Results of system analysis

Kaspersky Virus Removal Tool 11.0.0.1245 (database released 30/08/2013; 17:06)

List of processes

File name	PID	Description	Copyright	MD5	Information
c:\program files (x86)\kodak\aio\center\ekaiohostservice.exe Script: Quarantine, Delete, BC delete, Terminate	1608	EKAiOHostService Module for Kodak AiO Printers	Copyright 2008-2011	??	385.94 kb, rsAh, created: 19.10.2012 15:51:08, modified: 19.10.2012 15:51:08 Command line: "C:\Program Files (x86)\Kodak\AiO\Center\EKAiOHostService.exe"
EKIJ5000MUI.exe Script: Quarantine, Delete, BC delete, Terminate	4432			??	error getting file info Command line:
c:\program files (x86)\intel\intel(r) rapid storage technology\iastordatamgrsvc.exe Script: Quarantine, Delete, BC delete, Terminate	3372	IAStorDataSvc	Copyright © Intel Corporation 2009-2010	??	13.02 kb, rsAh, created: 18.10.2012 12:01:15, modified: 05.11.2010 23:54:22 Command line: "C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe"
c:\program files (x86)\intel\intel(r) rapid storage technology\iastoricon.exe Script: Quarantine, Delete, BC delete, Terminate	4824	IAStorIcon	Copyright © Intel Corporation 2009-2010	??	276.52 kb, rsAh, created: 18.10.2012 12:01:15, modified: 05.11.2010 23:54:20 Command line: "C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe"
iexplore.exe Script: Quarantine, Delete, BC delete, Terminate	18104			??	error getting file info Command line:
iPodService.exe Script: Quarantine, Delete, BC delete, Terminate	4764			??	error getting file info Command line:
mDNSResponder.exe Script: Quarantine, Delete, BC delete, Terminate	1728			??	error getting file info Command line:
nvstreamsvc.exe Script: Quarantine, Delete, BC delete, Terminate	2364			??	error getting file info Command line:
nvstreamsvc.exe Script: Quarantine, Delete, BC delete, Terminate	1256			??	error getting file info Command line:
nvtray.exe Script: Quarantine, Delete, BC delete, Terminate	6448			??	error getting file info Command line:
nvxdsync.exe Script: Quarantine, Delete, BC delete, Terminate	1488			??	error getting file info Command line:
VDeck.exe Script: Quarantine, Delete, BC delete, Terminate	4808			??	error getting file info Command line:
WDDMService.exe Script: Quarantine, Delete, BC delete, Terminate	2188			??	error getting file info Command line:
WDDMStatus.exe Script: Quarantine, Delete, BC delete, Terminate	4492			??	error getting file info Command line:
WDFME.exe Script: Quarantine, Delete, BC delete, Terminate	3500			??	error getting file info Command line:
WDRulesEngine.exe Script: Quarantine, Delete, BC delete, Terminate	3024			??	error getting file info Command line:
wmpnetwk.exe Script: Quarantine, Delete, BC delete, Terminate	4040			??	error getting file info Command line:
XBoxStat.exe Script: Quarantine, Delete, BC delete, Terminate	4484			??	error getting file info Command line:
ZuneLauncher.exe Script: Quarantine, Delete, BC delete, Terminate	4452			??	error getting file info Command line:
Detected:116, recognized as trusted 100

