Kaspersky Virus Removal Tool 11.0.0.1245 (database released 27/08/2013; 15:15)
Processes
File name | PID | Description | Copyright | MD5 | Information
MsMpEng.exe | 776 | | | ?? | error getting file info | Command line:
Detected: 21, recognized as trusted: 20

Loaded modules (DLLs)
Module name | Handle | Description | Copyright | MD5 | Used by processes
Modules detected: 130, recognized as trusted: 130

Kernel-space modules
Module | Base address | Size in memory | Description | Manufacturer
C:\Windows\System32\Drivers\dump_iaStor.sys | 8C60D000 | 0CE000 (843776) | |
Modules detected: 87, recognized as trusted: 86

Services
Service | Description | Status | File | Group | Dependencies
jswpsapi | Jumpstart Wifi Protected Setup | Not started | C:\Program Files\Jumpstart\jswpsapi.exe | | RPCSS
msiserver | Windows Installer | Not started | C:\Windows\system32\msiexec | | rpcss
Detected: 144, recognized as trusted: 142

Drivers
Service | Description | Status | File | Group | Dependencies
catchme | catchme | Not started | C:\Users\Elaine\AppData\Local\Temp\catchme.sys | Base |
SVRPEDRV | SVRPEDRV | Not started | C:\Windows\System32\sysprep\PEDrv.sys | |
Detected: 236, recognized as trusted: 234

Autoruns
File name | Status | Startup method | Description
C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE | -- | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\HotFixInstaller, EventMessageFile
C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE | -- | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\VSSetup, EventMessageFile
C:\Program Files\ArcSoft\TotalMedia Extreme\MSGDll.dll | -- | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\ArcSoft TotalMedia Extreme, EventMessageFile
C:\Program Files\Google\Picasa3\Picasa3.exe | -- | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Picasa3, EventMessageFile
C:\Users\Elaine\AppData\Local\temp\_uninst_.bat | Active | Shortcut in Autoruns folder | C:\Users\Elaine\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\, C:\Users\Elaine\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_uninst_.lnk,
C:\Users\Elaine\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Shows Desktop.lnk | Active | File in Autoruns folder | C:\Users\Elaine\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\, C:\Users\Elaine\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Shows Desktop.lnk,
C:\Windows\System32\IoLogMsg.dll | -- | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\vsmraid, EventMessageFile
C:\Windows\System32\appmgmts.dll | Active | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\AppMgmt\Parameters, ServiceDll
C:\Windows\System32\drivers\dwprot.sys | -- | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\DwProt, EventMessageFile
C:\Windows\System32\drivers\sbapifs.sys | -- | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Anti-Spyware Filter, EventMessageFile
C:\Windows\System32\igmpv2.dll | -- | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\IGMPv2, EventMessageFile
C:\Windows\System32\ipbootp.dll | -- | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\IPBOOTP, EventMessageFile
C:\Windows\System32\iprip2.dll | -- | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\IPRIP2, EventMessageFile
C:\Windows\System32\ws03res.dll | -- | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\IPNATHLP, EventMessageFile
C:\Windows\system32\psxss.exe | -- | Registry key | HKEY_LOCAL_MACHINE, System\CurrentControlSet\Control\Session Manager\SubSystems, Posix
C:\Windows\twain_32\escndv\escndv.exe | Active | Shortcut in Autoruns folder | C:\Users\Elaine\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\, C:\Users\Elaine\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\EPSON Scan.lnk,
C:\Windows\winstart.bat | -- | File in Autoruns folder | C:\Windows\, C:\Windows\winstart.bat,
NDSTray.exe | Disabled | Registry key | HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run-, NDSTray.exe
SDEvents.dll | -- | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Spybot - Search & Destroy 2, EventMessageFile
TOSCDSPD.EXE | Disabled | Registry key | HKEY_USERS, S-1-5-21-1517136145-1328366619-2469452859-1000\Software\Microsoft\Windows\CurrentVersion\Run-, TOSCDSPD
progman.exe | Active | Registry key | HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\WOW\boot, shell
rdpclip | Active | Registry key | HKEY_LOCAL_MACHINE, System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd, StartupPrograms
vgafix.fon | Active | Registry key | HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\WOW\boot, fixedfon.fon
vgaoem.fon | Active | Registry key | HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\WOW\boot, oemfonts.fon
vgasys.fon | Active | Registry key | HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\WOW\boot, fonts.fon
Autoruns items detected: 566, recognized as trusted: 541

Internet Explorer extensions
File name | Type | Description | Manufacturer | CLSID
res:\C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM | Extension module | {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8}
res:\C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM | Extension module | {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7}
Elements detected: 3, recognized as trusted: 1

Explorer extensions
File name | Destination | Description | Manufacturer | CLSID
Auto Update Property Sheet Extension | {5F327514-6C5E-4d60-8F16-D07FA08A78ED}
ColumnHandler | AutorunsDisabled
"C:\Program Files\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll" | ColumnHandler | {C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}
Elements detected: 6, recognized as trusted: 3

Print subsystem extensions (port monitors, print providers)
File name | Type | Name | Description | Manufacturer
C:\Windows\system32\enppmon.dll | Monitor | EpsonNet Print Port | EpsonNet Print Port Monitor DLL | Copyright (C) SEIKO EPSON CORPORATION 2004-2011. All rights reserved.
Elements detected: 9, recognized as trusted: 8

Task Scheduler jobs
File name | Job name | Job status | Description | Manufacturer
Elements detected: 0, recognized as trusted: 0

SPI/LSP settings (namespace providers)
Provider | Status | EXE file | Description | GUID
Detected: 6, recognized as trusted: 6

SPI/LSP settings (transport protocol providers)
Provider | EXE file | Description
Detected: 26, recognized as trusted: 26

Open TCP/UDP ports
Port | Status | Remote Host | Remote Port | Application | Notes
TCP ports
UDP ports

Downloaded Program Files (DPF)
File name | Description | Manufacturer | CLSID | Source URL
Elements detected: 1, recognized as trusted: 1

Control Panel applets (CPL)
File name | Description | Manufacturer
Elements detected: 24, recognized as trusted: 24

Active Setup
File name | Description | Manufacturer | CLSID
Elements detected: 8, recognized as trusted: 8

Hosts file
Hosts file record

Protocols and handlers
File name | Type | Description | Manufacturer | CLSID
mscoree.dll | Protocol | Microsoft .NET Runtime Execution Engine () | © Microsoft Corporation. All rights reserved. | {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
mscoree.dll | Protocol | Microsoft .NET Runtime Execution Engine () | © Microsoft Corporation. All rights reserved. | {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
mscoree.dll | Protocol | Microsoft .NET Runtime Execution Engine () | © Microsoft Corporation. All rights reserved. | {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
Elements detected: 21, recognized as trusted: 18

Main script of analysis
Windows version: Windows Vista (TM) Home Basic, Build=6002, SP="Service Pack 2"
System Restore: enabled
System booted in Safe Mode
1.1 Searching for user-mode API hooks
Analysis: kernel32.dll, export table found in section .text
IAT modification detected: CreateProcessA - 00CB0010<>77251C28
IAT modification detected: GetModuleFileNameA - 00CB0080<>7729B8BD
IAT modification detected: FreeLibrary - 00CB00F0<>77293F64
IAT modification detected: GetModuleFileNameW - 00CB0160<>7729B47E
IAT modification detected: CreateProcessW - 00CB01D0<>77251BF3
IAT modification detected: LoadLibraryW - 00CB02B0<>772793F0
IAT modification detected: LoadLibraryA - 00CB0320<>7727956C
IAT modification detected: GetProcAddress - 00CB0390<>7729921B
Analysis: ntdll.dll, export table found in section .text
Analysis: user32.dll, export table found in section .text
Analysis: advapi32.dll, export table found in section .text
Analysis: ws2_32.dll, export table found in section .text
Analysis: wininet.dll, export table found in section .text
Analysis: rasapi32.dll, export table found in section .text
Analysis: urlmon.dll, export table found in section .text
Analysis: netapi32.dll, export table found in section .text
1.2 Searching for kernel-mode API hooks
Error loading driver - scan interrupted [C0000061]
1.4 Searching for masking processes and drivers
Checking not performed: extended monitoring driver (AVZPM) is not installed
1.5 Checking of IRP handlers
Error loading driver - scan interrupted [C0000061]
>> Services: potentially dangerous service allowed: SSDPSRV (SSDP Discovery)
>> Services: potentially dangerous service allowed: Schedule (Task Scheduler)
> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
>> Security: disk drives' autorun is enabled
>> Security: administrative shares (C$, D$ ...) are enabled
>> Security: anonymous user access is enabled
>> Disable HDD autorun
>> Disable autorun from network drives
>> Disable CD/DVD autorun
>> Disable removable media autorun
>> Windows Explorer - show extensions of known file types
System Analysis in progress
System Analysis - complete
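Section 1.1 of the analysis script is the only substantive result in this report: eight kernel32 exports whose IAT entries were redirected, printed as `name - current<>original`. The log stops there, and the kernel-mode checks in 1.2 and 1.5 did not run at all (0xC0000061 is STATUS_PRIVILEGE_NOT_HELD: the tool could not load its driver, so nothing in this report speaks to kernel hooks or hidden drivers). The question a responder asks next is where the redirected entries point. A target inside another mapped DLL is an ordinary user-mode hook, which endpoint protection installs by design; a target that no mapped module backs is a run-time thunk page, and it should be dumped and attributed before anything is quarantined. The Python below is an added example written for this page, not AVZ's code and not from the original post. It parses the lines copied verbatim from the log and classifies them against a module map that is an assumption, since the report prints no module bases.

```python
import re
from dataclasses import dataclass
from functools import reduce
from math import gcd

# The "Analysis:" and "IAT modification" lines from section 1.1 of the
# report, copied verbatim. AVZ prints:
#   <export name> - <IAT entry now><><address the export resolves to>
SAMPLE_LOG = """\
Analysis: kernel32.dll, export table found in section .text
IAT modification detected: CreateProcessA - 00CB0010<>77251C28
IAT modification detected: GetModuleFileNameA - 00CB0080<>7729B8BD
IAT modification detected: FreeLibrary - 00CB00F0<>77293F64
IAT modification detected: GetModuleFileNameW - 00CB0160<>7729B47E
IAT modification detected: CreateProcessW - 00CB01D0<>77251BF3
IAT modification detected: LoadLibraryW - 00CB02B0<>772793F0
IAT modification detected: LoadLibraryA - 00CB0320<>7727956C
IAT modification detected: GetProcAddress - 00CB0390<>7729921B
Analysis: ntdll.dll, export table found in section .text
"""

# ASSUMED module map, (base, size) per DLL mapped in the scanned process.
# The report prints no module bases, so these are invented for the example;
# the kernel32 range is chosen to contain the 0x772xxxxx export addresses.
MODULE_MAP = {
    "kernel32.dll": (0x77240000, 0x000D4000),
    "ntdll.dll": (0x77320000, 0x0012C000),
}

ANALYSIS_RE = re.compile(r"Analysis: ([^,]+), export table found")
IAT_RE = re.compile(
    r"IAT modification detected: (\w+) - ([0-9A-Fa-f]+)<>([0-9A-Fa-f]+)")


@dataclass(frozen=True)
class Hook:
    exporter: str   # DLL whose export table the IAT entry was checked against
    function: str
    current: int    # where the IAT entry points now
    original: int   # where the export really lives
    verdict: str    # "unbacked", "in-module" or "redirected:<dll>"


def module_containing(addr, modules):
    """Name of the mapped module that contains addr, or None."""
    for name, (base, size) in modules.items():
        if base <= addr < base + size:
            return name
    return None


def classify(exporter, current, modules):
    target = module_containing(current, modules)
    if target is None:
        # No mapped image owns the target: a thunk page allocated at run time.
        # Dump it and find out who allocated it before touching anything.
        return "unbacked"
    if target == exporter:
        # Detour stays inside the same DLL (export forwarder, patched prologue).
        return "in-module"
    # Hook lives in another mapped DLL: attribute it by that DLL's signer.
    return f"redirected:{target}"


def parse_iat_hooks(text, modules=MODULE_MAP):
    hooks, exporter = [], None
    for line in text.splitlines():
        m = ANALYSIS_RE.match(line)
        if m:
            exporter = m.group(1)
            continue
        m = IAT_RE.match(line)
        if m and exporter:
            cur, orig = int(m.group(2), 16), int(m.group(3), 16)
            hooks.append(Hook(exporter, m.group(1), cur, orig,
                              classify(exporter, cur, modules)))
    return hooks


def stub_table(hooks):
    """Group unbacked targets by 4 KiB page -> {page: (count, common stride)}.

    Several targets in one page at a fixed stride are one generated thunk
    table (stride = thunk size), not that many independent patches.
    """
    pages = {}
    for h in hooks:
        if h.verdict == "unbacked":
            pages.setdefault(h.current & ~0xFFF, []).append(h.current)
    result = {}
    for page, addrs in pages.items():
        addrs.sort()
        deltas = [b - a for a, b in zip(addrs, addrs[1:])]
        result[page] = (len(addrs), reduce(gcd, deltas, 0))
    return result


if __name__ == "__main__":
    found = parse_iat_hooks(SAMPLE_LOG)
    for h in found:
        print(f"{h.exporter}!{h.function:<20} {h.current:08X} -> {h.verdict}")
    for page, (n, stride) in stub_table(found).items():
        print(f"page {page:08X}: {n} thunks, stride 0x{stride:X}")
```

Run as is, all eight targets land in one page at 0x00CB0000 with a uniform 0x70 stride, which is what a single hooking engine's thunk table looks like rather than eight independent patches. With a real module list for the scanned process (for example Process Explorer's DLL view) swap the actual bases into `MODULE_MAP`; the verdicts are only as good as that map.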
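The three ">> Security:" lines and the five ">> Disable / show" recommendations at the end of the script map onto four registry values. The Python below is an added example, not AVZ's code and not from the original post: it audits a snapshot of those values, reports the weak ones in the log's own wording, and renders the corrected values as a .reg file. The snapshot is constructed for the example; the registry paths and values are the standard ones (the NoDriveTypeAutoRun bit mask under the Explorer policy key, AutoShareWks under LanmanServer\Parameters, RestrictAnonymous under Lsa, HideFileExt under Explorer\Advanced). The two "potentially dangerous service" lines are deliberately left out: the log's own caveat that the right service set depends on how the PC is used is correct, and disabling Task Scheduler or SSDP is not a change to apply blindly.

```python
from dataclasses import dataclass

# NoDriveTypeAutoRun is a bit mask over the DRIVE_* types; a set bit disables
# AutoRun for that type. These four bits are the ones the report's ">> Disable"
# lines correspond to, in the same order.
AUTORUN_CHECKS = [
    ("Disable HDD autorun", 0x08),                  # DRIVE_FIXED
    ("Disable autorun from network drives", 0x10),  # DRIVE_REMOTE
    ("Disable CD/DVD autorun", 0x20),               # DRIVE_CDROM
    ("Disable removable media autorun", 0x04),      # DRIVE_REMOVABLE
]
ALL_DRIVE_TYPES = 0xFF  # every type, including unknown and RAM disk

EXPLORER_POLICY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
LANMAN_PARAMS = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"
LSA = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
EXPLORER_ADVANCED = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"

# CONSTRUCTED snapshot of a machine that would yield the report's findings.
# Keys are (registry key, value name); None means the value is absent.
WEAK_SNAPSHOT = {
    (EXPLORER_POLICY, "NoDriveTypeAutoRun"): None,
    (LANMAN_PARAMS, "AutoShareWks"): None,  # absent: Server service creates C$, D$ ...
    (LSA, "RestrictAnonymous"): 0,
    (EXPLORER_ADVANCED, "HideFileExt"): 1,  # Explorer hides known extensions
}


@dataclass(frozen=True)
class Finding:
    message: str     # wording follows the report's ">>" lines
    key: str
    name: str
    current: object  # int, or None when the value is absent
    wanted: int


def audit(snapshot):
    """Return the weak settings, in the order the report lists them."""
    findings = []
    # Assumption: an absent policy value is treated as 0 (nothing disabled).
    # The effective default depends on the Windows version and on the HKCU
    # copy of the value, which this snapshot does not model, so assume the worst.
    mask = snapshot.get((EXPLORER_POLICY, "NoDriveTypeAutoRun")) or 0
    for message, bit in AUTORUN_CHECKS:
        if not mask & bit:
            findings.append(Finding(message, EXPLORER_POLICY,
                                    "NoDriveTypeAutoRun", mask, ALL_DRIVE_TYPES))
    shares = snapshot.get((LANMAN_PARAMS, "AutoShareWks"))
    if shares != 0:  # absent or 1: the Server service recreates the shares at start
        findings.append(Finding("administrative shares (C$, D$ ...) are enabled",
                                LANMAN_PARAMS, "AutoShareWks", shares, 0))
    anon = snapshot.get((LSA, "RestrictAnonymous"))
    if not anon:     # 1 blocks anonymous enumeration of SAM accounts and shares
        findings.append(Finding("anonymous user access is enabled",
                                LSA, "RestrictAnonymous", anon, 1))
    hide = snapshot.get((EXPLORER_ADVANCED, "HideFileExt"))
    if hide != 0:    # absent means the Windows default, which is 1 (hidden)
        findings.append(Finding("Windows Explorer - show extensions of known file types",
                                EXPLORER_ADVANCED, "HideFileExt", hide, 0))
    return findings


def apply_fixes(snapshot, findings):
    """Return a copy of the snapshot with every finding's wanted value set."""
    fixed = dict(snapshot)
    for f in findings:
        fixed[(f.key, f.name)] = f.wanted
    return fixed


def to_reg(findings):
    """Render the corrected values as a .reg file (REG_DWORD values)."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    done = set()
    for f in findings:
        if (f.key, f.name) in done:   # the four autorun findings share one value
            continue
        done.add((f.key, f.name))
        lines += [f"[{f.key}]", f'"{f.name}"=dword:{f.wanted:08x}', ""]
    return "\n".join(lines)


if __name__ == "__main__":
    weak = audit(WEAK_SNAPSHOT)
    for f in weak:
        print(f">> {f.message}  ({f.name}={f.current!r}, want {f.wanted:#x})")
    print(to_reg(weak))
    assert audit(apply_fixes(WEAK_SNAPSHOT, weak)) == []
```

Import the generated file from an elevated prompt with `reg import hardening.reg`; the HKCU value applies to the user running the import. On a domain member, check RestrictAnonymous against the domain policy before changing it, since the value blocks anonymous enumeration that some legacy tooling still relies on.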