Results of system analysis

Kaspersky Virus Removal Tool 11.0.0.1245 (database released 25/11/2014; 16:23)

List of processes

File name	PID	Description	Copyright	MD5	Information
BullGuardBhvScanner.exe Script: Quarantine, Delete, BC delete, Terminate	1940			??	error getting file info Command line:
BullGuardScanner.exe Script: Quarantine, Delete, BC delete, Terminate	1204			??	error getting file info Command line:
BullGuardUpdate.exe Script: Quarantine, Delete, BC delete, Terminate	1384			??	error getting file info Command line:
E_IATILBE.EXE Script: Quarantine, Delete, BC delete, Terminate	4800			??	error getting file info Command line:
InputPersonalization.exe Script: Quarantine, Delete, BC delete, Terminate	6140			??	error getting file info Command line:
officeclicktorun.exe Script: Quarantine, Delete, BC delete, Terminate	2088			??	error getting file info Command line:
TabTip.exe Script: Quarantine, Delete, BC delete, Terminate	3412			??	error getting file info Command line:
wmpnetwk.exe Script: Quarantine, Delete, BC delete, Terminate	4872			??	error getting file info Command line:
Detected:67, recognized as trusted 59

Module name	Handle	Description	Copyright	MD5	Used by processes
Modules detected:397, recognized as trusted 397

Kernel Space Modules Viewer

Module	Base address	Size in memory	Description	Manufacturer
C:\Windows\system32\DRIVERS\85978005.sys Script: Quarantine, Delete, BC delete	B078000	75F000 (7729152)
C:\Windows\system32\DRIVERS\89638826.sys Script: Quarantine, Delete, BC delete	B877000	75F000 (7729152)
C:\Windows\System32\Drivers\dump_dumpfve.sys Script: Quarantine, Delete, BC delete	61EB000	013000 (77824)
C:\Windows\System32\Drivers\dump_iaStor.sys Script: Quarantine, Delete, BC delete	4200000	3A2000 (3809280)
Modules detected - 218, recognized as trusted - 214

Services

Service	Description	Status	File	Group	Dependencies
HP Support Assistant Service Service: Stop, Delete, Disable, BC delete	HP Support Assistant Service	Not started	C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe Script: Quarantine, Delete, BC delete
Detected - 201, recognized as trusted - 200

Drivers

Service	Description	Status	File	Group	Dependencies
85978005 Driver: Unload, Delete, Disable, BC delete	85978005	Running	85978005.sys Script: Quarantine, Delete, BC delete
89638826 Driver: Unload, Delete, Disable, BC delete	89638826	Running	89638826.sys Script: Quarantine, Delete, BC delete
catchme Driver: Unload, Delete, Disable, BC delete	catchme	Not started	C:\ComboFix\catchme.sys Script: Quarantine, Delete, BC delete	Base
EagleX64 Driver: Unload, Delete, Disable, BC delete	EagleX64	Not started	C:\Windows\system32\drivers\EagleX64.sys Script: Quarantine, Delete, BC delete
USBAAPL64 Driver: Unload, Delete, Disable, BC delete	Apple Mobile USB Driver	Not started	C:\Windows\system32\Drivers\usbaapl64.sys Script: Quarantine, Delete, BC delete	Base
Detected - 272, recognized as trusted - 267

