Results of system analysis

Kaspersky Virus Removal Tool 11.0.0.1245 (database released 21/11/2013; 10:58)

List of processes

File name	PID	Description	Copyright	MD5	Information
Bkapcs.exe Script: Quarantine, Delete, BC delete, Terminate	1624			??	error getting file info Command line:
BkBackupScheduler.exe Script: Quarantine, Delete, BC delete, Terminate	1600			??	error getting file info Command line:
Connect.exe Script: Quarantine, Delete, BC delete, Terminate	3920			??	error getting file info Command line:
Eraser.exe Script: Quarantine, Delete, BC delete, Terminate	3312			??	error getting file info Command line:
c:\program files (x86)\hewlett-packard\touchsmart\calendar\service\gcalservice.exe Script: Quarantine, Delete, BC delete, Terminate	5116	HP TouchSmart Calendar	© Copyright 2008 Hewlett-Packard Development Company, L.P.	??	16.00 kb, rsAh, created: 16.08.2011 15:03:16, modified: 16.08.2011 15:03:16 Command line: "C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Calendar\Service\GCalService.exe"
HPClientServices.exe Script: Quarantine, Delete, BC delete, Terminate	1720			??	error getting file info Command line:
HPSA_Service.exe Script: Quarantine, Delete, BC delete, Terminate	4076			??	error getting file info Command line:
c:\program files (x86)\hewlett-packard\touchsmart\calendar\service\hptouchsmartsynccalreminderapp.exe Script: Quarantine, Delete, BC delete, Terminate	3756	HP TouchSmart Calendar Service	© Copyright 2008 Hewlett-Packard Development Company, L.P.	??	20.00 kb, rsAh, created: 16.08.2011 15:03:24, modified: 16.08.2011 15:03:24 Command line: HPTouchSmartSyncCalReminderApp.exe
c:\program files (x86)\common files\intuit\update service v4\intuitupdateservice.exe Script: Quarantine, Delete, BC delete, Terminate	1368	Intuit Update Service	© 2012 Intuit Inc. All rights reserved.	??	13.35 kb, rsAh, created: 23.08.2012 12:37:16, modified: 23.08.2012 12:37:16 Command line: "C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe"
iPodService.exe Script: Quarantine, Delete, BC delete, Terminate	3584			??	error getting file info Command line:
mDNSResponder.exe Script: Quarantine, Delete, BC delete, Terminate	1672			??	error getting file info Command line:
NOBuAgent.exe Script: Quarantine, Delete, BC delete, Terminate	1876			??	error getting file info Command line:
ScanToPCActivationApp.exe Script: Quarantine, Delete, BC delete, Terminate	3336			??	error getting file info Command line:
wmpnetwk.exe Script: Quarantine, Delete, BC delete, Terminate	4256			??	error getting file info Command line:
Detected:81, recognized as trusted 70

Module name	Handle	Description	Copyright	MD5	Used by processes
C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\b5b66869081b909d238fdea083cf3179\PresentationCore.ni.dll Script: Quarantine, Delete, BC delete	1655242752	PresentationCore.dll	© Microsoft Corporation. All rights reserved.	--	3756
C:\Windows\assembly\NativeImages_v4.0.30319_32\ReachFramework\7a2dfdf44f0610b43e65f28a1448f110\ReachFramework.ni.dll Script: Quarantine, Delete, BC delete	1761935360	ReachFramework.dll	© Microsoft Corporation. All rights reserved.	--	3756
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Data\de9e77138e17f0188104c9ec32d375da\System.Data.ni.dll Script: Quarantine, Delete, BC delete	1639841792	.NET Framework	© Microsoft Corporation. All rights reserved.	--	1368
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.ServiceModel\60608b811724b2711cb96817043c4dd8\System.ServiceModel.ni.dll Script: Quarantine, Delete, BC delete	1674641408	System.ServiceModel.dll	© Microsoft Corporation. All rights reserved.	--	3756
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\e40d894a772b2cff5ffd5a84ef20d2d4\System.Windows.Forms.ni.dll Script: Quarantine, Delete, BC delete	1705639936	.NET Framework	© Microsoft Corporation. All rights reserved.	--	5116, 3756, 1368
C:\Windows\assembly\NativeImages_v4.0.30319_32\WindowsBase\0b37b2bafc33ef52282b9d7b217cabaf\WindowsBase.ni.dll Script: Quarantine, Delete, BC delete	1666711552	WindowsBase.dll	© Microsoft Corporation. All rights reserved.	--	3756
Modules detected:529, recognized as trusted 523

