast software\avast\avastsvc.exe Script: Quarantine, Delete, BC delete, Terminate	3284	avast! Service	Copyright (c) 2012 AVAST Software	??	43.76 kb, rsAh, created: 15.09.2012 05:50:29, modified: 21.08.2012 10:12:25 Command line: "C:\Program Files\AVAST Software\Avast\AvastSvc.exe"
c:\program files (x86)\canon\canon ij network scan utility\cnmnsut.exe Script: Quarantine, Delete, BC delete, Terminate	3752	Canon IJ Network Scan Utility	Copyright CANON INC. 2005-2010 All Rights Reserved	??	201.41 kb, rsAh, created: 17.10.2011 00:17:08, modified: 23.08.2010 17:11:28 Command line: "C:\Program Files (x86)\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe"
GoogleCrashHandler64.exe Script: Quarantine, Delete, BC delete, Terminate	2220			??	error getting file info Command line:
iPodService.exe Script: Quarantine, Delete, BC delete, Terminate	3740			??	error getting file info Command line:
c:\program files (x86)\itunes\itunes.exe Script: Quarantine, Delete, BC delete, Terminate	5284	iTunes	© 2003-2012 Apple Inc. All rights reserved.	??	9547.85 kb, rsAh, created: 27.03.2012 13:09:16, modified: 27.03.2012 13:09:16 Command line: "C:\program files (x86)\itunes\itunes.exe"
KHALMNPR.exe Script: Quarantine, Delete, BC delete, Terminate	4592			??	error getting file info Command line:
KhalScroll.exe Script: Quarantine, Delete, BC delete, Terminate	3528			??	error getting file info Command line:
mDNSResponder.exe Script: Quarantine, Delete, BC delete, Terminate	1604			??	error getting file info Command line:
nvtray.exe Script: Quarantine, Delete, BC delete, Terminate	3436			??	error getting file info Command line:
nvxdsync.exe Script: Quarantine, Delete, BC delete, Terminate	1660			??	error getting file info Command line:
SetPoint.exe Script: Quarantine, Delete, BC delete, Terminate	3328			??	error getting file info Command line:
wmpnetwk.exe Script: Quarantine, Delete, BC delete, Terminate	4700			??	error getting file info Command line:
Detected:75, recognized as trusted 66

