Kaspersky Virus Removal Tool 11.0.0.1245 (database released 03/12/2011; 19:06)
| File name | PID | Description | Copyright | MD5 | Information |
|---|---|---|---|---|---|
| c:\docume~1\jarda\locals~1\temp\rarsfx0\8785589.exe | 2972 | | | ?? | 700.48 kb, rsAh; created: 03.12.2011 22:20:22, modified: 04.12.2011 00:20:48; Command line: "C:\DOCUME~1\Jarda\LOCALS~1\Temp\RarSFX0\8785589.exe" |
| c:\program files\mouse\amoumain.exe | 492 | | | ?? | 264.00 kb, rsAh; created: 28.06.2010 12:03:02, modified: 19.03.2008 22:51:46; Command line: "C:\Program Files\Mouse\Amoumain.exe" |
| c:\windows\explorer.exe | 1976 | Windows Explorer | © Microsoft Corporation. All rights reserved. | ?? | 1010.00 kb, rsAh; created: 25.10.2001 12:00:00, modified: 14.04.2008 08:52:24; Command line: C:\WINDOWS\Explorer.EXE |
| c:\program files\free download manager\fdm.exe | 1668 | Free Download Manager | Copyright © 2003-2010 | ?? | 3640.05 kb, rsAh; created: 03.06.2010 17:12:56, modified: 28.04.2010 23:28:18; Command line: "C:\Program Files\Free Download Manager\fdm.exe" -autorun |
| c:\program files\srware iron\iron.exe | 2220 | SRWare Iron | Copyright (C) 2006-2009 The Chromium Authors. All Rights Reserved. | ?? | 1184.00 kb, rsAh; created: 14.12.2010 18:47:47, modified: 26.09.2011 23:11:18; Command line: "C:\Program Files\SRWare Iron\iron.exe" --type=extension --lang=cs --force-fieldtest=ConnCountImpact/conn_count_6/ConnnectBackupJobs/ConnectBackupJobsEnabled/DnsImpact/default_enabled_prefetch/DnsParallelism/parallel_default/GlobalSdch/global_enable_sdch/IdleSktToImpact/idle_timeout_10/Prefetch/ContentPrefetchPrerender2/ProxyConnectionImpact/proxy_connections_32/SpdyImpact/npn_with_spdy/SuggestHostPrefix/Default_Prefix/WarmSocketImpact/warmest_socket/ --disable-client-side-phishing-detection --channel=3392.011E9580.1808700889 --ignored=" --type=renderer " /prefetch:3 |
| c:\program files\srware iron\iron.exe | 3336 | SRWare Iron | Copyright (C) 2006-2009 The Chromium Authors. All Rights Reserved. | ?? | 1184.00 kb, rsAh; created: 14.12.2010 18:47:47, modified: 26.09.2011 23:11:18; Command line: "C:\Program Files\SRWare Iron\iron.exe" --type=plugin --plugin-path="C:\Documents and Settings\Jarda\Local Settings\Data aplikací\Chromium\User Data\Default\Extensions\jbolfgndggfhhpbnkgnpjkfhinclbigj\1.0.0_0\npFreemake.dll" --lang=cs --channel=3392.0797CE00.994014229 /prefetch:4 |
| c:\program files\srware iron\iron.exe | 3140 | SRWare Iron | Copyright (C) 2006-2009 The Chromium Authors. All Rights Reserved. | ?? | 1184.00 kb, rsAh; created: 14.12.2010 18:47:47, modified: 26.09.2011 23:11:18; Command line: "C:\Program Files\SRWare Iron\iron.exe" --type=renderer --lang=cs --force-fieldtest=ConnCountImpact/conn_count_6/ConnnectBackupJobs/ConnectBackupJobsEnabled/DnsImpact/default_enabled_prefetch/DnsParallelism/parallel_default/GlobalSdch/global_enable_sdch/IdleSktToImpact/idle_timeout_10/Prefetch/ContentPrefetchPrerender2/ProxyConnectionImpact/proxy_connections_32/SpdyImpact/npn_with_spdy/SuggestHostPrefix/Default_Prefix/WarmSocketImpact/warmest_socket/ --disable-client-side-phishing-detection --channel=3392.08AB4840.1821637052 /prefetch:3 |
| c:\program files\srware iron\iron.exe | 3392 | SRWare Iron | Copyright (C) 2006-2009 The Chromium Authors. All Rights Reserved. | ?? | 1184.00 kb, rsAh; created: 14.12.2010 18:47:47, modified: 26.09.2011 23:11:18; Command line: "C:\Program Files\SRWare Iron\iron.exe" -- "http://www.kaspersky.com/" |
| c:\program files\srware iron\iron.exe | 4020 | SRWare Iron | Copyright (C) 2006-2009 The Chromium Authors. All Rights Reserved. | ?? | 1184.00 kb, rsAh; created: 14.12.2010 18:47:47, modified: 26.09.2011 23:11:18; Command line: "C:\Program Files\SRWare Iron\iron.exe" --type=extension --lang=cs --force-fieldtest=ConnCountImpact/conn_count_6/ConnnectBackupJobs/ConnectBackupJobsEnabled/DnsImpact/default_enabled_prefetch/DnsParallelism/parallel_default/GlobalSdch/global_enable_sdch/IdleSktToImpact/idle_timeout_10/Prefetch/ContentPrefetchPrerender2/ProxyConnectionImpact/proxy_connections_32/SpdyImpact/npn_with_spdy/SuggestHostPrefix/Default_Prefix/WarmSocketImpact/warmest_socket/ --disable-client-side-phishing-detection --channel=3392.011E9160.1497422121 --ignored=" --type=renderer " /prefetch:3 |
