Kaspersky Virus Removal Tool 2010 9.0.0.722 (database released 07/04/2011; 09:33)
| File name | PID | Description | Copyright | MD5 | Information
| c:\windows\system32\atwtusb.exe | Script: Quarantine, Delete, BC delete, Terminate 3036 | User Mode Tablet Driver | | ?? | 387.73 kb, rsAh, | created: 19.3.2010 14:32:05, modified: 6.8.2009 17:34:36 Command line: C:\WINDOWS\system32\atwtusb.exe -s c:\windows\system32\atwtusb.exe | Script: Quarantine, Delete, BC delete, Terminate 5820 | User Mode Tablet Driver | | ?? | 387.73 kb, rsAh, | created: 19.3.2010 14:32:05, modified: 6.8.2009 17:34:36 Command line: C:\WINDOWS\system32\atwtusb.exe c:\windows\explorer.exe | Script: Quarantine, Delete, BC delete, Terminate 1024 | Windows Explorer | © Microsoft Corporation. All rights reserved. | ?? | 1009.50 kb, rsAh, | created: 11.8.2004 19:00:13, modified: 14.4.2008 5:42:20 Command line: C:\WINDOWS\Explorer.EXE c:\program files\i8kfangui\i8kfangui.exe | Script: Quarantine, Delete, BC delete, Terminate 2444 | Dell Inspiron/Latitude/Precision fan control | (c) 2001-2006 Christian Diefer | ?? | 816.00 kb, rsAh, | created: 8.9.2006 14:55:00, modified: 8.9.2006 14:55:00 Command line: "C:\Program Files\I8kfanGUI\I8kfanGUI.exe" /startup c:\program files\internet explorer\iexplore.exe | Script: Quarantine, Delete, BC delete, Terminate 4328 | Internet Explorer | © Microsoft Corporation. All rights reserved. | ?? | 623.84 kb, rsAh, | created: 11.8.2004 19:12:49, modified: 8.3.2009 14:09:26 Command line: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:4032 CREDAT:79873 c:\windows\system32\lsass.exe | Script: Quarantine, Delete, BC delete, Terminate 552 | LSA Shell (Export Version) | © Microsoft Corporation. All rights reserved. | ?? | 13.00 kb, rsAh, | created: 11.8.2004 19:00:18, modified: 14.4.2008 5:42:26 Command line: C:\WINDOWS\system32\lsass.exe c:\program files\wip miranda im 1.7.12\miranda32.exe | Script: Quarantine, Delete, BC delete, Terminate 2508 | Miranda IM | Copyright © 2000-2009 Miranda IM Project. This software is released under the terms of the GNU General Public License. | ?? | 675.09 kb, rsAh, | created: 20.7.2009 8:40:22, modified: 19.7.2009 14:19:48 Command line: "C:\Program Files\WIP Miranda IM 1.7.12\miranda32.exe" c:\windows\system32\rundll32.exe | Script: Quarantine, Delete, BC delete, Terminate 4140 | Run a DLL as an App | © Microsoft Corporation. All rights reserved. | ?? | 32.50 kb, rsAh, | created: 11.8.2004 19:00:29, modified: 14.4.2008 5:42:34 Command line: "C:\WINDOWS\system32\RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit c:\program files\ntru cryptosystems\ntru tcg software stack\bin\tcsd_win32.exe | Script: Quarantine, Delete, BC delete, Terminate 2892 | | | ?? | 1516.00 kb, rsAh, | created: 9.11.2007 0:50:10, modified: 9.11.2007 0:50:10 Command line: "C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe" c:\program files\wave systems corp\trusted drive manager\tdmservice.exe | Script: Quarantine, Delete, BC delete, Terminate 2920 | Tdm Service | Copyright © 2007 Wave Systems Corp. All Rights Reserved. | ?? | 720.00 kb, rsAh, | created: 7.9.2007 19:29:04, modified: 7.9.2007 19:29:04 Command line: "C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe" Detected:80, recognized as trusted 76
| | |||||
| Module | Base address | Size in memory | Description | Manufacturer
| C:\WINDOWS\System32\Drivers\dump_atapi.sys | Script: Quarantine, Delete, BC delete B1C82000 | 018000 (98304) |
| C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS | Script: Quarantine, Delete, BC delete BA652000 | 002000 (8192) |
| C:\WINDOWS\system32\drivers\fanio.sys | Script: Quarantine, Delete, BC delete BA3B8000 | 005000 (20480) | I8k Fan I/O | (c) 2001-2006 Christian Diefer
| C:\WINDOWS\System32\Drivers\hiber_WMILIB.SYS | Script: Quarantine, Delete, BC delete BA640000 | 002000 (8192) |
| C:\WINDOWS\system32\DRIVERS\WaveFDE.sys | Script: Quarantine, Delete, BC delete BA390000 | 005000 (20480) | WaveFDE Device Driver | © Microsoft Corporation. All rights reserved.
