by JenzAgem » February 21st, 2012, 1:51 am
Results of system analysis
Kaspersky Virus Removal Tool 11.0.0.1245 (database released 20/02/2012; 14:23)
List of processes
File name  PID  Description  Copyright  MD5  Information
agr64svc.exe  1492  ??  error getting file info
ALU.exe  1072  ??  error getting file info
c:\program files (x86)\newtech infosystems\acer backup manager\backupmanagertray.exe  472  Acer Backup Manager  Copyright (C) 2009, NewTech Infosystems, Inc. All rights reserved.  ??  255.75 kb, rsAh, created: 20.08.2009 16:25:56, modified: 20.08.2009 16:25:56
  Command line: "C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe" -h -k
bdagent.exe  2216  ??  error getting file info
caller64.exe  5072  ??  error getting file info
ePowerEvent.exe  4856  ??  error getting file info
ePowerSvc.exe  1616  ??  error getting file info
ePowerTray.exe  4020  ??  error getting file info
mcsacore.exe  1468  ??  error getting file info
RAVCpl64.exe  3924  ??  error getting file info
safeboxservice.exe  2340  ??  error getting file info
SynTPEnh.exe  3936  ??  error getting file info
SynTPHelper.exe  3520  ??  error getting file info
TrustedInstaller.exe  4192  ??  error getting file info
updatesrv.exe  2468  ??  error getting file info
vsserv.exe  832  ??  error getting file info
wmpnetwk.exe  4628  ??  error getting file info
Detected:69, recognized as trusted 53
Module name  Handle  Description  Copyright  MD5  Used by processes
C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\MUI\0409\lang.dll  268435456  Acer Backup Manager  Copyright (C) 2009, NewTech Infosystems, Inc. All rights reserved.  --  472
Modules detected:288, recognized as trusted 287
Kernel Space Modules Viewer
Module  Base address  Size in memory  Description  Manufacturer
C:\Windows\System32\Drivers\dump_dumpfve.sys  99EA000  013000 (77824)
C:\Windows\System32\Drivers\dump_iaStor.sys  34CA000  11C000 (1163264)
Modules detected - 164, recognized as trusted - 162
Services
Service Description Status File Group Dependencies
Detected - 162, recognized as trusted - 162
Drivers
Service  Description  Status  File  Group  Dependencies
DgiVecp  DgiVecp  Not started  C:\Windows\system32\Drivers\DgiVecp.sys
RtsUIR  Realtek IR Driver  Not started  C:\Windows\system32\DRIVERS\Rts516xIR.sys
SSPORT  SSPORT  Not started  C:\Windows\system32\Drivers\SSPORT.sys
USBCCID  Realtek Smartcard Reader Driver  Not started  C:\Windows\system32\DRIVERS\RtsUCcid.sys
Detected - 258, recognized as trusted - 254
Autoruns
File name  Status  Startup method  Description
C:\Program Files (x86)\McAfee\VirusScan\NAIEvent.dll  --  Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\McLogEvent, EventMessageFile
C:\Program Files\Common Files\Bitdefender\eventlog.dll  --  Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Arrakis3, EventMessageFile
C:\Users\Jenna\AppData\Local\Temp\_uninst_60792897.bat  Active  Shortcut in Autoruns folder C:\Users\Jenna\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\, C:\Users\Jenna\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_uninst_60792897.lnk,
C:\Windows\system32\psxss.exe  --  Registry key HKEY_LOCAL_MACHINE, System\CurrentControlSet\Control\Session Manager\SubSystems, Posix
auditcse.dll  Active  Registry key HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{f3ccc681-b74c-4060-9f26-cd84525dca2a}, DLLName
igfxdev.dll  Active  Registry key HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui, DLLName
rdpclip  Active  Registry key HKEY_LOCAL_MACHINE, System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd, StartupPrograms
Autoruns items detected - 566, recognized as trusted - 559
Microsoft Internet Explorer extension modules (BHOs, Toolbars ...)