| c:\program files\srware iron\iron.exe | 1744 | SRWare Iron | Copyright (C) 2006-2009 The Chromium Authors. All Rights Reserved. | ?? | 1184.00 kb, rsAh; created: 14.12.2010 18:47:47, modified: 26.09.2011 23:11:18; Command line: "C:\Program Files\SRWare Iron\iron.exe" --type=plugin --plugin-path="C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll" --lang=cs --channel=3392.0809D700.882311347 /prefetch:4 |
| c:\program files\srware iron\iron.exe | 216 | SRWare Iron | Copyright (C) 2006-2009 The Chromium Authors. All Rights Reserved. | ?? | 1184.00 kb, rsAh; created: 14.12.2010 18:47:47, modified: 26.09.2011 23:11:18; Command line: "C:\Program Files\SRWare Iron\iron.exe" --type=extension --lang=cs --force-fieldtest=ConnCountImpact/conn_count_6/ConnnectBackupJobs/ConnectBackupJobsEnabled/DnsImpact/default_enabled_prefetch/DnsParallelism/parallel_default/GlobalSdch/global_enable_sdch/IdleSktToImpact/idle_timeout_10/Prefetch/ContentPrefetchPrerender2/ProxyConnectionImpact/proxy_connections_32/SpdyImpact/npn_with_spdy/SuggestHostPrefix/Default_Prefix/WarmSocketImpact/warmest_socket/ --disable-client-side-phishing-detection --channel=3392.011E9840.941396014 --ignored=" --type=renderer " /prefetch:3 |
| c:\program files\srware iron\iron.exe | 4028 | SRWare Iron | Copyright (C) 2006-2009 The Chromium Authors. All Rights Reserved. | ?? | 1184.00 kb, rsAh; created: 14.12.2010 18:47:47, modified: 26.09.2011 23:11:18; Command line: "C:\Program Files\SRWare Iron\iron.exe" --type=extension --lang=cs --force-fieldtest=ConnCountImpact/conn_count_6/ConnnectBackupJobs/ConnectBackupJobsEnabled/DnsImpact/default_enabled_prefetch/DnsParallelism/parallel_default/GlobalSdch/global_enable_sdch/IdleSktToImpact/idle_timeout_10/Prefetch/ContentPrefetchPrerender2/ProxyConnectionImpact/proxy_connections_32/SpdyImpact/npn_with_spdy/SuggestHostPrefix/Default_Prefix/WarmSocketImpact/warmest_socket/ --disable-client-side-phishing-detection --channel=3392.011E96E0.66784938 --ignored=" --type=renderer " /prefetch:3 |
| c:\windows\system32\mmc.exe | 1940 | Microsoft Management Console | © Microsoft Corporation. All rights reserved. | ?? | 1382.00 kb, rsAh; created: 25.10.2001 12:00:00, modified: 14.04.2008 08:52:32; Command line: "C:\WINDOWS\system32\mmc.exe" "C:\WINDOWS\system32\compmgmt.msc" /s |
| c:\program files\panda security\panda cloud antivirus\psunmain.exe | 1284 | Panda Cloud Antivirus | © Panda 2011 | ?? | 429.31 kb, rsAh; created: 28.04.2011 14:01:20, modified: 28.04.2011 14:01:20; Command line: "C:\Program Files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe" /Traybar |
| c:\program files\dbns\screen grabber 2.0\screengrabber.exe | 1584 | DBNSScreenGrabber | Copyright © DBNS 2008 | ?? | 516.00 kb, rsAh; created: 06.03.2008 13:28:50, modified: 06.03.2008 13:28:50; Command line: "C:\Program Files\DBNS\Screen Grabber 2.0\ScreenGrabber.exe" |
| c:\program files\dbns\screen grabber 2.0\screengrabber.exe | 456 | DBNSScreenGrabber | Copyright © DBNS 2008 | ?? | 516.00 kb, rsAh; created: 06.03.2008 13:28:50, modified: 06.03.2008 13:28:50; Command line: "C:\Program Files\DBNS\Screen Grabber 2.0\ScreenGrabber.exe" |
| c:\documents and settings\jarda\plocha\downloads\setup_11.0.0.1245.x01_2011_12_04_00_19.exe | 508 | | | ?? | 102041.02 kb, rsAh; created: 03.12.2011 22:07:24, modified: 03.12.2011 22:13:29; Command line: "C:\Documents and Settings\Jarda\Plocha\Downloads\setup_11.0.0.1245.x01_2011_12_04_00_19.exe" |
| c:\program files\speedfan\speedfan.exe | 2172 | | | ?? | 4506.90 kb, rsAh; created: 13.07.2011 07:33:08, modified: 13.07.2011 07:33:08; Command line: "C:\Program Files\SpeedFan\speedfan.exe" |
| c:\program files\usb safely remove\usbsafelyremove.exe | 2192 | USB and SATA Device Manager | Copyright © 2011 by Crystal Rich Ltd | ?? | 1796.34 kb, rsAh; created: 08.11.2011 20:24:47, modified: 04.08.2011 14:25:20; Command line: "C:\Program Files\USB Safely Remove\USBSafelyRemove.exe" /startup |

