Kaspersky Virus Removal Tool 11.0.0.1245 (database released 11/10/2011; 03:55)
| File name | PID | Description | Copyright | MD5 | Information
| c:\program files\alwil software\avast5\avastsvc.exe | Script: Quarantine, Delete, BC delete, Terminate 1280 | avast! Service | Copyright (c) 2011 AVAST Software | ?? | 43.72 kb, rsAh, | created: 24.09.2011 17:06:42, modified: 06.09.2011 22:45:28 Command line: "C:\Program Files\Alwil Software\Avast5\AvastSvc.exe" wmpnetwk.exe | Script: Quarantine, Delete, BC delete, Terminate 3124 | | | ?? | error getting file info | Command line: Detected:50, recognized as trusted 49
| | |||||
| Module name | Handle | Description | Copyright | MD5 | Used by processes
| C:\Program Files\Alwil Software\Avast5\defs\11101102\algo.dll | Script: Quarantine, Delete, BC delete 1824063488 | | | -- | 1280
| Modules detected:391, recognized as trusted 390
| | |||||
| Module | Base address | Size in memory | Description | Manufacturer
| C:\Windows\system32\DRIVERS\24752363.sys | Script: Quarantine, Delete, BC delete D229000 | 75F000 (7729152) |
| C:\Windows\system32\DRIVERS\35631669.sys | Script: Quarantine, Delete, BC delete CA49000 | 75F000 (7729152) |
| C:\Windows\System32\Drivers\dump_atapi.sys | Script: Quarantine, Delete, BC delete 43DB000 | 009000 (36864) |
| C:\Windows\System32\Drivers\dump_dumpata.sys | Script: Quarantine, Delete, BC delete 43CF000 | 00C000 (49152) |
| C:\Windows\System32\Drivers\dump_dumpfve.sys | Script: Quarantine, Delete, BC delete 43E4000 | 013000 (77824) |
| C:\Windows\System32\Drivers\sprg.sys | Script: Quarantine, Delete, BC delete 105E000 | 126000 (1204224) |
| Modules detected - 199, recognized as trusted - 193
| | ||||||||||
| Service | Description | Status | File | Group | Dependencies
| Detected - 159, recognized as trusted - 159
| | ||||||
| Service | Description | Status | File | Group | Dependencies
| 24752363 | Driver: Unload, Delete, Disable, BC delete 24752363 | Running | 24752363.sys | Script: Quarantine, Delete, BC delete |
| 35631669 | Driver: Unload, Delete, Disable, BC delete 35631669 | Running | 35631669.sys | Script: Quarantine, Delete, BC delete |
| sptd | Driver: Unload, Delete, Disable, BC delete sptd | Running | C:\Windows\System32\Drivers\sptd.sys | Script: Quarantine, Delete, BC delete Boot Bus Extender |
| catchme | Driver: Unload, Delete, Disable, BC delete catchme | Not started | C:\ComboFix\catchme.sys | Script: Quarantine, Delete, BC delete Base |
| Detected - 252, recognized as trusted - 248
| | ||||||
| File name | Status | Startup method | Description
| C:\6557d091ac9fccef4477258930bc\DW\DW20.exe | Script: Quarantine, Delete, BC delete -- | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\VSSetup, EventMessageFile
| C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\IPSEventLogMsg.dll | Script: Quarantine, Delete, BC delete -- | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Handwriting Recognition, EventMessageFile
| C:\Program Files (x86)\F-Secure\Anti-Virus\minifilter\fsgk.sys | Script: Quarantine, Delete, BC delete -- | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\F-Secure Gatekeeper, EventMessageFile
| C:\Program Files (x86)\F-Secure\Common\AMEHEVN.DLL | Script: Quarantine, Delete, BC delete -- | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\FSecure-FSecure-F-Secure Management Agent, EventMessageFile
| C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE | Script: Quarantine, Delete, BC delete Active | Shortcut in Autoruns folder | C:\Users\Stene\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\, C:\Users\Stene\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Microsoft Outlook.lnk,
| C:\Users\Stene\AppData\Local\Temp\NEventMessages.dll | Script: Quarantine, Delete, BC delete -- | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Nokia M Platform, EventMessageFile
| C:\Users\Stene\AppData\Local\Temp\_uninst_77286306.bat | Script: Quarantine, Delete, BC delete Active | Shortcut in Autoruns folder | C:\Users\Stene\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\, C:\Users\Stene\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_uninst_77286306.lnk,
| C:\Windows\System32\appmgmts.dll | Script: Quarantine, Delete, BC delete Active | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\AppMgmt\Parameters, ServiceDll | Delete C:\Windows\system32\psxss.exe | Script: Quarantine, Delete, BC delete -- | Registry key | HKEY_LOCAL_MACHINE, System\CurrentControlSet\Control\Session Manager\SubSystems, Posix
