UVK Help

UVK Help - UVK log

Carifred logo
Show menu

The UVK log is created in the Scan and create log section and contains complete information about your system, which is written in a special way so that both users an UVK can understand and know what to do with each line.

Content index:

 The log header

The first active lines

The Mode keyword

Reading the lines

 

The log header

The log's header contains information about UVK, the operating system and Internet explorer installed versions, current date and time, UVK immunized areas, CPU, hard drives, and memory size and free space:


================ UVK - Ultra Virus Killer Scan log file ================

System Info:

UVK - Ultra Virus Killer version: 7.3.2.0
Windows version: Microsoft Windows 7 Ultimate X64 Build 7601 Service Pack 1
I.E. Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Time & date: 2015/06/30 16:15:30
System drive: C: 346 GB free of 659 GB.

Drive D: 119 GB free of 258 GB.
Drive E: 29.0 MB free of 99.9 MB.

WMI state: OK

Processor: Intel(R) Core(TM) i3 CPU M 330 @ 2.13GHz
L2 Cache size: 256 Current processor usage: 07%

Computer name: FRED-PC3. Logged on user: Fred. Number of users: 2.
Physical memory: Total: 7.86 GB. Free: 5.14 GB.
Virtual memory: Total: 15.7 GB. Free: 12.8 GB.
Last boot up time: 2015/06/30 15:56:41. Boot type: Normal boot

Immunized areas: |8|12|13|14|15|16|18|

Scan mode: Hide all Microsoft files, Verify file signatures.
Scan options: Scan all users, Include MD5 hash, Include recent folders.

========================= End of System Info. ========================

▲ Back to the list

 

The first active lines

The first thing UVK scans is the existence of a file named autorun.inf on all fixed partition roots. These files are commonly used by rootkits to run their infected files each time you access the partition's root with Windows explorer.

If UVK finds one of these files, it will tell you its placement, the file its pointing to, its description and signature.

UVK will then scan the state of executable file associations. If you notice that an extension is damaged, or an autorun.inf was found, you can fix it by pasting the corresponding line in an UVK script or right on the Run scripts section.

Searching for "autorun.inf" on HD partitions root...

Mode | autorun.inf | Destination file | Description

<Autorun.inf> | C:\autorun.inf | C:\Windows\Setup.exe | No description


Executable file extensions state (Mode | Extension | Association | Command):

<FileExtension> | .exe | exefile | "%1" %*
<FileExtension> | .msi | Msi.Package | "%SystemRoot%\System32\msiexec.exe" /i "%1" %*
<FileExtension> | .reg | regfile | regedit.exe "%1"
<FileExtension> | .bat | batfile | "%1" %*
<FileExtension> | .cmd | cmdfile | "%1" %*
<FileExtension> | .com | comfile | "%1" %*
<FileExtension> | .vbs | VBSFile | %SystemRoot%\System32\WScript.exe "%1" %*


============================ End of Executable file extensions state.============================

How do you know if a file extension is corrupted? Well, in the table above, no file extension is corrupted, so just compare your results with these.

▲ Back to the list

 

The Mode keyword

The rest of the log contains the information you selected when you started the scan in the Scan and create log section.

Each scanned area is headed by its title and format description. Example:

 Startup entries:

Format: Mode | Name | Destination file | Description | MD5 hash | File signature

The title says the next lines are the programs that run automatically on windows startup.

The format description tells how each line is organized, so you and UVK can identify the items it contains.

Mode Coded word that tells where the line's registry entries and files are placed
Name Name of the registry entry that runs the file on windows startup or startup folder's shortcut name.
Destination file The file that the registry entry or shortcut points to.
Description The file's description taken from the file version resource.
MD5 hash The file's MD5 hash.
File signature Tells whether the file is signed and the publisher's name. Check File signatures for more info.

The mode is very important. Without it, UVK wouldn't know what to do with the information contained in the line.

Below are all possible modes (depending on the OS version and architecture) and their reference:

<Autorun.inf> Refers to an Autorun.inf file found in a partition's root.
<FileExtension> Refers to an executable file extension.
<RunningProcess> Refers to a running process.
<MemoryModules> Memory object used by a process.
<Winlogon> Hijacked Winlogon entries.
<Winlogon32> 32 bit Hijacked Winlogon entries (for 64 bits systems).
<@User\Winlogon> User hijacked Winlogon entries (@User defines the user name).
<HKLM...Run> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
<HKLM...RunOnce> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce.
<HKLM...RunOnceEx> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
<HKLMW6432...Run> Same as <HKLM...Run> but in Wow6432Node  (64 bit OS).
<HKLMW6432...RunOnce> Same as <HKLM...RunOnce> but in Wow6432Node  (64 bit OS).
<HKLMW6432...RunOnceEx> Same as <HKLM...RunOnceEx> but in Wow6432Node  (64 bit OS).
<HKCU...Run> HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.
<HKCU...RunOnce> HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce.
<HKCU...RunOnceEx> HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnceEx.
<@User\Run> User Run entries (@User defines the user name).
<@User\RunOnce> User RunOnce entries (@User defines the user name).
<@User\RunOnceEx> User RunOnce entries (@User defines the user name).
<StartupFolder> Current user's startup folder.
<CommonStartupFolder> All users startup folder.
<StartupFolder> User startup folder (@User defines the user name).
<IEStartPages> Internet explorer start pages.
<IEStartPages32> 32 bit Internet explorer start pages (64 bit OS).
<@User\IEStartPages> User Internet explorer start pages (@User defines the user name).
<IESearch> Internet Explorer search providers.
<IESearch32> 32 bit IE search providers (64 bit OS).
<@User\IESearch> User Internet explorer search providers (@User defines the user name).
<BHO> Browser helper objects.
<BHOW6432> Browser helper objects in Wow6432Node (64 bit OS).
<HKLM...IEToolbar> HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar
<HKCU...IEToolbar> HKCU\SOFTWARE\Microsoft\Internet Explorer\Toolbar
<HKLM6432...IEToolbar> HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar
<@User\IEToolbar> User Internet explorer toolbar (@User defines the user name).
<UrlSearchHooks> Internet explorer url search hooks.
<ShellExecuteHooks> Windows Shell Execute Hooks.
<W6432ShellExecuteHooks> Windows Shell Execute Hooks in Wow6432Node (64 bit OS).
<ImageHijacks> Image hijacks (HKLM node)
<ImageHijacks6432> Image hijacks (HKLM6432 node)
<FileContextMenu> Context menus for all files.
<FolderContextMenu> Context menus for all folders and directories.
<Services> All services and their corresponding names, files and states.
<Drivers> All drivers and their corresponding names, files and states.
<ScheduledTasks> All scheduled tasks.
<HKLM...Uninstall> Uninstall list.
<HKLMW6432...Uninstall> Uninstall list in Wow6432Node (64 bit OS).
<@User\Uninstall> User uninstall entry (@User defines the user name).
<@User\MuiCache> User Shell MUI Cache entries (@User defines the user name).
<ContentsSystemDrive> Directories and files in the system drive root and their sizes in KB.
<ContentsAppData> Directories and files in current user's application data folder and their sizes in KB.
<ContentsLocalAppData> Directories and files in current user's local application data folder and their sizes in KB.
<ContentsCommonAppData> Directories and files in user's application data folder and their sizes in KB.
<ContentsProgramfiles> Directories and files in program files folder and their sizes in KB.
<ContentsProgramfiles(x86)> Directories and files in program files (x86) folder and their sizes in KB (64 bit OS).
<@User\Appdata> Directories and files in a user's Application data folder (@User defines the user name).
<@User\LocalAppdata> Directories and files in a user's Local Application data folder (@User defines the user name).
<ContentsProgramfiles(x86)> Directories and files in program files (x86) folder and their sizes in KB (64 bit OS).
<LsaProviders> Security providers on the local machine.
<BlockedHosts> Blocking/redirecting entry in the hosts file.
<AlternateStream> Unsafe Alternate data stream.
<RecentFiles> A recent file.
<RecentFolder> A recent file folder.
   
<Reg> Used in the custom scans results: Exported registry key.
<Dir> Used in the custom scans results: Contents of a directory.
<File> Used in the custom scans results: File information.
<VtReport> Used in the custom scans results: File VirusTotal report.

▲ Back to the list

 

Reading the lines

Thus, identifying the mode keyword, both you and UVK can identify what all items in a line mean. Note that only valid modes for your OS version and architecture are shown in the log. Also, if no entries are found for a mode, the mode's header may not be present in the log.

Now you can easily assume that a line like the one below refers to the value Software name under the key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, and points to the file C:\Program files\Software name\file name.exe which is signed by Comp.:

 <HKLM...Run> | Software name | C:\Program files\Software name\file name.exe | Signed : Comp.

Now that you know all this, you're ready to analyze the log and search for infected files and registry entries that you can delete by pasting the corresponding lines in the Run UVK Scripts section's text box.

However, analyzing a log manually line by line and searching over internet for information about all the files you don't know can take a very long time.

That's why you should use the Log analyzer, a text editor included with UVK and specially created to simplify the search for infected items on the log and create a UVK commands script to disinfect and repair your computer.

▲ Back to the list

 

Copyright Carifred © 2010 - 2024, all rights reserved.

Scroll to top