Detected - 67, recognized as trusted - 64

| Module name | Handle | Description | Copyright | MD5 | Used by processes |
|---|---|---|---|---|---|
| C:\DOCUME~1\Jarda\LOCALS~1\Temp\sfareca00001.dll | 268435456 | | | -- | 2172 |
| C:\Program Files\Mouse\Amoures.dll | 14024704 | | | -- | 492 |
| C:\Program Files\SRWare Iron\locales\cs.dll | 1022361600 | | | -- | 2220, 3336, 3140, 3392, 4020, 1744, 216, 4028 |
| C:\WINDOWS\system32\Amhooker.dll | 42991616 | | | -- | 2972, 492, 1976, 1668, 3392, 1940, 1284, 1584, 456, 508, 2192 |

Modules detected - 611, recognized as trusted - 607

| Module | Base address | Size in memory | Description | Manufacturer |
|---|---|---|---|---|
| C:\WINDOWS\system32\DRIVERS\Amfilter.sys | F77A7000 | 008000 (32768) | Mouse Filter Driver | (Standard mouse types) 2001-2007 |
| C:\WINDOWS\system32\DRIVERS\Amusbprt.sys | F2C41000 | 009000 (36864) | HID Mouse Filter Driver | (Standard mouse types) 2001-2007 |
| C:\WINDOWS\System32\Drivers\dump_atapi.sys | AD1FA000 | 018000 (98304) | | |
| C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS | F7999000 | 002000 (8192) | | |
| C:\Program Files\Roland\Virtual Sound Canvas VST\RVIEg01VST.sys | A99D3000 | 028000 (163840) | Roland VSC Synthesizer Engine | Copyright (C) 2001 Roland Corporation, All Rights Reserved |
| C:\WINDOWS\system32\Drivers\sptd.sys | F7276000 | 110000 (1114112) | | |