Module name	Handle	Description	Copyright	MD5	Used by processes
C:\Program Files (x86)\Canon\Canon IJ Network Scan Utility\CNSU_ENU.DLL Script: Quarantine, Delete, BC delete	268435456	Canon IJ Network Scan Utility Resources	Copyright CANON INC. 2005-2010 All Rights Reserved	--	3752
C:\Program Files (x86)\QuickTime\QTSystem\CoreVideo.qtx Script: Quarantine, Delete, BC delete	1713307648	CoreVideo	© Apple Inc. 1989-2012	--	5284
C:\Program Files (x86)\QuickTime\QTSystem\QTCF.dll Script: Quarantine, Delete, BC delete	1795686400	QuickTime CoreFoundation	Copyright Apple Inc. 1989-2012	--	5284
C:\Program Files (x86)\QuickTime\QTSystem\QuickTime.qts Script: Quarantine, Delete, BC delete	1526005760	QuickTime	Copyright Apple Inc. 1989-2012	--	5284
C:\Program Files (x86)\QuickTime\QTSystem\QuickTime3GPP.qtx Script: Quarantine, Delete, BC delete	1524760576	QuickTime 3GPP	Copyright Apple Inc. 1989-2012	--	5284
C:\Program Files (x86)\QuickTime\QTSystem\QuickTime3GPPAuthoring.qtx Script: Quarantine, Delete, BC delete	1524367360	QuickTime 3GPP Authoring	Copyright Apple Inc. 1989-2012	--	5284
C:\Program Files (x86)\QuickTime\QTSystem\QuickTimeAudioSupport.qtx Script: Quarantine, Delete, BC delete	1726676992	QuickTime Audio Support	Copyright Apple Inc. 1989-2012	--	5284
C:\Program Files (x86)\QuickTime\QTSystem\QuickTimeAuthoring.qtx Script: Quarantine, Delete, BC delete	1520435200	QuickTime Authoring	Copyright Apple Inc. 1989-2012	--	5284
C:\Program Files (x86)\QuickTime\QTSystem\QuickTimeCapture.qtx Script: Quarantine, Delete, BC delete	1520041984	QuickTime Capture	Copyright Apple Inc. 1989-2012	--	5284
C:\Program Files (x86)\QuickTime\QTSystem\QuickTimeEffects.qtx Script: Quarantine, Delete, BC delete	1519386624	QuickTime Effects	Copyright Apple Inc. 1989-2012	--	5284
C:\Program Files (x86)\QuickTime\QTSystem\QuickTimeEssentials.qtx Script: Quarantine, Delete, BC delete	1518927872	QuickTime Essentials	Copyright Apple Inc. 1989-2012	--	5284
C:\Program Files (x86)\QuickTime\QTSystem\QuickTimeH264.qtx Script: Quarantine, Delete, BC delete	1515520000	QuickTimeH264	© Apple Inc. 1989-2012	--	5284
C:\Program Files (x86)\QuickTime\QTSystem\QuickTimeImage.qtx Script: Quarantine, Delete, BC delete	1514471424	QuickTime Image	Copyright Apple Inc. 1989-2012	--	5284
C:\Program Files (x86)\QuickTime\QTSystem\QuickTimeInternetExtras.qtx Script: Quarantine, Delete, BC delete	1513553920	QuickTime Internet Extras	Copyright Apple Inc. 1989-2012	--	5284
C:\Program Files (x86)\QuickTime\QTSystem\QuickTimeMPEG.qtx Script: Quarantine, Delete, BC delete	1513029632	QuickTime MPEG	Copyright Apple Inc. 1989-2012	--	5284
C:\Program Files (x86)\QuickTime\QTSystem\QuickTimeMPEG4.qtx Script: Quarantine, Delete, BC delete	1512636416	QuickTime MPEG4	Copyright Apple Inc. 1989-2012	--	5284
C:\Program Files (x86)\QuickTime\QTSystem\QuickTimeMPEG4Authoring.qtx Script: Quarantine, Delete, BC delete	1511981056	QuickTime MPEG4Authoring	Copyright Apple Inc. 1989-2012	--	5284
C:\Program Files (x86)\QuickTime\QTSystem\QuickTimeMusic.qtx Script: Quarantine, Delete, BC delete	1511391232	QuickTime Music	Copyright Apple Inc. 1989-2012	--	5284
C:\Program Files (x86)\QuickTime\QTSystem\QuickTimeStreaming.qtx Script: Quarantine, Delete, BC delete	1510473728	QuickTime Streaming	Copyright Apple Inc. 1989-2012	--	5284
C:\Program Files (x86)\QuickTime\QTSystem\QuickTimeStreamingAuthoring.qtx Script: Quarantine, Delete, BC delete	1510080512	QuickTime Streaming Authoring	Copyright Apple Inc. 1989-2012	--	5284
C:\Program Files (x86)\QuickTime\QTSystem\QuickTimeStreamingExtras.qtx Script: Quarantine, Delete, BC delete	1713111040	QuickTime Streaming Extras	Copyright Apple Inc. 1989-2012	--	5284
C:\Program Files (x86)\QuickTime\QTSystem\QuickTimeVR.qtx Script: Quarantine, Delete, BC delete	1509163008	QuickTime VR	Copyright Apple Inc. 1989-2012	--	5284
C:\Program Files\AVAST Software\Avast\defs\12100900\algo.dll Script: Quarantine, Delete, BC delete	1499922432			--	3284
Modules detected:497, recognized as trusted 474

Kernel Space Modules Viewer

Module	Base address	Size in memory	Description	Manufacturer
C:\Windows\system32\DRIVERS\68339146.sys Script: Quarantine, Delete, BC delete	AC74000	75F000 (7729152)
C:\Windows\system32\DRIVERS\88152142.sys Script: Quarantine, Delete, BC delete	15607000	75F000 (7729152)
C:\Windows\System32\Drivers\dump_atapi.sys Script: Quarantine, Delete, BC delete	A682000	009000 (36864)
C:\Windows\System32\Drivers\dump_dumpata.sys Script: Quarantine, Delete, BC delete	A676000	00C000 (49152)
C:\Windows\System32\Drivers\dump_dumpfve.sys Script: Quarantine, Delete, BC delete	A68B000	013000 (77824)
Modules detected - 206, recognized as trusted - 201

Services

Service	Description	Status	File	Group	Dependencies
Detected - 160, recognized as trusted - 160

