Here is the manual scan results. I also often get a strange notice from Avira saying: "Access to the file 'D:\Autorun.inf' was blocked for your security".
Results of system analysis
Kaspersky Virus Removal Tool 11.0.0.1245 (database released 18/08/2011; 14:20)
List of processes
File name PID Description Copyright MD5 Information
c:\program files (x86)\agi\core\4.2.0.10752\agcoreservice.exe
Script: Quarantine, Delete, BC delete, Terminate 1956 AGCoreService Copyright © AG Interactive 2008 ?? 20.00 kb, rsAh,
created: 15.02.2010 15:25:10,
modified: 26.01.2010 15:48:24
Command line:
"C:\Program Files (x86)\AGI\core\4.2.0.10752\AGCoreService.exe"
c:\program files (x86)\avira\antivir desktop\avgnt.exe
Script: Quarantine, Delete, BC delete, Terminate 2996 Antivirus System Tray Tool Copyright © 2000 - 2010 Avira GmbH. All rights reserved. ?? 275.16 kb, rsAh,
created: 15.07.2010 02:12:04,
modified: 02.11.2010 16:57:21
Command line:
"C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
c:\program files (x86)\avira\antivir desktop\avguard.exe
Script: Quarantine, Delete, BC delete, Terminate 1128 Antivirus On-Access Service Copyright © 2000 - 2010 Avira GmbH. All rights reserved. ?? 263.16 kb, rsAh,
created: 15.07.2010 02:12:04,
modified: 28.06.2011 09:01:58
Command line:
"C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe"
avshadow.exe
Script: Quarantine, Delete, BC delete, Terminate 2160 ?? error getting file info
Command line:
HydraDM64.exe
Script: Quarantine, Delete, BC delete, Terminate 4844 ?? error getting file info
Command line:
wmpenc.exe
Script: Quarantine, Delete, BC delete, Terminate 5432 ?? error getting file info
Command line:
wmpnetwk.exe
Script: Quarantine, Delete, BC delete, Terminate 1572 ?? error getting file info
Command line:
wmpnscfg.exe
Script: Quarantine, Delete, BC delete, Terminate 3508 ?? error getting file info
Command line:
Detected:119, recognized as trusted 114
Module name Handle Description Copyright MD5 Used by processes
C:\Program Files (x86)\AGI\core\4.2.0.10752\agicore.dll
Script: Quarantine, Delete, BC delete 1942814720 agicore Copyright © AG Interactive 2008 -- 1956
C:\Program Files (x86)\AGI\core\4.2.0.10752\AutoUpdateServicePlugin.dll
Script: Quarantine, Delete, BC delete 1944256512 AutoUpdateServicePlugin Copyright © AG Interactive 2009 -- 1956
C:\Program Files (x86)\AGI\core\4.2.0.10752\FlashTrustServicePlugin.dll
Script: Quarantine, Delete, BC delete 1942749184 FlashTrustServicePlugin Copyright © AG Interactive 2009 -- 1956
C:\Program Files (x86)\AGI\core\4.2.0.10752\InstallLibrary.dll
Script: Quarantine, Delete, BC delete 1939865600 InstallLibrary Copyright © AG Interactive 2009 -- 1956
C:\Program Files (x86)\Avira\AntiVir Desktop\aeheur.dll
Script: Quarantine, Delete, BC delete 40173568 AntiVir Engine Module for Windows Copyright © 2011 Avira GmbH. All rights reserved. -- 1128
C:\Program Files (x86)\Avira\AntiVir Desktop\rcimage.dll
Script: Quarantine, Delete, BC delete 48365568 Avira AntiVir PersonalEdition Classic Master Resource File (English) Copyright © 2000 - 2010 Avira GmbH. All rights reserved. -- 2996
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\eb5ed48265c5035b75b76a847213c0bc\System.Xml.ni.dll
Script: Quarantine, Delete, BC delete 1918500864 .NET Framework © Microsoft Corporation. All rights reserved. -- 1956
Modules detected:438, recognized as trusted 431
Kernel Space Modules Viewer
Module Base address Size in memory Description Manufacturer
C:\Windows\System32\Drivers\dump_atapi.sys
Script: Quarantine, Delete, BC delete 6BD9000 008000 (32768)
C:\Windows\System32\Drivers\dump_dumpata.sys
Script: Quarantine, Delete, BC delete 6BCD000 00C000 (49152)
Modules detected - 153, recognized as trusted - 151
Services
Service Description Status File Group Dependencies
AGWinService
Service: Stop, Delete, Disable, BC delete AG Windows Service Not started C:\Program Files (x86)\AGI\common\win32\PythonService.exe
Script: Quarantine, Delete, BC delete
getPlusHelper
Service: Stop, Delete, Disable, BC delete getPlusHelper Not started getPlusHelper.sys
Script: Quarantine, Delete, BC delete
msiserver
Service: Stop, Delete, Disable, BC delete Windows Installer Not started C:\Windows\system32\msiexec
