Results of system analysis

AVZ 4.43 http://z-oleg.com/secur/avz/

Process List

File name | PID | Description | Copyright | MD5 | Information
c:\users\hp\desktop\autologger.exe | 4520 | Automatic log collector | All rights for Autologger reserved by regist & Drongo © Copyright 2013 - 2015 | 1474EE27A1A205557DD2EAF3B884525C | 10893.51 kb, rsAh, created: 06.04.2015 20:56:14, modified: 06.04.2015 04:33:04; Command line: "C:\Users\HP\Desktop\AutoLogger.exe"
Detected - 61, recognized as trusted - 60
Module name | Handle | Description | Copyright | MD5 | Used by processes
Modules found - 517, recognized as trusted - 517

Kernel Space Modules Viewer

Module | Base address | Size in memory | Description | Manufacturer
C:\Windows\System32\Drivers\dump_dumpfve.sys | 81F60000 | 011000 (69632) | |
C:\Windows\System32\Drivers\dump_iaStor.sys | 8DE0A000 | 101000 (1052672) | |
C:\Windows\system32\DRIVERS\rixdptsk.sys | 92723000 | 052000 (335872) | RICOH XD SM Driver | Copyright c 2001-2009, Ricoh Company Ltd.
Modules found - 207, recognized as trusted - 204

Services

Service | Description | Status | File | Group | Dependencies
gupdate | Google Update Service (gupdate) | Not started | C:\Program Files\Google\Update\GoogleUpdate.exe | | RPCSS
gupdatem | Google Update Service (gupdatem) | Not started | C:\Program Files\Google\Update\GoogleUpdate.exe | | RPCSS
Steam Client Service | Steam Client Service | Not started | C:\Program Files\Common Files\Steam\SteamService.exe | |
WiseBootAssistant | Wise Boot Assistant | Not started | C:\Program Files\Wise\Wise Care 365\BootTime.exe | |
Detected - 163, recognized as trusted - 159

Drivers

Service | Description | Status | File | Group | Dependencies
rismxdp | Ricoh xD-Picture Card Driver | Running | C:\Windows\system32\DRIVERS\rixdptsk.sys | SmartMedia/XD |
ATSWPDRV | AuthenTec TruePrint USB Driver (SwipeSensor) | Not started | C:\Windows\system32\DRIVERS\ATSwpDrv.sys | |
VGPU | VGPU | Not started | C:\Windows\system32\drivers\rdvgkmd.sys | |
Detected - 277, recognized as trusted - 274

Autoruns

File name | Status | Startup method | Description
C:\Program Files\Borland\CBuilder6\Bin\bordbg61.exe | -- | Registry key | HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\AeDebug, Debugger
C:\Program Files\Common Files\Steam\SteamService.exe | -- | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Steam Client Service, EventMessageFile
C:\Program Files\Google\Chrome\Application\chrome.exe | Active | Shortcut in Startup folder | C:\Users\HP\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\, C:\Users\HP\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
C:\Windows\System32\drivers\ATSwpDrv.sys | -- | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\ATSWPDRV, EventMessageFile
D:\Program\NLClient\NLClient.exe | Active | Shortcut in Startup folder | C:\Users\HP\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\, C:\Users\HP\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\NLClient.lnk
progman.exe | Active | Registry key | HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\WOW\boot, shell
Autoruns items found - 755, recognized as trusted - 749

Internet Explorer extension modules (BHOs, Toolbars ...)

File name | Type | Description | Manufacturer | CLSID
| Extension module | | | {2670000A-7350-4f3c-8081-5663EE0C6C49}
| Extension module | | | {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}
Items found - 7, recognized as trusted - 5

Windows Explorer extension modules

File name | Destination | Description | Manufacturer | CLSID
Items found - 34, recognized as trusted - 34

Printing system extensions (print monitors, providers)

File name | Type | Name | Description | Manufacturer
Items found - 7, recognized as trusted - 7