Drivers

Service	Description	Status	File	Group	Dependencies
68339146 Driver: Unload, Delete, Disable, BC delete	68339146	Running	68339146.sys Script: Quarantine, Delete, BC delete
88152142 Driver: Unload, Delete, Disable, BC delete	88152142	Running	88152142.sys Script: Quarantine, Delete, BC delete
catchme Driver: Unload, Delete, Disable, BC delete	catchme	Not started	C:\ComboFix\catchme.sys Script: Quarantine, Delete, BC delete	Base
Synth3dVsc Driver: Unload, Delete, Disable, BC delete	Synth3dVsc	Not started	Synth3dVsc.sys Script: Quarantine, Delete, BC delete
tsusbhub Driver: Unload, Delete, Disable, BC delete	tsusbhub	Not started	tsusbhub.sys Script: Quarantine, Delete, BC delete
VGPU Driver: Unload, Delete, Disable, BC delete	VGPU	Not started	VGPU.sys Script: Quarantine, Delete, BC delete
Detected - 271, recognized as trusted - 265

Autoruns

File name	Status	Startup method	Description
C:\Program Files (x86)\Free Easy CD DVD Burner\FreeEasyBurner.exe Script: Quarantine, Delete, BC delete	Active	Shortcut in Autoruns folder	C:\Users\Umberto\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\, C:\Users\Umberto\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Free Easy Burner.lnk,
C:\Users\Umberto\AppData\Local\Temp\_uninst_75635270.bat Script: Quarantine, Delete, BC delete	Active	Shortcut in Autoruns folder	C:\Users\Umberto\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\, C:\Users\Umberto\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_uninst_75635270.lnk,
C:\Users\Umberto\AppData\Local\Temp\_uninst_75635270.bat Script: Quarantine, Delete, BC delete	Active	Shortcut in Autoruns folder	C:\Users\Umberto\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\, C:\Users\Umberto\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_uninst_75635270.lnk,
C:\Users\Umberto\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Shows Desktop.lnk Script: Quarantine, Delete, BC delete	Active	File in Autoruns folder	C:\Users\Umberto\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\, C:\Users\Umberto\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Shows Desktop.lnk,
C:\Users\Umberto\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Window Switcher.lnk Script: Quarantine, Delete, BC delete	Active	File in Autoruns folder	C:\Users\Umberto\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\, C:\Users\Umberto\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Window Switcher.lnk,
C:\Windows\system32\EventProviders\spcmsg.dll Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-Service Pack Installer, EventMessageFile
C:\Windows\system32\psxss.exe Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, System\CurrentControlSet\Control\Session Manager\SubSystems, Posix
SDEvents.dll Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Spybot - Search & Destroy 2, EventMessageFile
auditcse.dll Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{f3ccc681-b74c-4060-9f26-cd84525dca2a}, DLLName Delete
rdpclip Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd, StartupPrograms Delete
Autoruns items detected - 604, recognized as trusted - 594

Microsoft Internet Explorer extension modules (BHOs, Toolbars ...)

File name	Type	Description	Manufacturer	CLSID
Elements detected - 4, recognized as trusted - 4

Windows Explorer extension modules

File name	Destination	Description	Manufacturer	CLSID
	{B9B9F083-2B04-452A-8691-83694AC1037B}			Logitech Setpoint Extension Delete
	ColumnHandler			{F9DB5320-233E-11D1-9F84-707F02C10627} Delete
Elements detected - 14, recognized as trusted - 12

Printing system extensions (print monitors, providers)

File name	Type	Name	Description	Manufacturer
CNMLMA2.DLL Script: Quarantine, Delete, BC delete	Monitor	Canon BJ Language Monitor MP640 series
CNMN6PPM.DLL Script: Quarantine, Delete, BC delete	Monitor	Canon BJNP Port
hpzllwn7.dll Script: Quarantine, Delete, BC delete	Monitor	LIDIL hpzllwn7
localspl.dll Script: Quarantine, Delete, BC delete	Monitor	Local Port
FXSMON.DLL Script: Quarantine, Delete, BC delete	Monitor	Microsoft Shared Fax Monitor
tcpmon.dll Script: Quarantine, Delete, BC delete	Monitor	Standard TCP/IP Port
usbmon.dll Script: Quarantine, Delete, BC delete	Monitor	USB Monitor
WSDMon.dll Script: Quarantine, Delete, BC delete	Monitor	WSD Port
inetpp.dll Script: Quarantine, Delete, BC delete	Provider	HTTP Print Services
Elements detected - 10, recognized as trusted - 1

