Results of system analysis
Kaspersky Virus Removal Tool 11.0.0.1245 (database released 19/03/2014; 08:02)
List of processes
File name | PID | Description | Copyright | MD5 | Information
mcshield.exe | 2216 | ?? | -- | -- | error getting file info
mfeann.exe | 2612 | ?? | -- | -- | error getting file info
saHookMain.exe | 2716 | ?? | -- | -- | error getting file info
wmpnetwk.exe | 1568 | ?? | -- | -- | error getting file info
c:\program files (x86)\yahoo!\ynanoclient\cpn0\ynanoservice.exe | 2168 | YNanoClient Service | Copyright © 2012 Yahoo! Inc. All rights reserved. | ?? | 153.34 kb, rsAh, created: 23.05.2012 08:11:32, modified: 23.05.2012 08:11:32
    Command line: "C:\Program Files (x86)\Yahoo!\YNanoClient\cpn0\YNanoService.exe"
Detected - 62, recognized as trusted - 57
Module name | Handle | Description | Copyright | MD5 | Used by processes
Modules detected - 307, recognized as trusted - 307
Kernel Space Modules Viewer
Module | Base address | Size in memory | Description | Manufacturer
C:\Windows\system32\DRIVERS\57811395.sys | 9C7E000 | 75F000 (7729152) | -- | --
C:\Windows\System32\Drivers\dump_atapi.sys | 64C4000 | 009000 (36864) | -- | --
C:\Windows\System32\Drivers\dump_dumpata.sys | 64B8000 | 00C000 (49152) | -- | --
C:\Windows\System32\Drivers\dump_dumpfve.sys | 64CD000 | 013000 (77824) | -- | --
Modules detected - 208, recognized as trusted - 204
Services
Service | Description | Status | File | Group | Dependencies
0280211389918049mcinstcleanup | McAfee Application Installer Cleanup (0280211389918049) | Not started | C:\Users\STARLA~1.NIC\AppData\Local\Temp\028021~1.EXE | -- | --
vToolbarUpdater18.0.0 | vToolbarUpdater18.0.0 | Not started | C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\18.0.0\ToolbarUpdater.exe | -- | --
Detected - 175, recognized as trusted - 173
Drivers
Service | Description | Status | File | Group | Dependencies
57811395 | 57811395 | Running | 57811395.sys | -- | --
Detected - 266, recognized as trusted - 265
Autoruns
File name | Status | Startup method | Description
C:\PROGRA~2\TELEVI~2\bar\1.bin\AppIntegrator64.exe | Active | Registry key HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, TelevisionFanatic Home Page Guard 64 bit | --
C:\Program Files (x86)\McAfee\Managed VirusScan\DesktopUI\McTrayEventLog.dll | -- | Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\McAfee Win32 GUI Support Library, EventMessageFile | --
C:\Program Files (x86)\iYogi Support Dock\Download\vssetup.exe | -- | Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\VSASaPInstall, EventMessageFile | --
C:\Users\starla.nicholson\AppData\Local\Temp\_uninst_54432125.bat | Active | Shortcut in Autoruns folder C:\Users\starla.nicholson\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\, C:\Users\starla.nicholson\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_uninst_54432125.lnk | --
C:\Windows\System32\MsSpellCheckingFacility.dll | -- | Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Microsoft-Windows-Spell-Checking, EventMessageFile | --
C:\Windows\System32\MsSpellCheckingFacility.dll | -- | Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Microsoft-Windows-SpellChecker, EventMessageFile | --
C:\Windows\System32\MsSpellCheckingFacility.dll | -- | Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-Spell-Checking, EventMessageFile | --
C:\Windows\System32\MsSpellCheckingFacility.dll | -- | Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-SpellChecker, EventMessageFile | --
C:\Windows\system32\psxss.exe | -- | Registry key HKEY_LOCAL_MACHINE, System\CurrentControlSet\Control\Session Manager\SubSystems, Posix | --
auditcse.dll | Active | Registry key HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{f3ccc681-b74c-4060-9f26-cd84525dca2a}, DLLName | --
rdpclip | Active | Registry key HKEY_LOCAL_MACHINE, System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd, StartupPrograms | --
Autoruns items detected - 603, recognized as trusted - 592
Microsoft Internet Explorer extension modules (BHOs, Toolbars ...)