Task Scheduler jobs

File name | Job name | Job state | Description | Manufacturer | Path | Command line
C:\Program Files\Driver | Driver Robot.job | The task is ready to run at its next scheduled time. | | | | C:\Program Files\Driver Robot\Driver Robot.lnk --scan --stack=from-scheduler
C:\Program Files\Google\Update\GoogleUpdate.exe | GoogleUpdateTaskMachineCore1cf272df765cabc.job | The task is currently running. | | | | C:\Program Files\Google\Update\GoogleUpdate.exe /c
C:\Program Files\Google\Update\GoogleUpdate.exe | GoogleUpdateTaskMachineCore1d0426b9cb3bcac.job | The task has not yet run. | | | | C:\Program Files\Google\Update\GoogleUpdate.exe /c
C:\Program Files\Google\Update\GoogleUpdate.exe | GoogleUpdateTaskMachineUA1cf8b8bed287aa8.job | The task is ready to run at its next scheduled time. | | | | C:\Program Files\Google\Update\GoogleUpdate.exe /ua /installsource scheduler
C:\Program Files\Driver | Driver Robot | The task is ready to run at its next scheduled time. | | | C:\Windows\system32\Tasks\ | C:\Program Files\Driver Robot\Driver Robot.lnk --scan --stack=from-scheduler
C:\Program Files\Google\Update\GoogleUpdate.exe | GoogleUpdateTaskMachineCore1cf272df765cabc | The task is ready to run at its next scheduled time. | | | C:\Windows\system32\Tasks\ | C:\Program Files\Google\Update\GoogleUpdate.exe /c
C:\Program Files\Google\Update\GoogleUpdate.exe | GoogleUpdateTaskMachineCore1d0426b9cb3bcac | The task is ready to run at its next scheduled time. | | | C:\Windows\system32\Tasks\ | C:\Program Files\Google\Update\GoogleUpdate.exe /c
C:\Program Files\Google\Update\GoogleUpdate.exe | GoogleUpdateTaskMachineUA1cf8b8bed287aa8 | The task is ready to run at its next scheduled time. | | | C:\Windows\system32\Tasks\ | C:\Program Files\Google\Update\GoogleUpdate.exe /ua /installsource scheduler
C:\Users\HP\AppData\Local\Mail.Ru\MailRuUpdater.exe | MailRuUpdateTask | The task is ready to run at its next scheduled time. | | | C:\Windows\system32\Tasks\ | C:\Users\HP\AppData\Local\Mail.Ru\MailRuUpdater.exe --scheduler
aitagent | AitAgent | The task is ready to run at its next scheduled time. | | | C:\Windows\system32\Tasks\Microsoft\Windows\Application Experience\ | aitagent
C:\Windows\ehome\mcupdate | mcupdate | The task is ready to run at its next scheduled time. | | | C:\Windows\system32\Tasks\Microsoft\Windows\Media Center\ | %SystemRoot%\ehome\mcupdate $(Arg0)
C:\Windows\ehome\ehrec | RecordingRestart | The task is ready to run at its next scheduled time. | | | C:\Windows\system32\Tasks\Microsoft\Windows\Media Center\ | %SystemRoot%\ehome\ehrec /RestartRecording
C:\Windows\ehome\ehrec | StartRecording | The task is ready to run at its next scheduled time. | | | C:\Windows\system32\Tasks\Microsoft\Windows\Media Center\ | %SystemRoot%\ehome\ehrec /StartRecording
C:\Program Files\Enigma Software Group\SpyHunter\Spyhunter4.exe | SpyHunter4Startup | The task is ready to run at its next scheduled time. | | | C:\Windows\system32\Tasks\ | "C:\Program Files\Enigma Software Group\SpyHunter\Spyhunter4.exe" /s
C:\Users\HP\Downloads\g2m_codec.exe | {B37FDF90-6292-4BBE-A35F-1D72E7BC1CAA} | The task is ready to run at its next scheduled time. | GoToMeeting Installer Extractor | Copyright © 1997-2014 Citrix Systems, Inc. | C:\Windows\system32\Tasks\ | C:\Windows\system32\pcalua.exe -a C:\Users\HP\Downloads\g2m_codec.exe -d C:\Users\HP\Downloads
C:\Program Files\Uninstall Information\97\4446\uninstall.exe | {BF5F8BD7-E085-42F2-8D3D-A1BE3806A7E6} | The task is ready to run at its next scheduled time. | | | C:\Windows\system32\Tasks\ | C:\Windows\system32\pcalua.exe -a "C:\Program Files\Uninstall Information\97\4446\uninstall.exe" -d "C:\Program Files\Uninstall Information\97\4446"
C:\Program Files\Uninstall Information\97\4446 | {BF5F8BD7-E085-42F2-8D3D-A1BE3806A7E6} | The task is ready to run at its next scheduled time. | | | C:\Windows\system32\Tasks\ | C:\Windows\system32\pcalua.exe -a "C:\Program Files\Uninstall Information\97\4446\uninstall.exe" -d "C:\Program Files\Uninstall Information\97\4446"
D:\гамес\mu\Bless MuOnline Orion Project.exe | {FE074CB2-9880-42A7-94A4-E672602BA712} | The task is ready to run at its next scheduled time. | | | C:\Windows\system32\Tasks\ | C:\Windows\system32\pcalua.exe -a "D:\гамес\mu\Bless MuOnline Orion Project.exe" -d D:\гамес\mu
D:\гамес\mu | {FE074CB2-9880-42A7-94A4-E672602BA712} | The task is ready to run at its next scheduled time. | | | C:\Windows\system32\Tasks\ | C:\Windows\system32\pcalua.exe -a "D:\гамес\mu\Bless MuOnline Orion Project.exe" -d D:\гамес\mu
Items found - 81, recognized as trusted - 62