| C:\WINDOWS\system32\DRIVERS\WavxDMgr.sys | Script: Quarantine, Delete, BC delete AEF4F000 | 028000 (163840) | WavX Document Manager Filter Driver | Copyright (C) 2006 Wave Systems Corp.
| Modules detected - 204, recognized as trusted - 198
| | |||||||
| Service | Description | Status | File | Group | Dependencies
| NIDomainService | Service: Stop, Delete, Disable National Instruments Domain Service | Running | NIDomainService.sys | Script: Quarantine, Delete, BC delete |
| tcsd_win32.exe | Service: Stop, Delete, Disable NTRU TSS v1.2.1.25 TCS | Running | C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe | Script: Quarantine, Delete, BC delete |
| WTService | Service: Stop, Delete, Disable WTService | Running | C:\WINDOWS\system32\atwtusb.exe | Script: Quarantine, Delete, BC delete |
| r_server | Service: Stop, Delete, Disable Remote Administrator Service | Not started | C:\WINDOWS\system32\r_server.exe | Script: Quarantine, Delete, BC delete |
| ekrn | Service: Stop, Delete, Disable ESET Service | Not started | C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe | Script: Quarantine, Delete, BC delete |
| IJOGH | Service: Stop, Delete, Disable IJOGH | Not started | C:\DOCUME~1\Tomi\LOCALS~1\Temp\IJOGH.exe | Script: Quarantine, Delete, BC delete |
| Detected - 132, recognized as trusted - 126
| | ||||||
| File name | Status | Startup method | Description
| C:\Documents and Settings\Tomi\Desktop\DOKUMENTY\Explorer\Exp_sl_new_II.xls | Script: Quarantine, Delete, BC delete Active | Shortcut in Autoruns folder | C:\Documents and Settings\Tomi\Application Data\Microsoft\Internet Explorer\Quick Launch\, C:\Documents and Settings\Tomi\Application Data\Microsoft\Internet Explorer\Quick Launch\Dokumenty.lnk,
| C:\Documents and Settings\Tomi\Desktop\TomiPass-sl-002.kdb | Script: Quarantine, Delete, BC delete Active | Shortcut in Autoruns folder | C:\Documents and Settings\Tomi\Application Data\Microsoft\Internet Explorer\Quick Launch\, C:\Documents and Settings\Tomi\Application Data\Microsoft\Internet Explorer\Quick Launch\TomiPass-sl-002.kdb.lnk,
| C:\Program Files\AISNSIM\AISNSim v3.1.0.exe | Script: Quarantine, Delete, BC delete Active | Shortcut in Autoruns folder | C:\Documents and Settings\Tomi\Application Data\Microsoft\Internet Explorer\Quick Launch\, C:\Documents and Settings\Tomi\Application Data\Microsoft\Internet Explorer\Quick Launch\AISNSim v3.1.0.lnk,
| C:\Program Files\AISNSIM\Resources\AISNSim v3.0.0.exe | Script: Quarantine, Delete, BC delete Active | Shortcut in Autoruns folder | C:\Documents and Settings\Tomi\Application Data\Microsoft\Internet Explorer\Quick Launch\, C:\Documents and Settings\Tomi\Application Data\Microsoft\Internet Explorer\Quick Launch\AISNSim v3.0.0.lnk,
| C:\Program Files\Bonjour\mDNSResponder.exe | Script: Quarantine, Delete, BC delete Active | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Bonjour Service, EventMessageFile | Delete C:\Program Files\CodePad\CodePad.exe | Script: Quarantine, Delete, BC delete Active | Shortcut in Autoruns folder | C:\Documents and Settings\Tomi\Application Data\Microsoft\Internet Explorer\Quick Launch\, C:\Documents and Settings\Tomi\Application Data\Microsoft\Internet Explorer\Quick Launch\CodePad.lnk,
| C:\Program Files\DnsLookup\DNSlookup.exe | Script: Quarantine, Delete, BC delete Active | Shortcut in Autoruns folder | C:\Documents and Settings\Tomi\Application Data\Microsoft\Internet Explorer\Quick Launch\, C:\Documents and Settings\Tomi\Application Data\Microsoft\Internet Explorer\Quick Launch\DNSlookup.lnk,