Script: Quarantine, Delete, BC delete rpcss
Detected - 147, recognized as trusted - 144
Drivers
Service Description Status File Group Dependencies
cpuz132
Driver: Unload, Delete, Disable, BC delete cpuz132 Not started C:\Users\Veronica\AppData\Local\Temp\cpuz132\cpuz132_x64.sys
Script: Quarantine, Delete, BC delete
EuMusDesignVirtualAudioCableWdm_lcs
Driver: Unload, Delete, Disable, BC delete Breakaway Pipeline (WDM) Not started C:\Windows\system32\DRIVERS\vaclcskd.sys
Script: Quarantine, Delete, BC delete
IpInIp
Driver: Unload, Delete, Disable, BC delete IP in IP Tunnel Driver Not started C:\Windows\system32\DRIVERS\ipinip.sys
Script: Quarantine, Delete, BC delete Tcpip
NwlnkFlt
Driver: Unload, Delete, Disable, BC delete IPX Traffic Filter Driver Not started C:\Windows\system32\DRIVERS\nwlnkflt.sys
Script: Quarantine, Delete, BC delete NwlnkFwd
NwlnkFwd
Driver: Unload, Delete, Disable, BC delete IPX Traffic Forwarder Driver Not started C:\Windows\system32\DRIVERS\nwlnkfwd.sys
Script: Quarantine, Delete, BC delete
Detected - 235, recognized as trusted - 230
Autoruns
File name Status Startup method Description
C:\Program Files (x86)\Bonjour\mDNSResponder.exe
Script: Quarantine, Delete, BC delete -- Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Bonjour Service, EventMessageFile
C:\Program Files (x86)\NOS\bin\getPlus_Helper.dll
Script: Quarantine, Delete, BC delete Active Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\getPlusHelper\Parameters, ServiceDll
Delete
C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe
Script: Quarantine, Delete, BC delete Active Registry key HKEY_USERS, S-1-5-21-2932777127-504153465-3726424614-1000\Software\Microsoft\Windows\CurrentVersion\Run, WMPNSCFG
Delete
C:\Users\Veronica\AppData\Local\Temp\_uninst_74385989.bat
Script: Quarantine, Delete, BC delete Active Shortcut in Autoruns folder C:\Users\Veronica\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\, C:\Users\Veronica\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_uninst_74385989.lnk,
C:\Users\Veronica\AppData\Local\Temp\_uninst_83594569.bat
Script: Quarantine, Delete, BC delete Active Shortcut in Autoruns folder C:\Users\Veronica\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\, C:\Users\Veronica\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_uninst_83594569.lnk,
C:\Users\Veronica\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\eBay.lnk
Script: Quarantine, Delete, BC delete Active File in Autoruns folder C:\Users\Veronica\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\, C:\Users\Veronica\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\eBay.lnk,
C:\WindowsSystem32\IoLogMsg.dll
Script: Quarantine, Delete, BC delete -- Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\vsmraid, EventMessageFile
C:\Windows\SysWOW64\ShellvRTF64.dll
Script: Quarantine, Delete, BC delete Active Registry key HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved, {7F67036B-66F1-411A-AD85-759FB9C5B0DB}
Delete
C:\Windows\System32\igmpv2.dll
Script: Quarantine, Delete, BC delete -- Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\IGMPv2, EventMessageFile
C:\Windows\System32\ipbootp.dll
Script: Quarantine, Delete, BC delete -- Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\IPBOOTP, EventMessageFile
C:\Windows\System32\iprip2.dll
Script: Quarantine, Delete, BC delete -- Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\IPRIP2, EventMessageFile
C:\Windows\System32\ws03res.dll
Script: Quarantine, Delete, BC delete -- Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\IPNATHLP, EventMessageFile
C:\Windows\system32\psxss.exe
Script: Quarantine, Delete, BC delete -- Registry key HKEY_LOCAL_MACHINE, System\CurrentControlSet\Control\Session Manager\SubSystems, Posix
SDEvents.dll
Script: Quarantine, Delete, BC delete -- Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Spybot - Search & Destroy 2, EventMessageFile
rdpclip
Script: Quarantine, Delete, BC delete Active Registry key HKEY_LOCAL_MACHINE, System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd, StartupPrograms
Delete
Autoruns items detected - 664, recognized as trusted - 649
Microsoft Internet Explorer extension modules (BHOs, Toolbars ...)
