Results of system analysis

List of processes

File name	PID	Description	Copyright	MD5	Information
c:\documents and settings\brian norris\local settings\application data\aijtzvo.exe Script: Quarantine, Delete, BC delete, Terminate	1484			??	313.50 kb, rsAh, created: 2/7/2008 11:55:30 AM, modified: 2/7/2008 11:55:30 AM Command line: "C:\documents and settings\brian norris\local settings\application data\aijtzvo.exe" aijtzvo
c:\documents and settings\brian norris\desktop\avz4\avz4\avz.exe Script: Quarantine, Delete, BC delete, Terminate	836	???????????? ??????? AVZ	???????????? ??????? AVZ	??	715.50 kb, rsAh, created: 12/13/2007 3:28:04 PM, modified: 12/13/2007 3:28:04 PM Command line: "C:\Documents and Settings\Brian Norris\Desktop\AVZ4\avz4\avz.exe"
c:\winnt\explorer.exe Script: Quarantine, Delete, BC delete, Terminate	1176	Windows Explorer	Copyright (C) Microsoft Corp. 1981-1999	??	237.27 kb, rsAh, created: 8/22/2002 8:06:45 PM, modified: 7/22/2002 2:05:04 PM Command line: C:\WINNT\Explorer.EXE
c:\program files\mozilla firefox\firefox.exe Script: Quarantine, Delete, BC delete, Terminate	1652	Firefox	Mozilla Corporation	??	7471.11 kb, rsAh, created: 1/6/2008 11:47:03 AM, modified: 11/28/2007 2:11:50 PM Command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
c:\winnt\system32\lexbces.exe Script: Quarantine, Delete, BC delete, Terminate	552	LexBce Service	(C) 1993 - 2002 Lexmark International, Inc.	??	296.00 kb, rsAh, created: 10/14/2002 2:03:18 PM, modified: 10/14/2002 2:03:18 PM Command line: C:\WINNT\system32\LEXBCES.EXE
c:\winnt\system32\lexpps.exe Script: Quarantine, Delete, BC delete, Terminate	616	LEXPPS.EXE	(C) 1993 - 2002 Lexmark International, Inc.	??	170.50 kb, rsAh, created: 10/14/2002 2:00:42 PM, modified: 10/14/2002 2:00:42 PM Command line: LEXPPS.EXE
c:\program files\lexmark x74-x75\lxbbbmgr.exe Script: Quarantine, Delete, BC delete, Terminate	1456	Lexmark X74-X75 Button Manager	(C) 2002 Lexmark International, Inc.	??	56.00 kb, rsAh, created: 10/14/2002 2:09:12 PM, modified: 10/14/2002 2:09:12 PM Command line: "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
c:\program files\lexmark x74-x75\lxbbbmon.exe Script: Quarantine, Delete, BC delete, Terminate	1504	Lexmark X74-X75 Button Monitor	(C) 2002 Lexmark International, Inc.	??	48.00 kb, rsAh, created: 10/14/2002 2:22:04 PM, modified: 10/14/2002 2:22:04 PM Command line: "C:\Program Files\Lexmark X74-X75\lxbbbmon.exe"
c:\winnt\mixer.exe Script: Quarantine, Delete, BC delete, Terminate	1432	Mixer	Copyright (C) 1997-2001	??	1188.00 kb, rsAh, created: 8/25/2002 1:31:57 PM, modified: 11/15/2001 10:08:40 AM Command line: "C:\WINNT\Mixer.exe" /startup
c:\program files\common files\real\update_ob\realsched.exe Script: Quarantine, Delete, BC delete, Terminate	1476	RealNetworks Scheduler	Copyright © RealNetworks, Inc. 1995-2004	??	176.04 kb, rsAh, created: 12/9/2005 6:14:41 PM, modified: 12/9/2005 6:14:41 PM Command line: "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
c:\winnt\system32\spoolsv.exe Script: Quarantine, Delete, BC delete, Terminate	580	Spooler SubSystem App	Copyright (C) Microsoft Corp. 1981-1999	??	44.27 kb, rsAh, created: 4/21/2002 8:37:53 AM, modified: 7/22/2002 2:05:04 PM Command line: C:\WINNT\system32\spoolsv.exe
c:\program files\superantispyware\superantispyware.exe Script: Quarantine, Delete, BC delete, Terminate	1496	SUPERAntiSpyware	Copyright (C) 2005-2007 by SUPERAntiSpyware.com and SUPERAdBlocker.com	??	1288.00 kb, rsAh, created: 6/21/2007 2:06:28 PM, modified: 6/21/2007 2:06:28 PM Command line: "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"
c:\winnt\system32\svchost.exe Script: Quarantine, Delete, BC delete, Terminate	412	Generic Host Process for Win32 Services	Copyright (C) Microsoft Corp. 1981-1999	??	7.77 kb, rsAh, created: 12/7/1999 7:00:00 AM, modified: 12/7/1999 7:00:00 AM Command line: C:\WINNT\system32\svchost -k rpcss
c:\winnt\system32\svchost.exe Script: Quarantine, Delete, BC delete, Terminate	632	Generic Host Process for Win32 Services	Copyright (C) Microsoft Corp. 1981-1999	??	7.77 kb, rsAh, created: 12/7/1999 7:00:00 AM, modified: 12/7/1999 7:00:00 AM Command line: C:\WINNT\System32\svchost.exe -k netsvcs
c:\winnt\system32\svchost.exe Script: Quarantine, Delete, BC delete, Terminate	888	Generic Host Process for Win32 Services	Copyright (C) Microsoft Corp. 1981-1999	??	7.77 kb, rsAh, created: 12/7/1999 7:00:00 AM, modified: 12/7/1999 7:00:00 AM Command line: C:\WINNT\system32\svchost.exe -k wugroup
C:\WINNT\System Script: Quarantine, Delete, BC delete, Terminate	8			??	0.00 kb, rsAh, created: 4/21/2002 8:32:04 AM, modified: 10/3/2005 9:15:12 PM Command line:
c:\winnt\system32\zonelabs\vsmon.exe Script: Quarantine, Delete, BC delete, Terminate	440	TrueVector Service	Copyright © 1998-2006, Zone Labs, LLC	??	73.80 kb, rsAh, created: 4/18/2007 4:56:35 PM, modified: 3/8/2007 11:01:58 PM Command line: C:\WINNT\system32\ZoneLabs\vsmon.exe -service
c:\winnt\system32\winlogon.exe Script: Quarantine, Delete, BC delete, Terminate	204	Windows NT Logon Application	Copyright (C) Microsoft Corp. 1981-1999	??	178.27 kb, rsAh, created: 12/2/2004 1:10:03 PM, modified: 8/24/2004 5:59:10 PM Command line: winlogon.exe
c:\winnt\system32\wbem\winmgmt.exe Script: Quarantine, Delete, BC delete, Terminate	876	Windows Management Instrumentation	Copyright (C) Microsoft Corp. 1995-1999	??	192.08 kb, rsAh, created: 8/22/2002 8:11:40 PM, modified: 7/22/2002 2:05:04 PM Command line: C:\WINNT\System32\WBEM\WinMgmt.exe
d:\apps\netgear\wlancfg4.exe Script: Quarantine, Delete, BC delete, Terminate	1580			??	1140.50 kb, rsAh, created: 12/27/2005 2:51:40 PM, modified: 3/20/2003 7:13:18 PM Command line:
c:\winnt\system32\wuauclt.exe Script: Quarantine, Delete, BC delete, Terminate	1752	Windows Update Automatic Updates	© Microsoft Corporation. All rights reserved.	??	51.84 kb, rsAh, created: 5/22/2002 10:29:18 PM, modified: 7/30/2007 6:19:16 PM Command line: "C:\WINNT\system32\wuauclt.exe"
c:\program files\zone labs\zonealarm\zlclient.exe Script: Quarantine, Delete, BC delete, Terminate	1464	ZoneAlarm Client	Copyright © 1998-2006, Zone Labs, LLC	??	897.73 kb, rsAh, created: 4/18/2007 4:56:56 PM, modified: 3/8/2007 11:02:00 PM Command line: "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
Detected:30, recognized as trusted 20