| C:\Program Files\I8kfanGUI\I8kfanGUI.exe | Script: Quarantine, Delete, BC delete Active | Registry key | HKEY_USERS, S-1-5-21-1284850223-1950775006-3319849090-1005\Software\Microsoft\Windows\CurrentVersion\Run, i8kfangui | Delete C:\Program Files\PBADNS\PBADnsImportGUI.exe | Script: Quarantine, Delete, BC delete Active | Shortcut in Autoruns folder | C:\Documents and Settings\Tomi\Application Data\Microsoft\Internet Explorer\Quick Launch\, C:\Documents and Settings\Tomi\Application Data\Microsoft\Internet Explorer\Quick Launch\PBADnsImportGUI.lnk,
| C:\Program Files\Wave Systems Corp\Gemalto\Access Client\v5\xltCsp.dll | Script: Quarantine, Delete, BC delete Active | Registry key | HKEY_LOCAL_MACHINE, SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Axalto Cryptographic Service Provider, Image Path | Delete C:\Program Files\fred\FredGUI.exe | Script: Quarantine, Delete, BC delete Active | Shortcut in Autoruns folder | C:\Documents and Settings\Tomi\Application Data\Microsoft\Internet Explorer\Quick Launch\, C:\Documents and Settings\Tomi\Application Data\Microsoft\Internet Explorer\Quick Launch\FredGUI.lnk,
| C:\Program Files\hfch\HostflowPackageSwitchChecker.exe | Script: Quarantine, Delete, BC delete Active | Shortcut in Autoruns folder | C:\Documents and Settings\Tomi\Application Data\Microsoft\Internet Explorer\Quick Launch\, C:\Documents and Settings\Tomi\Application Data\Microsoft\Internet Explorer\Quick Launch\HostflowPackageSwitchChecker.lnk,
| C:\Program Files\whoiiiis\WhoIs.exe | Script: Quarantine, Delete, BC delete Active | Shortcut in Autoruns folder | C:\Documents and Settings\Tomi\Application Data\Microsoft\Internet Explorer\Quick Launch\, C:\Documents and Settings\Tomi\Application Data\Microsoft\Internet Explorer\Quick Launch\WhoIs.lnk,
| C:\WINDOWS\Installer\{505AFDC0-5E72-4928-8368-5DEA385E3647}\NewShortcut2.exe | Script: Quarantine, Delete, BC delete Active | Shortcut in Autoruns folder | C:\Documents and Settings\Tomi\Application Data\Microsoft\Internet Explorer\Quick Launch\, C:\Documents and Settings\Tomi\Application Data\Microsoft\Internet Explorer\Quick Launch\PHOTO-PAINT.lnk,
| C:\WINDOWS\System32\PrintFilterPipelineSvc.exe | Script: Quarantine, Delete, BC delete Active | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\PrintFilterPipelineSvc, EventMessageFile | Delete C:\WINDOWS\System32\igmpv2.dll | Script: Quarantine, Delete, BC delete Active | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\IGMPv2, EventMessageFile | Delete C:\WINDOWS\System32\ipbootp.dll | Script: Quarantine, Delete, BC delete Active | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\IPBOOTP, EventMessageFile | Delete C:\WINDOWS\System32\iprip2.dll | Script: Quarantine, Delete, BC delete Active | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\IPRIP2, EventMessageFile | Delete C:\WINDOWS\System32\ospf.dll | Script: Quarantine, Delete, BC delete Active | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\OSPF, EventMessageFile | Delete C:\WINDOWS\System32\ospfmib.dll | Script: Quarantine, Delete, BC delete Active | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\OSPFMib, EventMessageFile | Delete C:\WINDOWS\System32\polagent.dll | Script: Quarantine, Delete, BC delete Active | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\PolicyAgent, EventMessageFile | Delete C:\WINDOWS\System32\tssdis.exe | Script: Quarantine, Delete, BC delete Active | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\TermServSessDir, EventMessageFile | Delete C:\WINDOWS\System32\xltEvLog.dll | Script: Quarantine, Delete, BC delete Active | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Axalto Access Client, EventMessageFile | Delete C:\WINDOWS\system32\KB905474\wgasetup.exe | Script: Quarantine, Delete, BC delete Active | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\WgaSetup, EventMessageFile | Delete C:\WINDOWS\system32\MsSip1.dll | Script: Quarantine, Delete, BC delete Active | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\WinTrust\SubjectPackages\MS Subjects 1, $DLL | Delete C:\WINDOWS\system32\MsSip2.dll | Script: Quarantine, Delete, BC delete Active | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\WinTrust\SubjectPackages\MS Subjects 2, $DLL | Delete C:\WINDOWS\system32\MsSip3.dll | Script: Quarantine, Delete, BC delete Active | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\WinTrust\SubjectPackages\MS Subjects 3, $DLL | Delete C:\WINDOWS\system32\awtqnkhe | Script: Quarantine, Delete, BC delete -- | ? | HKEY_LOCAL_MACHINE, System\CurrentControlSet\Control\Lsa, Authentication Packages