File name Type Description Manufacturer CLSID
Elements detected - 7, recognized as trusted - 7
Windows Explorer extension modules
File name  Destination  Description  Manufacturer  CLSID
WebCheck  {E6FB5E20-DE35-11CF-9C87-00AA005127ED}
ColumnHandler  BDFVCtxMenuExt
ColumnHandler  {F9DB5320-233E-11D1-9F84-707F02C10627}
Elements detected - 26, recognized as trusted - 23
Printing system extensions (print monitors, providers)
File name  Type  Name  Description  Manufacturer
cl31cl6.dll  Monitor  CL31C Langmon
localspl.dll  Monitor  Local Port
FXSMON.DLL  Monitor  Microsoft Shared Fax Monitor
tcpmon.dll  Monitor  Standard TCP/IP Port
usbmon.dll  Monitor  USB Monitor
WSDMon.dll  Monitor  WSD Port
inetpp.dll  Provider  HTTP Print Services
Elements detected - 8, recognized as trusted - 1
Task Scheduler jobs
File name Job name Job status Description Manufacturer
Elements detected - 3, recognized as trusted - 3
SPI/LSP settings
Namespace providers (NSP) Provider Status EXE file Description GUID
Detected - 6, recognized as trusted - 6
Transport protocol providers (TSP, LSP) Provider EXE file Description
Detected - 10, recognized as trusted - 10
Results of automatic SPI settings check: LSP settings checked. No errors detected
TCP/UDP ports
Port  Status  Remote Host  Remote Port  Application  Notes
TCP ports
135  LISTENING  0.0.0.0  0  [884] svchost.exe
139  LISTENING  0.0.0.0  0  [4] System
445  LISTENING  0.0.0.0  0  [4] System
554  LISTENING  0.0.0.0  0  [4628] wmpnetwk.exe
2869  LISTENING  0.0.0.0  0  [4] System
3939  LISTENING  0.0.0.0  0  [4] System
5151  LISTENING  0.0.0.0  0  [2292] c:\program files (x86)\newtech infosystems\nti backup now 5\schedulersvc.exe
5357  TIME_WAIT  127.0.0.1  49353  [0]
5357  TIME_WAIT  127.0.0.1  49354  [0]
5357  LISTENING  0.0.0.0  0  [4] System
8093  LISTENING  0.0.0.0  0  [1180] c:\program files (x86)\acer\registration\greghsrw.exe
10243  LISTENING  0.0.0.0  0  [4] System
24961  LISTENING  0.0.0.0  0  [832] vsserv.exe
27827  LISTENING  0.0.0.0  0  [832] vsserv.exe
38928  LISTENING  0.0.0.0  0  [832] vsserv.exe
48752  LISTENING  0.0.0.0  0  [2468] updatesrv.exe
49152  LISTENING  0.0.0.0  0  [556] wininit.exe
49153  LISTENING  0.0.0.0  0  [968] svchost.exe
49154  LISTENING  0.0.0.0  0  [404] svchost.exe
49163  LISTENING  0.0.0.0  0  [632] lsass.exe
49176  LISTENING  0.0.0.0  0  [616] services.exe
49177  LISTENING  0.0.0.0  0  [3440] svchost.exe
49178  LISTENING  0.0.0.0  0  [1348] spoolsv.exe
51099  LISTENING  0.0.0.0  0  [2340] safeboxservice.exe
57322  LISTENING  0.0.0.0  0  [832] vsserv.exe
65046  LISTENING  0.0.0.0  0  [832] vsserv.exe
UDP ports
137  LISTENING  --  --  [4] System
138  LISTENING  --  --  [4] System
500  LISTENING  --  --  [404] svchost.exe
1900  LISTENING  --  --  [1540] svchost.exe
1900  LISTENING  --  --  [1540] svchost.exe
3544  LISTENING  --  --  [404] svchost.exe
3702  LISTENING  --  --  [1036] svchost.exe
3702  LISTENING  --  --  [1036] svchost.exe
3702  LISTENING  --  --  [1540] svchost.exe
3702  LISTENING  --  --  [1540] svchost.exe
4500  LISTENING  --  --  [404] svchost.exe
5004  LISTENING  --  --  [4628] wmpnetwk.exe
5005  LISTENING  --  --  [4628] wmpnetwk.exe
5355  LISTENING  --  --  [1236] svchost.exe
10000  LISTENING  --  --  [832] vsserv.exe
50317  LISTENING  --  --  [1540] svchost.exe
50318  LISTENING  --  --  [1540] svchost.exe
50609  LISTENING  --  --  [1036] svchost.exe
50868  LISTENING  --  --  [1036] svchost.exe
52845  LISTENING  --  --  [1540] svchost.exe
55427  LISTENING  --  --  [404] svchost.exe
Downloaded Program Files (DPF)
File name Description Manufacturer CLSID Source URL
Elements detected - 1, recognized as trusted - 1
Control Panel Applets (CPL)
File name Description Manufacturer
Elements detected - 18, recognized as trusted - 18
Active Setup
File name Description Manufacturer CLSID
Elements detected - 9, recognized as trusted - 9
HOSTS file
Hosts file record
Protocols and handlers
File name  Type  Description  Manufacturer  CLSID
mscoree.dll  Protocol  Microsoft .NET Runtime Execution Engine ()  © Microsoft Corporation. All rights reserved.  {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
mscoree.dll  Protocol  Microsoft .NET Runtime Execution Engine ()  © Microsoft Corporation. All rights reserved.  {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
mscoree.dll  Protocol  Microsoft .NET Runtime Execution Engine ()  © Microsoft Corporation. All rights reserved.  {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
Elements detected - 15, recognized as trusted - 12
Suspicious objects
File Description Type
--------------------------------------------------------------------------------
Main script of analysis
Windows version: Windows 7 Home Premium, Build=7600, SP=""
System Restore: enabled
>> Services: potentially dangerous service allowed: TermService (@%SystemRoot%\System32\termsrv.dll,-268)
>> Services: potentially dangerous service allowed: SSDPSRV (@%systemroot%\system32\ssdpsrv.dll,-100)
>> Services: potentially dangerous service allowed: Schedule (@%SystemRoot%\system32\schedsvc.dll,-100)
> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
>> Security: disk drives' autorun is enabled
>> Security: administrative shares (C$, D$ ...) are enabled
>> Security: anonymous user access is enabled
>> Security: sending Remote Assistant queries is enabled
>> Disable HDD autorun
>> Disable autorun from network drives
>> Disable CD/DVD autorun
>> Disable removable media autorun
>> Windows Explorer - show extensions of known file types
System Analysis in progress
System Analysis - complete
File list