
The UVK log is created in the Scan & create log section and contains complete information about your system, written in a special way so that both users and UVK can understand each line and know what to do with it.

The log's header has information about UVK, the operating system and Internet explorer installed versions, current date and time, UVK immunized areas, CPU, hard drives, and memory size and free space:
=========================== UVK Scan log file ===========================

System Info:

UVK version: 4.1.0.0
Windows version: Microsoft windows 7 X64 Build 7601 Service Pack 1
I.E. Version: 9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)
Time & date: 18:01 24/04/2012
System drive: C: 165.61 GB free of 356.28 GB.

D: 65.15 GB free of 96.68 GB.
E: 31.33 MB free of 100 MB.

WMI state: OK
UVK immunized areas: 0|1|2|4|6|7|8|9|11|12|13|14|15|16|18|19|

Processor: Intel(R) Core(TM) i3 CPU M 330 @ 2.13GHz
L2 Cache size: 256 Current processor usage: 19%

Computer name: FRED-PC. Logged on user: Fred. Number of users: 2.
Physical memory: Total: 3.86 GB. Free: 2.54 GB.
Virtual memory: Total: 7.73 GB. Free: 6.31 GB.
Last boot up time: 04/24/2012 17:10:25. Boot type: Normal boot

UVK scan mode: Verify file signatures, don't show Microsoft files, include file MD5 hash.

========================= End of System Info. ========================

The first thing UVK checks is whether a file named autorun.inf exists in the root of any fixed partition. These files are commonly used by rootkits to run their infected files each time you open the partition's root in Windows Explorer.

If UVK finds one of these files, it will tell you its location, the file it points to, its description and its signature.

UVK will then check the state of the executable file extensions. If you notice that an extension is damaged, or an autorun.inf was found, you can fix it by pasting the corresponding line into a UVK script or directly on the Execute commands screen.


Searching for "autorun.inf" on HD partitions root...

Mode | autorun.inf | Destination file | Description

<Autorun.inf> | C:\autorun.inf | C:\Windows\Setup.exe | No description


Executable file extensions state (Mode | Extension | Association | Command):

<FileExtension> | .exe | exefile | "%1" %*
<FileExtension> | .msi | Msi.Package | "%SystemRoot%\System32\msiexec.exe" /i "%1" %*
<FileExtension> | .reg | regfile | regedit.exe "%1"
<FileExtension> | .bat | batfile | "%1" %*
<FileExtension> | .cmd | cmdfile | "%1" %*
<FileExtension> | .com | comfile | "%1" %*
<FileExtension> | .vbs | VBSFile | %SystemRoot%\System32\WScript.exe "%1" %*


============================ End of Executable file extensions state.============================


How do you know if a file extension is corrupted? In the table above, no file extension is corrupted, so simply compare your results with these lines.

The rest of the log contains the information you chose to include when you made the scan using Scan & create log.

Each scanned area is headed by its title and format description. Example:

Startup entries:

 Format: Mode | Name | Destination file | Description | MD5 hash | File signature

The title says that the following lines are the programs that run automatically on Windows startup.

The format description tells how each line is organized, so you and UVK can identify the items it contains:
Mode: Coded word that tells UVK where the line's registry entries and files are placed.
Name: Name of the registry entry that runs the file on Windows startup, or the name of the startup folder's shortcut.
Destination file: The file that the registry entry or shortcut points to.
Description: The file's description, taken from the file's version resource.
MD5 hash: The file's MD5 hash.
File signature: Tells whether the file is signed and gives the publisher's name. Check File signatures for more info.

The mode is very important. Without it, UVK wouldn't know what to do with the information contained in the line.

Below are all possible modes (depending on OS version and architecture) and their reference:

<Autorun.inf> Refers to an Autorun.inf file found in a partition's root.
<FileExtension> Refers to an executable file extension.
<RunningProcess> Refers to a running process.
<MemoryModules> Memory object used by a process.
<Winlogon> Hijacked Winlogon entries.
<HKLM...Run> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
<HKLM...RunOnce> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce.
<HKLM...RunOnceEx> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
<HKLMW6432...Run> Same as <HKLM...Run> but in Wow6432Node (64 bit OS).
<HKLMW6432...RunOnce> Same as <HKLM...RunOnce> but in Wow6432Node (64 bit OS).
<HKLMW6432...RunOnceEx> Same as <HKLM...RunOnceEx> but in Wow6432Node (64 bit OS).
<HKCU...Run> HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.
<HKCU...RunOnce> HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce.
<HKCU...RunOnceEx> HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnceEx.
<StartupFolder> Current user's startup folder.
<CommonStartupFolder> All users startup folder.
<IEStartPages> Internet explorer start pages.
<BHO> Browser helper objects.
<BHOW6432> Browser helper objects in Wow6432Node (64 bit OS).
<HKLM...IEToolbar> HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar
<HKCU...IEToolbar> HKCU\SOFTWARE\Microsoft\Internet Explorer\Toolbar
<HKLM6432...IEToolbar> HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar
<UrlSearchHooks> Internet explorer url search hooks.
<ShellExecuteHooks> Windows Shell Execute Hooks.
<W6432ShellExecuteHooks> Windows Shell Execute Hooks in Wow6432Node (64 bit OS).
<ImageHijacks> Image hijacks (HKLM node)
<ImageHijacks6432> Image hijacks (HKLM6432 node)
<FileContextMenu> Context menus for all files.
<FolderContextMenu> Context menus for all folders and directories.
<Services> All services and their corresponding names, files and states.
<Drivers> All drivers and their corresponding names, files and states.
<ScheduledTasks> All scheduled tasks.
<HKLM...Uninstall> Uninstall list.
<HKLMW6432...Uninstall> Uninstall list in Wow6432Node (64 bit OS).
<ContentsSystemDrive> Directories and files in the system drive root and their sizes in KB.
<ContentsAppData> Directories and files in current user's application data folder and their sizes in KB.
<ContentsLocalAppData> Directories and files in current user's local application data folder and their sizes in KB.
<ContentsCommonAppData> Directories and files in the common (all users) application data folder and their sizes in KB.
<ContentsProgramfiles> Directories and files in program files folder and their sizes in KB.
<ContentsProgramfiles(x86)> Directories and files in program files (x86) folder and their sizes in KB (64 bit OS).
<LsaProviders> Security providers on the local machine.
<BlockedHosts> Blocking/redirecting entry in the hosts file.
<AlternateStream> Unsafe Alternate data stream.
<RecentFiles> The mode for the recent files found in the UVK scan.
<Reg> Used in the custom scans results: Exported registry key.
<Dir> Used in the custom scans results: Contents of a directory.
<File> Used in the custom scans results: File information.
<VtReport> Used in the custom scans results: File VirusTotal report.

Thus, by reading the mode string, both you and UVK can identify what all items in a line mean. Note that only valid modes for your OS version and architecture are shown in the log. Also, if no entries are found for a mode, the mode's header will not be written to the log.

Now you can easily tell that a line like the one below refers to the value Software name under the key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, and points to the file C:\Program files\Software name\file name.exe, which is signed by Company:

 <HKLM...Run> | Software name | C:\Program files\Software name\file name.exe | Signed : Company
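To make the line structure concrete, here is an added Python example; it is not part of UVK or of this page. It parses lines in the format described above, using the mode tag (and, for the sections that have one, the most recent "Format:" header) to name the fields, compares the <FileExtension> lines against the known-good table shown earlier, and lists the entries a reviewer should look at first: an autorun.inf on a partition root, an extension whose association or command differs from the reference, and a startup item whose destination file is not signed. The sample log text is constructed for the example; its paths, names and hash values are made up, and the column names for the two built-in tables are taken from the headers on this page.

```python
import re
from dataclasses import dataclass

# Known-good executable associations, copied from the sample table on this page.
GOOD_EXTENSIONS = {
    ".exe": ("exefile", r'"%1" %*'),
    ".msi": ("Msi.Package", r'"%SystemRoot%\System32\msiexec.exe" /i "%1" %*'),
    ".reg": ("regfile", r'regedit.exe "%1"'),
    ".bat": ("batfile", r'"%1" %*'),
    ".cmd": ("cmdfile", r'"%1" %*'),
    ".com": ("comfile", r'"%1" %*'),
    ".vbs": ("VBSFile", r'%SystemRoot%\System32\WScript.exe "%1" %*'),
}

# The two built-in tables have fixed columns (from their headers on the page);
# every other mode uses the "Format:" header that precedes its section.
FIXED_COLUMNS = {
    "Autorun.inf": ["autorun.inf", "Destination file", "Description"],
    "FileExtension": ["Extension", "Association", "Command"],
}

MODE_RE = re.compile(r"^\s*<([^>]+)>\s*\|\s*(.*)$")
FORMAT_RE = re.compile(r"^\s*Format:\s*(.*)$")


@dataclass
class Entry:
    mode: str      # the coded word between < and >
    fields: dict   # column name -> value
    raw: str       # the original line, as it would be pasted into a UVK script


def parse_log(text):
    """Turn mode-tagged log lines into Entry objects."""
    columns = None  # column names from the last "Format:" header seen
    entries = []
    for line in text.splitlines():
        fmt = FORMAT_RE.match(line)
        if fmt:
            names = [n.strip() for n in fmt.group(1).split("|")]
            columns = names[1:] if names and names[0] == "Mode" else names
            continue
        m = MODE_RE.match(line)
        if not m:
            continue  # blank lines, section titles, table headers
        mode, rest = m.group(1), m.group(2)
        values = [v.strip() for v in rest.split("|")]
        keys = FIXED_COLUMNS.get(mode) or columns or []
        if len(keys) != len(values):
            keys = [f"field{i + 1}" for i in range(len(values))]  # fall back to positions
        entries.append(Entry(mode, dict(zip(keys, values)), line.strip()))
    return entries


def review(entries):
    """Return (entry, reason) pairs for the lines worth checking first."""
    findings = []
    for e in entries:
        if e.mode == "Autorun.inf":
            findings.append((e, "autorun.inf found on a partition root"))
        elif e.mode == "FileExtension":
            ext = e.fields["Extension"]
            expected = GOOD_EXTENSIONS.get(ext)
            actual = (e.fields["Association"], e.fields["Command"])
            if expected is None:
                findings.append((e, f"no reference entry for {ext}"))
            elif expected != actual:
                findings.append((e, f"{ext} association differs from the known-good table"))
        else:
            sig = e.fields.get("File signature")
            if sig is not None and not sig.startswith("Signed"):
                findings.append((e, "destination file is not signed"))
    return findings


# Constructed sample in the page's format (paths, names and hash values are made up).
SAMPLE_LOG = r"""
Searching for "autorun.inf" on HD partitions root...

Mode | autorun.inf | Destination file | Description

<Autorun.inf> | C:\autorun.inf | C:\Windows\Setup.exe | No description

Executable file extensions state (Mode | Extension | Association | Command):

<FileExtension> | .exe | exefile | "%1" %*
<FileExtension> | .reg | regfile | regedit.exe "%1"
<FileExtension> | .bat | batfile | C:\Users\Fred\AppData\Roaming\other.exe "%1" %*

Startup entries:

 Format: Mode | Name | Destination file | Description | MD5 hash | File signature

<HKLM...Run> | Software name | C:\Program files\Software name\file name.exe | Some description | 00112233445566778899aabbccddeeff | Signed : Company
<HKCU...Run> | updater | C:\Users\Fred\AppData\Roaming\updater.exe | No description | ffeeddccbbaa99887766554433221100 | Not signed
"""

if __name__ == "__main__":
    for entry, reason in review(parse_log(SAMPLE_LOG)):
        print(f"{reason}: {entry.raw}")
```

Running the block prints three findings for the constructed sample: the autorun.inf line, the .bat association whose command no longer matches the reference, and the unsigned startup item. Entries the parser accepts keep their original line text in raw, which is exactly the text you would paste into a UVK script once you have decided an item is unwanted.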

Now that you know all this, you're ready to analyze the log and search for infected files and registry entries that you can delete by pasting the corresponding lines in the Run UVK Scripts text box.

However, analyzing a log manually line by line and searching over internet for information about all the files you don't know can take a very long time.

That's why you should use the Log analyzer, a text editor included with UVK and specially created to simplify the search for infected items in the log and to build a UVK commands script that disinfects and repairs your computer.


Copyright Carifred © 2010 - 2012, all rights reserved