| C:\WINDOWS\system32\drivers\etc\hosts | Script: Quarantine, Delete, BC delete Active | Shortcut in Autoruns folder | C:\Documents and Settings\Tomi\Application Data\Microsoft\Internet Explorer\Quick Launch\, C:\Documents and Settings\Tomi\Application Data\Microsoft\Internet Explorer\Quick Launch\hosts.lnk,
| C:\WINDOWS\system32\psxss.exe | Script: Quarantine, Delete, BC delete -- | Registry key | HKEY_LOCAL_MACHINE, System\CurrentControlSet\Control\Session Manager\SubSystems, Posix
| C:\WINDOWS\system32\stisvc.exe | Script: Quarantine, Delete, BC delete Active | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System, EventMessageFile | Delete C:\WINDOWS\system32\wvauth.dll | Script: Quarantine, Delete, BC delete -- | ? | HKEY_LOCAL_MACHINE, System\CurrentControlSet\Control\Lsa, Authentication Packages
| C:\_Private\INSTALACE\Atlantis_Xtreme_V0.9.1\AXSim.exe | Script: Quarantine, Delete, BC delete Active | Shortcut in Autoruns folder | C:\Documents and Settings\Tomi\Application Data\Microsoft\Internet Explorer\Quick Launch\, C:\Documents and Settings\Tomi\Application Data\Microsoft\Internet Explorer\Quick Launch\AXSim.lnk,
| C:\_Private\INSTALACE\Atlantis_Xtreme_V0.9.1\Zpm_Room.exe | Script: Quarantine, Delete, BC delete Active | Shortcut in Autoruns folder | C:\Documents and Settings\Tomi\Application Data\Microsoft\Internet Explorer\Quick Launch\, C:\Documents and Settings\Tomi\Application Data\Microsoft\Internet Explorer\Quick Launch\Zpm_Room.lnk,
| SDEvents.dll | Script: Quarantine, Delete, BC delete Active | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Spybot - Search & Destroy 2, EventMessageFile | Delete \\Ucetni\office\REGISTRATORSTVI\.cz\Zmena majitele\mustr_cz.doc | Script: Quarantine, Delete, BC delete Active | Shortcut in Autoruns folder | C:\Documents and Settings\Tomi\Application Data\Microsoft\Internet Explorer\Quick Launch\, C:\Documents and Settings\Tomi\Application Data\Microsoft\Internet Explorer\Quick Launch\mustr_cz.lnk,
| kbd101.dll | Script: Quarantine, Delete, BC delete Active | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\i8042prt\Parameters, LayerDriver JPN | Delete kbd101a.dll | Script: Quarantine, Delete, BC delete Active | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\i8042prt\Parameters, LayerDriver KOR | Delete mvfs32.dll | Script: Quarantine, Delete, BC delete Active | Registry key | HKEY_USERS, .DEFAULT\Control Panel\IOProcs, MVB | Delete mvfs32.dll | Script: Quarantine, Delete, BC delete Active | Registry key | HKEY_USERS, S-1-5-19\Control Panel\IOProcs, MVB | Delete mvfs32.dll | Script: Quarantine, Delete, BC delete Active | Registry key | HKEY_USERS, S-1-5-20\Control Panel\IOProcs, MVB | Delete mvfs32.dll | Script: Quarantine, Delete, BC delete Active | Registry key | HKEY_USERS, S-1-5-18\Control Panel\IOProcs, MVB | Delete mvfs32.dll | Script: Quarantine, Delete, BC delete Active | Registry key | HKEY_USERS, S-1-5-21-1284850223-1950775006-3319849090-1005\Control Panel\IOProcs, MVB | Delete tcgcsp.dll | Script: Quarantine, Delete, BC delete Active | Registry key | HKEY_LOCAL_MACHINE, SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Wave TCG Enabled CSP, Image Path | Delete tcgcsp.dll | Script: Quarantine, Delete, BC delete Active | Registry key | HKEY_LOCAL_MACHINE, SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Wave