Module name	Handle	Description	Copyright	MD5	Used by processes
C:\documents and settings\brian norris\local settings\application data\aijtzvo.exe Script: Quarantine, Delete, BC delete	4194304			??	1484
C:\Program Files\Common Files\Real\Update_OB\realsched.exe Script: Quarantine, Delete, BC delete	4194304	RealNetworks Scheduler	Copyright © RealNetworks, Inc. 1995-2004	??	1476
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe Script: Quarantine, Delete, BC delete	4194304	Lexmark X74-X75 Button Manager	(C) 2002 Lexmark International, Inc.	??	1456
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe Script: Quarantine, Delete, BC delete	4194304	Lexmark X74-X75 Button Monitor	(C) 2002 Lexmark International, Inc.	??	1504
C:\Program Files\SUPERAntiSpyware\deupx.dll Script: Quarantine, Delete, BC delete	268435456	deupx.dll	Copyright (C) 2006 by SUPERAntiSpyware.com and SUPERAdBlocker.com	--	1496
C:\Program Files\SUPERAntiSpyware\SASCTXMN.DLL Script: Quarantine, Delete, BC delete	64552960	SUPERAntiSpyware Context Menu Extension	(C) Copyright 2006-2007 SUPERAdBlocker.com and SUPERAntiSpyware.com	--	1176
C:\Program Files\SUPERAntiSpyware\SASSEH.DLL Script: Quarantine, Delete, BC delete	46333952	ShellExecuteHook	(c) Copyright 2004-2006 SuperAdBlocker.com	--	1176, 1496
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll Script: Quarantine, Delete, BC delete	268435456	SUPERAntiSpyware WinLogon Processor	Copyright (C) 2005-2007 SUPERAntiSpyware.com and SUPERAdBlocker.com	--	204
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe Script: Quarantine, Delete, BC delete	4194304	SUPERAntiSpyware	Copyright (C) 2005-2007 by SUPERAntiSpyware.com and SUPERAdBlocker.com	??	1496
C:\Program Files\Zone Labs\ZoneAlarm\cam.zap Script: Quarantine, Delete, BC delete	22675456	Anti-Virus Monitoring Module	Copyright © 1998-2006, Zone Labs, LLC	--	1464
C:\Program Files\Zone Labs\ZoneAlarm\imsecure.zap Script: Quarantine, Delete, BC delete	1392508928	IMsecure Plugin Module	Copyright © 1998-2006, Zone Labs, LLC	--	1464
C:\WINNT\Mixer.exe Script: Quarantine, Delete, BC delete	4194304	Mixer	Copyright (C) 1997-2001	??	1432
C:\WINNT\system32\Avsmcpa.cpl Script: Quarantine, Delete, BC delete	63045632			--	1176
C:\WINNT\system32\CLBCATQ.DLL Script: Quarantine, Delete, BC delete	2002386944		Copyright (C) Microsoft Corp. 1995-1999	--	1484, 836, 1176, 1652, 1432, 1476, 580, 1496, 412, 632, 888, 440, 204, 876, 1752, 1464
C:\WINNT\System32\cmnprop.dll Script: Quarantine, Delete, BC delete	268435456	CMAudio Property Page	Copyright (C) C-Media Corp. 1998-2000	--	1432
C:\WINNT\system32\lex2kusb.dll Script: Quarantine, Delete, BC delete	22609920	LEX2KUSB DLL	(C) 1993 - 2002 Lexmark International, Inc.	--	552
C:\WINNT\system32\LEXBCE.DLL Script: Quarantine, Delete, BC delete	1660944384	LexBce Client	(C) 1993 - 2002 Lexmark International, Inc.	--	616, 580
C:\WINNT\system32\LEXBCES.EXE Script: Quarantine, Delete, BC delete	4194304	LexBce Service	(C) 1993 - 2002 Lexmark International, Inc.	??	552
C:\WINNT\system32\LEXLMPM.DLL Script: Quarantine, Delete, BC delete	268435456	LEXLMPM DLL	(C) 1993 - 2002 Lexmark International, Inc.	--	580
C:\WINNT\system32\lexp2p32.dll Script: Quarantine, Delete, BC delete	268435456	LEXP2P32 DLL	(C) 1993 - 2002 Lexmark International, Inc.	--	552
C:\WINNT\system32\LEXPPS.EXE Script: Quarantine, Delete, BC delete	4194304	LEXPPS.EXE	(C) 1993 - 2002 Lexmark International, Inc.	??	616
C:\WINNT\system32\LIBEAY32_0.9.6l.dll Script: Quarantine, Delete, BC delete	65273856			--	440, 1464
C:\WINNT\system32\LXBBpwr.dll Script: Quarantine, Delete, BC delete	26279936	Lexmark ColorFine POR Monitor	Copyright © 2000 Lexmark International, Inc.	--	580
C:\WINNT\system32\PLOTMAN.CPL Script: Quarantine, Delete, BC delete	1658716160	Autodesk Hardcopy Plotter Manager	Copyright (C) 1998-1999 Autodesk, Inc.	--	1176
C:\WINNT\system32\spool\PRTPROCS\W32X86\LXBBPP5C.dll Script: Quarantine, Delete, BC delete	22675456	Lexmark X74-X75 Print Processor	Copyright (C) Lexmark International 2002	--	580
C:\WINNT\system32\STYLEMAN.CPL Script: Quarantine, Delete, BC delete	1645871104	Autodesk Hardcopy Plotter Manager	Copyright (C) 1998-1999 Autodesk, Inc.	--	1176
C:\WINNT\system32\VSDATA.dll Script: Quarantine, Delete, BC delete	67108864	TrueVector Service DLL	Copyright © 1998-2006, Zone Labs, LLC	--	440, 1464
c:\winnt\system32\wuauserv.dll Script: Quarantine, Delete, BC delete	4456448	Windows Update AutoUpdate Service	© Microsoft Corporation. All rights reserved.	--	888
C:\WINNT\system32\zlcomm.dll Script: Quarantine, Delete, BC delete	1382023168	ZLComm	Copyright © 1998-2006, Zone Labs, LLC	--	440, 1464
C:\WINNT\system32\ZLCommDB.dll Script: Quarantine, Delete, BC delete	1384120320	ZLCommDB	Copyright © 1998-2006, Zone Labs, LLC	--	440, 1464
C:\WINNT\system32\ZoneLabs\imsecure.dll Script: Quarantine, Delete, BC delete	1390411776	TrueVector Service	Copyright © 1998-2006, Zone Labs, LLC	--	440
C:\WINNT\system32\ZoneLabs\srescan.dll Script: Quarantine, Delete, BC delete	62455808	srescan	Copyright © 2006	--	440
C:\WINNT\system32\ZoneLabs\streamapi\httpblocker\httpblocker.dll Script: Quarantine, Delete, BC delete	65011712	HttpBlocker plug-in	Copyright © 1998-2006, Zone Labs, LLC	--	440
C:\WINNT\system32\ZoneLabs\streamapi\imslsp\imslsp.dll Script: Quarantine, Delete, BC delete	34537472	ZoneAlarm IMsecure components for securing MSN/AIM-OSCAR/YIM protocols	Copyright © 1998-2006, Zone Labs, LLC	--	440
C:\WINNT\system32\ZoneLabs\zlsre.dll Script: Quarantine, Delete, BC delete	62062592	zlsre	Copyright © 1998-2006, Zone Labs, LLC	--	440
C:\WINNT\system32\zpeng24.dll Script: Quarantine, Delete, BC delete	503316480	Python Core	Copyright © 2001-2004 Python Software Foundation. Copyright © 2000 BeOpen.com. Copyright © 1995-2001 CNRI. Copyright © 1991-1995 SMC.	--	440, 1464
D:\APPS\CuteFTP\CuteShell.dll Script: Quarantine, Delete, BC delete	72744960	CuteShell DLL	Copyright (C) 1999	--	1176
D:\Apps\NetGear\W32N50.DLL Script: Quarantine, Delete, BC delete	268435456	WinDis 32 API & Platform Compatibility DLL	Copyright © 1997-2001 Printing Communications Assoc., Inc.	--	1580
D:\Apps\NetGear\wlancfg4.EXE Script: Quarantine, Delete, BC delete	4194304			??	1580
Modules detected:327, recognized as trusted 288

