Kaspersky Virus Removal Tool 11.0.0.1245 (database released 23/11/2014; 15:06)
File name | PID | Description | Copyright | MD5 | Information
dlpwdnt.exe | 2380 | | | ?? | error getting file info | Command line:
dlsdbnt.exe | 1684 | | | ?? | error getting file info | Command line:
esClient.exe | 1808 | | | ?? | error getting file info | Command line:
c:\program files (x86)\constant guard protection suite\idvault.exe | 5568 | Fast Connect | Copyright © 2006-2013 White Sky, Inc. All rights reserved. | ?? | 2217.30 kb, rsAh, created: 12.11.2014 15:27:04, modified: 12.11.2014 15:27:08 | Command line: "C:\Program Files (x86)\Constant Guard Protection Suite\IDVault.exe"
c:\program files (x86)\constant guard protection suite\idvaultsvc.exe | 1504 | Fast Connect | Copyright © 2006-2013 White Sky, Inc. All rights reserved. | ?? | 39.30 kb, rsAh, created: 12.11.2014 15:27:04, modified: 12.11.2014 15:27:08 | Command line: "C:\Program Files (x86)\Constant Guard Protection Suite\IDVaultSvc.exe"
ielowutil.exe | 5952 | | | ?? | error getting file info | Command line:
ipoint.exe | 2248 | | | ?? | error getting file info | Command line:
itype.exe | 2024 | | | ?? | error getting file info | Command line:
mDNSResponder.exe | 1656 | | | ?? | error getting file info | Command line:
Microsoft.HomeServer.Archive.TransferService.exe | 2280 | | | ?? | error getting file info | Command line:
nvtray.exe | 2588 | | | ?? | error getting file info | Command line:
nvxdsync.exe | 1252 | | | ?? | error getting file info | Command line:
PresentationFontCache.exe | 1944 | | | ?? | error getting file info | Command line:
sqlwriter.exe | 2060 | | | ?? | error getting file info | Command line:
TrustedInstaller.exe | 4468 | | | ?? | error getting file info | Command line:
WDDMService.exe | 2144 | | | ?? | error getting file info | Command line:
WDFME.exe | 2408 | | | ?? | error getting file info | Command line:
WDRulesEngine.exe | 2176 | | | ?? | error getting file info | Command line:
WHSConnector.exe | 2548 | | | ?? | error getting file info | Command line:
WHSTrayApp.exe | 1128 | | | ?? | error getting file info | Command line:
wmpnetwk.exe | 4696 | | | ?? | error getting file info | Command line:
Detected: 75, recognized as trusted: 56
| |
Module | Base address | Size in memory | Description | Manufacturer
C:\Windows\System32\Drivers\dump_atapi.sys | 5FF3000 | 009000 (36864) | |
C:\Windows\System32\Drivers\dump_dumpata.sys | 5FE7000 | 00C000 (49152) | |
C:\Windows\System32\Drivers\dump_dumpfve.sys | 5E00000 | 013000 (77824) | |
Modules detected - 177, recognized as trusted - 174
| |
Service | Description | Status | File | Group | Dependencies
Detected - 177, recognized as trusted - 177
| |
Service | Description | Status | File | Group | Dependencies
ALSysIO | ALSysIO | Not started | C:\Users\Willie\AppData\Local\Temp\ALSysIO64.sys | |
AntiLog32 | AntiLog32 | Not started | C:\Windows\system32\drivers\AntiLog64.sys | |
catchme | catchme | Not started | C:\ComboFix\catchme.sys | Base |
keycrypt | keycrypt | Not started | C:\Windows\system32\DRIVERS\KeyCrypt64.sys | Keyboard Class | kbdclass
Detected - 270, recognized as trusted - 266
| |
File name | Status | Startup method | Description
C:\Program Files (x86)\SFT\GuardedID\events\events.dll | -- | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\GIDTB, EventMessageFile
C:\Users\Willie\AppData\Local\Temp\_uninst_81202312.bat | Active | Shortcut in Autoruns folder | C:\Users\Willie\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\, C:\Users\Willie\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_uninst_81202312.lnk
C:\Users\Willie\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop (1).ini | Active | File in Autoruns folder | C:\Users\Willie\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\, C:\Users\Willie\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop (1).ini
C:\Windows\System32\MsSpellCheckingFacility.dll | -- | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Microsoft-Windows-Spell-Checking, EventMessageFile
C:\Windows\System32\MsSpellCheckingFacility.dll | -- | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Microsoft-Windows-SpellChecker, EventMessageFile
C:\Windows\System32\MsSpellCheckingFacility.dll | -- | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-Spell-Checking, EventMessageFile