Module name	Handle	Description	Copyright	MD5	Used by processes
C:\Windows\assembly\NativeImages_v2.0.50727_32\IAStorUtil\2b87cb064e64ff40778ca12322abb710\IAStorUtil.ni.dll Script: Quarantine, Delete, BC delete	1897529344	IAStorUtil	Copyright © Intel Corporation 2009-2010	--	3372, 4824
C:\Windows\assembly\NativeImages_v2.0.50727_32\IsdiInterop\eb4812681f6ab4406053f3a1803e6da0\IsdiInterop.ni.dll Script: Quarantine, Delete, BC delete	1750794240			--	3372
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Web\8dc1c182cd1f10cd2abcfecd01fe9eeb\System.Web.ni.dll Script: Quarantine, Delete, BC delete	1588264960	System.Web.dll	© Microsoft Corporation. All rights reserved.	--	3372
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\28ea347a952d20959ac6ae02d7457d39\System.Windows.Forms.ni.dll Script: Quarantine, Delete, BC delete	1670053888	.NET Framework	© Microsoft Corporation. All rights reserved.	--	4824
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\09db78d6068543df01862a023aca785a\System.Xml.ni.dll Script: Quarantine, Delete, BC delete	1750990848	.NET Framework	© Microsoft Corporation. All rights reserved.	--	3372, 4824
C:\Windows\assembly\NativeImages_v2.0.50727_32\System\5d22a30e587e2cac106b81fb351e7c08\System.ni.dll Script: Quarantine, Delete, BC delete	1757544448	.NET Framework	© Microsoft Corporation. All rights reserved.	--	3372, 4824
C:\Windows\assembly\NativeImages_v2.0.50727_32\WindowsBase\1f6f220f9efe936d1158c79b9d4b451f\WindowsBase.ni.dll Script: Quarantine, Delete, BC delete	1746665472	WindowsBase.dll	© Microsoft Corporation. All rights reserved.	--	3372, 4824
C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\bf2ecabcd96ec8238dc385b0a3ffa084\mscorlib.ni.dll Script: Quarantine, Delete, BC delete	1839202304	Microsoft Common Language Runtime Class Library	© Microsoft Corporation. All rights reserved.	--	1608
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\5f27b142c87d877c73ac245ab951a773\System.Windows.Forms.ni.dll Script: Quarantine, Delete, BC delete	1804009472	.NET Framework	© Microsoft Corporation. All rights reserved.	--	1608
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\82d58d49946f82eb56bae40f3b097784\System.Xml.ni.dll Script: Quarantine, Delete, BC delete	1820852224	.NET Framework	© Microsoft Corporation. All rights reserved.	--	1608
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\ac79b74f022d9a096de2b884f4249543\System.ni.dll Script: Quarantine, Delete, BC delete	1828454400	.NET Framework	© Microsoft Corporation. All rights reserved.	--	1608
Modules detected:601, recognized as trusted 590

Kernel Space Modules Viewer

Module	Base address	Size in memory	Description	Manufacturer
C:\Windows\System32\Drivers\dump_dumpfve.sys Script: Quarantine, Delete, BC delete	92B8000	013000 (77824)
C:\Windows\System32\Drivers\dump_iaStor.sys Script: Quarantine, Delete, BC delete	4200000	154000 (1392640)
Modules detected - 208, recognized as trusted - 206

Services

Service	Description	Status	File	Group	Dependencies
vToolbarUpdater13.3.2 Service: Stop, Delete, Disable, BC delete	vToolbarUpdater13.3.2	Not started	C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\13.3.2\ToolbarUpdater.exe Script: Quarantine, Delete, BC delete
vToolbarUpdater15.1.0 Service: Stop, Delete, Disable, BC delete	vToolbarUpdater15.1.0	Not started	C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\15.1.0\ToolbarUpdater.exe Script: Quarantine, Delete, BC delete
Detected - 209, recognized as trusted - 207

Drivers

Service	Description	Status	File	Group	Dependencies
AVGIDSHA Driver: Unload, Delete, Disable, BC delete	AVGIDSHA	Not started	C:\Windows\system32\DRIVERS\avgidsha.sys Script: Quarantine, Delete, BC delete	AVG
Avgtdia Driver: Unload, Delete, Disable, BC delete	AVG TDI Driver	Not started	C:\Windows\system32\DRIVERS\avgtdia.sys Script: Quarantine, Delete, BC delete	PNP_TDI
MSICDSetup Driver: Unload, Delete, Disable, BC delete	MSICDSetup	Not started	D:\CDriver64.sys Script: Quarantine, Delete, BC delete
sptd Driver: Unload, Delete, Disable, BC delete	sptd	Not started	C:\Windows\SystemRoot\System32\Drivers\sptd.sys Script: Quarantine, Delete, BC delete	Boot Bus Extender
XPADFL02 Driver: Unload, Delete, Disable, BC delete	XPAD Filter Service 02	Not started	C:\Windows\system32\DRIVERS\xpadfl02.sys Script: Quarantine, Delete, BC delete	extended base
Detected - 279, recognized as trusted - 274

