Kaspersky Virus Removal Tool 11.0.0.1245 (database released 30/12/2011; 05:49)
| File name | PID | Description | Copyright | MD5 | Information
| wmpnetwk.exe | Script: Quarantine, Delete, BC delete, Terminate 2028 | | | ?? | error getting file info | Command line: Detected:39, recognized as trusted 38
| | |||||
| Module name | Handle | Description | Copyright | MD5 | Used by processes
| Modules detected:308, recognized as trusted 308
| | |||||
| Module | Base address | Size in memory | Description | Manufacturer
| C:\Windows\system32\DRIVERS\21786235.sys | Script: Quarantine, Delete, BC delete AA9A000 | 75F000 (7729152) |
| C:\Windows\System32\Drivers\dump_atapi.sys | Script: Quarantine, Delete, BC delete 5BA4000 | 009000 (36864) |
| C:\Windows\System32\Drivers\dump_dumpata.sys | Script: Quarantine, Delete, BC delete 5B98000 | 00C000 (49152) |
| C:\Windows\System32\Drivers\dump_dumpfve.sys | Script: Quarantine, Delete, BC delete 5BAD000 | 013000 (77824) |
| C:\Windows\system32\Drivers\PROCEXP113.SYS | Script: Quarantine, Delete, BC delete 79B6000 | 008000 (32768) |
| Modules detected - 189, recognized as trusted - 184
| | |||||||||
| Service | Description | Status | File | Group | Dependencies
| PnkBstrA | Service: Stop, Delete, Disable, BC delete PnkBstrA | Running | C:\Windows\system32\PnkBstrA.exe | Script: Quarantine, Delete, BC delete |
| Detected - 157, recognized as trusted - 156
| | ||||||
| Service | Description | Status | File | Group | Dependencies
| 21786235 | Driver: Unload, Delete, Disable, BC delete 21786235 | Running | 21786235.sys | Script: Quarantine, Delete, BC delete |
| catchme | Driver: Unload, Delete, Disable, BC delete catchme | Not started | C:\ComboFix\catchme.sys | Script: Quarantine, Delete, BC delete Base |
| Detected - 249, recognized as trusted - 247
| | ||||||
| File name | Status | Startup method | Description
| C:\Users\DJ\AppData\Local\Temp\_uninst_84137851.bat | Script: Quarantine, Delete, BC delete Active | Shortcut in Autoruns folder | C:\Users\DJ\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\, C:\Users\DJ\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_uninst_84137851.lnk,
| C:\Windows\system32\psxss.exe | Script: Quarantine, Delete, BC delete -- | Registry key | HKEY_LOCAL_MACHINE, System\CurrentControlSet\Control\Session Manager\SubSystems, Posix
| auditcse.dll | Script: Quarantine, Delete, BC delete Active | Registry key | HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{f3ccc681-b74c-4060-9f26-cd84525dca2a}, DLLName | Delete lvcod64.dll | Script: Quarantine, Delete, BC delete Active | Registry key | HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\Drivers32, vidc.i420 | Delete rdpclip | Script: Quarantine, Delete, BC delete Active | Registry key | HKEY_LOCAL_MACHINE, System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd, StartupPrograms | Delete xfcodec64.dll | Script: Quarantine, Delete, BC delete Active | Registry key | HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\Drivers32, VIDC.XFR1 | Delete Autoruns items detected - 645, recognized as trusted - 639
| | ||||||
| File name | Type | Description | Manufacturer | CLSID
| Extension module | {2670000A-7350-4f3c-8081-5663EE0C6C49} | Delete Extension module | {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} | Delete Elements detected - 4, recognized as trusted - 2
| | ||||||||||||
| File name | Destination | Description | Manufacturer | CLSID
| WinRAR shell extension | {B41DB860-8EE4-11D2-9906-E49FADC173CA} | Delete ColumnHandler | {F9DB5320-233E-11D1-9F84-707F02C10627} | Delete Elements detected - 24, recognized as trusted - 22
| | ||||||||||||
| File name | Type | Name | Description | Manufacturer
| localspl.dll | Script: Quarantine, Delete, BC delete Monitor | Local Port |
| FXSMON.DLL | Script: Quarantine, Delete, BC delete Monitor | Microsoft Shared Fax Monitor |
| tcpmon.dll | Script: Quarantine, Delete, BC delete Monitor | Standard TCP/IP Port |
| usbmon.dll | Script: Quarantine, Delete, BC delete Monitor | USB Monitor |
| WSDMon.dll | Script: Quarantine, Delete, BC delete Monitor | WSD Port |
| inetpp.dll | Script: Quarantine, Delete, BC delete Provider | HTTP Print Services |
| Elements detected - 7, recognized as trusted - 1
| | ||||||||||||
| File name | Job name | Job status | Description | Manufacturer
| Elements detected - 4, recognized as trusted - 4
| | ||||||
| Provider | Status | EXE file | Description | GUID
| Detected - 7, recognized as trusted - 7
| | ||||||
| Provider | EXE file | Description
| Detected - 10, recognized as trusted - 10
| | ||||||
| File name | Description | Manufacturer | CLSID | Source URL
| Elements detected - 0, recognized as trusted - 0
| | ||||||
| File name | Description | Manufacturer
| C:\Windows\system32\FlashPlayerCPLApp.cpl | Script: Quarantine, Delete, BC delete Adobe Flash Player Control Panel Applet | Copyright © 1996-2010 Adobe Systems Incorporated. All Rights Reserved. Adobe and Flash are either trademarks or registered trademarks in the United States and/or other countries.
| Elements detected - 20, recognized as trusted - 19
| | ||||||
| File name | Description | Manufacturer | CLSID
| Elements detected - 9, recognized as trusted - 9
| | ||||||
Hosts file record
|
| File name | Type | Description | Manufacturer | CLSID
| mscoree.dll | Script: Quarantine, Delete, BC delete Protocol | Microsoft .NET Runtime Execution Engine () | © Microsoft Corporation. All rights reserved. | {1E66F26B-79EE-11D2-8710-00C04F79ED0D} | Delete mscoree.dll | Script: Quarantine, Delete, BC delete Protocol | Microsoft .NET Runtime Execution Engine () | © Microsoft Corporation. All rights reserved. | {1E66F26B-79EE-11D2-8710-00C04F79ED0D} | Delete mscoree.dll | Script: Quarantine, Delete, BC delete Protocol | Microsoft .NET Runtime Execution Engine () | © Microsoft Corporation. All rights reserved. | {1E66F26B-79EE-11D2-8710-00C04F79ED0D} | Delete Elements detected - 14, recognized as trusted - 11
| | ||||||
| File | Description | Type |
Main script of analysis Windows version: Windows 7 Professional, Build=7601, SP="Service Pack 1" System Restore: enabled >> Services: potentially dangerous service allowed: TermService (@%SystemRoot%\System32\termsrv.dll,-268) >> Services: potentially dangerous service allowed: SSDPSRV (@%systemroot%\system32\ssdpsrv.dll,-100) >> Services: potentially dangerous service allowed: Schedule (@%SystemRoot%\system32\schedsvc.dll,-100) > Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)! >> Security: disk drives' autorun is enabled >> Security: administrative shares (C$, D$ ...) are enabled >> Security: anonymous user access is enabled >> Security: sending Remote Assistant queries is enabled >> Disable HDD autorun >> Disable autorun from network drives >> Disable CD/DVD autorun >> Disable removable media autorun System Analysis in progressAdd commands to script:
System Analysis - complete
Script commands