Autoruns

File name	Status	Startup method	Description
C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\IPSEventLogMsg.dll Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Handwriting Recognition, EventMessageFile
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus Plus\caamsvc.exe Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\CAAMSvc, EventMessageFile
C:\Program Files\CA\SharedComponents\TMEngine\UmxAgent.dll Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\UmxAgent, EventMessageFile
C:\Program Files\CA\SharedComponents\TMEngine\UmxEngine.exe Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\UmxEngine, EventMessageFile
C:\Program Files\Mozilla Firefox\firefox.exe Script: Quarantine, Delete, BC delete	Active	Shortcut in Autoruns folder	C:\Users\Pettit Family\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\, C:\Users\Pettit Family\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk,
C:\Users\Pettit Family\AppData\Local\Temp\_uninst_20580393.bat Script: Quarantine, Delete, BC delete	Active	Shortcut in Autoruns folder	C:\Users\Pettit Family\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\, C:\Users\Pettit Family\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_uninst_20580393.lnk,
C:\Users\Pettit Family\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop (1).ini Script: Quarantine, Delete, BC delete	Active	File in Autoruns folder	C:\Users\Pettit Family\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\, C:\Users\Pettit Family\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop (1).ini,
C:\Users\Pettit Family\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop (2).ini Script: Quarantine, Delete, BC delete	Active	File in Autoruns folder	C:\Users\Pettit Family\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\, C:\Users\Pettit Family\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop (2).ini,
C:\Users\Pettit Family\AppData\Roaming\Riverpoint Writer\Riverpoint.dot Script: Quarantine, Delete, BC delete	Active	Shortcut in Autoruns folder	C:\Users\Pettit Family\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\, C:\Users\Pettit Family\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Riverpoint Writer.lnk,
C:\Windows\System32\MsSpellCheckingFacility.dll Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Microsoft-Windows-Spell-Checking, EventMessageFile
C:\Windows\System32\MsSpellCheckingFacility.dll Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Microsoft-Windows-SpellChecker, EventMessageFile
C:\Windows\System32\MsSpellCheckingFacility.dll Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-Spell-Checking, EventMessageFile
C:\Windows\System32\MsSpellCheckingFacility.dll Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-SpellChecker, EventMessageFile
C:\Windows\System32\appmgmts.dll Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\AppMgmt\Parameters, ServiceDll Delete
C:\Windows\system32\psxss.exe Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, System\CurrentControlSet\Control\Session Manager\SubSystems, Posix
D:\b2140546ea18be2b6d4fda\DW\DW20.exe Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\VSSetup, EventMessageFile
auditcse.dll Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{f3ccc681-b74c-4060-9f26-cd84525dca2a}, DLLName Delete
igfxdev.dll Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui, DLLName Delete
rdpclip Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd, StartupPrograms Delete
Autoruns items detected - 691, recognized as trusted - 672

Microsoft Internet Explorer extension modules (BHOs, Toolbars ...)

File name	Type	Description	Manufacturer	CLSID
	Extension module			{2670000A-7350-4f3c-8081-5663EE0C6C49} Delete
	Extension module			{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} Delete
C:\Program Files\Upromise RewardU Toolbar\Helper.dll Script: Quarantine, Delete, BC delete	URLSearchHook			{6f52f077-2dbf-f864-8da7-73cc1a21005a} Delete
Elements detected - 19, recognized as trusted - 16

Windows Explorer extension modules

File name	Destination	Description	Manufacturer	CLSID
	ColumnHandler			{F9DB5320-233E-11D1-9F84-707F02C10627} Delete
Elements detected - 13, recognized as trusted - 12

Printing system extensions (print monitors, providers)

File name	Type	Name	Description	Manufacturer
E_ILMHBA.DLL Script: Quarantine, Delete, BC delete	Monitor	EPSON NX430 Series 64MonitorBA
E_ILMBLBE.DLL Script: Quarantine, Delete, BC delete	Monitor	EPSON XP-310 Series 64MonitorBE
enppmon.dll Script: Quarantine, Delete, BC delete	Monitor	EpsonNet Print Port
localspl.dll Script: Quarantine, Delete, BC delete	Monitor	Local Port
FXSMON.DLL Script: Quarantine, Delete, BC delete	Monitor	Microsoft Shared Fax Monitor
nitrolocalmon2.dll Script: Quarantine, Delete, BC delete	Monitor	Nitro PDF Port Monitor
pdfc_port.dll Script: Quarantine, Delete, BC delete	Monitor	PDFC
Primomonnt.dll Script: Quarantine, Delete, BC delete	Monitor	PrimoMon
tcpmon.dll Script: Quarantine, Delete, BC delete	Monitor	Standard TCP/IP Port
usbmon.dll Script: Quarantine, Delete, BC delete	Monitor	USB Monitor
WSDMon.dll Script: Quarantine, Delete, BC delete	Monitor	WSD Port
inetpp.dll Script: Quarantine, Delete, BC delete	Provider	HTTP Print Services
Elements detected - 13, recognized as trusted - 1