Autoruns

File name	Status	Startup method	Description
C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\DWA\resources\libraries\EventMessages.dll Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Adobe Setup, EventMessageFile
C:\Program Files (x86)\Hotspot Shield\bin\cmw_srv.exe Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\hshld, EventMessageFile
C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\HssWd, EventMessageFile
C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_USERS, S-1-5-21-1692155839-1707551626-4126777635-1001\Software\Microsoft\Windows\CurrentVersion\Run,
C:\Program Files (x86)\The Price Is Right\TPiR.exe Script: Quarantine, Delete, BC delete	Active	Shortcut in Autoruns folder	C:\Users\gamerpc\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\, C:\Users\gamerpc\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\The Price Is Right.lnk,
C:\Users\gamerpc\AppData\Local\Temp\_uninst_85975221.bat Script: Quarantine, Delete, BC delete	Active	Shortcut in Autoruns folder	C:\Users\gamerpc\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\, C:\Users\gamerpc\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_uninst_85975221.lnk,
C:\Windows\System32\IusEventLog.dll Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Intel(R) Capability Licensing Service Interface, EventMessageFile
C:\Windows\System32\MsSpellCheckingFacility.dll Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Microsoft-Windows-Spell-Checking, EventMessageFile
C:\Windows\System32\MsSpellCheckingFacility.dll Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Microsoft-Windows-SpellChecker, EventMessageFile
C:\Windows\System32\MsSpellCheckingFacility.dll Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-Spell-Checking, EventMessageFile
C:\Windows\System32\MsSpellCheckingFacility.dll Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-SpellChecker, EventMessageFile
C:\Windows\system32\psxss.exe Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, System\CurrentControlSet\Control\Session Manager\SubSystems, Posix
TiltWheelMouse.exe Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, MouseDriver Delete
auditcse.dll Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{f3ccc681-b74c-4060-9f26-cd84525dca2a}, DLLName Delete
c:\4ce9d2b1da0c9559ab32eb887a\DW\DW20.exe Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\VSSetup, EventMessageFile
rdpclip Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd, StartupPrograms Delete
Autoruns items detected - 641, recognized as trusted - 625

Microsoft Internet Explorer extension modules (BHOs, Toolbars ...)

File name	Type	Description	Manufacturer	CLSID
	Extension module			{898EA8C8-E7FF-479B-8935-AEC46303B9E5} Delete
	URLSearchHook			{D8278076-BC68-4484-9233-6E7F1628B56C} Delete
	URLSearchHook			{81017EA9-9AA8-4A6A-9734-7AF40E7D593F} Delete
Elements detected - 5, recognized as trusted - 2

Windows Explorer extension modules

File name	Destination	Description	Manufacturer	CLSID
	ColumnHandler			{F9DB5320-233E-11D1-9F84-707F02C10627} Delete
Elements detected - 6, recognized as trusted - 5

Printing system extensions (print monitors, providers)

File name	Type	Name	Description	Manufacturer
E_ILMICE.DLL Script: Quarantine, Delete, BC delete	Monitor	EPSON XP-300 Series 64MonitorBE
EKIJ5000MON.dll Script: Quarantine, Delete, BC delete	Monitor	KODAK EASYSHARE All-in-One Printer
localspl.dll Script: Quarantine, Delete, BC delete	Monitor	Local Port
FXSMON.DLL Script: Quarantine, Delete, BC delete	Monitor	Microsoft Shared Fax Monitor
tcpmon.dll Script: Quarantine, Delete, BC delete	Monitor	Standard TCP/IP Port
usbmon.dll Script: Quarantine, Delete, BC delete	Monitor	USB Monitor
WSDMon.dll Script: Quarantine, Delete, BC delete	Monitor	WSD Port
inetpp.dll Script: Quarantine, Delete, BC delete	Provider	HTTP Print Services
Elements detected - 9, recognized as trusted - 1

Task Scheduler jobs

File name	Job name	Job status	Description	Manufacturer
Elements detected - 8, recognized as trusted - 8

SPI/LSP settings

Namespace providers (NSP)

Provider	Status	EXE file	Description	GUID
Detected - 9, recognized as trusted - 9

Transport protocol providers (TSP, LSP)