Modules detected - 151, recognized as trusted - 145

| Service | Description | Status | File | Group | Dependencies |
|---|---|---|---|---|---|
| CardBusService | CardBusService | Not started | CardBusService.sys | | |
| ttscp | Text-to-Speech system Epos | Not started | C:\Program Files\Epos\epos-2.4.85\src\epos.exe | | |
| VideoAcceleratorService | VideoAcceleratorService | Not started | C:\PROGRA~1\SpeedBit Video Accelerator\VideoAcceleratorService.exe | | |

Detected - 120, recognized as trusted - 117

| File name | Status | Startup method | Description |
|---|---|---|---|
| "C:\Program Files\Soluto\Debugger\x86\ntsd.exe" -p %ld -e %ld -noio -c "g;g;.dump /u /o /mFhut C:\Documents and Settings\All Users\Data aplikací\Soluto\Dumps\ApplicationDumps\AeDebug.dmp; .kill; q" | -- | Registry key | HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\AeDebug, Debugger |
| (None) | Active | Registry key | HKEY_USERS, .DEFAULT\Control Panel\Desktop, scrnsave.exe |
| (None) | Active | Registry key | HKEY_USERS, S-1-5-18\Control Panel\Desktop, scrnsave.exe |
| C:\Documents and Settings\Jarda\Local Settings\temp\_uninst_63443825.bat | Active | Shortcut in Autoruns folder | C:\Documents and Settings\Jarda\Nabídka Start\Programy\Po spuštění\, C:\Documents and Settings\Jarda\Nabídka Start\Programy\Po spuštění\_uninst_63443825.lnk |
| C:\PROGRA~1\PERFEC~1\CONTEX~1.DLL | Active | Registry key | HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved, {84058084-7609-44D1-B3CC-7A9436CB6D92} |
| C:\Program Files\AmaPro\OnLineSlovnik\onlineslovnik.exe | Active | Shortcut in Autoruns folder | C:\Documents and Settings\Jarda\Data aplikací\Microsoft\Internet Explorer\Quick Launch\, C:\Documents and Settings\Jarda\Data aplikací\Microsoft\Internet Explorer\Quick Launch\On Line Slovník.lnk |
| C:\Program Files\Ashampoo\Ashampoo WinOptimizer 8\DfsdkS.exe | -- | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\DfSdkS, EventMessageFile |
| C:\Program Files\Cepstral\bin\ceptools.cpl | Active | Registry key | HKEY_LOCAL_MACHINE, SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cpls, Cepstral Tools |
| C:\Program Files\Mouse\Amoumain.exe | Active | Registry key | HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, WheelMouse |
| C:\WINDOWS\System32\Drivers\AliIde.sys | -- | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\aliide, EventMessageFile |
| C:\WINDOWS\System32\Drivers\CmdIde.sys | -- | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\cmdide, EventMessageFile |
| C:\WINDOWS\System32\Drivers\IntelIde.sys | -- | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\intelide, EventMessageFile |
| C:\WINDOWS\System32\Drivers\TosIde.sys | -- | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\toside, EventMessageFile |
| C:\WINDOWS\System32\Drivers\ViaIde.sys | -- | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\viaide, EventMessageFile |
| C:\WINDOWS\System32\Drivers\lbrtfdc.sys | -- | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\lbrtfdc, EventMessageFile |
| C:\WINDOWS\System32\drivers\Amusbprt.sys | -- | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Amusbprt, EventMessageFile |
| C:\WINDOWS\System32\drivers\avipbb.sys | -- | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\avipbb, EventMessageFile |
| C:\WINDOWS\System32\drivers\avkmgr.sys | -- | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\avkmgr, EventMessageFile |
| C:\WINDOWS\System32\drivers\dwprot.sys | -- | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\DwProt, EventMessageFile |
| C:\WINDOWS\syst | Active | Registry key | HKEY_LOCAL_MACHINE, SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cpls, PSUNCPL |
| C:\WINDOWS\system32\CTsvcCDA.exe | -- | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Creative Service for CDROM Access, EventMessageFile |
| C:\WINDOWS\system32\HDDSvc.exe | -- | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\HDD Info Service, EventMessageFile |
| C:\WINDOWS\system32\MsSip1.dll | Active | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\WinTrust\SubjectPackages\MS Subjects 1, $DLL |
| C:\WINDOWS\system32\MsSip2.dll | Active | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\WinTrust\SubjectPackages\MS Subjects 2, $DLL |
| C:\WINDOWS\system32\MsSip3.dll | Active | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\WinTrust\SubjectPackages\MS Subjects 3, $DLL |
| C:\WINDOWS\system32\psxss.exe | -- | Registry key | HKEY_LOCAL_MACHINE, System\CurrentControlSet\Control\Session Manager\SubSystems, Posix |
| SDEvents.dll | -- | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Spybot - Search & Destroy 2, EventMessageFile |
| kbd101.dll | Active | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\i8042prt\Parameters, LayerDriver JPN |
| kbd101a.dll | Active | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\i8042prt\Parameters, LayerDriver KOR |
| mvfs32.dll | Active | Registry key | HKEY_USERS, .DEFAULT\Control Panel\IOProcs, MVB |
| mvfs32.dll | Active | Registry key | HKEY_USERS, S-1-5-19\Control Panel\IOProcs, MVB |
| mvfs32.dll | Active | Registry key | HKEY_USERS, S-1-5-20\Control Panel\IOProcs, MVB |
| mvfs32.dll | Active | Registry key | HKEY_USERS, S-1-5-18\Control Panel\IOProcs, MVB |
| mvfs32.dll | Active | Registry key | HKEY_USERS, S-1-5-21-1390067357-1960408961-725345543-1003\Control Panel\IOProcs, MVB |
| vgafix.fon | Active | Registry key | HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\WOW\boot, fixedfon.fon |
| vgaoem.fon | Active | Registry key | HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\WOW\boot, oemfonts.fon |
| vgasys.fon | Active | Registry key | HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\WOW\boot, fonts.fon |