TCG Enabled SChannel CSP, Image Path | Delete vgafix.fon | Script: Quarantine, Delete, BC delete Active | Registry key | HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\WOW\boot, fixedfon.fon | Delete vgaoem.fon | Script: Quarantine, Delete, BC delete Active | Registry key | HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\WOW\boot, oemfonts.fon | Delete vgasys.fon | Script: Quarantine, Delete, BC delete Active | Registry key | HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\WOW\boot, fonts.fon | Delete Autoruns items detected - 679, recognized as trusted - 631
| | ||||||
| File name | Type | Description | Manufacturer | CLSID
| Extension module | {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} | Delete Elements detected - 12, recognized as trusted - 11
| | |||||||||
| File name | Destination | Description | Manufacturer | CLSID
| Display Panning CPL Extension | {42071714-76d4-11d1-8b24-00a0c9068ff3} | Delete Shell extensions for file compression | {764BF0E1-F219-11ce-972D-00AA00A14F56} | Delete Encryption Context Menu | {853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} | Delete Taskbar and Start Menu | {0DF44EAA-FF21-4412-828E-260A8728E7F1} | Delete rundll32.exe C:\WINDOWS\system32\shimgvw.dll,ImageView_COMServer {00E7B358-F65B-4dcf-83DF-CD026B94BFD4} | Script: Quarantine, Delete, BC delete Autoplay for SlideShow | {00E7B358-F65B-4dcf-83DF-CD026B94BFD4} | Delete User Accounts | {7A9D77BD-5403-11d2-8785-2E0420524153} | Delete ICQ Lite Shell Extension | {73B24247-042E-4EF5-ADC2-42F62E6FD654} | Delete CorelDRAW Shell Extension Component |
| Eudora's Shell Extension | {EDB0E980-90BD-11D4-8599-0008C7D3B6F8} | Delete "C:\Program Files\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll" | Script: Quarantine, Delete, BC delete OpenOffice.org Column Handler | {C52AF81D-F7A0-4AAB-8E87-F80A60CCD396} | Delete "C:\Program Files\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll" | Script: Quarantine, Delete, BC delete OpenOffice.org Infotip Handler | {087B3AE3-E237-4467-B8DB-5A38AB959AC9} | Delete "C:\Program Files\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll" | Script: Quarantine, Delete, BC delete OpenOffice.org Property Sheet Handler | {63542C48-9552-494A-84F7-73AA6A7C99C1} | Delete "C:\Program Files\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll" | Script: Quarantine, Delete, BC delete OpenOffice.org Thumbnail Viewer | {3B092F0C-7696-40E3-A80F-68D74DA84210} | Delete AVG Find Extension | {9F97547E-460A-42C5-AE0C-81C61FFAEBC3} | Delete IE User Assist | {FAC3CBF6-8697-43d0-BAB9-DCD1FCE19D75} | Delete "C:\Program Files\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll" | Script: Quarantine, Delete, BC delete ColumnHandler | {C52AF81D-F7A0-4AAB-8E87-F80A60CCD396} | Delete Elements detected - 241, recognized as trusted - 225
| | ||||||||||||||||||||||||||||||||||||||||||||||||
| File name | Type | Name | Description | Manufacturer
| Elements detected - 13, recognized as trusted - 13
| | ||||||
| File name | Job name | Job status | Description | Manufacturer
| C:\Program Files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe | Script: Quarantine, Delete, BC delete Ad-Aware Update (Weekly).job | The task has not yet run. |
| Elements detected - 1, recognized as trusted - 0
| | |||||||
| Provider | Status | EXE file | Description | GUID
| Detected - 3, recognized as trusted - 3
| | ||||||
| Provider | EXE file | Description
| Detected - 23, recognized as trusted - 23
| | ||||||
| File name | Description | Manufacturer | CLSID | Source URL
| Elements detected - 5, recognized as trusted - 5
| | ||||||
| File name | Description | Manufacturer
| C:\WINDOWS\system32\NicConfigSvc.cpl | Script: Quarantine, Delete, BC delete CPL for Internal Network Card Power Management | © 2002 Dell Inc.