Kernel Space Modules Viewer

Module	Base address	Size in memory	Description	Manufacturer
C:\Windows\System32\Drivers\dump_dumpfve.sys Script: Quarantine, Delete, BC delete	73A5000	013000 (77824)
C:\Windows\System32\Drivers\dump_iaStor.sys Script: Quarantine, Delete, BC delete	443A000	39A000 (3776512)
Modules detected - 155, recognized as trusted - 153

Services

Service	Description	Status	File	Group	Dependencies
Detected - 182, recognized as trusted - 182

Drivers

Service	Description	Status	File	Group	Dependencies
AFS Driver: Unload, Delete, Disable, BC delete	AFS	Not started	C:\Windows\system32\Drivers\AFS.sys Script: Quarantine, Delete, BC delete	SCSI CDROM Class
Detected - 257, recognized as trusted - 256

Autoruns

File name	Status	Startup method	Description
C:\Users\Richard\AppData\Local\Temp\_uninst_30896531.bat Script: Quarantine, Delete, BC delete	Active	Shortcut in Autoruns folder	C:\Users\Richard\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\, C:\Users\Richard\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_uninst_30896531.lnk,
C:\Users\Richard\AppData\Local\Temp\_uninst_56660115.bat Script: Quarantine, Delete, BC delete	Active	Shortcut in Autoruns folder	C:\Users\Richard\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\, C:\Users\Richard\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_uninst_56660115.lnk,
C:\Windows\System32\MsSpellCheckingFacility.dll Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Microsoft-Windows-Spell-Checking, EventMessageFile
C:\Windows\System32\MsSpellCheckingFacility.dll Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Microsoft-Windows-SpellChecker, EventMessageFile
C:\Windows\System32\MsSpellCheckingFacility.dll Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-Spell-Checking, EventMessageFile
C:\Windows\System32\MsSpellCheckingFacility.dll Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-SpellChecker, EventMessageFile
C:\Windows\system32\drivers\NIS\1404000.028\SYMEFA64.SYS Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\SymEFA, EventMessageFile
C:\Windows\system32\psxss.exe Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, System\CurrentControlSet\Control\Session Manager\SubSystems, Posix
D:\b2140546ea18be2b6d4fda\DW\DW20.exe Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\VSSetup, EventMessageFile
SDEvents.dll Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Spybot - Search & Destroy 2, EventMessageFile
auditcse.dll Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{f3ccc681-b74c-4060-9f26-cd84525dca2a}, DLLName Delete
igfxdev.dll Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui, DLLName Delete
rdpclip Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd, StartupPrograms Delete
Autoruns items detected - 651, recognized as trusted - 638

Microsoft Internet Explorer extension modules (BHOs, Toolbars ...)

File name	Type	Description	Manufacturer	CLSID
Elements detected - 6, recognized as trusted - 6

Windows Explorer extension modules

File name	Destination	Description	Manufacturer	CLSID
	{BC9B776A-90D7-4476-A791-79D835F30650}			Eraser Shell Extension Delete
	ColumnHandler			{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396} Delete
	ColumnHandler			{F9DB5320-233E-11D1-9F84-707F02C10627} Delete
Elements detected - 6, recognized as trusted - 3

Printing system extensions (print monitors, providers)

File name	Type	Name	Description	Manufacturer
hpinkstsC511LM.dll Script: Quarantine, Delete, BC delete	Monitor	HP C511 Status Monitor
HPDiscoPMC511.dll Script: Quarantine, Delete, BC delete	Monitor	HP Discovery Port Monitor (HP ENVY 4500 series)
localspl.dll Script: Quarantine, Delete, BC delete	Monitor	Local Port
FXSMON.DLL Script: Quarantine, Delete, BC delete	Monitor	Microsoft Shared Fax Monitor
hpz3lwn7.dll Script: Quarantine, Delete, BC delete	Monitor	PCL hpz3lwn7
pdfc_port.dll Script: Quarantine, Delete, BC delete	Monitor	PDFC
tcpmon.dll Script: Quarantine, Delete, BC delete	Monitor	Standard TCP/IP Port
usbmon.dll Script: Quarantine, Delete, BC delete	Monitor	USB Monitor
WSDMon.dll Script: Quarantine, Delete, BC delete	Monitor	WSD Port
inetpp.dll Script: Quarantine, Delete, BC delete	Provider	HTTP Print Services
Elements detected - 11, recognized as trusted - 1