Autoruns items detected - 974, recognized as trusted - 937

| File name | Type | Description | Manufacturer | CLSID |
|---|---|---|---|---|
| | Extension module | | | {2670000A-7350-4f3c-8081-5663EE0C6C49} |
| /C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html | Extension module | | | {320AF880-6646-11D3-ABEE-C5DBF3571F46} |
| /C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html | Extension module | | | {320AF880-6646-11D3-ABEE-C5DBF3571F49} |
| /C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html | Extension module | | | {724d43aa-0d85-11d4-9908-00400523e39a} |
| /C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html | Extension module | | | {92780B25-18CC-41C8-B9BE-3C9C571A8263} |
| | Explorer Bar | | | {C5F7A735-70F1-477F-8C36-6FF3C736017B} |

Elements detected - 26, recognized as trusted - 20

| File name | Destination | Description | Manufacturer | CLSID |
|---|---|---|---|---|
| | HyperTerminal icon extension | | | {88895560-9AA2-1069-930E-00AA0030EBC8} |
| | Taskbar and Start Menu | | | {0DF44EAA-FF21-4412-828E-260A8728E7F1} |
| | User Accounts | | | {7A9D77BD-5403-11d2-8785-2E0420524153} |
| | SmartFolders | | | {684AF5C2-4C42-4756-B1AA-05206B6A70B9} |
| | UPnP devices | | | {e57ce731-33e8-4c51-8354-bb4de9d215d1} |
| | Shell Extension for Malware scanning | | | {45AC2688-0253-4ED8-97DE-B5370FA7D48A} |
| C:\PROGRA~1\PERFEC~1\CONTEX~1.DLL | Context Menu Shell Extension | | | {84058084-7609-44D1-B3CC-7A9436CB6D92} |