Kernel space modules

Module	Base address	Size in memory	Description	Manufacturer
C:\WINNT\System32\Drivers\Cdr4_2K.SYS Script: Quarantine, Delete, BC delete	ED060000	00B000 (45056)	CDR4 CD and DVD Burning Helper Driver	Copyright (c) 1994-2005 Sonic Solutions
C:\WINNT\System32\Drivers\Cdralw2k.SYS Script: Quarantine, Delete, BC delete	ED2E8000	007000 (28672)	CDRAL for Windows 2000 Kernel Driver	Copyright (c) 1994-2005 Sonic Solutions
C:\WINNT\system32\drivers\cmaudio.sys Script: Quarantine, Delete, BC delete	BFC99000	058000 (360448)	C-Media Audio WDM Driver	Copyright (C) C-Media Inc. 1998-2001
C:\WINNT\System32\Drivers\dump_atapi.sys Script: Quarantine, Delete, BC delete	BE8B4000	016000 (90112)
C:\WINNT\System32\Drivers\dump_WMILIB.SYS Script: Quarantine, Delete, BC delete	ED640000	001000 (4096)
C:\Program Files\Common Files\Network Associates\McShield\NaiFiltr.sys Script: Quarantine, Delete, BC delete	ED388000	006000 (24576)
NaiFsRec.sys Script: Quarantine, Delete, BC delete	ED506000	002000 (8192)
D:\Apps\NetGear\PCANDIS5.SYS Script: Quarantine, Delete, BC delete	BC152000	004000 (16384)	PCAUSA NDIS 5.0 Protocol Driver	Copyright © 1995-2001 Printing Communications Assoc., Inc. (PCAUSA)
C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS Script: Quarantine, Delete, BC delete	ED3E0000	007000 (28672)	SASDIFSV	Copyright (C) 2006
C:\Program Files\SUPERAntiSpyware\SASENUM.SYS Script: Quarantine, Delete, BC delete	ED2B0000	005000 (20480)	SuperAntiSpyware	(C) Copyright 2004-2006
C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys Script: Quarantine, Delete, BC delete	ED1E0000	00C000 (49152)	SASKUTIL.SYS	Copyright (C) 2006
srescan.sys Script: Quarantine, Delete, BC delete	BFEB1000	014000 (81920)
C:\WINNT\system32\drivers\tmcomm.sys Script: Quarantine, Delete, BC delete	BCEF1000	012000 (73728)	TrendMicro Common Module	Copyright (C) 2005-2006 Trend Micro Incorporated. All rights reserved.
C:\WINNT\system32\Drivers\viaide.sys Script: Quarantine, Delete, BC delete	ED504000	002000 (8192)	VIA PCI IDE Bus Driver	Copyright (C) Microsoft Corp. 2000-2005
C:\WINNT\System32\Drivers\VIAPFD.SYS Script: Quarantine, Delete, BC delete	ED60C000	001000 (4096)	VIA PFD driver	Copyright (C) VIA Technologies, Inc. 2001-2005
Modules detected - 109, recognized as trusted - 94