| auditcse.dll | Script: Quarantine, Delete, BC delete Active | Registry key | HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{f3ccc681-b74c-4060-9f26-cd84525dca2a}, DLLName | Delete rdpclip | Script: Quarantine, Delete, BC delete Active | Registry key | HKEY_LOCAL_MACHINE, System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd, StartupPrograms | Delete Autoruns items detected - 670, recognized as trusted - 659
| | ||||||
| File name | Type | Description | Manufacturer | CLSID
| Toolbar | {32099AAC-C132-4136-9E9A-4E364A424E17} | Delete Extension module | {2670000A-7350-4f3c-8081-5663EE0C6C49} | Delete Extension module | {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} | Delete Elements detected - 6, recognized as trusted - 3
| | |||||||||||||||
| File name | Destination | Description | Manufacturer | CLSID
| F-Prot Shell Extension | {23814B80-52A2-11D0-BC1A-004095606CB9} | Delete ColumnHandler | {7D4D6379-F301-4311-BEBA-E26EB0561882} | Delete ColumnHandler | {F9DB5320-233E-11D1-9F84-707F02C10627} | Delete Elements detected - 43, recognized as trusted - 40
| | |||||||||||||||
| File name | Type | Name | Description | Manufacturer
| localspl.dll | Script: Quarantine, Delete, BC delete Monitor | Local Port |
| FXSMON.DLL | Script: Quarantine, Delete, BC delete Monitor | Microsoft Shared Fax Monitor |
| tcpmon.dll | Script: Quarantine, Delete, BC delete Monitor | Standard TCP/IP Port |
| usbmon.dll | Script: Quarantine, Delete, BC delete Monitor | USB Monitor |
| WSDMon.dll | Script: Quarantine, Delete, BC delete Monitor | WSD Port |
| inetpp.dll | Script: Quarantine, Delete, BC delete Provider | HTTP Print Services |
| Elements detected - 7, recognized as trusted - 1
| | ||||||||||||
| File name | Job name | Job status | Description | Manufacturer
| Elements detected - 4, recognized as trusted - 4
| | ||||||
| Provider | Status | EXE file | Description | GUID
| Detected - 7, recognized as trusted - 7
| | ||||||
| Provider | EXE file | Description
| Detected - 10, recognized as trusted - 10
| | ||||||
| File name | Description | Manufacturer | CLSID | Source URL
| Elements detected - 0, recognized as trusted - 0
| | ||||||
| File name | Description | Manufacturer
| C:\Windows\system32\FlashPlayerCPLApp.cpl | Script: Quarantine, Delete, BC delete Adobe Flash Player Control Panel Applet | Copyright © 1996-2010 Adobe Systems Incorporated. All Rights Reserved. Adobe and Flash are either trademarks or registered trademarks in the United States and/or other countries.
| Elements detected - 19, recognized as trusted - 18
| | ||||||
| File name | Description | Manufacturer | CLSID
| Elements detected - 9, recognized as trusted - 9
| | ||||||
Hosts file record
|
| File name | Type | Description | Manufacturer | CLSID
| mscoree.dll | Script: Quarantine, Delete, BC delete Protocol | Microsoft .NET Runtime Execution Engine () | © Microsoft Corporation. All rights reserved. | {1E66F26B-79EE-11D2-8710-00C04F79ED0D} | Delete mscoree.dll | Script: Quarantine, Delete, BC delete Protocol | Microsoft .NET Runtime Execution Engine () | © Microsoft Corporation. All rights reserved. | {1E66F26B-79EE-11D2-8710-00C04F79ED0D} | Delete mscoree.dll | Script: Quarantine, Delete, BC delete Protocol | Microsoft .NET Runtime Execution Engine () | © Microsoft Corporation. All rights reserved. | {1E66F26B-79EE-11D2-8710-00C04F79ED0D} | Delete Elements detected - 24, recognized as trusted - 21
| | ||||||
| File | Description | Type |
Main script of analysis Windows version: Windows Vista (TM) Ultimate, Build=6000, SP="Service Pack 1" System Restore: enabled >> Services: potentially dangerous service allowed: TermService (@%SystemRoot%\System32\termsrv.dll,-268) >> Services: potentially dangerous service allowed: SSDPSRV (@%systemroot%\system32\ssdpsrv.dll,-100) >> Services: potentially dangerous service allowed: Schedule (@%SystemRoot%\system32\schedsvc.dll,-100) > Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)! >> Security: disk drives' autorun is enabled >> Security: administrative shares (C$, D$ ...) are enabled >> Security: anonymous user access is enabled >> Security: sending Remote Assistant queries is enabled >> Disable HDD autorun >> Disable autorun from network drives >> Disable CD/DVD autorun >> Disable removable media autorun >> Windows Explorer - show extensions of known file types System Analysis in progressAdd commands to script:
System Analysis - complete
Script commands