File name Type Description Manufacturer CLSID
C:\Program Files (x86)\AVG\AVG9\avgssiea.dll
Script: Quarantine, Delete, BC delete BHO {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Delete
URLSearchHook {0BC6E3FA-78EF-4886-842C-5A1258C4455A}
Delete
Elements detected - 4, recognized as trusted - 2
Windows Explorer extension modules
File name Destination Description Manufacturer CLSID
IE User Assist {FAC3CBF6-8697-43d0-BAB9-DCD1FCE19D75}
Delete
lnkfile {00020d75-0000-0000-c000-000000000046}
Delete
Color Control Panel Applet {b2c761c6-29bc-4f19-9251-e6195265baf1}
Delete
Add New Hardware {7A979262-40CE-46ff-AEEE-7884AC3B6136}
Delete
Get Programs Online {3e7efb4c-faf1-453d-89eb-56026875ef90}
Delete
Taskbar and Start Menu {0DF44EAA-FF21-4412-828E-260A8728E7F1}
Delete
ActiveDirectory Folder {1b24a030-9b20-49bc-97ac-1be4426f9e59}
Delete
ActiveDirectory Folder {34449847-FD14-4fc8-A75A-7432F5181EFB}
Delete
Sam Account Folder {C8494E42-ACDD-4739-B0FB-217361E4894F}
Delete
Sam Account Folder {E29F9716-5C08-4FCD-955A-119FDB5A522D}
Delete
Control Panel command object for Start menu {5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}
Delete
Default Programs command object for Start menu {E44E5D18-0652-4508-A4E2-8A090067BCB0}
Delete
Folder Options {6dfd7c5c-2451-11d3-a299-00c04f8ef6af}
Delete
Explorer Query Band {2C2577C2-63A7-40e3-9B7F-586602617ECB}
Delete
View Available Networks {38a98528-6cbf-4ca9-8dc0-b1e1d10f7b1b}
Delete
Contacts folder {0F8604A5-4ECE-4DE1-BA7D-CF10F8AA4F48}
Delete
Problem Reports and Solutions {fcfeecae-ee1b-4849-ae50-685dcf7717ec}
Delete
Windows Firewall {4026492f-2f69-46b8-b9bf-5654fc07e423}
Delete
iSCSI Initiator {a304259d-52b8-4526-8b1a-a1d6cecc8243}
Delete
.cab or .zip files {911051fa-c21c-4246-b470-070cd8df6dc4}
Delete
Windows Search Shell Service {da67b8ad-e81b-4c70-9b91b417b5e33527}
Delete
Microsoft.ScannersAndCameras {00f2886f-cd64-4fc9-8ec5-30ef6cdbe8c3}
Delete
emdmgmt.dll
Script: Quarantine, Delete, BC delete EMDFileProperties {BB6B2374-3D79-41DB-87F4-896C91846510}
Delete
Windows Sidebar Properties {37efd44d-ef8d-41b1-940d-96973a50e9e0}
Delete
Windows Features {67718415-c450-4f3c-bf8a-b487642dc39b}
Delete
Windows Defender {d8559eb9-20c0-410e-beda-7ed416aecc2a}
Delete
Mobility Center Control Panel {5ea4f148-308c-46d7-98a9-49041b1dd468}
Delete
C:\Program Files (x86)\Common Files\microsoft shared\ink\TipBand.dll
Script: Quarantine, Delete, BC delete Tablet PC Input Panel {15D633E2-AD00-465b-9EC7-F56B7CDF8E27}
Delete
User Accounts {7A9D77BD-5403-11d2-8785-2E0420524153}
Delete
C:\Windows\SysWOW64\ShellvRTF64.dll
Script: Quarantine, Delete, BC delete ShellViewRTF ShellvRTF Copyright © 2002-2005 {7F67036B-66F1-411A-AD85-759FB9C5B0DB}
Delete
ColumnHandler {0561EC90-CE54-4f0c-9C55-E226110A740C}
Delete
ColumnHandler {F9DB5320-233E-11D1-9F84-707F02C10627}
Delete
Elements detected - 283, recognized as trusted - 251
Printing system extensions (print monitors, providers)
File name Type Name Description Manufacturer
CNBLM3_2.DLL
Script: Quarantine, Delete, BC delete Monitor BJ Language Monitor3_2
E_ILMALA.DLL
Script: Quarantine, Delete, BC delete Monitor EPSON Stylus CX5800F Series 64MonitorBA
hpzlllhn.dll
Script: Quarantine, Delete, BC delete Monitor LIDIL hpzlllhn
inetpp.dll
Script: Quarantine, Delete, BC delete Provider HTTP Print Services
Elements detected - 9, recognized as trusted - 5
Task Scheduler jobs
File name Job name Job status Description Manufacturer
C:\Program Files (x86)\Driver Robot\1.2.0.5\DriverRobot.exe
Script: Quarantine, Delete, BC delete Driver Robot.job The task is ready to run at its next scheduled time.