SPI/LSP settings

Namespace providers (NSP)
Manufacturer | Status | EXE file | Description | GUID
Detected - 7, recognized as trusted - 7
Transport protocol providers (TSP, LSP)
Manufacturer | EXE file | Description
Detected - 25, recognized as trusted - 25
Results of automatic SPI settings check
LSP settings checked. No errors detected

TCP/UDP ports

Port | Status | Remote Host | Remote Port | Application | Notes
TCP ports
139 | LISTENING | 0.0.0.0 | 0 | [4] System.exe |
445 | LISTENING | 0.0.0.0 | 0 | [4] System.exe |
50303 | TIME_WAIT | 5.105.142.47 | 6024 | [0] |
50304 | TIME_WAIT | 151.29.136.1228359 (remote host and port run together in the source) | [0] |
50307 | TIME_WAIT | 141.101.31.212 | 48318 | [0] |
50322 | TIME_WAIT | 173.194.116.255 | 80 | [0] |
50323 | TIME_WAIT | 173.194.116.255 | 80 | [0] |
UDP ports
137 | LISTENING | -- | -- | [4] System.exe |
138 | LISTENING | -- | -- | [4] System.exe |

Downloaded Program Files (DPF)

File name | Description | Manufacturer | CLSID | Source URL
Items found - 0, recognized as trusted - 0

Control Panel Applets (CPL)

File name | Description | Manufacturer
Items found - 22, recognized as trusted - 22

Active Setup

File name | Description | Manufacturer | CLSID
C:\Program Files\Google\Chrome\Application\41.0.2272.118\Installer\chrmstp.exe | | | {8A69D345-D564-463c-AFF1-A69D9E530F96}
Items found - 10, recognized as trusted - 9

HOSTS file

Hosts file record

Protocols and handlers

File name | Type | Description | Manufacturer | CLSID
mscoree.dll | Protocol | Microsoft .NET Runtime Execution Engine () | © Microsoft Corporation. All rights reserved. | {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
mscoree.dll | Protocol | Microsoft .NET Runtime Execution Engine () | © Microsoft Corporation. All rights reserved. | {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
mscoree.dll | Protocol | Microsoft .NET Runtime Execution Engine () | © Microsoft Corporation. All rights reserved. | {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
Items found - 18, recognized as trusted - 15

Shared resources

Network name | Path | Notes
ADMIN$ | C:\Windows | Remote Admin
C$ | C:\ | Default share
D$ | D:\ | Default share
IPC$ | | Remote IPC

Suspicious objects

File | Description | Type
C:\Windows\system32\DRIVERS\ehdrv.sys | Suspicion for Rootkit | Kernel-mode hook