File name | Type | Description | Manufacturer | CLSID
-- | Explorer Bar | -- | -- | {555D4D79-4BD2-4094-A395-CFC534424A05}
Elements detected - 6, recognized as trusted - 5
Windows Explorer extension modules
File name | Destination | Description | Manufacturer | CLSID
-- | ColumnHandler | -- | -- | {F9DB5320-233E-11D1-9F84-707F02C10627}
Elements detected - 12, recognized as trusted - 11
Printing system extensions (print monitors, providers)
File name | Type | Name | Description | Manufacturer
hpinksts4812LM.dll | Monitor | HP 4812 Status Monitor | -- | --
HPDiscoPM4812.dll | Monitor | HP Discovery Port Monitor (HP Officejet 7500 E910) | -- | --
hpf3l70v.dll | Monitor | hpf3l70v.dll | -- | --
localspl.dll | Monitor | Local Port | -- | --
FXSMON.DLL | Monitor | Microsoft Shared Fax Monitor | -- | --
tcpmon.dll | Monitor | Standard TCP/IP Port | -- | --
usbmon.dll | Monitor | USB Monitor | -- | --
WSDMon.dll | Monitor | WSD Port | -- | --
inetpp.dll | Provider | HTTP Print Services | -- | --
Elements detected - 10, recognized as trusted - 1
Task Scheduler jobs
File name | Job name | Job status | Description | Manufacturer
Elements detected - 3, recognized as trusted - 3
SPI/LSP settings
Namespace providers (NSP)
Provider | Status | EXE file | Description | GUID
Detected - 8, recognized as trusted - 8
Transport protocol providers (TSP, LSP)
Provider | EXE file | Description
Detected - 10, recognized as trusted - 10
Results of automatic SPI settings check
LSP settings checked. No errors detected
TCP/UDP ports
Port | Status | Remote Host | Remote Port | Application | Notes
TCP ports
135 | LISTENING | 0.0.0.0 | 0 | [728] svchost.exe | --
139 | LISTENING | 0.0.0.0 | 0 | [4] System | --
445 | LISTENING | 0.0.0.0 | 0 | [4] System | --
554 | LISTENING | 0.0.0.0 | 0 | [1568] wmpnetwk.exe | --
1025 | LISTENING | 0.0.0.0 | 0 | [452] wininit.exe | --
1026 | LISTENING | 0.0.0.0 | 0 | [872] svchost.exe | --
1027 | LISTENING | 0.0.0.0 | 0 | [172] svchost.exe | --
1028 | LISTENING | 0.0.0.0 | 0 | [1288] spoolsv.exe | --
1029 | LISTENING | 0.0.0.0 | 0 | [528] lsass.exe | --
1030 | LISTENING | 0.0.0.0 | 0 | [508] services.exe | --
2869 | LISTENING | 0.0.0.0 | 0 | [4] System | --
5357 | LISTENING | 0.0.0.0 | 0 | [4] System | --
6515 | LISTENING | 0.0.0.0 | 0 | [1884] c:\program files (x86)\mcafee\managed virusscan\agent\myagtsvc.exe | --
10243 | LISTENING | 0.0.0.0 | 0 | [4] System | --
UDP ports
137 | LISTENING | -- | -- | [4] System | --
138 | LISTENING | -- | -- | [4] System | --
500 | LISTENING | -- | -- | [172] svchost.exe | --
1900 | LISTENING | -- | -- | [3780] svchost.exe | --
1900 | LISTENING | -- | -- | [3780] svchost.exe | --
3702 | LISTENING | -- | -- | [984] svchost.exe | --
3702 | LISTENING | -- | -- | [3780] svchost.exe | --
3702 | LISTENING | -- | -- | [984] svchost.exe | --
3702 | LISTENING | -- | -- | [3780] svchost.exe | --
4500 | LISTENING | -- | -- | [172] svchost.exe | --
5004 | LISTENING | -- | -- | [1568] wmpnetwk.exe | --
5005 | LISTENING | -- | -- | [1568] wmpnetwk.exe | --
5355 | LISTENING | -- | -- | [1164] svchost.exe | --
6514 | LISTENING | -- | -- | [1884] c:\program files (x86)\mcafee\managed virusscan\agent\myagtsvc.exe | --