| Elements detected - 37, recognized as trusted - 36
| | ||||||
| File name | Description | Manufacturer | CLSID
| Elements detected - 16, recognized as trusted - 16
| | ||||||
Hosts file record
|
| File name | Type | Description | Manufacturer | CLSID
| mscoree.dll | Script: Quarantine, Delete, BC delete Protocol | Microsoft .NET Runtime Execution Engine () | © Microsoft Corporation. All rights reserved. | {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
| mscoree.dll | Script: Quarantine, Delete, BC delete Protocol | Microsoft .NET Runtime Execution Engine () | © Microsoft Corporation. All rights reserved. | {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
| mscoree.dll | Script: Quarantine, Delete, BC delete Protocol | Microsoft .NET Runtime Execution Engine () | © Microsoft Corporation. All rights reserved. | {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
| Elements detected - 32, recognized as trusted - 29
| | ||||||
| File | Description | Type |
Main script of analysis Windows version: Microsoft Windows XP, Build=2600, SP="Service Pack 3" System Restore: enabled 1.1 Searching for user-mode API hooks Analysis: kernel32.dll, export table found in section .text IAT modification detected: CreateProcessA - 00F50010<>7C80236B IAT modification detected: GetModuleFileNameA - 00F50080<>7C80B56F IAT modification detected: GetModuleFileNameW - 00F500F0<>7C80B475 IAT modification detected: CreateProcessW - 00F50160<>7C802336 IAT modification detected: LoadLibraryW - 00F50240<>7C80AEEB IAT modification detected: LoadLibraryA - 00F50320<>7C801D7B IAT modification detected: GetProcAddress - 00F50390<>7C80AE40 IAT modification detected: FreeLibrary - 00F50400<>7C80AC7E Analysis: ntdll.dll, export table found in section .text Analysis: user32.dll, export table found in section .text Analysis: advapi32.dll, export table found in section .text Analysis: ws2_32.dll, export table found in section .text Analysis: wininet.dll, export table found in section .text Analysis: rasapi32.dll, export table found in section .text Analysis: urlmon.dll, export table found in section .text Analysis: netapi32.dll, export table found in section .text 1.2 Searching for kernel-mode API hooks Driver loaded successfully SDT found (RVA=085700) Kernel ntkrnlpa.exe found in memory at address 804D7000 SDT = 8055C700 KiST = 80504480 (284) Functions checked: 284, intercepted: 0, restored: 0 1.3 Checking IDT and SYSENTER Analysis for CPU 1 Analysis for CPU 2 CmpCallCallBacks = 00093D84 Disable callback - óæå íåéòèðàëèçîâàíû Checking IDT and SYSENTER - complete 1.4 Searching for masking processes and drivers Checking not performed: extended monitoring driver (AVZPM) is not installed Driver loaded successfully 1.5 Checking of IRP handlers Checking - complete >> Services: potentially dangerous service allowed: RemoteRegistry (Remote Registry) Error [2, SC_EXT_ADDITEMST] >> Services: potentially dangerous service allowed: TermService (Terminal Services) Error [2, SC_EXT_ADDITEMST] >> Services: potentially dangerous service allowed: SSDPSRV (SSDP Discovery Service) Error [2, SC_EXT_ADDITEMST] >> Services: potentially dangerous service allowed: TlntSvr (Telnet) Error [2, SC_EXT_ADDITEMST] >> Services: potentially dangerous service allowed: Schedule (Task Scheduler) Error [2, SC_EXT_ADDITEMST] >> Services: potentially dangerous service allowed: mnmsrvc (NetMeeting Remote Desktop Sharing) Error [2, SC_EXT_ADDITEMST] >> Services: potentially dangerous service allowed: RDSessMgr (Remote Desktop Help Session Manager) Error [2, SC_EXT_ADDITEMST] > Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)! >> Security: disk drives' autorun is enabled Error [2, SC_EXT_ADDITEMST] >> Security: administrative shares (C$, D$ ...) are enabled Error [2, SC_EXT_ADDITEMST] >> Security: anonymous user access is enabled Error [2, SC_EXT_ADDITEMST] Error [2, SC_EXT_ADDITEMST] >> Security: terminal connections to the PC are allowed Error [2, SC_EXT_ADDITEMST] >> Security: sending Remote Assistant queries is enabled >> Disable HDD autorun >> Disable autorun from network drives >> Disable CD/DVD autorun >> Disable removable media autorun System Analysis in progressAdd commands to script:
System Analysis - complete
Script commands