AVZ Antiviral Toolkit log; AVZ version is 4.43
Scanning started at 07.04.2015 20:46:25
Database loaded: signatures - 297605, NN profile(s) - 2, malware removal microprograms - 56, signature database released 06.04.2015 04:00
Heuristic microprograms loaded: 410
PVS microprograms loaded: 9
Digital signatures of system files loaded: 729510
Heuristic analyzer mode: Medium heuristics mode
Malware removal mode: disabled
Windows version is: 6.1.7601, Service Pack 1 "Windows 7 Ultimate" ; AVZ is run with administrator rights
System Restore: enabled
1. Searching for Rootkits and other software intercepting API functions
1.1 Searching for user-mode API hooks
 Analysis: kernel32.dll, export table found in section .text
 Analysis: ntdll.dll, export table found in section .text
 Analysis: user32.dll, export table found in section .text
 Analysis: advapi32.dll, export table found in section .text
 Analysis: ws2_32.dll, export table found in section .text
 Analysis: wininet.dll, export table found in section .text
 Analysis: rasapi32.dll, export table found in section .text
 Analysis: urlmon.dll, export table found in section .text
 Analysis: netapi32.dll, export table found in section .text
1.2 Searching for kernel-mode API hooks
 Driver loaded successfully
 SDT found (RVA=16A9C0)
 Kernel ntkrnlpa.exe found in memory at address 82C01000
   SDT = 82D6B9C0
   KiST = 82C7FD9C (401)
Function NtCreateThread (57) intercepted (82EDEC02->90B0E260), hook C:\Windows\system32\DRIVERS\ehdrv.sys, driver recognized as trusted
Function NtLoadDriver (9B) intercepted (82DC8B78->90B0E320), hook C:\Windows\system32\DRIVERS\ehdrv.sys, driver recognized as trusted
Function NtSetSystemInformation (15E) intercepted (82E510EE->90B0E2E0), hook C:\Windows\system32\DRIVERS\ehdrv.sys, driver recognized as trusted
Function NtSystemDebugControl (170) intercepted (82E88464->90B0E2A0), hook C:\Windows\system32\DRIVERS\ehdrv.sys, driver recognized as trusted
Functions checked: 401, intercepted: 4, restored: 0
1.3 Checking IDT and SYSENTER
 Analyzing CPU 1
 Analyzing CPU 2
 Checking IDT and SYSENTER - complete
1.4 Searching for masking processes and drivers
 Checking not performed: extended monitoring driver (AVZPM) is not installed
1.5 Checking IRP handlers
 Driver loaded successfully
 Checking - complete
2. Scanning RAM
 Number of processes found: 63
 Number of modules loaded: 528
Scanning RAM - complete
3. Scanning disks
4. Checking  Winsock Layered Service Provider (SPI/LSP)
 LSP settings checked. No errors detected
5. Searching for keyboard/mouse/windows events hooks (Keyloggers, Trojan DLLs)
6. Searching for opened TCP/UDP ports used by malicious software
 Checking - disabled by user
7. Heuristic system check
Hidden startup suspected:  HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ShadowPlay="C:\Windows\system32\rundll32.exe C:\Windows\system32\nvspcap.dll,ShadowPlayOnSystemStart"
Checking - complete
8. Searching for vulnerabilities
>> Services: potentially dangerous service allowed: TermService (Remote Desktop Services)
>> Services: potentially dangerous service allowed: SSDPSRV (SSDP Discovery)
>> Services: potentially dangerous service allowed: Schedule (Планувальник завдань)
> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
>> Security: disk drives' autorun is enabled
>> Security: administrative shares (C$, D$ ...) are enabled
>> Security: anonymous user access is enabled
>> Security: sending Remote Assistant queries is enabled
Checking - complete
9. Troubleshooting wizard
 >>  HDD autorun is allowed
 >>  Network drives autorun is allowed
 >>  Removable media autorun is allowed
Checking - complete
Files scanned: 591, extracted from archives: 0, malicious software found 0, suspicions - 0
Scanning finished at 07.04.2015 20:47:22
Time of scanning: 00:00:59
If you have a suspicion on presence of viruses or questions on the suspected objects,
you can address http://forum.kaspersky.com/index.php?showforum=19
For automatic scanning of files from the AVZ quarantine you can use the service http://virusdetector.ru/
System Analysis in progress
Network diagnostics
 DNS and Ping test
  Host="yandex.ru", IP="87.250.251.11,77.88.21.11,93.158.134.8,87.250.250.8", Ping=Error (11010,0,0.0.0.0)
  Host="google.ru", IP="173.194.116.255,173.194.116.247,173.194.116.248,173.194.116.239", Ping=Error (11010,0,0.0.0.0)
  Host="google.com", IP="173.194.116.228,173.194.116.231,173.194.116.224,173.194.116.229,173.194.116.232,173.194.116.227,173.194.116.230,173.194.116.233,173.194.116.238,173.194.116.225,173.194.116.226", Ping=Error (11010,0,0.0.0.0)
  Host="www.kaspersky.com", IP="77.74.178.16", Ping=Error (11010,0,0.0.0.0)
  Host="www.kaspersky.ru", IP="4.59.181.212", Ping=Error (11010,0,0.0.0.0)
  Host="dnl-03.geo.kaspersky.com", IP="94.75.236.122", Ping=Error (11010,0,0.0.0.0)
  Host="dnl-11.geo.kaspersky.com", IP="38.117.98.199", Ping=Error (11010,0,0.0.0.0)
  Host="activation-v2.kaspersky.com", IP="212.5.89.37", Ping=Error (11010,0,0.0.0.0)
  Host="odnoklassniki.ru", IP="217.20.147.94", Ping=Error (11010,0,0.0.0.0)
  Host="vk.com", IP="87.240.143.241,87.240.131.97,87.240.131.99", Ping=Error (11010,0,0.0.0.0)
  Host="vkontakte.ru", IP="95.213.4.247,95.213.4.248,95.213.4.241", Ping=Error (11010,0,0.0.0.0)
  Host="twitter.com", IP="185.45.5.32,185.45.5.43", Ping=Error (11010,0,0.0.0.0)
  Host="facebook.com", IP="173.252.120.6", Ping=Error (11010,0,0.0.0.0)
  Host="ru-ru.facebook.com", IP="31.13.93.3", Ping=Error (11010,0,0.0.0.0)
 Network IE settings
  IE setting AutoConfigURL=
  IE setting AutoConfigProxy=wininet.dll
  IE setting ProxyOverride=
  IE setting ProxyServer=
  IE setting Internet\ManualProxies=
 Network TCP/IP settings
 Network Persistent Routes

System Analysis - complete