Elements detected - 228, recognized as trusted - 221

| File name | Type | Name | Description | Manufacturer |
|---|---|---|---|---|

Elements detected - 9, recognized as trusted - 9
| File name | Job name | Job status | Description | Manufacturer |
|---|---|---|---|---|
| C:\Program Files\ErrorEND\ErrorEND.exe | ErrorEND.job | The task has not yet run. | | |
| C:\Program Files\REGSERVO\RegSERVO.exe | RegSERVO.job | The task has not yet run. | | |
| C:\Program Files\NCH Swift Sound\TwelveKeys\twelvekeys.exe | twelvekeysShakeIcon.job | The task will not run at the scheduled times because it has been disabled. | TwelveKeys Music Transcription Software | NCH Software |

Elements detected - 13, recognized as trusted - 10

| Provider | Status | EXE file | Description | GUID |
|---|---|---|---|---|

Detected - 4, recognized as trusted - 4

| Provider | EXE file | Description |
|---|---|---|

Detected - 19, recognized as trusted - 19

| File name | Description | Manufacturer | CLSID | Source URL |
|---|---|---|---|---|

Elements detected - 8, recognized as trusted - 8

| File name | Description | Manufacturer |
|---|---|---|

Elements detected - 31, recognized as trusted - 31

| File name | Description | Manufacturer | CLSID |
|---|---|---|---|

Elements detected - 15, recognized as trusted - 15

Hosts file record

| File name | Type | Description | Manufacturer | CLSID |
|---|---|---|---|---|
| mscoree.dll | Protocol | Microsoft .NET Runtime Execution Engine () | © Microsoft Corporation. All rights reserved. | {1E66F26B-79EE-11D2-8710-00C04F79ED0D} |
| mscoree.dll | Protocol | Microsoft .NET Runtime Execution Engine () | © Microsoft Corporation. All rights reserved. | {1E66F26B-79EE-11D2-8710-00C04F79ED0D} |
| mscoree.dll | Protocol | Microsoft .NET Runtime Execution Engine () | © Microsoft Corporation. All rights reserved. | {1E66F26B-79EE-11D2-8710-00C04F79ED0D} |
| "C:\Program Files\Common Files\BinarySense\hlAPP.dll" | Handler | (hddlife: pluggable protocol) | | {BD758015-47D9-477A-8873-4B688A2BC0E2} |

Elements detected - 33, recognized as trusted - 29

| File | Description | Type |
|---|---|---|
| R:\autorun.inf | Suspicion by Heuristic analysis | HSC: suspicion for hidden autorun (high degree of probability) |