Services

Service	Description	Status	File	Group	Dependencies
LexBceS Service: Stop, Delete, Disable	LexBce Server	Running	C:\WINNT\system32\LEXBCES.EXE Script: Quarantine, Delete, BC delete	SpoolerGroup	RPCSS
IISADMIN Service: Stop, Delete, Disable	IIS Admin Service	Not started	C:\WINNT\System32\inetsrv\inetinfo.exe Script: Quarantine, Delete, BC delete		RPCSS
MSFTPSVC Service: Stop, Delete, Disable	FTP Publishing Service	Not started	C:\WINNT\System32\inetsrv\inetinfo.exe Script: Quarantine, Delete, BC delete		IISADMIN
SMTPSVC Service: Stop, Delete, Disable	Simple Mail Transport Protocol (SMTP)	Not started	C:\WINNT\System32\inetsrv\inetinfo.exe Script: Quarantine, Delete, BC delete		IISADMIN
W3SVC Service: Stop, Delete, Disable	World Wide Web Publishing Service	Not started	C:\WINNT\System32\inetsrv\inetinfo.exe Script: Quarantine, Delete, BC delete		IISADMIN
WMDM PMSP Service Service: Stop, Delete, Disable	WMDM PMSP Service	Not started	C:\WINNT\System32\mspmspsv.exe Script: Quarantine, Delete, BC delete
Detected - 63, recognized as trusted - 57