6515 | LISTENING | -- | -- | [1728] c:\program files (x86)\mcafee\managed virusscan\agent\myagtsvc.exe | --
6516 | LISTENING | -- | -- | [1728] c:\program files (x86)\mcafee\managed virusscan\agent\myagtsvc.exe | --
49195 | LISTENING | -- | -- | [3780] svchost.exe | --
49197 | LISTENING | -- | -- | [984] svchost.exe | --
63830 | LISTENING | -- | -- | [3780] svchost.exe | --
63831 | LISTENING | -- | -- | [3780] svchost.exe | --
Downloaded Program Files (DPF)
File name | Description | Manufacturer | CLSID | Source URL
Elements detected - 1, recognized as trusted - 1
Control Panel Applets (CPL)
File name | Description | Manufacturer
C:\Windows\system32\FlashPlayerCPLApp.cpl | Adobe Flash Player Control Panel Applet | Copyright © 1996 Adobe Systems Incorporated. All Rights Reserved. Adobe and Flash are either trademarks or registered trademarks in the United States and/or other countries.
Elements detected - 19, recognized as trusted - 18
Active Setup
File name | Description | Manufacturer | CLSID
Elements detected - 8, recognized as trusted - 8
HOSTS file
Hosts file record
127.0.0.1 localhost
Protocols and handlers
File name | Type | Description | Manufacturer | CLSID
mscoree.dll | Protocol | Microsoft .NET Runtime Execution Engine () | © Microsoft Corporation. All rights reserved. | {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
mscoree.dll | Protocol | Microsoft .NET Runtime Execution Engine () | © Microsoft Corporation. All rights reserved. | {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
mscoree.dll | Protocol | Microsoft .NET Runtime Execution Engine () | © Microsoft Corporation. All rights reserved. | {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
Elements detected - 15, recognized as trusted - 12
Suspicious objects
File | Description | Type
Main script of analysis
Windows version: Windows 7 Home Premium, Build=7601, SP="Service Pack 1"
System Restore: enabled
>> Services: potentially dangerous service allowed: TermService (@%SystemRoot%\System32\termsrv.dll,-268)
>> Services: potentially dangerous service allowed: SSDPSRV (@%systemroot%\system32\ssdpsrv.dll,-100)
>> Services: potentially dangerous service allowed: Schedule (@%SystemRoot%\system32\schedsvc.dll,-100)
> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
>> Security: disk drives' autorun is enabled
>> Security: administrative shares (C$, D$ ...) are enabled
>> Security: sending Remote Assistant queries is enabled
>> Process termination timeout is out of admissible values
>> Service termination timeout is out of admissible values
>> Timeout of "Not Responding" verdict for processes is out of admissible values
>> Disable HDD autorun
>> Disable autorun from network drives
>> Disable CD/DVD autorun
>> Disable removable media autorun
System Analysis in progress
System Analysis - complete
Additional operations:
• Performance tweaking: disable service TermService (@%SystemRoot%\System32\termsrv.dll,-268)
• Performance tweaking: disable service SSDPSRV (@%systemroot%\system32\ssdpsrv.dll,-100)
• Performance tweaking: disable service Schedule (@%SystemRoot%\system32\schedsvc.dll,-100)
• Security tweaking: disable CD autorun
• Security tweaking: disable administrative shares
• Security: disable sending Remote Assistant queries