Main script of analysis

```
Windows version: Microsoft Windows XP, Build=2600, SP="Service Pack 3"
System Restore: enabled
1.1 Searching for user-mode API hooks
Analysis: kernel32.dll, export table found in section .text
IAT modification detected: CreateProcessA - 00BE0010<>7C80236B
IAT modification detected: GetModuleFileNameA - 00BE0080<>7C80B56F
IAT modification detected: FreeLibrary - 00BE00F0<>7C80AC7E
IAT modification detected: GetModuleFileNameW - 00BE0160<>7C80B475
IAT modification detected: CreateProcessW - 00BE01D0<>7C802336
IAT modification detected: LoadLibraryW - 00BE02B0<>7C80AEEB
IAT modification detected: LoadLibraryA - 00BE0320<>7C801D7B
IAT modification detected: GetProcAddress - 00BE0390<>7C80AE40
Analysis: ntdll.dll, export table found in section .text
Analysis: user32.dll, export table found in section .text
Analysis: advapi32.dll, export table found in section .text
Analysis: ws2_32.dll, export table found in section .text
Analysis: wininet.dll, export table found in section .text
Analysis: rasapi32.dll, export table found in section .text
Analysis: urlmon.dll, export table found in section .text
Analysis: netapi32.dll, export table found in section .text
1.2 Searching for kernel-mode API hooks
Driver loaded successfully
SDT found (RVA=085700)
Kernel ntkrnlpa.exe found in memory at address 804D7000
SDT = 8055C700
KiST = 80504480 (284)
Functions checked: 284, intercepted: 0, restored: 0
1.3 Checking IDT and SYSENTER
Analysis for CPU 1
Analysis for CPU 2
CmpCallCallBacks = 00093D84
Disable callback - already neutralized
Checking IDT and SYSENTER - complete
1.4 Searching for masking processes and drivers
Checking not performed: extended monitoring driver (AVZPM) is not installed
1.5 Checking of IRP handlers
Driver loaded successfully
\FileSystem\ntfs[IRP_MJ_CREATE] = 8B63C1E8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_CLOSE] = 8B63C1E8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_WRITE] = 8B63C1E8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_QUERY_INFORMATION] = 8B63C1E8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_SET_INFORMATION] = 8B63C1E8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_QUERY_EA] = 8B63C1E8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_SET_EA] = 8B63C1E8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_QUERY_VOLUME_INFORMATION] = 8B63C1E8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_SET_VOLUME_INFORMATION] = 8B63C1E8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_DIRECTORY_CONTROL] = 8B63C1E8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_FILE_SYSTEM_CONTROL] = 8B63C1E8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_DEVICE_CONTROL] = 8B63C1E8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_LOCK_CONTROL] = 8B63C1E8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_QUERY_SECURITY] = 8B63C1E8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_SET_SECURITY] = 8B63C1E8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_PNP] = 8B63C1E8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_CREATE] = 89B32430 -> hook not defined
\FileSystem\FastFat[IRP_MJ_CLOSE] = 89B32430 -> hook not defined
\FileSystem\FastFat[IRP_MJ_WRITE] = 89B32430 -> hook not defined
\FileSystem\FastFat[IRP_MJ_QUERY_INFORMATION] = 89B32430 -> hook not defined
\FileSystem\FastFat[IRP_MJ_SET_INFORMATION] = 89B32430 -> hook not defined
\FileSystem\FastFat[IRP_MJ_QUERY_EA] = 89B32430 -> hook not defined
\FileSystem\FastFat[IRP_MJ_SET_EA] = 89B32430 -> hook not defined
\FileSystem\FastFat[IRP_MJ_QUERY_VOLUME_INFORMATION] = 89B32430 -> hook not defined
\FileSystem\FastFat[IRP_MJ_SET_VOLUME_INFORMATION] = 89B32430 -> hook not defined
\FileSystem\FastFat[IRP_MJ_DIRECTORY_CONTROL] = 89B32430 -> hook not defined
\FileSystem\FastFat[IRP_MJ_FILE_SYSTEM_CONTROL] = 89B32430 -> hook not defined
\FileSystem\FastFat[IRP_MJ_DEVICE_CONTROL] = 89B32430 -> hook not defined
\FileSystem\FastFat[IRP_MJ_LOCK_CONTROL] = 89B32430 -> hook not defined
\FileSystem\FastFat[IRP_MJ_PNP] = 89B32430 -> hook not defined
Checking - complete
>>> R:\autorun.inf HSC: suspicion for hidden autorun (high degree of probability)
>>> Suspecting the masking of driver/service registry key ".NET Data Provider for SqlServe"
>> Services: potentially dangerous service allowed: RemoteRegistry (Vzdálený registr)
>> Services: potentially dangerous service allowed: TermService (Terminálová služba)
>> Services: potentially dangerous service allowed: SSDPSRV (Služba rozpoznávání pomocí protokolu SSDP)
>> Services: potentially dangerous service allowed: TlntSvr (Telnet)
>> Services: potentially dangerous service allowed: Schedule (Plánovač úloh)
>> Services: potentially dangerous service allowed: mnmsrvc (NetMeeting - Vzdálené sdílení plochy)
>> Services: potentially dangerous service allowed: RDSessMgr (Správce relací nápovědy ke vzdálené ploše)
> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
>> Security: disk drives' autorun is enabled
>> Security: administrative shares (C$, D$ ...) are enabled
>> Security: anonymous user access is enabled
>> Security: sending Remote Assistant queries is enabled
>> Abnormal REG files association
>> Process termination timeout is out of admissible values
>> Service termination timeout is out of admissible values
>> Timeout of "Not Responding" verdict for processes is out of admissible values
>> Disable HDD autorun
>> Disable autorun from network drives
>> Disable CD/DVD autorun
>> Disable removable media autorun
System Analysis in progress
System Analysis - complete
```