Drivers

Service	Description	Status	File	Group	Dependencies
Cdr4_2K Driver: Unload, Delete, Disable	Cdr4_2K	Running	C:\WINNT\system32\Drivers\Cdr4_2K.sys Script: Quarantine, Delete, BC delete	Filter
Cdralw2k Driver: Unload, Delete, Disable	Cdralw2k	Running	C:\WINNT\system32\Drivers\Cdralw2k.sys Script: Quarantine, Delete, BC delete	Filter
cmpci Driver: Unload, Delete, Disable	C-Media PCI Audio Driver (WDM)	Running	C:\WINNT\system32\drivers\cmaudio.sys Script: Quarantine, Delete, BC delete
NaiFiltr Driver: Unload, Delete, Disable	NaiFiltr	Running	C:\Program Files\Common Files\Network Associates\McShield\NaiFiltr.sys Script: Quarantine, Delete, BC delete
NaiFsRec Driver: Unload, Delete, Disable	NaiFsRec	Running	C:\WINNT\system32\drivers\NaiFsRec.sys Script: Quarantine, Delete, BC delete
SASDIFSV Driver: Unload, Delete, Disable	SASDIFSV	Running	C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS Script: Quarantine, Delete, BC delete
SASENUM Driver: Unload, Delete, Disable	SASENUM	Running	C:\Program Files\SUPERAntiSpyware\SASENUM.SYS Script: Quarantine, Delete, BC delete
SASKUTIL Driver: Unload, Delete, Disable	SASKUTIL	Running	C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys Script: Quarantine, Delete, BC delete
srescan Driver: Unload, Delete, Disable	srescan	Running	C:\WINNT\system32\ZoneLabs\srescan.sys Script: Quarantine, Delete, BC delete
tmcomm Driver: Unload, Delete, Disable	tmcomm	Running	C:\WINNT\system32\drivers\tmcomm.sys Script: Quarantine, Delete, BC delete	ExtendedBase
viaide Driver: Unload, Delete, Disable	viaide	Running	C:\WINNT\System32\DRIVERS\viaide.sys Script: Quarantine, Delete, BC delete	System Bus Extender
VIAPFD Driver: Unload, Delete, Disable	VIAPFD	Running	C:\WINNT\System32\Drivers\VIAPFD.SYS Script: Quarantine, Delete, BC delete	Base
USB_RNDIS_2K Driver: Unload, Delete, Disable	Westell WireSpeed Dual Connect Modem	Not started	C:\WINNT\system32\DRIVERS\usb8023k.sys Script: Quarantine, Delete, BC delete	NDIS
Abiosdsk Driver: Unload, Delete, Disable	Abiosdsk	Not started	Abiosdsk.sys Script: Quarantine, Delete, BC delete	Primary disk
abp480n5 Driver: Unload, Delete, Disable	abp480n5	Not started	abp480n5.sys Script: Quarantine, Delete, BC delete	SCSI miniport
adpu160m Driver: Unload, Delete, Disable	adpu160m	Not started	adpu160m.sys Script: Quarantine, Delete, BC delete	SCSI miniport
Aha154x Driver: Unload, Delete, Disable	Aha154x	Not started	Aha154x.sys Script: Quarantine, Delete, BC delete	SCSI miniport
aic116x Driver: Unload, Delete, Disable	aic116x	Not started	aic116x.sys Script: Quarantine, Delete, BC delete	SCSI miniport
aic78u2 Driver: Unload, Delete, Disable	aic78u2	Not started	aic78u2.sys Script: Quarantine, Delete, BC delete	SCSI miniport
aic78xx Driver: Unload, Delete, Disable	aic78xx	Not started	aic78xx.sys Script: Quarantine, Delete, BC delete	SCSI miniport
ami0nt Driver: Unload, Delete, Disable	ami0nt	Not started	ami0nt.sys Script: Quarantine, Delete, BC delete	SCSI miniport
amsint Driver: Unload, Delete, Disable	amsint	Not started	amsint.sys Script: Quarantine, Delete, BC delete	SCSI miniport
asc Driver: Unload, Delete, Disable	asc	Not started	asc.sys Script: Quarantine, Delete, BC delete	SCSI miniport
asc3350p Driver: Unload, Delete, Disable	asc3350p	Not started	asc3350p.sys Script: Quarantine, Delete, BC delete	SCSI miniport
asc3550 Driver: Unload, Delete, Disable	asc3550	Not started	asc3550.sys Script: Quarantine, Delete, BC delete	SCSI miniport
Atdisk Driver: Unload, Delete, Disable	Atdisk	Not started	Atdisk.sys Script: Quarantine, Delete, BC delete	Primary disk
BusLogic Driver: Unload, Delete, Disable	BusLogic	Not started	BusLogic.sys Script: Quarantine, Delete, BC delete	SCSI miniport
cd20xrnt Driver: Unload, Delete, Disable	cd20xrnt	Not started	cd20xrnt.sys Script: Quarantine, Delete, BC delete	SCSI miniport
Changer Driver: Unload, Delete, Disable	Changer	Not started	Changer.sys Script: Quarantine, Delete, BC delete	Filter
Cpqarray Driver: Unload, Delete, Disable	Cpqarray	Not started	Cpqarray.sys Script: Quarantine, Delete, BC delete	SCSI miniport
cpqarry2 Driver: Unload, Delete, Disable	cpqarry2	Not started	cpqarry2.sys Script: Quarantine, Delete, BC delete	SCSI miniport
cpqfcalm Driver: Unload, Delete, Disable	cpqfcalm	Not started	cpqfcalm.sys Script: Quarantine, Delete, BC delete	SCSI miniport
cpqfws2e Driver: Unload, Delete, Disable	cpqfws2e	Not started	cpqfws2e.sys Script: Quarantine, Delete, BC delete	SCSI miniport
dac960nt Driver: Unload, Delete, Disable	dac960nt	Not started	dac960nt.sys Script: Quarantine, Delete, BC delete	SCSI miniport
deckzpsx Driver: Unload, Delete, Disable	deckzpsx	Not started	deckzpsx.sys Script: Quarantine, Delete, BC delete	SCSI miniport
ENDETECT Driver: Unload, Delete, Disable	ENDETECT	Not started	C:\PROGRA~1\FRONTI~1\FRONTI~1\app\ENDETECT.SYS Script: Quarantine, Delete, BC delete
Fd16_700 Driver: Unload, Delete, Disable	Fd16_700	Not started	Fd16_700.sys Script: Quarantine, Delete, BC delete	SCSI miniport
fireport Driver: Unload, Delete, Disable	fireport	Not started	fireport.sys Script: Quarantine, Delete, BC delete	SCSI miniport
flashpnt Driver: Unload, Delete, Disable	flashpnt	Not started	flashpnt.sys Script: Quarantine, Delete, BC delete	SCSI miniport
ini910u Driver: Unload, Delete, Disable	ini910u	Not started	ini910u.sys Script: Quarantine, Delete, BC delete	SCSI miniport
IntelIde Driver: Unload, Delete, Disable	IntelIde	Not started	IntelIde.sys Script: Quarantine, Delete, BC delete	System Bus Extender
ipsraidn Driver: Unload, Delete, Disable	ipsraidn	Not started	ipsraidn.sys Script: Quarantine, Delete, BC delete	SCSI miniport
L2XPSR Driver: Unload, Delete, Disable	L2XPSR	Not started	C:\PROGRA~1\FRONTI~1\FRONTI~1\app\L2XPSR.SYS Script: Quarantine, Delete, BC delete
lbrtfdc Driver: Unload, Delete, Disable	lbrtfdc	Not started	lbrtfdc.sys Script: Quarantine, Delete, BC delete	System Bus Extender
lp6nds35 Driver: Unload, Delete, Disable	lp6nds35	Not started	lp6nds35.sys Script: Quarantine, Delete, BC delete	SCSI miniport
mraid35x Driver: Unload, Delete, Disable	mraid35x	Not started	mraid35x.sys Script: Quarantine, Delete, BC delete	SCSI miniport
Ncrc710 Driver: Unload, Delete, Disable	Ncrc710	Not started	Ncrc710.sys Script: Quarantine, Delete, BC delete	SCSI miniport
NTSTPL1 Driver: Unload, Delete, Disable	NTSTPL1	Not started	C:\PROGRA~1\FRONTI~1\FRONTI~1\app\NTSTPL1.SYS Script: Quarantine, Delete, BC delete
NTSTPL2 Driver: Unload, Delete, Disable	NTSTPL2	Not started	C:\PROGRA~1\FRONTI~1\FRONTI~1\app\NTSTPL2.SYS Script: Quarantine, Delete, BC delete
OlCamudp Driver: Unload, Delete, Disable	OLYMPUS Digital Camera	Not started	C:\WINNT\system32\Drivers\olcamudp.sys Script: Quarantine, Delete, BC delete	Base
PCIDump Driver: Unload, Delete, Disable	PCIDump	Not started	PCIDump.sys Script: Quarantine, Delete, BC delete	PCI Configuration
ql1080 Driver: Unload, Delete, Disable	ql1080	Not started	ql1080.sys Script: Quarantine, Delete, BC delete	SCSI miniport
Ql10wnt Driver: Unload, Delete, Disable	Ql10wnt	Not started	Ql10wnt.sys Script: Quarantine, Delete, BC delete	SCSI miniport
ql1240 Driver: Unload, Delete, Disable	ql1240	Not started	ql1240.sys Script: Quarantine, Delete, BC delete	SCSI miniport
ql2100 Driver: Unload, Delete, Disable	ql2100	Not started	ql2100.sys Script: Quarantine, Delete, BC delete	SCSI miniport
sglfb Driver: Unload, Delete, Disable	sglfb	Not started	sglfb.sys Script: Quarantine, Delete, BC delete	Video
Simbad Driver: Unload, Delete, Disable	Simbad	Not started	Simbad.sys Script: Quarantine, Delete, BC delete	Filter
Sparrow Driver: Unload, Delete, Disable	Sparrow	Not started	Sparrow.sys Script: Quarantine, Delete, BC delete	SCSI miniport
sym_hi Driver: Unload, Delete, Disable	sym_hi	Not started	sym_hi.sys Script: Quarantine, Delete, BC delete	SCSI miniport
symc810 Driver: Unload, Delete, Disable	symc810	Not started	symc810.sys Script: Quarantine, Delete, BC delete	SCSI miniport
symc8xx Driver: Unload, Delete, Disable	symc8xx	Not started	symc8xx.sys Script: Quarantine, Delete, BC delete	SCSI miniport
TAPBIND Driver: Unload, Delete, Disable	TAPBIND	Not started	C:\PROGRA~1\FRONTI~1\FRONTI~1\app\TAPBIND1.SYS Script: Quarantine, Delete, BC delete
tga Driver: Unload, Delete, Disable	tga	Not started	tga.sys Script: Quarantine, Delete, BC delete	Video
ultra66 Driver: Unload, Delete, Disable	ultra66	Not started	ultra66.sys Script: Quarantine, Delete, BC delete	SCSI miniport
UNDPX2A Driver: Unload, Delete, Disable	UNDPX2A	Not started	C:\WINNT\system32\drivers\UNDPX2A.SYS Script: Quarantine, Delete, BC delete
viafilter Driver: Unload, Delete, Disable	VIA USB Filter	Not started	C:\WINNT\System32\Drivers\viausb.sys Script: Quarantine, Delete, BC delete	extend base
WLAN_USB Driver: Unload, Delete, Disable	Wireless LAN USB Driver	Not started	C:\WINNT\system32\DRIVERS\MA111nd5.sys Script: Quarantine, Delete, BC delete	NDIS
XIRLINK Driver: Unload, Delete, Disable	Veo PC Camera	Not started	C:\WINNT\system32\DRIVERS\ucdnt.sys Script: Quarantine, Delete, BC delete
Detected - 180, recognized as trusted - 112