Provider EXE file Description
Detected - 10, recognized as trusted - 10
Results of automatic SPI settings check
LSP settings checked. No errors detected

TCP/UDP ports

Port Status Remote Host Remote Port Application Notes
TCP ports
UDP ports

Downloaded Program Files (DPF)

File name Description Manufacturer CLSID Source URL
Elements detected - 0, recognized as trusted - 0

Control Panel Applets (CPL)

File name Description Manufacturer
C:\Windows\system32\DivXControlPanelApplet.cpl
Script: Quarantine, Delete, BC delete DivX Control Panel © Copyright 2000 - 2009 DivX, Inc.
C:\Windows\system32\FlashPlayerCPLApp.cpl
Script: Quarantine, Delete, BC delete Adobe Flash Player Control Panel Applet Copyright © 1996 Adobe Systems Incorporated. All Rights Reserved. Adobe and Flash are either trademarks or registered trademarks in the United States and/or other countries.
Elements detected - 20, recognized as trusted - 18

Active Setup

File name Description Manufacturer CLSID
Elements detected - 9, recognized as trusted - 9

HOSTS file

Hosts file record
127.0.0.1 localhost
Clear Hosts file

Protocols and handlers

File name Type Description Manufacturer CLSID
mscoree.dll
Script: Quarantine, Delete, BC delete Protocol Microsoft .NET Runtime Execution Engine () © Microsoft Corporation. All rights reserved. {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
Delete
mscoree.dll
Script: Quarantine, Delete, BC delete Protocol Microsoft .NET Runtime Execution Engine () © Microsoft Corporation. All rights reserved. {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
Delete
mscoree.dll
Script: Quarantine, Delete, BC delete Protocol Microsoft .NET Runtime Execution Engine () © Microsoft Corporation. All rights reserved. {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
Delete
Elements detected - 14, recognized as trusted - 11

Suspicious objects

File Description Type

Main script of analysis
Windows version: Windows 7 Home Premium, Build=7601, SP="Service Pack 1"
System Restore: enabled
Latent loading of libraries through AppInit_DLLs suspected: "C:\PROGRA~1\NVIDIA~1\NVSTRE~1\rxinput.dll"
>> Services: potentially dangerous service allowed: TermService (@%SystemRoot%\System32\termsrv.dll,-268)
>> Services: potentially dangerous service allowed: SSDPSRV (@%systemroot%\system32\ssdpsrv.dll,-100)
>> Services: potentially dangerous service allowed: Schedule (@%SystemRoot%\system32\schedsvc.dll,-100)
> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
>> Security: disk drives' autorun is enabled
>> Security: administrative shares (C$, D$ ...) are enabled
>> Security: anonymous user access is enabled
>> Security: sending Remote Assistant queries is enabled
 >>  Disable HDD autorun
 >>  Disable autorun from network drives
 >>  Disable CD/DVD autorun
 >>  Disable removable media autorun
 >>  Windows Explorer - show extensions of known file types
System Analysis in progress

 System Analysis - complete


Script commands 
Add commands to script:
Blocking hooks using Anti-Rootkit
Enable AVZGuard
Operations with AVZPM (true=enable,false=disable)
BootCleaner - import list of deleted files
BootCleaner - import all
Registry cleanup after deleting files
ExecuteWizard ('TSW',2,3,true) - Running Troubleshooting wizard
BootCleaner - activate
Reboot
Insert template for QuarantineFile() - quarantining file
Insert template for BC_QrFile() - quarantining file via BootCleaner
Insert template for DeleteFile() - deleting file
Insert template for DelCLSID() - deleting CLSID item from registry
Additional operations:Performance tweaking: disable service TermService (@%SystemRoot%\System32\termsrv.dll,-268)
Performance tweaking: disable service SSDPSRV (@%systemroot%\system32\ssdpsrv.dll,-100)
Performance tweaking: disable service Schedule (@%SystemRoot%\system32\schedsvc.dll,-100)
Security tweaking: disable CD autorun
Security tweaking: disable administrative shares
Security tweaking: disable anonymous user access
Security: disable sending Remote Assistant queries

File list

Port	Status	Remote Host	Remote Port	Application	Notes
TCP ports
UDP ports