Elements detected - 3, recognized as trusted - 2
SPI/LSP settings
Namespace providers (NSP)
Provider Status EXE file Description GUID
Detected - 6, recognized as trusted - 6
Transport protocol providers (TSP, LSP)
Provider EXE file Description
Detected - 10, recognized as trusted - 10
Results of automatic SPI settings check
LSP settings checked. No errors detected
TCP/UDP ports
Port Status Remote Host Remote Port Application Notes
TCP ports
UDP ports
Downloaded Program Files (DPF)
File name Description Manufacturer CLSID Source URL
Elements detected - 0, recognized as trusted - 0
Control Panel Applets (CPL)
File name Description Manufacturer
C:\Windows\system32\DivXControlPanelApplet.cpl
Script: Quarantine, Delete, BC delete DivX Control Panel © Copyright 2000 - 2009 DivX, Inc.
C:\Windows\system32\FlashPlayerCPLApp.cpl
Script: Quarantine, Delete, BC delete Adobe Flash Player Control Panel Applet Copyright © 1996-2010 Adobe Systems Incorporated. All Rights Reserved. Adobe and Flash are either trademarks or registered trademarks in the United States and/or other countries.
Elements detected - 20, recognized as trusted - 18
Active Setup
File name Description Manufacturer CLSID
Elements detected - 9, recognized as trusted - 9
HOSTS file
Hosts file record
яю1
Clear Hosts file
Protocols and handlers
File name Type Description Manufacturer CLSID
mscoree.dll
Script: Quarantine, Delete, BC delete Protocol Microsoft .NET Runtime Execution Engine () © Microsoft Corporation. All rights reserved. {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
Delete
mscoree.dll
Script: Quarantine, Delete, BC delete Protocol Microsoft .NET Runtime Execution Engine () © Microsoft Corporation. All rights reserved. {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
Delete
mscoree.dll
Script: Quarantine, Delete, BC delete Protocol Microsoft .NET Runtime Execution Engine () © Microsoft Corporation. All rights reserved. {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
Delete
Elements detected - 14, recognized as trusted - 11
Suspicious objects
File Description Type
D:\autorun.inf
Script: Quarantine, Delete, BC delete Suspicion by Heuristic analysis HSC: suspicion for hidden autorun (high degree of probability)
Main script of analysis
Windows version: Windows Vista Home Premium, Build=6002, SP="Service Pack 2"
System Restore: enabled
>>> D:\autorun.inf HSC: suspicion for hidden autorun (high degree of probability)
>> Services: potentially dangerous service allowed: TermService (@%SystemRoot%\System32\termsrv.dll,-268)
>> Services: potentially dangerous service allowed: SSDPSRV (@%systemroot%\system32\ssdpsrv.dll,-100)
>> Services: potentially dangerous service allowed: Schedule (@%SystemRoot%\system32\schedsvc.dll,-100)
> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
>> Security: disk drives' autorun is enabled
>> Security: administrative shares (C$, D$ ...) are enabled
>> Security: anonymous user access is enabled
>> Security: sending Remote Assistant queries is enabled
>> Disable HDD autorun
>> Disable autorun from network drives
>> Disable CD/DVD autorun
>> Disable removable media autorun
>> Windows Explorer - show extensions of known file types
System Analysis in progress
System Analysis - complete
Script commands
Add commands to script:
Blocking hooks using Anti-Rootkit
Enable AVZGuard
Operations with AVZPM (true=enable,false=disable)
BootCleaner - import list of deleted files
BootCleaner - import all
Registry cleanup after deleting files
ExecuteWizard ('TSW',2,3,true) - Running Troubleshooting wizard
BootCleaner - activate
Reboot
Insert template for QuarantineFile() - quarantining file
Insert template for BC_QrFile() - quarantining file via BootCleaner
Insert template for DeleteFile() - deleting file
Insert template for DelCLSID() - deleting CLSID item from registry
Additional operations:
Performance tweaking: disable service TermService (@%SystemRoot%\System32\termsrv.dll,-268)
Performance tweaking: disable service SSDPSRV (@%systemroot%\system32\ssdpsrv.dll,-100)
Performance tweaking: disable service Schedule (@%SystemRoot%\system32\schedsvc.dll,-100)
Security tweaking: disable CD autorun
Security tweaking: disable administrative shares
Security tweaking: disable anonymous user access
Security: disable sending Remote Assistant queries
File list