Autoruns

File name	Status	Startup method	Description
C:\Program Files\Common Files\Real\Update_OB\realsched.exe Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, TkBellExe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, Lexmark X74-X75
C:\Program Files\SUPERAntiSpyware\SASSEH.DLL Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks, {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon, DLLName
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_CURRENT_USER, Software\Microsoft\Windows\CurrentVersion\Run, SUPERAntiSpyware
C:\WINNT\Mixer.exe Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, C-Media Mixer
C:\WINNT\System32\NeroCheck.exe Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, NeroCheck
D:\Apps\Microsoft Office\Office\OSA9.EXE Script: Quarantine, Delete, BC delete	Active	Shortcut in Autoruns folder	C:\Documents and Settings\All Users\Start Menu\Programs\Startup\, C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk,
D:\Apps\NetGear\wlancfg.exe Script: Quarantine, Delete, BC delete	Active	Shortcut in Autoruns folder	C:\Documents and Settings\All Users\Start Menu\Programs\Startup\, C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MA111 Configuration Utility.lnk,
D:\apps\quicktime\qttask.exe Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, QuickTime Task
c:\documents and settings\brian norris\local settings\application data\aijtzvo.exe Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_CURRENT_USER, Software\Microsoft\Windows\CurrentVersion\Run, aijtzvo
Autoruns items detected - 59, recognized as trusted - 48

Internet Explorer extension modules (BHOs, Toolbars ...)

File name	Type	Description	Manufacturer	CLSID
D:\Apps\AOL\aim.exe Script: Quarantine, Delete, BC delete	Extension module	AOL Instant Messenger	Copyright © 1996-2006 America Online, Inc.	{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} Delete
Elements detected - 5, recognized as trusted - 4

Windows Explorer extension modules

File name	Destination	Description	Manufacturer	CLSID
deskpan.dll Script: Quarantine, Delete, BC delete	Display Panning CPL Extension			{42071714-76d4-11d1-8b24-00a0c9068ff3}
	Shell extensions for file compression			{764BF0E1-F219-11ce-972D-00AA00A14F56}
	Encryption Context Menu			{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}
D:\APPS\CuteFTP\CuteShell.dll Script: Quarantine, Delete, BC delete	CuteFTP Shell Extension	CuteShell DLL	Copyright (C) 1999	{8f7261d0-d2b9-11d2-9909-00605205b24c}
C:\Program Files\Real\RealPlayer\rpshell.dll Script: Quarantine, Delete, BC delete	Shell Extensions for RealOne Player	RealPlayer Shell Extensions	Copyright © RealNetworks, Inc. 2001-2004	{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}
Elements detected - 165, recognized as trusted - 160

Print system extensions (print monitors, providers)

File name	Type	Name	Description	Manufacturer
C:\WINNT\system32\LEXLMPM.DLL Script: Quarantine, Delete, BC delete	Monitor	Lexmark Network Port	LEXLMPM DLL	(C) 1993 - 2002 Lexmark International, Inc.
Elements detected - 9, recognized as trusted - 8

Task Scheduler jobs

File name	Job name	Job status	Description	Manufacturer
Elements detected - 0, recognized as trusted - 0

SPI/LSP settings

Namespace providers (NSP)

Manufacturer	Status	Exe file	Description	GUID
Detected - 2, recognized as trusted - 2

Transport protocol providers (TSP, LSP)

Manufacturer Exe file Description
Detected - 23, recognized as trusted - 23
Automatic SPI settings check results
LSP settings checked. No errors detected

TCP/UDP ports

Port Status Remote Host Remote Port Application Notes
TCP ports
135 LISTENING 0.0.0.0 0 [0]
139 LISTENING 0.0.0.0 18590 [0]
445 LISTENING 0.0.0.0 18613 [0]
1025 LISTENING 0.0.0.0 0 [0]
1026 LISTENING 0.0.0.0 0 [0]
1027 LISTENING 0.0.0.0 2205 [0]
3006 LISTENING 0.0.0.0 35031 [0]
3006 CLOSE_WAIT 87.242.90.137 80 [0]
4301 ESTABLISHED 127.0.0.1 4302 [0]
4302 LISTENING 0.0.0.0 2272 [0]
4302 ESTABLISHED 127.0.0.1 4301 [0]
4303 ESTABLISHED 127.0.0.1 4304 [0]
4304 LISTENING 0.0.0.0 10353 [0]
4304 ESTABLISHED 127.0.0.1 4303 [0]
4377 LISTENING 0.0.0.0 18590 [0]
4377 CLOSE_WAIT 87.242.90.135 80 [0]
4379 LISTENING 0.0.0.0 2076 [0]
4379 CLOSE_WAIT 89.108.66.156 80 [0]
UDP ports
137 LISTENING -- -- [0]
138 LISTENING -- -- [0]
445 LISTENING -- -- [0]
500 LISTENING -- -- [0]
3001 LISTENING -- -- [0]
3026 LISTENING -- -- [0]

Downloaded Program Files (DPF)

File name Description Manufacturer CLSID Source URL
DirectAnimation Java Classes
Delete file://C:\WINNT\Java\classes\dajava.cab
Microsoft XML Parser for Java
Delete file://C:\WINNT\Java\classes\xmldso.cab
{31564D57-0000-0010-8000-00AA00389B71}
Delete http://codecs.microsoft.com/codecs/i386/wmvax.cab
{9F1C11AA-197B-4942-BA54-47A8489BB47F}
Delete http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37487.6239583333
{CEBC955E-58AF-11D2-A30A-00A0C903492B}
Delete http://windowsupdate.microsoft.com/R980/V31Controls/x86/nt5/en/actsetup.cab
C:\WINNT\Downloaded Program Files\dwa7W.dll
Script: Quarantine, Delete, BC delete {E008A543-CEFB-4559-912F-C27C2B89F13B}
Delete https://webmail.belk.com/belkmail04.belkinc.com/dwa7W.cab
Elements detected - 12, recognized as trusted - 6

Control Panel Applets (CPL)