Task Scheduler jobs

File name	Job name	Job status	Description	Manufacturer
Elements detected - 8, recognized as trusted - 8

SPI/LSP settings

Namespace providers (NSP)

Provider	Status	EXE file	Description	GUID
Detected - 9, recognized as trusted - 9

Transport protocol providers (TSP, LSP)

Provider EXE file Description
Detected - 10, recognized as trusted - 10
Results of automatic SPI settings check
LSP settings checked. No errors detected

TCP/UDP ports

Port Status Remote Host Remote Port Application Notes
TCP ports
UDP ports

Downloaded Program Files (DPF)

File name Description Manufacturer CLSID Source URL
Elements detected - 0, recognized as trusted - 0

Control Panel Applets (CPL)

File name Description Manufacturer
C:\Windows\system32\FlashPlayerCPLApp.cpl
Script: Quarantine, Delete, BC delete Adobe Flash Player Control Panel Applet Copyright © 1996-2014 Adobe Systems Incorporated. All Rights Reserved. Adobe and Flash are either trademarks or registered trademarks in the United States and/or other countries.
Elements detected - 19, recognized as trusted - 18

Active Setup

File name Description Manufacturer CLSID
Elements detected - 7, recognized as trusted - 7

HOSTS file

Hosts file record
127.0.0.1 localhost
Clear Hosts file

Protocols and handlers

File name Type Description Manufacturer CLSID
mscoree.dll
Script: Quarantine, Delete, BC delete Protocol Microsoft .NET Runtime Execution Engine () © Microsoft Corporation. All rights reserved. {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
Delete
mscoree.dll
Script: Quarantine, Delete, BC delete Protocol Microsoft .NET Runtime Execution Engine () © Microsoft Corporation. All rights reserved. {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
Delete
mscoree.dll
Script: Quarantine, Delete, BC delete Protocol Microsoft .NET Runtime Execution Engine () © Microsoft Corporation. All rights reserved. {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
Delete
Elements detected - 21, recognized as trusted - 18

Suspicious objects

File Description Type

Main script of analysis
Windows version: Windows 7 Home Premium, Build=7601, SP="Service Pack 1"
System Restore: enabled
>> Services: potentially dangerous service allowed: TermService (@%SystemRoot%\System32\termsrv.dll,-268)
>> Services: potentially dangerous service allowed: SSDPSRV (@%systemroot%\system32\ssdpsrv.dll,-100)
>> Services: potentially dangerous service allowed: Schedule (@%SystemRoot%\system32\schedsvc.dll,-100)
> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
>> Security: disk drives' autorun is enabled
>> Security: administrative shares (C$, D$ ...) are enabled
>> Security: anonymous user access is enabled
>> Security: sending Remote Assistant queries is enabled
 >>  Disable HDD autorun
 >>  Disable autorun from network drives
 >>  Disable CD/DVD autorun
 >>  Disable removable media autorun
System Analysis in progress

 System Analysis - complete


Script commands 
Add commands to script:
Blocking hooks using Anti-Rootkit
Enable AVZGuard
Operations with AVZPM (true=enable,false=disable)
BootCleaner - import list of deleted files
BootCleaner - import all
Registry cleanup after deleting files
ExecuteWizard ('TSW',2,3,true) - Running Troubleshooting wizard
BootCleaner - activate
Reboot
Insert template for QuarantineFile() - quarantining file
Insert template for BC_QrFile() - quarantining file via BootCleaner
Insert template for DeleteFile() - deleting file
Insert template for DelCLSID() - deleting CLSID item from registry
Additional operations:Performance tweaking: disable service TermService (@%SystemRoot%\System32\termsrv.dll,-268)
Performance tweaking: disable service SSDPSRV (@%systemroot%\system32\ssdpsrv.dll,-100)
Performance tweaking: disable service Schedule (@%SystemRoot%\system32\schedsvc.dll,-100)
Security tweaking: disable CD autorun
Security tweaking: disable administrative shares
Security tweaking: disable anonymous user access
Security: disable sending Remote Assistant queries

File list

Port	Status	Remote Host	Remote Port	Application	Notes
TCP ports
UDP ports