Task Scheduler jobs

File name	Job name	Job status	Description	Manufacturer
Elements detected - 2, recognized as trusted - 2

SPI/LSP settings

Namespace providers (NSP)

Provider	Status	EXE file	Description	GUID
Detected - 7, recognized as trusted - 7

Transport protocol providers (TSP, LSP)

Provider EXE file Description
Detected - 10, recognized as trusted - 10
Results of automatic SPI settings check
LSP settings checked. No errors detected

TCP/UDP ports

Port Status Remote Host Remote Port Application Notes
TCP ports
UDP ports

Downloaded Program Files (DPF)

File name Description Manufacturer CLSID Source URL
Elements detected - 0, recognized as trusted - 0

Control Panel Applets (CPL)

File name Description Manufacturer
C:\Windows\system32\FlashPlayerCPLApp.cpl
Script: Quarantine, Delete, BC delete Adobe Flash Player Control Panel Applet Copyright © 1996-2012 Adobe Systems Incorporated. All Rights Reserved. Adobe and Flash are either trademarks or registered trademarks in the United States and/or other countries.
Elements detected - 19, recognized as trusted - 18

Active Setup

File name Description Manufacturer CLSID
Elements detected - 9, recognized as trusted - 9

HOSTS file

Hosts file record
127.0.0.1 localhost
Clear Hosts file

Protocols and handlers

File name Type Description Manufacturer CLSID
mscoree.dll
Script: Quarantine, Delete, BC delete Protocol Microsoft .NET Runtime Execution Engine () © Microsoft Corporation. All rights reserved. {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
Delete
mscoree.dll
Script: Quarantine, Delete, BC delete Protocol Microsoft .NET Runtime Execution Engine () © Microsoft Corporation. All rights reserved. {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
Delete
mscoree.dll
Script: Quarantine, Delete, BC delete Protocol Microsoft .NET Runtime Execution Engine () © Microsoft Corporation. All rights reserved. {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
Delete
Elements detected - 16, recognized as trusted - 13

Suspicious objects

File Description Type

Main script of analysis
Windows version: Windows 7 Ultimate, Build=7601, SP="Service Pack 1"
System Restore: enabled
>> Services: potentially dangerous service allowed: TermService (@%SystemRoot%\System32\termsrv.dll,-268)
>> Services: potentially dangerous service allowed: SSDPSRV (@%systemroot%\system32\ssdpsrv.dll,-100)
>> Services: potentially dangerous service allowed: Schedule (@%SystemRoot%\system32\schedsvc.dll,-100)
> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
>> Security: disk drives' autorun is enabled
>> Security: administrative shares (C$, D$ ...) are enabled
>> Security: anonymous user access is enabled
>> Security: sending Remote Assistant queries is enabled
 >>  Disable HDD autorun
 >>  Disable autorun from network drives
 >>  Disable CD/DVD autorun
 >>  Disable removable media autorun
System Analysis in progress

 System Analysis - complete


Script commands 
Add commands to script:
Blocking hooks using Anti-Rootkit
Enable AVZGuard
Operations with AVZPM (true=enable,false=disable)
BootCleaner - import list of deleted files
BootCleaner - import all
Registry cleanup after deleting files
ExecuteWizard ('TSW',2,3,true) - Running Troubleshooting wizard
BootCleaner - activate
Reboot
Insert template for QuarantineFile() - quarantining file
Insert template for BC_QrFile() - quarantining file via BootCleaner
Insert template for DeleteFile() - deleting file
Insert template for DelCLSID() - deleting CLSID item from registry
Additional operations:Performance tweaking: disable service TermService (@%SystemRoot%\System32\termsrv.dll,-268)
Performance tweaking: disable service SSDPSRV (@%systemroot%\system32\ssdpsrv.dll,-100)
Performance tweaking: disable service Schedule (@%SystemRoot%\system32\schedsvc.dll,-100)
Security tweaking: disable CD autorun
Security tweaking: disable administrative shares
Security tweaking: disable anonymous user access
Security: disable sending Remote Assistant queries

File list

Port	Status	Remote Host	Remote Port	Application	Notes
TCP ports
UDP ports