File name Description Manufacturer
C:\WINNT\system32\PLOTMAN.CPL
Script: Quarantine, Delete, BC delete Autodesk Hardcopy Plotter Manager Copyright (C) 1998-1999 Autodesk, Inc.
C:\WINNT\system32\plugincpl131_10.cpl
Script: Quarantine, Delete, BC delete JavaPlugin Copyright Ё 2000
C:\WINNT\system32\STYLEMAN.CPL
Script: Quarantine, Delete, BC delete Autodesk Hardcopy Plotter Manager Copyright (C) 1998-1999 Autodesk, Inc.
Elements detected - 25, recognized as trusted - 22

Active Setup

File name Description Manufacturer CLSID
Elements detected - 12, recognized as trusted - 12

HOSTS file

Hosts file record
127.0.0.1 localhost

Protocols and handlers

File name Type Description Manufacturer CLSID
Elements detected - 23, recognized as trusted - 23

Suspicious objects

File Description Type
C:\WINNT\wt\webdriver\webdriver.dll
Script: Quarantine, Delete, BC delete Suspicion by File scanner Suspicion for Spy.WildTangent ( 006FD3AC 00000000 001D2F2B 00272AA7 712704)
C:\WINNT\wt\webdriver\wthost.exe
Script: Quarantine, Delete, BC delete Suspicion by File scanner Suspicion for Spy.WildTangent ( 0060E2B4 00000000 0020D925 00212AD5 61440)
C:\WINNT\wt\webdriver\wthostctl.dll
Script: Quarantine, Delete, BC delete Suspicion by File scanner Suspicion for Spy.WildTangent ( 0069ECE8 00000000 001FEDBA 001FD6E2 57344)
C:\WINNT\wt\webdriver\wtmulti.jar
Script: Quarantine, Delete, BC delete Suspicion by File scanner Suspicion for Spy.WildTangent ( 02F4D35A 07D6A835 0018AF0B 0007EBC1 18306)
C:\WINNT\wt\webdriver\wtwmplug.ax
Script: Quarantine, Delete, BC delete Suspicion by File scanner Suspicion for Spy.WildTangent ( 008115DC 00000000 001B4030 001F13B0 53248)
C:\WINNT\wt\wtupdates\wtwebdriver\files\3.3.1.001\npwthost.dll
Script: Quarantine, Delete, BC delete Suspicion by File scanner Suspicion for Spy.WildTangent.b ( 0063DC41 00000000 001C177E 00205A85 36864)
C:\WINNT\wt\wtupdates\wtwebdriver\files\3.3.1.001\webdriver.dll
Script: Quarantine, Delete, BC delete Suspicion by File scanner Suspicion for Spy.WildTangent ( 006FD3AC 00000000 001D2F2B 00272AA7 712704)
C:\WINNT\wt\wtupdates\wtwebdriver\files\3.3.1.001\wthost.exe
Script: Quarantine, Delete, BC delete Suspicion by File scanner Suspicion for Spy.WildTangent ( 0060E2B4 00000000 0020D925 00212AD5 61440)
C:\WINNT\wt\wtupdates\wtwebdriver\files\3.3.1.001\wthostctl.dll
Script: Quarantine, Delete, BC delete Suspicion by File scanner Suspicion for Spy.WildTangent ( 0069ECE8 00000000 001FEDBA 001FD6E2 57344)
C:\WINNT\wt\wtupdates\wtwebdriver\files\3.3.1.001\wtmulti.jar
Script: Quarantine, Delete, BC delete Suspicion by File scanner Suspicion for Spy.WildTangent ( 02F4D35A 07D6A835 0018AF0B 0007EBC1 18306)
C:\WINNT\wt\wtupdates\wtwebdriver\files\3.3.1.001\wtvh.dll
Script: Quarantine, Delete, BC delete Suspicion by File scanner Suspicion for Spy.WildTangent ( 0074B40A 00000000 001CF561 00201841 53248)
C:\WINNT\wt\wtupdates\wtwebdriver\files\3.3.1.001\wtwmplug.ax
Script: Quarantine, Delete, BC delete Suspicion by File scanner Suspicion for Spy.WildTangent ( 008115DC 00000000 001B4030 001F13B0 53248)
C:\Program Files\WildTangent\Apps\CDA\CDALogger0402.dll
Script: Quarantine, Delete, BC delete Suspicion by Heuristic analysis HSC: suspicion for Spy.WindTangent
C:\WINNT\wt\webdriver\4.1.1\webdriver.dll
Script: Quarantine, Delete, BC delete Suspicion by Heuristic analysis HSC: suspicion for Spy.WindTangent