C:\Windows\System32\MsSpellCheckingFacility.dll | -- | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-SpellChecker, EventMessageFile
C:\Windows\System32\appmgmts.dll | Active | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\AppMgmt\Parameters, ServiceDll
C:\Windows\system32\drivers\N360\1506000.020\SYMEFA64.SYS | -- | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\SymEFA, EventMessageFile
C:\Windows\system32\psxss.exe | -- | Registry key | HKEY_LOCAL_MACHINE, System\CurrentControlSet\Control\Session Manager\SubSystems, Posix
auditcse.dll | Active | Registry key | HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{f3ccc681-b74c-4060-9f26-cd84525dca2a}, DLLName
c:\Program Files\Microsoft Mouse and Keyboard Center\dw15.exe | -- | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\IntelliType Pro, EventMessageFile
rdpclip | Active | Registry key | HKEY_LOCAL_MACHINE, System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd, StartupPrograms
Autoruns items detected - 597, recognized as trusted - 584
| |
File name | Type | Description | Manufacturer | CLSID
Elements detected - 5, recognized as trusted - 5
| |
File name | Destination | Description | Manufacturer | CLSID
WebCheck | {E6FB5E20-DE35-11CF-9C87-00AA005127ED}
ColumnHandler | {F9DB5320-233E-11D1-9F84-707F02C10627}
Elements detected - 20, recognized as trusted - 18
| |
File name | Type | Name | Description | Manufacturer
localspl.dll | Monitor | Local Port | |
FXSMON.DLL | Monitor | Microsoft Shared Fax Monitor | |
sdt1cl6.dll | Monitor | sdt1c Langmon | |
STOFaxPort64.dll | Monitor | SmarThru Office PC Fax Port | |
tcpmon.dll | Monitor | Standard TCP/IP Port | |
DLXSOZIL.DLL | Monitor | Status Monitor Language Monitor for Dell Color Laser 1320c | |
usbmon.dll | Monitor | USB Monitor | |
WSDMon.dll | Monitor | WSD Port | |
inetpp.dll | Provider | HTTP Print Services | |
Elements detected - 10, recognized as trusted - 1
| |
File name | Job name | Job status | Description | Manufacturer
Elements detected - 3, recognized as trusted - 3
| |
Provider | Status | EXE file | Description | GUID
Detected - 7, recognized as trusted - 7
| |
Provider | EXE file | Description
Detected - 10, recognized as trusted - 10
| |
File name | Description | Manufacturer | CLSID | Source URL
Elements detected - 0, recognized as trusted - 0
| |
File name | Description | Manufacturer
C:\Windows\system32\FlashPlayerCPLApp.cpl | Adobe Flash Player Control Panel Applet | Copyright © 1996-2014 Adobe Systems Incorporated. All Rights Reserved. Adobe and Flash are either trademarks or registered trademarks in the United States and/or other countries.
Elements detected - 20, recognized as trusted - 19
| |
File name | Description | Manufacturer | CLSID
Elements detected - 7, recognized as trusted - 7
| |
Hosts file record
File name | Type | Description | Manufacturer | CLSID
mscoree.dll | Protocol | Microsoft .NET Runtime Execution Engine () | © Microsoft Corporation. All rights reserved. | {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
mscoree.dll | Protocol | Microsoft .NET Runtime Execution Engine () | © Microsoft Corporation. All rights reserved. | {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
mscoree.dll | Protocol | Microsoft .NET Runtime Execution Engine () | © Microsoft Corporation. All rights reserved. | {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
Elements detected - 14, recognized as trusted - 11
| |
File | Description | Type |
Main script of analysis
Windows version: Windows 7 Home Premium, Build=7601, SP="Service Pack 1"
System Restore: enabled
>> Services: potentially dangerous service allowed: TermService (@%SystemRoot%\System32\termsrv.dll,-268)
>> Services: potentially dangerous service allowed: SSDPSRV (@%systemroot%\system32\ssdpsrv.dll,-100)
>> Services: potentially dangerous service allowed: Schedule (@%SystemRoot%\system32\schedsvc.dll,-100)
> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
>> Security: disk drives' autorun is enabled
>> Security: administrative shares (C$, D$ ...) are enabled
>> Security: anonymous user access is enabled
>> Security: sending Remote Assistant queries is enabled
>> Disable HDD autorun
>> Disable autorun from network drives
>> Disable CD/DVD autorun
>> Disable removable media autorun
System Analysis in progress
Add commands to script:
System Analysis - complete
Script commands