Task Scheduler jobs

File name	Job name	Job status	Description	Manufacturer
Elements detected - 4, recognized as trusted - 4

SPI/LSP settings

Namespace providers (NSP)

Provider	Status	EXE file	Description	GUID
Detected - 9, recognized as trusted - 9

Transport protocol providers (TSP, LSP)

Provider EXE file Description
Detected - 10, recognized as trusted - 10
Results of automatic SPI settings check
LSP settings checked. No errors detected

TCP/UDP ports

Port Status Remote Host Remote Port Application Notes
TCP ports
UDP ports

Downloaded Program Files (DPF)

File name Description Manufacturer CLSID Source URL
Elements detected - 0, recognized as trusted - 0

Control Panel Applets (CPL)

File name Description Manufacturer
Elements detected - 19, recognized as trusted - 19

Active Setup

File name Description Manufacturer CLSID
Elements detected - 9, recognized as trusted - 9

HOSTS file

Hosts file record

Protocols and handlers

File name Type Description Manufacturer CLSID
mscoree.dll
Script: Quarantine, Delete, BC delete Protocol Microsoft .NET Runtime Execution Engine () © Microsoft Corporation. All rights reserved. {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
Delete
mscoree.dll
Script: Quarantine, Delete, BC delete Protocol Microsoft .NET Runtime Execution Engine () © Microsoft Corporation. All rights reserved. {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
Delete
mscoree.dll
Script: Quarantine, Delete, BC delete Protocol Microsoft .NET Runtime Execution Engine () © Microsoft Corporation. All rights reserved. {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
Delete
Elements detected - 20, recognized as trusted - 17

Suspicious objects

File Description Type

Main script of analysis
Windows version: Windows 7 Home Premium, Build=7601, SP="Service Pack 1"
System Restore: enabled
>> Services: potentially dangerous service allowed: TermService (@%SystemRoot%\System32\termsrv.dll,-268)
>> Services: potentially dangerous service allowed: SSDPSRV (@%systemroot%\system32\ssdpsrv.dll,-100)
>> Services: potentially dangerous service allowed: Schedule (@%SystemRoot%\system32\schedsvc.dll,-100)
> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
>> Security: disk drives' autorun is enabled
>> Security: administrative shares (C$, D$ ...) are enabled
>> Security: anonymous user access is enabled
>> Security: sending Remote Assistant queries is enabled
 >>  Disable HDD autorun
 >>  Disable autorun from network drives
 >>  Disable CD/DVD autorun
 >>  Disable removable media autorun
System Analysis in progress

 System Analysis - complete


Script commands 
Add commands to script:
Blocking hooks using Anti-Rootkit
Enable AVZGuard
Operations with AVZPM (true=enable,false=disable)
BootCleaner - import list of deleted files
BootCleaner - import all
Registry cleanup after deleting files
ExecuteWizard ('TSW',2,3,true) - Running Troubleshooting wizard
BootCleaner - activate
Reboot
Insert template for QuarantineFile() - quarantining file
Insert template for BC_QrFile() - quarantining file via BootCleaner
Insert template for DeleteFile() - deleting file
Insert template for DelCLSID() - deleting CLSID item from registry
Additional operations:Performance tweaking: disable service TermService (@%SystemRoot%\System32\termsrv.dll,-268)
Performance tweaking: disable service SSDPSRV (@%systemroot%\system32\ssdpsrv.dll,-100)
Performance tweaking: disable service Schedule (@%SystemRoot%\system32\schedsvc.dll,-100)
Security tweaking: disable CD autorun
Security tweaking: disable administrative shares
Security tweaking: disable anonymous user access
Security: disable sending Remote Assistant queries

File list

Port	Status	Remote Host	Remote Port	Application	Notes
TCP ports
UDP ports