AVZ Antiviral Toolkit log; AVZ version is 4.29 Scanning started at 2/10/2008 9:05:05 AM Database loaded: signatures - 149090, NN profile(s) - 2, microprograms of healing - 55, signature database released 09.02.2008 22:28 Heuristic microprograms loaded: 370 SPV microprograms loaded: 9 Digital signatures of system files loaded: 68697 Heuristic analyzer mode: Medium heuristics level Healing mode: enabled Windows version: 5.0.2195, Service Pack 3 ; AVZ is launched with administrator rights System Recovery: enabled 1. Searching for Rootkits and programs intercepting API functions >>>> Probable masking of an executable file's name 1496 superantispyware.exe, real name - SUPERAntiSpywar 1.1 Searching for user-mode API hooks Analysis: kernel32.dll, export table found in section .text Analysis: ntdll.dll, export table found in section .text Analysis: user32.dll, export table found in section .text Analysis: advapi32.dll, export table found in section .text Analysis: ws2_32.dll, export table found in section .text Analysis: wininet.dll, export table found in section .text Analysis: rasapi32.dll, export table found in section .text Analysis: urlmon.dll, export table found in section .text Analysis: netapi32.dll, export table found in section .text 1.2 Searching for kernel-mode API hooks Driver loaded successfully SDT found (RVA=080820) Kernel ntoskrnl.exe found in memory at address 80400000 SDT = 80480820 KiST = 80472128 (248) Functions checked: 248, intercepted: 0, restored: 0 1.3 Checking IDT and SYSENTER Analysis for CPU 1 Checking IDT and SYSENTER - complete 1.4 Searching for masking processes and drivers Checking not performed: the extended monitoring driver (AVZPM) is not installed 2. Scanning memory Number of processes found: 29 Number of modules loaded: 302 Memory checking - complete 3. Scanning disks C:\WINNT\wt\webdriver\webdriver.dll >>> suspicion for Spy.WildTangent ( 006FD3AC 00000000 001D2F2B 00272AA7 712704) C:\WINNT\wt\webdriver\wthost.exe >>> suspicion for Spy.WildTangent ( 0060E2B4 00000000 0020D925 00212AD5 61440) C:\WINNT\wt\webdriver\wthostctl.dll >>> suspicion for Spy.WildTangent ( 0069ECE8 00000000 001FEDBA 001FD6E2 57344) C:\WINNT\wt\webdriver\wtmulti.jar >>> suspicion for Spy.WildTangent ( 02F4D35A 07D6A835 0018AF0B 0007EBC1 18306) C:\WINNT\wt\webdriver\wtwmplug.ax >>> suspicion for Spy.WildTangent ( 008115DC 00000000 001B4030 001F13B0 53248) C:\WINNT\wt\wtupdates\wtwebdriver\files\3.3.1.001\npwthost.dll >>> suspicion for Spy.WildTangent.b ( 0063DC41 00000000 001C177E 00205A85 36864) C:\WINNT\wt\wtupdates\wtwebdriver\files\3.3.1.001\webdriver.dll >>> suspicion for Spy.WildTangent ( 006FD3AC 00000000 001D2F2B 00272AA7 712704) C:\WINNT\wt\wtupdates\wtwebdriver\files\3.3.1.001\wthost.exe >>> suspicion for Spy.WildTangent ( 0060E2B4 00000000 0020D925 00212AD5 61440) C:\WINNT\wt\wtupdates\wtwebdriver\files\3.3.1.001\wthostctl.dll >>> suspicion for Spy.WildTangent ( 0069ECE8 00000000 001FEDBA 001FD6E2 57344) C:\WINNT\wt\wtupdates\wtwebdriver\files\3.3.1.001\wtmulti.jar >>> suspicion for Spy.WildTangent ( 02F4D35A 07D6A835 0018AF0B 0007EBC1 18306) C:\WINNT\wt\wtupdates\wtwebdriver\files\3.3.1.001\wtvh.dll >>> suspicion for Spy.WildTangent ( 0074B40A 00000000 001CF561 00201841 53248) C:\WINNT\wt\wtupdates\wtwebdriver\files\3.3.1.001\wtwmplug.ax >>> suspicion for Spy.WildTangent ( 008115DC 00000000 001B4030 001F13B0 53248) 4. Checking Winsock Layered Service Provider (SPI/LSP) LSP settings checked. No errors detected 5. Searching for keyboard/mouse/windows events hooks (Keyloggers, Trojan DLLs) 6. Searching for opened TCP/UDP ports used by malicious programs Checking disabled by user 7. Heuristic system check >>> C:\Program Files\WildTangent\Apps\CDA\CDALogger0402.dll HSC: suspicion for Spy.WindTangent >>> C:\WINNT\wt\webdriver\4.1.1\webdriver.dll HSC: suspicion for Spy.WindTangent Checking complete 8. Searching for vulnerabilities >> Services: potentially dangerous service allowed RemoteRegistry (Remote Registry Service) >> Services: potentially dangerous service allowed TlntSvr (Telnet) >> Services: potentially dangerous service allowed Messenger (Messenger) >> Services: potentially dangerous service allowed Alerter (Alerter) >> Services: potentially dangerous service allowed Schedule (Task Scheduler) >> Services: potentially dangerous service allowed mnmsrvc (NetMeeting Remote Desktop Sharing) > Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)! >> Security: disk drives' autorun is enabled >> Security: administrative shares (C$, D$ ...) are enabled >> Security: anonymous user access is enabled >>> Security: Internet Explorer allows automatic queries of ActiveX administrative elements >> Security: terminal connections to the PC are allowed >> Security: sending Remote Assistant queries is enabled Checking complete 9. Troubleshooting wizard >> Internet Explorer - automatic queries of ActiveX operating elements are allowed Checking complete Files scanned: 81883, extracted from archives: 46922, malicious programs found 0, suspicions - 12 Scanning finished at 2/10/2008 9:17:51 AM Time of scanning: 00:12:49 If you have a suspicion on presence of viruses or questions on the suspected objects, you can address http://virusinfo.info conference Creating archive of files from Quarantine Creating archive of files from Quarantine - complete System Analysis in progress
Script commands

Add commands to script:
Blocking hooks using Anti-Rootkit
Enable AVZGuard
BootCleaner - import list of deleted files
Registry cleanup after deleting files
BootCleaner - activate
Reboot
Insert template for QuarantineFile() - quarantining file
Insert template for BC_QrFile() - quarantining file via BootCleaner
Insert template for DeleteFile() - deleting file
Insert template for DelCLSID() - deleting CLSID item from the registry
Additional operations:
Performance tweaking: disable service RemoteRegistry (Remote Registry Service)
Performance tweaking: disable service TlntSvr (Telnet)
Performance tweaking: disable service Messenger (Messenger)
Performance tweaking: disable service Alerter (Alerter)
Performance tweaking: disable service Schedule (Task Scheduler)
Performance tweaking: disable service mnmsrvc (NetMeeting Remote Desktop Sharing)
Security tweaking: disable disk drives' autorun
Security tweaking: disable administrative shares
Security tweaking: disable anonymous user access
Security: block automatic queries of ActiveX administrative elements in Internet Explorer
Security: prevent terminal connections to the PC
Security: disable sending Remote Assistant queries
File list

Port	Status	Remote Host	Remote Port	Application	Notes
TCP ports
135	LISTENING	0.0.0.0	0	[0]
139	LISTENING	0.0.0.0	18590	[0]
445	LISTENING	0.0.0.0	18613	[0]
1025	LISTENING	0.0.0.0	0	[0]
1026	LISTENING	0.0.0.0	0	[0]
1027	LISTENING	0.0.0.0	2205	[0]
3006	LISTENING	0.0.0.0	35031	[0]
3006	CLOSE_WAIT	87.242.90.137	80	[0]
4301	ESTABLISHED	127.0.0.1	4302	[0]
4302	LISTENING	0.0.0.0	2272	[0]
4302	ESTABLISHED	127.0.0.1	4301	[0]
4303	ESTABLISHED	127.0.0.1	4304	[0]
4304	LISTENING	0.0.0.0	10353	[0]
4304	ESTABLISHED	127.0.0.1	4303	[0]
4377	LISTENING	0.0.0.0	18590	[0]
4377	CLOSE_WAIT	87.242.90.135	80	[0]
4379	LISTENING	0.0.0.0	2076	[0]
4379	CLOSE_WAIT	89.108.66.156	80	[0]
UDP ports
137	LISTENING	--	--	[0]
138	LISTENING	--	--	[0]
445	LISTENING	--	--	[0]
500	LISTENING	--	--	[0]
3001	LISTENING	--	--	[0]
3026	LISTENING	--	--	[0]